
Performance of TAMBI HE on z/OS

 White paper
 
Abstract
WebSphere® MQ Extended Security Edition (ESE) provides enterprise-wide security facilities:

  • Protection of messages. Messages can be digitally signed to ensure they are not modified in transit, or can be encrypted for specific users, so that only those users can decrypt the message.

  • Messages are protected at rest, so unauthorised users browsing the queue will not be able to see the content of encrypted messages, nor will they be able to tamper with signed messages. SSL channels in WMQ only provide encryption while the messages are being sent over a channel.

  • Central administration of access to queues. Enterprise-wide userids can be used to control which users can put messages to, or get messages from, a queue.

This white paper discusses the performance costs of using these facilities on z/OS.
 
 
Content
Architecture of an ESE solution
There are several components required when using ESE:
  1. IBM® Tivoli® Access Manager (TAM). This runs on a distributed platform and provides central administration of users, and access control, for many products (operating system, WMQ, Web, etc.).
  2. PDAS (Policy Director Authorization Services). This runs in the PDACL started task on z/OS and interacts with TAM on the distributed platform. Information on WMQ attributes can be cached in RACF®.
  3. LDAP (Lightweight Directory Access Protocol). This runs on z/OS and is a directory server implementing the Lightweight Directory Access Protocol, an open standard for storing directory information.
  4. DB2®. This is used by LDAP for storing its directory information.
  5. System SSL (which implements GSKIT, the Global Secure ToolKit). This provides cryptographic services for applications.
  6. ICSF (Integrated Cryptographic Service Facility). This controls use of the cryptographic co-processors, which can off-load processing to dedicated hardware.
  7. TAMBI Host Edition (Tivoli Access Manager for Business Integration), which runs on z/OS. This has two components:
     a. PDMQ, which intercepts application calls to WMQ services and checks access permissions to queues and other services.
     b. PDMQD, which runs in UNIX System Services and provides encryption-related services. It uses GSKIT and RACF to access certificates and to do the encryption-related work.

Of these components, IBM Tivoli Access Manager, LDAP, and DB2 are used for administration and are not used in the day-to-day message processing. They will not be considered further in this paper.

How TAMBI works on z/OS

The TAMBI libraries are in the application STEPLIB before the WMQ libraries. When a WMQ request is made by the application, the branch into the queue manager is intercepted and a branch into the PDMQ address space occurs instead. PDMQ passes requests for encryption and similar work to PDMQD.

Cost of using Extended Security Edition

There are several additional costs when using ESE:
  1. Intercepting the WMQ API and checking whether the operation on the queue requires more ESE processing.
  2. If the request requires access checking, there is the cost of looking up whether the user is authorised.
  3. If the integrity option is specified, processing is done to calculate a digital signature and add that information to the message.
  4. If encryption is specified, the message is encrypted with a unique key, and that key is encrypted for each recipient.
  5. The resultant message will be larger than the input message, so there may be higher costs purely as a result of the increased message size. The increase is usually a few hundred bytes, though for encryption it depends on the number of recipients.
  6. When the message has arrived at the destination, integrity checks or decryption are done, depending on the options used when the message was put.

What affects the cost of using Extended Security Edition

The following list is in order of decreasing impact; there are more details in the sections that follow:
  1. Level of protection requested: encryption requires more processing than integrity checking, which requires more processing than doing nothing.
  2. Use of cryptographic co-processors: with special hardware some processing can be off-loaded to hardware devices, depending on the functions being performed.
  3. Size of message: with integrity checking and encryption, larger messages require more processing.
  4. Encryption strength: an increase in strength does not necessarily imply higher cost, as the processing can be off-loaded.
  5. Number of recipients: for an encrypted message, each recipient gets some data encrypted just for them, so more recipients add to the cost.
  6. Persistence: persistent messages are generally more expensive than non-persistent messages, regardless of ESE.

The application

The application used to put and get messages is the program OEMPUTX in SupportPac IP13. This displays the CPU used in various address spaces and provides timing information. The application opens the queues, then loops doing put, commit, get, commit. Because the messages were put and got out of syncpoint (put with implicit commit and get with implicit commit), the commit requests in the application have no processing to do.

For PDMQ the trace was on. This adds about 10% to the application costs compared with no trace.

Hardware and Software
The hardware configuration was:
  • CPU: 3-CPU logical partition (LPAR) of a zSeries 990 (2084-332).
  • PCIXCC co-processor
  • DASD: FICON-connected Enterprise Storage Server (ESS) Model F20.
Software levels were:
  • z/OS 1.7.
  • WebSphere MQ 6.0
  • Tivoli Access Manager for Business Integration Host Edition, 4.1.0


What is the difference in cost of the different levels of protection?

In this measurement an application put a message and then got the same message. Different queues were used, each with a different level of protection.


                              1000 byte        10,000 byte      100,000 byte
                              non persistent   non persistent   non persistent
No protection   Total              365              429             1072
                Application        365              429             1072
Integrity       Total             2786             3606            13217
                Application        989             1177             3092
                PDMQD             1686             2344            10013
                ICSF               111               82              112
Weak encryption Total             6750            10012            45765
(10 recipients) Application       1099             1264             3212
                PDMQD             5268             8443            42146
                ICSF               380              302              404

For all measurements in the white paper, the results are in microseconds of CPU or elapsed time, unless otherwise stated.

Observation on the above information:
  1. Using more secure facilities increases the cost.

What are the benefits of using a cryptographic co-processor?

In this measurement an application put a message and then got the same message. Measurements were done with and without a PCIXCC co-processor. The PCIXCC cryptographic co-processor is specialized hardware which performs different types of cryptographic operation (DES, TDES, RSA, and SHA-1) and hence relieves the main processor of these tasks. The device also accelerates the asymmetric public/private key operations involved in generating and verifying the digital signature, and in the secure symmetric key exchange (the symmetric encryption key is encrypted with the recipient's public key and decrypted with the recipient's private key).

Strong encryption was used. This is Triple DES with a 168-bit encryption key.

Stopping the ICSF address space stopped the cryptographic co-processors from being used.


                                                        Using PCIXCC     Not using PCIXCC
                                                        co-processor     co-processor
Total CPU cost on CP (non cryptographic) engines             5941             40129
% utilisation of crypto co-processor                        58.7%                 -
Effective crypto co-processor CPU used per round trip       12000                 -
Effective total CPU cost (rounded)                         20,000            40,000
Round trip time                                            21,695            40,787
Application cost                                             1051              1085
Queue Manager cost                                             59                11
PDMQD                                                        5119             39029
ICSF                                                          310                NA


Observations on the above information
  1. Using the cryptographic co-processor reduces both the CPU time on the CP (non cryptographic) engines and the elapsed time for the round trip.
  2. With the cryptographic co-processor, the transaction rate was about 45 round trips a second. The cryptographic co-processor was 58.7% busy, that is, 587,000 microseconds of co-processor CPU were used per second. So about 587000/45 = 12000 microseconds of cryptographic co-processor CPU were used per round trip.

Note: at high volumes you may get contention for the co-processor. You can use RMF to determine the device utilisation.

What is the impact of different sized messages?

The table in "What is the difference in cost of the different levels of protection?" above shows the increased cost when using larger messages.
  1. Using more secure facilities increases the cost.
  2. The costs are approximately linear in message size.
  3. For no protection, total cost = 0.007 * message size in bytes + 360.
  4. For integrity, total cost = 0.106 * message size in bytes + 2,618.
  5. For weak encryption, total cost = 0.395 * message size in bytes + 6,214.


What is the cost of using different strength encryptions?

In this measurement an application put a message and then got the same message. Measurements were done using different queues, each with a different encryption strength specified.

Strong encryption uses Triple DES (also known as TDES) with an effective key length of 168 bits.
Weak encryption uses RC2 with an effective key length of 40 bits.

                                                   Weak encryption   Strong encryption
Total CPU cost on CP (non cryptographic) engines         6542              5941
Round trip time                                        22,221            21,640
Transaction rate per second                              45.0              46.2
Application cost                                         1048              1042
Queue Manager cost                                          6                 6
PDMQD                                                    5143              4590
ICSF                                                      343               326
PCIXCC utilisation                                      55.4%             58.8%

Observations on the above information
  1. The cost on the crypto co-processor is approximately the same in both cases.
  2. Surprisingly, the cost of strong encryption is less than the cost of weak encryption. This may be because the stronger encryption algorithm has been optimised.

What is the cost of having different numbers of recipients?

In this measurement different queues were used, each with a different number of recipients. Weak encryption was used.

                      1 recipient   3 recipients   10 recipients
Total                     4174          4885           6748
Application cost          1062          1102           1281
Queue Manager cost          14            17             13
PDMQD                     2955          3574           5746
ICSF                       140           178            388

Observation on the above table (and other measurements):
  1. The cost of adding each additional recipient is about 320 microseconds of CPU.

How much bigger are the messages?

A 1000 byte message was put to queues with different attributes. The increase in size, in bytes, is:

Message put with integrity                            1062
Message put with weak encryption, 1 recipient         1307
Message put with weak encryption, 10 recipients       3018
Message put with strong encryption, 10 recipients     3012

Observations on the above information
  1. The size of the message increases with the number of recipients. The increase in size is approximately 1120 + 190 * number of recipients bytes.
  2. The increase in length is independent of the original size of the message.
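The two straight-line models quoted in this paper, the per-size CPU cost in "What is the impact of different sized messages?" (0.007, 0.106 and 0.395 microseconds per byte plus a fixed cost) and the per-recipient message growth above (1120 + 190 * number of recipients), can both be recovered from the measured tables by an ordinary least-squares fit. The following Python is an added example, not code from the paper or from TAMBI; the data points are the values in the paper's tables, and the function names (fit_line, cost_models, estimate_cost, estimate_growth) are this example's own.

```python
"""Least-squares fit of the white paper's measured CPU costs.

Added example; not code from the paper or from TAMBI. The sample points are
the values quoted in the paper's tables; function names are this example's own.
"""
from typing import Dict, List, Tuple

# Measured total CPU (microseconds) per put+get round trip, by message size
# in bytes, copied from the "different levels of protection" table.
COST_BY_SIZE: Dict[str, List[Tuple[float, float]]] = {
    "none":            [(1_000, 365),   (10_000, 429),    (100_000, 1_072)],
    "integrity":       [(1_000, 2_786), (10_000, 3_606),  (100_000, 13_217)],
    "weak_encryption": [(1_000, 6_750), (10_000, 10_012), (100_000, 45_765)],
}

# Growth in bytes of a 1000-byte message with weak encryption, by recipient
# count, from the "how much bigger are the messages" table.
GROWTH_BY_RECIPIENTS: List[Tuple[float, float]] = [(1, 1_307), (10, 3_018)]


def fit_line(points: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Ordinary least-squares (slope, intercept) for y = slope * x + intercept."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two points to fit a line")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all x values are identical; slope is undefined")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def cost_models() -> Dict[str, Tuple[float, float]]:
    """Fitted (slope, intercept) per protection level, microseconds of CPU."""
    return {level: fit_line(pts) for level, pts in COST_BY_SIZE.items()}


def estimate_cost(level: str, message_bytes: int) -> float:
    """Predicted round-trip CPU cost for a message of the given size."""
    slope, intercept = cost_models()[level]
    return slope * message_bytes + intercept


def estimate_growth(recipients: int) -> float:
    """Predicted increase in message length, in bytes, for N recipients."""
    slope, intercept = fit_line(GROWTH_BY_RECIPIENTS)
    return slope * recipients + intercept


if __name__ == "__main__":
    for level, (slope, intercept) in cost_models().items():
        print(f"{level:16s} cost ~= {slope:.3f} * bytes + {intercept:.0f} us")
    print(f"growth for 3 recipients ~= {estimate_growth(3):.0f} bytes")
```

Running it prints the fitted coefficients; they agree with the paper's rounded figures to within a few microseconds on the intercepts, which is the kind of check worth doing before projecting these numbers onto a different message-size mix.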

What is the overhead of using TAMBI?

A 1000 byte message was put, committed, and then got and committed, in different environments. The figures are application CPU cost.

                                                                             Application
No TAMBI libraries in the batch job                                                  144
TAMBI libraries in STEPLIB, non-TAMBI managed queue                                  349
TAMBI libraries in STEPLIB, TAMBI managed queue, no integrity or encryption          354

A 100,000 byte message was put, committed, and then got and committed, in different environments.

                                                                             Application
No TAMBI libraries in the batch job                                                  797
TAMBI libraries in STEPLIB, non-TAMBI managed queue                                 1005
TAMBI libraries in STEPLIB, TAMBI managed queue, no integrity or encryption         1006

Observations on the above information
  1. The overhead of using ESE was about 200 microseconds per transaction. This is about 100 microseconds per MQPUT or MQGET.
  2. The additional cost when the queue is managed by ESE is small and within measurement error.


What is the cost of ESE encryption compared to an SSL channel?

Two measurements were done in a loop back between two z/OS queue managers. Both used the same return channel, but on the way to the remote queue manager one used a channel with SSL and the other used a channel without SSL. All other parameters were the same.

CHINIT cost, microseconds of CPU per message:

                                          1000 byte message   10,000 byte message
Without SSL                                         783                 816
Using SSL, SSLCIPH(DES_SHA_EXPORT)                 1170                1265

Observations on the above information
  1. The cost of encrypting the data on the channel is about 387 microseconds of CPU per message.
  2. The cost of using ESE encryption is about 6000 microseconds of CPU (from the table above showing 5941-6542). The difference arises because during the SSL handshake a key is determined when the channel starts, and the same key is then used for many messages. SSL can do this because there is effectively only one recipient, the other end of the channel. For ESE a key is required for each message, to prevent someone from being able to decrypt a message destined for someone else.

Notices
DISCLAIMERS
The performance data contained in this report were measured in a controlled environment. Results obtained in other environments may vary significantly.

You should not assume that the information contained in this report has been submitted to any formal testing by IBM.

Any use of this information and implementation of any of the techniques are the responsibility of the licensed user. Much depends on the ability of the licensed user to evaluate the data and to project the
results into their own operational environment.

WARRANTY AND LIABILITY EXCLUSION
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore this statement may not apply to you.
In Germany and Austria, notwithstanding the above exclusions, IBM's warranty and liability are governed only by the respective terms applicable for Germany and Austria in the corresponding IBM program license agreement(s).

ERRORS AND OMISSIONS
The information set forth in this report could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; any such change will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time and without notice.
INTENDED AUDIENCE
This report is intended for architects, systems programmers, analysts and programmers wanting to understand the performance characteristics of Extended Security Edition for z/OS V6. The information is not intended as the specification of any programming interface that is provided by ESE. It is assumed that the reader is familiar with the concepts and operation of ESE.
LOCAL AVAILABILITY
References in this report to IBM products or programs do not imply that IBM intends to make these available in all countries in which IBM operates. Consult your local IBM representative for information on the products and services currently available in your area.
ALTERNATIVE PRODUCTS AND SERVICES
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
USE OF INFORMATION PROVIDED BY YOU
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
TRADEMARKS AND SERVICE MARKS
The following terms used in this publication are trademarks of International Business Machines Corporation in the United States, other countries or both:
Tivoli

IBM
WebSphere
WebSphere MQ
z/OS
zSeries

Other company, product, and service names may be trademarks or service marks of others.
EXPORT REGULATIONS
You agree to comply with all applicable export and import laws and regulations.
 
 
Cross Reference information
Segment: Business Integration
Product: WebSphere MQ
Component: Security
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 6.0
Edition:
 
 

Document information
 Product categories:
 Software
 Security
 Access
 IBM Tivoli Access Manager for Business Integration
 Operating system(s):
  z/OS
 Software version:
  4.1
 Reference #:
  7009749
 IBM Group:
 Software Group
 Modified date:
 2007-05-23
