APAR status
Closed as program error.
Error description
Paste from Customer's note:
I am trying to use the PKCS#11 JCE Provider from IAIK as the keystore-provider for the pluggable application client. There's an eval version available at http://jce.iaik.tugraz.at/products/15_PKCS11_Provider/index.php

The SSL configuration in my sas.client.props is the following:

    com.ibm.ssl.keyStoreType=PKCS11
    # tokenkeystore file contains the name of the provider IAIK PKCS#11:1
    com.ibm.ssl.keyStore=properties/tokenkeystore
    com.ibm.ssl.keyStoreProvider="IAIK PKCS#11:1"

I have the following in my application code, to instantiate and add the providers (the software provider is used for delegating from the PKCS#11 provider).

    import java.security.Security;

    // Add IAIK hardware JCE provider
    Security.insertProviderAt(new iaik.pkcs.pkcs11.provider.IAIKPkcs11(), 3);
    // Add IAIK software JCE provider
    Security.insertProviderAt(new iaik.security.provider.IAIK(), 9);

When running the pluggable client with this configuration, the result is successful. I can authenticate to WAS using IAIK KeyStore and Sun KeyManager. However, the problem is that it takes too long.

When debugging the application, I see that the init-method of Sun's KeyManagerFactory is called four times!! Each time, it lists the contents of the smart card. Why does an SSL client need to call KeyManagerFactory init more than once?

I also noticed that the time it takes to authenticate depends on the number of certificates on the token. When there are two certificates (and keys) on the token, it takes about 27 seconds to authenticate. But if I delete the other certificate and key, it takes only 13 seconds.

I have tested the provider with a simple SSL client application that makes a connection to WAS, and it doesn't take more than 8 seconds to authenticate. And it doesn't depend on the number of certificates on the smart card.
************************************
To which we suggested the following:
************************************
You can probably get rid of all sockets but a single client socket by adding the following properties to the sas.client.props. The client, by default, initializes server sockets for orb callbacks.

    com.ibm.CSI.claimTransportAssocSSLTLSRequired=false
    com.ibm.CSI.claimTransportAssocSSLTLSSupported=false

And then changing this one in sas.client.props from both to csiv2.

    com.ibm.CSI.protocol=csiv2

NOTE: By setting this to "csiv2", they will no longer be able to communicate to any server except WAS 5.x and above.
***************
Current status:
***************
I was already using only CSIv2. With both protocols it takes around 40 seconds.

Those two properties helped a bit. Now it only calls the KeyManagerFactory init three times instead of four. The time has dropped to something like 21 seconds (two certs on token) from 27 seconds. I think it's still doing some extra sockets (not sure though).

So, if you could get rid of the two extra inits, it might get under 10 seconds.
- The files are on wasdoc1:\\pmrs\05\05287.8YP.000\
See pmr for more information
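The cost the customer measured scales with the number of KeyManagerFactory.init calls, because each init enumerates the token. The following is an added example, not code from the APAR, IBM or IAIK, showing how an application that builds its own SSLContexts can pay for that enumeration exactly once and reuse the resulting KeyManager[] for every context (for instance an outbound client socket and an ORB callback server socket). It assumes the provider class and name, keystore type and keystore file path quoted in the report above; the token PIN is a placeholder, the provider is loaded reflectively so the class compiles without the IAIK jar, and the way the IAIK keystore consumes the tokenkeystore file on load is taken from the customer's configuration rather than verified against the IAIK documentation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/**
 * Loads the PKCS#11 keystore and initialises the KeyManagerFactory once,
 * then hands the same KeyManager[] to every SSLContext the client builds.
 * KeyManagerFactory.init() is the call that lists the token, so bounding it
 * to one call bounds the card enumeration to one, whatever the socket count.
 */
public final class CachedTokenKeyManagers {
    // Values mirror the sas.client.props quoted in the report (assumptions, not tested here).
    private static final String PROVIDER_CLASS = "iaik.pkcs.pkcs11.provider.IAIKPkcs11";
    private static final String PROVIDER_NAME  = "IAIK PKCS#11:1";
    private static final String KEYSTORE_TYPE  = "PKCS11";
    private static final String KEYSTORE_FILE  = "properties/tokenkeystore";
    private static final char[] TOKEN_PIN      = "CHANGEME".toCharArray(); // placeholder PIN

    private static KeyManager[] cached;   // guarded by the class monitor
    private static int initCount;         // how many times init() actually ran
    private static long firstInitMillis;  // wall-clock cost of that single init

    private CachedTokenKeyManagers() {}

    /** Returns the shared KeyManager[]; only the first caller pays for the token enumeration. */
    public static synchronized KeyManager[] get() throws Exception {
        if (cached == null) {
            long t0 = System.currentTimeMillis();
            if (Security.getProvider(PROVIDER_NAME) == null) {
                // Reflective load: no compile-time dependency on the IAIK jar.
                Provider p = (Provider) Class.forName(PROVIDER_CLASS)
                        .getDeclaredConstructor().newInstance();
                Security.insertProviderAt(p, 3);
            }
            KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER_NAME);
            try (InputStream in = new FileInputStream(KEYSTORE_FILE)) {
                ks.load(in, TOKEN_PIN);   // file names the provider instance; PIN logs in to the token
            }
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, TOKEN_PIN);      // the expensive call: enumerates every cert/key on the card
            cached = kmf.getKeyManagers();
            initCount++;
            firstInitMillis = System.currentTimeMillis() - t0;
        }
        return cached;
    }

    /** Builds a TLS context that reuses the cached KeyManagers instead of re-initialising. */
    public static SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(get(), null, null);      // null TrustManagers/SecureRandom = platform defaults
        return ctx;
    }

    public static int initCount() { return initCount; }

    public static void main(String[] args) throws Exception {
        // Two contexts, as a client socket plus a callback server socket would need, share one init.
        newContext();
        newContext();
        System.out.println("KeyManagerFactory.init calls: " + initCount()
                + " (the one init took " + firstInitMillis + " ms)");
    }
}
```

The point of the cache is that the second and later SSLContext.init calls do not touch the token at all; with the report's numbers, the 13 to 27 second enumeration is paid once rather than three or four times. Printing the init count and its duration gives the same evidence the customer collected in the debugger, without a debugger.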
LOCAL FIX:
NA
Local fix
NA
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 using PKCS#11 JCE Provider from IAIK as the  *
*                 keystore-provider for a pluggable            *
*                 application client.                          *
****************************************************************
* PROBLEM DESCRIPTION: Performance problem authenticating to   *
*                      WAS using IAIK KeyStore and Sun         *
*                      KeyManager.                             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Performance problem authenticating to WAS using IAIK KeyStore and Sun KeyManager. The reason for this is that the performance of the KeyManagerFactory initialization method is poor. This is exacerbated by the method being called four times.
Problem conclusion
The initialization calls were reduced. This reduction is enabled using a system property:

    com.ibm.ssl.validationEnabled=true (default=true)
Temporary fix
Comments
APAR information
APAR number: PQ82612
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00W
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2003-12-23
Closed date: 2004-01-14
Last modified date: 2004-01-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R00S PSY UP
R10W PSY UP