SSL performance tuning on the Caching Proxy server
 Technote (troubleshooting)
 
Problem (Abstract)
During high HTTPS traffic volumes, the Caching Proxy server might cause high CPU usage. Tuning changes to an environment variable (GSK_V3_SIDCACHE_SIZE) and a proxy directive (SSLV3Timeout) can help the proxy server handle the load and reduce the CPU usage.
 
Resolving the problem
The SSL session ID identifies reusable SSL sessions, including encryption or decryption keys used by both browsers and servers, and is used to avoid unnecessary SSL handshakes on new connections, which consume a lot of the server's CPU time. The GSKit library for the Caching Proxy server supports SSL session ID and includes an SSL session ID cache. By default, the SSL session ID cache contains 512 entries. When the entry limit is reached, the oldest session entry will be removed and the new entry will be added into the cache.

Use the GSK_V3_SIDCACHE_SIZE environment variable to change the default size of the SSL session ID cache. A valid value of the variable is between 1 and 4096. Increasing the size will increase the look-up time required to locate a cached SSL session. However, the increased look-up time is insignificant compared to the overhead required to establish an SSL connection. Increasing the cache size will help the proxy server handle more concurrent SSL sessions and reduce the CPU usage when the proxy server is under high HTTPS loads.

Caching Proxy also has a tunable directive, SSLV3Timeout. The default value of the directive is 1000 seconds. This directive defines the lifetime of an SSL session in the session cache. If no incoming SSL connection uses an existing SSL session and the session lifetime exceeds the value, that session will be removed from the session cache. It is recommended to set the SSLV3Timeout value to the length of a typical secured client session. If the timeout is set too short, it may slow the performance of the proxy because multiple full SSL handshakes are needed to complete a single secured session. However, if the value is set too long, it may weaken the security of a secured session, because the cached session and its keys stay reusable for longer.
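
The following is an added example, not code from IBM or GSKit. It is a toy model of the session ID cache that counts full handshakes for different GSK_V3_SIDCACHE_SIZE and SSLV3Timeout values. It assumes that eviction removes the oldest-created entry, that a session's lifetime is measured from its creation, and that the client load is a constructed one in which every client reconnects once per round.

```python
from collections import OrderedDict


class SessionIdCache:
    """Toy model of the SSL session ID cache (assumed behaviour, not GSKit code)."""

    def __init__(self, size=512, timeout=1000):
        self.size = size              # models GSK_V3_SIDCACHE_SIZE (entries)
        self.timeout = timeout        # models SSLV3Timeout (seconds)
        self.entries = OrderedDict()  # client id -> creation time, oldest first

    def connect(self, client, now):
        """Return True if the connection can reuse a cached session."""
        created = self.entries.get(client)
        if created is not None and now - created <= self.timeout:
            return True                       # session reused, no full handshake
        self.entries.pop(client, None)        # drop the expired entry, if any
        if len(self.entries) >= self.size:
            self.entries.popitem(last=False)  # cache full: remove oldest entry
        self.entries[client] = now            # full handshake creates a session
        return False


def full_handshakes(clients, rounds, interval, size=512, timeout=1000):
    """Count full handshakes for a constructed load: `clients` distinct clients
    each reconnect once per round, and rounds are `interval` seconds apart."""
    cache = SessionIdCache(size, timeout)
    full = 0
    for r in range(rounds):
        for c in range(clients):
            if not cache.connect(c, r * interval):
                full += 1
    return full


if __name__ == "__main__":
    # 600 clients, 10 rounds, 60 seconds between rounds (constructed numbers)
    print("size=512,  timeout=1000:", full_handshakes(600, 10, 60, size=512))
    print("size=1024, timeout=1000:", full_handshakes(600, 10, 60, size=1024))
    print("size=1024, timeout=100: ", full_handshakes(600, 10, 60, size=1024, timeout=100))
```

With more concurrent clients than cache entries, each session is evicted before its client returns, so every connection needs a full handshake. Once the cache holds all clients, only a timeout shorter than the client session forces extra handshakes.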
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Edge Component
Operating system(s): Windows
Software version: 6.0.2
Software edition:
Reference #: 1227617
IBM Group: Software Group
Modified date: Jan 10, 2006