PQ82612: Perf issue: PKCS#11 JCE Provider from IAIK asthe keystore provider for the pluggavle app client.

 Fixes are available

5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for AIX
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for HP-UX
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for Linux
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for AIX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for HP-UX
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Solaris
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Windows
5.1.1.18: WebSphere Application Server V5.1.1 Cumulative Fix 18 for Linux
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Linux
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Solaris
5.1.1.17: WebSphere Application Server V5.1.1 Cumulative Fix 17 for Windows
5.0.2.7: WebSphere Application Server Express 5.0.2 Cumulative Fix 7
5.1.0.5: WebSphere Application Server V5.1.0 Cumulative Fix 5
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Solaris
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Linux
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for AIX
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for Windows
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Windows
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for AIX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Linux
5.0.2.12: WebSphere Application Server 5.0.2 Cumulative Fix 12
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for HP-UX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for AIX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for HP-UX
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Solaris
5.0.2.8: WebSphere Application Server V5.0.2 Cumulative Fix 8
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for AIX
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for Windows
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Solaris
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Solaris
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for Linux
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Windows
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for HP-UX
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for AIX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Windows
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Solaris
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Windows
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for AIX
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for Linux
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for HP-UX
5.1.1.12: WebSphere Application Server V5.1.1 Cumulative Fix 12 for Solaris
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for AIX
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Windows
5.0.2.13: WebSphere Application Server 5.0.2 Cumulative Fix 13
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for HP-UX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Solaris
5.1.1.13: WebSphere Application Server V5.1.1 Cumulative Fix 13 for Linux
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for AIX
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Linux
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for Windows
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Windows
5.1.1: WebSphere Application Server Version 5.1 Fix Pack 1 (Version 5.1.1)
5.0.2.5: WebSphere Application Server 5.0.2 Cumulative Fix 5
5.0.2.18: WebSphere Application Server 5.0.2 Cumulative Fix 18 for Linux
5.1.1.11: WebSphere Application Server V5.1.1 Cumulative Fix 11 for HP-UX
5.1.1.14: WebSphere Application Server V5.1.1 Cumulative Fix 14 for HP-UX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for HP-UX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Linux
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for AIX
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for HP-UX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for HP-UX
5.1.1.16: WebSphere Application Server V5.1.1 Cumulative Fix 16 for Linux
5.1.1.15: WebSphere Application Server V5.1.1 Cumulative Fix 15 for Linux
5.1.1.19: WebSphere Application Server V5.1.1 Cumulative Fix 19 for HP-UX



APAR status
Closed as program error.

Error description
Paste from Customer's note:
I am trying to use the PKCS#11 JCE Provider from IAIK as the
keystore-provider for the pluggable application client. There's
an
eval version available at

http://jce.iaik.tugraz.at/products/15_PKCS11_Provider/index.php

The SSL configuration in my sas.client.props is following:
com.ibm.ssl.keyStoreType=PKCS11
# tokenkeystore file contains the name of the provider IAIK
PKCS#11:1
com.ibm.ssl.keyStore=properties/tokenkeystore
com.ibm.ssl.keyStoreProvider="IAIK PKCS#11:1"
I have the following in my application code, to instantiate and
add the
providers (the software provider is used for delegating from the
PKCS#11 provider).
// Add IAIK hardware JCE provider
Security.insertProviderAt(new
iaik.pkcs.pkcs11.provider.IAIKPkcs11(),
3);
// Add IAIK software JCE provider
Security.insertProviderAt(new iaik.security.provider.IAIK(), 9);
When running the pluggable client with this configuration, the
result
is successful. I can authenticate to WAS using IAIK KeyStore and
Sun
KeyManager. However, the problem is that it takes too long.
When debugging the application, I see that the init-method of
Sun's
KeyManagerFactory is called four times!! Each time, it lists the
contents of the smart card. Why does an SSL client need to call
KeyManagerFactory init more than once?
I also noticed that the time it takes to authenticate, depends
on the
number of certificates on the token. When there are two
certificates
(and keys) on the token, it takes about 27 seconds to
authenticate. But if I delete the other certificate and key, it
takes
only 13 seconds.
I have tested the provider with a simple SSL client application,
that
makes a connection to WAS, and it doesn't take more than 8
seconds to
authenticate. And it doesn't depend on the number of
certificates on
the smart card.

************************************
To which we suggested the following:
************************************

You can probably get rid of all sockets but a single client
socket by
adding the following properties to the sas.client.props.  The
client, by
default, initializes server sockets for orb callbacks.

com.ibm.CSI.claimTransportAssocSSLTLSRequired=false
com.ibm.CSI.claimTransportAssocSSLTLSSupported=false

And then changing this one in sas.client.props from both to
csiv2.

com.ibm.CSI.protocol=csiv2

NOTE:
By setting this to "csiv2", they will no longer be able to
communicate
to any server except WAS 5.x and above.

***************
Current status:
***************

I was already using only CSIv2. With both
protocols it takes around 40 seconds.
Those two properties helped a bit. Now it only calls
the KeyManagerFactory init three times instead of
four. The time has dropped to something like 21
seconds (two certs on token) from 27 seconds. I
think it's still doing some extra sockets (not sure
though).
So, if you could get rid of the two extra inits, it
might get under 10 seconds.

- The files are on wasdoc1:\\pmrs\05\05287.8YP.000\

See pmr for more information

LOCAL FIX:
NA
Local fix
NA
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 using PKCS#11 JCE Provider from IAIK as the  *
*                 keystore-provider for a pluggable            *
*                 application client.                          *
****************************************************************
* PROBLEM DESCRIPTION: Performance problem authenticating to   *
*                      WAS using IAIK KeyStore and Sun         *
*                      KeyManager.                             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Performance problem authenticating to WAS using IAIK KeyStore
and Sun KeyManager.  The reason for this the initialization
method performance of the KeyManagerFactory is poor.  This is
exacerbated by the method being called four times.
Problem conclusion
The initialization calls were reduced.  This reduction is
enabled using a system property.

com.ibm.ssl.validationEnabled=true (default=true)
Temporary fix Comments
APAR information
APAR number PQ82612
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00W
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-12-23
Closed date 2004-01-14
Last modified date 2004-01-14

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information

Applicable component levels
R00S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PQ82612
IBM Group: Software Group
Modified date: Jan 14, 2004