Problem (Abstract)
During high HTTPS traffic volumes, the Caching Proxy
server might cause high CPU usage. Tuning changes to an environment
variable (GSK_V3_SIDCACHE_SIZE) and a proxy directive (SSLV3Timeout) can
help the proxy server handle the load and reduce the CPU usage.

Resolving the problem
The SSL session ID identifies reusable SSL sessions,
including encryption or decryption keys used by both browsers and servers,
and is used to avoid unnecessary SSL handshakes on new connections, which
consume a lot of the server's CPU time. The GSKit library for the Caching
Proxy server supports SSL session ID and includes an SSL session ID cache.
By default, the SSL session ID cache contains 512 entries. When the entry
limit is reached, the oldest session entry will be removed and the new
entry will be added into the cache.

Use the GSK_V3_SIDCACHE_SIZE environment variable to change the
default size of the SSL session ID cache. A valid value of the variable is
between 1 and 4096. Increasing the size will increase the look-up time
required to locate a cached SSL session. However, the increased look-up
time is insignificant compared to the overhead required to establish an
SSL connection. Increasing the cache size will help the proxy server
handle more concurrent SSL sessions and reduce the CPU usage when the
proxy server is under high HTTPS loads.

Caching Proxy also has a tunable directive, SSLV3Timeout. The
default value of the directive is 1000 seconds. This directive defines the
lifetime of an SSL session in the session cache. If no incoming SSL
connection uses an existing SSL session and the session lifetime exceeds
the value, that session will be removed from the session cache. It is
recommended to set the SSLV3Timeout value to the length of a
typical secured client session. If the timeout is set too short, it may
slow the performance of the proxy because multiple SSL handshake sessions
are needed to complete a single secured session. However, if the value is
set too long, it may also hurt the security of a secured session.
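
The following model is an added example, not code from GSKit or Caching Proxy. It counts full versus resumed handshakes for a given cache size and timeout, so the effect of both settings can be estimated before changing them. The function names and the workload are constructed, and the model assumes one session per client with the lifetime measured from session creation.

```python
from collections import OrderedDict

MIN_SIZE, MAX_SIZE = 1, 4096   # valid GSK_V3_SIDCACHE_SIZE range stated above


def full_handshakes(arrivals, cache_size=512, timeout=1000):
    """Return (full, resumed) handshake counts for (time_seconds, client_id) arrivals.

    Model assumptions: one session per client, the oldest entry is evicted
    when the cache is full, and lifetime is measured from session creation.
    """
    if not MIN_SIZE <= cache_size <= MAX_SIZE:
        raise ValueError("cache size must be between 1 and 4096")
    cache = OrderedDict()              # client_id -> creation time, oldest first
    full = resumed = 0
    for now, client in arrivals:
        created = cache.get(client)
        if created is not None and now - created <= timeout:
            resumed += 1               # session ID found: abbreviated handshake
            continue
        cache.pop(client, None)        # drop the expired entry, if any
        if len(cache) >= cache_size:
            cache.popitem(last=False)  # entry limit reached: evict the oldest
        cache[client] = now
        full += 1                      # full handshake, the CPU-expensive path
    return full, resumed


def round_robin(clients, rounds, interval):
    """Constructed workload: every client reconnects once per `interval` seconds."""
    return [(r * interval + c * interval / clients, c)
            for r in range(rounds) for c in range(clients)]


if __name__ == "__main__":
    load = round_robin(clients=1000, rounds=5, interval=60)
    for size, ttl in [(512, 1000), (1024, 1000), (1024, 100)]:
        full, resumed = full_handshakes(load, size, ttl)
        print(f"size={size:4d} timeout={ttl:4d}s full={full} resumed={resumed}")
```

With 1000 active clients, the default 512-entry cache evicts every session before its owner reconnects, so no handshake is ever resumed. A cache larger than the client population removes that thrashing, and a timeout shorter than the reconnect pattern brings the full handshakes back.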

Cross Reference information

| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | Runtimes for Java Technology | Java SDK | | | |