Wire-speed Cryptography for Securing Oracle SOA & Java EE Applications on Solaris
(Emphasis on using Sun Chip Multi-threading (CMT) systems)




Chad Prucha, Solutions Engineer
Ramesh Nagappan, Security Architect
Agenda

• SOA Security : Challenges and Motivators
  > Prejudicial Barriers
  > Relevance of Cryptography in SOA

• Sun CMT and its On-chip Crypto Accelerator
  > Comparing On-chip vs. Off-chip Crypto accelerators
  > Sun CMT Crypto accelerator – How it works?
  > Role of Solaris Cryptographic Framework (SCF)

• Enabling Crypto Acceleration for Oracle SOA
  > SOA Security: Applied Crypto Acceleration

• Realizing Wire-speed Security Performance
  > Performance studies on SSL and WS-Security scenarios

• Adopting Sun CMT Systems for Oracle SOA
  > Security, Virtualization and 10GbE networking
  > Achieving compliance goals – PCI DSS, HIPAA
  > Introduction to Sun CMT Servers family

• Call To Action
• Q&A
Challenges and Motivators
Security Requires a Delicate Balance

[Figure: a balance scale weighing Cost against Risk]
SOA Security : Challenges and Motivators
Fortifying SOA with Bolstering Compliance and Mitigating Risks
• Security is one of today's most critical business challenges.
    > Greater business impact due to increasing threats and application exploits.
    > Increasing need for stronger access control and data security.

• Regulatory statutes require organizations to act proactively to
secure information throughout its business life cycle.
    > PCI DSS, HIPAA, FISMA, EU Data Protection and many more.
    > Mandates to enforce data confidentiality and compliance – negligence claims lead to
       penalties and jail sentences!

• Predictable scalability and performance are critical to supporting
mission-critical application deployments
    > Optimize utilization for QoS demands – e.g. High availability, Reliability
    > Deliver end-to-end security – Network, Communication, Application, Data

• Improve ROI while reducing Cost and Complexity
    > Simplify management while lowering system acquisition and operating costs
SOA Security : Prejudicial Barriers
• Growing IT costs and complexity to identify
and defend against cyber threats.
   > Security overheads lead to performance degradation of
      mission-critical applications.
       – Cryptographic operations and non-deterministic payloads burden CPU and
         network bandwidth.
   > Need for high-performance security solutions that protect
      applications at network speed
       – Increasing costs due to the need for specialized appliances.

• Mounting regulatory pressures to manage
and mitigate risks.
   > Mandates require organizations to ensure compliance with effective
      security controls.
       – End-to-end data protection
       – Stronger access control
       – Tamper-proof audit controls.
   > Need to meet compliance goals and SLAs while avoiding penalties.
Role and Relevance of Cryptography
SOA Security: Using Crypto for Transport/Message/Application-level Security

 • Cryptographic operations play a vital role in SOA security
 and trustworthy Java EE applications.
     >   Confidentiality
     >   Data integrity
     >   Non-repudiation
     >   Access Control.

 • SSL/TLS has been the de facto standard for securing
 application-to-application communication and data in transit.
     > Uses public-key algorithms : RSA, DSA, ECC

 • Securing XML Web services mandates the use of public-key
 encryption and digital signature services
     > To deliver XML message-level confidentiality, integrity and non-repudiation
     > Use standards such as WS-Security (XML Encryption, XML Signature), SAML 2.0, XACML,
         WS-Policy, WS-SecurityPolicy, WS-Trust and Liberty Alliance standards
Adopting Cryptography – Pain points
Know the stumbling issues with adopting Cryptography

• Cryptographic functions tend to consume more CPU and
network bandwidth.
   > Crypto functions are usually compute-intensive operations, which drive up
     CPU and network bandwidth utilization.
• Compelling need to accelerate cryptographic
operations.
   > To avoid performance degradation and meet mission-critical application
     requirements and SLAs.
   > Use of dedicated cryptographic appliances helps eliminate performance
     overheads.
• Increasing costs and complexity with supporting
cryptographic operations
   > On-going acquisition and management costs
   > Integration with user applications and support for virtualized deployments.
SOA Security : Performance Overheads
Understanding SOA performance overheads with SSL and WS-Security

[Chart "SOA Performance Overheads": execution time (in ms), scale 0 to 4.5, for three scenarios: Zero Security, SSL, SSL & WS-Security. Caption: Comparing SSL and WS-Security scenarios in SOA]

    ●       Significant performance overhead occurs after
            introduction of SSL and WS-Security.
Effect of Crypto Acceleration in SOA
Understanding the overheads and relevance of crypto acceleration

[Chart: execution time (in ms), scale 0 to 1, broken into NonSSL, Handshake, RSA, RC4 and MD5 components, for "No accelerator" vs. "Crypto Accelerated". Caption: Comparing SSL scenarios w. Cryptographic Acceleration in SOA]

 ●   Performance gains can be achieved ONLY by
     using hardware-based cryptographic acceleration.
Delivering Sun CMT Based On-Chip Cryptographic Acceleration
Sun Chip Multithreading Technology (CMT)
• Multi-core & Multi-threaded processor
  > 8 Cores/chip & 8 Threads/Core
      – Available as part of UltraSPARC T1/T2 based Sun Servers

• Industry's first “System on Chip” processor technology
  > Integrates computing, networking and security on a single chip.

• Built-in Crypto Accelerator per Core.
  > 8 crypto accelerators per chip
  > Composed of two independent units
      – Modular Arithmetic Unit (MAU) and Cipher/Hash Unit
  > Runs in parallel at core CPU speed and offloads target
     cryptographic operations from CPU.
      – Performs public-key encryption, bulk encryption, hashing and
        random functions at CPU bus speed

[Diagram: per-core crypto unit. Modular arithmetic unit: MA scratchpad (160x64b, 2R/1W), MA sources from FGU, multiply result, MA execution. Cipher/hash unit: DMA engine, Hash Engine, Cipher Engines, store data/address, data to/from L2]

  Sun CMT Servers deliver Wire-speed Crypto Acceleration
CMT Crypto Accelerators and their Ciphers
Understanding Sun CMT processors and supported Ciphers

    • UltraSPARC T1 Processor
       > First generation CMT processor that introduced a built-in cryptographic
         accelerator
       > Capable of accelerating public-key encryption operations.
           – RSA, DSA, Diffie-Hellman

    • UltraSPARC T2 Processor
       > Second-generation CMT processor
       > Crypto accelerators are enhanced to support more cryptographic
          operations.
           – Bulk encryption (RC4, DES, 3DES, AES)
           – Message digests (MD5, SHA-1, SHA-256)
           – Additional public-key encryption (ECC)

    • Both T1 and T2 provide light-weight accelerator
      drivers for Solaris.
       > NCP, N2CP and N2RNG drivers available on Solaris
       > Stateless, fire-and-forget communication – the consumer application
          is informed when the operation is complete.
Sun CMT On-Chip Vs Off-chip Crypto Accelerators
Comparison : Sun Onchip Crypto with Competition Off-chip Accelerators

      Sun On-Chip Accelerator
    • Zero-cost Security
       > No additional investment
       > No installation and tuning
       > Minimal configuration
    • Runs in parallel with CPU speed
       > Offloads target crypto overheads efficiently
       > Object and session size doesn't matter – effective on all
    • Non-Intrusive & Ready-to-use with applications
       > PKCS11 and Solaris Crypto
       > Kernel SSL support
       > Virtualization support

      Off-Chip Accelerator
    • Additional Costs incurred
       > Cost per accelerator
       > Installation and Maintenance required
       > Extensive configuration and testing required
    • Runs as add-on PCI-E device/appliance
       > Not effective on smaller object offloads
       > Limited to No. of SSL sessions or memory size
    • Custom integration required
       > Needs driver configuration and device mapping
       > No out-of-box virtualization
CMT Crypto Acceleration: How it works?
Operational model of Sun CMT based Cryptographic Acceleration
• Access to the CMT cryptographic
  acceleration provider is controlled via the
  Solaris Cryptographic Framework
  (SCF).
  > Applications can access the accelerator via PKCS11
     standard interfaces
      – Most applications can use the Solaris SunPKCS11 provider.
      – SOA and Java EE applications can access it via JCE (Java
        SunPKCS11 provider)
      – OpenSSL interfaces are also supported
  > All requests from user applications traverse from
     userland to the accelerator via the SCF PKCS11
     libraries

• Solaris kernel modules can
  communicate directly with the
  accelerator using SCF.
  > e.g. KSSL and IPSec drivers support this
Solaris Cryptographic Framework (SCF)
●   Common framework for providing cryptographic services for Solaris
    applications and users
●   PKCS11 interfaces for consumers and providers
●   Allows performing, consuming and integrating cryptographic operations and
    providers.
    – Kernel or userland providers
    – Hardware or software based (JCE, NSS, OpenSSL, Files and PKCS11)
●   Implements major Ciphers and algorithms
    – AES, Blowfish, RC4, DES, 3DES, RSA
    – MD5, SHA-1, SHA-256, SHA-384, SHA-512
    – DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC
●   Key Management
●   Optimized for SPARC, Intel and AMD processors

[Diagram: consumers (Apache Web Server via OpenSSL, Sun Java Web Server via NSS, SOA & Java EE via JCE, Commercial App w. PKCS 11) → Consumer Interface (PKCS 11) → Solaris Cryptographic Framework → Provider Interface (PKCS 11) → providers: Sun Software Crypto Plug-in (DES, 3DES, AES, Blowfish, RSA, MD5, SHA_, RC4), Hardware Accelerator (UltraSPARC T1, UltraSPARC T2), Hardware Crypto Accelerator (Third-party)]
Solaris Kernel SSL (KSSL)
• Solaris KSSL
  > Provides an SSL proxy service for applications and performs SSL
    operations right in the Solaris kernel.
  > Integral part of the Solaris Cryptographic Framework (SCF) and makes use
    of its SSL/TLS cipher suites.
  > Supports hardware-based cryptographic accelerators and HSMs
    (via PKCS11) for private key storage.
     – Can use non-extractable RSA private keys stored in an HSM
  > Non-intrusive SSL configuration independent of applications.
     – Managed via Solaris Service Management Facility (SMF)
     – ksslcfg to create and configure the KSSL SMF service
     – FMRI is svc:/network/ssl/proxy
  > Can act as an SSL proxy for both SSL and non-SSL capable
    applications.
  > Delivers 20% - 35% faster SSL performance in comparison with
    traditional application-managed SSL
     – Kernel consumers tend to have less overhead when using hardware accelerators
Sun CMT Cryptographic Acceleration for Oracle SOA/XML Web Services and Java EE Applications
Accelerating SOA Security: Ground Up
Applied SOA Security Use cases with Sun CMT Crypto Acceleration

• Message-layer Security
  > WS-Security (XML Encryption and XML Signature)
      – Use WS-Policy/WS-SecurityPolicy and enable the
        JCE/SunPKCS11 provider configuration for offloading to CMT
        acceleration

• Transport-layer Security
  > SSL/TLS
      – Option 1: Use KSSL as SSL Proxy
      – Option 2: Use Application Server managed SSL and then
        enable the JCE/SunPKCS11 provider configuration for offloading
        to CMT acceleration

• Network-layer Security
  > IPSec enabled
      – Follow the Sun CMT driver configuration guide for IPSec
Anatomy of an SSL Scenario in SOA

[Chart: execution time (AU), scale 0 to 1, for a Web Application, stacked from the bottom: Non SSL (Web payload), Handshake (non-RSA), RSA, RC4, MD5. Annotation: Significant computation time spent on cryptography]
Option 1: Solaris KSSL as SSL Proxy
Non-invasive way for enabling SSL with Sun CMT Crypto Acceleration

  1. Obtain your SSL certificate from your CA
     • Make sure the certificate artifacts (including CA certs) are available in a single file or a
       PKCS11 store.
     • Certificates may need to be in PKCS#12 or PEM formats.
  2. Configure the KSSL proxy and its redirect HTTP/Cleartext port
  3. Verify KSSL using Solaris SMF
  4. Make sure your application/web server listens to the KSSL redirect port
  5. Test for SSL interaction with your target Web server
Option 1: Solaris KSSL as SSL Proxy - Quick Configuration
 1. Obtain your SSL certificate
    > For example using OpenSSL:
       – openssl req -x509 -nodes -days 365 -subj "/C=US/ST=Massachusetts/L=Burlington/CN=myhostname" -newkey rsa:1024 -keyout /etc/pki/mySSLKey.pem -out /etc/pki/mySSLServerCert.pem
       – KSSL requires all certificate artifacts in a single file (in the case of a file-based keystore, concatenate them into a single file);
         otherwise import your certificates into a PKCS#11 keystore.

 2. Configure the KSSL proxy and its redirect HTTP/Cleartext port
       – ksslcfg create -f pem -i /etc/pki/mySSLCerts.pem -x 7001 -p /etc/pki/passwordfile myhostname 443
       – 7001 is the cleartext port (the one your Weblogic application server listens on)

 3. Verify KSSL using Solaris SMF
       – svcs -a | grep "kssl"

 4. Make sure your application/web server listens to the KSSL redirect port
       – Test drive https://myhostname.com:443/
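The KSSL procedure above, steps 1 to 3, as an added shell example (not part of the original deck): it assembles the single PEM file KSSL requires, refuses to continue unless exactly one private key and the certificate chain are present, and builds and runs the ksslcfg command. The paths, the host name "myhostname" and the WebLogic cleartext port 7001 are the slide's; the function names are this example's own, and ksslcfg/svcs are only executed when they exist (i.e. on Solaris).

```shell
#!/bin/sh
# Added example, not from the original deck: drives KSSL steps 1-3 above.
# Paths, host name "myhostname" and the WebLogic cleartext port 7001 follow the
# slide; the function names are this example's own.

# Step 1b: KSSL wants the private key, server certificate and CA chain in one
# PEM file. Concatenate them with owner-only permissions and refuse to continue
# unless exactly one private key and at least one certificate are present.
# Usage: assemble_kssl_pem OUTFILE KEYFILE CERTFILE [CA_CERT...]
assemble_kssl_pem() {
    out=$1; shift
    ( umask 077; cat "$@" > "$out" ) || return 1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$out" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    if [ "$keys" -ne 1 ] || [ "$certs" -lt 1 ]; then
        echo "assemble_kssl_pem: $out has $keys private key(s) and $certs certificate(s)" >&2
        return 1
    fi
}

# Step 2: build the ksslcfg invocation. -x is the cleartext port the application
# server listens on; the last two arguments are the host and SSL port KSSL binds.
# Usage: kssl_create_cmd HOST SSLPORT CLEARTEXTPORT PEMFILE PASSWORDFILE
kssl_create_cmd() {
    printf 'ksslcfg create -f pem -i %s -x %s -p %s %s %s\n' "$4" "$3" "$5" "$1" "$2"
}

# Steps 2-3: create the SMF service and verify it. ksslcfg/svcs exist only on
# Solaris, so the command is printed first and executed only when available.
# Usage: enable_kssl_proxy HOST SSLPORT CLEARTEXTPORT PEMFILE PASSWORDFILE
enable_kssl_proxy() {
    kssl_create_cmd "$@"
    if ! command -v ksslcfg >/dev/null 2>&1; then
        echo "ksslcfg not found (not a Solaris host); skipping" >&2
        return 2
    fi
    ksslcfg create -f pem -i "$4" -x "$3" -p "$5" "$1" "$2" || return 1
    # Expect the svc:/network/ssl/proxy instance for this host/port (assumed to be
    # named kssl-<host>-<port>) to be reported as online.
    svcs -a | grep kssl
}

# Walk the slide's configuration end to end when invoked as: sh kssl-setup.sh run
if [ "${1:-}" = "run" ]; then
    assemble_kssl_pem /etc/pki/mySSLCerts.pem \
        /etc/pki/mySSLKey.pem /etc/pki/mySSLServerCert.pem || exit 1
    enable_kssl_proxy myhostname 443 7001 /etc/pki/mySSLCerts.pem /etc/pki/passwordfile
fi
```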
Option 2: SSL Acceleration for Weblogic
Configuring Weblogic SSL and offload to Sun CMT Crypto Acceleration

1. Set up an SSL listener for your Weblogic Server instance
  > Follow your Admin guide instructions for configuring SSL
  > Install the SSL certificates

2. Enable cryptographic acceleration for Weblogic SSL by
  editing the JRE's SunPKCS11 provider configuration.
  > The SunPKCS11 provider is a generic provider that can utilize any PKCS11 provider
    implementation.
  > The sunpkcs11 configuration file contains the attributes for accessing the
    hardware accelerator.
      – Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg
  > Mechanisms/attributes supported by the underlying hardware accelerator can
     be enabled or disabled in the SunPKCS11 configuration file.
      – Include the RSA mechanisms in the disabledMechanisms list of the SunPKCS11 softtoken.
      – This forces those RSA mechanisms to be performed by NCP (Sun CMT accelerator)

3. Restart the Weblogic server instance.
Example: SunPKCS11 Provider configuration
Disabling Soft-token and enabling RSA mechanisms to use HW accelerator
  name = Solaris
  description = SunPKCS11 accessing Solaris Cryptographic Framework
  library = /usr/lib/$ISA/libpkcs11.so
  handleStartupErrors = ignoreAll
  attributes = compatibility
  disabledMechanisms = {
    CKM_MD2
    CKM_MD5
    CKM_SHA_1
    CKM_SHA256
    CKM_SHA384
    CKM_SHA512
    CKM_DSA_KEY_PAIR_GEN
    CKM_SHA1_RSA_PKCS
    CKM_MD5_RSA_PKCS
    CKM_DSA_SHA1
    CKM_TLS_KEY_AND_MAC_DERIVE
    CKM_RSA_PKCS_KEY_PAIR_GEN
    CKM_SSL3_PRE_MASTER_KEY_GEN
    CKM_SSL3_MASTER_KEY_DERIVE
    CKM_SSL3_KEY_AND_MAC_DERIVE
    CKM_SSL3_MASTER_KEY_DERIVE_DH
    CKM_SSL3_MD5_MAC
    CKM_SSL3_SHA1_MAC
  }
Anatomy of WS-Security Scenario
Enforcing WS-Security in Oracle SOA
• Oracle Fusion Middleware builds on Oracle Weblogic 10.3.x for
  implementing WS-Security 1.1
     – X.509 certificates to sign and encrypt a SOAP message
     – SOAP message targets (SOAP Body, Headers, Elements) are signed and
       encrypted.
     – Authentication token support – username/password, SAML, X.509
• Allows representing WS-Security scenarios using pre-defined
  WS-Policy and WS-SecurityPolicy based assertions.
     – Based on OASIS WS-SecurityPolicy 1.2 and WS-Policy 1.2 specifications
     – Applications use Java annotations to configure security policies
     – Attach a relevant WS-Policy to define a WS-Security scenario
          –   ex. @Policy(uri=policy:Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256)
          –   Refers to the WS-Policy including WS-SecurityPolicy
                 – Service to authenticate the client with a username token
                 – Both request and response messages are encrypted + signed with X509 certificates.
                 – Basic256 identifies the cipher algorithm suite to use.
          –   Alternatively, you may use JAX-WS (Metro) for attaching WS-Policy ( via Netbeans IDE).
Accelerating WS-Security : Configuration
 1. Identify the algorithm suite used in the WS-Policy
   > For example: Basic128Sha256Rsa15 refers to
       –   Encryption algorithm: AES 128
       –   Digest algorithm: SHA256
       –   Symmetric Key Wrap: KwAes128
       –   Asymmetric Key Wrap: KwRSA15
       –   Signature Key Derivation: Psha1L128

 2. Install keys and certificates in a Java keystore or your HSM.
 3. Disable mechanisms in the Java SunPKCS11 provider
   configuration file to force those operations to be performed by
   NCP and N2CP (Sun CMT accelerators)
   > Edit the SunPKCS11 provider configuration file
      – Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg
   > Force the RSA and AES mechanisms to use NCP and N2CP by including them in the
     disabledMechanisms list of the softtoken.
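A check for the SunPKCS11 configuration described on the "Example: SunPKCS11 Provider configuration" slide and in the WS-Security step above, as an added shell example (not part of the original deck). It parses the disabledMechanisms block of a sunpkcs11-solaris.cfg and verifies that the mechanisms you intend to offload (CKM_RSA_PKCS, CKM_AES_CBC are the assumed targets) are not disabled in the Java provider, since a mechanism disabled there is never handed to libpkcs11.so and stays in Java software; it also emits the matching cryptoadm command for the softtoken. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original deck: checks a SunPKCS11 configuration
# against the offload intent described above. Function names are this example's
# own; the softtoken path is the one the deck uses.

# List the mechanism names inside "disabledMechanisms = { ... }", one per line.
# Entries may be whitespace- or comma-separated and may carry '#' comments.
cfg_disabled_mechs() {
    awk '
        /disabledMechanisms[ \t]*=/ { inblk = 1 }
        inblk {
            line = $0; sub(/#.*/, "", line)          # strip comments
            last = (line ~ /}/)                      # closing brace ends the block
            gsub(/[{},=]/, " ", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] ~ /^CKM_/) print f[i]
            if (last) inblk = 0
        }' "$1"
}

# A mechanism disabled in the Java provider config is never handed to
# libpkcs11.so, so it stays in Java software no matter how the softtoken is
# configured. Report any mechanism we intend to offload that is listed there.
# Usage: check_offload_mechs CFGFILE CKM_... [CKM_...]
check_offload_mechs() {
    cfg=$1; shift
    disabled=$(cfg_disabled_mechs "$cfg")
    rc=0
    for m in "$@"; do
        if printf '%s\n' "$disabled" | grep -qx "$m"; then
            echo "$m is disabled in $cfg and will not reach the accelerator" >&2
            rc=1
        fi
    done
    return $rc
}

# The other half of the picture: take the same mechanisms out of the software
# softtoken so the framework routes them to ncp/n2cp (run as root on Solaris).
# Usage: softtoken_disable_cmd CKM_... [CKM_...]
softtoken_disable_cmd() {
    list=$(printf '%s,' "$@"); list=${list%,}
    printf 'cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=%s\n' "$list"
}
```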
Solaris Crypto Admin commands
Provider administration and Kernel Statistics

  • Crypto Provider Administration
    > To display the list of installed providers
        – cryptoadm list -p
    > To display the list of cryptographic mechanisms supported by the provider
        – cryptoadm list -m
    > To install the softtoken provider implementation
        – cryptoadm install provider=/usr/lib/security/$ISA/pkcs11_softtoken.so
    > To disable the selected mechanisms in the softtoken provider
        – cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=<......>
    > To enable the selected mechanisms for the softtoken provider
        – cryptoadm enable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=<.....>

  • Kernel Statistics
    > To report the kernel statistics of the NCP module
        – kstat -n ncp0
    > To report the kernel statistics of the N2CP module
        – kstat -n n2cp0
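Using the kernel statistics above to prove that RSA work actually lands on the accelerator, as an added shell example (not part of the original deck): it takes two "kstat -p -n ncp0" snapshots around a workload and reports the counters that moved. The counter names rsaprivate and rsapublic are assumed to match the ncp0 kstat on your system; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original deck. Counter names (rsaprivate, rsapublic)
# are assumed to match the ncp0 kstat on your system; function names are this
# example's own. Snapshots are taken with "kstat -p", whose lines read
# module:instance:name:statistic<TAB>value.

# Snapshot the NCP (modular arithmetic unit) counters. Solaris only.
ncp_snapshot() { kstat -p -n ncp0; }

# Print "statistic delta" for every numeric counter that changed between two
# snapshot files; non-numeric statistics such as status=online are skipped.
kstat_delta() {
    awk -F'\t' '
        NR == FNR { before[$1] = $2; next }           # first file: baseline
        $2 ~ /^[0-9]+$/ && ($1 in before) && $2 != before[$1] {
            n = split($1, k, ":"); print k[n], $2 - before[$1]
        }' "$1" "$2"
}

# Succeed only if accelerated RSA private-key operations increased, i.e. the
# TLS handshakes or XML signatures really ran on the MAU rather than in software.
rsa_offloaded() {
    kstat_delta "$1" "$2" | awk '$1 == "rsaprivate" && $2 > 0 { ok = 1 } END { exit !ok }'
}

# Run a workload (e.g. a loop of HTTPS requests against the KSSL port) between
# two snapshots and report what the accelerator did. Solaris only.
# Usage: measure_offload 'command line'
measure_offload() {
    b=$(mktemp) || return 1
    a=$(mktemp) || return 1
    ncp_snapshot > "$b"
    sh -c "$1"
    ncp_snapshot > "$a"
    kstat_delta "$b" "$a"
    rsa_offloaded "$b" "$a"; rc=$?
    rm -f "$b" "$a"
    return $rc
}
```

A zero rsaprivate delta after an SSL test is the usual sign that the SunPKCS11 or softtoken configuration is routing RSA to software instead of the MAU.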
Wire-speed SOA Security using Sun CMT – Performance Studies
Sun CMT based SSL Acceleration for Oracle Weblogic : Quick Look

[Chart: horizontal bars for No SSL, Software SSL and Hardware SSL - Sun CMT Acceleration, each showing Hits/Sec, Peak Xfer and Tests/min on a scale from 2.5 to 37.5]
Weblogic SSL Performance on Sun CMT
Predictable SSL performance with/without Sun CMT Crypto Acceleration

[Chart: RSA operations/sec (0 to 40000) vs. # of CMT threads used (1, 8, 16, 32, 64) for three series: SSL w/ RSA-1024 (CMT Accelerated w. Solaris KSSL), SSL w/ RSA-1024 (CMT Acceleration w. JCE/PKCS11), SSL w/ RSA-1024 (No Acceleration)]

                             Using Sun CMT for Weblogic SSL: Comparative Study
                                     Solaris KSSL vs. Sun JCE vs. No Acceleration
                                                          on
                                             Sun SPARC Enterprise T5440
Effect of Weblogic SSL vs. No SSL on Sun CMT
Throughput performance on Sun CMT

[Chart "SSL vs. No SSL": latency in ms (0 to 2.25) at 32 and 64 CMT threads for four series: SSL - JCE (No Acceleration), SSL - JCE (Sun CMT Acceleration), SSL with Solaris KSSL (Sun CMT Acceleration), Zero Security]

                         Using Sun CMT for Weblogic SSL: Comparative Study
                                   Solaris KSSL vs. Sun JCE vs. No Acceleration
                                                        on
                                            Sun SPARC Enterprise T5440
SOA: WS-Security Performance (XML Signature)

[Chart: RSA Signature (RSA Private Ops/sec, 0 to 10000) by RSA keysize, for RSA-2048, RSA-1024 and RSA-512]

                                                  WS-Security (XML Signature) Performance
                                          (Using Basic128Sha256Rsa15 Algorithm Suite in WS-Policy)
                                                                    on
                                                        Sun SPARC Enterprise T5440
SOA Security: SSL and WS-Security Combined

[Chart: throughput (Gb/s) [2kb XML Payload], 0 to 40, vs. CPU utilization in % (12.5 to 100) for two configurations: 1-socket 8-core 1.4GHz Sun UltraSPARC T2 (JCE/PKCS11 - SSL) and 1-socket 8-core 1.4GHz Sun UltraSPARC T2 (Solaris KSSL)]
UltraSPARC T2 Processor Performance
Peak Cryptographic Performance

  Bulk Cipher               Secure Hash               Public key
  Algorithm   Gb/s/chip     Algorithm   Gb/s/chip     Algorithm   Ops/sec/chip
  RC4         83            MD5         41            RSA-1024    37K
  DES         83            SHA-1       32            RSA-2048     6K
  3DES        27            SHA-256     41            ECCp-160    52K
  AES-128     44                                      ECCb-163    92K
  AES-192     36
  AES-256     31

  • Accelerators support most common ciphers, hashes and modes of
    operation

                                                                                  35
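The RSA figures above (slide 35's RSA-1024 and RSA-2048 ops/sec/chip, and slide 33's RSA private-key signature rate by key size) are easiest to understand by measuring the same quantity on your own system. The following Java program is an added example, not code from the slide deck or from Sun/Oracle: it times SHA256withRSA signatures over a constructed 2 KB payload (the payload size the deck's charts use) and reports signatures per second for 1024- and 2048-bit keys. Run with no arguments it uses the JRE's default software RSA provider; given either the name of an already registered SunPKCS11 provider (on Solaris the JRE registers "SunPKCS11-Solaris" from sunpkcs11-solaris.cfg) or the path of a SunPKCS11 configuration file, it routes signing through that provider, which is how the deck's JCE/PKCS11 numbers are obtained. The class name, the 5-second measurement window, the 1024/2048 key sizes and the helper names are my choices; `Provider.configure(String)` is the Java 9+ API for loading a config file.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Random;

/*
 * Added example (not part of the slide deck): single-threaded RSA signature
 * microbenchmark. Reports SHA256withRSA signatures per second for each key size,
 * optionally through a SunPKCS11 provider so that the Solaris Cryptographic
 * Framework (and, on Sun CMT hardware, the on-chip accelerator) performs the RSA
 * private-key operation.
 */
public class RsaSignBench {

    /** Constructed 2 KB payload, matching the 2 KB XML payload size used in the deck's charts. */
    private static byte[] samplePayload() {
        byte[] payload = new byte[2048];
        new Random(42).nextBytes(payload);
        return payload;
    }

    /**
     * Signs the sample payload in a tight loop for the given number of seconds
     * and returns the achieved signatures per second.
     *
     * @param providerName JCE provider to use for the Signature object, or null for the default
     * @param keyBits      RSA modulus size in bits
     * @param seconds      length of the timed run
     */
    static double signOpsPerSec(String providerName, int keyBits, int seconds) throws Exception {
        // The key pair is generated by the default software provider: the deck's SunPKCS11
        // configuration disables CKM_RSA_PKCS_KEY_PAIR_GEN on the soft token, and a deployed
        // server loads its key from a keystore anyway. SunPKCS11 imports a software key into
        // a session object when the Signature is initialised with it.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(keyBits);
        KeyPair kp = kpg.generateKeyPair();

        Signature sig = providerName == null
                ? Signature.getInstance("SHA256withRSA")
                : Signature.getInstance("SHA256withRSA", providerName);
        byte[] payload = samplePayload();

        // Warm-up so JIT compilation and provider initialisation are not counted.
        for (int i = 0; i < 20; i++) {
            sig.initSign(kp.getPrivate());
            sig.update(payload);
            sig.sign();
        }

        long ops = 0;
        long start = System.nanoTime();
        long end = start + seconds * 1_000_000_000L;
        while (System.nanoTime() < end) {
            sig.initSign(kp.getPrivate());
            sig.update(payload);
            sig.sign();
            ops++;
        }
        double elapsedSec = (System.nanoTime() - start) / 1e9;
        return ops / elapsedSec;
    }

    public static void main(String[] args) throws Exception {
        String providerName = null;
        if (args.length > 0) {
            // Either the name of a provider the JRE already registered (e.g. "SunPKCS11-Solaris") ...
            Provider p = Security.getProvider(args[0]);
            if (p == null) {
                // ... or the path of a SunPKCS11 config file (Java 9+ API; on Java 8 use
                // new sun.security.pkcs11.SunPKCS11(path) instead).
                p = Security.getProvider("SunPKCS11").configure(args[0]);
                Security.addProvider(p);
            }
            providerName = p.getName();
        }
        System.out.println("Signature provider: " + (providerName == null ? "JRE default" : providerName));
        for (int bits : new int[] {1024, 2048}) {
            double rate = signOpsPerSec(providerName, bits, 5);
            System.out.printf("RSA-%d SHA256withRSA: %.0f sign ops/sec (single thread)%n", bits, rate);
        }
    }
}
```

Compile and run with `javac RsaSignBench.java && java RsaSignBench`, then again with `java RsaSignBench SunPKCS11-Solaris` (or a config file path) and compare. The result is a single-thread figure; the per-chip numbers on slide 35 assume the work is spread across all hardware threads, so run one instance per thread (or add threads) to approximate them. If a PKCS11 run is not faster than the software run, check with the deck's `cryptoadm list -m` that the RSA mechanisms are disabled on the soft token and so actually reach the hardware provider.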
Achieving
Compliance Objectives

      PCI-DSS
         &
       HIPAA
     Scenarios
                        36
Addressing PCI-DSS Checklists
Adopting Sun CMT for achieving PCI-DSS goals

• Sun CMT can contribute to core
PCI-DSS requirements
   > Requirements 1 through 9
• PCI-DSS Section 2.3
   > Encrypt all administrative access interfaces
      – Use SSH, VPN, SSL/TLS based administrator interactions

• PCI-DSS Section 4.1
   > Use strong cryptography and security protocols such as SSL/TLS or
     IPSec to safeguard sensitive cardholder data during transit over
     public networks.
      – Use SSL/TLS and IPSec for securing transmission over public
        networks




                                                                 37
Addressing HIPAA Compliance
Adopting Sun CMT for achieving HIPAA compliance



• Sun CMT can contribute to HIPAA
data confidentiality requirements
   > CFR 63, No 155, 43255
• Guard against unauthorized access to data
that is transmitted over a
communication network
   > Data confidentiality, Integrity controls
   > Message authentication
       – Encryption and Digital signature mechanisms for LANs or ...
       – Private-wire exception




                                                                        38
Adopting
Sun CMT Servers



                  39
Built-in, On-Chip Wire-speed Security

         • Save Money
            > Don't pay extra for a separate cryptographic processor, and
              keep your PCI-Express slots free for other uses

         • Highest Security with minimal performance impact
            > Supports ten most common ciphers and secure hashing
              functions, including NSA approved algorithms
            > Enable SSL, WS-Security and IPSec
                – Securing Web applications, servers, networks, filesystems

         • Faster Performance
            > Outperforms competing accelerators by more than 10x
            > Avoid the performance penalty previously associated with
              secure operation
                                                                              40
Revolutionary Multi-Threaded Networking
• Integrated 10 gigabit ethernet (10GbE) on the
UltraSPARC T2 processor
• 10GbE on the motherboard of T2 Plus servers
• Save Money
   > Add low-cost XAUI interface cards instead of
     costly 10GbE NICs
• Faster Performance
   > Delivers up to 4x the performance of current
     network interface cards
   > Total bandwidth nearly 40 Gb/sec.
   > On-chip network interface reduces bottlenecks,
     enables faster network access


                                                      41
Introducing
Sun CMT Family



                 42
CMT Product Line
Dramatically Changing Your Business Application ROI

[Figure: Sun CMT product line]
  Sun Blade T6320 and T6340
  Sun SPARC Enterprise T5120
  Sun SPARC Enterprise T5140
  Sun SPARC Enterprise T5220
  Sun SPARC Enterprise T5240
  Sun SPARC Enterprise T5440

                                                                        43
Summary & Call To Action




                           44
Call To Action
 • Visit the Sun booth in Moscone South #1101
   > See the Sun Storage and Server portfolio in person
   > View Sun Oracle solutions that bring Extreme
     Innovation to the Enterprise
   > Talk to Sun experts and leave with answers
   > Get briefed on next-gen Sun Storage and Servers
     under NDA
 • After the show...
   > Feel free to contact us for more information
   > Visit sun.com for our Blueprint on this topic

                                                          45
Thank You
Chad Prucha
Chad.Prucha@sun.com
http://blogs.sun.com/soyuz

Ramesh Nagappan
Ramesh.Nagappan@sun.com
http://www.coresecuritypatterns.com/blogs
                                            46
Sun, Sun Microsystems, the Sun logo, Sun SPARC Enterprise, Sun
Blade, Sun Ultra, Java, Solaris, OpenSolaris, StorageTek, Coolthreads,
GlassFish, Sun Fire, and The Network Is The Computer are trademarks
or registered trademarks of Sun Microsystems, Inc. in the United States
and other countries. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. in
the United States and other countries. Products bearing SPARC
trademarks are based upon an architecture developed by Sun
Microsystems, Inc. AMD, Opteron, the AMD logo, the AMD Opteron
logo are trademarks or registered trademarks of Advanced Micro
Devices. Intel and Intel Xeon are trademarks or registered trademarks
of Intel Corporation or its subsidiaries in the United States and other
countries. ORACLE is a registered trademark of Oracle Corporation.



                                                                          47

Wire-speed Cryptographic Acceleration for SOA and Java EE Security

  • 1. Wire-speed Cryptography for Securing Oracle SOA & Java EE Applications on Solaris (Emphasis on using Sun Chip Multi-threading (CMT) systems) Chad Prucha, Solutions Engineer Ramesh Nagappan, Security Architect 1
  • 2. • SOA Security : Challenges and Motivators > Prejudicial Barriers > Relevance of Cryptography in SOA • Sun CMT and its On-chip Crypto Accelerator > Comparing On-chip vs. Off-chip Crypto accelerators > Sun CMT Crypto accelerator – How it works ? > Role of Solaris Cryptographic Framework (SCF) • Enabling Crypto Acceleration for Oracle SOA > SOA Security: Applied Crypto Acceleration • Realizing Wire-speed Security Performance > Performance studies on SSL and WS-Security scenarios • Adopting Sun CMT Systems for Oracle SOA Agenda > Security, Virtualization and 10GbE networking > Achieving compliance goals – PCI DSS, HIPPA > Introduction to Sun CMT Servers family • Call To Action • Q&A 2
  • 4. Security Requires a Delicate Balance Cost Risk 4
  • 5. SOA Security : Challenges and Motivators Fortifying SOA with Bolstering Compliance and Mitigating Risks • Security is one of today's most critical business challenges. > Greater business impacts due to increasing threats and application exploits. > Increasing need for stronger access control and data security. • Regulatory statutes enforce organizations act proactively secure information throughout its business life cycle. > PCI DSS, HIPAA, FISMA, EU Data Protection and many.. > Mandates to enforce data confidentiality and compliance – Negligence claims leads to penalties and jail sentences ! • Predictable Scalability and Performance is critical to catering mission-critical application deployments > Optimize utilization for QoS demands – ex. High availability, Reliability > Deliver end-to-end security – Network, Communication, Application, Data • Improve ROI while reducing Cost and Complexity > Simplify management while lowering system acquisition and operating costs 5
  • 6. SOA Security : Prejudicial Barriers • Growing IT costs and complexity to identify and defend against cyber threats. > Security overheads leads to performance degradation of mission-critical applications. – Cryptographic operations, Non-deterministic payloads burdens CPU and Network bandwidth. > Need for high-performance security solutions that protects application at network speed – Increasing costs due to need for specialized appliances. • Mounting Regulatory pressures to manage and mitigate risks. > Mandates organizations to ensure compliance with effective security controls. – End-to-end data protection – Stronger access control – Tamper-proof audit controls. > Need to meet Compliance goals, SLAs and avoiding penalties. 6
  • 7. Role and Relevance of Cryptography SOA Security: Using Crypto for Transport/Message/Application-level Security • Cryptographic operations plays a vital role in SOA security and trustworthy Java EE applications. > Confidentiality > Data integrity > Non-repudiation > Access Control. • SSL/TLS has been the de facto standard for securing application-to-application communication and data in transit. > Use Public-key algorithms : RSA, DSA, ECC • Securing XML Web services mandates the use of public- key encryption and digital signature services > To deliver XML message-level confidentiality, integrity and non-repudiation > Use standards such as WS-Security (XML Encryption, XML Signature), SAML 2.0, XACML, WS-Policy, WS-SecurityPolicy, WS-Trust and Liberty Alliance standards 7
  • 8. Adopting Cryptography – Pain points Know the stumbling issues with adopting to Cryptography • Cryptographic functions tends to be consuming more CPU and Network bandwidth. > Crypto functions are usually compute-intensive operations, which taxes high CPU and Network bandwidth utilization. • Compelling need to perform acceleration of Cryptographic operations. > To avoid performance degradation and meet mission-critical application requirements and SLAs. > Use of dedicated cryptographic appliances help eliminate performance overheads. • Increasing costs and complexity with supporting Cryptographic operations > On-going acquisition and management costs > Integration with user applications and support virtualized deployments. 8
  • 9. SOA Security : Performance Overheads Understanding SOA performance overheads with SSL and WS-Security SOA Performance Overheads 4.5 4 3.5 Execution time 3 Zero Security 2.5 SSL SSL & WS-Security (in ms) 2 1.5 1 0.5 0 Comparing SSL and WS-Security scenarios in SOA ● Significant performance overhead occurs after introduction of SSL and WS-Security. 9
  • 10. Effect of Crypto Acceleration in SOA Understanding the overheads and relevance of crypto acceleration 1 NonSSL Handshake RSA RC4 MD5 0.9 0.8 0.7 Execution time 0.6 0.5 (in ms) 0.4 0.3 0.2 0.1 0 No accelerator Crypto Accelerated Comparing SSL scenarios w. Cryptographic Acceleration in SOA ● Performance gains can be achieved ONLY by using hardware-based cryptographic acceleration. 10
  • 11. Delivering Sun CMT Based On-Chip Cryptographic Acceleration 11
  • 12. Sun Chip Multithreading Technology (CMT) Modular arithmetic unit • Multi-core & Multi-threaded processor MA Scratchpad > 8 Cores/chip & 8 Threads/Core 160x64b, 2R/1W MA – Available as part of UltraSPARC T1/T2 based Sun Servers Sources To FGU • Industry's first “System on Chip” rs rs processor technology Multiply Result 1 MA Execution 2 > Integrates computing, networking and security on a single From FGU chip. Store Data, Address Address • Built-in Crypto Accelerator per Core. DMA Engine Data to/from L2 > 8 crypto accelerators per chip > Composed of two independent units Hash Cipher – Modular Arithmetic Unit (MAU) and Cipher/Hash Unit Engine Engines > Runs in parallel at core CPU speed and offloads target cryptographic operations from CPU. Cipher/hash unit – Performs public-key encryption, bulk encryption, hashing and random functions with CPU bus speed Sun CMT Servers deliver Wire-speed Crypto Acceleration 12
  • 13. CMT Crypto Accelerators and its Ciphers Understanding Sun CMT processors and supporting Ciphers • UltraSPARC T1 Processor > First generation CMT processor that introduced built-in Cryptographic accelerator > Capable of accelerating public-key encryption operations. – RSA, DSA, Diffie-Hellman • UltraSPARC T2 Processor > Second-generation CMT processor > Crypto accelerators are enhanced to support more cryptographic operations. – Bulk encryption (RC4, DES, 3DES, AES) – Message digests (MD5, SHA-1, SHA-256) – Additional public-key encryptions (ECC) • Both T1 and T2 provide Light-weight accelerator drivers for Solaris. > NCP, N2CP and N2RNG drivers available on Solaris > Stateless communication just Fire and Forget – Consumer application is informed when operation is complete. 13
  • 14. Sun CMT On-Chip Vs Off-chip Crypto Accelerators Comparison : Sun Onchip Crypto with Competition Off-chip Accelerators Sun On-Chip Accelerator Off-Chip Accelerator • Zero-cost Security • Additional Costs incurred > No additional investment > Cost per accelerator > No installation and tuning > Installation and Maintenance > Minimal configuration required > Extensive configuration and • Runs in parallel with CPU testing required speed • Runs as add-on PCI-E > Offloads target crypto overheads device/appliance efficiently > Not effective on smaller object > Object and session size does'nt offloads matter – effective on all > Limited to No. of SSL sessions or • Non-Intrusive & Ready-to-use memory size with applications • Custom integration required > PKCS11 and Solaris Crypto > Needs driver configuration and > Kernel SSL support device mapping > Virtualization support > No out-of-box virtualization 14
  • 15. CMT Crypto Acceleration: How it works ? Operational model of Sun CMT based Cryptographic Acceleration • Access to CMT cryptographic acceleration provider is controlled via Solaris Cryptographic Framework (SCF). > Applications can access accelerator via PKCS11 standard interfaces – Most applications can use Solaris SunPKCS11 provider. – SOA and Java EE applications can access via JCE (Java SunPKCS11 provider) – OpenSSL interfaces also supported > All requests from user application traverses from userland applications to accelerator via SCF PKCS11 libraries • Solaris kernel modules can communicate directly with accelerator using SCF. > ex. KSSL and IPSec drivers support 15
  • 16. Solaris Cryptographic Framework (SCF) ● Common framework for providing cryptographic services for Solaris Apache Web Server Sun Java Web Server SOA & Java EE applications and users ● PKCS11 interfaces for consumers and OpenSSL NSS JCE providers ● Allows performing, consuming and Commercial App w. PKCS 11 Consumer Interface (PKCS 11) integrating cryptographic operations and providers. – Kernel or userland providers Solaris Cryptographic Framework – Hardware or software based (JCE, NSS, OpenSSL, Files and PKCS11) Provider Interface (PKCS 11) ● Implements major Ciphers and algorithms Sun Software Hardware Hardware – AES, Blowfish, RC4, DES, 3DES, RSA Crypto. Plug-in Accelerator Crypto. (DES, 3DES, UltraSPARC T1 Accelerator – MD5, SHA-1, SHA-256, SHA-384, SHA-512 AES, Blowfish, RSA, UltraSPARC T2 MD5, SHA_, RC4) (Third-party) – DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC ● Key Management ● Optimized for SPARC, Intel and AMD processors 16
  • 17. Solaris Kernel SSL (KSSL) • Solaris KSSL > Facilitates an SSL Proxy service for applications and performs SSL operations right in the Solaris kernel. > Integral part of Solaris Cryptographic Framework (SCF) and makes use of its SSL/TLS cipher suites. > Supports using hardware-based cryptographic accelerators and HSMs (via PKCS11) for Private key storage. – Can use non-extractable RSA private keys stored in HSM > Non-intrusive SSL configuration independent of applications. – Managed via Solaris Service Management Facility (SMF) – ksslcfg to create and configure KSSL SMF service – FMRI is svc:/network/ssl/proxy > Can act as a SSL proxy for both SSL and Non-SSL capable applications. > Delivers 20% - 35% faster SSL performance in comparison with traditional applications managed SSL – Kernel consumers tends to have less overhead when using hardware accelerators 17
  • 18. Sun CMT Cryptographic Acceleration for Oracle SOA/XML Web Services and Java EE Applications 18
  • 19. Accelerating SOA Security: Ground Up Applied SOA Security Usecases with Sun CMT Crypto Acceleration • Message-layer Security > WS-Security (XML Encryption and XML Signature) – Use WS-Policy/WS-SecurityPolicy and enable JCE/SunPKCS11 provider configuration for offloading to CMT acceleration • Transport-layer Security > SSL/TLS – Option 1: Use KSSL as SSL Proxy – Option 2: Use Application Server managed SSL and then enable JCE/SunPKCS11 provider configuration for offloading to CMT acceleration • Network-layer Security > IPSec enabled – Follow Sun CMT driver configuration guide for IPSec 19
  • 20. Anatomy of an SSL Scenario in SOA 1 MD5 0.9 0.8 RC4 0.7 Significant computation time Execution time 0.6 RSA spent on cryptography 0.5 (AU) 0.4 0.3 Handshake (non-RSA) 0.2 0.1 Non SSL (Web payload) 0 Web Application 20
  • 21. Option 1: Solaris KSSL as SSL Proxy Non-invasive way for enabling SSL with Sun CMT Crypto Acceleration 1.Obtain your SSL certificate from your CA • Make sure the certificate artifacts (including CA certs) are available in a single file or a PKCS11 store. • Certificates may need to be in PKCS#12 or PEM formats. 2.Configure the KSSL proxy and its redirect HTTP/Cleartext port 3.Verify KSSL using Solaris SMF 4.Make sure your application/web server listens to the KSSL redirect port 5.Test for SSL interaction with your target Web server 21
  • 22. Option 1: Solaris KSSL as SSL Proxy - Quick Configuration 1.Obtain your SSL certificate > For example using OpenSSL: – openssl req -x509 -nodes -days 365 -subj "/C=US/ST=Massachusetts/L=Burlington/CN=myhostname" -newkey rsa:1024 -keyout /etc/pki/mySSLKey.pem -out /etc/pki/mySSLServerCert.pem – KSSL requires all certificate artifacts in a single file (in case of file based keystore, concatenate them to a single file), otherwise import your certificates to a PKCS#11 keystore. 2.Configure the KSSL proxy and its redirect HTTP/Cleartext port – ksslcfg create -f pem -i /etc/pki/mySSLCerts.pem -x 7001 -p /etc/pki/passwordfile myhostname 443 – 7001 is the cleartext port (Your Weblogic application server listens) 3.Verify KSSL using Solaris SMF – svcs -a | grep "kssl" 4.Make sure your application/web server listens to the KSSL redirect port – Test drive https://myhostname.com:443/ 22
  • 23. Option 2: SSL Acceleration for Weblogic Configuring Weblogic SSL and offload to Sun CMT Crypto Acceleration 1.Setup SSL listener for your Weblogic Server instance > Follow your Admin guide instructions for configuring SSL > Install the SSL certificates 2.Enable cryptographic acceleration for Weblogic SSL by editing JRE's SunPKCS11 provider configuration. > SunPKCS#11 provider is a generic provider to utilize any PKCS11 provider implementation. > The sunpkcs11 configuration file contains the attributes for accessing the hardware accelerator. – Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg > Mechanisms/attributes supported by the underlying hardware accelerator can be enabled or disabled at SunPKCS11 configuration file. – Include the RSA mechanisms in disableMechanisms list of SunPKCS11 softoken. – Helps to force those RSA mechanisms performed by NCP (Sun CMT accelerator) 3.Restart the Weblogic server instance. 23
  • 24. Example: SunPKCS11 Provider configuration Disabling Soft-token and enabling RSA mechanisms to use HW accelerator name = Solaris description = SunPKCS11 accessing Solaris Cryptographic Framework library = /usr/lib/$ISA/libpkcs11.so handleStartupErrors = ignoreAll attributes = compatibility disabledMechanisms = { CKM_MD2 CKM_MD5 CKM_SHA_1 CKM_SHA256 CKM_SHA384 CKM_SHA512 CKM_DSA_KEY_PAIR_GEN CKM_SHA1_RSA_PKCS CKM_MD5_RSA_PKCS CKM_DSA_SHA1 CKM_TLS_KEY_AND_MAC_DERIVE CKM_RSA_PKCS_KEY_PAIR_GEN CKM_SSL3_PRE_MASTER_KEY_GEN CKM_SSL3_MASTER_KEY_DERIVE CKM_SSL3_KEY_AND_MAC_DERIVE CKM_SSL3_MASTER_KEY_DERIVE_DH CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC } 24
  • 25. Anatomy of WS-Security Scenario 25
  • 26. Enforcing WS-Security in Oracle SOA • Oracle Fusion Middleware builds on Oracle Weblogic 10.3.x for implementing WS-Security 1.1 – X.509 certificates to sign and encrypt a SOAP message – SOAP message targets (SOAP Body, Headers, Elements) are signed and encrypted. – Authentication token support – username/password, SAML, X.509 • Allows representing WS-Security scenarios using pre-defined WS-Policy and WS-SecurityPolicy based assertions. – Based on OASIS WS-SecurityPolicy 1.2 and WS-Policy 1.2 specifications – Applications use Java annotations to configure security policies – Attach a relevant WS-Policy to define a WS-Security scenario – ex. @Policy(uri=policy:Wssp1.2-2007-Wss1.0-UsernameToken-Plain-X509-Basic256) – Refers to the WS-Policy including WS-SecurityPolicy – Service to authenticate the client with a username token – Both request and response messages are encrypted + signed with X509 certificates. – Basic256 identifies the cipher algorithm suite to use. – Alternatively, you may use JAX-WS (Metro) for attaching WS-Policy ( via Netbeans IDE). 26
  • 27. Accelerating WS-Security : Configuration 1.Identify the algorithm suite used in the WS-Policy > For example: Basic128Sha256Rsa15 refers to – Encryption algorithm: AES 128 – Digest algorithm: SHA256 – Symmetric Key Wrap: KwAes128 – Asymmetric Key Wrap: KwRSA15 – Signature Key Derivation: Psha1L128 2.Install keys and certificates in Java keystore or your HSM. 3.Disable mechanisms in the Java SunPKCS11 provider configuration file, to force those operations performed by NCP and N2CP (Sun CMT accelerators) > Edit the SunPKCS11 provider configuration file – Located at <weblogic-java-home>/jre/lib/security/sunpkcs11-solaris.cfg > Force the RSA and AES mechanisms to use NCP and N2CP by including them in disableMechanisms list of softtoken. 27
  • 28. Solaris Crypto Admin commands Provider administration and Kernel Statistics • Crypto Provider Administration > To display the list of providers installed – cryptoadm list -p > To display the list of cryptographic mechanisms supported by the provider – cryptoadm list -m > To install the softtoken provider implementation – cryptoadm install provider=/usr/lib/security/$ISA/pkcs11_softtoken.so > To disable the selected mechanisms from the softtoken provider – cryptoadm disable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=<......> > To enable the selected mechanisms for the softtoken provider – cryptoadm enable provider=/usr/lib/security/$ISA/pkcs11_softtoken.so mechanism=<.....> • Kernel Statistics > To report the kernel statistics of NCP module – kstat -n ncp0 > To report the kernel statistics of N2CP module – kstat -n n2cp0 28
  • 29. Wire-speed SOA Security using Sun CMT Performance Studies 29
  • 30. Sun CMT based SSL Acceleration for Oracle Weblogic : Quick Look • No SSL Software SSL Hits/Sec Peak Xfer 2 Tests/min Hardware SSL - Sun CMT Acceleration 2.5 5 7.5 10 12.5 15 17.5 20 22.5 25 27.5 30 32.5 35 37.5 30
  • 31. Weblogic SSL Performance on Sun CMT Predictable SSL performance with/with-out Sun CMT Crypto Acceleration 40000 35000 30000 RSA operations/sec SSL w/ RSA-1024 (CMT Accel- 25000 erated w. Solaris KSSL) SSL w/ RSA-1024 (CMT Accelera- 20000 tion w. JCE/PKCS11) SSL w/ RSA-1024 (No Accelera- tion) 15000 10000 5000 0 1 8 16 32 64 # of CMT threads used Using Sun CMT for Weblogic SSL: Comparative Study Solaris KSSL vs. Sun JCE vs. No Acceleration on Sun SPARC Enterprise T5440 31
  • 32. Effect of Weblogic SSL vs. No SSL on Sun CMT Throughput performance on Sun CMT SSL vs. No SSL 2.25 2 1.75 1.5 Latency in ms SSL - JCE (No Acceleration) 1.25 SSL - JCE (Sun CMT Accelera- tion) 1 SSL with Solaris KSSL (Sun CMT Acceleration) 0.75 Zero Security 0.5 0.25 0 32 Threads 64 Threads No. of CMT threads Using Sun CMT for Weblogic SSL: Comparative Study Solaris KSSL vs. Sun JCE vs. No Acceleration on Sun SPARC Enterprise T5440 32
  • 33. SOA: WS-Security Performance (XML Signature) 10000 RSA Signature (RSA Private Ops/sec) 9000 8000 7000 6000 RSA-2048 5000 RSA-1024 RSA-512 4000 3000 2000 1000 0 Keysize RSA Keysize WS-Security (XML Signature) Performance (Using Basic128Sha256Rsa15 Algorithm Suite in WS-Policy) on Sun SPARC Enterprise T5440 33
  • 34. SOA Security: SSL and WS-Security Combined 1-socket 8-core 1.4GHz Sun UltraSPARC T2 (JCE/PKCS11 - SSL) 1-socket 8-core 1.4GHz Sun UltraSPARC T2 (Solaris KSSL) 40 Throughput (Gb/s) [2kb XML Payload] 35 30 25 20 15 10 5 0 12.5 25 37.5 50 62.5 75 87.5 100 CPU Utilization in % 34
  • 35. UltraSPARC T2 Processor Performance Peak Cryptographic Performance Bulk Cipher Secure Hash Public key Algorithm Gb/s/chip Algorithm Gb/s/chip Algorithm Ops/sec/chip RC4 83 MD5 41 RSA-1024 37K DES 83 SHA-1 32 RSA-2048 6K 3DES 27 SHA-256 41 ECCp-160 52K AES-128 44 ECCb-163 92K AES-192 36 AES-256 31 • Accelerators support most common ciphers, hashes and modes of operation 35
• 36. Achieving Compliance Objectives: PCI-DSS & HIPAA Scenarios
• 37. Addressing PCI-DSS Checklists: Adopting Sun CMT for achieving PCI-DSS goals
  > Sun CMT can contribute to core PCI-DSS requirements (Requirements 1 through 9)
  > PCI-DSS Section 2.3: Encrypt all administrative access interfaces
    – Use SSH, VPN or SSL/TLS for administrator interactions
  > PCI-DSS Section 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transit over public networks
    – Use SSL/TLS and IPsec for securing transmission over public networks
• 38. Addressing HIPAA Compliance: Adopting Sun CMT for achieving HIPAA
  > Sun CMT can contribute to HIPAA data confidentiality requirements (CFR 63, No 155, 43255)
  > Guard against unauthorized access to data that is transmitted over a communication network
    – Data confidentiality and integrity controls
    – Message authentication: encryption and digital signature mechanisms for LANs or ...
    – Private-wire exception
• 40. Built-in, On-Chip Wire-speed Security
  > Save money
    – No separate cryptographic processor to pay for, and your PCI-Express slots stay free for other uses
  > Highest security with minimal performance impact
    – Supports the ten most common ciphers and secure hash functions, including NSA approved algorithms
    – Enables SSL, WS-Security and IPsec
    – Secures web applications, servers, networks and filesystems
  > Faster performance
    – Outperforms competing accelerators by more than 10x
    – Avoids the performance penalty previously associated with secure operation
• 41. Revolutionary Multi-Threaded Networking
  > Integrated 10 gigabit Ethernet (10GbE) on the UltraSPARC T2 processor; 10GbE on the motherboard of T2 Plus servers
  > Save money
    – Add low-cost XAUI interface cards instead of costly 10GbE NICs
  > Faster performance
    – Delivers up to 4x the performance of current network interface cards
    – Total bandwidth nearly 40 Gb/sec
    – On-chip network interface reduces bottlenecks and enables faster network access
• 43. CMT Product Line: Dramatically Changing Your Business Application ROI
  > Sun SPARC Enterprise T5440, T5240, T5220, T5140 and T5120
  > Sun Blade T6340 and T6320
• 44. Summary & Call To Action
• 45. Call To Action
  > Visit the Sun booth in Moscone South #1101
    – See the Sun Storage and Server portfolio in person
    – View Sun Oracle solutions that bring Extreme Innovation to the Enterprise
    – Talk to Sun experts and leave with answers
    – Get briefed on next-gen Sun Storage and Servers under NDA
  > After the show...
    – Feel free to contact us for more information
    – Visit sun.com for our Blueprint on this topic
• 46. Thank You
  Chad Prucha, Chad.Prucha@sun.com, http://blogs.sun.com/soyuz
  Ramesh Nagappan, Ramesh.Nagappan@sun.com, http://www.coresecuritypatterns.com/blogs
• 47. Sun, Sun Microsystems, the Sun logo, Sun SPARC Enterprise, Sun Blade, Sun Ultra, Java, Solaris, OpenSolaris, StorageTek, Coolthreads, GlassFish, Sun Fire, and The Network Is The Computer are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. AMD, Opteron, the AMD logo, the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. ORACLE is a registered trademark of Oracle Corporation.