java - Using SunPKCS11 security provider on Solaris SPARC 11.3 shoots up JVM CPU consumption
We have a Solaris SPARC system (Oracle Solaris 11.3 SPARC) running Apache Tomcat 8.0.41. On this system, we are observing high CPU consumption under a small web server load. Specifically, running 10-15 concurrent HTTPS request threads causes CPU consumption on a 64 vCPU machine to reach 80-90%.
However, when we change the security provider ordering in the java.security file, moving the SunPKCS11 provider to the bottom of the list, CPU consumption goes lower (below 5%) in the same scenarios.
We ran similar tests on an older Solaris 10 SPARC system (Oracle Solaris 10 1/13 SPARC), and there we do not see the problem, though the java.security settings and sunpkcs11-solaris.cfg files are the same on both systems. The Java version being used is the same (1.8.0_131).
My questions:
1. Are there any known issues in the 11.3 version of Solaris SPARC w.r.t. the SunPKCS11 security provider?
2. Is there a workaround/solution for this problem other than changing the security provider order in the java.security file?
Here are the logs output using the -Djava.security.debug=sunpkcs11 option:
sunpkcs11 loading /opt/java/jre/lib/security/sunpkcs11-solaris.cfg
information provider sunpkcs11-solaris
library info:
  cryptokiversion: 2.20
  manufacturerid: oracle corporation
  flags: 0
  librarydescription: sun crypto softtoken
  libraryversion: 1.01
slots: 0
slots tokens: 0
slot info slot 0:
  slotdescription: sun metaslot
  manufacturerid: oracle corporation
  flags: ckf_token_present
  hardwareversion: 0.00
  firmwareversion: 0.00
token info token in slot 0:
  label: sun metaslot
  manufacturerid: oracle corporation
  model: 1.0
  serialnumber:
  flags: ckf_rng | ckf_dual_crypto_operations | ckf_token_initialized
  ulmaxsessioncount: ck_effectively_infinite
  ulsessioncount: 0
  ulmaxrwsessioncount: ck_effectively_infinite
  ulrwsessioncount: 0
  ulmaxpinlen: 256
  ulminpinlen: 1
  ultotalpublicmemory: ck_unavailable_information
  ulfreepublicmemory: ck_unavailable_information
  ultotalprivatememory: ck_unavailable_information
  ulfreeprivatememory: ck_unavailable_information
  hardwareversion: 0.00
  firmwareversion: 0.00
  utctime:
Some of the configuration information:
# pkg info entire
name: entire
summary: entire incorporation including support repository update (oracle solaris 11.3.13.4.0).
description: package constrains system package versions same build. warning: proper system update , correct package selection depend on presence of incorporation. removing package result in unsupported system. more information see: https://support.oracle.com/rs?type=doc&id=2045311.1
category: meta packages/incorporations
state: installed
publisher: solaris
version: 0.5.11 (oracle solaris 11.3.13.4.0)
build release: 5.11
branch: 0.175.3.13.0.4.0
packaging date: september 29, 2016 05:55:02 pm
last install time: may 16, 2017 08:37:07 pm
size: 5.46 kb
fmri: pkg://solaris/entire@0.5.11,5.11-0.175.3.13.0.4.0:20160929t175502z
# virtinfo
name class
logical-domain current
non-global-zone supported
kernel-zone supported
logical-domain supported
# zonename
global
cryptoadm output:
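A diagnostic for the provider-ordering behaviour described in the question, added here as an example and not part of the original post: it prints the effective provider order, shows which provider the JVM selects for a few primitives an HTTPS connector exercises, and times small SHA-256 digests on each provider that offers them. The class name `ProviderCheck`, the algorithm list and the iteration counts are assumptions chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.Mac;

public class ProviderCheck {
    public static void main(String[] args) throws Exception {
        // 1. Effective provider order, as loaded from java.security at JVM start.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d. %s%n", i + 1, providers[i].getName());
        }

        // 2. Provider chosen by default for primitives used in TLS handshakes
        //    and record protection (algorithm list is an assumption of this example).
        System.out.println("SHA-256              -> "
                + MessageDigest.getInstance("SHA-256").getProvider().getName());
        System.out.println("HmacSHA256           -> "
                + Mac.getInstance("HmacSHA256").getProvider().getName());
        System.out.println("AES/CBC/PKCS5Padding -> "
                + Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider().getName());
        System.out.println("SHA256withRSA        -> "
                + Signature.getInstance("SHA256withRSA").getProvider().getName());
        System.out.println("SecureRandom         -> "
                + new SecureRandom().getProvider().getName());

        // 3. Cost of many small digests on every provider that offers SHA-256.
        //    Small inputs make per-call overhead visible rather than raw throughput.
        byte[] block = new byte[64];
        int warmup = 20_000;
        int rounds = 200_000;
        for (Provider p : providers) {
            if (p.getService("MessageDigest", "SHA-256") == null) {
                continue; // this provider has no SHA-256 implementation
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256", p);
            for (int i = 0; i < warmup; i++) {
                md.digest(block); // let the JIT compile the hot path first
            }
            long start = System.nanoTime();
            for (int i = 0; i < rounds; i++) {
                md.digest(block);
            }
            long nsPerOp = (System.nanoTime() - start) / rounds;
            System.out.printf("%-22s %8d ns/digest%n", p.getName(), nsPerOp);
        }
    }
}
```

Run it with the same JRE and java.security file that Tomcat uses, once with each provider ordering, and compare which provider is selected and the per-digest cost on the Solaris 10 and Solaris 11.3 hosts.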