Using the SunPKCS11 security provider with Java on Solaris SPARC 11.3 increases JVM CPU consumption


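We have a Solaris SPARC system (Oracle Solaris 11.3 SPARC) running Apache Tomcat 8.0.41. On this system we see very high CPU consumption even when the web server load is very small. Specifically, running 10-15 concurrent HTTPS request threads drives CPU consumption on this 64 vCPU machine as high as 80-90%.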

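However, when we change the security provider order in the java.security file by moving the SunPKCS11 provider to the bottom of the list, CPU consumption drops significantly (below 5%) in the same scenario.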

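We ran similar tests on an older Solaris 10 SPARC system (Oracle Solaris 10 1/13 SPARC) and did not see this problem, even though the java.security settings and the sunpkcs11-Solaris.cfg file are identical on both systems. The Java version used is also the same (1.8.0131).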

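My questions are:

1. Are there any known issues with version 11.3 of Solaris SPARC w.r.t. the SunPKCS11 security provider?
2. Is there any solution other than changing the security provider order in the java.security file?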

Here is some of the log output produced with the -Djava.security.debug=sunpkcs11 option:

SunPKCS11 loading /opt/java/jre/lib/security/sunpkcs11-solaris.cfg
Information for provider SunPKCS11-Solaris
Library info:
  cryptokiVersion: 2.20
  manufacturerID: Oracle Corporation
  flags: 0
  libraryDescription: Sun Crypto Softtoken
  libraryVersion: 1.01
All slots: 0
Slots with tokens: 0
Slot info for slot 0:
  slotDescription: Sun Metaslot
  manufacturerID: Oracle Corporation
  flags: CKF_TOKEN_PRESENT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 0:
  label: Sun Metaslot
  manufacturerID: Oracle Corporation
  model: 1.0
  serialNumber:
  flags: CKF_RNG | CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: 0
  ulMaxPinLen: 256
  ulMinPinLen: 1
  ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
  ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
  hardwareVersion: 0.00
  firmwareVersion: 0.00
  utcTime:

Some configuration information:

# pkg info entire
             Name: entire
          Summary: entire incorporation including Support Repository Update (Oracle Solaris 11.3.13.4.0).
      Description: This package constrains system package versions to the same
                   build.  WARNING: Proper system update and correct package
                   selection depend on the presence of this incorporation.
                   Removing this package will result in an unsupported system.
                   For more information see:
                   https://support.oracle.com/rs?type=doc&id=2045311.1
         Category: Meta Packages/Incorporations
            State: Installed
        Publisher: solaris
          Version: 0.5.11 (Oracle Solaris 11.3.13.4.0)
    Build Release: 5.11
           Branch: 0.175.3.13.0.4.0
   Packaging Date: September 29, 2016 05:55:02 PM
Last Install Time: May 16, 2017 08:37:07 PM
             Size: 5.46 kB
             FMRI: pkg://solaris/entire@0.5.11,5.11-0.175.3.13.0.4.0:20160929T175502Z

# virtinfo
NAME            CLASS
logical-domain  current
non-global-zone supported
kernel-zone     supported
logical-domain  supported


# zonename
global

Cryptoadm output:

# cryptoadm list -vm


User-level providers:
=====================

Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Number of slots: 1

Slot #1
Description: Sun Crypto Softtoken                                            
Manufacturer: Oracle Corporation              
PKCS#11 Version: 2.20
Hardware Version: 0.0
Firmware Version: 0.0
Token Present: True
Slot Flags: CKF_TOKEN_PRESENT 
Token Label: Sun Software PKCS#11 softtoken  
Manufacturer ID: Oracle Corporation              
Model: 1.0             
Serial Number:                 
Hardware Version: 0.0
Firmware Version: 0.0
UTC Time:                 
PIN Min Length: 1
PIN Max Length: 256
Flags: CKF_RNG CKF_RESTORE_KEY_NOT_NEEDED CKF_DUAL_CRYPTO_OPERATIONS 
Mechanisms:
                                                     E D     S   V   P       E
                                                     n e D   i V e K a   U D C
                                                     c c i   g e r e i   n e  
                                                     r r g S + r + y r W w r C
                                                     y y e i R i R G G r r i a
                                                   H p p s g e f e e e a a v p
Mechanism Name                 Minimum    Maximum  W t t t n c y c n n p p e s
----------------------------- -------- ----------  - - - - - - - - - - - - - -
CKM_CAMELLIA_CBC                    16         32  . X X . . . . . . . X X . .
CKM_CAMELLIA_CBC_PAD                16         32  . X X . . . . . . . X X . .
CKM_CAMELLIA_ECB                    16         32  . X X . . . . . . . X X . .
CKM_CAMELLIA_KEY_GEN                16         32  . . . . . . . . X . . . . .
CKM_DES_CBC                          8          8  X X X . . . . . . . X X . .
CKM_DES_CBC_PAD                      8          8  X X X . . . . . . . X X . .
CKM_DES_ECB                          8          8  X X X . . . . . . . X X . .
CKM_DES_KEY_GEN                      8          8  X . . . . . . . X . . . . .
CKM_DES_MAC_GENERAL                  8          8  X . . . X . X . . . . . . .
CKM_DES_MAC                          8          8  X . . . X . X . . . . . . .
CKM_DES3_CBC                        16         24  X X X . . . . . . . X X . .
CKM_DES3_CBC_PAD                    16         24  X X X . . . . . . . X X . .
CKM_DES3_ECB                        16         24  X X X . . . . . . . X X . .
CKM_DES2_KEY_GEN                    16         16  X . . . . . . . X . . . . .
CKM_DES3_KEY_GEN                    24         24  X . . . . . . . X . . . . .
CKM_AES_CBC                         16         32  X X X . . . . . . . X X . .
CKM_AES_CBC_PAD                     16         32  X X X . . . . . . . X X . .
CKM_AES_CTR                         16         32  X X X . . . . . . . X X . .
CKM_AES_ECB                         16         32  X X X . . . . . . . X X . .
CKM_AES_KEY_GEN                     16         32  X . . . . . . . X . . . . .
CKM_BLOWFISH_CBC                     4         56  . X X . . . . . . . X X . .
CKM_BLOWFISH_KEY_GEN                 4         56  . . . . . . . . X . . . . .
CKM_SHA_1                            0          0  X . . X . . . . . . . . . .
CKM_SHA_1_HMAC                       1         64  X . . . X . X . . . . . . .
CKM_SHA_1_HMAC_GENERAL               1         64  X . . . X . X . . . . . . .
CKM_SHA224                           0          0  X . . X . . . . . . . . . .
CKM_SHA224_HMAC                      1         64  X . . . X . X . . . . . . .
CKM_SHA224_HMAC_GENERAL              1         64  X . . . X . X . . . . . . .
CKM_SHA256                           0          0  X . . X . . . . . . . . . .
CKM_SHA256_HMAC                      1         64  X . . . X . X . . . . . . .
CKM_SHA256_HMAC_GENERAL              1         64  X . . . X . X . . . . . . .
CKM_SHA384                           0          0  X . . X . . . . . . . . . .
CKM_SHA384_HMAC                      1        128  X . . . X . X . . . . . . .
CKM_SHA384_HMAC_GENERAL              1        128  X . . . X . X . . . . . . .
CKM_SHA512                           0          0  X . . X . . . . . . . . . .
CKM_SHA512_HMAC                      1        128  X . . . X . X . . . . . . .
CKM_SHA512_HMAC_GENERAL              1        128  X . . . X . X . . . . . . .
CKM_SSL3_SHA1_MAC                    1        512  . . . . X . X . . . . . . .
CKM_MD5                              0          0  X . . X . . . . . . . . . .
CKM_MD5_HMAC                         1         64  X . . . X . X . . . . . . .
CKM_MD5_HMAC_GENERAL                 1         64  X . . . X . X . . . . . . .
CKM_SSL3_MD5_MAC                     1        512  . . . . X . X . . . . . . .
CKM_RC4                              8       2048  . X X . . . . . . . . . . .
CKM_RC4_KEY_GEN                      8       2048  . . . . . . . . X . . . . .
CKM_DSA                            512       3072  X . . . X . X . . . . . . .
CKM_DSA_SHA1                       512       1024  X . . . X . X . . . . . . .
CKM_DSA_KEY_PAIR_GEN               512       3072  X . . . . . . . . X . . . .
CKM_RSA_PKCS                       256       8192  X X X . X X X X . . X X . .
CKM_RSA_PKCS_KEY_PAIR_GEN          256       8192  X . . . . . . . . X . . . .
CKM_RSA_X_509                      256       8192  X X X . X X X X . . X X . .
CKM_MD5_RSA_PKCS                   256       8192  X . . . X . X . . . . . . .
CKM_SHA1_RSA_PKCS                  256       8192  X . . . X . X . . . . . . .
CKM_SHA224_RSA_PKCS                256       8192  X . . . X . X . . . . . . .
CKM_SHA256_RSA_PKCS                256       8192  X . . . X . X . . . . . . .
CKM_SHA384_RSA_PKCS                256       8192  X . . . X . X . . . . . . .
CKM_SHA512_RSA_PKCS                256       8192  X . . . X . X . . . . . . .
CKM_DH_PKCS_KEY_PAIR_GEN            64       8192  X . . . . . . . . X . . . .
CKM_DH_PKCS_DERIVE                  64       8192  X . . . . . . . . . . . X .
CKM_MD5_KEY_DERIVATION               1         16  X . . . . . . . . . . . X .
CKM_SHA1_KEY_DERIVATION              1         20  . . . . . . . . . . . . X .
CKM_SHA224_KEY_DERIVATION            1         28  . . . . . . . . . . . . X .
CKM_SHA256_KEY_DERIVATION            1         32  . . . . . . . . . . . . X .
CKM_SHA384_KEY_DERIVATION            1         48  . . . . . . . . . . . . X .
CKM_SHA512_KEY_DERIVATION            1         64  . . . . . . . . . . . . X .
CKM_PBE_SHA1_RC4_128                 0          0  . . . . . . . . X . . . . .
CKM_PKCS5_PBKD2                      0          0  . . . . . . . . X . . . . .
CKM_SSL3_PRE_MASTER_KEY_GEN         48         48  . . . . . . . . X . . . . .
CKM_TLS_PRE_MASTER_KEY_GEN          48         48  . . . . . . . . X . . . . .
CKM_SSL3_MASTER_KEY_DERIVE          48         48  . . . . . . . . . . . . X .
CKM_TLS_MASTER_KEY_DERIVE           48         48  . . . . . . . . . . . . X .
CKM_SSL3_MASTER_KEY_DERIVE_DH       48         48  . . . . . . . . . . . . X .
CKM_TLS_MASTER_KEY_DERIVE_DH        48         48  . . . . . . . . . . . . X .
CKM_SSL3_KEY_AND_MAC_DERIVE          0          0  . . . . . . . . . . . . X .
CKM_TLS_KEY_AND_MAC_DERIVE           0          0  . . . . . . . . . . . . X .
CKM_TLS_PRF                          0          0  . . . . . . . . . . . . X .
CKM_EC_KEY_PAIR_GEN                112        571  X . . . . . . . . X . . . .
CKM_ECDSA                          112        571  X . . . X . X . . . . . . .
CKM_ECDSA_SHA1                     112        571  X . . . X . X . . . . . . .
CKM_ECDH1_DERIVE                   112        571  X . . . . . . . . . . . X .

Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
/usr/lib/security/$ISA/pkcs11_tpm.so: no slots presented.

Kernel providers:
=================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC
arcfour: CKM_RC4
blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
camellia: CKM_CAMELLIA_ECB,CKM_CAMELLIA_CBC
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
sha2: CKM_SHA224,CKM_SHA224_HMAC,CKM_SHA224_HMAC_GENERAL,CKM_SHA256,CKM_SHA256_HMAC,CKM_SHA256_HMAC_GENERAL,CKM_SHA384,CKM_SHA384_HMAC,CKM_SHA384_HMAC_GENERAL,CKM_SHA512,CKM_SHA512_HMAC,CKM_SHA512_HMAC_GENERAL,CKM_SHA512_160,CKM_SHA512_160_HMAC,CKM_SHA512_160_HMAC_GENERAL,CKM_SHA512_224,CKM_SHA512_224_HMAC,CKM_SHA512_224_HMAC_GENERAL,CKM_SHA512_256,CKM_SHA512_256_HMAC,CKM_SHA512_256_HMAC_GENERAL
md4: CKM_MD4
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_SHA224_RSA_PKCS,CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS
swrand: No mechanisms presented.
n2rng/0: No mechanisms presented.

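What hardware are the different instances running on? SPARC servers can use hardware-accelerated cryptography, and the SunPKCS11 implementation can use hardware-accelerated cryptography as well. You can set
-Djava.security.debug=sunpkcs11
to get more information. Also, see

Thanks for the java switch, I have added the initial part of the output I got after enabling it. Is there a field whose presence or absence indicates whether a hardware accelerator is present?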
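
The provider-order dependence described in the question can be observed from inside the JVM: the added example below (not code from the original post) prints which provider JCA selects for a set of primitives, then moves any SunPKCS11 provider to the end of the list for the current JVM only and prints the selection again. The class name ProviderCheck and the choice of algorithms, picked to resemble what an HTTPS connector exercises, are assumptions.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;

// Hypothetical diagnostic class; runs on Java 8 and later.
public class ProviderCheck {

    // Print the provider list and the first provider JCA picks per primitive.
    // No key is supplied, so this is the default candidate for each algorithm.
    static void report(String title) throws Exception {
        System.out.println("== " + title + " ==");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d  %s%n", i + 1, providers[i].getName());
        }
        System.out.println("SecureRandom           -> " + new SecureRandom().getProvider().getName());
        System.out.println("MessageDigest SHA-256  -> " + MessageDigest.getInstance("SHA-256").getProvider().getName());
        System.out.println("Mac HmacSHA256         -> " + Mac.getInstance("HmacSHA256").getProvider().getName());
        System.out.println("Cipher AES/CBC         -> " + Cipher.getInstance("AES/CBC/NoPadding").getProvider().getName());
        System.out.println("Cipher RSA             -> " + Cipher.getInstance("RSA/ECB/PKCS1Padding").getProvider().getName());
        System.out.println("Signature SHA256withRSA-> " + Signature.getInstance("SHA256withRSA").getProvider().getName());
        System.out.println("KeyAgreement DH        -> " + KeyAgreement.getInstance("DiffieHellman").getProvider().getName());
        System.out.println("KeyPairGenerator RSA   -> " + KeyPairGenerator.getInstance("RSA").getProvider().getName());
    }

    public static void main(String[] args) throws Exception {
        report("order as configured in java.security");

        // Find a registered PKCS#11 provider (named SunPKCS11-Solaris in the log above).
        Provider pkcs11 = null;
        for (Provider p : Security.getProviders()) {
            if (p.getName().startsWith("SunPKCS11")) {
                pkcs11 = p;
            }
        }
        if (pkcs11 == null) {
            System.out.println("No SunPKCS11 provider registered in this JVM.");
            return;
        }
        // addProvider appends at the lowest preference, which mirrors moving the
        // entry to the bottom of java.security, but only for this process.
        Security.removeProvider(pkcs11.getName());
        Security.addProvider(pkcs11);
        report("SunPKCS11 moved to the end");
    }
}
```

Run it with the same JRE and java.security file that Tomcat uses; lines that name SunPKCS11-Solaris in the first report are the operations routed through the PKCS#11 library under the default order.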