Cryptographic Acceleration for SSL
The SSL hand-shake is computationally expensive. The client needs to send some 'secret' key data to the web server, and this data is encrypted using the server's public key. The server must perform a decrypt operation (modular exponentiation) which is computationally expensive; consequently, the speed of a web server may be limited by the rate at which it can perform this cryptographic operation.
Cryptographic Accelerators
Various vendors provide cryptographic accelerators which can perform modular exponentiation much more efficiently than the general-purpose processor(s) on the hardware which is running the web server. The Zeus Web Server can exploit such hardware to off-load the decrypt operations. This frees your primary processor to serve web pages at full speed!
A cryptographic accelerator comprises a piece of dedicated hardware, on which hand-crafted software performs high-speed cryptographic computations, and a shared (dynamically linked) library on the host computer which is to exploit this accelerator hardware (call this the `host library'). This host library is supplied by your accelerator vendor.
Configuring Zeus
To activate the Zeus SSL daemon, you need to specify how the daemon is to talk to the accelerator and where it is to find the host library. You do this by modifying the $ZEUSHOME/web/global.cfg configuration file:
- tuning!modules!ssld!library
This specifies the Zeus Device Driver library which enables the Zeus SSL daemon to communicate with the host library. If the given name is a relative path (that is, it does not start with a / after any uses of %zeushome% have been translated to the value of $ZEUSHOME), it is assumed to be given relative to the directory $ZEUSHOME/web/lib/.
- tuning!modules!ssld!libdir
This indicates the directory in which the host library (or libraries) will be found; if necessary, several directories may be given as a colon-separated list, for example:
tuning!modules!ssld!libdir /usr/lib:/usr/local/lib
There is no need to mention directories in the standard shared library search path (LD_LIBRARY_PATH or SHLIB_PATH).
If no Zeus Device Driver library is specified, the Zeus Web Server will do its own cryptography. It will not start up an SSL daemon, and all other SSLD configuration parameters will be ignored.
If the Device Driver library is specified but the SSL daemon has trouble deploying it - perhaps because the hardware is inaccessible - the Zeus Web Server will transparently fall back on doing its cryptographic computations internally.
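As an added example (not part of the Zeus documentation or product), the following Python script applies the resolution rules above to a constructed global.cfg fragment: it expands %zeushome%, resolves a relative library name against $ZEUSHOME/web/lib/, splits the colon-separated libdir, and flags a driver library that cannot be found, since Zeus would otherwise fall back to software cryptography without refusing to start. The line layout of global.cfg (key, space, value) is inferred from the snippets on this page.

```python
import os
from typing import Dict, List

# Constructed fragment in the 'key value' layout the page shows; not a real global.cfg.
SAMPLE_CFG = """\
tuning!modules!ssld!library libZnFast.so
tuning!modules!ssld!libdir /opt/nfast/lib:/usr/local/lib
tuning!modules!ssld!queuelen 256
"""

def parse_global_cfg(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; a later duplicate key overrides an earlier one."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def resolve_ssld(cfg: Dict[str, str], zeushome: str) -> dict:
    """Rules from the text: no library -> software crypto, other ssld keys ignored;
    %zeushome% expanded first; a path not starting with '/' is taken relative to
    $ZEUSHOME/web/lib/; libdir is a colon-separated list; defaults 128 and 64."""
    lib = cfg.get("tuning!modules!ssld!library", "")
    if not lib:
        return {"mode": "software", "library": None, "libdirs": []}
    lib = lib.replace("%zeushome%", zeushome)
    if not lib.startswith("/"):
        lib = os.path.join(zeushome, "web", "lib", lib)
    libdirs = [d for d in cfg.get("tuning!modules!ssld!libdir", "").split(":") if d]
    return {
        "mode": "ssld",
        "library": lib,
        "libdirs": libdirs,
        "nworkers": int(cfg.get("tuning!modules!ssld!nworkers", "128")),
        "queuelen": int(cfg.get("tuning!modules!ssld!queuelen", "64")),
    }

def check_ssld(settings: dict) -> List[str]:
    """Pre-restart check: a missing driver library is not a startup error, Zeus
    silently falls back to software crypto, so it is worth catching beforehand."""
    problems: List[str] = []
    if settings["mode"] == "software":
        return problems
    if not os.path.isfile(settings["library"]):
        problems.append(f"library not found: {settings['library']} (would fall back to software)")
    problems += [f"libdir missing: {d}" for d in settings["libdirs"] if not os.path.isdir(d)]
    return problems
```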
Tuning Zeus
The Zeus SSL daemon endeavours to get the maximum throughput from your acceleration hardware. It manages multiple concurrent requests, and maintains a queue of pending requests so that the hardware is not overloaded. If the hardware is operating at maximum performance, the Zeus Web Server will fall back to performing some of the requests in software, and if the hardware fails, the Web Server will automatically perform all subsequent requests in software.
You can tune the maximum concurrency and queue size that the SSL daemon manages. You should not need to modify the parameters for a real-life deployment:
- tuning!modules!ssld!nworkers
This specifies a limit on the maximum number of concurrent requests the SSL daemon will sustain with the hardware device. The default value is 128.
- tuning!modules!ssld!queuelen
This specifies the length of queue to be used by the Zeus SSLD. Requests which cannot be started immediately (because the maximum number of concurrent requests has been reached) are added to this queue. The requests are serviced as the current requests complete. This defaults to 64.
If the SSLD queue fills up with pending requests, Zeus will log a warning message to $ZEUSHOME/web/log/errors saying that the SSLD sub-system is `over-busy'. In this case, requests will be serviced directly in software until the SSL daemon becomes free to accept more requests, and it may be a good idea to specify higher values for the queuelen and nworkers parameters.
If the SSLD daemon becomes unresponsive, the Web Server will transparently switch to performing all cryptographic operations in software.
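To see how nworkers and queuelen interact, here is an added Python model (written for this page, not Zeus code) of the dispatch policy just described: requests beyond nworkers wait in the queue, and requests beyond queuelen are served in software, which is the `over-busy' condition. The per-request hardware service time in ticks is an assumed modelling parameter.

```python
from typing import Dict, List

def simulate_ssld(arrivals: List[int], nworkers: int = 128, queuelen: int = 64,
                  service_ticks: int = 2) -> Dict[str, int]:
    """Tick-based model (assumed, not Zeus's implementation) of the SSLD policy:
    up to nworkers requests are in flight on the hardware, up to queuelen more
    wait in the queue, and anything beyond that is served in software in the
    web server process, which is when the `over-busy' warning would be logged.
    arrivals[i] is the number of handshakes arriving in tick i; each hardware
    request holds a worker slot for service_ticks ticks."""
    in_flight: List[int] = []      # remaining ticks for each hardware request
    queued = 0
    stats = {"hardware": 0, "software": 0, "over_busy_ticks": 0, "peak_queue": 0}
    for n in arrivals:
        # Hardware completions free worker slots, which the queue refills first.
        in_flight = [t - 1 for t in in_flight if t > 1]
        while queued and len(in_flight) < nworkers:
            in_flight.append(service_ticks)
            queued -= 1
        overflowed = False
        for _ in range(n):
            if len(in_flight) < nworkers:
                in_flight.append(service_ticks)
                stats["hardware"] += 1
            elif queued < queuelen:
                queued += 1                  # will reach the hardware later
                stats["hardware"] += 1
            else:
                stats["software"] += 1       # queue full: served in-process
                overflowed = True
        if overflowed:
            stats["over_busy_ticks"] += 1
        stats["peak_queue"] = max(stats["peak_queue"], queued)
    return stats
```

With the defaults, a burst of 200 simultaneous handshakes sends 128 to the hardware, parks 64 in the queue and serves 8 in software; raising queuelen absorbs such bursts, while raising nworkers only helps if the device can actually sustain more concurrent operations.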
As ever, when modifying $ZEUSHOME/web/global.cfg, your configuration changes will not take effect until you restart the web server using:
$ZEUSHOME/web/rc stop
$ZEUSHOME/web/rc start
Example Configurations
The Zeus Web Server comes with a selection of SSLD libraries; which of these are available will depend on availability of host libraries for the platform on which you are running the web server.
- libZsoft.so
  This `pure software' SSLD library does not use an accelerator; it only moves the cryptographic computations out of the web server so that they are run by a separate process. Your web server's performance using it should be roughly the same as if the SSL daemon were not being used, since the cryptographic computations are still performed on the same processor as is running the web server. Since the software SSLD library does not depend on external hardware (or software), it has no need of a libdir; the configuration for it is simply
  tuning!modules!ssld!library libZsoft.so
- libZnFast.so
  This supports the nCipher® nFast® family of products. It uses the CHIL® (hardware crypto hook) interface, whose host libraries are generally to be found in /opt/nfast/lib/, so the standard configuration is
  tuning!modules!ssld!library libZnFast.so
  tuning!modules!ssld!libdir /opt/nfast/lib
- libZcryptoSwift.so
  This supports the Rainbow Technologies CryptoSwift® accelerator. Since the CryptoSwift® installation generally places its host libraries in /usr/lib/, the standard configuration is
  tuning!modules!ssld!library libZcryptoSwift.so
  tuning!modules!ssld!libdir /usr/lib
The Zeus Device Driver library files supported by your platform are located in $ZEUSHOME/web/lib/; their names begin `libZ' and end `.so':
$ cd $ZEUSHOME/web/lib
$ ls libZ*.so
The following table lists the support available at the time of this product release. Zeus are actively working with several hardware vendors to enable support for a range of hardware and OS platforms.
platform          nFast   CryptoSwift
Sun Solaris       yes     E/N
Linux 2.2.5-15    yes     PCI
HP-UX 10.20       yes     E/N
If you have, or are considering using, an unsupported hardware or OS platform, please contact Zeus Technical Support (support@zeus.com) for information on the most recent hardware compatibility list.