WSS4J's performance issue is widely known. W3C is working on new specs to speed things up,
stay tuned.
----- Original Message -----
From: "Shawn McKinney" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, October 10, 2008 10:49 AM
Subject: Re: WSS4J 1.5.4 Encryption Performance Question


Here are some jar versions being used in test:

29 AXIS 2 Client JARS:

1. activation.jar
2. addressing-1.4.jar
3. axiom-api-1.2.7.jar
4. axiom-dom-1.2.7.jar
5. axiom-impl-1.2.7.jar
6. axis2-codegen-1.4.jar
7. axis2-kernel-1.4.jar
8. backport-util-concurrent-3.1.jar
9. commons-codec-1.3.jar
10. commons-fileupload-1.2.jar
11. commons-httpclient-3.1.jar
12. commons-logging-1.1.1.jar
13. FastInfoset.jar
14. geronimo-stax-api_1.0_spec-1.0.1.jar
15. mail.jar
16. neethi-2.0.4.jar
17. opensaml-1.1.jar
18. rampart-1.4
19. rampart-core-1.4.jar
20. rampart-policy-1.4.jar
21. rampart-trust-1.4.jar
22. serializer-2.7.1.jar
23. woden-api-1.0M8.jar
24. wsdl4j-1.6.2.jar
25. wss4j-1.5.4.jar
26. wstx-asl-3.2.4.jar
27. xalan-2.7.1.jar
28. XmlSchema-1.4.2.jar
29. xmlsec-1.4.0.jar



--- On Fri, 10/10/08, Shawn McKinney <[EMAIL PROTECTED]> wrote:

From: Shawn McKinney <[EMAIL PROTECTED]>
Subject: Re: WSS4J 1.5.4 Encryption Performance Question
To: [email protected]
Date: Friday, October 10, 2008, 11:20 AM
Apologize for duplicate post but had the client-side
configuration details wrong.

Here goes again:

*******************************

We have been using Axis1 and WSS4J in production for 3
years now.  Our token configuration varies by client but
typically is Usernametoken encrypt, timestamp with nonce.

Recently we have begun the preparations to convert our
clients and services to support Axis2 and Rampart.

Out of this effort I have been running micro benchmarks for
the following 4 scenarios:

UNT1: Usernametoken, unencrypt, unsigned, timestamp, nonce
UNT2: Usernametoken, unencrypt, signed, timestamp, nonce
UNT3: Usernametoken, encrypt, signed, timestamp, nonce
UNT4: Usernametoken, encrypt, signed, timestamp, nonce

Each of the 4 scenarios is encrypting and signing the
username token itself.  No encryption of elements within the XML
payload has been benchmarked.

The test results show:
  * signing username token is relatively inexpensive.
  * encrypting username token is relatively expensive.

Related to 2nd bullet above.  Is there something we are
doing wrong?  Our results show a 35% dropoff in overall
throughput when enabling encryption of the username token.
Are these results consistent with others' findings on same,
or are we likely doing something wrong here?

More details on the tests can be found below:

Client Machine 1:
 * AMD 64 Dual Core
 * 2 GHz, 2 GB RAM
 * WinXP
 * Axis2 client driven by Jmeter

Server Machine 2:
 * Intel Dual core
 * 2 GHz, 3 GB RAM
 * Linux - Centos 5
 * Running in Tomcat 5.5.x

* Both machines using Java 1.5

Test Objective:
    * Compare the 4 UNT types, measure relative performance costs for performing cryptographic functions.

4 Test Cases:
    * 10 threads X 5000 service transactions = 50K transactions per test.

Benchmark Summary
1. UNT1
i.   Avg response time: 116 ms
ii.  Avg throughput: 85.2/s
iii. Avg CPU utilization (client): 37%

2. UNT2
i.   Avg response time: 127 ms
ii.  Avg throughput: 78.3/s
iii. Avg CPU utilization (client): 42%

3. UNT3
i.   Avg response time: 177 ms
ii.  Avg throughput: 56.2/s
iii. Avg CPU utilization (client): 34%

4. UNT4
i.   Avg response time: 181 ms
ii.  Avg throughput: 54.8/s
iii. Avg CPU utilization (client): 36%


Client-side config:
<parameter name="OutflowSecurity">
 <action>
    ...

  <!-- UNT1: -->
  <items>UsernameToken Timestamp</items>

  <!-- UNT2: -->
  <!--items>UsernameTokenSignature Timestamp</items-->

  <!-- UNT3: -->
  <!--items>UsernameToken Encrypt Timestamp</items-->

  <!-- UNT4: -->
  <!--items>UsernameTokenSignature Encrypt Timestamp</items-->

  ...

  <passwordType>PasswordText</passwordType>
  <addUTElements>Nonce Created</addUTElements>
  <encryptionParts>{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</encryptionParts>
  <signatureParts>{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken</signatureParts>
 </action>
</parameter>



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
