High Performance Security for Oracle Database and Fusion Middleware Applications Using SPARC T4
Total Page:16
File Type:pdf, Size:1020Kb
An Oracle Technical White Paper April 2012 High Performance Security For Oracle Database and Fusion Middleware Applications using SPARC T4 High performance Security for Oracle Database and Fusion Middleware Applications using SPARC T4 Introduction ......................................................................................................... 3 Target Audience and Assumed Knowledge ......................................................... 3 The Role of Oracle SPARC T4 Processor in Application Security ........................ 4 Oracle SPARC T4 – Integrated Cryptographic Acceleration ................................ 5 Cryptographic Operational Models: SPARC T4 versus SPARC T3 ................. 7 The Role of Oracle Solaris Cryptographic Framework ..................................... 7 Oracle SPARC T4: High Performance Security Characteristics ........................... 8 Hardware and Software Environments Used ................................................... 8 Oracle WebLogic Security – SSL/TLS Performance ........................................ 8 Oracle Fusion Middleware Security – WS-Security Performance ..................... 9 Oracle Database Security – TDE Performance .............................................. 10 Enabling Cryptographic Acceleration For End to End Security .......................... 13 Oracle Fusion Middleware: Applied Security Scenarios ..................................... 13 Transport-Layer Security Acceleration ............................................................... 14 Using Sun JCE .............................................................................................. 14 Accelerating SSL using SunPKCS11 Provider ........................................................ 15 Accelerating SSL using Oracle Ucrypto Provider ..................................................... 16 Using Solaris KSSL ....................................................................................... 16 Configuring KSSL for WebLogic SSL Acceleration .................................................. 18 Using OpenSSL Certificates (Flat-file Keystore) ...................................................... 18 Using PKCS#11 based Keystores and Hardware Security Modules ....................... 19 Using SSL Cipher Suites .......................................................................................... 20 Using Apache Web Server SSL ..................................................................... 20 Message-Layer Security Acceleration................................................................ 21 Accelerating Message-Layer Security using Oracle WSM ............................. 21 Verifying Hardware-Assisted Security for Oracle Fusion Middleware ............. 29 Oracle Database Security Using Oracle SPARC T4 Processor ......................... 30 Transparent Data Encryption (TDE): Applied Scenarios ................................ 31 High performance Security for Oracle Database and Fusion Middleware Applications using SPARC T4 Master key Management using Solaris PKCS#11 Softtoken .......................... 32 Accelerating Tablespace Encryption .............................................................. 33 Testing and Verifying Oracle TDE on Oracle SPARC T4 and Solaris 11 ................ 33 Accelerating Oracle Network Data Encryption ............................................... 36 Verifying Hardware-Assisted Security for Oracle TDE ................................... 36 Securing Data at Rest using ZFS Encryption ..................................................... 37 Summary ........................................................................................................... 37 Further References............................................................................................ 39 High performance Security for Oracle Database and Fusion Middleware Applications using SPARC T4 Introduction This document presents the high performance security characteristics of using the cryptographic acceleration capabilities of Oracle SPARC T4 processor based Servers for Oracle Fusion Middleware and Oracle Database applications. This document explores the technical details of Oracle SPARC T4 processor’s high-performance cryptography features and its applied techniques to secure Oracle Weblogic server, Oracle Fusion Middleware and Oracle Database server based applications. In addition, it also drills down on the technical pre-requisites, configuration, and deployment and its verification guidelines for delivering Oracle SPARC T4 hardware-assisted cryptographic acceleration solutions for end-to-end application security scenarios where the use of cryptography is deemed critical. The derived high performance security benefits can be leveraged into different application solutions of Oracle “Red Stack” that represents the complete set of application software, middleware and infrastructure software. Target Audience and Assumed Knowledge This document is intended for security enthusiasts, developers and administrators of Oracle Weblogic server, Oracle Fusion Middleware, Oracle Database and Solaris deployed applications, who have been tasked to design, deploy and integrate the on-chip cryptographic capabilities of Oracle SPARC T4 processor based servers. The developers and administrators should be familiar with the installation of Oracle SPARC T4 processor based servers, Oracle Solaris 11, Oracle Database Advanced Security for Transparent Data Encryption features, Oracle WebLogic server and Fusion Middleware security techniques for secure communication using SSL/TLS protocols and secure XML Web services using WS-Security standards. 3 High performance Security for Oracle Database and Fusion Middleware Applications using SPARC T4 The Role of Oracle SPARC T4 Processor in Application Security As security has taken unprecedented importance in all facets of the IT industry, today organizations are proactively adopting to cryptographic mechanisms to protect their business information from internal and external threats, unauthorized access and also to ensure its confidentiality and integrity during transit and storage. Cryptographic operations are heavily compute- intensive which burdens the host system with additional CPU cycles and network bandwidth resulting significant degradation of overall throughput of the system and its hosted applications. For example, a host server capable of processing 1000 transactions per second can perform only 10 transactions per sec after deploying SSL for securing the hosted application. To speed up cryptographic performance, security experts often recommend and use cryptographic accelerator appliances to offload cryptographic operations and save CPU cycles for enhancing the system throughput and its hosted applications. While useful, adopting a specialized appliance for offloading cryptographic operations introduces a new set of complexities and issues in terms of additional installation, configuration and testing procedures that significantly increases the power demands and costs of deployment projects. Foreseeing the need for special-purpose hardware that can outpace workload demands, Oracle introduced the industry's fastest on-chip hardware cryptographic capabilities into its family of Oracle SPARC T-series processors - UltraSPARC® T1, T2, T2 Plus, T3 and T4 processors equipped with CoolThreads™ technology. The following graph (Refer Figure 1) presents the security performance gains achieved by the Oracle SPARC T4 processor based on-core cryptographic instructions (hardware acceleration) for a Web application security (SSL/TLS communication scenario) in comparison with just using software-managed cryptographic operations (no acceleration). Figure 1: Web Application Security: No Acceleration vs. SPARC T4 Hardware Acceleration 4 High performance Security for Oracle Database and Fusion Middleware Applications using SPARC T4 Oracle SPARC T4 – Integrated Cryptographic Acceleration The Oracle’s new SPARC T4 processor is the fifth generation of Oracle SPARC T-series processors family that represents a fundamental redesign of the core within a SPARC multi- core/multi-threaded processor architecture. By redesigning the cores within each processor, introducing a new floating-point pipeline and further increasing network bandwidth, the new T4 processor is able to provide approximately 5X the single-threaded throughput gains comparing to its predecessor SPARC T3 processor. The T4 processor provides 64 threads per processor, on-chip memory management, two 10 GbE interfaces, dual on-chip based PCIe Generation 2 root complexes, on-chip/on-core based cryptographic acceleration and hardware-enabled virtualization capabilities. As a result, The SPARC T4 processor eliminates the need for expensive custom hardware and software development by integrating computing, security, and I/O onto a single chip. The SPARC T4 processor is shown in Figure 2. Figure 2: Oracle SPARC T4 processor The Oracle SPARC T4 features on-core cryptographic algorithms made available as unprivileged ISA instructions. To support cryptographic operations, each core of the Oracle SPARC T4 processor contains a Stream Processing Unit (SPU) that performs cryptographic functions at the same clock speed as the core. The SPU on each is implemented within the core pipelines, accessible by 29 new user-level instructions for performing cryptographic functions. During a cryptographic operation, the cryptographic function will leverage SPU and also use parts of Floating Point/Graphics Unit (FGU) and Integer