Home » RDBMS Server » Performance Tuning » SSL on database connections (Oracle EE ver 11, linux)
icon5.gif  SSL on database connections [message #568195] Wed, 10 October 2012 03:46 Go to next message
ndg123
Messages: 3
Registered: October 2012
Location: UK
Junior Member
Can any one offer some insight into the overheads for mutally authenticated SSL for database connections? This is over a fast local network, to a RAC cluster, with DB firewall in front. There's always a large element of "it depends", but your experience/insight would be valuable

Information I'm interested in are things like latency for initial session setup and subsequent data transfer. Also the increase in network packet size, and the increase in CPU cost for the database server. I guess there is some implications for session memory usage as well.

thanks in advance

Re: SSL on database connections [message #568203 is a reply to message #568195] Wed, 10 October 2012 04:22 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
I would not recommend SSL to connect to Oracle database but use native Oracle sqlnet encryption.
The performances are much better (from my own benchmarks) and it is very easy to set (a couple of parameters in sqlnet.ora, 5 minutes maximum to set it up).

Regards
Michel
Re: SSL on database connections [message #568214 is a reply to message #568203] Wed, 10 October 2012 04:45 Go to previous messageGo to next message
ndg123
Messages: 3
Registered: October 2012
Location: UK
Junior Member
Thanks for your reply Michel.

I am also wary about using SSL and trying to get some data about what it will mean - plus any mitigations/tuning if we do have to use it. I think the main driver for using it is mutual authentication rather than data integrity/privacy.

What were the findings of your benchmarking ? Appreciate the data might be lost in the mists of time, but if you can remember the overall outcomes it would be helpful.
Re: SSL on database connections [message #568217 is a reply to message #568214] Wed, 10 October 2012 05:01 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Sorry I have no more the details but what I can remember is that SSL roundtrips to authenticate at connection time was some quite long (about 30s) so we quickly removed this option and investigate further on native Oracle encryption (which I agree is not for you given your issue) performances.

Regards
Michel
Re: SSL on database connections [message #568235 is a reply to message #568195] Wed, 10 October 2012 05:36 Go to previous message
ndg123
Messages: 3
Registered: October 2012
Location: UK
Junior Member
The SSL handshake involves several network round trips, with some CPU intensive crypto. I'd expect this to be tens of milliseconds on two local/adjacent machines. To be honest I think 30 seconds would indicate a problem with the setup but appreciate you would have investigated it. But in any case I don't like the implications when a failover takes place.

After handshaking, I anticipate some additional time and CPU for encryption/decryption, plus headaches caused by the network transmission overheads (packet size/segment size mismatches etc). Any additional latency is going to add up with many round trips for a query & resulting data set.

Any one else got some experiences in this area ? Including gotchas/tuning hints seeing as its likely to go ahead !

Nick
Previous Topic: cluter in index
Next Topic: Improve performance postgre
Goto Forum:
  


Current Time: Thu Mar 28 09:55:49 CDT 2024