[SoapRMI] RE: gsi is very slow with XSOAP

Jarek Gawor gawor_at_mcs.anl.gov
Thu, 28 Mar 2002 11:47:02 -0600


Hey Warren,

> Warren Smith wrote:
>
> > More importantly, we've found that using cog_delegation is amazingly,
> > unbearably slow. I timed it at about 25-30 seconds for the first method
> > call on a relatively new Sun box. This is much too slow for us to use. I
> > assume that it is CoG that is slow, not XSOAP, but do you know if the
> > globus folks are working on this?

Yes, this is way too slow. What VM version are you using? You can enable
debugging in cog to see exactly where it gets stuck. The actual problem is
not delegation but secure seed generation. However, once the seed is
generated everything will work fine. Under Linux for example, we use an
optimization to obtain the secure seed from a '/dev/urandom' device and so
the start up time is much faster.

> hi,
>
> i heard they plan to move away from IAIK in direction of JSSE and/or
> open source SSL toolkit but did not hear recently anything about it.
>
> > Do you have any ideas for how it can
> > be sped up?

We are currently working on the new API based on JSSE.... There are two ways
to speed it up. One is to install the /dev/urandom device on your machine
(the last time I looked it was supported under Solaris - it comes standard
with Linux). Another way is to implement a faster seed generator (it can be
easily plugged into Java and will work with any SSL impl.). However, the main
problem with implementing a seed generator is implementing it correctly so
it truly returns a random number....

> when we add HTTP keep-alive on client side then at least this cost will
> be only in the first method call and next calls will be using already
> opened SSL channel ...
>
> > I tried using just "cog" for the security model to see if
> > that would do no delegation and go faster but it didn't seem to have any
> > effect.
>
> it *should* be faster!

It's really the seed generator that takes a while.

> > Is the IAIK library very slow? If CoG could be moved to JSSE,
> > would that help?
>
> SSL initial handshake is slow and using Java does not help. i do not
> think that JSSE is much faster but do not have any hard data about it.

No, it won't help. It's the seed algorithm impl. issue.

Jarek
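
The following is an added example, not part of the original message and not CoG or IAIK code. It times the first output of a standard JDK `SecureRandom` when it seeds itself and when it is seeded with bytes read from `/dev/urandom`, which are the two cases discussed in the thread. The class name `SeedTiming` and its helper methods are hypothetical; the example assumes the JDK's built-in `SHA1PRNG` algorithm and a readable `/dev/urandom`.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class SeedTiming {
    // Read n seed bytes from the kernel's non-blocking entropy device.
    static byte[] readUrandom(int n) throws IOException {
        byte[] seed = new byte[n];
        try (DataInputStream in =
                 new DataInputStream(new FileInputStream("/dev/urandom"))) {
            in.readFully(seed); // fail rather than accept a short read
        }
        return seed;
    }

    // Time creation plus first output of a SHA1PRNG.
    // seed == null lets the JVM gather its own seed (the slow path in the thread).
    static long firstCallMillis(byte[] seed) throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        if (seed != null) {
            // Seeding before the first nextBytes() replaces self-seeding,
            // so the output is only as unpredictable as these bytes.
            rng.setSeed(seed);
        }
        rng.nextBytes(new byte[20]);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        // Shows whether the JVM was already pointed at an entropy device.
        System.out.println("java.security.egd = "
                + System.getProperty("java.security.egd"));
        System.out.println("self-seeded first call: "
                + firstCallMillis(null) + " ms");
        if (new File("/dev/urandom").canRead()) {
            System.out.println("/dev/urandom-seeded first call: "
                    + firstCallMillis(readUrandom(32)) + " ms");
        } else {
            System.out.println("/dev/urandom is not available on this machine");
        }
    }
}
```

If the first figure is in the tens of seconds and the second is not, the delay is in seed generation rather than in the SSL handshake or delegation.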