[SoapRMI] RE: gsi is very slow with XSOAP

Jarek Gawor gawor_at_mcs.anl.gov
Fri, 29 Mar 2002 16:47:09 -0600 

> >We are currently working on the new API based on JSSE.... There
> are two ways
> >to speed it up. One is to install the /dev/urandom device on your machine
> >(the last time I looked it was supported under Solaris - it
> comes standard
> >with Linux) Another way is to implement a faster seed generator
> (it can be
> >easily plugged into Java and will work with any SSL impl.)
> However, the main
> >problem with implementing a seed generator is implementing it
> correctly so
> >it truly returns a random number....
> >
> Ah ha! I was using a Solaris box and I don't see any /dev/urandom or
> similar.
>
> I'm doing this same test on an irix box but without doing any delegating
> (jdk 1.3 again). I don't see any /dev/urandom or similar. It is taking
> about 15 seconds for a xsoap client to connect to and call a method on
> an xsoap server on the same machine using cog security. But, it takes a
> fraction of a second to gsissh from the irix box, to itself (or to any
> other machine around here).

This still takes too long... How many VMs are you running at the same time?
Remember, that each separate VM needs to initialize the seed generator. If
you have two (or more) VMs doing the initialization at the same time it will
be very slow. However, the next time you connect to the server (assuming you
have a server running somewhere) only one VM will be doing the
initialization....

> It seems to me the exact same security mechanisms are being used. Is
> this correct? If this is true, why is the Java code so much slower?
> Different seed generator? Java is 50 or 100 times slower than C? The
> algorithms are implemented better in C? Has anyone done any benchmarks
> of OpenSSL vs IAIK vs JSSE vs ...?

This is a seed generation algorithm/implementation issue. The Sun's default
implementation uses some weird thread-timing algorithm. But you can always
replace this algorithm with something different and better (the seeding
algorithm is totally independent from JSSE or IAIK) I'm not sure what
algorithm OpenSSL uses for seed generation but obviously it is faster.
I don't see this issue as a problem on the server side. However, on the
client it is a problem especially for clients that just need to send
something to the server and die. For a while we were considering providing a
better seed generator but basically we never had enough resources to do so
(or had more pressing issues to worry about) This is still on our TODO
list... and of course, anyone can contribute to our code and provide a
better seeding algorithm :)

Jarek