High response times for new Layer7 version on 11g ODSEE

Hi all,

Observed a spike in response time for BINDs for the users from the new/upgraded Layer7 application (a Broadcom product), whereas the same product was receiving no latency with the lower version.

Identified that there exists a difference in Java version on the old and new Layer7 application servers. The response times (etimes) for the binds from the new Layer7 servers are a bit high when compared to the old servers, and below are the details of the logs from the LDAP (ODSEE 11.1.1.7.171017  B2017.1007.1320 ZIP) server.

The response times are etime=0.153810 Vs etime=0.002370.

OLD Layer7 server:

Java(TM) SE Runtime Environment (build 1.8.0_73-b02)

LDAP access logs for BINDs -

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=-1 msgId=-1 - fd=106 slot=106 LDAPS connection from 10.230.57.145:17284 to 10.123.8.80

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=-1 msgId=-1 - SSL 128-bit AES-128-GCM  prot=TLS1.2

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=0 msgId=1 - BIND dn="uid=bkaladhar,ou=RegisteredUsers,ou=People,o=nextel.com" method=128 version=3

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.002370 dn="uid=bkaladhar,ou=registeredusers,ou=people,o=nextel.com"

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=1 msgId=2 - UNBIND

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=1 msgId=-1 - closing from 10.230.57.145:17284 - U1 - Connection closed by unbind client -

[02/Sep/2020:13:55:00 -0400] conn=2955427 op=-1 msgId=-1 - closed.

New Layer7 Server:

OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_252-b09)

LDAP access logs for BINDs -

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=-1 msgId=-1 - fd=72 slot=72 LDAPS connection from 10.230.57.145:56214 to 10.123.8.80

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=-1 msgId=-1 - SSL 128-bit AES-128-GCM  prot=TLS1.2

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=0 msgId=1 - BIND dn="uid=bkaladhar,ou=RegisteredUsers,ou=People,o=nextel.com" method=128 version=3

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.153810 dn="uid=bkaladhar,ou=registeredusers,ou=people,o=nextel.com"

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=1 msgId=2 - UNBIND

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=1 msgId=-1 - closing from 10.230.57.145:56214 - U1 - Connection closed by unbind client -

[02/Sep/2020:14:02:46 -0400] conn=2955571 op=-1 msgId=-1 - closed.

ODSEE & Java versions:

[dsadm]

dsadm               : 11.1.1.7.171017      B2017.1007.1320 ZIP

Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.

[slapd 64-bit]

Oracle Corporation.

Sun-Directory-Server/11.1.1.7.171017 B2017.1007.1320 64-bit

ns-slapd            : 11.1.1.7.171017      B2017.1007.1320 ZIP

Slapd Library       : 11.1.1.7.171017      B2017.1007.1320

Front-End Library   : 11.1.1.7.171017      B2017.1007.1320

java version "1.6.0_211"

Java(TM) SE Runtime Environment (build 1.6.0_211-b11)

Java HotSpot(TM) Server VM (build 20.211-b11, mixed mode)

The PCAP results from network sniffers show that there is a difference in the SSL handshake process due to a change in the sequence of the handshake, which is because of the difference in Java versions on the source servers.

Questions/Clarifications:

1). Does the java version really make this difference for response times?

2). If the Java version on the ODSEE server (build 1.6.0_211-b11) is matched with the new Layer7 server version (build 1.8.0_252-b09), will there be any improvement in response times from the LDAP? If YES, then will there be any impact on the current ODSEE version and the data in it?

3). From the SSL supported ciphers, if we remove/disable cipher family for SSL 128-bit AES-128-GCM (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384) on LDAP server then will there be any impact on the data in the LDAP and what impact will the LDAP have post the change for the cipher family?

Please let me know if any other details are required. Any details/information/expertise on the above points is greatly appreciated.

Thanks!

Murali

Can someone suggest/clarify on the above points? Also, there are 12 supported ciphers for GCM. I wanted to know: if any one is removed from the list by using ssl-cipher-family-:TLS_AES_128_GCM_SHA256, will the LDAP force the handshake to use another GCM cipher? I am just trying to identify in which way the GCM cipher family is to be removed, one at a time or all in one step.

Thanks!

Murali
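
An added example, not part of the original post: a small Python parser for the access-log layout quoted above that joins each BIND with its RESULT etime and with the client address and TLS line of the same connection, then summarises etime per field value. The log lines, addresses and DN are constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the access-log layout quoted in the post (addresses and DN are made up).
SAMPLE_LOG = """\
[02/Sep/2020:13:55:00 -0400] conn=101 op=-1 msgId=-1 - fd=106 slot=106 LDAPS connection from 192.0.2.10:17284 to 192.0.2.80
[02/Sep/2020:13:55:00 -0400] conn=101 op=-1 msgId=-1 - SSL 128-bit AES-128-GCM  prot=TLS1.2
[02/Sep/2020:13:55:00 -0400] conn=101 op=0 msgId=1 - BIND dn="uid=jdoe,ou=People,o=example.com" method=128 version=3
[02/Sep/2020:13:55:00 -0400] conn=101 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.002370 dn="uid=jdoe,ou=people,o=example.com"
[02/Sep/2020:14:02:46 -0400] conn=102 op=-1 msgId=-1 - fd=72 slot=72 LDAPS connection from 192.0.2.11:56214 to 192.0.2.80
[02/Sep/2020:14:02:46 -0400] conn=102 op=-1 msgId=-1 - SSL 128-bit AES-128-GCM  prot=TLS1.2
[02/Sep/2020:14:02:46 -0400] conn=102 op=0 msgId=1 - BIND dn="uid=jdoe,ou=People,o=example.com" method=128 version=3
[02/Sep/2020:14:02:46 -0400] conn=102 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.153810 dn="uid=jdoe,ou=people,o=example.com"
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<msg>.*)$")
CONNECT = re.compile(r"connection from (?P<ip>[\d.]+):\d+ to ")
TLS = re.compile(r"^SSL (?P<cipher>.+?)\s+prot=(?P<prot>\S+)")
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r"^RESULT err=(?P<err>\d+) .*?etime=(?P<etime>[\d.]+)")

def parse_binds(text):
    """Return one record per completed BIND, joined with its connection's client and TLS details."""
    conns, pending, out = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        conn, op, msg = m["conn"], m["op"], m["msg"]
        info = conns.setdefault(conn, {"client": None, "cipher": None, "prot": None})
        if (c := CONNECT.search(msg)):
            info["client"] = c["ip"]
        elif (t := TLS.match(msg)):
            info["cipher"], info["prot"] = t["cipher"], t["prot"]
        elif (b := BIND.match(msg)):
            pending[(conn, op)] = b["dn"]  # wait for the RESULT with the same conn/op
        elif (r := RESULT.match(msg)) and (conn, op) in pending:
            out.append({"ts": m["ts"], "conn": conn, "dn": pending.pop((conn, op)),
                        "err": int(r["err"]), "etime": float(r["etime"]), **info})
    return out

def summarize(binds, field="client"):
    """Group bind etimes by one record field; return {value: (count, mean, max)}."""
    groups = {}
    for b in binds:
        groups.setdefault(b[field], []).append(b["etime"])
    return {k: (len(v), sum(v) / len(v), max(v)) for k, v in groups.items()}

if __name__ == "__main__":
    print(summarize(parse_binds(SAMPLE_LOG)))
```

Both excerpts in the post log the same source address, so on those logs the `client` field alone would not separate the two Layer7 servers; the `ts` and `conn` fields in each record can be matched to a test window instead.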
