Java JCA GSSAPI does not scale, simultaneous ssh connections are very slow and errored.

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: P3
    • 5.0-pool
    • Affects Version/s: 5.0u9
    • Component/s: security-libs
    • None

      During our performance test, we detected slowness in establishing multiple ssh connections to multiple servers, as well as exceptions:
      GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
      On 4 T1 CPU threads at 1GHz, there should be no problem handling hundreds of ssh sessions, but ssh using Jsch in a Java program does not scale at all. There is no
      special pkcs11 setup; kerberos is the default provider.

      Then we used Jetm instrumentation to measure the ssh connect, and we found that:
      when concurrency ~15, it took 1.5 seconds to complete
      when concurrency ~30, it took 9.7 seconds
      when concurrency ~50, it took 20 seconds

      For 4 T1 CPU threads at 1Ghz, CPU peaks at 100% when concurrency ~20. Everything slowed.

      Attached jstack showed 40 threads all synchronized at com.jcraft.jsch.Session.connect

      Most threads are synchronized in the pkcs11 GSS API native call, many in:
      - sun.security.pkcs11.wrapper.PKCS11.C_DeriveKey(long, sun.security.pkcs11.wrapper.CK_MECHANISM, long, sun.security.pkcs11.wrapper.CK_ATTRIBUTE[]) @bci=0 (Interpreted frame)
      - sun.security.pkcs11.wrapper.PKCS11.C_DeriveKey(long, sun.security.pkcs11.wrapper.CK_MECHANISM, long, sun.security.pkcs11.wrapper.CK_ATTRIBUTE[]) @bci=0 (Interpreted frame)
      - sun.security.pkcs11.P11KeyAgreement.engineGenerateSecret() @bci=142, line=178 (Compiled frame)
      - javax.crypto.KeyAgreement.generateSecret() @bci=8 (Interpreted frame)
      - com.jcraft.jsch.jce.DH.getK() @bci=53, line=73 (Interpreted frame)

            Assignee:
            Unassigned
            Reporter:
            John Su (Inactive)
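The jstack triage described in the report can be reproduced with a short script, shown here as an added example that is not part of the original issue or of the JDK or JSch code. It groups the threads that pass through `com.jcraft.jsch.Session.connect` by their innermost frame. The sample dump is constructed in the frame layout quoted above; the thread ids, the `Session.connect(int)` signature and the frames not quoted in the report are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the frame layout quoted in the report. Thread ids,
# the Session.connect frame details and the non-PKCS11 frames are made up.
DERIVE = ("sun.security.pkcs11.wrapper.PKCS11.C_DeriveKey(long, "
          "sun.security.pkcs11.wrapper.CK_MECHANISM, long, "
          "sun.security.pkcs11.wrapper.CK_ATTRIBUTE[]) @bci=0 (Interpreted frame)")
KEX_STACK = f""" - {DERIVE}
 - sun.security.pkcs11.P11KeyAgreement.engineGenerateSecret() @bci=142, line=178 (Compiled frame)
 - javax.crypto.KeyAgreement.generateSecret() @bci=8 (Interpreted frame)
 - com.jcraft.jsch.jce.DH.getK() @bci=53, line=73 (Interpreted frame)
 - com.jcraft.jsch.Session.connect(int) @bci=1 (Interpreted frame)
"""
SAMPLE_DUMP = (
    "Thread 101: (state = BLOCKED)\n" + KEX_STACK +
    "Thread 102: (state = IN_NATIVE)\n" + KEX_STACK +
    "Thread 103: (state = IN_NATIVE)\n"
    " - java.net.SocketInputStream.socketRead0(java.io.FileDescriptor, byte[], int, int, int) @bci=0 (Interpreted frame)\n"
    " - com.jcraft.jsch.Session.connect(int) @bci=1 (Interpreted frame)\n"
    "Thread 104: (state = BLOCKED)\n"
    " - java.lang.Object.wait(long) @bci=0 (Interpreted frame)\n"
)

THREAD_RE = re.compile(r"^Thread (\d+):")
FRAME_RE = re.compile(r"^\s*- ([\w.$<>]+)\(")

def parse_threads(dump):
    """Return {thread_id: [fully qualified method names, innermost first]}."""
    threads, current = {}, None
    for line in dump.splitlines():
        header = THREAD_RE.match(line)
        if header:
            current = threads.setdefault(header.group(1), [])
            continue
        frame = FRAME_RE.match(line)
        if frame and current is not None:
            current.append(frame.group(1))
    return threads

def summarize(dump, passing_through):
    """Count threads whose stack contains passing_through, keyed by innermost frame."""
    tops = Counter()
    for frames in parse_threads(dump).values():
        if frames and passing_through in frames:
            tops[frames[0]] += 1
    return tops

if __name__ == "__main__":
    for method, n in summarize(SAMPLE_DUMP, "com.jcraft.jsch.Session.connect").most_common():
        print(f"{n:4d}  {method}")
```

A count dominated by one native frame, as in the report's `C_DeriveKey` case, points at contention inside that call rather than at the network or the SSH server.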