performance hit with search guard ssl

Hi,

We are using Search Guard SSL for encryption between Elasticsearch nodes at the transport layer. We are collecting performance numbers with and without encryption for search requests, and we see the core Elasticsearch API ActionRequestBuilder.execute() is taking about 30% more time with encryption enabled. We are digging deeper to see where the performance hit is. The entire time increase seems to be because of AbstractChannel.write, as seen from the snapshot below.

The setup I used is a 2-node cluster: one is an index node and the other is a non-index node. Search requests are triggered from the non-index node so that we can know the overhead of transporting data across a channel, thereby bringing the encryption into play.

The only reason I could think of is that the data payload size is larger with encryption enabled and the AbstractChannel.write method below is taking more time; this is the only method which I see causing the performance degradation in the snapshot.

In the below snapshot, old time refers to encryption on and new time refers to encryption off.

My questions:

  1. How do we actually know where the performance hit is actually coming from? Is my above theory right?

  2. Do we already have any benchmark numbers on enabling encryption through Search Guard SSL?

  3. What could be the parameters which can affect performance at the transport layer?

Do you use OpenSSL or Java SSL (if so pls. use OpenSSL and measure again)?

Few other questions:
- Which Elasticsearch/Search Guard SSL version?
- Which JVM version and vendor? Did you install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files"?
- Which Operating system?
- Which SSL ciphers?
- Does your CPU support AES-NI instruction set?
- Which OpenSSL version?

All these can affect performance, so benchmarks only make sense if they are comparable.

With Elasticsearch 5 and Search Guard 5 and recent OpenSSL on modern hardware and well-chosen cipher suites (for example TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) you should not face a real performance impact.
Without OpenSSL and Java 7 and non hardware accelerated ciphers you will face an impact for sure!

On 15.02.2017 at 15:41, supraj <shashanka981@gmail.com> wrote:

Hi,

We are using Search Guard SSL for encryption between Elasticsearch nodes at the transport layer. We are collecting performance numbers with and without encryption for search requests, and we see the core Elasticsearch API ActionRequestBuilder.execute() is taking about 30% more time with encryption enabled. We are digging deeper to see where the performance hit is. The entire time increase seems to be because of AbstractChannel.write, as seen from the snapshot below.

The setup I used is a 2-node cluster: one is an index node and the other is a non-index node. Search requests are triggered from the non-index node so that we can know the overhead of transporting data across a channel, thereby bringing the encryption into play.

The only reason I could think of is that the data payload size is larger with encryption enabled and the AbstractChannel.write method below is taking more time; this is the only method which I see causing the performance degradation in the snapshot.

In the below snapshot, old time refers to encryption on and new time refers to encryption off.

My questions:

1) How do we actually know where the performance hit is actually coming from? Is my above theory right?
2) Do we already have any benchmark numbers on enabling encryption through Search Guard SSL?
3) What could be the parameters which can affect performance at the transport layer?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d9aa50ed-7fd0-4c25-904a-4c2da4b10070%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
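
The items in the checklist above that depend only on the JVM can be read out directly. The following is an added example, not code from the thread or from Search Guard: it reports JVM, OS, the JCE policy limit and whether the named suite is available, then times the JDK's own HMAC-SHA256 plus AES-128-CBC over 16 KB buffers as a rough stand-in for per-record cost. The class name `TransportTlsCheck` is hypothetical, and the timing loop is an assumption about what is worth measuring, not a TLS implementation.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;
import java.security.SecureRandom;
import java.util.Arrays;

// Added diagnostic (hypothetical class name); uses only Java 7 language features.
public class TransportTlsCheck {
    // Cipher suite named in the reply above.
    static final String SUITE = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
    static final int RECORD = 16 * 1024; // largest TLS record plaintext

    // MB/s the JDK provider sustains for HMAC-SHA256 followed by AES-128-CBC,
    // which is roughly the per-record bulk work of the suite above.
    static double bulkThroughputMBps(int records) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[16], macKey = new byte[32], iv = new byte[16];
        byte[] data = new byte[RECORD], out = new byte[RECORD + 64];
        rnd.nextBytes(key); rnd.nextBytes(macKey); rnd.nextBytes(iv); rnd.nextBytes(data);

        SecretKeySpec aesKey = new SecretKeySpec(key, "AES");
        IvParameterSpec ivSpec = new IvParameterSpec(iv); // fixed IV: benchmark only
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(macKey, "HmacSHA256"));

        long start = System.nanoTime();
        for (int i = 0; i < records; i++) {
            byte[] tag = hmac.doFinal(data);               // MAC the record
            aes.init(Cipher.ENCRYPT_MODE, aesKey, ivSpec); // fresh CBC state per record
            int n = aes.update(data, 0, RECORD, out, 0);
            aes.doFinal(tag, 0, tag.length, out, n);       // encrypt data + tag + padding
        }
        double seconds = (System.nanoTime() - start) / 1e9;
        return records * (RECORD / (1024.0 * 1024.0)) / seconds;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM : " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println("OS  : " + System.getProperty("os.name") + " "
                + System.getProperty("os.arch"));

        // 128 means the limited-strength policy is active; Integer.MAX_VALUE means unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("JCE : max AES key length = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        boolean supported = Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()).contains(SUITE);
        boolean onByDefault = Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()).contains(SUITE);
        System.out.println(SUITE + ": supported=" + supported
                + ", enabled by default=" + onByDefault);

        bulkThroughputMBps(2000); // warm-up so the JIT compiles the hot loop
        System.out.printf("JDK bulk crypto: %.0f MB/s on one thread%n",
                bulkThroughputMBps(8000));
    }
}
```

Run it with the same JVM binary that starts the Elasticsearch node, so the output describes the provider and policy files the node actually uses.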

  • Which Elasticsearch/Search Guard SSL version? 2.4.0 / 2.4.0.19
  • Which JVM version and vendor? Did you install “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files”? Oracle JDK 1.7.0_34/ JCE Not installed
  • Which Operating system? Windows
  • Which SSL ciphers? We didn't touch the default list of ciphers configured through SearchGuard. So, I guess it picks up a random supported cipher.
    **Any recommendation would be helpful, our concern is performance**
  • Does your CPU support AES-NI instruction set? Yes
  • Which OpenSSL version? Not using OpenSSL

What are the cipher suites recommended for better performance without compromising security?
I wanted to try OpenSSL, however the setup looks quite complex, particularly installing APR.

Is it absolutely necessary to have APR installed to make Search Guard SSL use the OpenSSL implementation?

I keep getting the java.lang.UnsatisfiedLinkError though I downloaded the system-dependent tcnative jar and placed it in the plugins folder (in my case, it is windows-x64).

Is any other configuration needed to get rid of the UnsatisfiedLinkError?

exception details:

[2017-02-16 16:30:36,967][DEBUG][io.netty.util.internal.NativeLibraryLoader] Unable to load the library ‘netty-tcnative-windows-x86_64’, trying other loading mechanism.
java.lang.UnsatisfiedLinkError: no netty-tcnative-windows-x86_64 in java.library.path
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1860)
    at java.lang.Runtime.loadLibrary0(Runtime.java:845)
    at java.lang.System.loadLibrary(System.java:1084)
    at io.netty.util.internal.NativeLibraryUtil.loadLibrary(NativeLibraryUtil.java:38)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at io.netty.util.internal.NativeLibraryLoader$1.run(NativeLibraryLoader.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.netty.util.internal.NativeLibraryLoader.loadLibraryByHelper(NativeLibraryLoader.java:264)
    at io.netty.util.internal.NativeLibraryLoader.loadLibrary(NativeLibraryLoader.java:252)
    at io.netty.util.internal.NativeLibraryLoader.load(NativeLibraryLoader.java:199)
    at io.netty.util.internal.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:170)
    at io.netty.handler.ssl.OpenSsl.loadTcNative(OpenSsl.java:412)
    at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:90)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$1.run(SearchGuardSSLPlugin.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:65)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:472)
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:432)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:129)
    at org.elasticsearch.node.Node.<init>(Node.java:158)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

[2017-02-16 16:30:37,000][DEBUG][io.netty.util.internal.NativeLibraryLoader] Unable to load the library ‘netty-tcnative-windows-x86_64’, trying next name…
java.lang.UnsatisfiedLinkError: no netty-tcnative-windows-x86_64 in java.library.path
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1860)
    at java.lang.Runtime.loadLibrary0(Runtime.java:845)
    at java.lang.System.loadLibrary(System.java:1084)
    at io.netty.util.internal.NativeLibraryUtil.loadLibrary(NativeLibraryUtil.java:38)
    at io.netty.util.internal.NativeLibraryLoader.loadLibrary(NativeLibraryLoader.java:259)
    at io.netty.util.internal.NativeLibraryLoader.load(NativeLibraryLoader.java:199)
    at io.netty.util.internal.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:170)
    at io.netty.handler.ssl.OpenSsl.loadTcNative(OpenSsl.java:412)
    at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:90)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$1.run(SearchGuardSSLPlugin.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:65)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:472)
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:432)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:129)
    at org.elasticsearch.node.Node.<init>(Node.java:158)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

[2017-02-16 16:30:37,774][DEBUG][io.netty.util.internal.NativeLibraryLoader] Unable to load the library ‘C:\Users\mogas\AppData\Local\Temp\netty-tcnative6458130543072664121.dll’, trying other loading mechanism.
java.lang.UnsatisfiedLinkError: C:\Users\supraj\AppData\Local\Temp\netty-tcnative6458130543072664121.dll: The operating system cannot run %1
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1928)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1825)
    at java.lang.Runtime.load0(Runtime.java:792)
    at java.lang.System.load(System.java:1059)
    at io.netty.util.internal.NativeLibraryUtil.loadLibrary(NativeLibraryUtil.java:36)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at io.netty.util.internal.NativeLibraryLoader$1.run(NativeLibraryLoader.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.netty.util.internal.NativeLibraryLoader.loadLibraryByHelper(NativeLibraryLoader.java:264)
    at io.netty.util.internal.NativeLibraryLoader.loadLibrary(NativeLibraryLoader.java:252)
    at io.netty.util.internal.NativeLibraryLoader.load(NativeLibraryLoader.java:226)
    at io.netty.util.internal.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:170)
    at io.netty.handler.ssl.OpenSsl.loadTcNative(OpenSsl.java:412)
    at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:90)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$1.run(SearchGuardSSLPlugin.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:65)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:472)
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:432)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:129)
    at org.elasticsearch.node.Node.<init>(Node.java:158)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

[2017-02-16 16:30:37,865][DEBUG][io.netty.util.internal.NativeLibraryLoader] Unable to load the library ‘netty-tcnative’, trying next name…
java.lang.UnsatisfiedLinkError: C:\Users\supraj\AppData\Local\Temp\netty-tcnative6458130543072664121.dll: The operating system cannot run %1
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1928)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1825)
    at java.lang.Runtime.load0(Runtime.java:792)
    at java.lang.System.load(System.java:1059)
    at io.netty.util.internal.NativeLibraryUtil.loadLibrary(NativeLibraryUtil.java:36)
    at io.netty.util.internal.NativeLibraryLoader.loadLibrary(NativeLibraryLoader.java:259)
    at io.netty.util.internal.NativeLibraryLoader.load(NativeLibraryLoader.java:226)
    at io.netty.util.internal.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:170)
    at io.netty.handler.ssl.OpenSsl.loadTcNative(OpenSsl.java:412)
    at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:90)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$1.run(SearchGuardSSLPlugin.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:65)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:472)
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:432)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:129)
    at org.elasticsearch.node.Node.<init>(Node.java:158)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

[2017-02-16 16:30:37,890][DEBUG][io.netty.handler.ssl.OpenSsl] Failed to load netty-tcnative; OpenSslEngine will be unavailable, unless the application has already loaded the symbols by some other means. See http://netty.io/wiki/forked-tomcat-native.html for more information.
java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty-tcnative-windows-x86_64, netty-tcnative]
    at io.netty.util.internal.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:177)
    at io.netty.handler.ssl.OpenSsl.loadTcNative(OpenSsl.java:412)
    at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:90)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$1.run(SearchGuardSSLPlugin.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:65)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:472)
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:432)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:129)
    at org.elasticsearch.node.Node.<init>(Node.java:158)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

[2017-02-16 16:30:37,924][DEBUG][io.netty.handler.ssl.OpenSsl] Failed to initialize netty-tcnative; OpenSslEngine will be unavailable. See http://netty.io/wiki/forked-tomcat-native.html for more information.
java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Library.version(I)I
    at org.apache.tomcat.jni.Library.version(Native Method)
    at org.apache.tomcat.jni.Library.initialize(Library.java:176)
    at io.netty.handler.ssl.OpenSsl.initializeTcNative(OpenSsl.java:417)
    at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:101)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin$1.run(SearchGuardSSLPlugin.java:69)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:65)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
    at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:472)
    at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:432)
    at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:129)
    at org.elasticsearch.node.Node.<init>(Node.java:158)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:194)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
On Wednesday, 15 February 2017 20:37:32 UTC+5:30, Search Guard wrote:

Do you use OpenSSL or Java SSL (if so pls. use OpenSSL and measure again)?

Few other questions:

  • Which Elasticsearch/Search Guard SSL version?

  • Which JVM version and vendor? Did you install “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files”?

  • Which Operating system?

  • Which SSL ciphers?

  • Does your CPU support AES-NI instruction set?

  • Which OpenSSL version?

All these can affect performance, so benchmarks only make sense if they are comparable.

With Elasticsearch 5 and Search Guard 5 and recent OpenSSL on modern hardware and well-chosen cipher suites (for example TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) you should not face a real performance impact.

Without OpenSSL and Java 7 and non hardware accelerated ciphers you will face an impact for sure!
