Sun Java Enterprise System Deployment Planning Guide

Estimating Processor Requirements for Secure Transactions

Secure transport of data involves handling transactions over a secure transport protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Transactions handled over a secure transport typically require additional computing power to first, establish a secure session (known as the handshake) and then to encrypt and decrypt transported data. Depending on the encryption algorithm used (for example, 40-bit or 128-bit encryption algorithms), the additional computing power can be substantial.

For secure transactions to perform at the same level as nonsecure transactions, you must plan for additional computing power. Depending on the nature of the transaction and the Sun JavaTM Enterprise System services that handle it, secure transactions might require up to four times more computing power than nonsecure transactions.

When estimating the processing power to handle secure transactions, analyze use cases to determine the percentage of transactions that require secure transport. If the performance requirements for secure transactions are the same as for non-secure transactions, modify the CPU estimates to account for the additional computing power needed for the secure transactions.

In some usage scenarios, secure transport might only be required for authentication. Once a user is authenticated to the system, no additional security measures for transport of data is required. In other scenarios, secure transport might be required for all transactions.

For example, when browsing a product catalog for an online e-commerce site, all transactions can be nonsecure until the customer has finished making selections and is ready to “check out” to make a purchase. However, some usage scenarios, such as deployments for banks or brokerage houses, require most or all, transactions to be secure and apply the same performance standard for both secure and nonsecure transactions.

CPU Estimates for Secure Transactions

This section continues the example deployment to illustrate how to calculate CPU requirements for a theoretical use case that includes both secure and nonsecure transactions.

To estimate the CPU requirements for secure transactions, make the following calculations:

  1. Start with a baseline figure for the CPU estimates (as illustrated in the previous section, Example Estimating Processor Requirements).

  2. Calculate the percentage of transactions that require secure transport, and calculate the CPU estimates for the secure transactions.

  3. Calculate reduced CPU estimates for non-secure transactions.

  4. Tally the secure estimate and nonsecure estimate to calculate the total CPU estimates.

  5. Round up the total CPU estimate to an even number.

CPU Estimates for Secure Transactions shows an example calculation based on use cases and usage analysis for the Portal Server that assume the following:

Table 5–5 Modifying CPU Estimates for Secure Transactions





Start with baseline estimate for all Portal Server transactions. 

Baseline estimate from Study Use Cases for Peak Load Usage is 4 CPUs.

- - - - - 

Calculate additional CPU estimates for secure transactions. Assume secure transactions require four times the CPU power as nonsecure transactions. 

Ten percent of the baseline estimate require secure transport: 


0.10 x 4 CPUs = 0.4 CPUs


Increase CPU power for secure transactions by a factor of four: 


4 x 0.4 = 1.6 CPUs

1.6 CPUs 

Calculate reduced CPU estimates for nonsecure transactions. 

Ninety percent of the baseline estimate are non-secure: 


0.9 x 4 CPUs = 3.6 CPUs

3.6 CPUs 

Calculate adjusted total CPU estimates for secure and nonsecure transactions. 

Secure estimate + non-secure estimate = total: 


1.6 CPUs + 3.6 CPUs = 5.2 CPUs

5.2 CPUs 

Round up to even number. 

5.2 CPUs ==> 6 CPUs

6 CPUs 

From the calculations for secure transactions in this example, you would modify the total CPU estimates in CPU Estimates for Secure Transactions by adding an additional two CPUs and four gigabytes of memory to get the following total for Portal Server.




Portal Server 

12 GB 

Specialized Hardware to Handle SSL Transactions

Specialized hardware devices, such as SSL accelerator cards and other appliances, are available to provide computing power to handle establishment of secure sessions and the encryption and decryption of data. When using specialized hardware for SSL operations, computational power is dedicated to some part of the SSL computations, typically the “handshake” operation that establishes a secure session.

This hardware might be of benefit to your final deployment architecture. However, because of the specialized nature of the hardware, estimate secure transaction performance requirements first in terms of CPU power, and then consider the benefits of using specialized hardware to handle the additional load.

Some factors to consider when using specialized hardware are whether the use cases support using the hardware (for example, use cases that require a large number of SSL handshake operations) and the added layer of complexity this type of hardware brings to the design. This complexity includes the installation, configuration, testing, and administration of these devices.