High CPU load and slowness in GCM cipher encryption

Solution Verified - Updated

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.x
    • 7.x
  • Java 8

Issue

  • We are seeing slowness and high CPU in GCM cipher encryption operations:
"http-0.0.0.0:8443-48" #1277 prio=5 os_prio=0 tid=0x00007fa7a41ff000 nid=0x121f0 runnable [0x00007fa6db4c8000]
   java.lang.Thread.State: RUNNABLE
	at com.sun.crypto.provider.GHASH.update(GHASH.java:167)
	at com.sun.crypto.provider.GaloisCounterMode.doLastBlock(GaloisCounterMode.java:362)
	at com.sun.crypto.provider.GaloisCounterMode.encryptFinal(GaloisCounterMode.java:419)
	at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1025)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:984)
	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:479)
	at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:776)
	at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
	at javax.crypto.Cipher.doFinal(Cipher.java:2460)
	at sun.security.ssl.CipherBox.encrypt(CipherBox.java:396)
	at sun.security.ssl.EngineOutputRecord.write(EngineOutputRecord.java:300)
	at sun.security.ssl.EngineOutputRecord.write(EngineOutputRecord.java:225)
	at sun.security.ssl.EngineWriter.writeRecord(EngineWriter.java:186)
	- locked <0x0000000780e5b560> (a sun.security.ssl.EngineWriter)
	at sun.security.ssl.SSLEngineImpl.writeRecord(SSLEngineImpl.java:1300)
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1271)
	- locked <0x0000000780e5d2c0> (a java.lang.Object)
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
	- locked <0x0000000780e5d2a0> (a java.lang.Object)
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)

Resolution

  • Move to the latest Java update for GCM performance improvements.
  • As a workaround for any GCM cipher specific issue, add GCM to the jdk.tls.disabledAlgorithms line in your JAVA_HOME/jre/lib/security/java.security file. This stops the JVM from negotiating GCM cipher suites, so TLS connections use the remaining enabled suites.
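
The workaround above can be checked and applied with a small script. This is an added example, not Red Hat's code: the function names and the sample file contents are constructed for illustration. It goes slightly beyond the text by handling a jdk.tls.disabledAlgorithms value that spans several backslash-continued lines.

```shell
#!/bin/sh
# Print the effective jdk.tls.disabledAlgorithms value, joining
# backslash-continued lines; if set twice, the last definition is used.
tls_disabled_value() {
    awk '{
        line = $0
        if (cont) { sub(/^[ \t]+/, "", line); buf = buf line }
        else if (line ~ /^[ \t]*[#!]/) { next }
        else { buf = line }
        if (buf ~ /\\$/) { sub(/\\$/, "", buf); cont = 1; next }
        cont = 0
        if (buf ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/) {
            sub(/^[^=]*=[ \t]*/, "", buf); val = buf
        }
    } END { print val }' "$1"
}

# Succeed if GCM is already one of the comma-separated entries.
gcm_disabled() {
    tls_disabled_value "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qix 'GCM'
}

# Print FILE with ", GCM" appended to the last physical line of the property.
# An already-patched file is printed unchanged. Assumes (added example) that
# the property already lists at least one entry.
add_gcm() {
    if gcm_disabled "$1"; then cat "$1"; return 0; fi
    awk '
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { inprop = 1 }
        inprop && !/\\$/ { $0 = $0 ", GCM"; inprop = 0 }
        { print }' "$1"
}

# Constructed sample input, not a real JDK default.
sample_java_security() {
    cat <<'EOF'
# jdk.tls.disabledAlgorithms=GCM in a comment must be ignored
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, \
    DH keySize < 1024, \
    EC keySize < 224
jdk.tls.legacyAlgorithms=K_NULL, C_NULL
EOF
}

# Stand-alone run on a temporary copy of the sample.
tmp=$(mktemp); sample_java_security > "$tmp"
add_gcm "$tmp" > "$tmp.new" && tls_disabled_value "$tmp.new"
rm -f "$tmp" "$tmp.new"
```

add_gcm writes the patched file to stdout, so the result can be compared with the original before it replaces java.security. The JVM reads this file at startup, so a restart is needed for the change to apply.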

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.