Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT
IOS PKI Performance Monitoring and Optimization

The IOS PKI Performance Monitoring and Optimization feature provides a way to characterize performance within the Public Key Infrastructure (PKI) subsystem and to debug and analyze PKI performance-related issues.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IOS PKI Performance Monitoring and Optimization

When PKI applications are deployed in an environment that scales, they can create problems that are difficult to identify and debug. Traditional use of debug commands may be less effective in this operating environment. The IOS PKI Performance Monitoring and Optimization feature provides an efficient way to gather data and report on PKI operations in order to identify performance-related issues.

The IOS PKI Performance Monitoring and Optimization feature enables you to collect the following types of PKI performance data:

  • Time to validate entire certificate chain.

  • Time to verify each certificate.

  • Time to check revocation status for each certificate.

  • Time to fetch certificate revocation list (CRL) database for each fetch location.

  • Time to fetch Simple Certificate Enrollment Protocol (SCEP) method capabilities to retrieve the CRL.

  • Time to process each CRL.

  • Time to process the Online Certificate Status Protocol (OCSP) response. OCSP is a certificate revocation mechanism.

  • Time to fetch Authentication, Authorization, and Accounting (AAA).

  • CRL size.

  • Validation result.

  • Validation Bypass (pubkey cached).

  • Method used to fetch a CRL.

  • PKI session identifier.

  • Crypto engine used (hardware, software, etoken).

How to Configure IOS PKI Performance Monitoring and Optimization

Use this task to start, stop and verify IOS PKI performance monitoring and optimization data.

SUMMARY STEPS

    1.    enable

    2.    crypto pki benchmark start limit [wrap]

    3.    crypto pki benchmark stop

    4.    show crypto pki benchmarks [ failures ]

    5.    clear crypto pki benchmarks


DETAILED STEPS
    Step 1  enable

    Example:
    Router> enable

    Purpose: Enables privileged EXEC mode.

    • Enter your password if prompted.

    Step 2  crypto pki benchmark start limit [wrap]

    Example:
    Router# crypto pki benchmark start 20 wrap

    Purpose: Enables PKI benchmarking.

    The limit argument sets the number of records, from 0 to 9990, that can be stored for the benchmarking session. A limit of 0 indicates that an unlimited number of records can be stored.

    (Optional) The wrap keyword specifies a continuous flow of records. Once the maximum number of records is gathered, they are released and a new set of records is generated. If the wrap keyword is not specified, benchmarking stops once the limit for the maximum number of records has been reached.

    Step 3  crypto pki benchmark stop

    Example:
    Router# crypto pki benchmark stop

    Purpose: Terminates PKI benchmarking data collection.

    Step 4  show crypto pki benchmarks [ failures ]

    Example:
    Router# show crypto pki benchmarks

    Purpose: Displays the PKI benchmarking data that was collected.

    (Optional) Use the failures keyword to display only validation failures.

    Step 5  clear crypto pki benchmarks

    Example:
    Router# clear crypto pki benchmarks

    Purpose: Clears the PKI benchmarking data and releases all memory used.

    Configuration Examples for IOS PKI Performance Monitoring and Optimization

    Example Displaying All PKI Benchmarking Data

    The following example shows output from the show crypto pki benchmarks command, displaying all PKI benchmarking data:

    Router# show crypto pki benchmarks
    Session Descriptor: 10008
    Validation Start: 22:58:45.704 GMT Tue Oct 13 2009
    Validation Duration: 14 ms
    Pubkey Bypass: no
    Validation Result: Success
    Certificates To Validate: 1
    Revocation for certificate 1
      Cert Index: 0
       Start: 22:58:45.714 GMT Tue Oct 13 2009
       Duration: 3 ms
      SCEP Capabilities: Skipped
    Session Descriptor: 10007
    Validation Start: 22:54:38.969 GMT Tue Oct 13 2009
    Validation Duration: 14 ms
    Pubkey Bypass: no
    Validation Result: Success
    Certificates To Validate: 1
    Revocation for certificate 1
      Cert Index: 0
       Start: 22:54:38.979 GMT Tue Oct 13 2009
       Duration: 3 ms
      SCEP Capabilities: Skipped
      SCEP Capabilities Duration: 0 ms
    Session Descriptor: 10006
    Validation Start: 21:52:08.616 GMT Tue Oct 13 2009
    Validation Duration: 5 ms
    Pubkey Bypass: yes
    Validation Result: Success
    Session Descriptor: 10005
    Validation Start: 23:42:12.925 GMT Tue Oct 13 2009
    Validation Duration: 5 ms
    Pubkey Bypass: yes
    Session Descriptor: 10004
    Validation Start: 23:42:10.614 GMT Tue Oct 13 2009
    Validation Duration: 5 ms
    Pubkey Bypass: yes
    Validation Result: Success
    Session Descriptor: 10003
    Validation Start: 23:42:09.540 GMT Tue Oct 13 2009
    Validation Duration: 5 ms
    Pubkey Bypass: yes
    Validation Result: Success
    Session Descriptor: 10002
    Validation Start: 23:42:06.699 GMT Tue Oct 13 2009
    Validation Duration: 53 ms
    Pubkey Bypass: no
    Validation Result: Success
    Certificates To Validate: 1
    Revocation for certificate 1
      Cert Index: 0
       Start: 23:42:06.707 GMT Tue Oct 13 2009
       Duration: 44 ms
      CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
      CRL Fetch - HTTP Duration: 31 ms
      CRL Insert Start: 23:42:06.740 GMT Tue Oct 13 2009
      CRL Insert Duration: 8 ms
      CRL Size: 3892
      SCEP Capabilities Start: 23:42:06.709 GMT Tue Oct 13 2009
      SCEP Capabilities Duration: 7 ms
    Session Descriptor: 10001
    Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
    Validation Duration: 57 ms
    Pubkey Bypass: no
    Validation Result: Failed
    Certificates To Validate: 1
    Revocation for certificate 1
      Cert Index: 0
       Start: 20:47:14.868 GMT Thu Sep 24 2009
       Duration: 49 ms
      CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
      CRL Fetch - HTTP Duration: 37 ms
      SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
      SCEP Capabilities Duration: 11 ms
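
The following is an added example, not part of the Cisco guide: Python that parses show crypto pki benchmarks output captured off-box, lists failed validations and names the slowest sub-step of each slow validation. The function names, the 30 ms threshold and the reading of a bare Duration line as the revocation-check time are assumptions; the sample is abridged from the output above.

```python
# Abridged from this page's "show crypto pki benchmarks" output (timestamps dropped).
SAMPLE = """\
Session Descriptor: 10005
Validation Duration: 5 ms
Pubkey Bypass: yes
Session Descriptor: 10002
Validation Duration: 53 ms
Pubkey Bypass: no
Validation Result: Success
Revocation for certificate 1
   Duration: 44 ms
  CRL Fetch - HTTP Duration: 31 ms
  CRL Insert Duration: 8 ms
  SCEP Capabilities Duration: 7 ms
Session Descriptor: 10001
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Revocation for certificate 1
   Duration: 49 ms
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Duration: 11 ms
"""

def parse_benchmarks(text):
    """One dict per 'Session Descriptor' record; bare 'Duration' is read as revocation time."""
    sessions = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if key == "Session Descriptor":
            sessions.append({"id": value, "result": None, "bypass": None, "ms": {}})
        elif not (sep and sessions):
            continue  # prompt, section header, or text before the first record
        elif key.endswith("Duration"):
            phase = key[:-len("Duration")].strip() or "Revocation"
            cur = sessions[-1]["ms"]  # summed when a chain has several certificates
            cur[phase] = cur.get(phase, 0) + int(value.split()[0])
        elif key in ("Validation Result", "Pubkey Bypass"):
            sessions[-1]["result" if "Result" in key else "bypass"] = value
    return sessions

def triage(sessions, slow_ms=30):
    """Return (failed ids, {id: slowest sub-step} for validations >= slow_ms)."""
    failed = [s["id"] for s in sessions if s["result"] == "Failed"]
    slow = {}
    for s in sessions:
        steps = {k: v for k, v in s["ms"].items() if k not in ("Validation", "Revocation")}
        if steps and s["ms"].get("Validation", 0) >= slow_ms:
            slow[s["id"]] = max(steps, key=steps.get)
    return failed, slow
```

Records with Pubkey Bypass set to yes carry no revocation timings, and a record such as session 10005 that has no Validation Result line is kept with result None rather than counted as a success.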

    Example Displaying Only Failures in PKI Benchmarking Data

    The following example shows output from the show crypto pki benchmark failures command, which displays only the failures in the PKI benchmarking data:

    Router# show crypto pki benchmark failures
    Session Descriptor: 10001
    Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
    Validation Duration: 57 ms
    Pubkey Bypass: no
    Validation Result: Failed
    Certificates To Validate: 1
    Revocation for certificate 1
      Cert Index: 0
       Start: 20:47:14.868 GMT Thu Sep 24 2009
       Duration: 49 ms
      CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
      CRL Fetch - HTTP Duration: 37 ms
      SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
      SCEP Capabilities Duration: 11 ms

    Example Displaying a Section Filter in PKI Benchmarking Data

    The following example shows output from the show crypto pki benchmark command with a section filter applied to the PKI benchmarking data:

    Router# show crypto pki benchmark | section Revocation
      Revocation Check for Certificate 1 of 1
        Start: 20:47:29.063 GMT Wed Oct 27 2010
        Duration: 714 ms
      Revocation Check for Certificate 1 of 1
        Start: 20:49:15.076 GMT Wed Oct 27 2010
        Duration: 6 ms
    

    Feature Information for IOS PKI Performance Monitoring and Optimization

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Table 1 Feature Information for IOS PKI Performance Monitoring and Optimization

    Feature Name: IOS PKI Performance Monitoring and Optimization

    Releases: 15.1(3)T

    Feature Information: The IOS Performance Monitoring and Optimization feature provides a way to characterize the performance within the Public Key Infrastructure (PKI) subsystem and debug and analyze PKI performance related issues.

    This feature was introduced in Cisco IOS Release 15.1(3)T.

    The following commands were introduced or modified: crypto pki benchmark, show crypto pki benchmarks, clear crypto pki benchmarks.