IOS PKI Performance Monitoring and Optimization


First Published: November 3, 2010
Last Updated: March 31, 2011

The IOS PKI Performance Monitoring and Optimization feature provides a way to characterize performance within the Public Key Infrastructure (PKI) subsystem and to debug and analyze PKI performance-related issues.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IOS PKI Performance Monitoring and Optimization" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IOS PKI Performance Monitoring and Optimization

When PKI applications are deployed in an environment that scales, they can create problems that are difficult to identify and debug. Traditional use of debug commands may be less effective in this operating environment. The IOS PKI Performance Monitoring and Optimization feature provides an efficient way to gather data and report on PKI operations to identify performance-related issues.

The IOS PKI Performance Monitoring and Optimization feature enables you to collect the following types of PKI performance data:

Time to validate entire certificate chain.

Time to verify each certificate.

Time to check revocation status for each certificate.

Time to fetch certificate revocation list (CRL) database for each fetch location.

Time to fetch Simple Certificate Enrollment Protocol (SCEP) method capabilities to retrieve the CRL.

Time to process each CRL.

Time to process the Online Certificate Status Protocol (OCSP) response. OCSP is a certificate revocation mechanism.

Time to fetch Authentication, Authorization, and Accounting (AAA).

CRL size.

Validation result.

Validation Bypass (pubkey cached).

Method used to fetch a CRL.

PKI session identifier.

Crypto engine used (hardware, software, etoken).

How to Configure IOS PKI Performance Monitoring and Optimization

Use this task to start, stop and verify IOS PKI performance monitoring and optimization data.

SUMMARY STEPS

1. enable

2. crypto pki benchmark start limit [wrap]

3. crypto pki benchmark stop

4. show crypto pki benchmarks [failures]

5. clear crypto pki benchmarks

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

crypto pki benchmark start limit [wrap]

Example:

Router# crypto pki benchmark start 20 wrap

Enables PKI benchmarking.

The limit argument states the number of records from 0 to 9990 that can be stored for the benchmarking session. A limit of 0 indicates an unlimited number of records can be stored.

(Optional) The wrap keyword specifies a continuous flow of records. Once the maximum number of records is gathered, they are released and a new set of records is generated. If the wrap keyword is not specified, then benchmarking stops once the limit for the maximum number of records has been reached.

Step 3 

crypto pki benchmark stop

Example:

Router# crypto pki benchmark stop

Terminates PKI benchmarking data collection.

Step 4 

show crypto pki benchmarks [failures]

Example:

Router# show crypto pki benchmarks

Displays the PKI benchmarking data that was collected.

(Optional) Select the failures keyword to only display validation failures.

Step 5 

clear crypto pki benchmarks

Example:

Router# clear crypto pki benchmarks

Clears the PKI benchmarking data and releases all memory used.

Configuration Examples for IOS PKI Performance Monitoring and Optimization

Example: Displaying All PKI Benchmarking Data

The following example shows the output of the show crypto pki benchmarks command for all PKI benchmarking data:

Router# show crypto pki benchmarks

Session Descriptor: 10008
Validation Start: 22:58:45.704 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 22:58:45.714 GMT Tue Oct 13 2009
   Duration: 3 ms
  SCEP Capabilities: Skipped

Session Descriptor: 10007
Validation Start: 22:54:38.969 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 22:54:38.979 GMT Tue Oct 13 2009
   Duration: 3 ms
  SCEP Capabilities: Skipped
  SCEP Capabilities Duration: 0 ms

Session Descriptor: 10006
Validation Start: 21:52:08.616 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success

Session Descriptor: 10005
Validation Start: 23:42:12.925 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes

Session Descriptor: 10004
Validation Start: 23:42:10.614 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success

Session Descriptor: 10003
Validation Start: 23:42:09.540 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success

Session Descriptor: 10002
Validation Start: 23:42:06.699 GMT Tue Oct 13 2009
Validation Duration: 53 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 23:42:06.707 GMT Tue Oct 13 2009
   Duration: 44 ms
  CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
  CRL Fetch - HTTP Duration: 31 ms
  CRL Insert Start: 23:42:06.740 GMT Tue Oct 13 2009
  CRL Insert Duration: 8 ms
  CRL Size: 3892
  SCEP Capabilities Start: 23:42:06.709 GMT Tue Oct 13 2009
  SCEP Capabilities Duration: 7 ms

Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 20:47:14.868 GMT Thu Sep 24 2009
   Duration: 49 ms
  CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
  SCEP Capabilities Duration: 11 ms
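
An added example, not Cisco's code: a small Python parser for the show crypto pki benchmarks output format shown above. It flags sessions that failed, recorded no validation result, or exceeded a latency threshold, and names the slowest recorded phase. The function names, the 50 ms threshold and the abridged sample are assumptions made for this illustration.

```python
import re

# Abridged from this page's sample output (sessions 10002, 10005, 10001).
SAMPLE = """\
Session Descriptor: 10002
Validation Duration: 53 ms
Validation Result: Success
   Duration: 44 ms
  CRL Fetch - HTTP Duration: 31 ms

Session Descriptor: 10005
Validation Duration: 5 ms
Pubkey Bypass: yes

Session Descriptor: 10001
Validation Duration: 57 ms
Validation Result: Failed
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Duration: 11 ms
"""
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_sessions(text):
    """Return one dict per 'Session Descriptor' record; phases is [(name, ms)]."""
    sessions = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, val = m.groups()
        if key == "Session Descriptor":
            sessions.append({"id": val, "total_ms": 0, "phases": []})
        elif not sessions:
            continue  # ignore anything before the first record
        elif key == "Validation Duration":
            sessions[-1]["total_ms"] = int(val.split()[0])
        elif key.endswith(" Duration"):  # bare "Duration" (whole revocation check) is skipped
            sessions[-1]["phases"].append((key[:-len(" Duration")], int(val.split()[0])))
        elif key in ("Validation Result", "Pubkey Bypass"):
            sessions[-1][key] = val
    return sessions

def triage(sessions, slow_ms=50):
    """Return (session id, reason) for non-successful or slow validations."""
    findings = []
    for s in sessions:
        if s.get("Validation Result") != "Success":
            findings.append((s["id"], "result " + s.get("Validation Result", "missing")))
        if s["total_ms"] >= slow_ms and s["phases"]:
            name, ms = max(s["phases"], key=lambda p: p[1])
            findings.append((s["id"], f"slow: {name} {ms} of {s['total_ms']} ms"))
    return findings
```

Feed it the captured output of show crypto pki benchmarks after stopping collection; a record with no Validation Result line (as in session 10005 above) is reported rather than silently counted as a success.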

Example: Displaying Only Failures in PKI Benchmarking Data

The following example shows the output of the show crypto pki benchmark failures command, which displays only the failures in the PKI benchmarking data:

Router# show crypto pki benchmark failures
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 20:47:14.868 GMT Thu Sep 24 2009
   Duration: 49 ms
  CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
  SCEP Capabilities Duration: 11 ms

Example: Displaying a Section Filter in PKI Benchmarking Data

The following example shows the output of the show crypto pki benchmark command with a section filter applied to the PKI benchmarking data:

Router# show crypto pki benchmark | section Revocation
  Revocation Check for Certificate 1 of 1
    Start: 20:47:29.063 GMT Wed Oct 27 2010
    Duration: 714 ms
  Revocation Check for Certificate 1 of 1
    Start: 20:49:15.076 GMT Wed Oct 27 2010
    Duration: 6 ms

Additional References

MIBs

MIB: None

MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs



Feature Information for IOS PKI Performance Monitoring and Optimization

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note: Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for IOS PKI Performance Monitoring and Optimization

Feature Name: IOS PKI Performance Monitoring and Optimization

Releases: 15.1(3)T

Feature Information: The IOS Performance Monitoring and Optimization feature provides a way to characterize the performance within the Public Key Infrastructure (PKI) subsystem and debug and analyze PKI performance related issues.

This feature was introduced in Cisco IOS Release 15.1(3)T.

The following commands were introduced or modified: crypto pki benchmark, show crypto pki benchmarks, clear crypto pki benchmarks.