IOS PKI Performance Monitoring and Optimization
First Published: November 3, 2010
Last Updated: March 31, 2011
The IOS PKI Performance Monitoring and Optimization feature provides a way to characterize performance within the Public Key Infrastructure (PKI) subsystem and to debug and analyze PKI performance-related issues.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IOS PKI Performance Monitoring and Optimization" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Information About IOS PKI Performance Monitoring and Optimization
• How to Configure IOS PKI Performance Monitoring and Optimization
• Configuration Examples for IOS PKI Performance Monitoring and Optimization
• Additional References
• Feature Information for IOS PKI Performance Monitoring and Optimization
Information About IOS PKI Performance Monitoring and Optimization
When PKI applications are deployed in an environment that scales, they can create problems that are difficult to identify and debug. Traditional use of debug commands may be less effective in this operating environment. The IOS PKI Performance Monitoring and Optimization feature provides an efficient way to gather data and report on PKI operations in order to identify performance-related issues.
The IOS PKI Performance Monitoring and Optimization feature enables you to collect the following types of PKI performance data:
• Time to validate entire certificate chain.
• Time to verify each certificate.
• Time to check revocation status for each certificate.
• Time to fetch certificate revocation list (CRL) database for each fetch location.
• Time to fetch Simple Certificate Enrollment Protocol (SCEP) method capabilities to retrieve the CRL.
• Time to process each CRL.
• Time to process the Online Certificate Status Protocol (OCSP) response. OCSP is a certificate revocation mechanism.
• Time to fetch Authentication, Authorization, and Accounting (AAA).
• CRL size.
• Validation result.
• Validation Bypass (pubkey cached).
• Method used to fetch a CRL.
• PKI session identifier.
• Crypto engine used (hardware, software, etoken).
How to Configure IOS PKI Performance Monitoring and Optimization
Use this task to start, stop and verify IOS PKI performance monitoring and optimization data.
SUMMARY STEPS
1. enable
2. crypto pki benchmark start limit [wrap]
3. crypto pki benchmark stop
4. show crypto pki benchmarks [failures]
5. clear crypto pki benchmarks
DETAILED STEPS
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable (Example: Router> enable) | Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 | crypto pki benchmark start limit [wrap] (Example: Router# crypto pki benchmark start 20 wrap) | Enables PKI benchmarking. The limit argument states the number of records from 0 to 9990 that can be stored for the benchmarking session. A limit of 0 indicates an unlimited number of records can be stored. (Optional) The wrap keyword specifies a continuous flow of records. Once the maximum number of records is gathered, they are released and a new set of records is generated. If the wrap keyword is not specified, then benchmarking stops once the limit for the maximum number of records has been reached. |
| Step 3 | crypto pki benchmark stop (Example: Router# crypto pki benchmark stop) | Terminates PKI benchmarking data collection. |
| Step 4 | show crypto pki benchmarks [failures] (Example: Router# show crypto pki benchmarks) | Displays the PKI benchmarking data that was collected. (Optional) Select the failures keyword to only display validation failures. |
| Step 5 | clear crypto pki benchmarks (Example: Router# clear crypto pki benchmarks) | Clears the PKI benchmarking data and releases all memory used. |
Configuration Examples for IOS PKI Performance Monitoring and Optimization
• Example: Displaying All PKI Benchmarking Data
• Example: Displaying Only Failures in PKI Benchmarking Data
• Example: Displaying a Section Filter in PKI Benchmarking Data
Example: Displaying All PKI Benchmarking Data
The following example shows output from the show crypto pki benchmarks command, displaying all PKI benchmarking data:
Router# show crypto pki benchmarks
Session Descriptor: 10008
Validation Start: 22:58:45.704 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
Start: 22:58:45.714 GMT Tue Oct 13 2009
SCEP Capabilities: Skipped
Session Descriptor: 10007
Validation Start: 22:54:38.969 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
Start: 22:54:38.979 GMT Tue Oct 13 2009
SCEP Capabilities: Skipped
SCEP Capabilities Duration: 0 ms
Session Descriptor: 10006
Validation Start: 21:52:08.616 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Validation Result: Success
Session Descriptor: 10005
Validation Start: 23:42:12.925 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Session Descriptor: 10004
Validation Start: 23:42:10.614 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Validation Result: Success
Session Descriptor: 10003
Validation Start: 23:42:09.540 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Validation Result: Success
Session Descriptor: 10002
Validation Start: 23:42:06.699 GMT Tue Oct 13 2009
Validation Duration: 53 ms
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
Start: 23:42:06.707 GMT Tue Oct 13 2009
CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
CRL Fetch - HTTP Duration: 31 ms
CRL Insert Start: 23:42:06.740 GMT Tue Oct 13 2009
CRL Insert Duration: 8 ms
SCEP Capabilities Start: 23:42:06.709 GMT Tue Oct 13 2009
SCEP Capabilities Duration: 7 ms
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
Start: 20:47:14.868 GMT Thu Sep 24 2009
CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
CRL Fetch - HTTP Duration: 37 ms
SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
SCEP Capabilities Duration: 11 ms
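An added example (not part of the Cisco documentation): a small Python parser for saved show crypto pki benchmarks output that lists sessions which failed, carry no Validation Result line, or exceed a duration threshold, together with the slowest recorded step. The function names, the 50 ms threshold, and the decision to surface records with no result line are assumptions; the sample input is abridged from the output above.

```python
import re

# Sample abridged from the output format shown above (three sessions).
SAMPLE = """\
Session Descriptor: 10005
Validation Duration: 5 ms
Session Descriptor: 10002
Validation Duration: 53 ms
Validation Result: Success
CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
CRL Fetch - HTTP Duration: 31 ms
CRL Insert Duration: 8 ms
SCEP Capabilities Duration: 7 ms
Session Descriptor: 10001
Validation Duration: 57 ms
Validation Result: Failed
CRL Fetch - HTTP Duration: 37 ms
SCEP Capabilities Duration: 11 ms
"""

DURATION = re.compile(r"^(?P<step>.+?) Duration:\s*(?P<ms>\d+)\s*ms$")

def parse_benchmarks(text):
    """Split the output into one dict per 'Session Descriptor' record."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Session Descriptor:"):
            records.append({"session": int(line.split(":", 1)[1]),
                            "result": None, "total_ms": 0, "steps": {}})
        elif records and line.startswith("Validation Result:"):
            records[-1]["result"] = line.split(":", 1)[1].strip()
        elif records and (m := DURATION.match(line)):
            if m["step"] == "Validation":      # whole-chain validation time
                records[-1]["total_ms"] = int(m["ms"])
            else:                              # per-step time (CRL fetch, SCEP, ...)
                records[-1]["steps"][m["step"]] = int(m["ms"])
    return records

def triage(records, slow_ms=50):
    """Return (session, reason, slowest step) for failed or slow records."""
    findings = []
    for r in records:
        failed = r["result"] != "Success"      # a missing result is not a success
        if failed or r["total_ms"] >= slow_ms:
            reason = f"result={r['result']}" if failed else "slow"
            slowest = max(r["steps"], key=r["steps"].get, default=None)
            findings.append((r["session"], reason, slowest))
    return findings
```

Running triage(parse_benchmarks(SAMPLE)) on the sample attributes both the slow and the failed session to the HTTP CRL fetch, which is the step to examine first when validation time grows.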
Example: Displaying Only Failures in PKI Benchmarking Data
The following example shows output from the show crypto pki benchmark failures command, displaying only the failures in the PKI benchmarking data:
Router# show crypto pki benchmark failures
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
Start: 20:47:14.868 GMT Thu Sep 24 2009
CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
CRL Fetch - HTTP Duration: 37 ms
SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
SCEP Capabilities Duration: 11 ms
Example: Displaying a Section Filter in PKI Benchmarking Data
The following example shows output from the show crypto pki benchmark command with a section filter applied to the PKI benchmarking data:
Router# show crypto pki benchmark | section Revocation
Revocation Check for Certificate 1 of 1
Start: 20:47:29.063 GMT Wed Oct 27 2010
Revocation Check for Certificate 1 of 1
Start: 20:49:15.076 GMT Wed Oct 27 2010
Additional References
Related Documents
MIBs
| MIB | MIBs Link |
|---|---|
| None | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html |
Feature Information for IOS PKI Performance Monitoring and Optimization
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for IOS PKI Performance Monitoring and Optimization
| Feature Name | Releases | Feature Information |
|---|---|---|
| IOS PKI Performance Monitoring and Optimization | 15.1(3)T | The IOS PKI Performance Monitoring and Optimization feature provides a way to characterize performance within the Public Key Infrastructure (PKI) subsystem and to debug and analyze PKI performance-related issues. This feature was introduced in Cisco IOS Release 15.1(3)T. The following commands were introduced or modified: crypto pki benchmark, show crypto pki benchmarks, clear crypto pki benchmarks. |
© 2010 Cisco Systems, Inc. All rights reserved.