Poor Performance after enabling FIPS 140-2
(Doc ID 2279002.1)
Last updated on DECEMBER 06, 2019
Applies to:
Advanced Networking Option - Version 11.2.0.4 to 12.2.0.1 [Release 11.2 to 12.2]Information in this document applies to any platform.
Symptoms
After enabling FIPS 140-2 SSL/TLS connections to the database are delayed 8 - 20 seconds.
If TDE FIPS is configured there may also be a performance hit accessing encrypted tables.
Diagnostic analysis
A normal TLS client/server connection usually takes less than a second.
$ unset FIPS_HOME SQL*Plus: Release 12.1.0.2.0 Production on Fri May 13 14:15:48 2016 Connected to: SQL> Disconnected from Oracle Database 12c Enterprise Edition Release real 0m0.076s <==== ---------------- When FIPS is enabled the same connection experiences a delay > 6 seconds: $ export FIPS_HOME='/u01/app/oracle/product/12.1.0.2/network/admin' $ time sqlplus <user>@<TNS alias> < SQL*Plus: Release 12.1.0.2.0 Production on Fri May 13 14:17:32 2016 Connected to: SQL> Disconnected from Oracle Database 12c Enterprise Edition Release real 0m8.047s <==== --------------- Oracle Net Trace details FIPS 140-2 is enabled. FIPS patch 24507599 may be installed.
$ time sqlplus <user>@<TNS alias> <
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
user 0m0.023s
sys 0m0.015s
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
user 0m7.984s
sys 0m0.027s
The delay is occurring between ntzgbhapip (exit) and nzsuppgp_get_parameter
(entry). It occurs two times with each connection.
15:25:57:267] ntzgbhapip: entry
15:25:57:267] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:25:57:267] ntzgbhapip: exit <===== delay
15:26:01:633] nzsuppgp_get_parameter: entry <===== delay
15:26:01:633] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:01:633] nzsuppgp_get_parameter: exit
15:26:01:633] nzsuppgp_get_parameter: entry
15:26:01:633] nzsuppgp_get_parameter: "trace_level_client": 0.
15:26:01:633] nzsuppgp_get_parameter: exit
15:26:01:633] nztysgs_genseed: entry
15:26:01:634] nzsuppgp_get_parameter: entry
15:26:01:634] nzsuppgp_get_parameter: "ssl.renegotiate" does not exist.
15:26:01:634] nzsuppgp_get_parameter: exit
15:26:01:634] ntzSetupConnection: exit
15:26:01:634] ntzSetupConnection: entry
15:26:01:634] ntzgbhapip: entry
15:26:01:634] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:26:01:634] ntzgbhapip: exit <===== delay
15:26:05:211] nzsuppgp_get_parameter: entry <===== delay
15:26:05:211] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:05:211] nzsuppgp_get_parameter: exit
15:26:05:211] nzsuppgp_get_parameter: entry
15:26:05:211] nzsuppgp_get_parameter: "trace_level_client": 0.
15:26:05:211] nzsuppgp_get_parameter: exitChanges
Cause
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
Symptoms Changes Cause Solution References