Poor Performance after enabling FIPS 140-2 (Doc ID 2279002.1)

Last updated on JUNE 22, 2017

Applies to:

Advanced Networking Option - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]
Information in this document applies to any platform.

Symptoms

After enabling FIPS 140-2, SSL/TLS connections to the database are delayed by 8 - 20 seconds.

If TDE FIPS is configured, there may also be a performance hit when accessing encrypted tables.

Diagnostic analysis

A normal TLS client/server connection usually takes less than a second.

[mseibt@bde admin]$ unset FIPS_HOME
[mseibt@bde admin]$ time sqlplus mike/mike@n12102p1ssl <<e

SQL*Plus: Release 12.1.0.2.0 Production on Fri May 13 14:15:48 2016

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options

SQL> Disconnected from Oracle Database 12c Enterprise Edition Release
12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options

real 0m0.076s                 <====
user 0m0.023s
sys 0m0.015s

----------------

When FIPS is enabled, the same connection experiences a delay of more than 6 seconds:

[mseibt@bde-idm8 admin]$ export FIPS_HOME='/u01/app/oracle/product/12.1.0.2/network/admin'

[mseibt@bde-idm8 admin]$ time sqlplus mike/mike@n12102p1ssl <<e

SQL*Plus: Release 12.1.0.2.0 Production on Fri May 13 14:17:32 2016

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options

SQL> Disconnected from Oracle Database 12c Enterprise Edition Release
12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options

real 0m8.047s               <====
user 0m7.984s
sys 0m0.027s

---------------

Oracle Net Trace details

The delay occurs between ntzgbhapip (exit) and nzsuppgp_get_parameter (entry). It occurs two times with each connection.

15:25:57:267] ntzgbhapip: entry
15:25:57:267] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:25:57:267] ntzgbhapip: exit                                                                           <===== delay
15:26:01:633] nzsuppgp_get_parameter: entry                                                    <===== delay
15:26:01:633] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:01:633] nzsuppgp_get_parameter: exit
15:26:01:633] nzsuppgp_get_parameter: entry
15:26:01:633] nzsuppgp_get_parameter: "trace_level_client": 0.
15:26:01:633] nzsuppgp_get_parameter: exit
15:26:01:633] nztysgs_genseed: entry
15:26:01:634] nzsuppgp_get_parameter: entry
15:26:01:634] nzsuppgp_get_parameter: "ssl.renegotiate" does not exist.
15:26:01:634] nzsuppgp_get_parameter: exit
15:26:01:634] ntzSetupConnection: exit
15:26:01:634] ntzSetupConnection: entry
15:26:01:634] ntzgbhapip: entry
15:26:01:634] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:26:01:634] ntzgbhapip: exit                                                                          <===== delay
15:26:05:211] nzsuppgp_get_parameter: entry                                                   <===== delay
15:26:05:211] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:05:211] nzsuppgp_get_parameter: exit
15:26:05:211] nzsuppgp_get_parameter: entry
15:26:05:211] nzsuppgp_get_parameter: "trace_level_client": 0.
15:26:05:211] nzsuppgp_get_parameter: exit
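
The gap analysis above can be automated when a trace is too long to read by eye. The following is an added example, not Oracle's code and not part of the original note: it scans trace lines in the timestamp format shown above and reports consecutive entries that are more than a threshold apart. The names `parse_trace` and `find_gaps`, the one-second threshold, and the shortened sample (lines copied from the excerpt above with the annotations removed) are assumptions.

```python
import re
from datetime import timedelta

# Timestamp tail and function name as they appear in the excerpt above,
# e.g. "15:25:57:267] ntzgbhapip: exit".
LINE_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2}):(\d{3})\]\s+(\w+):\s*(.*)")

# Constructed sample: a shortened copy of the trace excerpt, annotations removed.
SAMPLE_TRACE = """\
15:25:57:267] ntzgbhapip: entry
15:25:57:267] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:25:57:267] ntzgbhapip: exit
15:26:01:633] nzsuppgp_get_parameter: entry
15:26:01:633] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:01:634] ntzSetupConnection: entry
15:26:01:634] ntzgbhapip: entry
15:26:01:634] ntzgbhapip: exit
15:26:05:211] nzsuppgp_get_parameter: entry
"""

def parse_trace(text):
    """Yield (time since midnight, function, message) for each timestamped line."""
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # wrapped continuation lines carry no timestamp
        h, mi, s, ms = (int(g) for g in m.groups()[:4])
        ts = timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms)
        yield ts, m.group(5), m.group(6).strip()

def find_gaps(text, threshold_s=1.0):
    """Return (gap_seconds, before, after) for consecutive entries >= threshold apart."""
    gaps, prev = [], None
    for ts, func, msg in parse_trace(text):
        if prev is not None:
            delta = (ts - prev[0]).total_seconds()
            if delta < 0:
                delta += 86400  # trace crossed midnight
            if delta >= threshold_s:
                gaps.append((round(delta, 3), f"{prev[1]}: {prev[2]}", f"{func}: {msg}"))
        prev = (ts, func, msg)
    return gaps

if __name__ == "__main__":
    for seconds, before, after in find_gaps(SAMPLE_TRACE):
        print(f"{seconds:7.3f}s between [{before}] and [{after}]")
```

On the sample, the two reported gaps add up to roughly the eight seconds of `real` time measured with FIPS enabled.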

 

Changes

FIPS 140-2 is enabled.

FIPS patch 24507599 may be installed.

 

Cause
