Last updated on JUNE 22, 2017
Applies to:
Advanced Networking Option - Version 11.2.0.4 to 12.1.0.2 [Release 11.2 to 12.1]Information in this document applies to any platform.
Symptoms
After enabling FIPS 140-2 SSL/TLS connections to the database are delayed 8 - 20 seconds.
If TDE FIPS is configured there may also be a performance hit accessing encrypted tables.
Diagnostic analysis
A normal TLS client/server connection usually takes less than a second.
[mseibt@bde admin]$ unset FIPS_HOME
[mseibt@bde admin]$ time sqlplus mike/mike@n12102p1ssl <<e
SQL*Plus: Release 12.1.0.2.0 Production on Fri May 13 14:15:48 2016
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
SQL> Disconnected from Oracle Database 12c Enterprise Edition Release
12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
real 0m0.076s <====
user 0m0.023s
sys 0m0.015s
----------------
When FIPS is enabled the same connection experiences a delay > 6 seconds:
[mseibt@bde-idm8 admin]$ export FIPS_HOME='/u01/app/oracle/product/12.1.0.2/network/admin'
[mseibt@bde-idm8 admin]$ time sqlplus mike/mike@n12102p1ssl <<e
SQL*Plus: Release 12.1.0.2.0 Production on Fri May 13 14:17:32 2016
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
SQL> Disconnected from Oracle Database 12c Enterprise Edition Release
12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
real 0m8.047s <====
user 0m7.984s
sys 0m0.027s
---------------
Oracle Net Trace details
The delay is occurring between ntzgbhapip (exit) and nzsuppgp_get_parameter
(entry). It occurs two times with each connection.
15:25:57:267] ntzgbhapip: entry
15:25:57:267] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:25:57:267] ntzgbhapip: exit <===== delay
15:26:01:633] nzsuppgp_get_parameter: entry <===== delay
15:26:01:633] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:01:633] nzsuppgp_get_parameter: exit
15:26:01:633] nzsuppgp_get_parameter: entry
15:26:01:633] nzsuppgp_get_parameter: "trace_level_client": 0.
15:26:01:633] nzsuppgp_get_parameter: exit
15:26:01:633] nztysgs_genseed: entry
15:26:01:634] nzsuppgp_get_parameter: entry
15:26:01:634] nzsuppgp_get_parameter: "ssl.renegotiate" does not exist.
15:26:01:634] nzsuppgp_get_parameter: exit
15:26:01:634] ntzSetupConnection: exit
15:26:01:634] ntzSetupConnection: entry
15:26:01:634] ntzgbhapip: entry
15:26:01:634] ntzgbhapip: no value for bhapi parameter specified - using
default value: "TRUE"
15:26:01:634] ntzgbhapip: exit <===== delay
15:26:05:211] nzsuppgp_get_parameter: entry <===== delay
15:26:05:211] nzsuppgp_get_parameter: "trace_level_server" does not exist.
15:26:05:211] nzsuppgp_get_parameter: exit
15:26:05:211] nzsuppgp_get_parameter: entry
15:26:05:211] nzsuppgp_get_parameter: "trace_level_client": 0.
15:26:05:211] nzsuppgp_get_parameter: exit
Changes
FIPS 140-2 is enabled.
FIPS patch 24507599 may be installed.
Cause
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms