Knowledgebase:
XDQP SSL Performance
10 January 2022 04:57 PM

Summary

By default, inter-node communication within a MarkLogic cluster uses XDQP (XML Data Query Protocol) over a non-secure channel, on the assumption that all nodes reside within the same secure network. However, you can set the "XDQP SSL enabled" flag to true so that all inter-node communication occurs over an SSL (Secure Sockets Layer) channel. This article describes the different components of XDQP SSL enabled performance.

A few things about MarkLogic XDQP SSL Enabled...

  1. MarkLogic Server, by default, has TLS enabled and forced with FIPS mode (Federal Information Processing Standards). 
  2. MarkLogic uses the open-source OpenSSL library for its encryption implementation, the industry standard for most major software vendors.
  3. Enabling SSL on XDQP does NOT change the number of initial TCP channels (3) on the XDQP port (7999); instead, MarkLogic establishes 3 SSL channels in place of the plain TCP channels. The overhead of establishing the 3 SSL channels is the extra SSL handshakes, in addition to the 3-way TCP handshakes during cluster startup (which are needed in the non-SSL scenario as well).
  4. Once the SSL channels are established, the nature and number of XDQP messages on top of SSL do not change purely because of the SSL configuration (bandwidth usage will only change based on load).

MarkLogic Internal XDQP SSL Enable Performance Test results...

The following results are from a single MarkLogic Lab infrastructure test.  Results may vary depending on a number of other factors, some described later in this article.

XDQP+SSL:

  • a. (1 thread): 4.124 % overhead
  • b. (4 threads): 1.435 % overhead
  • c. (16 threads): 5.034 % overhead
  • d. (64 threads): -3.395 % overhead

Based on our testing, we do not expect an XDQP SSL performance difference of more than ~5%.

Understanding Performance Cost with SSL

While SSL does not add overhead to network traffic (except for the initial SSL handshake), encryption itself has a processing cost.

1) Hardware/CPU support for encryption: Once the channels are established (at cluster startup), the XDQP data exchanged is encrypted with symmetric cryptography using the OpenSSL library. Most modern CPUs provide hardware-based encryption support, which accelerates the encryption itself. If enabling SSL over XDQP results in a considerable performance cost, you should check with your hardware provider whether your hardware has encryption support and ask to see their test data.

2) Resource availability for the current load pattern: Make sure that your environment has sufficient CPU and memory for the existing load, so that enabling XDQP SSL does not tip you over the edge.

3) Firewall: Various 3rd party tests confirm that a firewall (and other SSL inspection software) affects SSL performance once SSL traffic grows beyond a certain limit. If you are running into a performance issue, we recommend testing performance after disabling the firewall and other network inspection software across the cluster (including routers) and measuring the difference, to see whether that is the direction in which to resolve the performance issue.
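
For the hardware check in item 1 above, the following shell script is an added example, not MarkLogic code: it looks for the CPU's AES flag and compares the `openssl` CLI's AES-256-GCM throughput with and without x86 AES acceleration. It assumes a Linux host with `/proc/cpuinfo` and `openssl` on the PATH; the function names are illustrative, and the CLI may be a different OpenSSL build from the one MarkLogic links, so the figures indicate CPU capability rather than XDQP throughput.

```shell
#!/bin/sh
# Added example (not MarkLogic code): does this host's CPU accelerate AES,
# and how much throughput does that acceleration buy the openssl CLI?

# cpu_has_aes [FILE]: succeed if a cpuinfo-format file lists the "aes" flag.
# x86 reports it under "flags", ARM under "Features".
cpu_has_aes() {
    grep -E '^(flags|Features)[[:space:]]*:' "${1:-/proc/cpuinfo}" 2>/dev/null |
        grep -qw 'aes'
}

# aes_kbps: AES-256-GCM throughput (kB/s, 16 KiB blocks) from "openssl speed".
# Progress goes to stderr; the last stdout line is the results row.
aes_kbps() {
    openssl speed -elapsed -evp aes-256-gcm 2>/dev/null |
        tail -n 1 | awk '{ sub(/k$/, "", $NF); print $NF }'
}

# speedup FAST SLOW: ratio of two throughput figures, two decimals.
speedup() {
    awk -v f="$1" -v s="$2" 'BEGIN { if (s <= 0) exit 1; printf "%.2f\n", f / s }'
}

main() {
    if cpu_has_aes; then
        echo "CPU advertises AES instructions"
    else
        echo "No AES flag in /proc/cpuinfo: encryption runs in software"
    fi
    hw=$(aes_kbps)
    # x86 only: mask the AES-NI and PCLMULQDQ capability bits so OpenSSL
    # falls back to its software AES path (documented OPENSSL_ia32cap knob).
    # The export stays inside the command-substitution subshell.
    sw=$(export OPENSSL_ia32cap='~0x200000200000000'; aes_kbps)
    echo "accelerated: ${hw} kB/s, software: ${sw} kB/s, ratio: $(speedup "$hw" "$sw")"
}

# Runs the measurement only when asked: sh check_aes.sh --measure
if [ "${1:-}" = "--measure" ]; then main; fi
```

A ratio close to 1.00 on a CPU that advertises the flag suggests the acceleration is not being used, for example because a hypervisor hides the instructions from the guest.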
