We are running XCOM for z/OS file transfers between ourselves and a partner. XCOM regions on both systems are at the same level – and configured the same.
At the moment the transfers are using port 8044 , and so are non secure and so unencrypted.
We are trying to evaluate the impact on CPU resources and transfer time if/when we convert the transfers to use port 8045 and so be secure and encrypted.
Copied below are the default options that each XCOM region is configured with.
Could you provide any information around these questions?
1. Does the extra CPU resource required for the encryption/decryption use the standard CPU or the zIIP processor?
2. Is there any factor we can use, of how much extra CPU resource will be required? By that I mean if a transfer today uses X amount of CPU, then when sent securely it will use twice as much. That kind of thing.
3. Can we expect the transfer to take longer to complete than it does today? Again, like the extra CPU resource, any indication of how much longer?
The reason that we are focused on these questions is that we send/receive terabytes of data each night between ourselves and our partner.
The XCOM regions are both configured with;
SSL PORT = 08045
SSL_VERSION=SYSTEM
ZIIP=YES
Component: XCOM Data Transport for z/OS
1. Does the extra CPU resource required for the encryption/decryption use the standard CPU or the zIIP processor?
Per KB article XCOM capability to offload workload onto zIIP Processors section "Additional Information", XCOM does not support offloading SSL processing to zIIP.
There is additional overhead when using secured transfers, but XCOM and SSL are independent of each other. If using SSL with XCOM, there will be more CPU usage, but that is not influenced by XCOM. Any CPU difference between the non-secured transfers and those that are secured is the responsibility of the SSL software. See related KB article: Does using SSL cause overhead for XCOM transfers
Per article XCOM capability to offload workload onto zIIP Processors and the XCOM techdocs section for Secure Sockets Layer (SSL) Usage, because software-based data encryption is CPU-intensive, it is recommended to shift the workload to hardware data encryption using an IBM cryptographic processor (via the IBM ICSF interface).
2. Is there any factor we can use, of how much extra CPU resource will be required? By that I mean if a transfer today uses X amount of CPU, then when sent securely it will use twice as much. That kind of thing.
This is hard to answer because there are many factors that would be involved such as SSL software, workload, network, system resources, disk I/O.
3. Can we expect the transfer to take longer to complete than it does today? Again, like the extra CPU resource, any indication of how much longer?
That all depends, make sure to use packing, be current with XCOM maintenance, then use that large MAXPACK value. In addition to that:
- make sure to use the proper compression method if using one
- make sure that checkpoint is either a high value of 9999 or 0. The latter turns it off.
- make sure no tracing is taking place
Related KB article: Improving Performance for TCP/IP Transfers with XCOM for z/OS
NOTE: As OpenSSL is now deprecated under the XCOM Data Transport for z/OS latest maintenance it is assumed that IBM System SSL is being used and also the SSL_VERSION parameter is ignored.
XCOM™ Data Transport® for z/OS 12.0 > Release Notes > Deprecated Features