Characterizing secure dynamic Web applications scalability

Security in the access to Web contents and the interaction with Web sites is becoming one of the most important issues on the Internet. Servers need to provide certain levels of security so that users feel comfortable when running the applications that provide the services they require. HTTP over SSL is the most used solution, providing mutual authentication between the two interacting parties. The SSL protocol does not introduce complexity in Web applications but increases the computational demand on the server, reducing its capacity to serve a large number of clients and increasing the time to serve them. In order to compensate for the degradation in the quality of service, the server needs to be upgraded with additional resources, mainly processors and memory. In this paper we analyze the scalability of servers that run secure dynamic Web applications. We analyze how the server behaves when it is stressed with different numbers of clients and how the quality of service is degraded. We perform a detailed analysis of the server behavior and analyze the impact of adding more processors to the system that runs the server. The analysis is done using a fine-grained analysis framework that considers all levels in the application server execution (i.e., application, server, JVM and OS kernel). The RUBiS auction site benchmark is used to stress a Tomcat application server running on a commodity 4-way multiprocessor Intel platform with Linux.
