IOS PKI Performance Monitoring and Optimization

The IOS Performance Monitoring and Optimization feature provides a way to identify the performance within the Public Key Infrastructure (PKI) subsystem and debug and analyze PKI performance related issues.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.

Information About IOS PKI Performance Monitoring and Optimization

When PKI applications are deployed in an environment that scales, they can create problems that are difficult to debug and identify. Traditional use of debug commands may be less effective in this operating environment. The IOS PKI Performance Monitoring and Optimization feature instead provides an efficient way to gather timing data for PKI operations and report it, so that performance-related issues can be identified.

The IOS PKI Performance Monitoring and Optimization feature enables you to collect the following types of PKI performance data:

  • Time to validate entire certificate chain.

  • Time to verify each certificate.

  • Time to check revocation status for each certificate.

  • Time to fetch certificate revocation list (CRL) database for each fetch location.

  • Time to fetch Simple Certificate Enrollment Protocol (SCEP) method capabilities to retrieve the CRL.

  • Time to process each CRL.

  • Time to process the Online Certificate Status Protocol (OCSP) response. OCSP is a certificate revocation mechanism.

  • Time to fetch Authentication, Authorization, and Accounting (AAA).

  • CRL size.

  • Validation result.

  • Validation Bypass (pubkey cached).

  • Method used to fetch a CRL.

  • PKI session identifier.

  • Crypto engine used (hardware, software, etoken).

How to Configure IOS PKI Performance Monitoring and Optimization

Use this task to start, stop and verify IOS PKI performance monitoring and optimization data.

SUMMARY STEPS

  1. enable
  2. crypto pki benchmark start limit [wrap]
  3. crypto pki benchmark stop
  4. show crypto pki benchmarks [ failures ]
  5. clear crypto pki benchmarks

DETAILED STEPS

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

crypto pki benchmark start limit [wrap]

Example:

Router# crypto pki benchmark start 20 wrap

Enables PKI benchmarking.

The limit argument states the number of records from 0 to 9990 that can be stored for the benchmarking session. A limit of 0 indicates an unlimited number of records can be stored.

(Optional) The wrap keyword specifies a continuous flow of records. Once the maximum number of records is gathered, they are released and a new set of records is generated. If the wrap keyword is not specified, then benchmarking stops once the limit for the maximum number of records has been reached.

Step 3

crypto pki benchmark stop

Example:

Router# crypto pki benchmark stop

Terminates PKI benchmarking data collection.

Step 4

show crypto pki benchmarks [ failures ]

Example:

Router# show crypto pki benchmarks

Displays the PKI benchmarking data that was collected.

(Optional) Select the failures keyword to only display validation failures.

Step 5

clear crypto pki benchmarks

Example:

Router# clear crypto pki benchmarks

Clears the PKI benchmarking data and all memory used is released.

Configuration Examples for IOS PKI Performance Monitoring and Optimization

Example Displaying All PKI Benchmarking Data

The following example shows show crypto pki benchmarks command output for all PKI benchmarking data:

Router# show crypto pki benchmarks
Session Descriptor: 10008
Validation Start: 22:58:45.704 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 22:58:45.714 GMT Tue Oct 13 2009
   Duration: 3 ms
  SCEP Capabilities: Skipped
Session Descriptor: 10007
Validation Start: 22:54:38.969 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 22:54:38.979 GMT Tue Oct 13 2009
   Duration: 3 ms
  SCEP Capabilities: Skipped
  SCEP Capabilities Duration: 0 ms
Session Descriptor: 10006
Validation Start: 21:52:08.616 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10005
Validation Start: 23:42:12.925 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Session Descriptor: 10004
Validation Start: 23:42:10.614 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10003
Validation Start: 23:42:09.540 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10002
Validation Start: 23:42:06.699 GMT Tue Oct 13 2009
Validation Duration: 53 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 23:42:06.707 GMT Tue Oct 13 2009
   Duration: 44 ms
  CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
  CRL Fetch - HTTP Duration: 31 ms
  CRL Insert Start: 23:42:06.740 GMT Tue Oct 13 2009
  CRL Insert Duration: 8 ms
  CRL Size: 3892
  SCEP Capabilities Start: 23:42:06.709 GMT Tue Oct 13 2009
  SCEP Capabilities Duration: 7 ms
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 20:47:14.868 GMT Thu Sep 24 2009
   Duration: 49 ms
  CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
  SCEP Capabilities Duration: 11 ms
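
The output above is a flat record list, which is awkward to read once thousands of sessions have been collected. As an added example (this is not Cisco code and not part of this guide), the following Python parses show crypto pki benchmarks output into per-session records and flags sessions that failed, that have no recorded validation result, or whose validation or CRL fetch took longer than a threshold. The sample text is constructed from the page's own example output (three of its sessions); the 50 ms and 30 ms thresholds are assumptions chosen for illustration, not values from the guide.

```python
"""Parse `show crypto pki benchmarks` output and flag slow or failed sessions.

Added example, not Cisco code. Record layout follows the sample output in
this guide; thresholds are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the sessions from the guide's example output.
SAMPLE_OUTPUT = """\
Router# show crypto pki benchmarks
Session Descriptor: 10005
Validation Start: 23:42:12.925 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Session Descriptor: 10002
Validation Start: 23:42:06.699 GMT Tue Oct 13 2009
Validation Duration: 53 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 23:42:06.707 GMT Tue Oct 13 2009
   Duration: 44 ms
  CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
  CRL Fetch - HTTP Duration: 31 ms
  CRL Insert Duration: 8 ms
  CRL Size: 3892
  SCEP Capabilities Duration: 7 ms
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Duration: 49 ms
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Duration: 11 ms
"""


@dataclass
class Session:
    descriptor: int
    validation_ms: Optional[int] = None
    pubkey_bypass: bool = False
    result: Optional[str] = None          # "Success", "Failed", or None if absent
    certs_to_validate: int = 0
    revocation_ms: list = field(default_factory=list)  # per-certificate check time
    crl_fetch_ms: list = field(default_factory=list)   # per CRL fetch (HTTP)
    crl_size: Optional[int] = None


_MS = re.compile(r"(\d+) ms$")


def _ms(value):
    m = _MS.search(value)
    return int(m.group(1)) if m else None


def parse_benchmarks(text):
    """Split output into Session records; lines without a colon are ignored."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Session Descriptor:"):
            cur = Session(int(line.split(":", 1)[1]))
            sessions.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # CLI prompt, or "Revocation for certificate N"
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Validation Duration":
            cur.validation_ms = _ms(value)
        elif key == "Pubkey Bypass":
            cur.pubkey_bypass = value.lower() == "yes"
        elif key == "Validation Result":
            cur.result = value
        elif key == "Certificates To Validate":
            cur.certs_to_validate = int(value)
        elif key == "Duration":              # only appears under a revocation block
            cur.revocation_ms.append(_ms(value))
        elif key == "CRL Fetch - HTTP Duration":
            cur.crl_fetch_ms.append(_ms(value))
        elif key == "CRL Size":
            cur.crl_size = int(value)
    return sessions


def flag_sessions(sessions, max_validation_ms=50, max_crl_fetch_ms=30):
    """Return (descriptor, [reasons]) for sessions worth a closer look."""
    findings = []
    for s in sessions:
        reasons = []
        if s.result == "Failed":
            reasons.append("validation failed")
        elif s.result is None:
            reasons.append("no validation result recorded")
        if s.validation_ms is not None and s.validation_ms > max_validation_ms:
            reasons.append(f"validation took {s.validation_ms} ms")
        reasons += [f"CRL fetch took {ms} ms" for ms in s.crl_fetch_ms
                    if ms is not None and ms > max_crl_fetch_ms]
        if reasons:
            findings.append((s.descriptor, reasons))
    return findings


if __name__ == "__main__":
    for desc, why in flag_sessions(parse_benchmarks(SAMPLE_OUTPUT)):
        print(desc, "; ".join(why))
```

Sessions with Pubkey Bypass set to yes skip the full chain and revocation work, so their short durations are expected; comparing the validation time of bypassed and non-bypassed sessions in the parsed records shows how much of the cost sits in revocation checking and CRL retrieval rather than in signature verification.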

Example Displaying Only Failures in PKI Benchmarking Data

The following example shows show crypto pki benchmark failures command output, which lists only the failures in the PKI benchmarking data:

Router# show crypto pki benchmark failures
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
  Cert Index: 0
   Start: 20:47:14.868 GMT Thu Sep 24 2009
   Duration: 49 ms
  CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
  CRL Fetch - HTTP Duration: 37 ms
  SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
  SCEP Capabilities Duration: 11 ms

Example Displaying a Section Filter in PKI Benchmarking Data


The following example displays show crypto pki benchmark
 command output of a section filter in PKI benchmarking data:
Router# show crypto pki benchmark | section Revocation
  Revocation Check for Certificate 1 of 1
    Start: 20:47:29.063 GMT Wed Oct 27 2010
    Duration: 714 ms
  Revocation Check for Certificate 1 of 1
    Start: 20:49:15.076 GMT Wed Oct 27 2010
    Duration: 6 ms

Additional References

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases

Related Topic: Security commands
Document Title: Cisco IOS Security Command Reference

Related Topic: PKI information
Document Title: Cisco IOS Security Configuration Guide: Secure Connectivity, Release 15.1

MIBs

MIB: None

MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for IOS PKI Performance Monitoring and Optimization

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for IOS PKI Performance Monitoring and Optimization

Feature Name: IOS PKI Performance Monitoring and Optimization

Releases: 15.1(3)T

Feature Information: The IOS Performance Monitoring and Optimization feature provides a way to characterize the performance within the Public Key Infrastructure (PKI) subsystem and debug and analyze PKI performance related issues.

This feature was introduced in Cisco IOS Release 15.1(3)T.

The following commands were introduced or modified: crypto pki benchmark, show crypto pki benchmarks, clear crypto pki benchmarks.