
Crypto Management

Jun 29, 2017

Important

This topic applies only to the NetScaler SDX 8900 series appliance.

NetScaler SDX Appliances provide CPU cores, memory, storage, NIC interfaces, and SSL crypto hardware that can be shared across NetScaler VPX instances that are provisioned on the appliance.

In other NetScaler SDX platforms, the crypto capacity is currently represented and allocated in units of SSL cores and chips. During provisioning of the NetScaler VPX instances, you can allocate the number of SSL cores and chips to the NetScaler VPX instance for various crypto operations.

The introduction of NetScaler SDX 8900 series changes the way the SSL units are assigned to the NetScaler VPX instances. The Management Service now provides Asymmetric Crypto Units (ACUs), Symmetric Crypto Units (SCUs), and Crypto Virtual Interfaces to represent SSL capacity on the NetScaler SDX appliance and allows you to allocate the crypto capacity to the NetScaler VPX instances.

The following table briefly describes ACUs, SCUs, and Crypto Virtual Interfaces:

| Crypto Units | Description |
| --- | --- |
| Asymmetric Crypto Unit (ACU) | 1 operation per second (ops) of RSA 2K (2048-bit key size) decryption with the Chinese Remainder Theorem |
| Symmetric Crypto Unit (SCU) | 1 Mbps of a combined cipher + authentication operation (AES-128-CBC + SHA256-HMAC) with a 1024-byte buffer size |
| Crypto Virtual Interfaces | Represent the basic access to the SSL hardware. Once these are exhausted, the SSL hardware cannot be assigned to any further NetScaler VPX instances. Also known as Virtual Functions. |

While provisioning the NetScaler VPX instances, you need to allocate the number of ACUs and SCUs for crypto operations. The Crypto Virtual Interfaces are read-only entities and are allocated automatically by the NetScaler SDX appliance.

Viewing the Crypto Capacity of the NetScaler SDX Appliance Using Management Service

In Management Service, you can view the crypto capacity of the NetScaler SDX 8900 appliance in the dashboard. The dashboard displays the used and available ACUs, SCUs, and Virtual Interfaces on the NetScaler SDX Appliance. To view the crypto capacity, navigate to Dashboard > Crypto Capacity.


Allocating Crypto Capacity While Provisioning the NetScaler VPX Instance

While provisioning a NetScaler VPX instance on NetScaler SDX, in the Crypto Allocation section, you can allocate the number of ACUs and SCUs for the NetScaler VPX instance. For instructions to provision a NetScaler VPX instance, see Provisioning NetScaler Instances.

To allocate crypto capacity while provisioning a NetScaler VPX instance:
    1. Log on to the Management Service.
    2. Navigate to Configuration > NetScaler > Instances, and click Add.
    3. In the Provision NetScaler section, enter the Instance name, management address details, license type, administration profile and description.


    4. In the Crypto Allocation section, you can view the available ACUs, SCUs, and Crypto Virtual Interfaces. Based on your requirement, allocate the number of ACUs and SCUs to the NetScaler VPX instance.

Note

Make sure that you allocate the ACUs and SCUs in multiples of 1000.


    5. In the Resource Allocation section, allocate the available resources, such as memory, SSL cores, throughput allocation mode (fixed or burstable), minimum throughput (Mbps), Packets Per Second, and CPU core assignment.


    6. In the Instance Administration section, define a dedicated user account for instance management.


    7. In the Network Settings and Management VLAN Settings sections, map the network connection to the NetScaler VPX instance. For more information, see Provisioning NetScaler Instances.


    8. Click Done.

Viewing the Health of the Crypto Hardware

In Management Service, you can view the health of the crypto hardware provided with the NetScaler SDX. The health of the crypto hardware is represented as Crypto Devices and Crypto Virtual Functions. To view the health of the crypto hardware, navigate to Dashboard > Resources.


NITRO Interface Changes for Crypto Management

If you use the NetScaler SDX NITRO interface to manage and monitor the NetScaler SDX appliance programmatically, note that the NetScaler SDX 8900 series includes new parameters for crypto management in the following operations:

  • Adding a NetScaler VPX Instance
  • Modifying a NetScaler VPX Instance
  • Monitoring Crypto Hardware

Adding or Modifying a NetScaler VPX Instance
Using the NITRO interface, you can allocate crypto capacity to a NetScaler VPX instance either while adding the instance or by modifying an existing instance. The following two fields are now provided in the resource “ns” to allocate the crypto capacity to the NetScaler VPX instance:

  • “number_of_acu” – Defines the number of ACUs that you want to allocate for the NetScaler VPX instance.
  • “number_of_scu” – Defines the number of SCUs that you want to allocate for the NetScaler VPX instance.

Important

If you use the NITRO interface to add or modify a NetScaler VPX instance, make sure that you include these new parameters and remove the “number_of_ssl_cores” parameter from your existing NITRO calls.

Monitoring Crypto Hardware
Using the NITRO interface, you can monitor the status of the crypto hardware. The following fields are now provided in the resource “xen” to monitor the crypto hardware:

  • “acu_total” – The total number of ACUs provided by the NetScaler SDX appliance.
  • “acu_free” – The number of available ACUs that you can allocate to a NetScaler VPX instance.
  • “scu_total” – The total number of SCUs provided by the NetScaler SDX appliance.
  • “scu_free” – The number of available SCUs that you can allocate to a NetScaler VPX instance.

Note

Make sure that the new fields are read in the response to the GET request used to check the hardware resource status of the NetScaler SDX appliance.
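
The following Python sketch is an added example, not code from the product documentation. It shows how an automation script can migrate an existing “ns” payload for an add request: it reads the free capacity from a GET response for “xen”, enforces the multiples-of-1000 rule, and drops “number_of_ssl_cores”. The response envelope, the string-typed values, and the instance name are constructed assumptions; only the field names come from this topic.

```python
import json

CRYPTO_STEP = 1000  # this topic requires ACUs and SCUs in multiples of 1000

# Constructed sample of a GET response for the "xen" resource. The envelope
# shape and string-typed numbers are assumptions; the four crypto field names
# are the ones listed in this topic.
SAMPLE_XEN_RESPONSE = json.dumps({
    "errorcode": 0,
    "xen": [{"acu_total": "20000", "acu_free": "8000",
             "scu_total": "30000", "scu_free": "5000"}],
})


def free_crypto_capacity(xen_response_text):
    """Return (acu_free, scu_free) from a GET response for resource "xen"."""
    host = json.loads(xen_response_text)["xen"][0]
    missing = [k for k in ("acu_total", "acu_free", "scu_total", "scu_free")
               if k not in host]
    if missing:
        # Fail loudly instead of silently treating capacity as zero.
        raise KeyError("xen response lacks crypto fields: " + ", ".join(missing))
    return int(host["acu_free"]), int(host["scu_free"])


def build_ns_payload(existing, acu, scu, xen_response_text):
    """Return an "ns" payload for adding an instance with ACU/SCU allocation."""
    for label, value in (("number_of_acu", acu), ("number_of_scu", scu)):
        if value < 0 or value % CRYPTO_STEP:
            raise ValueError("%s must be a multiple of %d" % (label, CRYPTO_STEP))
    acu_free, scu_free = free_crypto_capacity(xen_response_text)
    if acu > acu_free or scu > scu_free:
        raise ValueError("requested %d ACU / %d SCU, only %d / %d free"
                         % (acu, scu, acu_free, scu_free))
    payload = dict(existing)                  # leave the caller's dict untouched
    payload.pop("number_of_ssl_cores", None)  # this topic says to remove it
    payload["number_of_acu"] = acu
    payload["number_of_scu"] = scu
    return {"ns": payload}


if __name__ == "__main__":
    legacy = {"name": "vpx-example", "number_of_ssl_cores": 2}  # constructed
    print(json.dumps(build_ns_payload(legacy, 4000, 2000, SAMPLE_XEN_RESPONSE)))
```

Rejecting an over-sized or misaligned request before it is sent keeps a provisioning script from leaving a VPX instance without the SSL hardware capacity it was meant to have.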