Managing Crypto Capacity

Jun 24, 2018

Starting with release 12.0 57.19, the interface to manage crypto capacity has changed. With the new interface, the Management Service provides asymmetric crypto units (ACUs), symmetric crypto units (SCUs), and crypto virtual interfaces to represent SSL capacity on the NetScaler SDX appliance. Earlier, crypto capacity was assigned in units of SSL chips, SSL cores, and SSL virtual functions. See the Legacy SSL chips to ACU/SCU conversion table for more information about how legacy SSL chips translate into ACU and SCU units.

By using the Management Service GUI, you can allocate crypto capacity to the NetScaler VPX instance in units of ACU and SCU. 

The following table briefly describes ACUs, SCUs, and crypto virtual interfaces.

| New crypto units | Description |
|---|---|
| Asymmetric crypto unit (ACU) | 1 ACU = 1 operation per second (ops) of RSA 2K (2048-bit key size) decryption. For further details, refer to the ACU to PKE resource conversion table. |
| Symmetric crypto unit (SCU) | 1 SCU = 1 Mbps of AES-128-CBC + SHA256-HMAC @ 1024B. This definition is applicable for all SDX platforms. |
| Crypto virtual interfaces | Also known as virtual functions, crypto virtual interfaces represent the basic unit of the SSL hardware. After these interfaces are exhausted, the SSL hardware cannot be further assigned to a NetScaler VPX instance. Crypto virtual interfaces are read-only entities, and the NetScaler SDX appliance automatically allocates these entities. |

View Crypto Capacity of the SDX Appliance

You can view the crypto capacity of the SDX appliance in the dashboard of the NetScaler SDX GUI. The dashboard displays the used and available ACUs, SCUs, and virtual interfaces on the NetScaler SDX appliance. To view the crypto capacity, navigate to Dashboard > Crypto Capacity.

Allocate Crypto Capacity While Provisioning the NetScaler VPX Instance

While provisioning a NetScaler VPX instance on NetScaler SDX, under Crypto Allocation, you can allocate the number of ACUs and SCUs for the NetScaler VPX instance. For instructions to provision a NetScaler VPX instance, see Provisioning NetScaler Instances.

To allocate crypto capacity while provisioning a NetScaler VPX instance, follow these steps.

1. Log on to the Management Service.

2. Navigate to Configuration > NetScaler > Instances, and click Add. 

3. Under Crypto Allocation, you can view the available ACUs, SCUs, and crypto virtual interfaces. The way to allocate ACUs and SCUs differs depending on the SDX appliance:

a. For the appliances listed in the Minimum value of an ACU counter available for different SDX appliances table, you can assign ACUs in multiples of a specified number. SCUs are automatically allocated, and the SCU allocation field is not editable. You can increase the ACU allocation in multiples of the minimum ACU value available for that model. For example, if the minimum ACU value is 4375, the subsequent ACU increments are 8750, 13125, and so on.

Example. Crypto allocation where SCUs are automatically assigned and ACUs are assigned in multiples of a specified number.

Table. Minimum value of an ACU counter available for different SDX appliances

| NetScaler SDX platform | ACU counter minimum value |
|---|---|
| 22040, 22060, 22080, 22100, 22120, 24100, 24150 (36 ports) | 2187 |
| 8400, 8600, 8010, 8015; 17500, 19500, 21500; 17550, 19550, 20550, 21550; 11500, 13500, 14500, 16500, 18500, 20500 | 2812 |
| 11515, 11520, 11530, 11540, 11542; 14xxx; 14xxx 40S; 14xxx 40G; 14xxx FIPS; 25xxx; 25xxx A | 4375 |

b. For the rest of the SDX platforms, which are not listed in the Minimum value of an ACU counter available for different SDX appliances table above, you can freely assign ACUs and SCUs. The NetScaler SDX appliance automatically allocates crypto virtual interfaces.

Example. Crypto allocation where both ACUs and SCUs are freely assigned

4. Complete all the steps for provisioning the NetScaler instance, and click Done. For more information, see Provisioning NetScaler Instances.

View Crypto Hardware Health

In Management Service, you can view the health of the crypto hardware provided with the NetScaler SDX. The health of the crypto hardware is represented as Crypto Devices and Crypto Virtual Functions. To view the health of the crypto hardware, navigate to Dashboard > Resources.

Points to Note

Keep the following points in mind when you upgrade the NetScaler SDX appliance to 12.0 57.xx and higher versions.

  • Only the SDX user interface gets upgraded, but the hardware capacity of the appliance remains the same.
  • The crypto allocation mechanism remains the same, and only the representation on the SDX GUI changes.
  • The crypto interface is backward compatible, and it does not affect any existing automation mechanism that uses the NITRO interface to manage the SDX appliance.
  • Upon SDX appliance upgrade, the crypto capacity assigned to the existing VPX instances does not change; only its representation on Management Service changes.

Table: ACU to PKE resource conversion

| NetScaler SDX platform | ACU | RSA-RSA1K | RSA-RSA2K | RSA-RSA4K | ECDHE-RSA | ECDHE-ECDSA |
|---|---|---|---|---|---|---|
| 22040, 22060, 22080, 22100, 22120, 24100, 24150 (36 ports) | 2187 | 12497 | 2187 | 312 | 256 | 190 |
| 8400, 8600, 8010, 8015 | 2812 | 17000 | 2812 | 424 | 330 | N/A |
| 11515, 11520, 11530, 11540, 11542 | 4375 | 25000 | 4375 | 625 | 512 | 381 |
| 22040, 22060, 22080, 22100, 22120 (24 ports) | 4375 | 25000 | 4375 | 625 | 512 | 381 |
| 17500, 19500, 21500 | 2812 | 17000 | 2812 | 424 | 330 | N/A |
| 17550, 19550, 20550, 21550 | 2812 | 17000 | 2812 | 424 | 330 | N/A |
| 11500, 13500, 14500, 16500, 18500, 20500 | 2812 | 17000 | 2812 | 424 | 330 | N/A |
| 14xxx, 14xxx 40G, 25xxx, 25xxx A | 4375 | 25000 | 4375 | 625 | 512 | 381 |
| 14xxx FIPS | 4375 | 25000 | 4375 | 625 | 512 | 381 |
| 14xxx 40S | 4375 | 25000 | 4375 | 625 | 512 | 381 |
| *89xx | 1000 | 4615 | 1000 | 136 | 397 | 4949 |
| *26xxx | 1000 | 4615 | 1000 | 136 | 397 | 4949 |
| *15000 50G | 1000 | 4615 | 1000 | 136 | 397 | 4949 |

* On these platforms the PKE numbers are minimum guaranteed values.

How to read the ACU to PKE resource conversion table

The ACU to PKE resource conversion table is based on the following points:

  • Management Service helps allocate crypto resources to each individual VPX instance. Management Service cannot allocate or promise performance.
  • Actual performance varies depending on packet size, the cipher/Keyex/HMAC (or their variations) used, and so on.

The following example helps you understand how to read and apply the ACU to PKE resource conversion table.

Example: ACU to PKE resource conversion for the SDX 22040 platform

Allocation of 2187 ACUs to a NetScaler VPX instance on an SDX 22040 platform allocates crypto resources equivalent to 256 ECDHE-RSA operations, or 2187 RSA-2K operations, and so on.

Table: Legacy SSL chips to ACU/SCU conversion

| NetScaler SDX platform | Before upgrade: Total SSL chips (as seen from Management Service, before upgrade) | After upgrade: Total ACU | After upgrade: Total SCU | After upgrade: ACU/SCU equivalent to one SSL chip (multiplier used for allocation) |
|---|---|---|---|---|
| 22040, 22060, 22080, 22100, 22120 (24 ports) | 128 | 560000 | 448000 | 4375/3500 |
| 22040, 22060, 22080, 22100, 22120, 24100, 24150 (36 ports) | 64 | 139968 | 112000 | 2187/1750 |
| 14xxx 40S | 64 | 280000 | 224000 | 4375/3500 |
| 17550, 19550, 20550, 21550 | 36 | 101232 | 90000 | 2812/2500 |
| 14xxx, 14xxx 40G, 25xxx, 25xxx A | 32 | 140000 | 112000 | 4375/3500 |
| 11515, 11520, 11530, 11540, 11542 | 16 | 70000 | 56000 | 4375/3500 |
| 17500, 19500, 21500 | 16 | 44992 | 40000 | 2812/2500 |
| 11500, 13500, 14500, 16500, 18500, 20500 | 16 | 44992 | 40000 | 2812/2500 |
| 14xxx FIPS | 8 | 35000 | 28000 | 4375/3500 |
| 8400, 8600, 8010, 8015 | 4 | 11248 | 10000 | 2812/2500 |
| *89xx | N/A | 39000 | 41000 | N/A |
| *26xxx | N/A | 39000 | 41000 | N/A |
| *15000 50G | N/A | 39000 | 41000 | N/A |

* These platforms don’t have any legacy crypto interface.
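
The sizing arithmetic implied by the ACU counter minimum, the ACU to PKE resource conversion table, and the Total ACU column above, as an added example that is not part of the product or its documentation. The names `PLATFORMS`, `plan_acus`, and `is_valid_allocation` are hypothetical, and the calculation assumes that capacity scales linearly with the number of ACU multiples and is shared proportionally between key-exchange types; it gives a resource estimate, not a performance guarantee.

```python
import math
from fractions import Fraction

# Three rows copied from the page's tables, keyed by the first model in each
# platform group (the keys themselves are labels chosen for this example).
# step      = ACU counter minimum value (allocation granularity)
# total_acu = Total ACU from the legacy SSL chips to ACU/SCU table
# ops       = PKE operations per second represented by one step of ACUs
PLATFORMS = {
    "22040 (36 ports)": {"step": 2187, "total_acu": 139968, "ops": {
        "RSA-RSA1K": 12497, "RSA-RSA2K": 2187, "RSA-RSA4K": 312,
        "ECDHE-RSA": 256, "ECDHE-ECDSA": 190}},
    "8400": {"step": 2812, "total_acu": 11248, "ops": {
        "RSA-RSA1K": 17000, "RSA-RSA2K": 2812, "RSA-RSA4K": 424,
        "ECDHE-RSA": 330, "ECDHE-ECDSA": None}},  # None = N/A in the table
    "11515": {"step": 4375, "total_acu": 70000, "ops": {
        "RSA-RSA1K": 25000, "RSA-RSA2K": 4375, "RSA-RSA4K": 625,
        "ECDHE-RSA": 512, "ECDHE-ECDSA": 381}},
}

def is_valid_allocation(platform, acus):
    """True if acus is a positive multiple of the platform's ACU minimum
    and does not exceed the appliance's total ACU capacity."""
    row = PLATFORMS[platform]
    return 0 < acus <= row["total_acu"] and acus % row["step"] == 0

def plan_acus(platform, target_ops):
    """Smallest valid ACU allocation covering target_ops, a dict mapping a
    key-exchange column name to the required operations per second.
    Assumption: capacity scales linearly with the number of steps and is
    shared proportionally between key-exchange types."""
    row = PLATFORMS[platform]
    load = Fraction(0)
    for kx, need in target_ops.items():
        per_step = row["ops"].get(kx)
        if per_step is None:
            raise ValueError(f"{kx} is N/A or unknown on {platform}")
        load += Fraction(need, per_step)  # fraction of one step consumed
    acus = max(1, math.ceil(load)) * row["step"]
    if not is_valid_allocation(platform, acus):
        raise ValueError(f"{acus} ACUs exceeds {row['total_acu']} on {platform}")
    return acus

if __name__ == "__main__":
    # Constructed workload: 500 ECDHE-RSA handshakes per second.
    print(plan_acus("22040 (36 ports)", {"ECDHE-RSA": 500}))
```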