Product Documentation

Managing Crypto Capacity

Apr 09, 2018

Starting with release 12.0 57.19, the interface to manage crypto capacity has changed. With the new interface, the Management Service provides asymmetric crypto units (ACUs), symmetric crypto units (SCUs), and crypto virtual interfaces to represent SSL capacity on the NetScaler SDX appliance. Crypto virtual interfaces are read-only entities, and the NetScaler SDX appliance automatically allocates these entities. Earlier crypto capacity was assigned in units of SSL chips, SSL cores, and SSL virtual functions.

By using the Management Service GUI, you can allocate crypto capacity to the NetScaler VPX instance in units of ACU and SCU. 

The following table provides a brief description about ACUs, SCUs, and crypto virtual instances.

Crypto Units Description

Asymmetric Crypto Unit (ACU)

1 ACU = 1 operation per second (ops) of a specified algorithm (RSA) 2 K (2048-bit key size) decryption.

Symmetric Crypto Unit (SCU)

1 SCU = 1 Mbps for a specified operation type (cipher + authentication) algorithm (AES-128-CBC + SHA256-HMAC) with 1024 bytes buffer size.

Crypto Virtual Interfaces

Also known as virtual functions, crypto virtual interfaces represent the basic unit of the SSL hardware. After these interfaces are exhausted, the SSL hardware cannot be further assigned to a NetScaler VPX instance.

View Crypto Capacity

You can view the crypto capacity of the SDX appliance in the dashboard of the NetScaler SDX GUI. The dashboard displays the used and available ACUs, SCUs, and virtual interfaces on the NetScaler SDX appliance. To view the crypto capacity, navigate to Dashboard > Crypto Capacity.

localized image

Allocate Crypto Capacity While Provisioning the NetScaler VPX Instance

While provisioning a NetScaler VPX instance on NetScaler SDX, in the Crypto Allocation section, you can allocate the number of ACUs and SCUs for the NetScaler VPX instance. For instructions to provision a NetScaler VPX instance, see Provisioning NetScaler Instances.

To allocate crypto capacity while provisioning a NetScaler VPX instance:

1. Log on to the Management Service.

2. Navigate to Configuration > NetScaler > Instances, and click Add. 

3. In the Crypto Allocation section, you can view the available ACUs, SCU, and crypto virtual interfaces. The way to allocate ACUs and SCUs differs depending on the SDX appliance:

a. For the appliances listed in the following table, you can assign ACUs in multiples of a specified number. SCUs are automatically allocated and the SCU allocation field is not editable. You can increase ACU allocation in the multiples of the minimum ACU available for that model. For example, if minimum ACU is 4375, subsequent ACU increment is 8750, 13125, and so on. 

Example. Crypto allocation where SCUs are automatically assigned and ACUs are assigned in multiples of a specified number.

localized image

Table. Minimum value of an ACU counter available for different SDX appliances

NetScaler SDX platform ACU counter minimum value
  • 22040, 22060, 22080, 22100, 22120, 24100, 24150 (36 ports)

2187

  • 8400, 8600, 8010, 8015
  • 17500, 19500, 21500
  • 17550, 19550, 20550, 21550
  • 11500, 13500, 14500, 16500, 18500, 20500

2812

  • 11515, 11520, 11530, 11540, 11542
  • 14xxx
  • 14xxx 40S
  • 14xxx 40G
  • 14xxx FIPS
  • 25xxx
  • 25xxx A

 

4375

b. For 89xx series appliances, you can freely assign ACUs and SCUs. The NetScaler SDX appliance automatically allocates crypto virtual interfaces.

Example. Crypto allocation where both ACU and SCUs are freely assigned

localized image

4. . Complete all the steps for provisioning the NetScaler instance, and click Done. For more information, see Provisioning NetScaler Instances.

View Crypto Hardware Health

In Management Service, you can view the health of the crypto hardware provided with the NetScaler SDX. The health of the crypto hardware is represented as Crypto Devices and Crypto Virtual Functions. To view the health of the crypto hardware, navigate to Dashboard > Resources.

localized image

Points to Note

Keep in mind the following points if you've upgraded the NetScaler SDX appliance to 12.0 57.xx and higher.

  • Only the SDX user interface gets updated, but the hardware capacity of the appliance remains the same.
  • The crypto allocation mechanism remains the same, and only the representation on SDX GUI changes.
  • Any existing automation that uses NITRO interface to manage the SDX appliance will not break because of the crypto management interface.