[gpfsug-discuss] Support for TLS 1.3 to work with SKLM

Wahl, Edward ewahl at osc.edu
Wed May 24 17:31:06 BST 2023 

Do not forget, There ARE some limitations to using encryption with GPFS.
Example: Using GPFS encryption means you lose the ability to put small files into the inode space (a HUGE speed increase normally) and HAWC (highly available write cache) and I thought LROC, but I could be wrong about that last one as it’s been a while since I read about that.

Scale still uses a primary/backup method for encryption access which I dislike. I would LOVE if it had options such as round robin or other method (random,etc). And their “hey, just change up the order in the config file on your nodes” isn’t simple at Scale if you use methods like NFS root or other stateless setups for moderate to large numbers of compute clients.

And lastly I REALLY REALLY REALLY hate that SKLM has dumped their command line for REST only access, and is also switching from PVUs to a capacity based-style license.

Just my .02

Ed Wahl
Ohio Supercomputer Center

From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> On Behalf Of Alec
Sent: Tuesday, May 23, 2023 6:54 PM
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Subject: Re: [gpfsug-discuss] Support for TLS 1.3 to work with SKLM

I'm not sure what it costs. . but I can say for sure that if it's properly leveraged the money it saves on hardware can be exceptional. I don't know how to put a value on a technology that has remained the best solution for so long. . . 

I'm not sure what it costs.. but I can say for sure that if it's properly leveraged the money it saves on hardware can be exceptional.

I don't know how to put a value on a technology that has remained the best solution for so long... We haven't had to reengineer anything to remain top dog on so many metrics (availability, throughput, enterprise standards, backups, failover, etc....)

So don't think about the line item cost think of the cost per user, gb, Gbps, whatever makes you happy to pay it.

。⁠◕⁠‿⁠◕⁠。

Alec


On Tue, May 23, 2023, 5:29 PM Ryan Novosielski <novosirj at rutgers.edu<mailto:novosirj at rutgers.edu>> wrote:
We looked into it, but couldn’t afford the licenses. As it stands now, our “standard” licenses (or the Lenovo equivalent — data management, or data access? I forget) are apparently about to double in price. Glad to hear that if something changed in that area, it works well.

On May 23, 2023, at 17:23, Alec <anacreo at gmail.com<mailto:anacreo at gmail.com>> wrote:

For those who don't use GPFS encryption.  I can say the GPFS version is fantastic.  Our write performance was nominally faster due to the compression of encryption I suppose. But it works flawlessly and at speed.

Alec

On Tue, May 23, 2023, 4:51 PM Ryan Novosielski <novosirj at rutgers.edu<mailto:novosirj at rutgers.edu>> wrote:
Thanks!

We don’t use encryption, which is I suppose why I was unfamiliar. Happy to vote for it though.

On May 23, 2023, at 16:31, Alec <anacreo at gmail.com<mailto:anacreo at gmail.com>> wrote:

For GPFS encryption we use an IBM SKLM (Key Server) and it uses SSL certificates for that communication.  The SKLM server needs to provide / use TLS 1.3 SSL to pass our security standards but GPFS doesn't state it will support that.

Alec

On Tue, May 23, 2023, 3:25 PM Ryan Novosielski <novosirj at rutgers.edu<mailto:novosirj at rutgers.edu>> wrote:
There’s very little detail there. Can you elaborate on what this is actually for/where it is used in GPFS?

--
#BlackLivesMatter
____
|| \\UTGERS<file://UTGERS>,    |---------------------------*O*---------------------------
||_// the State  |         Ryan Novosielski - novosirj at rutgers.edu<mailto:novosirj at rutgers.edu>
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
||  \\    of NJ  | Office of Advanced Research Computing - MSB A555B, Newark
     `'


On May 22, 2023, at 23:16, Alec <anacreo at gmail.com<mailto:anacreo at gmail.com>> wrote:

Hello we are being asked to support TLS 1.3 in our configuration.

Can I ask that folks upvote this RFE to help get it addressed?


https://ibm-sys-storage.ideas.ibm.com/ideas/GPFS-I-964<https://urldefense.com/v3/__https:/ibm-sys-storage.ideas.ibm.com/ideas/GPFS-I-964__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qykqE9yF$>

Alec
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qyBaV9Oo$>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qzm_kxZc$>

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qyBaV9Oo$>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qzm_kxZc$>
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qyBaV9Oo$>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qzm_kxZc$>

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qyBaV9Oo$>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qzm_kxZc$>
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9q2EjJXiF$>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qzm_kxZc$>

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9q2EjJXiF$>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<https://urldefense.com/v3/__http:/gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org__;!!KGKeukY!x8bxEo80KREwZ-romjUkrVzIa1VlCs95LFHFkRywpDUB9a3SeuVe6-vfEZHdv1WIX6z9qzm_kxZc$>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20230524/d4e6d825/attachment-0001.htm>

More information about the gpfsug-discuss mailing list