Some installations use an nCipher card to offload the processing of SSL from the main processors. The following section explains how to set up this type of configuration.
Although nCipher cards can be used for SSL acceleration by offloading SSL operations to the card, their primary purpose is to provide a highly secure keystore vault for SSL keys. The card is also known as a Hardware Security Module (HSM) or the nCipher Key Management System.
Considerations
The number of instances that an nCipher card can handle depends on the card series you have and the number of CPUs.
nCipher has several models of its SSL accelerator and key management cards, each supporting a different maximum number of SSL transactions/second. For example, a 4000-series nCipher SSL accelerator card can handle a maximum of approximately 4000 transactions. Overhead in card operations is likely to reduce the rate of throughput, and multiple PCA instances can also decrease this figure.
In the example above, a single instance on the nCipher 4000-series card has a maximum capacity of approximately 300-400 (1024-bit SSL) transactions/second. This figure varies with the number of PCA instances, typically downward.
CX PCA and nCipher compatibility
The following tables list the nCipher keys that are compatible with Tealeaf CX PCA.
nCipher key | Encryption strength (in bits) | Protocol |
---|---|---|
DES-CBC-SHA | 56-bit | SSL3, TLS1.0 |
RC4-MD5 | 128-bit | SSL3, TLS1.0, TLS1.1, TLS1.2 |
RC4-SHA | 128-bit | SSL3, TLS1.0, TLS1.2 |
AES128-SHA | 128-bit | SSL3, TLS1.0, DTLS1, TLS1.1, TLS1.2 |
AES256-SHA | 256-bit | SSL3, TLS1.0, DTLS1, TLS1.1, TLS1.2 |
DES-CBC3-SHA | 192-bit | SSL3, TLS1.0, DTLS1, TLS1.1, TLS1.2 |
AES128-SHA256 | 128-bit | TLS1.2 |
AES256-SHA256 | 256-bit | TLS1.2 |
AES128-GCM-SHA256 | 128-bit | TLS1.2 |
AES256-GCM-SHA384 | 256-bit | TLS1.2 |