Quality of Service
CTE-LDT runs in real time, while users actively interact with applications. This could impact performance. However, CTE-LDT is designed to not adversely affect application or system performance.
Purpose of QoS
Quality of Service (QoS) provides tools for an administrator to minimize the effect of CTE-LDT on system and application performance. It provides a set of parameters that administrators can set to control CTE-LDT use of system resources, primarily CPU and I/O bandwidth. When the QoS parameters are set appropriately, CTE-LDT stays within the defined boundaries to ensure that critical user applications are not adversely affected by CTE-LDT operations.
Manage CTE-LDT Impact
Administrators can pause or resume CTE-LDT operations to manage and control CTE-LDT impact to application workload. When data transformation occurs, either during initial or subsequent transformations, it requires substantial host CPU and I/O resources. This can cause contention for resources between the applications simultaneously running on the protected host. The administrator specifies QoS settings on each host, or at a host group level, that is using CTE-LDT. When CTE-LDT is running, QoS monitors CPU or rekey/scan rate on the host and enforces the QoS settings. QoS can also monitor and enforce an administrator imposed limit on the volume of data undergoing rekey per second. The QoS settings enable you to strike a balance between completing an CTE-LDT process and not interfering with host application performance.
Monitor and Control CPU Usage
QoS monitors and controls the use of host system resources during CTE-LDT, specifically, CPU usage and rekey/scan rate.
You can control CPU usage or rekey/scan I/O rate, but not both. The CPU usage and rekey/scan I/O rate options are mutually exclusive.
Monitor and Control Rekey/Scan I/O Rate
You can choose Rekey I/O Rate as a threshold to control the CTE-LDT processing rate. When this threshold is entered, the Quality of Service continuously monitors CTE-LDT transformation and enforces the specified amount of data during:
-
Rekeying: CTE-LDT is transforming the data on active GuardPoints based on the new key version.
-
Scanning: CTE-LDT is analyzing files in GuardPoints. Scanning occurs:
-
Before initial transformation (Linux only)
-
Before a rekey (Linux only)
-
Following an interrupted rekey, such as a reboot on Linux or Windows, and also a directory rename or directory deletion on Windows
-
You can set the Rekey I/O Rate or CPU Threshold for multiple clients through the QoS Settings section in a CipherTrust Manager client profile. All clients associated with a given client profile will use the QoS thresholds set in that profile unless the thresholds are overridden locally on the individual client. (The default setting for Rekey I/O Rate in the client profile is 0 (zero), which means QoS will run full throttle.)
To set the QoS thresholds locally on a particular client, use the voradmin ldt ior and <iorate>
command on that client. When you do so, the voradamin
setting overrides the Rekey I/O Rate or CPU Threshold set in the CipherTrust Manager client profile. If QoS was already set locally on this client and you use voradmin
to set the Rekey I/O Rate, CTE-LDT ignores any CPU threshold previously set.
To resume using the client profile QoS values for a client, use voradmin ldt ior 0
to set the Rekey I/O Rate to 0 (zero). When you do so, CTE returns to using the Quality of Service settings in the client profile.
A tolerance level is associated with the Rekey I/O Rate. Together, the tolerance and Rekey I/O Rate specify a range for the CTE-LDT processing rate. The Quality of Service selects a proper tolerance for a Rekey I/O Rate provided through the voradmin
command, and maintains the CTE-LDT processing rate at the specified Rekey I/O Rate plus or minus the tolerance. The tolerance is selected as follows:
-
When the Rekey I/O Rate is less than or equal to 10MB/sec, the tolerance is 3MB/sec.
-
When the Rekey I/O Rate is greater than 10MB/sec. and less than 50MB/sec, the tolerance is 4MB/sec.
-
When the Rekey I/O Rate is at 50MB/sec or higher, the tolerance is 10% of the specified Rekey I/O Rate.
To set or reset Rekey I/O Rate on a single host, use the voradmin
command as follows:
-
To set the threshold of 50 MB/sec., use the following command:
voradmin ldt ior 50
-
To reset the current threshold:
voradmin ldt ior 0
For more information about setting the Rekey I/O Rate using voradmin
, see Select and Set Rekey I/O Rate.
QoS Scheduling During Backup/Restore
QoS scheduling plays an important role when backing up/restoring data without the Apply Key rule applied to the backup/restore process. During backup/restore, you must pause CTE-LDT operations before taking backups. QoS scheduling allows the administrator to enter the schedule for QoS aligned with the backup schedule, and pause the CTE-LDT processes for the duration of the backup. The schedule specifies which days of the week, and what times of day, CTE-LDT is permitted to run. CTE-LDT cannot run at any time that is not permitted by the QoS schedule. QoS suspends CTE-LDT operations at all times outside of the schedule.
When setting a QoS schedule, consider your system and application peak demand periods during the day and week. Also consider your schedule for data backups. Schedule CTE-LDT to pause when you need all available system resources for other tasks, such as meeting peak user demand or performing data backups.
On Windows, if your backup applications are using VSS, then you do not need to pause CTE-LDT on Windows.