An ongoing discussion about SAP infrastructure

IBM Power Systems compared to x86 for SAP landscapes

It seems like every other day, someone asks me to help them justify why a customer should select IBM Power Systems over x86 alternatives for new or existing SAP customers. Here is a short summary of the key attributes that most customers require and the reasons why Power Systems excels or conversely, where x86 systems fall short.

TCO – Total Cost of Ownership is usually at the top of everyone’s list. Often this is confused with TCA or Total Cost of Acquisition. TCA can be very important for some individuals within customer organizations, especially when those individuals are only responsible for capital acquisition costs and not operational costs such as maintenance, power, cooling, floor space, personnel, software and other assorted costs. TCA can also be important when only capital budgets are restricted. For most customers, however, TCO is far more important. Some evaluators compare systems, one for one. While this might seem to make sense, would it be reasonable to compare a pickup truck and an 18-wheeler semi? Obviously not, so, to do a fair job of comparing TCO, a company must look at all aspects, purposes and effects of different choices. For instance, with IBM Power Systems, customers routinely utilize PowerVM, the IBM Power virtualization technology, to combine many different workloads including ERP, CRM, BW, EP, SCM, SRM and other production database and application servers, high availability servers, backup/recovery servers and non-production servers onto a single, small set of servers. While some of this is possible with x86 virtualization technologies, it is rarely done, partly due to “best practices” separation of workloads and also due to support restrictions by some software products, such as Oracle database, when used in a virtualized x86 environment. This typically results in a requirement for many more servers. Likewise, many Power Systems customers routinely drive their utilization to 80% or higher, where the best of x86 virtualization customers rarely drive to even 50% utilization. Taken together, it is very common to see 2 or 3 times the number of systems for x86 customers than for equivalently sized Power Systems customers and I provided only two reasons of the many frequently experienced by SAP customers. So, where an individual Power System might be slightly higher in cost than the equivalent x86 server, full SAP landscapes on Power Systems often require far fewer systems. Between a potentially lower cost of acquisition and the associated lower cost of management, less power, cooling, floor space and often lower cost of third party software, customers can see a significantly lower TCO with IBM Power Systems.

For customers which are approaching the limits on their data centers, either in terms of floor space, power or cooling, x86 horizontal proliferation may drive the need for data center expansion that could cost into the many millions of dollars. Power Systems may help customers to achieve radically higher levels of consolidation through its far more advanced virtualization and much higher scalability thereby potentially avoiding the need for that data center expansion. The savings, in this event, would make the other savings seem trivial by comparison.

Reliability – A system which is low cost but suffers relatively high numbers of outages may not be the best option for mission critical systems such as SAP. IBM Power Systems feature an impressive array of reliability technologies that are not available on any x86 system. This starts with failure detection circuitry which is built into the entire system including the processor chips and is called First Failure Data Capture (FFDC). FFDC has been offered and improved upon since the mid-90’s for Power Systems and its predecessors. This unique technology captures soft and hard errors from within the hardware allowing the service processor, standard with every system, to predict failures which could impact application availability and take preventive action such as dynamically deallocating components from adapter cards to memory and cache lines and even processor cores. Intel, starting with Nehalem-EX, offers Machine Check Architecture Recovery (MCA), their first version of a similar concept. As a first version, it is doubtful that it can approach the much more mature FFDC technology from IBM. Even more important is the “architecture” which, once errors are detected, passes that information, not to a service processor, but to the Operating System or Virtualization Manager with the “option” for that software to fix the problem in the hardware. This is like your car telling you that your braking system has a problem. Even if you have the mechanical ability to run advanced diagnostics, remove and replace parts, bleed the system, etc., this would involve a significant outage and most certainly could not be done on the fly. Likewise, it is extremely doubtful that Microsoft, for instance, is going to invest in software to fix a problem in an Intel processor especially since this area is likely going to change and only addresses one potential area of reliability. Furthermore, does Microsoft actually want to take on responsibility for hardware reliability? This is just one example, of many, that affect uptime, but without which SAP systems can be exposed.

Equally important is what happens if a problem does occur. Unless you are very lucky, you have experienced the Blue Screen of Death at least one or a hundred times in your past. This is one of those wonderful things that can occur when you don’t have a comprehensive reliability architecture such as that with IBM Power Systems. With x86 systems, essentially, the OS reports that a problem has occurred which could be related to the CPU, system hardware, OS, device driver, firmware, memory, application software, adapter cards, etc. and that your best course of action is to remove the last thing you installed and reboot your system. When you call your system vendor, they might suggest that you contact your OS vendor which might suggest you contact your virtualization vendor which might suggest the problem lies in your BIOS and on and on. Who takes responsibility and ownership and drives the problem to resolution? With IBM Power Systems, IBM develops and supports its own CPU, firmware, system hardware, virtualization, device drivers, OS (assuming AIX or i for Business), memory controllers and buffer chips and has a comprehensive set of rules and detection circuitry for third party hardware and software. This means that in the very rare event of an intermittent or hard to identify error occurs, which is not detected and corrected automatically, IBM takes ownership and resolves the problem unless it is determined that a third party piece of hardware or software caused the problem. In that case, IBM works diligently with its partners to resolve which includes IBM personnel that work on site at many of their partner locations such as Oracle and SAP.

Security – Often an afterthought, but potentially an extremely expensive one, should be carefully considered. PowerVM has never been successfully hacked as noted at AIX has approximately 0% of Critical and High Vulnerabilities and 2% of all OS vulnerabilities compared with 73% and 27% for Microsoft, respectively and 16% and 31% for Linux respectively. X-Force report – Mid-year 2010 . A successful hack could result in just a personnel inconvenience for the IT staff, the loss of systems and/or in a worst case scenario, the theft of proprietary and/or personal data. SAP systems usually hold the crown jewels of an enterprise customer and should be among the best protected of any customer systems.

Bottom line – Where individual x86 systems may have a lower price tag than the equivalent Power System, full SAP landscapes will often require far fewer systems with Power Systems resulting in a lower TCO. Add to that much better reliability, fault detection, comprehensive problem resolution and ownership and rock solid security and the case for IBM Power Systems for SAP landscapes is pretty overwhelming.


August 15, 2011 - Posted by | Uncategorized | , , , , , , , , , , , , , , , , , , , ,


  1. This is a very usefull document !

    Right now, in Lala Group, we’re avaluating the possibility to replace an HP superdome by any other solution. In terms of “Price” (TCA) the option is crystal clear (x86/blades/linux, etc.), but in holiistic vision, the GAP are dramatic. Aditional to this, the Lala’momentum is not “ok” to take any Risk at all. We continue working hard, in order to “find out” the best option for our company. We need a Trusted Advisor for that !!!

    Adrian Casillas
    SAP Architect Team Leader
    Grupo Lala

    Comment by Adrian Casillas | March 27, 2012 | Reply

  2. Good points except one: security. I think that this is an issue with market share & hacker focus. Apple used to say their Mac’s were practically immune to malware. In fact, the Mac’s were quite vulnerable & their market share was so small hackers didn’t care about them. Over the years, they became popular & now we have Mac botnets popping up. Now, Apple is pretending it didn’t make those claims & beefing up security of their Macs.

    So, now we have IBM’s security group saying they haven’t been hacked or had any critical vulnerabilities. I must ask, “Which high profile ‘breakers’ or skilled malware developers are targeting IBM PowerVM or AIX?” The answer is few, maybe none. Major offense on virtualization is focused on VMware & Xen, mostly. Most OS attacks focus on the mainstream desktop/server OS’s or smartphone OS’s. IBM’s POWER platform isn’t getting much negative press because most qualified attackers just don’t care about it. Let it start getting dominant or profitable for attackers/researchers, then we’ll see how much better [or worse] its security is.

    Note: Just like with using Mac’s, people using IBM’s offerings will get the security benefit of not being hit by the widespread, hypervisor- or system-attacks involving code injection. This is a benefit. However, you can get the same benefit by running Enterprise Linux on POWER or other non-x86 architecture.

    Comment by Nick P | September 2, 2012 | Reply

    • Nick, You raise a good point. Two years ago, KVM had 22 vulnerabilities, now it has 46, XEN had 61, now it has 98. As the use of each of those environments has increased, there seems to be a corresponding increase in vulnerabilities found. By the same token, eight years ago, PowerVM had 0 vulnerabilities and today it still has 0. Some hackers are targeting desktop users to steal credit card and bank account information or to use their systems as slaves, etc.. But we have also heard of large scale attacks by criminal gangs and organized crime targeting corporate data in order to steal credit card, social security and bank account data on a large scale. That data is found much more often on systems like Power than on systems utilizing x86 based virtualization. It is notable that despite a virtual treasure trove of such data, no one has figured out how to break into PowerVM. As mentioned in the blog, it is incredibly hard to do so as the hypervisor is built into the hardware and firmware as opposed to a software layer on top of the hardware. PowerVM I/O virtualization is separated into one or more different partitions, Virtual I/O Server (VIOS), so denial of service and other related overloading of network port attacks can only affect the VIO Server, not the hypervisor. The PowerVM hypervisor is also locked down and digitally signed. No company, other than IBM, knows the key or method of encryption, so no company, other than IBM, can create or update the hypervisor.

      Comment by Alfred Freudenberger | September 10, 2012 | Reply

      • I appreciate your response. It’s certainly designed well. IBM has a history of doing critical software/hardware projects with low defect rates. That said, the apparent lack of success for targeting POWER systems doesn’t prove much (ironically) for the general case. The hypervisor would seem to mostly protect systems at the OS level, plus resource exhaustion attacks. Most of the successful attacks against corporate and defense companies in past few years targeted their desktops & applications (server- or client-side). The data could have been hosted on a POWER, x86 or 386 (a bit slow haha). The “trusted” (read: privileged & untrustworthy) applications accessing that data were usually not so protected & were easily subverted.

        Meaning the majority of attackers don’t need to know how to break the power VM. They just need to know how to do a temporary subversion of a desktop, app server, or OS instance to reap benefits. Server-side APT’s are still possible if the OS instances aren’t discarded and clean-slated often (maybe due to mission-critical nature).

        The true value of a solid (and obscure) solution like PowerVM is as a foundation. Anyone who believes their virtualization layer isn’t going to be compromised can run the security-critical stuff side-by-side with the others. These might include monitoring systems, periodic “restore to clean slate” functions, authentication systems, etc. The MILS architectures are already aiming at something like this at a fine-grained level. Good server-side virtualization can do it at a coarse grained level. There might also be performance benefit from locality if security-critical actions can be performed without network overhead. Additionally, combining thin clients with carefully managed (POWER-vm-hosted) OS’s should be less risky than doing the same on mainstream x86 virtualization.

        So, there certainly might be security benefits. I still think most of them come from the fact that people rarely need to target POWER or PowerVM to steal secrets, make money, etc. Plenty of that in the x86 world. Additionally, they get a better ROI if they target x86 apps: one malicious investment just keeps paying and paying and (3 months in still not patched?) paying. 😉

        I still wish good luck to the POWER, System i & System Z teams. They make great stuff and keep Wintel on their toes. Good for many business use cases, whether “technically” more secure or not. I’m a big fan of diversity in ISA’s & OS’s as much as applications. Makes attackers’ job harder & all of us safer.

        Comment by Nick P | September 11, 2012

  3. […] and small SAP environments while offering outstanding, mission critical reliability.  As noted in, IBM does this while maintaining a similar or lower TCO when all production, HA and non-production […]

    Pingback by SAP performance report sponsored by HP, Intel and VMware shows startling results « SAPonPower | October 23, 2012 | Reply

  4. Excellent information – Thank you!

    Comment by Ralph Chuchul | October 23, 2012 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: