PKI Publishing Queue

From Dogtag

Introduction

Enrollment processing in the profile framework includes certificate publishing. Publishing to an external directory over a congested network slows down issuance (189575), and it can lead to situations in which multiple certificates are issued based on a single certificate request (325612).

Temporary network congestion can be overcome by separating certificate publishing from the enrollment process. Request records have to be updated in the request queue to avoid issuing multiple certificates from a single request and to enable the publishing queue.

Associated Bugs

Issue Tracker:

  • 325612 - Incorrectly Issuing Multiple Certificates from Single Request
  • 189575 - Certificate issuance transaction time performance issue

Bugzilla:

  • 516632 - CA can issue multiple certificates from single certificate request
  • 539604 - CA enrollment process depends on certificate publishing
  • 453834 - Certificate issuance transaction time performance issue
  • 649343 - Publishing queue should recover from CA crash

Enabling publishing queue

By default the publishing queue is disabled. It can be enabled by adding the following line to the ca section of CS.cfg:

ca.publish.queue.enable=true

An enabled publishing queue assumes default parameters equivalent to the following configuration:

ca.publish.queue.enable=true
ca.publish.queue.maxNumberOfThreads=3
ca.publish.queue.pageSize=40
ca.publish.queue.priorityLevel=0
ca.publish.queue.saveStatus=200

The publishing queue can also be enabled using pkiconsole (screenshot: Publishing-queue.png).
Publishing queue will be recovered on CA restart if CS.cfg contains ca.publish.queue.saveStatus=N for N > 0.
See bug #649343 for more details.
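As an added example (not Dogtag's own code), the following Python script parses the ca.publish.queue.* keys from a CS.cfg, applies the defaults listed above when a key is absent, and flags a saveStatus of 0 that would leave the queue unrecoverable after a crash; the sample configuration is constructed.

```python
# Added example (not Dogtag's own code): check the publishing-queue settings
# in a CS.cfg and report the effective values, applying the defaults the page
# documents for an enabled queue. Sample CS.cfg content is constructed inline.

# Defaults the page states are assumed once ca.publish.queue.enable=true.
DEFAULTS = {
    "ca.publish.queue.maxNumberOfThreads": 3,
    "ca.publish.queue.pageSize": 40,
    "ca.publish.queue.priorityLevel": 0,
    "ca.publish.queue.saveStatus": 200,
}

def parse_cs_cfg(text):
    """Parse key=value lines; '#' lines and blanks are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def effective_queue_settings(cfg):
    """Return (effective settings, findings) for the publishing queue."""
    findings = []
    if cfg.get("ca.publish.queue.enable", "false").lower() != "true":
        findings.append("publishing queue disabled: enrollment waits on publishing")
        return {"enable": False}, findings
    settings = {"enable": True}
    for key, default in DEFAULTS.items():
        raw, name = cfg.get(key), key.rsplit(".", 1)[1]
        try:
            settings[name] = default if raw is None else int(raw)
        except ValueError:
            findings.append(f"{key}: non-integer {raw!r}, assuming default {default}")
            settings[name] = default
    if settings["saveStatus"] <= 0:
        findings.append("saveStatus <= 0: queue is not recovered on CA restart (bug 649343)")
    if settings["pageSize"] <= 0 or settings["maxNumberOfThreads"] <= 0:
        findings.append("pageSize and maxNumberOfThreads must be positive")
    return settings, findings

# Constructed sample: only the enable line plus a saveStatus that disables recovery.
SAMPLE_CFG = "ca.publish.queue.enable=true\nca.publish.queue.saveStatus=0\n"

if __name__ == "__main__":
    settings, findings = effective_queue_settings(parse_cs_cfg(SAMPLE_CFG))
    print(settings, *findings, sep="\n")
```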


Testing

Install the external directory on a separate system or VM and emulate network congestion with the following command:

tc qdisc add dev eth0 root netem delay 4000ms 1000ms 25% 

This causes the added delay to be 4000ms ± 1000ms with the next random element depending 25% on the last one.

Multiple Certificates Issued from Single Request

  • Enable LDAP publishing to the external directory with the configured delay.
  • Submit a certificate request that has to be approved by a CA agent.
  • Open two agent pages showing the submitted certificate request.
  • Approve the certificate request simultaneously through both pages.

Publishing Queue

  • Enable LDAP publishing to the external directory with the configured delay.
  • Create an LDAP entry for UID=qqq,OU=People,DC=example,DC=com:
dn: uid=qqq,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: qqq
cn: qq qq
sn: qq
givenName: qq
userPassword: password
  • Make the caIPAserviceCert profile visible.
  • Add admin to the "Registration Manager Agents" group.
  • Submit the following request using "IPA-RA Agent-Authenticated Server Certificate Enrollment" as many times as required to see the publishing queue working.

Screenshots: New-entry.png, Added-entry.png, Added-certificate.png.

Publishing Queue Paging

  • Decrease the page size to 9 and restart the CA:
ca.publish.queue.enable=true
ca.publish.queue.maxNumberOfThreads=3
ca.publish.queue.priorityLevel=0
ca.publish.queue.pageSize=9
  • Follow the steps for Publishing Queue up to the point at which the paging mechanism can be verified.


Testing Improvements

Submitting requests can be automated. This automation should improve the speed at which this feature can be tested.