Guys, here is a summary of the volume testing I performed. I hope it is useful.
Volume Testing
------ -------

Test System
-----------

AMD Athlon 6 1.1GHz PC
SuSE 8.0 GNU/Linux OS
OpenCA (v0.9.1-1) CA and RA servers on same machine (but each with a
separate database)
LDAP (OpenLDAP v2.0.23-53) directory
MySQL (v3.23.48-19) database
Apache (v1.3.23)
OpenSSL (v0.9.7 beta3)
Disk used at start of test 2862916 (8% full)
Free space on box at start of test 35699932
CA mail off

Summary
-------

This test was designed to see if OpenCA could cope with managing 10,000
certificates. The certificates were generated using the OpenCA CA batch
processes and two input files (Perl program attached to generate the
input files).

Process            Time (mins)   Notes
-------            -----------   -------
Edit config        2             Edit user generation program to generate
                                 10,000 records.
Gen start files    0.05          Generate user files (two files;
                                 batch_new_user.txt and batch_acl.txt).
                                 The next step is to tar the files (one at
                                 a time) and put them in the import
                                 directory.
Import new users   2             CA batch process. Now tar the
                                 batch_acl.txt file and put it in the
                                 import directory.
Import perms       2             CA batch process to import user
                                 permissions.
Create PINs        19            CA batch process.
Export PINs        39            CA batch process.
Gen key pairs      43            CA batch process.
Generate requests  62            CA batch process. The good news here is
                                 that it did not run out of request serial
                                 numbers. Disk used 3080444 (8%).
Approve requests   69            CA batch process.
Issue certs        600           The issuing rate started at 30 certs per
                                 minute. 1900 certificates issued in 1.5
                                 hours. The issuing rate went down to 17
                                 certs per minute. The ca command (the
                                 command doing the work) is using 30% CPU
                                 time on the box, idle time is running at
                                 about 1%. We must remember this box is
                                 also running X and Netscape. In order to
                                 speed up the process I periodically
                                 stopped the process from the browser and
                                 started it again; this was possible as
                                 the certs are signed sequentially.
Export to RA       90 (to fail)  This process failed due to runaway memory
                                 usage and disk thrashing. Michael
                                 modified the export-import.lib and it
                                 worked a lot better. The processes still
                                 failed when the browser lost its
                                 connection to the web server (this
                                 happened twice after a similar amount of
                                 time, so it was not a one-off). I found
                                 that the export directory structure had
                                 been generated, but the log file had not
                                 been updated, and no certs had been
                                 archived. I manually tar'ed the "enroll"
                                 directory.
Import to RA       30            This worked, but obviously the tar file
                                 did not have all of the normal data
                                 populated.
Import to LDAP     47            Disk used (remember this is for CA, RA
                                 and LDAP) = 4650244 (13%)

Performance Summary
----------- -------

Search for a certificate using the Public interface and the "Search"
function = 2 seconds.

Search for a certificate using "gq" LDAP client = 8 seconds.

Export from RA after generating another single certificate request = 1
second (this worked fine just as normal).

General
-------

In general OpenCA performed well in these tests. The batch processes did
their jobs and the generation of 10,000 certificates was not too much of
a problem!

The major area of concern for me is the "Export" function. It is obvious
that at high certificate volumes (although I would not call this test a
high volume!) the export function fails. I am a bit worried about the
parsing of the log files (so that only certificates that have not yet
been exported to each RA are exported). In this case the log file
contains 10,000 entries, 1 to 10,000. If I add one more certificate
request, then the whole file is parsed to see which files need to be
exported (i.e. if they are missing from this list). This takes a long
time and I am not convinced it is scalable. I may be wrong on this, and
the manipulation of the file I had to do because of the failures I
experienced is what is causing the problems.

The next area of concern is the Issue certs batch process. It took 10
hours to sign and issue the 10,000 certificates. I suppose it all depends
on how the PKI is going to be used in real life. I would suggest that
this is not too much of a problem at the moment, as it would be very rare
to issue 10,000 certificates in one go!

I hope this is seen as a useful piece of work and indicates some pointers
for further analysis.

Chris...
genUsers
Description: Perl program
