Chris,

I just tried to redo the same volume test in our OpenCA PKI for 10,000 certificates. Everything goes fine until approve request. When I go for approve request, the connection was closed by the server after 1000 certificates. Then I changed the server TimeOut time period to large figures and tried again. For a few hours the screen was blank, and after some time it started approving requests with 1001, 1002 etc. (I think it's starting the whole steps from the first request; am I right here?) But again I noticed a different problem from the Apache log (MySQL deadlock problem and can't execute transaction. restart transaction), and the 'ca' script stopped its execution. I don't have any clue what it's reporting. Also, is there any way in which I can stop and restart the approve process from where I stopped last time, since I have been trying this approval step for the last two days :(. I am running this test under RH 7.3, OpenCA version 0.9.1 with MySQL 3.2x.
Any pointers on the problem will be more useful. Thanks.

regards,
venki.

On Tuesday 22 July 2003 19:32, Chris Covell wrote:
> Guys,
>
> here is a summary of the volume testing I performed. I hope it is useful.
>
> Volume Testing
> ------ -------
>
> Test System
> -----------
> AMD Athlon 6 1.1Ghz PC
> SuSE 8.0 GNU/Linux OS
>
> OpenCA (v0.9.1-1)
> CA and RA servers on same machine (but each with a separate data base)
> Ldap (OpenLDAP v2.0.23-53) directory
> MySQL (v3.23.48-19) data base
> Apache (v1.3.23)
> OpenSSL (v0.9.7 beta3)
>
> Disk used at start of test 2862916 (8% full)
> Free space on box at start of test 35699932
> CA mail off
>
> Summary
> -------
>
> This test was designed to see if OpenCA could cope with managing 10,000
> certificates. The certificates were generated using the OpenCA CA batch
> processes and two input files (perl program attached to generate the
> input files).
>
> Process            Time (mins)    Notes
> -------            -----------    -------
> Edit config        2              Edit user generation program to
>                                   generate 10,000 records
> Gen start files    0.05           Generate user files (two files;
>                                   batch_new_user.txt and
>                                   batch_acl.txt). The next step is to
>                                   tar the files (one at a time) and
>                                   put them in the import directory.
> Import new users   2              CA batch process. Now tar the
>                                   batch_acl.txt file and put it in
>                                   the import directory.
> Import perms       2              CA batch process to import user
>                                   permissions
> Create PINs        19             CA batch process
> Export PINs        39             CA batch process
> Gen key pairs      43             CA batch process
> Generate requests  62             CA batch process. The good news
>                                   here is that it did not run out of
>                                   request serial numbers. Disk used
>                                   3080444 (8%).
> Approve requests   69             CA batch process
> Issue certs        600            The issuing rate started at 30
>                                   certs per minute. 1900 certificates
>                                   issued in 1.5 hours. The issuing
>                                   rate went down to 17 certs per
>                                   minute. The ca command (the command
>                                   doing the work) is using 30% cpu
>                                   time on the box, idle time is
>                                   running at about 1%. We must
>                                   remember this box is also running X
>                                   and Netscape. In order to speed up
>                                   the process I periodically stopped
>                                   the process from the browser and
>                                   started it again, this was possible
>                                   as the certs are signed
>                                   sequentially.
> Export to RA       90 (to fail)   This process failed due to runaway
>                                   memory usage and disk thrashing.
>                                   Michael modified the
>                                   export-import.lib and it worked a
>                                   lot better. The processes still
>                                   failed when the browser lost its
>                                   connection to the web server (this
>                                   happened twice after a similar
>                                   amount of time so it was not a one
>                                   off). I found that the export
>                                   directory structure had been
>                                   generated, but the log file had not
>                                   been updated, and no certs had been
>                                   archived. I manually tar'ed the
>                                   "enroll" directory.
> Import to RA       30             This worked but obviously the tar
>                                   file did not have all of the normal
>                                   data populated.
> Import to LDAP     47             Disk used (remember this is for CA,
>                                   RA and LDAP) = 4650244 (13%)
>
> Performance Summary
> ----------- -------
>
> Search for a certificate using the Public interface and the "Search"
> function = 2 seconds.
> Search for a certificate using "gq" LDAP client = 8 seconds.
> Export from RA after generating another single certificate request = 1
> second (this worked fine just as normal).
>
> General
> -------
>
> In general OpenCA performed well in these tests. The batch processes did
> their jobs and the generation of 10,000 certificates was not too much of
> a problem !
>
> The major area of concern for me is the "Export" function. It is obvious
> at high certificate volumes (although I would not call this test a high
> volume !) the export function fails. I am a bit worried about the
> parsing of the log files (so that only certificates that have not yet
> been exported to each RA are exported), in this case the log file
> contains 10,000 entries 1 to 10,000. If I add one more certificate
> request, then the whole file is parsed to see which files need to be
> exported (i.e. if they are missing from this list). This takes a long
> time and I am not convinced is scalable. I may be wrong on this and the
> manipulation of the file I had to do because of the failures I
> experienced is what is causing the problems.
>
> The next area of concern is the Issue certs batch process. It took 10
> hours to sign and issue the 10,000 certificates. I suppose it all
> depends on how the PKI is going to be used in real life. I would suggest
> that this is not too much of a problem at the moment as it would be very
> rare to issue 10,000 certificates in one go !
>
> I hope this is seen as a useful piece of work and indicated some
> pointers for further analysis.
>
> Chris...
