
OCSPkeyBinding Default Responder DB Queries

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.4.1
    • Component/s: None
    • Provenance:
      Internal Delivery

      Description

      For OCSP requests with an unknown CA, EJBCA goes through all internal key bindings and queries CertificateData for each binding's certificate. This produces a large number of CertificateData queries when many key bindings are configured.

      There is a patch to simply return the default response (usually Unauthorized) in this case. This introduces a small latency between the time a new CA is added and the time correct OCSP responses are returned for it. That latency is controlled by the setting ocsp.signingCertsValidTime, which defaults to 5 minutes.

      Suggested solution

      • Disable the cache update, so the default response is returned if the CA certificate is absent
      • Add a property or checkbox to restore the old behaviour (unchecked by default), for those who really want to keep the old behaviour for some reason
      • Add an upgrade note saying that if you need the old behaviour, you need to toggle the checkbox

      The relevant code in OcspResponseGeneratorSessionBean is:

          // Locate the CA which gave out the certificate
          ocspSigningCacheEntry = OcspSigningCache.INSTANCE.getEntry(certId);
          if (ocspSigningCacheEntry == null) {
              // Could it be that we haven't updated the OCSP Signing Cache?
              ocspSigningCacheEntry = findAndAddMissingCacheEntry(certId);
          }
          final OcspDataConfigCacheEntry ocspDataConfig = OcspDataConfigCache.INSTANCE.getEntry(certId);

      In the "if", we should also check the new setting, so that no search for missing entries is made for unknown CAs.
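      The following is an added illustration, not EJBCA code: it models the lookup in the snippet above with an in-memory stand-in for the signing cache and a counter for CertificateData queries, so the query amplification for an unknown CA and the effect of the proposed guard can be seen. The class, field and setting names (searchForMissingEntries) are hypothetical.

```java
import java.util.*;

public class OcspCacheLookupDemo {
    // Hypothetical stand-in for OcspSigningCacheEntry: which CA the cached signer serves.
    static final class CacheEntry {
        final String issuerCa;
        CacheEntry(String issuerCa) { this.issuerCa = issuerCa; }
    }
    // Stand-in for OcspSigningCache.INSTANCE, keyed by the issuer id taken from the request.
    static final Map<String, CacheEntry> signingCache = new HashMap<>();
    // Constructed key bindings: each maps to the CA that issued the binding's certificate.
    static final Map<String, String> keyBindingIssuer = new LinkedHashMap<>();
    static int certificateDataQueries = 0;

    static {
        keyBindingIssuer.put("ocspKeyBinding1", "CA-A");
        keyBindingIssuer.put("ocspKeyBinding2", "CA-A");
        keyBindingIssuer.put("ocspKeyBinding3", "CA-B");
        keyBindingIssuer.put("ocspKeyBinding4", "CA-B");
    }

    /** Models findAndAddMissingCacheEntry: one CertificateData query per key binding. */
    static CacheEntry findAndAddMissingCacheEntry(String certId) {
        for (Map.Entry<String, String> kb : keyBindingIssuer.entrySet()) {
            certificateDataQueries++;            // SELECT ... FROM CertificateData for this binding
            if (kb.getValue().equals(certId)) {  // binding's certificate issued by the requested CA
                CacheEntry entry = new CacheEntry(certId);
                signingCache.put(certId, entry);
                return entry;
            }
        }
        return null;                             // unknown CA: every binding was queried for nothing
    }

    /** Models the lookup in the issue; the flag is the proposed setting guarding the search. */
    static String respond(String certId, boolean searchForMissingEntries) {
        CacheEntry entry = signingCache.get(certId);
        if (entry == null && searchForMissingEntries) {
            entry = findAndAddMissingCacheEntry(certId);
        }
        // Without an entry the default responder answers (usually Unauthorized).
        return entry == null ? "default response (Unauthorized)" : "signed for " + entry.issuerCa;
    }

    public static void main(String[] args) {
        respond("CA-UNKNOWN", true);
        System.out.println("old behaviour: " + certificateDataQueries + " CertificateData queries");
        certificateDataQueries = 0;
        respond("CA-UNKNOWN", false);
        System.out.println("new behaviour: " + certificateDataQueries + " CertificateData queries");
    }
}
```

      With the guard off, every unknown-CA request costs one CertificateData query per key binding; with it on, the default response is returned with no database access, and a newly added CA becomes answerable at the next scheduled cache reload (ocsp.signingCertsValidTime).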

      Previous information, kept for reference
      1. With the following setup: an OCSP key binding as the default responder, an OCSP query for an unknown CA (and therefore an unknown certificate) produces several CertificateData queries - see file unknown_ca.txt
      2. When using a local CA, there are far fewer queries - see file local_ca.txt
      3. Repeated several times to see whether something got cached, but no significant changes.
      4. To enable debug in the wildfly DB connector:

      (http://www.mastertheboss.com/jboss-server/jboss-datasource/how-to-trace-jdbc-statements-with-jboss-as
      https://developer.jboss.org/thread/242569)

      /subsystem=datasources/data-source=MySQLPool/:write-attribute(name=spy,value=true)

      In order to debug the JDBC statements in your server logs, you need to create a logger element which traces the jboss.jdbc.spy package. You can do it as follows:

      /subsystem=logging/logger=jboss.jdbc.spy/:add(level=TRACE)

      Additionally, if you want to activate tracing of your Connection Pool as well, you can enable the cached-connection-manager attribute which will inform you of every connection opening and closing:

      /subsystem=jca/cached-connection-manager=cached-connection-manager/:write-attribute(name=error,value=true)


              People

              Assignee: Amin Khorsandi
              Reporter: Blanca Morales (blanca.morales@primekey.com)
              Verified by: Jekaterina Bunina
              Votes: 0
              Watchers: 8


                  Time Tracking

                  Estimated: 3d (original estimate: 3 days)
                  Remaining: 0m
                  Logged: 3d 2h