For OCSP requests with an unknown CA, EJBCA goes through all Internal keybindings and queries for their certificate in CertificateData. This leads to a lot of CertificateData queries if you have a lot of keybindings.
There is a patch to simply return the default response (usually Unauthorized) in this case. This introduces a small latency between the time a new CA is added and the time you get correct OCSP responses. This latency is controlled by the setting ocsp.signingCertsValidTime, which defaults to 5 minutes.
- Disable the cache update, so the default response is returned if the CA certificate is absent
- Add a property or checkbox to restore the old behaviour (unchecked by default). This is for those who really want to keep the old behaviour for some reason.
- Add an upgrade note saying that if you need the old behaviour, you need to toggle the checkbox
The relevant code in OcspResponseGeneratorSessionBean is:
For the "if", we should also check the new setting, to avoid searching for missing entries for unknown CAs.
Previous information, kept for reference
1. With the following setup: OCSP key binding as a default responder, an OCSP query for an unknown CA (and therefore an unknown certificate) makes several CertificateData queries - see file unknown_ca.txt
2. When using a local CA, there are far fewer queries - see file local_ca.txt
3. Repeated several times to see if something got cached, but no significant change.
4. To enable debug logging in the WildFly DB connector:
In order to debug the JDBC statements in your server logs, you need to create a logger element which traces the jboss.jdbc.spy package. You can do it as follows:
Additionally, if you want to activate tracing of your Connection Pool as well, you can enable the cached-connection-manager attribute which will inform you of every connection opening and closing:
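The two settings described above, as standalone.xml fragments. This is an added illustration and not configuration from the ticket or from the EJBCA project; the datasource name java:/EjbcaDS, pool name ejbcads, connection URL and credentials are assumed, and the xmlns versions are placeholders that must match your WildFly release.

```xml
<!-- Added example, not from the ticket. Datasource name, pool name, URL and
     credentials are assumptions; the subsystem namespace versions must match
     the WildFly release in use. -->

<!-- 1. JDBC statement tracing. Both halves are required: the datasource must
        carry spy="true", otherwise the jboss.jdbc.spy logger prints nothing. -->
<subsystem xmlns="urn:jboss:domain:datasources:4.0">
  <datasources>
    <datasource jndi-name="java:/EjbcaDS" pool-name="ejbcads" enabled="true"
                use-java-context="true" spy="true">
      <connection-url>jdbc:mysql://127.0.0.1:3306/ejbca</connection-url>
      <driver>mysql</driver>
      <security>
        <user-name>ejbca</user-name>
        <password>PASSWORD-PLACEHOLDER</password>
      </security>
    </datasource>
  </datasources>
</subsystem>

<subsystem xmlns="urn:jboss:domain:logging:3.0">
  <!-- Every statement handed to the driver is logged at TRACE, including
       bind parameters. -->
  <logger category="jboss.jdbc.spy">
    <level name="TRACE"/>
  </logger>
</subsystem>

<!-- 2. Connection pool tracing: debug="true" logs each connection being
        opened and closed, which shows how many pool round trips one OCSP
        request causes. -->
<subsystem xmlns="urn:jboss:domain:jca:4.0">
  <cached-connection-manager debug="true"/>
</subsystem>
```

The same changes can be made on a running server with jboss-cli, for example `/subsystem=logging/logger=jboss.jdbc.spy:add(level=TRACE)` and `/subsystem=datasources/data-source=ejbcads:write-attribute(name=spy,value=true)` (a datasource change needs a reload to take effect). Because spy output contains the full SQL text and parameter values of every query, including the CertificateData lookups this ticket is about, treat the resulting server.log as sensitive and remove the TRACE logger again once the query counts have been collected.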