000014302 - RSA Certificate Manager logs: Custom application 'CertGen' issued only 281 certificates from 500 requests

Document created by RSA Customer Support Employee on Jan 20, 2020
Version 1

Article Content

Article Number: 000014302
Applies To: RSA Product Set: RSA Certificate Manager
RSA Version/Condition: 16.7, 6.8, 6.9
RSA Certificate Manager configured to use an external directory to replace the default Berkeley DB through the db plug-in feature
Microsoft Active Directory Application Mode (ADAM)

An external LDAP store exhibits poor performance when used by a custom RSA Certificate Manager API application. Events such as the following are logged:
Custom application "CertGen" issued only 281 certificates from 500 requests.

Cause: When configured with an external LDAP, by default RSA Certificate Manager performs a dummy search before each transaction to ensure that the connection with the external LDAP Server is open.

The poor performance issue can be caused when there is a high transaction rate, due to a large number of dummy searches being triggered by RSA Certificate Manager.

To resolve this issue, the keepalive dummy searches of the external LDAP store must be turned off.

If a Certificate Manager API application is being used to issue certificates, it is possible to disable the keepalive search. A directive has been introduced in RSA Certificate Manager 6.7 build 422 to optionally turn off the keepalive search.

To add this directive:

  1. Locate plugin.conf at Installed-dir/Xudad/plugin/ldap.
  2. Open plugin.conf in a text editor and add the following directive:

    keepldapopen 0|1


    0 turns off the dummy search.

    1 maintains the dummy search. If the Secure Directory Server receives an LDAP_SERVER_DOWN error message, it will try to open a new connection again.

    If the directive is absent, the default is 1: Certificate Manager performs the dummy search.

    For transactions from other front-end applications, such as the WebServer and CMP Server, the Certificate Manager will make the dummy search.

    Installing RSA Certificate Manager 6.7 build 423 or later, and then adding the keepldapopen directive to turn off the dummy search, enables a custom application to issue a large number of certificate requests.
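To confirm which keepalive behaviour a given plugin.conf will produce, the shell function below reports the effective keepldapopen setting, including the absent-directive default described above. It is an added example, not RSA's code; it assumes one whitespace-separated directive per line and that lines starting with # are comments, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: report the effective keepldapopen setting of a plugin.conf.
# Assumptions (not from the article): one directive per line, name and value
# separated by whitespace, lines starting with '#' are comments.

# Prints one of: 0, 1, default-1 (directive absent), invalid, conflict.
keepldapopen_state() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                      # skip assumed comment lines
        $1 == "keepldapopen" {
            sub(/\r$/, "", $2)                   # tolerate CRLF line endings
            if ($2 != "0" && $2 != "1") { bad = 1 }
            else if (seen && $2 != val)  { clash = 1 }
            val = $2; seen = 1
        }
        END {
            if (bad)        print "invalid"      # value other than 0 or 1
            else if (clash) print "conflict"     # directive repeated with different values
            else if (seen)  print val
            else            print "default-1"    # absent: dummy search stays on
        }
    ' "$conf"
}

# Constructed sample file for demonstration (not a real plugin.conf).
sample=$(mktemp)
printf '# ldap plug-in settings (constructed)\nkeepldapopen 0\n' > "$sample"
keepldapopen_state "$sample"
rm -f "$sample"
```

A result of `conflict` or `invalid` means the file should be corrected by hand, since the article does not say how Certificate Manager treats repeated or malformed directives.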

Bz 72590

See also:  RSA Certificate Manager API 6.9 Reference Manual, chapter 3 "XUDA Session Resources", page 33 XresKEEPLDAPOPEN.

Legacy Article ID: a44718