[Pki-users] OCSP Manager and large CRLs

David Stutzman - US dstutzman at caci.com
Thu May 14 12:03:02 UTC 2015


I'm attempting to configure an instance of the standalone OCSP Manager and I'm having an issue with it loading the active set of DoD CAs/CRLs.  I'm using the LDAP store and have the 17 active CAs/CRLs (Root 2, ID and Email 25-32) added in the configuration.  I loaded the directory server (389 ds) with a Java program so I know all entries are configured exactly the same with caCertificate;binary and certificateRevocationList;binary attributes for each.  While loading, in the debug logs I see "Started CRL Update" for all 17 but then I'll only see 13 finish.  I see increased CPU usage (basically 100%) for several minutes after starting the service until the 14th CRL is processed when the machine goes back to idle and it just seems to stop processing the remaining 3 large CRLs.  The problem CRLs are understandably the 4 largest at 27.6Mb (this one loads about 4 min 45 seconds after startup), 30.6Mb, 29.5Mb, 33.5Mb.  The virtual machine I'm using has 4 cores and 8GB of memory (originally 4, but increasing to 8 didn't seem to help). I see nothing in the system or transaction logs to indicate what the problem is either.  The rpm version of the pki-ocsp package is 9.0.15-1.


Thanks,

Dave