From: <oh...@ya...> - 2019-07-29 15:36:46
Hi,
It looks like the import that I started before going on vacation failed for some reason (possibly the machine got shut down by our automatic shutdowns... I am not sure).
So I will start the import AGAIN today...
Bottom line is that I am still not able to import the large CRL successfully so far....
Jim
On Monday, July 22, 2019, 4:47:50 PM UTC, ohaya--- via Ejbca-develop <ejb...@li...> wrote:
Hi,
I had already changed that and started a new run before I saw your email, but then I have left for a vacation, and I don't have access to our system until I get back.
I will post when I check it after I get back home.
Jim
On Sunday, July 21, 2019, 5:32:31 PM UTC, Tomas Gustavsson <to...@pr...> wrote:
I edited bin/ejbca.sh and added these parameters to use 4GB for the CLI
tool itself.
-Xmx4096m -Xms4096m
i.e.
exec "$JAVACMD" -Xmx4096m -Xms4096m -jar "$CLI_JAR" "$@"
Regards,
Tomas
On 2019-07-21 17:19, oh...@ya... wrote:
> Hi,
>
> The import processing crashed :(....
>
> +++++ V2.00 SMALLER PRIVATE KEY BY TOMAS +++++ Certificate '273BED' missing in the database
> Exception in thread "main" java.lang.OutOfMemoryError: GC overhead limit exceeded
>     at org.ejbca.util.crypto.BCrypt.initKey(BCrypt.java:547)
>     at org.ejbca.util.crypto.BCrypt.cryptRaw(BCrypt.java:635)
>     at org.ejbca.util.crypto.BCrypt.hashpw(BCrypt.java:700)
>     at org.ejbca.core.ejb.authentication.cli.CliAuthenticationToken.generateSha1Hash(CliAuthenticationToken.java:102)
>     at org.ejbca.core.ejb.authentication.cli.CliAuthenticationToken.setSha1HashFromHashedPassword(CliAuthenticationToken.java:168)
>     at org.ejbca.core.ejb.authentication.cli.CliAuthenticationToken.setSha1HashFromCleartextPassword(CliAuthenticationToken.java:187)
>     at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.getAuthenticationToken(PasswordUsingCommandBase.java:246)
>     at org.ejbca.ui.cli.ca.CaImportCRLCommand.execute(CaImportCRLCommand.java:179)
>     at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.execute(PasswordUsingCommandBase.java:202)
>     at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:287)
>     at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:297)
>     at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.findAndExecuteCommandFromParameters(CommandLibrary.java:78)
>     at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:33)
>
>
> It got through 242720 entries.
>
> Jim
>
> On Sunday, July 21, 2019, 1:53:13 AM UTC, ohaya--- via Ejbca-develop
> <ejb...@li...> wrote:
>
>
> Hi,
>
> I built the new class and JAR and am testing. This looks better. It's
> not quite the rate that you are seeing but it's much better than what I
> was seeing before.
>
> So now it looks like I am getting about 1073 per minute, which is about
> 17 per second. I added some text to the class before I built it (not a
> lot, just some additional strings so I could verify I was using the
> modified class), so I know for sure that I am using the modified Java class.
>
> So anyway, it looks like we are down to about 15 hours to import that
> one CRL now :) ...
>
> Jim
>
>
>
> On Saturday, July 20, 2019, 9:51:43 PM UTC, ohaya--- via Ejbca-develop
> <ejb...@li...> wrote:
>
>
> Hi,
>
> I was doing a diff/fc file compare between the one you attached, and the
> last one I had that I used before, and it seems like there is a
> difference between those. Is the code that you just attached different
> than the patch you gave me before? Here's the file compare output (the
> "CAIMPORTCRLCOMMAND.JAVA" is the one you just attached):
>
> Comparing files
> CaImportCRLCommand.java-C-WORKING-PATCH-B4-TOMAS-GAVE-NEW-ONE-ON-2019-07-20
> and CAIMPORTCRLCOMMAND.JAVA
> *****
> CaImportCRLCommand.java-C-WORKING-PATCH-B4-TOMAS-GAVE-NEW-ONE-ON-2019-07-20
> final EndEntityInformation
> missingUserEndEntityInformation = EjbRemoteHelper.INSTANCE.getRemoteSession(
>
>
> EndEntityAccessSessionRemote.class).findUser(getAuthenticationToken(),
> missing_user_name);
> ***** CAIMPORTCRLCOMMAND.JAVA
> final EndEntityInformation
> missingUserEndEntityInformation = EjbRemoteHelper.INSTANCE.getRemoteSession(
>
> EndEntityAccessSessionRemote.class).findUser(getAuthenticationToken(),
> missing_user_name);
> *****
>
> *****
> CaImportCRLCommand.java-C-WORKING-PATCH-B4-TOMAS-GAVE-NEW-ONE-ON-2019-07-20
>
> private KeyPair getStaticRSAKeyPair() {
> // A switch to use different keys depending on the sigAlg so we
> can sign using the CAs signature algorithm
> final StringReader reader = new
> StringReader(CaImportCRLCommand.PRESIGN_VALIDATION_KEY_RSA_PRIV);
> try (PEMParser pemParser = new PEMParser(reader)) {
> PEMKeyPair pemKeyPair = (PEMKeyPair) pemParser.readObject();
> JcaPEMKeyConverter keyConverter = new
> JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
> return keyConverter.getKeyPair(pemKeyPair);
> } catch (IOException e) {
> throw new IllegalStateException("IOException parsing hard
> coded presign key. This should never happen: ", e);
> }
> }
> ***** CAIMPORTCRLCOMMAND.JAVA
>
> private static KeyPair staticKp = null;
> private KeyPair getStaticRSAKeyPair() {
> if (staticKp == null) {
> synchronized (this) {
> if (staticKp == null) {
> // A switch to use different keys depending on the
> sigAlg so we can sign using the CAs signature algorithm
> final StringReader reader = new
> StringReader(CaImportCRLCommand.PRESIGN_VALIDATION_KEY_RSA_PRIV);
> try (PEMParser pemParser = new PEMParser(reader)) {
> PEMKeyPair pemKeyPair = (PEMKeyPair)
> pemParser.readObject();
> JcaPEMKeyConverter keyConverter = new
> JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NA
> ME);
> staticKp = keyConverter.getKeyPair(pemKeyPair);
> } catch (IOException e) {
> throw new IllegalStateException("IOException
> parsing hard coded presign key. This should never happen:
> ", e);
> }
> }
> }
> }
> return staticKp;
> }
> *****
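
Review bot: In the new getStaticRSAKeyPair(), staticKp is a static field but is not declared volatile, and the block is guarded by synchronized (this), which is a per-instance lock, so the double-checked locking does not actually protect the shared field: two instances can enter the block at the same time, and without volatile another thread may observe a non-null staticKp before the KeyPair is safely published. Suggest declaring the field as "private static volatile KeyPair staticKp" and locking on CaImportCRLCommand.class, or initialising the key pair once in a static holder class so no explicit locking is needed. A short comment on the field saying that it caches the key pair parsed from PRESIGN_VALIDATION_KEY_RSA_PRIV, so the PEM is not re-parsed on every call, would also help the next reader.
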
>
>
>
> On Saturday, July 20, 2019, 9:32:26 PM UTC, ohaya--- via Ejbca-develop
> <ejb...@li...> wrote:
>
>
> AACK! Yes, I forgot all about that and just used the vanilla software
> :(! Now, if I can remember how to do that patch, I will try it :(...
>
> Thanks,
> Jim
>
> On Saturday, July 20, 2019, 8:35:09 PM UTC, Tomas Gustavsson
> <to...@pr...> wrote:
>
>
>
> Did you forget to patch the java file? The top output suggests you did.
> Attached the latest patched file that I used for the import.
>
> Regards,
> Tomas
>
> On 2019-07-20 17:45, oh...@ya... wrote:
>> Hi,
>>
>> FYI, I got the EJBCA installed on a Redhat 7.4 instance on AWS, and I
>> just started testing with that same CRL, and unfortunately, it is not
>> doing very well... actually even slower than on my earlier dev machine
>> under VBox :(!!
>>
>> The AWS machine is a t2.medium instance with 70GB disk, 4GB RAM, and 2
>> CPUs. I converted the tables to InnoDB and also ran the create index
>> SQL script.
>>
>> It looks like the import is only processing about 5000 entries per hour.
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> <mailto:Ejb...@li...>
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop