Hi all
This is basically a report on problems I encountered and how I worked
around them. Maybe it could be an idea for the new openxpki webui to
make things different.
Background
==========
I used a Nitrokey HSM 2 module as my secure storage for the signer
token. Usually they're quite nice and cheap (<100€) and work quite well
with openssl and so with OpenXPKI. It's easy to use them as offline hsm
tokens for the root ca and as online hsm token plugged into the pki
server for signing operations.
But they have one downside: they're quite slow. They take around 4s for
each crypto operation with a 4k RSA key.
For the daily business with signing operations, that's not a real
problem as long as you don't have to sign hundreds or thousands of
certificate requests each day.
Problem
=======
The slow crypto modules aren't a problem in the beginning, but as soon
as you start rolling your signer certificate a couple of times, this leads
to a real performance problem.
The system status page starts to check each signer certificate for their
operational status (online, offline, etc) on every access/click! With
every signer generation it adds around 8-12s (sign+verify) of waiting
time until the page gets rendered.
With 2 signer tokens it still works; access to the status page is quite
slow, but it is still accessible. With 3 signer tokens, the system
status page often hits the default timeout limitation of 30s to the
backend socket and you get a "backend not responding" error page. Over and
over again. Every other webui page works as expected.
Workaround
==========
While looking at the code, I saw that the new web client has the ability
to configure the timeout value when communicating with the server backend.
https://github.com/openxpki/openxpki/blob/develop/core/server/OpenXPKI/Client/Web.pm#L176-L179
The old webui.fcgi lacks that ability, so I quickly added an increased
timeout value to my fcgi backend client. I know that the new client
seems to support changing the timeout, even if it's not listed in the
example configuration.
Even though the old fcgi client frontend will be deprecated some day soon, I
thought I would share it. Maybe someone else will encounter the same
problem in their existing installation without the direct possibility to
switch to the new frontend the same day.
https://github.com/openxpki/openxpki/pull/951
Idea
====
Maybe it could be possible to check the online status of the crypto
modules asynchronously. Then the system status page would be shown
instantly and the online status of the signer modules would show a
spinner until the backend reports back their status. Sure, file based
signer tokens won't have that problem, so it could be still optional.
Making the signer status async could also improve the new design where
backend and frontend get split. Just an idea.
Hope that helps someone who could encounter the same performance issues.
Best regards
Daniel Hoffend
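As an added illustration of the asynchronous status idea described in the message above (this is a constructed Python sketch, not code from OpenXPKI or from the author): the status page reads a cache and returns immediately, while the slow sign+verify probes run in the background and update the cache; a failing probe is recorded as offline, and a stale-but-known status is preferred over a spinner. The probe delay, token names and thresholds are assumed values.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed simulation: the page never blocks on a slow HSM probe
# (sign+verify on a slow token takes several seconds per signer).

class SignerStatusCache:
    def __init__(self, probe, ttl=60.0, workers=4):
        self._probe = probe          # callable(token) -> "online"/"offline"
        self._ttl = ttl              # seconds a probe result stays fresh
        self._lock = threading.Lock()
        self._state = {}             # token -> (status, monotonic timestamp)
        self._inflight = set()       # tokens with a probe currently running
        self._pool = ThreadPoolExecutor(max_workers=workers)

    def status(self, token):
        """Return the cached status at once; schedule a refresh if stale."""
        with self._lock:
            entry = self._state.get(token)
            if entry and time.monotonic() - entry[1] < self._ttl:
                return entry[0]
            if token not in self._inflight:
                self._inflight.add(token)
                self._pool.submit(self._refresh, token)
            # a stale-but-known status beats a spinner; unknown -> "pending"
            return entry[0] if entry else "pending"

    def _refresh(self, token):
        try:
            result = self._probe(token)
        except Exception:            # any probe failure counts as offline
            result = "offline"
        with self._lock:
            self._state[token] = (result, time.monotonic())
            self._inflight.discard(token)

    def wait_settled(self, timeout=30.0):
        """Block until no probe is running (for tests and orderly shutdown)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if not self._inflight:
                    return True
            time.sleep(0.01)
        return False

def render_status_page(cache, tokens):
    """Non-blocking: returns {token: status} for the page template."""
    return {t: cache.status(t) for t in tokens}

def slow_probe(token, delay=0.2):
    """Constructed stand-in for a sign+verify round trip on a slow HSM."""
    time.sleep(delay)
    if token.endswith("-unplugged"):
        raise RuntimeError("token not present")
    return "online"
```

The first render returns "pending" for every signer, and once wait_settled() reports the probes finished, a second render shows the real status without any probe running on the request path.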
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users