author | Christina Fu <cfu@redhat.com> | 2016-02-22 14:35:38 -0800 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2016-03-02 14:15:28 -0800 |
commit | 3ff245abcf900ec30839d67a0120be42e7acff92 (patch) | |
tree | 6183a550c194ca56dc22ebb0827bd8235f3c0f9f /base/server | |
parent | 20a70830961f532e9483baefb64cc92af7cda8b2 (diff) | |
Ticket #1963 CRL generation enters loop when CA loses connection to netHSM.

This patch makes a low risk attempt to slow down the loop that could be
caused by an unexpected exception caused by the unavailability of a
dependent component (e.g. HSM, LDAP) in the middle of CRL generation/update.

New configuration parameters are:

ca.crl.MasterCRL.unexpectedExceptionWaitTime
  - the wait time in minutes; default is 30
  - normally you want it to be less than ca.crl.MasterCRL.autoUpdateInterval
    and ca.crl.MasterCRL.cacheUpdateInterval

ca.crl.MasterCRL.unexpectedExceptionLoopMax
  - the max number of tries allowed before the slow down mechanism kicks in;
    default is 10

When such unexpected failure happens, a loop counter is kept and checked
against the unexpectedExceptionLoopMax. If the loop counter exceeds the
unexpectedExceptionLoopMax, then the current time is checked against the
time of the failure, where the time lapse must exceed the
unexpectedExceptionWaitTime to trigger a delay. This delay is the
countermeasure to mitigate the amount of log messages that could flood
the log(s).

The delay is calculated like this:

  waitTime = mUnexpectedExceptionWaitTime - (now - timeOfUnexpectedFailure);
Diffstat (limited to 'base/server')
0 files changed, 0 insertions, 0 deletions
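
The throttle described in the commit message, as an added Java sketch that is not the Dogtag PKI source: it applies the two new parameters with their stated defaults and the `waitTime` formula to a simulated outage. The class and method names are hypothetical, and it assumes that `timeOfUnexpectedFailure` is the first failure of the current run, that the counter restarts after each delay, and that a non-positive `waitTime` means no delay.

```java
import java.util.concurrent.TimeUnit;

// Added illustration, not Dogtag PKI source. Class and method names are hypothetical.
public class CrlFailureThrottle {
    private final long waitTimeMs; // unexpectedExceptionWaitTime, converted from minutes
    private final int loopMax;     // unexpectedExceptionLoopMax
    private int loopCounter;
    private long timeOfUnexpectedFailure;

    CrlFailureThrottle(long waitMinutes, int loopMax) {
        this.waitTimeMs = TimeUnit.MINUTES.toMillis(waitMinutes);
        this.loopMax = loopMax;
    }

    // Called when CRL generation fails unexpectedly; returns the delay in ms (0 = retry now).
    long onUnexpectedFailure(long now) {
        if (loopCounter == 0) {
            timeOfUnexpectedFailure = now; // assumption: first failure of the current run
        }
        loopCounter++;
        if (loopCounter <= loopMax) {
            return 0;
        }
        long waitTime = waitTimeMs - (now - timeOfUnexpectedFailure);
        loopCounter = 0; // assumption: start a fresh run after each delay
        return Math.max(waitTime, 0);
    }

    // Called after a successful CRL update.
    void onSuccess() {
        loopCounter = 0;
    }

    public static void main(String[] args) {
        CrlFailureThrottle throttle = new CrlFailureThrottle(30, 10); // defaults from the commit message
        long now = 0, end = TimeUnit.HOURS.toMillis(2);
        int attempts = 0;
        // Constructed scenario: the HSM stays unreachable and every attempt fails after 1 second.
        while (now < end) {
            attempts++;
            long delay = throttle.onUnexpectedFailure(now);
            if (delay > 0) {
                System.out.printf("t=%ds attempt %d: sleeping %ds%n", now / 1000, attempts, delay / 1000);
            }
            now += 1000 + delay; // simulated clock instead of Thread.sleep
        }
        System.out.println("failed attempts in 2 simulated hours: " + attempts);
    }
}
```

Under these assumptions each 30-minute window allows `unexpectedExceptionLoopMax` immediate retries plus the one that triggers the delay, which bounds how many failure messages a sustained HSM or LDAP outage can write to the logs.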