
CA Directory pbkdf2 password-store causes performance issue specially when Password Policy is being used


Article ID: 213869

Products

CA Directory

Issue/Introduction

During performance testing that consisted of bind and search operations only, we observed high CA Directory response times and errors, potentially caused by LDAP timeouts. We noticed the following:
    - high CPU usage by the dxserver process on the DSA node with the 1st write precedence
    - no high CPU usage on the other DSA nodes
    - with Password Policy turned off, performance is much better, but higher-load tests still cause performance issues

Cause

This issue occurs because password-storage has been set to the pbkdf2 algorithm with the default number of iterations, 64000, which carries a high computation cost.
When Password Policy is turned on, a bind operation is a WRITE operation (the bind must update the entry's password-policy state), so every bind is processed by the DSA node with the 1st write precedence. This is why that node shows high CPU usage for the dxserver process while the other DSA nodes do not.

Environment

Release : 14.x

Component : CA Directory

Resolution

As described in the documentation below, under the "Supporting Commands for the PBKDF2 Hashing Method" section, pbkdf2 password storage requires a high computation cost.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/reference/commands-reference/set-password-storage-command.html

When you decide to use the PBKDF2 hashing method for improved security, keep the computation cost in mind: the larger the number of iterations, the higher the cost. By default, pbkdf2-iterations is set to 64000. You can lower the number of iterations, or you can change to a different password-storage algorithm that has a lower computation cost.

Please refer to the following document for details on converting passwords already in a DSA to a new encryption method ("Convert Passwords Already in a DSA to a New Encryption Method"):

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-0/administrating/manage-user-accounts-and-passwords/password-encryption.html#concept.dita_869dd524377390b24841d3af48dd2da0f15b8a4c_ConvertPasswordsAlreadyinaDSAtoaNewEncryptionMethod

Additional Information

Please also refer to the article CA Directory Password Storage hashing method - additional information.