
CA Directory pbkdf2 password-storage causes performance issues, especially when Password Policy is used


Article ID: 213869




CA Directory


When we run performance tests that include only bind and search operations, we have seen high CA Directory response times and errors, potentially due to LDAP timeouts. We have noticed the following:
    - high CPU usage of the dxserver process on the 1st write precedence DSA node
    - other DSA nodes do not show high CPU usage
    - if we turn off Password Policy the performance is much better, but higher-pressure tests still cause the performance issue


This issue happens because password-storage has been set to the pbkdf2 algorithm with the default number of iterations, i.e. 64000, which requires a high computation cost.
When Password Policy is turned on, a bind operation is a WRITE operation. This is why the dxserver process shows high CPU usage on the 1st write precedence DSA node.


Release : 14.x

Component : CA Directory


Based on the documentation below, under the "Supporting Commands for the PBKDF2 Hashing Method" section, pbkdf2 storage requires a high computation cost.

When you decide to use the PBKDF2 hashing method for improved security, keep in mind the computation cost. The larger the number of iterations, the higher the cost. By default, pbkdf2-iterations is set to 64000. You can lower this number of iterations, or you can change to a different password-storage algorithm that has a lower computation cost.

Please refer to the following document for details about "Convert Passwords Already in a DSA to a New Encryption Method".

Additional Information

Please also refer to "CA Directory Password Storage hashing method - additional information".