Red Hat build of Keycloak: RHBK-2080

Certificate Revocation List (CRL) Caching for Performance Improvement



      Narrative

      Keycloak's current method of loading Certificate Revocation Lists (CRLs) appears to be slow and resource-intensive, causing high memory and CPU usage during logins. The problem worsens with larger CRLs and sometimes leads to Keycloak crashes. For instance, with CRLs like the ones found here (https://crl.gds.disa.mil/), Keycloak can crash with an out-of-memory error, and every login attempt can take up to 5 or 6 seconds to complete.
      Additionally, CRLs aren't refreshed automatically, so they require manual management.
      A caching mechanism and a more efficient CRL parser are needed to improve memory handling and overall performance.

      Value Proposition

      • Addresses critical performance issue
      • FedRAMP Rev 5 control IA-05 (02) requires implementing a local cache of revocation data to supplement in situations when the system is unable to access revocation information via the network.
      • As a FedRAMP authorized organization, we must comply with these controls.

      Goals

      • Support for any number of CRLs of any size either as the primary certificate validation method or in concert with OCSP.
      • Ensure that multiple large CRLs are handled with good performance
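      The narrative above asks for a cache so that a CRL is parsed once rather than on every login, and the IA-05 (02) bullet asks for a local copy of revocation data that can be used when the network is unavailable. The following added example (not Keycloak code, and not the implementation this issue proposes) sketches the cache logic those two requirements imply: entries are keyed by distribution point URL, refreshed when the CRL's nextUpdate passes, looked up as a set of serial numbers, and served stale for a bounded grace period when the fetch fails. The ParsedCrl dataclass, the fake clock and the fake distribution point are all constructed stand-ins; a real implementation would fill ParsedCrl from an X.509 parser.

```python
"""Added example, not Keycloak code: a CRL cache with nextUpdate-based refresh
and bounded stale fallback when the distribution point is unreachable."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class ParsedCrl:
    """Simplified view of one parsed CRL (assumption: a real implementation
    would populate this from an X.509 CRL parser, e.g. java.security.cert.X509CRL)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]   # set lookup instead of a linear scan per login


class CrlCache:
    def __init__(self, fetch: Callable[[str], ParsedCrl], clock: Callable[[], datetime],
                 max_stale: timedelta = timedelta(hours=24)):
        self._fetch = fetch            # loads and parses the CRL behind a URL
        self._clock = clock
        self._max_stale = max_stale    # how long past nextUpdate a copy may still be used
        self._entries: Dict[str, ParsedCrl] = {}
        self.stats = {"hits": 0, "refreshes": 0, "stale_served": 0}

    def get(self, url: str) -> ParsedCrl:
        now = self._clock()
        cached = self._entries.get(url)
        if cached is not None and now < cached.next_update:
            self.stats["hits"] += 1            # fresh copy: no parsing, no network
            return cached
        try:
            fresh = self._fetch(url)
        except OSError as exc:                 # distribution point unreachable
            if cached is not None and now < cached.next_update + self._max_stale:
                self.stats["stale_served"] += 1  # local copy supplements the network
                return cached
            raise RuntimeError(f"no usable CRL for {url}") from exc
        if cached is not None and fresh.this_update < cached.this_update:
            return cached                      # never replace a newer CRL with an older one
        self._entries[url] = fresh
        self.stats["refreshes"] += 1
        return fresh

    def is_revoked(self, url: str, serial: int) -> bool:
        return serial in self.get(url).revoked_serials


class FakeClock:
    """Constructed clock so the example runs deterministically."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class FakeDistributionPoint:
    """Constructed stand-in for an HTTP CRL distribution point; can be taken offline."""
    def __init__(self, clock: FakeClock):
        self.clock = clock
        self.offline = False
        self.fetches = 0

    def fetch(self, url: str) -> ParsedCrl:
        self.fetches += 1
        if self.offline:
            raise OSError("distribution point unreachable")
        now = self.clock()
        return ParsedCrl(issuer="CN=Example CA", this_update=now,
                         next_update=now + timedelta(hours=1),
                         revoked_serials=frozenset({0x1001, 0x1002}))   # constructed serials


def run_demo() -> dict:
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    dp = FakeDistributionPoint(clock)
    cache = CrlCache(dp.fetch, clock=clock)
    url = "http://crl.example.invalid/ca.crl"   # placeholder URL
    results = {}
    results["first"] = cache.is_revoked(url, 0x1001)    # first login: fetch + parse
    results["second"] = cache.is_revoked(url, 0x2000)   # second login: cache hit
    clock.advance(timedelta(hours=2))                   # past nextUpdate
    dp.offline = True
    results["stale"] = cache.is_revoked(url, 0x1002)    # fetch fails, stale copy served
    clock.advance(timedelta(hours=30))                   # beyond the 24h grace period
    try:
        cache.is_revoked(url, 0x1002)
        results["too_stale"] = False
    except RuntimeError:
        results["too_stale"] = True                      # fail closed, no usable CRL
    results["fetches"] = dp.fetches
    results["stats"] = dict(cache.stats)
    return results


if __name__ == "__main__":
    print(run_demo())
```

      Note that once the cached copy has expired, every lookup retries the fetch before serving the stale entry; a production cache would rate-limit or background that retry so an unreachable distribution point does not add latency to each login.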

      Implementation note

              sthorger@redhat.com Stian Thorgersen
              rhn-support-igueye Issa Gueye