Resolving the Certificate Revocation List (CRL) lookup performance issue

Article:HOWTO9585  |  Created: 2008-12-17  |  Updated: 2014-02-18  |  Article URL http://www.symantec.com/docs/HOWTO9585
Article Type
How To



Problem
 

The symptoms of the Certificate Revocation List (CRL) lookup performance issue on the Symantec Management Platform computer are:

  • Windows services on the Platform computer sometimes fail during startup.
  • Some Symantec Management Console pages take a very long time to load.

Environment
This problem typically happens if the Symantec Management Platform computer is not connected to the internet, or is unable to resolve the Microsoft CRL server address. However, the problem may also arise if the Symantec Management Platform computer goes offline for an extended period. The computer will start exhibiting these performance issues after being offline for 15 days, as the CRL data is cached for 15 days.

Cause
 

This problem is caused by the Certificate Revocation List (CRL) lookup.  
 
If the Symantec Management Platform computer does not have internet access, the .NET runtime cannot access the Microsoft Certificate Revocation List servers to verify the Authenticode assembly. Although none of the applications that comprise the Symantec Management Platform make use of Authenticode assembly signing evidence, the standard Microsoft assemblies that are included with the .NET framework are all Authenticode signed. When the computer has no internet connection, .NET will try for up to 15 seconds to access the CRL before timing out as a failure.
 
This delay can lead to Windows services failing during startup, as some services take a long time to start and may time out. This delay also causes some Symantec Management Console pages to take a very long time to load. 
 
 

Resolution
 

To resolve this problem, we recommend that you disable CRL lookups if the Symantec Management Platform computer is offline, or is likely to be offline for an extended period of time. You can re-enable CRL lookups later, if necessary.

Disabling CRL lookups 

To disable CRL lookups on the Symantec Management Platform computer, you need to edit the machine.config file on the computer, as follows:

  1. Open the machine.config file in a text editor.

    The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG.
     
  2. Edit the XML of the machine.config file:

    Find the <runtime> node.
    If it looks like <runtime/>, replace it with:

    <runtime> 
        <generatePublisherEvidence enabled="false"/> 
    </runtime>


    otherwise, simply add:

    <generatePublisherEvidence enabled="false"/>

    between the start and end tags.

     
  3. Save the machine.config file.

Note: For the Windows 2008 64-bit site server, updated the machine.config in two places:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG

 

Re-enabling CRL lookups

If the Symantec Management Platform computer is later given internet access, you may need to re-enable CRL lookups. The Symantec Management Platform does not detect when access to the CRL server is restored, so will not make any changes to the machine.config file automatically. You only need to reverse the change to the machine.config file if applications or .NET security policies that require publisher evidence are installed on the computer. This is not common.
 
To re-enable CRL lookups manually, do the following:

  1. Open the machine.config file in a text editor.
     
  2. Delete the following XML element from the machine.config file:

    <generatePublisherEvidence enabled="false"/ >

    Ensure that you delete only this line from the machine.config file. Do not delete any other XML elements (such as the surrounding <configuration> and <runtime> elements), as they could be required for other customized options specified in the file.
     
  3. Save the machine.config file.

Disabling CRL lookups for individual applications

In some circumstances you may not want to disable CRL lookups computer-wide, but need to disable them for individual applications. To disable CRL lookups for a particular application, open the appropriate application .config file (the naming convention is application name.config), and add the required XML element as specified for the machine.config file. If the necessary .config file does not exist for the application, you can create it.

The same applies to web.config files for web applications.

Note

When you install the Symantec Management Platform, the Install Readiness Check now includes a check for CRL access. If the computer does not have the necessary access, the check recommends that you disable CRL lookups for all .NET applications on the computer. You can do this automatically by accepting the "Fix" prompt displayed in the Symantec Installation Manager.

For more information, refer to the following KB article: About the Install Readiness Check for Certificate Revocation List access.



Legacy ID



44769


Article URL http://www.symantec.com/docs/HOWTO9585


Terms of use for this information are found in Legal Notices