Resolving the Certificate Revocation List (CRL) lookup performance issue

Article:TECH193594  |  Created: 2012-07-24  |  Updated: 2014-04-22  |  Article URL http://www.symantec.com/docs/TECH193594
Article Type
Technical Solution

Product(s)

Issue



The symptoms of the Certificate Revocation List (CRL) lookup performance issue on the Symantec Management Platform computer are:

  • Windows services on the Platform computer sometimes fail during startup (for example, CTDataloader.exe).
  • Some Symantec Management Console pages take a very long time to load.

 

**** A Certificate Revocation List (CRL) is the list of certificates that an issuing CA has revoked. Assemblies that run on .NET can be Authenticode-signed with a certificate, and the runtime consults the CRL to check that the signing certificate is still valid. Disabling the CRL lookup means that the affected applications no longer check whether their signing certificate has been revoked. Only disable this check on computers that are not internet-facing. ****

 


Error



Could not start the Altiris Client Task Data Loader service on Local Computer
Error 1053: The service did not respond to the start or control request in a timely fashion


Environment



This problem typically happens if the Symantec Management Platform computer (Notification Server, or Site Servers with Task Services installed) is not connected to the internet, or is unable to resolve the Microsoft CRL server address. However, the problem may also arise if the Symantec Management Platform computer goes offline for an extended period. The computer will start exhibiting these performance issues after being offline for 15 days, as the CRL data is cached for 15 days.


Cause



This problem is caused by the Certificate Revocation List (CRL) lookup.

If the Symantec Management Platform computer does not have internet access, the .NET runtime cannot reach the Microsoft Certificate Revocation List servers to verify the Authenticode signatures on assemblies. Although none of the applications that comprise the Symantec Management Platform make use of Authenticode publisher evidence, the standard Microsoft assemblies that ship with the .NET Framework are all Authenticode signed. When the computer has no internet connection, .NET tries for up to 15 seconds to reach the CRL before the lookup times out as a failure.

This delay can lead to Windows services failing during startup, as some services take a long time to start and may time out. This delay also causes some Symantec Management Console pages to take a very long time to load.

Microsoft update KB2686831 has been seen to cause issues with CRL lookup and restricted network environments, which causes the CTDataloader.exe to not start up properly.


Solution



To resolve this problem on offline servers, or on servers likely to be offline for an extended period of time, we recommend that you disable CRL lookups (Option #3). You can re-enable CRL lookups later, if necessary. For online computers, try Option #1 first.

Option #1 Use Windows fix for .NET Framework 2.0 Windows Service may time out

Go to http://support.microsoft.com/kb/941990 and use Method 3 to resolve the time out of CTDataloader.exe services.

Option #2 Delayed Start

Setting the Data Loader service (CTDataloader.exe) to Automatic (Delayed Start) also allows enough time for the network to come online before the CRL check runs. By default, delayed-start services are started 2 minutes after the last Automatic service has started.
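The following PowerShell is an added example and not part of this article or of the Symantec product: it switches the service to Automatic (Delayed Start) and verifies the result. It assumes the display name shown in the error text above ("Altiris Client Task Data Loader") and resolves it to the internal service name that sc.exe requires. Run it from an elevated prompt.

```powershell
# Added example (not Symantec's own tooling). Puts the Data Loader service on
# Automatic (Delayed Start) and confirms the change in the service's registry key.
# Assumption: the display name below matches the one in the article's error text.
$displayName = 'Altiris Client Task Data Loader'

# sc.exe works with the internal service name, not the display name.
$svc = Get-Service -DisplayName $displayName -ErrorAction Stop

# Note the mandatory space after "start=": sc.exe's parser rejects "start=delayed-auto".
sc.exe config $svc.Name start= delayed-auto | Out-Null

# Verify: Start=2 is Automatic, and DelayedAutostart=1 marks it as delayed.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
$props = Get-ItemProperty -Path $key
if ($props.Start -eq 2 -and $props.DelayedAutostart -eq 1) {
    "$displayName ($($svc.Name)) is now Automatic (Delayed Start)"
} else {
    throw "Failed to set delayed start on $($svc.Name); check the sc.exe output"
}
```

The verification step reads the registry rather than trusting the sc.exe exit code, because Set-Service in Windows PowerShell 5.x cannot express the delayed-start type and sc.exe reports success on a partially applied change.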

 

Option #3 Disabling CRL lookups

Only disable CRL lookups computer-wide on offline computers. For online computers, use the procedure under "Disabling CRL lookups for individual applications" below.

 

To disable CRL lookups on the Symantec Management Platform computer, you need to edit the machine.config file on the computer, as follows:

  1. Open the machine.config file in a text editor. (On x64 Windows, edit the Framework64 file; 32-bit and 64-bit processes read different machine.config files, so if any affected process runs as 32-bit, edit the Framework file as well.)
    (x86) The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework\v2.0.50727\.
    (x64) The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework64\v2.0.50727\.
  2. Look for <runtime /> in the machine.config file and change to this:
      <runtime>
        <generatePublisherEvidence enabled="false" />
      </runtime>
  3. Save the machine.config file.
  4. Open a command prompt with Administrator rights, and type iisreset.

This restarts IIS so that the Console web applications pick up the change. Windows services read the setting when they start, so you can now start the services that were failing, such as CTDataloader.exe.

 

Re-enabling CRL lookups

If the Windows server is later given internet access, you may wish to re-enable CRL lookups. Windows does not detect when access to the CRL server is restored, so it will not make any changes to the machine.config file automatically. You only need to reverse the change to the machine.config file if applications or .NET security policies that require publisher evidence are installed on the computer. This is not common.

To re-enable CRL lookups manually, do the following:

  1. Open the machine.config file in a text editor.
  2. Delete the following XML element from the machine.config file:
      <generatePublisherEvidence enabled="false" />
  3. Ensure that you delete only this line from the machine.config file. Do not delete any other XML elements (such as the surrounding <configuration> and <runtime> elements), as they could be required for other customized options specified in the file.
  4. Save the machine.config file.
  5. Open a command prompt with Administrator rights, and type iisreset.

Disabling CRL lookups for individual applications

In some circumstances you may not want to disable CRL lookups computer-wide, but need to disable them for individual applications. To disable CRL lookups for a particular application, open the application's .config file (the .NET naming convention is <application>.exe.config alongside the executable, for example CTDataloader.exe.config) and add the same <generatePublisherEvidence> element inside <runtime>, as specified for the machine.config file. If the .config file does not exist for the application, you can create it.

The same applies to web.config files for web applications.
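The following PowerShell script is an added example; it is not part of this article and not Symantec's own tooling. It performs the machine.config edit from "Disabling CRL lookups" on both the x86 and x64 v2.0 runtimes at the default paths the article gives, reverses it for "Re-enabling CRL lookups" when run with -Enable, and, when given -ConfigPath, applies the same element to individual application .config or web.config files instead (creating a minimal file if none exists). The script name, parameter names and the backup naming are my own choices. Run it from an elevated PowerShell prompt.

```powershell
<#
Added example (not from the Symantec article). Adds or removes
<generatePublisherEvidence enabled="false" /> under <runtime>.

  .\Set-CrlLookup.ps1                                   # disable machine-wide (x86 + x64)
  .\Set-CrlLookup.ps1 -Enable                           # re-enable machine-wide
  .\Set-CrlLookup.ps1 -ConfigPath 'C:\App\Svc.exe.config'   # one application only
#>
param(
    [switch]$Enable,        # remove the element instead of adding it
    [string[]]$ConfigPath,  # per-application .config / web.config files (assumed parameter)
    [switch]$NoIisReset     # skip iisreset, e.g. when only a Windows service is affected
)

# Default targets: machine.config for both v2.0 runtimes, at the article's default paths.
if (-not $ConfigPath) {
    $ConfigPath = @(
        "$env:windir\Microsoft.NET\Framework\v2.0.50727\Config\machine.config",
        "$env:windir\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config"
    )
}

foreach ($path in $ConfigPath) {
    if (-not (Test-Path -Path $path)) {
        if ($path -like '*machine.config') {
            Write-Host "Skipping $path (that runtime is not installed on this computer)"
            continue
        }
        # A per-application config may not exist yet; create a minimal one.
        Set-Content -Path $path -Value '<?xml version="1.0" encoding="utf-8"?><configuration><runtime /></configuration>'
    }
    $full = (Resolve-Path -Path $path).Path   # XmlDocument.Save needs an absolute path

    # Back up first: a malformed machine.config breaks every .NET process on the computer,
    # and XmlDocument.Save rewrites the file's whitespace.
    Copy-Item -Path $full -Destination ('{0}.{1}.bak' -f $full, (Get-Date -Format 'yyyyMMddHHmmss'))

    [xml]$config = Get-Content -Path $full -Raw
    $root = $config.DocumentElement

    # SelectSingleNode rather than $config.configuration.runtime: PowerShell's
    # property adapter returns an empty <runtime /> as an empty string, not a node.
    $runtime = $root.SelectSingleNode('runtime')
    if ($null -eq $runtime) {
        $runtime = $root.AppendChild($config.CreateElement('runtime'))
    }
    $element = $runtime.SelectSingleNode('generatePublisherEvidence')

    if ($Enable) {
        # Re-enable: delete only this element; <runtime> and its other children stay intact.
        if ($null -ne $element) { [void]$runtime.RemoveChild($element) }
    } else {
        if ($null -eq $element) {
            $element = $runtime.AppendChild($config.CreateElement('generatePublisherEvidence'))
        }
        $element.SetAttribute('enabled', 'false')
    }

    $config.Save($full)
    Write-Host ('{0}: CRL lookup (publisher evidence) {1}' -f $full, $(if ($Enable) { 'enabled' } else { 'disabled' }))
}

# Step 4 of the article: restart IIS so the Console pages pick up the change.
# Windows services read the setting when they next start; restart those separately.
if (-not $NoIisReset) { iisreset }
```

The script is idempotent, so running it twice does not duplicate the element, and the -Enable path removes only the generatePublisherEvidence element, matching the article's warning not to delete the surrounding <runtime> and <configuration> elements. Keep the article's caveat in mind: the machine-wide form turns off revocation checking for every .NET application on the computer, so use -ConfigPath on internet-facing hosts.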

Note: When you install the Symantec Management Platform via Symantec Installation Manager, the Install Readiness Check now includes a check for CRL access. If the computer does not have the necessary access, the check recommends that you disable CRL lookups for all .NET applications on the computer. You can do this automatically by accepting the "Fix" prompt displayed in the Symantec Installation Manager.

For more information, refer to the following KB article: About the Install Readiness Check for Certificate Revocation List access.
