Bug 2028447

Summary: After ipa-backup completes, starting pki-tomcatd service failed with result 'timeout'
Product: Red Hat Enterprise Linux 8
Reporter: Sam Wachira <swachira>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: NEW
QA Contact: idm-cs-qe-bugs
Severity: medium
Priority: medium
Version: 8.4
CC: ckelley, frenaud, mreynolds, msauton, rcritten, rhcs-maint, tscherf
Target Milestone: rc
Keywords: Triaged
Flags: ckelley: needinfo-
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Type: Bug

Comment 12 Florence Blanc-Renaud 2022-02-04 15:55:13 UTC
@mreynolds, thanks for the explanations.

Summary
--------

On startup, the PKI server makes a VLV search that can take so much time that the startup sequence considers that PKI timed out.

The culprit VLV search is the following:
SRCH base="ou=keyRepository,ou=kra,o=kra,o=ipaca" scope=1 filter="(&(&(objectClass=top)(objectClass=keyRecord))(serialno=*))" attrs=ALL

PKI needs to configure VLV indexes in order to speed up this type of query. Currently, the following is defined (from ./base/kra/shared/conf/vlv.ldif):

dn: cn=allKeys-pki-tomcat,cn=ipaca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
vlvFilter: (&(serialno=*)(!(realm=*)))
vlvScope: 1
vlvBase: ou=keyRepository,ou=kra,o=kra,o=ipaca
cn: allKeys-pki-tomcat

but it doesn't correspond to the search filter used in the slow query, and cannot improve its performance.

PKI needs to define VLV indexes corresponding to the queries it performs. Hence moving this BZ to PKI component.
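
The mismatch described in comment 12 can be checked mechanically. The following is an added example, not code from the bug report or from the PKI project: it parses the SRCH line and the vlvSearch entry quoted above and reports which of base, scope and filter differ. It assumes a VLV index can serve a search only when all three are equal, and it compares them as case-insensitive, whitespace-stripped strings, which is a simplification; the function names are hypothetical.

```python
import re

# Constructed inputs, copied from the comment above: the slow access-log
# operation and the vlvSearch entry from base/kra/shared/conf/vlv.ldif.
ACCESS_LOG_LINE = ('SRCH base="ou=keyRepository,ou=kra,o=kra,o=ipaca" scope=1 '
                   'filter="(&(&(objectClass=top)(objectClass=keyRecord))(serialno=*))" attrs=ALL')
VLV_LDIF = """\
dn: cn=allKeys-pki-tomcat,cn=ipaca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
vlvFilter: (&(serialno=*)(!(realm=*)))
vlvScope: 1
vlvBase: ou=keyRepository,ou=kra,o=kra,o=ipaca
cn: allKeys-pki-tomcat
"""

def parse_srch(line):
    """Extract base, scope and filter from an access-log SRCH line."""
    m = re.search(r'SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"', line)
    if m is None:
        raise ValueError("not a SRCH line")
    return {"base": m.group(1), "scope": int(m.group(2)), "filter": m.group(3)}

def parse_vlv_search(ldif):
    """Read the vlvBase/vlvScope/vlvFilter attributes of one LDIF entry."""
    attrs = {}
    for raw in ldif.splitlines():
        key, sep, value = raw.partition(":")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return {"base": attrs["vlvbase"], "scope": int(attrs["vlvscope"]),
            "filter": attrs["vlvfilter"]}

def norm(value):
    """Assumed normalisation: ignore case and whitespace only."""
    return re.sub(r"\s+", "", str(value)).lower()

def vlv_mismatches(search, vlv):
    """Return the fields on which the search and the vlvSearch entry differ."""
    return [f for f in ("base", "scope", "filter") if norm(search[f]) != norm(vlv[f])]

if __name__ == "__main__":
    diff = vlv_mismatches(parse_srch(ACCESS_LOG_LINE), parse_vlv_search(VLV_LDIF))
    print("VLV index usable" if not diff else f"VLV index not usable, differs on: {diff}")
```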