Red Hat Bugzilla – Bug 179715
LTC20830-Large memory leak w/symmetric crypto & TAM WebSEAL
Last modified: 2015-03-04 20:15:29 EST
Description of problem:
When running an https workload against an application (Tivoli Access Manager
WebSEAL 6.0) with symmetric crypto enabled, we are seeing an increase in memory
usage to over 1 Gig in under 20 minutes.
Our application (Tivoli Access Manager WebSEAL 6.0) is configured to have an
SSL junction to an Apache webserver using a TDES cipher. The workload
consists of 12 clients getting a 10K gif over the SSL junction. Once we start
the workload memory usage for WebSEAL goes from 139M to over 1 Gig within 15-20
minutes. Eventually, the application (Tivoli Access Manager WebSEAL 6.0) dies.
If we disable the symmetric support, the workload runs fine ( no excessive
We also hit the problem using AES-128 cipher.
If this is a customer issue, please indicate the impact to the customer:
If this is not an installation problem,
Describe any custom patches installed.
openCryptoki-2.1.6-0.40.1 + bugzilla fix for 20096
openssl-0.9.7a-43.6 + bugzilla fix for 20455
Provide output from "uname -a", if possible:
VM00 Control Program: z/VM 5.2.0
Crypto card: CEX2C
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Tivoli Access Manager WebSEAL 6.0 runs oom due to memory leak.
Tivoli Access Manager WebSEAL 6.0 should continue working.
The problem essentially makes the symmetric support non-usable.
openCryptoki asks libICA to allocate a mechanism list on the heap, which
it does. openCryptoki should then release that memory once it processes the
list. When the mechanism list code was ported back from the 2.2 branch to the
2.1 branch, some changes to the code were necessary to support the static table
of mechanisms in the older version. It looks as though, in the process, the
code to free the memory allocated on the heap was inadvertently #if'd out in a
function called from C_GetMechanismList().
Created attachment 124043
Patch to fix the memory leak problem, also in upstream CVS.
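The leak pattern described in the analysis above, as an added illustration that is not part of the bug report, the attached patch, or the openCryptoki/libICA sources. Every function and type name is hypothetical, the mechanism values are constructed, and a runtime flag stands in for the cleanup code that was #if'd out so both behaviours can be compared in one program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; none are openCryptoki or libICA symbols. */
typedef struct { unsigned long type; unsigned long flags; } mech_entry;
static long live_allocs = 0;   /* heap blocks handed out and not yet freed */

/* Stand-in for the lower library: returns a freshly allocated list. */
static int backend_mech_list(mech_entry **out, size_t *count) {
    static const mech_entry table[] = { {1UL, 0}, {2UL, 0} }; /* constructed */
    mech_entry *list = malloc(sizeof table);
    if (list == NULL) return -1;
    memcpy(list, table, sizeof table);
    live_allocs++;
    *out = list;
    *count = sizeof table / sizeof table[0];
    return 0;
}

static void backend_free(mech_entry *list) { free(list); live_allocs--; }

/* Caller-facing query: copy entries into the caller's buffer, then release
 * the backend's heap list. With release == 0 the free is skipped, which
 * models the cleanup being compiled out. */
static int get_mech_list(mech_entry *dst, size_t cap, size_t *n, int release) {
    mech_entry *list = NULL;
    size_t count = 0;
    if (backend_mech_list(&list, &count) != 0) return -1;
    *n = count < cap ? count : cap;
    memcpy(dst, list, *n * sizeof *dst);
    if (release) backend_free(list);
    return 0;
}

/* Returns how many heap blocks remain outstanding after `calls` queries. */
long outstanding_after(int calls, int release) {
    mech_entry buf[8];
    size_t n;
    live_allocs = 0;
    for (int i = 0; i < calls; i++)
        if (get_mech_list(buf, 8, &n, release) != 0) return -1;
    return live_allocs;
}

int main(void) {
    printf("free skipped: %ld blocks outstanding\n", outstanding_after(1000, 0));
    printf("free present: %ld blocks outstanding\n", outstanding_after(1000, 1));
    return 0;
}
```

One block is lost per query when the free is skipped, so a caller that asks for the mechanism list repeatedly grows without bound, which matches the steady memory growth reported under load.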
Test packages can be found here:
Read ya, Phil
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.