Info: Venafi Agent certificate discovery performance

See Also: How Will The Venafi Server Agent Impact My Production Systems?


This article covers the most commonly asked questions about Venafi Agent performance.

More info:

Does the application need to be installed on all Linux, AIX and Solaris servers?

Any system that you wish to scan for the presence of certificate information must have the Agent installed on it.

How much data does the Agent generate?

There is no one answer to this question. The data generated by the Agent application varies based upon the number of certificates and/or keys discovered.

Where does it store the data?

The Agent stores data within its own SQLite database files. The database size is configurable, but it starts at a base of 8MB. The Agent will cease storing data if the O/S volume's free disk space falls below 50MB. The SQLite database is located at:

  • Unix Platforms:  /var/opt/Venafi/data
  • Windows Platforms:  c:/Program Files/Venafi/Agent/Data
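
A monitoring check for the 50MB floor described above, as an added example that is not part of the original article or of Venafi's tooling: it reads the free space on the filesystem holding the data directory and reports OK, WARN or CRITICAL. The 4x warning margin, the function names and the choice to measure the data directory's filesystem are assumptions; pass a different path (for example `/`) if your O/S volume is separate.

```shell
#!/bin/sh
# Added example: warn before the volume holding the Agent's SQLite data
# drops under the 50 MB free-space floor stated in the article.

STOP_MB=50        # from the article: Agent stops storing data below this
WARN_FACTOR=4     # assumption: warn at 4x the floor (200 MB)

# Free space, in KB, of the filesystem that contains path $1.
fs_free_kb() {
    # -P forces one POSIX-format line per filesystem; column 4 is "Available".
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# Classify a free-space figure: prints OK, WARN or CRITICAL.
# $1 = free KB, $2 = stop threshold in MB, $3 = warn multiplier
classify_headroom() {
    free_kb=$1
    stop_kb=$(( $2 * 1024 ))
    warn_kb=$(( stop_kb * $3 ))
    if [ "$free_kb" -lt "$stop_kb" ]; then
        echo CRITICAL
    elif [ "$free_kb" -lt "$warn_kb" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Check one directory; returns 0 = OK, 1 = WARN, 2 = CRITICAL, 3 = unknown.
check_agent_volume() {
    dir=$1
    free_kb=$(fs_free_kb "$dir")
    case "$free_kb" in
        ''|*[!0-9]*) echo "UNKNOWN: cannot read free space for $dir"; return 3 ;;
    esac
    state=$(classify_headroom "$free_kb" "$STOP_MB" "$WARN_FACTOR")
    echo "$state: $dir has $(( free_kb / 1024 )) MB free (Agent floor ${STOP_MB} MB)"
    case "$state" in OK) return 0 ;; WARN) return 1 ;; *) return 2 ;; esac
}

# Run only when invoked with a directory argument, e.g. from cron:
#   sh check_agent_volume.sh /var/opt/Venafi/data
if [ $# -gt 0 ]; then
    check_agent_volume "$1"
fi
```

The exit codes follow the common monitoring-plugin convention, so the script can be wired into an existing disk alert instead of waiting for discovery results to go missing.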

Does the Agent generate any log files? If so, where does it store them? Are the log files being rotated and older ones deleted so the disk doesn't fill up?

On Unix, the logs are written to the standard syslog, while on Windows they are written to the event log. On Unix, you can redirect agent events to a specific log by modifying /etc/syslog.conf. Redirection of agent logs on Windows is not supported.

Does the Agent have any suid scripts/programs?

No. The Agent must be run as root.

How does it scan? Does it use Unix 'find', or is there an 'intelligent' search?

The Agent utilizes an intelligent search.

How does it prioritize itself on the OS?

It uses the basic Unix 'fork' mechanism. The Agent is dormant until its scheduled scan time. CPU and disk I/O will increase during scans, so it is recommended to schedule these scans during low-usage or non-peak hours.

Some of our DB servers can have multi-terabytes (over 10 TB) of disk space. How does the Agent handle itself on these servers?

The agent does not scan the entire disk. The directories that are scanned are configured at the Director system level and pushed to the Agent.

Does the Agent process run in background?

The process does run in the background until the execution window, at which point the Agent will wake up and begin scanning. Once the scan is complete, the results are uploaded to the KMIP server during the defined reporting window.

How does the Agent impact our environment?

This depends on how the Agent is configured. Venafi will assist in making base recommendations to ensure proper communications within the environment, but the scheduling of the Agent's execution window and check-in times should be reviewed to ensure that they do not conflict with other systems' processing windows in your environment.
