Caching Parameters
CAPI
The following table lists the caching parameters for CAPI.
Parameter | Default | Recommended | Description |
---|---|---|---|
Symmetric_Key_Cache_Enabled | no | no | Enables symmetric key caching. If enabled, the client can use symmetric keys locally; only symmetric keys are cached under this setting. Possible settings: • no - Disables symmetric key caching. Remote encryption (performed on the CipherTrust Manager) remains available as normal. This is the default and recommended setting. • yes - Key caching is enabled and the NAE XML protocol is used to export keys. Protocol must be set to ssl. • kmip_yes - (CADP CAPI only) Key caching is enabled and the KMIP protocol is used to export keys. Protocol must be set to ssl. • tcp_ok - Key caching is enabled over both tcp and ssl connections, and the NAE XML protocol is used to export keys. With a plain tcp connection the exported key material is not protected by TLS in transit, so prefer yes or kmip_yes if caching is needed at all. |
Symmetric_Key_Cache_Expiry | 43200 secs (12 hours) | | Time period, in seconds, after which a cached symmetric key can be removed from the cache. If set to 0, the key is never removed from the client cache. Note: Keep the expiry short. A shorter expiry limits how long the client can keep using a cached key after it has been changed on the CipherTrust Manager. |
Asymmetric_Key_Cache_Enabled | no | no | Enables asymmetric key caching. If enabled, the client can use asymmetric keys locally; only asymmetric keys are cached under this setting. Possible settings: • no - Disables asymmetric key caching. Remote encryption (performed on the CipherTrust Manager) remains available as normal. This is the default and recommended setting. • yes - Key caching is enabled and the NAE XML protocol is used to export keys. Protocol must be set to ssl. • kmip_yes - (CADP CAPI only) Key caching is enabled and the KMIP protocol is used to export keys. Protocol must be set to ssl. • tcp_ok - Key caching is enabled over both tcp and ssl connections, and the NAE XML protocol is used to export keys. As for the symmetric setting, keys exported over plain tcp are not protected by TLS in transit. |
EvpContext_Idle_Timeout | 0 | | Minimum time, in seconds, after which the OpenSSL context initialized with a cached key expires and is reinitialized. Applies only when symmetric key caching is enabled. • A negative value sets this time to Symmetric_Key_Cache_Expiry. • 0 deletes the EVP context after every crypto operation. |
Persistent_Cache_Enabled | no | no | Determines whether persistent key caching is enabled. Possible settings: • yes - Enables the feature. Requires Symmetric_Key_Cache_Enabled or Asymmetric_Key_Cache_Enabled to be set to yes, tcp_ok, or kmip_yes. • no - Disables the feature. |
Persistent_Cache_Directory | No default | | Directory where CADP for C creates the persistent cache files. The directory must already exist and the path must be absolute. Do not quote the path, even if it contains spaces. |
Persistent_Cache_Expiry_Keys | 43200 seconds (12 hours) | | Number of seconds after which a key is fetched again from the CipherTrust Manager. If the CipherTrust Manager is not reachable, the key is not deleted and its insertion time is updated; on any other error from the CipherTrust Manager, the key is deleted. To enable the persistent cache, Persistent_Cache_Expiry_Keys must be greater than zero. Valid values: • 0 - Infinite timeout; keys are never removed from the cache. • Any positive integer - At the end of this interval, the key is fetched from the CipherTrust Manager the next time an operation is performed on it. Note: If the client cannot reach the CipherTrust Manager, expired keys are not deleted from the persistent cache, and the client keeps using the stored key even after it has been updated on the CipherTrust Manager. Keep the CipherTrust Manager reachable so that updated keys take effect. |
Persistent_Cache_Max_Size | 100 keys | | Maximum number of keys that can be stored in the persistent cache. Must be greater than 0 for key caching to work. |
Key_non_exportable_policy | no | no | Performs crypto operations remotely when symmetric key caching is enabled and the key is non-exportable. Possible settings: • yes - Enables the feature. • no - Disables the feature. |
Note: The kmip_yes setting for Symmetric_Key_Cache_Enabled applies to the I_C_Crypt and I_C_ExportSymmetricKey APIs only.
PKCS#11
The following table lists the caching parameters for PKCS#11.
Parameter | Default | Recommended | Description |
---|---|---|---|
Symmetric_Key_Cache_Enabled | no | no | Enables symmetric key caching. If enabled, the client can use symmetric keys locally; only symmetric keys are cached under this setting. Possible settings: • no - Disables symmetric key caching. Remote encryption (performed on the CipherTrust Manager) remains available as normal. This is the default and recommended setting. • yes - Key caching is enabled and the NAE XML protocol is used to export keys. Protocol must be set to ssl. • tcp_ok - Key caching is enabled over both tcp and ssl connections, and the NAE XML protocol is used to export keys. With a plain tcp connection the exported key material is not protected by TLS in transit. Note that kmip_yes is not available for PKCS#11. |
Symmetric_Key_Cache_Expiry | 43200 secs (12 hours) | | Time period, in seconds, after which a cached symmetric key can be removed from the cache. If set to 0, the key is never removed from the client cache. Note: Keep the expiry short. A shorter expiry limits how long the client can keep using a cached key after it has been changed on the CipherTrust Manager. |
Asymmetric_Key_Cache_Enabled | no | no | Enables asymmetric key caching. If enabled, the client can use asymmetric keys locally; only asymmetric keys are cached under this setting. Possible settings: • no - Disables asymmetric key caching. Remote encryption (performed on the CipherTrust Manager) remains available as normal. This is the default and recommended setting. • yes - Key caching is enabled and the NAE XML protocol is used to export keys. Protocol must be set to ssl. • tcp_ok - Key caching is enabled over both tcp and ssl connections, and the NAE XML protocol is used to export keys. As for the symmetric setting, keys exported over plain tcp are not protected by TLS in transit. |
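The constraints in the CAPI and PKCS#11 tables above (ssl required for yes and kmip_yes, kmip_yes only valid for CAPI, the persistent cache's dependency on a key cache being enabled, an absolute unquoted existing directory, expiry and size greater than zero) are easy to get wrong in a hand-edited properties file. The following linter is an added example, not Thales code: it assumes a simple Key=Value properties syntax with # comments (the real CADP_CAPI.properties and CADP_PKCS11.properties layout is not reproduced here), and the two sample configurations are constructed for illustration. It reports errors (the cache will not work as described) separately from warnings (it works, but is weaker than the recommended setting).

```python
"""Lint CADP key-caching properties against the rules in the tables above.

Added example, not Thales code. Assumes a properties-style file of Key=Value
lines with '#' comments; the real CADP properties file layout is not reproduced.
"""
import os
from dataclasses import dataclass, field


@dataclass
class LintResult:
    errors: list = field(default_factory=list)    # cache will not work as intended
    warnings: list = field(default_factory=list)  # works, but weaker than recommended

    @property
    def ok(self):
        return not self.errors


def parse_properties(text):
    """Key=Value lines; blank lines and '#' comments are ignored (assumed syntax)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _int(props, key, default, res):
    """Integer parameter with a default; a non-integer value is an error."""
    raw = props.get(key)
    if raw is None:
        return default
    try:
        return int(raw)
    except ValueError:
        res.errors.append(f"{key}={raw!r}: must be an integer")
        return default


def lint_cache_config(text, product="CAPI", check_directory=True):
    """product is 'CAPI' or 'PKCS11'; kmip_yes is only valid for CAPI."""
    p = parse_properties(text)
    res = LintResult()
    protocol = p.get("Protocol", "").lower()
    allowed = {"no", "yes", "tcp_ok"} | ({"kmip_yes"} if product == "CAPI" else set())

    modes = {}
    for name in ("Symmetric_Key_Cache_Enabled", "Asymmetric_Key_Cache_Enabled"):
        val = p.get(name, "no")
        modes[name] = val
        if val not in allowed:
            res.errors.append(f"{name}={val}: not a valid setting for {product}")
            continue
        if val in ("yes", "kmip_yes") and protocol != "ssl":
            res.errors.append(f"{name}={val} requires Protocol=ssl (found {protocol or 'unset'!r})")
        if val == "tcp_ok":
            res.warnings.append(f"{name}=tcp_ok: keys may be exported over a plaintext tcp connection")
        if val != "no":
            res.warnings.append(f"{name}={val}: local key caching is enabled (recommended: no)")

    sym_on = modes["Symmetric_Key_Cache_Enabled"] != "no"
    any_on = sym_on or modes["Asymmetric_Key_Cache_Enabled"] != "no"

    expiry = _int(p, "Symmetric_Key_Cache_Expiry", 43200, res)
    if sym_on and expiry == 0:
        res.warnings.append("Symmetric_Key_Cache_Expiry=0: cached keys are never evicted")
    elif sym_on and expiry > 43200:
        res.warnings.append(f"Symmetric_Key_Cache_Expiry={expiry}: longer than the 12-hour default")

    if "EvpContext_Idle_Timeout" in p and not sym_on:
        res.warnings.append("EvpContext_Idle_Timeout is ignored unless symmetric key caching is enabled")

    if p.get("Persistent_Cache_Enabled", "no") == "yes":
        if not any_on:
            res.errors.append("Persistent_Cache_Enabled=yes needs a key cache set to yes, tcp_ok or kmip_yes")
        d = p.get("Persistent_Cache_Directory", "")
        if not d:
            res.errors.append("Persistent_Cache_Directory has no default and must be set")
        elif d[0] in "\"'" or d[-1] in "\"'":
            res.errors.append("Persistent_Cache_Directory must not be quoted, even if the path has spaces")
        elif not os.path.isabs(d):
            res.errors.append(f"Persistent_Cache_Directory={d}: path must be absolute")
        elif check_directory and not os.path.isdir(d):
            res.errors.append(f"Persistent_Cache_Directory={d}: directory must already exist")
        if _int(p, "Persistent_Cache_Expiry_Keys", 43200, res) <= 0:
            res.errors.append("Persistent_Cache_Expiry_Keys must be greater than zero to enable the persistent cache")
        if _int(p, "Persistent_Cache_Max_Size", 100, res) <= 0:
            res.errors.append("Persistent_Cache_Max_Size must be greater than zero")

    if p.get("Key_non_exportable_policy", "no") == "yes" and not sym_on:
        res.warnings.append("Key_non_exportable_policy only applies when symmetric key caching is enabled")
    return res


# Constructed sample: caching over plain tcp, never-expiring keys, quoted directory.
WEAK_CONFIG = """\
Protocol=tcp
Symmetric_Key_Cache_Enabled=tcp_ok
Symmetric_Key_Cache_Expiry=0
Persistent_Cache_Enabled=yes
Persistent_Cache_Directory="/var/cache/cadp keys"
Persistent_Cache_Expiry_Keys=0
"""

# Constructed sample: the recommended settings from the tables above.
RECOMMENDED_CONFIG = """\
Protocol=ssl
Symmetric_Key_Cache_Enabled=no
Asymmetric_Key_Cache_Enabled=no
Persistent_Cache_Enabled=no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        r = lint_cache_config(cfg, check_directory=False)
        print(f"{label}: ok={r.ok} errors={r.errors} warnings={r.warnings}")
```

Run it with check_directory=True against a real deployment so the directory-exists rule is enforced; pass product="PKCS11" for the PKCS#11 provider so that kmip_yes is rejected as the table above specifies.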