Load Balancing Group
A load balancing group is a group of CipherTrust Manager servers that a client can connect to. The load balancer is a client feature that determines how best to connect to the servers in the load balancing group. When concurrent requests are made, the load balancer determines which server to use - the goal is to distribute connections equally among the servers.
You create a load balancing group by listing multiple server IP addresses/Hostnames (separated by colons) in the NAE_IP or KMIP_IP parameter.
Example
NAE_IP.1=192.168.1.10:192.168.1.11:192.168.1.12
KMIP_IP.1=192.168.1.10:192.168.1.11:192.168.1.12
All the members of a load balancing group must use the same CADP_CAPI.properties file for configurations. If the client uses NAE_Port 9000, all NAE servers must use port 9000. Likewise, if the client uses KMIP_Port 9001, all KMIP compliant servers must use port 9001.
Note
It is recommended that all the devices in a load balancing group are also members of the same cluster. Clustered servers use the same port and protocol, keys and users. For more information on clustering, refer to the CipherTrust Manager Administration Guide.
How it Works
The following steps describe what happens when the client attempts to connect to the load balancing group for the first time.
Client attempts to connect to server 1.
The client waits the duration of Connection_Timeout for a server response.
Server 1 does not respond within the timeout period. The client ignores server 1 for the duration of the Connection_Retry_Interval.
Client attempts to connect to server 2.
The client creates a session. This, in turn, creates a new load balancer, which stores the Server IP, Port, Protocol, Connection_Timeout, and Connection_Retry_Interval parameters. If persistent connections are enabled, the load balancer also creates a new connection pool for each server in the load balancing group.
Note
If persistent connections are not enabled, the load balancer does not create a connection pool. Connection pools enable the client to reuse existing connections if it needs them after it receives the server response. Enabling persistent connections is recommended, because the performance cost of maintaining a connection pool is much less than the cost of opening a new connection for each client request.
The client requests a connection from the load balancer. Since this is the first connection request, the load balancer chooses one of the servers at random and creates a connection. (When the client makes future requests, the load balancer applies the Load_Balancing_Algorithm (which can be set to round-robin, random, or none) to decide which server to use.)
The client waits the duration of Connection_Timeout for a server response.
Server 1 does not respond within the timeout period. The client ignores Server 1 for the duration specified by Connection_Retry_Interval.
The client attempts to connect to Server 2.
The client obtains the connection.
The client uses the connection to send a cryptographic request to Server 2.
Server 2 sends the response.
The client receives the response. If persistent connections are enabled, the load balancer keeps the connection in the connection pool; otherwise, the connection is closed.
The client requests another connection. The load balancer uses the round-robin or random algorithm, or none, to determine which CipherTrust Manager to use. If persistent connections are enabled, the load balancer searches the connection pool for an existing connection.
Related Parameters
To connect to a load balancing group, you need to set the following parameters in the properties file:
NAE_IP
KMIP_IP
NAE_Port
KMIP_Port
Protocol
Load_Balancing_Algorithm
Connection_Timeout
Connection_Retry_Interval
Refer to Network Configuration Parameters and Connection Configuration Parameters for more about the network and connection configuration properties.
Examples
Example 1 - Default Values
As delivered, the `CADP_CAPI.properties` file uses the following values:
Connection_Timeout=30000
Connection_Retry_Interval=600000
For this example, let’s set NAE_IP.1=alpha:beta:gamma or KMIP_IP.1=alpha:beta:gamma and look at the Connection Configuration parameters one by one:
Connection_Timeout: The client gets an error if it takes longer than 30 seconds to get a response from a server.
Connection_Retry_Interval: If the client can’t reach a server before Connection_Timeout, the client takes that server out of the round-robin rotation for 10 minutes (600000 milliseconds).
Example 2 - Setting Connection_Timeout
We’ll still use NAE_IP.1=alpha:beta:gamma or KMIP_IP.1=alpha:beta:gamma, but this time we’ll set Connection_Timeout.
Connection_Timeout=2000
Connection_Retry_Interval=600000
Connection_Retry_Interval is unchanged.
Connection_Timeout: The client gets an error if it takes more than two seconds to get a response from a server. If the server (or your network) is under heavy load, then you could get a timeout even for a running server. In this case, if you set Connection_Retry_Interval too low, you just end up bombarding an already overloaded server.
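The steps under How it Works and the retry-interval caveat in Example 2 can be modelled in a few lines. This is an added example, not part of the original page and not the client library's code. It covers round-robin only and assumes that after a timeout the next server in list order is tried; `LoadBalancerModel`, `simulate`, the `is_up` probe and the simulated clock are hypothetical names.

```python
import random

class LoadBalancerModel:
    """Toy model of the round-robin behaviour described above (not vendor code)."""

    def __init__(self, group, timeout_ms, retry_ms, is_up, rng=None):
        self.servers = group.split(":")   # value of NAE_IP.1 / KMIP_IP.1
        self.timeout_ms = timeout_ms      # Connection_Timeout
        self.retry_ms = retry_ms          # Connection_Retry_Interval
        self.is_up = is_up                # assumed probe: is_up(server) -> bool
        self.rng = rng or random.Random()
        self.now = 0                      # simulated clock, milliseconds
        self.ignored_until = {}           # server -> time it rejoins the rotation
        self.next_index = None            # unset until the first request
        self.timeouts = []                # (time_ms, server) per timed-out attempt

    def get_connection(self):
        n = len(self.servers)
        if self.next_index is None:       # first request: random starting server
            self.next_index = self.rng.randrange(n)
        for i in range(n):
            idx = (self.next_index + i) % n
            server = self.servers[idx]
            if self.ignored_until.get(server, 0) > self.now:
                continue                  # still inside its retry interval
            if self.is_up(server):
                self.next_index = (idx + 1) % n
                return server
            self.now += self.timeout_ms   # client waited the full Connection_Timeout
            self.timeouts.append((self.now, server))
            self.ignored_until[server] = self.now + self.retry_ms
        raise ConnectionError("no server in the group responded")


def simulate(down, retry_ms, timeout_ms=2000, requests=90, gap_ms=1000, rng=None):
    """Send `requests` requests, `gap_ms` apart; return (servers used, timeouts)."""
    lb = LoadBalancerModel("alpha:beta:gamma", timeout_ms, retry_ms,
                           is_up=lambda s: s not in down, rng=rng)
    used = []
    for _ in range(requests):
        used.append(lb.get_connection())
        lb.now += gap_ms
    return used, lb.timeouts


if __name__ == "__main__":
    # Constructed scenario: beta never answers; compare two retry intervals.
    for retry in (600000, 1000):
        used, timeouts = simulate(down={"beta"}, retry_ms=retry)
        print(f"retry={retry}: {len(timeouts)} timed-out attempts,",
              {s: used.count(s) for s in ("alpha", "gamma")})
```

With the default retry interval the unresponsive server costs one timeout and then stays out of the rotation; with a 1000 ms interval roughly every second request waits out Connection_Timeout against it again.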