Refresh Cached Keys
This page describes how to refresh the key cache through the following options: auto refresh and a manual refresh using the I_C_RefreshCache API.
Note
This functionality:
supports only Crypto APIs
does not support Key Management APIs
Auto refresh
The auto refresh feature automatically refreshes a cached key based on the Key_Cache_AutoRefresh_Interval parameter. This parameter defines the time interval (in seconds) after which a cached key becomes eligible for refresh.
Auto Refresh is applicable only if the symmetric or asymmetric key cache is enabled.
Auto refresh occurs when:
A crypto operation is performed, and
The auto refresh interval has passed for the cached key.
If the auto refresh operation fails, the cached key becomes eligible for auto refresh again once another Key_Cache_AutoRefresh_Interval has passed.
Note
Auto refresh works only before the cached key expires. The Symmetric_Key_Cache_Expiry value takes precedence over the Key_Cache_AutoRefresh_Interval value, so auto refresh is checked only if the cached key has not expired. Each time an auto refresh operation occurs, the Symmetric_Key_Cache_Expiry is reset to its configured value.
How auto refresh works
When a crypto operation is performed, the auto refresh interval for the cached key is checked. Auto refresh is triggered only when the configured interval has elapsed; if it has not, nothing is executed.
Trigger / Initiation
After the auto refresh interval has passed, a background thread runs to update the key in the cache and, if the persistent cache is enabled, in the persistent cache file.
The current crypto operation uses the key that is in the cache at that moment. After the background thread stores the latest key (fetched from CipherTrust Manager) in the cache, the next crypto operation uses the refreshed key.
If the crypto operation completes successfully while the background auto refresh thread is still running, the application waits for the auto refresh to complete before control moves out of the application.
The auto refresh request is sent only for the key used in the crypto operation, not for all the keys present in the cache.
Tip
Setting a low value for the key auto-refresh interval can negatively impact performance, because background threads then make frequent network calls to update the cached key. A higher value is therefore recommended. Refer to the example below.
Example:
If Symmetric_Key_Cache_Expiry = 500 seconds and Key_Cache_AutoRefresh_Interval = 200 seconds, the cached key becomes eligible for refresh after 200 seconds. If the cached key is used in a crypto operation between 200 and 500 seconds, it is refreshed in the cache; otherwise, it is removed from the cache when it expires at 500 seconds.
Refresh using API
Note
To refresh the key cache without waiting for the auto refresh interval, you can perform the operation manually through the API.
The I_C_RefreshCache API refreshes a cached key. Its signature is:
I_C_RefreshCache(I_O_Session handle, char * keyname, I_T_KeyType keytype)
The enum I_T_KeyType is defined as:
enum I_T_KeyType
{
I_T_None = 0
};
where I_T_None = 0 denotes a symmetric key.
Note
Currently, the I_C_RefreshCache API is supported only for symmetric keys.
The key name is passed to the API. The API exports the key from the Key Manager (based on the keyType) and stores the refreshed key in both the persistent cache and the symmetric key cache.
If the Key Manager is unreachable, the API does not refresh the key. Crypto operations can still be performed: the crypto APIs then fetch the key from the in-memory cache or the persistent cache file.
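The following C program is an added example and is not part of this page or of the CADP library. It models the rules from the auto refresh section (eligibility after Key_Cache_AutoRefresh_Interval, Symmetric_Key_Cache_Expiry taking precedence, the current operation using the key already in the cache, a failed refresh becoming eligible again after another interval) together with the manual refresh behaviour described for I_C_RefreshCache when the Key Manager is unreachable. The Key Manager is a stub, the background refresh thread is run as a synchronous step, the persistent cache file is not modelled, the expiry clock is assumed to restart only on a successful refresh, and the function names, return codes, key name and timeline values are all assumptions chosen for illustration (the 500 s / 200 s values are the ones from the page's example).

```c
/* Model of the key-cache refresh rules described on this page (added example;
 * not CADP/CipherTrust code). Key Manager, cache, background thread and return
 * codes are simulated/assumed so that the model runs offline. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SYMMETRIC_KEY_CACHE_EXPIRY     500L /* seconds (value from the page's example) */
#define KEY_CACHE_AUTOREFRESH_INTERVAL 200L /* seconds (value from the page's example) */

/* ---- Simulated Key Manager: a key version counter and a reachability flag ---- */
static int  km_version   = 1;
static bool km_reachable = true;

void km_rotate_key(int new_version) { km_version = new_version; }
void km_set_reachable(bool up)      { km_reachable = up; }

/* Simulated key export; fails when the Key Manager is unreachable. */
static bool km_export_key(const char *keyname, int *version_out)
{
    (void)keyname;
    if (!km_reachable) return false;
    *version_out = km_version;
    return true;
}

/* ---- Simulated symmetric key cache holding a single entry ---- */
static struct {
    bool present;
    int  version;       /* key material currently cached */
    long cached_at;     /* expiry clock starts here (assumed: reset only by a successful refresh) */
    long last_refresh;  /* time of the last refresh attempt, success or failure */
} cache;

void reset_model(void)
{
    memset(&cache, 0, sizeof cache);
    km_version   = 1;
    km_reachable = true;
}

int cached_version(void) { return cache.present ? cache.version : -1; }

/* Export the key and (re)load it into the cache, restarting the expiry clock. */
static bool cache_load(const char *keyname, long now)
{
    int v;
    if (!km_export_key(keyname, &v)) return false;
    cache.present   = true;
    cache.version   = v;
    cache.cached_at = cache.last_refresh = now;
    return true;
}

/* Manual refresh, modelled on the documented I_C_RefreshCache behaviour:
 * overwrite the cached key on success, leave the cache untouched on failure.
 * Return codes are an assumption: 0 on success, -1 if the Key Manager is unreachable. */
int refresh_cache(const char *keyname, long now)
{
    return cache_load(keyname, now) ? 0 : -1;
}

/* One crypto operation at time `now`. Returns the key version the operation
 * used, or -1 if no key could be obtained at all. */
int crypto_op(const char *keyname, long now)
{
    /* Expiry takes precedence over auto refresh: an expired entry is removed, not refreshed. */
    if (cache.present && now - cache.cached_at >= SYMMETRIC_KEY_CACHE_EXPIRY)
        cache.present = false;

    /* Cache miss: fetch from the Key Manager (fails if it is unreachable). */
    if (!cache.present)
        return cache_load(keyname, now) ? cache.version : -1;

    int used = cache.version; /* the current operation always uses the key already cached */

    /* Auto refresh: only for this key, only once the interval has elapsed. */
    if (now - cache.last_refresh >= KEY_CACHE_AUTOREFRESH_INTERVAL) {
        int v;
        cache.last_refresh = now;   /* on failure: eligible again after another interval */
        if (km_export_key(keyname, &v)) {
            cache.version   = v;
            cache.cached_at = now;  /* successful refresh resets the expiry clock */
        }
    }
    return used;
}

int main(void)
{
    const char *k   = "aes256-app-key"; /* constructed key name */
    const long  t[] = {0, 100, 250, 260, 460, 600, 760}; /* constructed timeline, seconds */
    reset_model();
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        if (i == 1) km_rotate_key(2);        /* key rotated on the Key Manager after first use */
        if (i == 4) km_set_reachable(false); /* Key Manager becomes unreachable */
        printf("t=%4ld s: crypto op used key version %d\n", t[i], crypto_op(k, t[i]));
    }
    return 0;
}
```

Running the timeline shows the documented ordering: the operation at 250 s still uses version 1 while the refresh fetches version 2, the next operation uses version 2, the operations at 460 s and 600 s keep being served from the cache while the Key Manager is down, and at 760 s the entry has passed Symmetric_Key_Cache_Expiry and is dropped rather than refreshed.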