Please Note:

Administration
Overview
Quick Start
Upgrade from PA/CAP for .NET Core to CADP for .NET Core
Tasks
- Create an NAE Session
- Setting up SSL with CipherTrust Manager
- Add Multiple CipherTrust Manager Servers
- Key Operations
  - Creating a Key
  - Creating a New Version of the Versioned Key
  - Using a Versioned Key to Decrypt, SignV, and MACV
  - Getting an Instance of a Key Object
  - Alternative Method to Get an Instance of a Key Object
  - Deleting a Key using the Key Name
  - Exporting a Key
  - Exporting a Warapped Key
  - Setting a Key Mode and Padding
  - Getting Attributes of a Key
  - Exporting all Versions of a Versioned Key
- Generate and Verify MAC
- Encrypt a String Using an AES Key
- Decrypt a String Using an AES Key
- Encrypt a String Using an RSA Key
- Decrypt a String Using an RSA Key
- Sign and SignVerify Data using an RSA Key
- Enable Connection Pooling
- Enable Symmetric Key Caching
- Enable Asymmetric Key Caching
- Set Logging Parameters
- Change the Default Value of Connection Timeout
Advanced Topics
- Configuration
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Caching Parameters
  - Logging Parameters
  - SSL Configuration Parameters
  - Miscellaneous Configuration Parameters
- Concepts
  - Connection Pooling
  - Load Balancing Group
  - Multi-tier Load Balancing Group
  - Symmetric/Asymmetric Key Caching
- Connection Pooling
- Supported Services & Operations
  - Supported Cryptographic Operations
- NAE Supported Functions
  - Supporting Calls
  - Connection Calls
  - Key-related Calls
  - MAC/Hash-related Calls
  - Security Considerations
- Format Preserving Encryption
- API Definitions
- Alternate Method to Add Nuget Package
- Troubleshooting

CADP for .NET Core
Administration
Advanced Topics
Concepts
Multi-tier Load Balancing Group

Multi-tier Load Balancing Group

The multi-tier load balancing feature enables you to create multiple levels of load balancing groups, called tiers. When one tier is unreachable, the system fails over to the next tier. You can have a maximum of three tiers. You must configure the tiers in order; for example, you can’t have tier 3 without having tiers 1 and 2.

The following properties are tier-aware, which means their values can vary by tier:

NAE_IP
NAE_Port

For example, to set up the IP address for tiers 1, 2, and 3, you can set the following:

<NAE_IP Tier="1">110.164.73.222:10.164.73.212:110.164.73.215</NAE_IP>

<NAE_IP Tier="2">110.164.73.223:10.164.73.213:110.164.73.216</NAE_IP>

<NAE_IP Tier="3">110.164.73.224:10.164.73.214:110.164.73.217</NAE_IP>

For example, to set up the port for tiers 1, 2, and 3, you can set the following:

<NAE_Port Tier="1">9000</NAE_Port>

<NAE_Port Tier="2">9000</NAE_Port>

<NAE_Port Tier="3">7000</NAE_Port>

How it Works

The following steps describe what happens when the client attempts to connect to the multi-tier load balancing group for the first time:

The client creates a session. This in turn creates a new load balancer, which stores the NAE_IP, NAE_ Port, Protocol, Connection_Timeout, and Connection_Retry_Interval properties. The load balancer also creates a new connection pool for each server in the load balancing group.
The client requests a connection from the load balancer. Since this is the first connection request, the load balancer chooses one of the CipherTrust Manager servers on tier 1 and creates a connection in a round-robin fashion.
The client waits the duration of Connection_Timeout for Server 1’s response.
Server 1 does not respond within the timeout period. The client ignores Server 1 for the duration of the Connection_Retry_Interval.
The client attempts to connect to Server 2 on tier 1.
The client waits the duration of Connection_Timeout for server 2’s response.
The client can’t connect to any Server on tier 1.
The client attempts to connect to a Server on tier 2. The load balancer chooses the first CipherTrust Manager server on tier 2 and tries to create a connection. When the client makes future requests, the load balancer will apply the round-robin algorithm to decide which CipherTrust Manager server to use. (The client will continue to use tier 2 until tier 1 is available.) The client will cycle through all of the CipherTrust Manager servers on all tiers.
The client obtains the connection from Server 3 on tier 2.
The client uses the connection to send a cryptographic request to Server 3.
Server 3 sends the response.
The client receives the response. The load balancer keeps the connection in the pool.
The client requests another connection. The load balancer uses the round-robin algorithm to determine which CipherTrust Manager server to use. The load balancer searches that CipherTrust Manager server’s connection pool for an existing connection.

Related Properties

To connect to a multi-tier load balancing group, you need to set the following parameters in the properties file:

NAE_IP
NAE_Port
Protocol
Connection_Timeout
Connection_Retry_Interval
Load_Balancing_Algorithm

To know more about these properties, refer to Network Configuration Parameters and Connection Configuration Parameters.

Examples

Example 1 - Default Values

The CADP.NETCore_Properties.xml file may contain the following values:

Connection_Timeout=30000

Connection_Retry_Interval=600000

For this example, let’s set:

<NAE_IP Tier="1">alpha:beta:gamma</NAE_IP> , <NAE_IP Tier="2">psi:omega</NAE_IP>

Connection_Timeout: The client will get an error if it takes longer than 30 seconds to get a response from the server.

Connection_Retry_Interval: If the client cannot connect to a server within the Connection_Timeout, the client will take that server out of the round-robin rotation for 10 minutes (600000 milliseconds).

Example 2 - Setting Connection_Timeout

<NAE_IP Tier="1">alpha:beta:gamma</NAE_IP> and <NAE_IP Tier="2">psi:omega</NAE_IP>

This time, let's set Connection_Timeout:

Connection_Timeout=2000

Connection_Retry_Interval=600000

The Connection_Retry_Interval is unchanged.

Connection_Timeout: The client will get an error if it takes more than 2 seconds to get a response from the server. In the event that the server (or your network) is under a heavy load, you can get a timeout even for a running server. In this case, if you set Connection_Retry_Interval too low, you will just end up having an already overloaded server.

Example 3 - Automatic Failover

You can use the following settings to ensure a speedy failover from one tier to another:

Connection_Timeout=600

Connection_Retry_Interval=600

Result

Connection_Timeout: The client will get an error if it cannot get a connection within .01 minutes.

Connection_Retry_Interval: The client will ignore an unavailable server for .01 minutes.

This configuration is useful when testing the Multi-Tier Load Balancing setup.

Suggest A Change

Multi-tier Load Balancing Group

How it Works

Examples

Example 1 - Default Values

Example 2 - Setting Connection_Timeout

Example 3 - Automatic Failover

On this page