Refresh Cached Keys
This page describes the two ways to refresh the key cache: Auto refresh and Refresh using API.
Note
This functionality:
supports only Crypto APIs
does not support Key Management APIs
Auto refresh
The Auto refresh feature automatically refreshes a cached key based on the Key_Cache_AutoRefresh_Interval parameter. This parameter defines the time interval (in seconds) after which a cached key becomes eligible for refresh.
Auto Refresh is applicable only if the symmetric or asymmetric key cache is enabled.
Auto refresh occurs when:
A crypto operation is performed, and
The auto refresh interval has passed for the cached key.
If the auto refresh operation fails, the cached key becomes eligible for auto refresh again after the Key_Cache_AutoRefresh_Interval has passed.
Note
Auto Refresh works only before the cached key expires. The Key_Cache_Expiry value takes precedence over the Key_Cache_AutoRefresh_Interval value, so the auto refresh check is performed only while the key cache entry has not expired. Each time an auto refresh operation occurs, the Key_Cache_Expiry of that key is reset to its configured value.
How Auto refresh works
When a crypto operation is performed, the client checks the auto refresh interval of the key being used. Auto refresh is triggered only when the configured interval has elapsed for that key; if it has not, no refresh takes place.
Trigger / Initiation
After the auto refresh interval has passed, a background thread runs to update the key in the cache and, if the persistent cache is enabled, in the persistent cache file.
The current crypto operation uses the key that is in the cache at that moment. After the background thread has stored the latest key (fetched from CipherTrust Manager) in the cache, the next crypto operation uses the refreshed key.
If the crypto operation completes successfully while the background auto refresh thread is still running, the application waits for the auto refresh to complete before control leaves the application.
The auto refresh request is sent only for the key used in the crypto operation, not for all keys present in the cache.
Tip
Setting a low value for the key auto-refresh interval can negatively impact performance, because background threads frequently make network calls to update the cached key. If keys must be refreshed that often, it is recommended to use Remote mode for crypto operations, that is, to disable key caching.
Example:
If Key_Cache_Expiry = 500 seconds and Key_Cache_AutoRefresh_Interval = 200 seconds, the cached key becomes eligible for refresh after 200 seconds. If the cached key is used between 200 and 500 seconds, it is refreshed in the cache; otherwise, it is removed from the cache after its expiry.
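To make the interaction between the two timers concrete, the following is an added example, not code from the CADP .NET client or its documentation. It is a small model of the documented cache-entry behaviour (class and method names are the author's own): the entry is served from cache until Key_Cache_Expiry elapses, an auto refresh is attempted only while the entry is unexpired and the interval has passed, a successful refresh resets the expiry, and a failed refresh leaves the old copy in place until the interval passes again. The real client performs the refresh on a background thread; the model treats it as immediate so the timing can be read line by line.

```csharp
using System;

// Model of one cached key. Times are whole seconds since the key was first cached.
// This is an illustration of the documented rules, not the client's implementation.
public sealed class CachedKeyModel
{
    private readonly int _expirySeconds;       // Key_Cache_Expiry
    private readonly int _autoRefreshSeconds;  // Key_Cache_AutoRefresh_Interval
    private int _cachedAt;                     // when the current copy was stored
    private int _lastRefreshAttempt;           // when a refresh was last attempted
    public bool InCache { get; private set; } = true;

    public CachedKeyModel(int expirySeconds, int autoRefreshSeconds)
    {
        _expirySeconds = expirySeconds;
        _autoRefreshSeconds = autoRefreshSeconds;
        _cachedAt = 0;
        _lastRefreshAttempt = 0;
    }

    // Called once per crypto operation that uses this key. Returns what happened.
    public string OnCryptoOperation(int now, bool managerReachable)
    {
        if (!InCache)
            return "miss: key no longer cached, it must be fetched from CipherTrust Manager";

        // Key_Cache_Expiry takes precedence: an expired entry is removed, no refresh is tried.
        if (now - _cachedAt >= _expirySeconds)
        {
            InCache = false;
            return "expired: key removed from cache";
        }

        // Auto refresh is only considered while the entry is unexpired.
        if (now - _lastRefreshAttempt < _autoRefreshSeconds)
            return "hit: served from cache, refresh interval not yet reached";

        _lastRefreshAttempt = now;
        if (!managerReachable)
            return "hit: served from cache, refresh failed, eligible again after the interval";

        // A successful refresh stores the new copy and resets Key_Cache_Expiry.
        _cachedAt = now;
        return "hit: served from cache, background refresh stored the latest key";
    }

    public static void Main()
    {
        // The page's example: expiry 500 s, auto refresh interval 200 s.
        var key = new CachedKeyModel(expirySeconds: 500, autoRefreshSeconds: 200);
        Console.WriteLine($"t=100 {key.OnCryptoOperation(100, managerReachable: true)}");
        Console.WriteLine($"t=250 {key.OnCryptoOperation(250, managerReachable: true)}");
        // Expiry was reset at t=250, so the entry is still valid at t=600 (350 s old).
        Console.WriteLine($"t=600 {key.OnCryptoOperation(600, managerReachable: false)}");
        Console.WriteLine($"t=700 {key.OnCryptoOperation(700, managerReachable: true)}");

        // Same settings, but the key is not used between 200 s and 500 s.
        var idle = new CachedKeyModel(expirySeconds: 500, autoRefreshSeconds: 200);
        Console.WriteLine($"t=550 {idle.OnCryptoOperation(550, managerReachable: true)}");
        Console.WriteLine($"t=560 {idle.OnCryptoOperation(560, managerReachable: true)}");
    }
}
```

Running the model prints a hit without refresh at t=100, a refresh at t=250, a failed-but-still-served refresh attempt at t=600, a successful refresh at t=700, and for the idle entry an expiry at t=550 followed by a miss at t=560. The point worth retaining is the last pair: a long auto refresh interval does nothing for a key that is not used before Key_Cache_Expiry, because expiry is checked first.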
Refresh using API
Note
To refresh the key cache without waiting for the Auto Refresh Interval, you can perform the operation manually through the API.
The RefreshCache API refreshes cached keys. The following code snippet shows its usage:
    // Create the key management object for an established NAE session.
    var naeKeyManagement = new NaeKeyManagement(session);
    // Refresh the named key from CipherTrust Manager; KeyType.None selects a symmetric key.
    naeKeyManagement.RefreshCache("keyname", NaeKeyManagement.KeyType.None);
Enum KeyType is defined as:
    public enum KeyType
    {
        None
    }
where None signifies a symmetric key.
The key name is passed to the API. The API fetches the key from CipherTrust Manager and stores the refreshed key in the persistent cache file and in the symmetric cache.
If CipherTrust Manager is unreachable, the API does not refresh the key. If you still want to perform crypto operations, the client must call GetKey(keyname), which fetches the key from the persistent cache file, provided the key is present there.
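The following is an added example showing the manual refresh together with the fallback described above; it is not code from the CADP .NET documentation. The namespaces, the NaeSession constructor arguments, the return type of GetKey, and the assumption that an unreachable CipherTrust Manager surfaces as an exception from RefreshCache are all assumptions made for the illustration, so check them against the client version you use.

```csharp
using System;
using CADP.NetCore.KeyManagement;   // assumption: namespace of NaeKeyManagement
using CADP.NetCore.Sessions;        // assumption: namespace of NaeSession

public static class KeyCacheRefresh
{
    // Refreshes one cached key by name. Returns true when the key was refreshed from
    // CipherTrust Manager, false when the manager could not be reached and the caller
    // is continuing with the copy held in the persistent cache file.
    public static bool RefreshOrFallback(NaeSession session, string keyName)
    {
        var keyManagement = new NaeKeyManagement(session);
        try
        {
            // Fetches the key from CipherTrust Manager and stores it in the persistent
            // cache file and the symmetric cache. KeyType.None selects a symmetric key.
            keyManagement.RefreshCache(keyName, NaeKeyManagement.KeyType.None);
            return true;
        }
        catch (Exception ex)
        {
            // Assumption: an unreachable manager is reported by an exception. The cache
            // is left unchanged, which is the documented behaviour in that case.
            Console.WriteLine($"RefreshCache failed for '{keyName}': {ex.Message}");
        }

        // Fallback: GetKey returns the key from the persistent cache file when the key
        // is present there, so crypto operations can continue with the last cached copy.
        var key = keyManagement.GetKey(keyName);   // assumption: returns null when absent
        if (key == null)
            throw new InvalidOperationException(
                $"Key '{keyName}' is neither refreshable nor present in the persistent cache file");
        return false;
    }

    public static void Main()
    {
        // Assumption: NaeSession takes user, password and the path to the properties file.
        var session = new NaeSession("user", "password", @"C:\path\to\CADP.NETCore_Properties.xml");
        bool refreshed = RefreshOrFallback(session, "keyname");
        Console.WriteLine(refreshed
            ? "key refreshed from CipherTrust Manager"
            : "using key from persistent cache file");
    }
}
```

The return value lets the caller log and alert on the fallback path: a crypto operation that keeps succeeding on a stale persistent-cache copy while the manager is unreachable is exactly the condition an operator should be told about, since the key will not be rotated or revoked in that client until connectivity returns.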