
A KMIP Managed Object Cache

By Mark Joseph - October 19, 2021 @ 9:34 am

This document was updated on 17 Feb 2022.

To improve performance by reducing network traffic to a KMIP server for frequently used Keys, Certificates, Secret Data, and other KMIP objects, we have added an object cache to our client-side products (i.e., the Secure KMIP Client SDK (SKC) and our PKCS11 library's KMIP token). For SKC, a unique cache instance is created and shared for each KMIP server's FQDN or IP address. For our PKCS11 library, a unique cache instance is created for each slot defined to use a KMIP token.

To implement our object cache we have extended our existing Keystore. We have added a special "mode" to the Keystore that applies standard cache eviction policies to its entries (i.e., time to live and LRU). The benefits of using our Keystore are two-fold. First, key material is already field-encrypted in the Keystore, so it is also encrypted in an object cache instance. Second, the Keystore can use the SQLite database and thus can be created on disk or in memory with no additional work. As a result, our KMIP object cache has options to store it on disk or to keep it in memory only for the current KMIP TLS session.

For SKC, it is also possible to use a Postgres database to hold the cache. This can be set up either local to the KMIP client or on a remote server. An application can configure the Managed Object Cache so that one cache exists per KMIP server, or so that one cache is used to share Managed Objects of multiple KMIP servers.

Both the managed object bytes and many of the object's associated attributes can be stored in the object cache. Objects in the cache are stored under their KMIP Unique Identifier attribute. The object cache defaults to off; a customer has to enable and configure it in order to use it. The object cache functionality is available for any KMIP protocol version and for both PKCS11 versions 2.40 and 3.0.

The object cache is very easy to use and, once configured, its use is transparent to the customer. For SKC, the object cache requires a customer to call a couple of new API calls. For the PKCS11 library, the object cache setup is done entirely by setting values in a configuration file. For example, when a customer's code calls the KMIP Client Get operation, the API implementation will first look in the object cache (if enabled) and return the requested KMIP object if it is present. Otherwise, the client will request the object from the KMIP server and store the response in the object cache instance for future reference before returning it to the caller.

Our object cache maintains a standard set of statistics, which are available via a new cache API and also, via a setting, through logging. The new cache API allows the caller to set different logging preferences to see exactly what the cache is doing (e.g., which objects are being evicted or referenced). The new cache API also provides a function that forces the cache to run its time-to-live eviction policy, so a caller can force a cache clean-up if desired.
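The behaviour described above (a read-through Get that consults the cache before the KMIP server, entries keyed by Unique Identifier, TTL and LRU eviction, hit/miss/eviction statistics, and a forced TTL sweep) is easy to see in a small model. The following is an added illustration written for this page; it is not the SKC or PKCS11 library code, and none of the class or function names (`ManagedObjectCache`, `KmipClient`, `CacheStats`, `demo`) are product APIs. The "server" is a constructed in-memory dictionary, the managed objects are plain dicts, and, unlike the product's Keystore-backed cache, nothing here is field-encrypted.

```python
"""Hypothetical model of a KMIP managed-object cache (illustrative, not vendor code).

Entries are keyed by the KMIP Unique Identifier. Each entry carries a
time-to-live; capacity is enforced with an LRU policy. A KmipClient stand-in
shows the read-through Get: cache first, then the server, then store.
"""
from collections import OrderedDict
from dataclasses import dataclass
import time


@dataclass
class CacheStats:
    """Counters of the kind a cache statistics API would expose."""
    hits: int = 0
    misses: int = 0
    evictions_lru: int = 0
    evictions_ttl: int = 0


class ManagedObjectCache:
    def __init__(self, max_entries, ttl_seconds, clock=time.monotonic):
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable for deterministic tests
        self._entries = OrderedDict()      # uid -> (expires_at, managed_object)
        self.stats = CacheStats()

    def evict_expired(self):
        """Forced TTL sweep; returns the number of entries removed."""
        now = self.clock()
        expired = [uid for uid, (exp, _) in self._entries.items() if exp <= now]
        for uid in expired:
            del self._entries[uid]
        self.stats.evictions_ttl += len(expired)
        return len(expired)

    def get(self, uid):
        """Return the cached object for uid, or None on miss or expiry."""
        entry = self._entries.get(uid)
        if entry is None:
            self.stats.misses += 1
            return None
        expires_at, obj = entry
        if expires_at <= self.clock():     # lazily expire a stale entry on access
            del self._entries[uid]
            self.stats.evictions_ttl += 1
            self.stats.misses += 1
            return None
        self._entries.move_to_end(uid)     # LRU: mark as most recently used
        self.stats.hits += 1
        return obj

    def put(self, uid, obj):
        self._entries[uid] = (self.clock() + self.ttl, obj)
        self._entries.move_to_end(uid)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)   # drop least recently used
            self.stats.evictions_lru += 1


class KmipClient:
    """Stand-in client whose Get is read-through: cache, then server, then store."""

    def __init__(self, server_fetch, cache):
        self._fetch = server_fetch     # callable uid -> object; models the network round trip
        self.cache = cache
        self.server_requests = 0

    def get(self, uid):
        obj = self.cache.get(uid)
        if obj is not None:
            return obj
        self.server_requests += 1
        obj = self._fetch(uid)
        self.cache.put(uid, obj)
        return obj


class FakeClock:
    """Manual clock so TTL expiry can be demonstrated without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed sample "KMIP server" contents; values are placeholders, not real keys.
SAMPLE_SERVER_OBJECTS = {
    "uid-aes-1": {"type": "SymmetricKey", "value": b"\x00" * 32},
    "uid-cert-1": {"type": "Certificate", "value": b"<placeholder certificate bytes>"},
    "uid-secret-1": {"type": "SecretData", "value": b"<placeholder secret>"},
}


def demo():
    """Exercise the cache; returns (server round trips, stats, entries swept by TTL)."""
    clock = FakeClock()
    cache = ManagedObjectCache(max_entries=2, ttl_seconds=60, clock=clock)
    client = KmipClient(lambda uid: dict(SAMPLE_SERVER_OBJECTS[uid]), cache)
    client.get("uid-aes-1")      # miss: fetched from server and cached
    client.get("uid-aes-1")      # hit: no network traffic
    client.get("uid-cert-1")     # miss: second server fetch
    client.get("uid-aes-1")      # hit: refreshes LRU position of uid-aes-1
    client.get("uid-secret-1")   # miss: third fetch; capacity 2 evicts uid-cert-1 (LRU)
    clock.advance(61)
    swept = cache.evict_expired()   # forced TTL sweep removes both remaining entries
    return client.server_requests, cache.stats, swept


if __name__ == "__main__":
    print(demo())
```

Five Get calls cost three server round trips; the two hits are the traffic the article's cache is designed to save. Injecting the clock keeps TTL behaviour testable, and keeping the counters on a small stats object mirrors the statistics-plus-logging approach the article describes without tying the example to any particular API.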

"A KMIP Managed Object Cache" was published on October 19th, 2021 and is listed in Security Features, Unique Product Features.
