How Agents Retrieve Keys from a KMA

Agents retrieve keys from the KMA cluster through discovery, load balancing, and failover.

Discovery

Agents (encryption endpoints) send a discover cluster request to a KMA. The KMA that receives the discover cluster request provides the following information for each KMA: IP addresses (IPv4 and IPv6), Site Name, KMA ID, KMA Name, KMA Version, KMA Status. The status can be either responding (indicates if the KMA is responding on the network) or locked (indicates if the KMA is currently locked).

Agents periodically retrieve this information as part of a key request operation (not when the endpoint is idle) and always request it as part of enrollment and whenever the agent is IPLed. Whenever an agent discovers a new response state for a KMA, it updates the cluster information with the new status.

Load Balancing

During normal operations, agents use their local table of cluster information to select a KMA for key retrieval. The agents use an algorithm to select a KMA from the same site as the agent. If all KMAs within a site are either locked or not responding, then the agent attempts to access a KMA from another site. If KMAs from other sites cannot be reached, the attempt to retrieve keys will time out and force a failover.

Failover

The ability for agents to fail over to remote sites can improve agent reliability and availability when local KMAs are down or slow to respond (such as timeout situations because of heavy workloads).

Whenever an agent cannot communicate with any of the KMAs in a cluster, the agent then uses an algorithm to select a KMA for a failover attempt. When selecting, the agent's information about the cluster state is used again. Agents attempt a failover up to three times before giving up and returning an error to the host application.

An agent may occasionally choose a non-responding KMA during a failover attempt if all other KMAs are not responding. However, because information about the cluster may be stale, the KMA may actually be online and responding.
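The following Python simulation is an added example and is not code from the OKM product; it models the agent-side behaviour described in the Load Balancing and Failover sections above. The selection order (responding, unlocked KMAs at the agent's own site first, then responding KMAs at other sites, and finally KMAs the local table marks as not responding, because that table may be stale), the counting of one initial request plus up to three failover attempts, and the way the local table is updated after each observed outcome are all assumptions chosen to illustrate the text, not the product's actual algorithm. The cluster table and the set of KMAs that time out are constructed sample data.

```python
"""Simulation of how an agent picks a KMA from its local cluster table,
falls back to other sites, and bounds its failover attempts.
Added illustration only; the selection rules are assumptions, not OKM's algorithm."""
import random
from dataclasses import dataclass


@dataclass
class KMAInfo:
    """One row of the agent's local cluster table (subset of the discover cluster response)."""
    kma_id: str
    site: str
    responding: bool = True   # last known network response state
    locked: bool = False      # a locked KMA cannot serve keys


class KeyRetrievalError(Exception):
    """Returned to the host application once the failover budget is exhausted."""


def _candidates(cluster, agent_site, tried):
    """Split the table into preference tiers, skipping locked and already-tried KMAs."""
    usable = [k for k in cluster if not k.locked and k.kma_id not in tried]
    local = [k for k in usable if k.site == agent_site and k.responding]
    remote = [k for k in usable if k.site != agent_site and k.responding]
    # Last resort: KMAs the table marks as not responding. The table can be
    # stale, so one of them may in fact be online (assumed tier ordering).
    stale = [k for k in usable if not k.responding]
    return local, remote, stale


def select_kma(cluster, agent_site, tried=frozenset(), chooser=random.choice):
    """Return the first non-empty tier's pick, or None if nothing is selectable."""
    for tier in _candidates(cluster, agent_site, tried):
        if tier:
            return chooser(tier)
    return None


def retrieve_key(cluster, agent_site, request, max_failovers=3, chooser=random.choice):
    """Attempt a key request: one initial try plus up to max_failovers failovers.

    request(kma) returns key material or raises TimeoutError (hypothetical callback).
    Each outcome updates the KMA's responding flag, mirroring how an agent records
    a newly discovered response state. Returns (key, list_of_kma_ids_tried).
    """
    tried = []
    for _ in range(1 + max_failovers):
        kma = select_kma(cluster, agent_site, frozenset(tried), chooser)
        if kma is None:
            break
        tried.append(kma.kma_id)
        try:
            key = request(kma)
        except TimeoutError:
            kma.responding = False   # learned: this KMA is not responding right now
            continue
        kma.responding = True        # learned: this KMA is online after all
        return key, tried
    raise KeyRetrievalError(f"no KMA reachable after {len(tried)} attempts: {tried}")


def demo():
    """Constructed scenario: the local site's only unlocked KMA and the remote
    responding KMA both time out; the KMA marked 'not responding' is actually up."""
    cluster = [
        KMAInfo("kma-1", "site-A"),
        KMAInfo("kma-2", "site-A", locked=True),
        KMAInfo("kma-3", "site-B"),
        KMAInfo("kma-4", "site-B", responding=False),   # stale entry: really online
    ]
    down = {"kma-1", "kma-3"}   # constructed: these time out during the request

    def request(kma):
        if kma.kma_id in down:
            raise TimeoutError(kma.kma_id)
        return f"KEY-from-{kma.kma_id}"

    # A deterministic chooser (first candidate) keeps the walkthrough reproducible.
    return retrieve_key(cluster, "site-A", request, chooser=lambda tier: tier[0])


if __name__ == "__main__":
    print(demo())
```

Running demo() walks through all three tiers: kma-1 (local) times out, kma-3 (remote, responding) times out, and the request finally succeeds against kma-4, which the stale table had marked as not responding. Swapping the deterministic chooser for random.choice gives the load-spreading behaviour within a tier; raising max_failovers or emptying the table shows the KeyRetrievalError path that the host application would see.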