Load Balancing and Failover When Using pkcs11_kms

The OKM cluster provides load balancing and failover for the pkcs11_kms provider, so that TDE key operations continue when an individual KMA or network segment is unavailable.

The pkcs11_kms provider is aware of the OKM cluster through use of OKM cluster services, a load balancer, and cluster failover logic. The pkcs11_kms provider transparently maintains client-side awareness of the OKM cluster by periodically issuing cluster discovery operations. Network changes and changes in the OKM cluster or KMA availability are handled by the agent on behalf of the pkcs11_kms provider and TDE. PKCS#11 key generation and key retrieval operations are load balanced across KMAs in the OKM cluster.

To further optimize key retrieval performance, agents may be associated with particular KMAs through use of OKM sites. Sites are defined according to network topology: KMAs and agents within the same site typically have low network latency to one another, whereas KMAs and agents that must be reached across a WAN do not.

When a network segment or KMA is unavailable, the failover logic within the agent selects another KMA to complete the operation, preferring KMAs in the same site as the agent. TDE is unaware of any failover, so key management operations continue without error as long as another KMA can complete them. Because failover is transparent to TDE, a failed KMA is not visible from the database side; monitor KMA availability in OKM rather than relying on TDE errors to detect it.

Use the kmscfg(1M) utility to tune the agent's discovery frequency and failover properties. A longer discovery interval reduces cluster traffic but delays the agent's awareness of KMAs that have been added to or removed from the cluster. See the kmscfg man page for more information.
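The following Python simulation models the behavior described above: periodic cluster discovery, load balancing across same-site KMAs, failover to another KMA (preferring the agent's own site), and the two tunables that kmscfg exposes, the discovery frequency and a failover limit. It is an added example, not code from the pkcs11_kms provider or from OKM. The KMA and site names, the discover callback, the round-robin policy, the failure model, and the reading of the failover limit as a count of KMA switches per operation are all assumptions made for illustration.

```python
"""Illustrative model of the agent-side cluster awareness described on this page.
Added example, not pkcs11_kms or OKM code: KMA names, sites, the round-robin
policy and the failure model are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple

class KMAUnavailable(Exception):
    """The selected KMA, or the network path to it, could not complete the request."""

@dataclass(frozen=True)
class KMA:
    name: str
    site: str

class ClusterClient:
    """Periodic discovery, site-preferred load balancing, and failover across KMAs."""

    def __init__(self, agent_site: str, discover: Callable[[], Iterable[KMA]],
                 clock: Callable[[], float], discovery_frequency: float = 60.0,
                 failover_limit: int = 3) -> None:
        self.agent_site = agent_site
        self.discover = discover      # cluster discovery call (assumed interface)
        self.clock = clock            # seconds; injected so the example is deterministic
        self.discovery_frequency = discovery_frequency
        self.failover_limit = failover_limit
        self.kmas: List[KMA] = []
        self.last_discovery: Optional[float] = None
        self.rr = 0                   # round-robin cursor for load balancing

    def refresh_if_due(self) -> bool:
        """Re-run cluster discovery once the configured interval has elapsed."""
        now = self.clock()
        if self.last_discovery is None or now - self.last_discovery >= self.discovery_frequency:
            self.kmas = list(self.discover())
            self.last_discovery = now
            return True
        return False

    def candidate_order(self) -> List[KMA]:
        """Same-site KMAs first, rotated per request; other sites only as failover targets."""
        local = [k for k in self.kmas if k.site == self.agent_site]
        remote = [k for k in self.kmas if k.site != self.agent_site]
        def rotate(group: List[KMA]) -> List[KMA]:
            i = self.rr % len(group) if group else 0
            return group[i:] + group[:i]
        order = rotate(local) + rotate(remote)
        self.rr += 1
        return order

    def perform(self, op: Callable[[KMA], object]) -> Tuple[KMA, object]:
        """Run one key operation, switching to the next candidate KMA on failure
        until failover_limit switches have been used; the caller only sees the result."""
        self.refresh_if_due()
        order = self.candidate_order()
        if not order:
            raise KMAUnavailable("no KMAs discovered")
        failovers = 0
        for kma in order:
            try:
                return kma, op(kma)
            except KMAUnavailable:
                if failovers >= self.failover_limit:
                    break
                failovers += 1
        raise KMAUnavailable(f"gave up after {failovers} failovers")

# Constructed cluster: two KMAs in the agent's site, one across the WAN.
CLUSTER = [KMA("kma-a1", "site-A"), KMA("kma-a2", "site-A"), KMA("kma-b1", "site-B")]

def make_retrieve(down: Set[str]) -> Callable[[KMA], str]:
    """Simulated key retrieval; KMAs named in `down` are unreachable."""
    def retrieve(kma: KMA) -> str:
        if kma.name in down:
            raise KMAUnavailable(kma.name)
        return f"key from {kma.name}"
    return retrieve

def demo(failover_limit: int = 3) -> List[str]:
    """Which KMA served each of six requests as the local site degrades."""
    down: Set[str] = set()
    client = ClusterClient("site-A", lambda: CLUSTER, clock=lambda: 0.0,
                           failover_limit=failover_limit)
    served: List[str] = []
    for step in range(6):
        if step == 3:
            down.add("kma-a1")    # one local KMA becomes unreachable
        if step == 5:
            down.add("kma-a2")    # whole local site down: expect a site-B KMA
        kma, _ = client.perform(make_retrieve(down))
        served.append(kma.name)
    return served

def limit_exhausted(failover_limit: int) -> bool:
    """True when the demo scenario runs out of allowed failovers and surfaces an error."""
    try:
        demo(failover_limit)
    except KMAUnavailable:
        return True
    return False
```

Running demo() shows requests alternating between the two site-A KMAs, then staying on kma-a2 once kma-a1 is down, and only reaching kma-b1 when the whole local site is unreachable. Lowering the failover limit to 1 makes the final request fail instead, which is the trade-off a small limit buys: faster error reporting at the cost of masking fewer outages.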