
Key Cache with Encryption Management Server FAQ (Caching Keys for inbound email)

Article ID: 158748

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

This article covers some frequently asked questions about the Key Cache, or "Caching Keys", on Symantec Encryption Management Server (SEMS).

One of the core features of SEMS is that of being a keyserver. Keys are managed by SEMS for later use via key lookups and searches from various sources. Having keys on the local SEMS speeds up encryption operations because there is no need to search for keys elsewhere. One way to benefit from this is to cache keys from the "Inbound" mail flow. If someone sends an S/MIME email and SEMS processes it, the S/MIME key is typically attached to the email, and SEMS then stores it in its own Key Cache. Keys are cached temporarily (the duration is configurable) so that further messages to these recipients can be encrypted: the key lookup finds the key quickly in the local key store and the overall process is faster.

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

The Key Cache on SEMS can be accessed by going to Keys and then clicking on "Key Cache".

Question 1: Do keys in the Key Cache get purged periodically?

Answer: Yes, they are cleaned out after 1 day by default.

For additional information, see the following article:

162609 - Symantec Encryption Management Server (SEMS) Key Cache purge routines differ depending on how keys are retrieved


Question 2: What is the Max Duration for the Key Cache on SEMS?

Answer: The lowest value for which keys can be cached is 1 hour, and the maximum configurable value is 999 days.


Question 3: I have my server in the mail flow, but it is not caching keys. Why?

Answer: For a key to be cached, the email containing the key must be an "Inbound" message. In other words, SEMS does not harvest keys from "Outbound" email, because the keys for users sending outbound mail typically already exist as "Internal Users" on SEMS. Only Inbound emails have their keys harvested.


Question 4: I have an email that came from an external domain. Why is its key still not being cached?

Answer: Depending on how the SEMS proxies are configured, email from an external sender may be interpreted by SEMS as an "Outbound" message. If the proxies are configured with a single MTA acting as both the inbound and the outbound connector into SEMS, then having two interfaces on SEMS with different IP addresses is recommended. In this way, "Inbound" messages always arrive on the Inbound IP address, and messages destined for external domains always use the Outbound IP address.


Question 5: Should I purge the Key Cache before the timeout value is reached?

Answer: If you know that a single key has been updated, delete only that key from the Key Cache rather than purging the whole cache.


Question 6: Immediately after I created a cluster member, the cached keys on the host server were removed and were not replicated. Why?

Answer: The timeout value for the cached keys had expired. After one or more servers are joined to the host server during the creation of a server cluster, one of the services checks the cached key timeout setting as it restarts. If the current date minus the keys' create date exceeds the configured timeout value, the service flushes the Key Cache.
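The following is an added toy model (not SEMS product code) of the behaviour described in Questions 3 through 6: keys are harvested only from messages arriving on the assumed Inbound interface address, a single stale key can be removed on its own, and a restart-time check flushes keys older than a timeout bounded to the 1 hour to 999 day range. The interface addresses, sender names and certificate blobs are constructed sample values, and the per-key age check is an assumption about how the flush is applied.

```python
from datetime import datetime, timedelta

MIN_TTL = timedelta(hours=1)     # lowest configurable cache duration (1 hour)
MAX_TTL = timedelta(days=999)    # highest configurable cache duration (999 days)
DEFAULT_TTL = timedelta(days=1)  # default purge age (1 day)


def ttl_is_valid(ttl):
    """True when the requested cache duration lies within the configurable range."""
    return MIN_TTL <= ttl <= MAX_TTL


class KeyCacheModel:
    """Toy model of the SEMS Key Cache behaviour in this FAQ; not the product's code."""

    def __init__(self, inbound_ip, ttl=DEFAULT_TTL):
        if not ttl_is_valid(ttl):
            raise ValueError("cache duration must be between 1 hour and 999 days")
        self.inbound_ip = inbound_ip   # assumed: address of the dedicated Inbound interface
        self.ttl = ttl
        self.entries = {}              # sender address -> (key blob, create time)

    def process_message(self, sender, received_on_ip, attached_key, now):
        """Harvest an attached S/MIME key only when the message is classified Inbound."""
        if received_on_ip != self.inbound_ip or attached_key is None:
            return False               # treated as Outbound (internal user) or no key: nothing cached
        self.entries[sender] = (attached_key, now)
        return True

    def lookup(self, recipient):
        """Local key lookup used before any remote search."""
        return self.entries.get(recipient, (None, None))[0]

    def remove(self, recipient):
        """Q5: delete a single updated key instead of purging the whole cache."""
        return self.entries.pop(recipient, None) is not None

    def service_restart_check(self, now):
        """Q6: on restart, flush keys whose age exceeds the timeout (assumed per key)."""
        expired = [s for s, (_, created) in self.entries.items() if now - created > self.ttl]
        for s in expired:
            del self.entries[s]
        return len(expired)


def demo():
    """Walk through the FAQ scenarios with constructed data; returns the observable results."""
    t0 = datetime(2024, 1, 1, 9, 0)
    cache = KeyCacheModel(inbound_ip="10.0.0.1")                       # constructed address
    inbound = cache.process_message("alice@partner.example", "10.0.0.1", b"CERT-A", t0)
    outbound = cache.process_message("bob@corp.example", "10.0.0.2", b"CERT-B", t0)
    early = cache.service_restart_check(t0 + timedelta(hours=23))     # under 1 day: kept
    late = cache.service_restart_check(t0 + timedelta(hours=25))      # over 1 day: flushed
    return {"inbound": inbound, "outbound": outbound, "early": early, "late": late,
            "after": cache.lookup("alice@partner.example")}
```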
