search cancel

CA SSO/Single Sign-On :Communication focused on Shared Secret between WebAgent and Policy Server

book

Article ID: 113306

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction



1. What is the difference of Shared Secret stored in SmHost.conf and in Policy Store ?

2. How are they used this Shared Secret when handshake between WebAgent and Policy Server ?

Environment

CA Single Sign-On

Resolution

1.
SmHost.conf :
Encrypted by WebAgent Host Key emedded in software.
# If Linux OS, it is rencrypted using hostid.

Policy Store :
Encrypted by Policy Store Key drived from configured Encryption Key Seed.

2.
a. WebAgent decrypt the Shared Secret in SmHost.conf by Host Key/hostid and create Hello Message with recalculate (MD5) Shared Secret and AgentName and random data.

b. Policy Server receives the Hello Message and decrypt Shared Secret in Policy Store by Host Key, and recalculate (MD5) Shared Secret and AgentName and compare them with the value from the Hello Message.
And send encrypted (RC2/AES) Session Keys and random data in Hello Message with Hello Reply Message.

c. WebAgent receive the Hello Reply Message and decrypt and extract Session Keys and random data.
And compare this random data with it in Hello Message, and send Hello Confirm Message to Policy Server.

d. Policy Server receive the Hello Confirm Message, and the handshake is successful between Web Agent and Policy server and it then establish and AgentAPI session with the Policy Server.
 

Additional Information

FIPS 140-2 Algorithms:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/fips-140-2-algorithms