CA SSO/Single Sign-On: Communication focused on the Shared Secret between WebAgent and Policy Server
Article ID: 113306
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
1. What is the difference between the Shared Secret stored in SmHost.conf and the one stored in the Policy Store?
2. How is this Shared Secret used during the handshake between the WebAgent and the Policy Server?
Environment
CA Single Sign-On
Resolution
1. SmHost.conf: encrypted by the WebAgent Host Key embedded in the software. On Linux, it is re-encrypted using the hostid.
Policy Store: encrypted by the Policy Store Key derived from the configured Encryption Key Seed.
2. a. The WebAgent decrypts the Shared Secret in SmHost.conf using the Host Key (or hostid) and builds a Hello Message containing the recalculated (MD5) Shared Secret, the AgentName and random data.
b. The Policy Server receives the Hello Message, decrypts the Shared Secret in the Policy Store using the Host Key, recalculates (MD5) the Shared Secret and AgentName and compares them with the values in the Hello Message. It then returns a Hello Reply Message carrying the encrypted (RC2/AES) Session Keys and the random data from the Hello Message.
c. The WebAgent receives the Hello Reply Message, decrypts it and extracts the Session Keys and the random data. It compares that random data with the value it sent in the Hello Message and then sends a Hello Confirm Message to the Policy Server.
d. The Policy Server receives the Hello Confirm Message; the handshake between the Web Agent and the Policy Server is complete, and the Web Agent then establishes an AgentAPI session with the Policy Server.
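The exchange in steps (a) to (c), modelled as an added Go example that is not CA's code: it shows why a mismatched Shared Secret fails on the server side at (b) and on the agent side at (c). Message layout, digest field order, the per-handshake AES-GCM key derivation and the caller-supplied 16-byte random data are all assumptions; the page only names MD5 and RC2/AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// digest models the Hello MD5 over shared secret, AgentName and random data (assumed order).
func digest(secret, agent string, nonce []byte) []byte {
	h := md5.New()
	h.Write([]byte(secret))
	h.Write([]byte(agent))
	h.Write(nonce)
	return h.Sum(nil)
}

// wrapKey derives a per-handshake AES-GCM key from secret and nonce (assumed; page only says RC2/AES).
func wrapKey(secret string, nonce []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte(secret), nonce...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ServerReply is step (b): recompute the digest from the Policy Store copy of the secret,
// reject on mismatch, otherwise return AES-GCM(sessionKey || nonce) with the nonce as IV.
func ServerReply(storeSecret, agent string, nonce, dig, sessionKey []byte) ([]byte, error) {
	if len(nonce) < 12 || subtle.ConstantTimeCompare(digest(storeSecret, agent, nonce), dig) != 1 {
		return nil, errors.New("hello rejected: bad random data or shared secret mismatch")
	}
	pt := append(append([]byte{}, sessionKey...), nonce...)
	return wrapKey(storeSecret, nonce).Seal(nil, nonce[:12], pt, nil), nil
}

// AgentConfirm is step (c): decrypt the reply, check the echoed random data, return the session key.
func AgentConfirm(secret string, nonce, reply []byte) ([]byte, error) {
	pt, err := wrapKey(secret, nonce).Open(nil, nonce[:12], reply, nil)
	if err != nil || len(pt) < len(nonce) {
		return nil, errors.New("reply rejected: peer does not hold the same secret")
	}
	n := len(pt) - len(nonce)
	if subtle.ConstantTimeCompare(pt[n:], nonce) != 1 {
		return nil, errors.New("reply rejected: random data mismatch")
	}
	return pt[:n], nil
}
```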
Additional Information
FIPS 140-2 Algorithms: https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/fips-140-2-algorithms