search cancel

Enable key generation config in mixed environment Policy Server

book

Article ID: 202379

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

When running a Policy Server using separate Key Stores, and using Static Agent Keys, with this Registry Keys configuration:

  EnableKeyGeneration=                      0x0;  REG_DWORD
  EnableKeyUpdate=                          0x0;  REG_DWORD
  1. Does the "enable key generation" option needs to be enabled from at least one of the 12.8 SP03 Policy Server? 
  2. What will be the impact if they aren't enabled from the 12.8 Policy Server and bring down all the 12.52 Policy Servers?
  3. What is the difference between "enable key generation" and "key update"?

 

Environment

 

Policy Server 12.8SP3 on RedHat 6

 

Resolution

 

  1. As Static Keys are configured, only 1 Policy Server should be configured to generate the keys, the one to which the AdminUI connects. This will allow changing the static Agent Key if needed.
  2. When bringing down the Policy Server 12.52, then the Static Keys won't change, and as such, Web Agent will continue to use them.
  3. EnableKeyGeneration is to allow a given Policy Server the possibility to change the Agent Keys (dynamically or static-wise). If set to 0, then the AdminUI attached to this Policy Server won't get access to the "Key Management" feature.

EnableKeyUpdate is to tell the Policy Server to rely on a central Key Store to poll it regularly and retrieve the automatically updated Session Key.

Is the Session Ticket Key randomly generated?

It can be randomly generated or manually. This is useful when you configure in the AdminUI the feature "Generate a random Session Ticket Key" instead of "Specify a Session Ticket Key".
   
Set "enable key generation" on at least 1 Policy Server. As Static Keys are configured, only 1 Policy Server needs to generate the keys, the one to which the AdminUI connects. This will allow you to change the static Agent Key if needed.

Enabling an Admin Policy Server will have an impact on the Policy Server processing, as operations in the AdminUI will bring additional operations to the Admin Policy Server.

The given Admin Policy Server will roll the keys automatically only if Dynamic Keys are configured. When using Static ones, so the keys won't be rolled automatically, but only when they are explicitly and manually changed in the AdminUI.