Agent Key, Session Key and Agent Host Key Siteminder
Article ID: 240635
Updated On:
Products
Issue/Introduction
Functionality and generation of various Keys in the SiteMinder.
Environment
Policy Server: 12.8.06
Resolution
|
|
Key 1 |
Key 2 |
Key 3 |
|
Key name |
Session Key |
Agent Key |
Agent Host Key |
|
Purpose |
Protects Data sent by Policy Server to Agent |
Protects SMSESSION, SMIDENTITY or SMDATA Cookies |
Protects Shared Secret encrypt the data stored in the host configuration file (SmHost.conf)
|
|
Key Generation method (e.g. CMP, solution) |
Random. Generated by Policy Server. New for each connection
|
Static or dynamic Agent Key. Generated by Policy Server. Dynamic keys are random and rolled-over as configured. Static keys are either random or derived from the entered string and can be manually reset. |
Embedded in software |
|
Algorithm (e.g. RSA) |
FIPS and NON-FIPS |
FIPS and NON-FIPS |
FIPS and NON-FIPS |
|
Key length |
128 |
128 |
128 |
|
Key Lifetime |
New for each connection. |
Configurable |
N/A |
|
Key location path |
In Memory |
In Policy Store or Key Store. |
In Memory |
Q1. Please describe how the keys are generated. If they are generated inside the solution, please provide details on the algorithm (e.g. OpenSSL). If Operations will need to rely on a separate (manual) process for generating any keys, please state this.
A1 Siteminder is using CAPKI component that built with OpenSSL, this component generates the keys and encrypts and decrypts data with the keys.
Q2. If keys are being transmitted, entered or loaded, please provide detailed processes.
A2. Only Agent Keys are transmitted from Policy/Key Store to Policy server and from Server to Agents. Agent Keys are stored encrypted and loaded encrypted DB or LDAP repository and with FIPS or Non-FIPS encryption method depending on customer configurations. Agents receives the keys from Policy Server via DoManagment call where the TCP stream is encrypted FIPS or Non-FIPS methods. Keys transmitted during Agent-Policy Server 3-way handshake.
Q3. Please provide details on where the keys are stored (e.g. locally, HSM, JKS, pfx file) and if they are stored in an encrypted way. Please also provide information on how they are decrypted for use.
A3. Keys are stored in Memory or in Key/Policy Store. Keys are encrypted with FIPS or NON-FIPS mechanisms based on customer’s configuration.
Feedback
