Agent Key, Session Key and Agent Host Key Siteminder

Article ID: 240635

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Functionality and generation of the various keys used by SiteMinder: the Session Key, the Agent Key and the Agent Host Key.

Environment

Policy Server Version: all supported versions.

Resolution

Key 1: Session Key

  Purpose:            Protects data sent by the Policy Server to the Agent.
  Generation method:  Random. Generated by the Policy Server, new for each connection.
  Algorithm:          FIPS or non-FIPS cipher, according to the Policy Server FIPS mode.
  Key length:         128 bits.
  Key lifetime:       New for each connection.
  Key location:       In memory.

Key 2: Agent Key

  Purpose:            Protects the SMSESSION, SMIDENTITY and SMDATA cookies.
  Generation method:  Static or dynamic. Generated by the Policy Server. Dynamic keys are random and are rolled over as configured. Static keys are either random or derived from an administrator-entered string, and can be reset manually.
  Algorithm:          FIPS or non-FIPS cipher, according to the Policy Server FIPS mode.
  Key length:         128 bits.
  Key lifetime:       Configurable (rollover interval for dynamic keys; static keys persist until reset).
  Key location:       In the Policy Store or Key Store.

Key 3: Agent Host Key

  Purpose:            Encrypts the shared secret stored in the host configuration file (SmHost.conf).
  Generation method:  Embedded in the software.
  Algorithm:          FIPS or non-FIPS cipher, according to the Policy Server FIPS mode.
  Key length:         128 bits.
  Key lifetime:       N/A (fixed key).
  Key location:       In memory.

 

Q1. Please describe how the keys are generated. If they are generated inside the solution, please provide details on the algorithm (e.g. OpenSSL). If Operations will need to rely on a separate (manual) process for generating any keys, please state this.
A1. SiteMinder uses the CAPKI component, which is built on OpenSSL. CAPKI generates the keys and encrypts and decrypts data with them. No separate manual key-generation process is required; the only manual action is the optional reset of a static Agent Key.

Q2. If keys are being transmitted, entered or loaded, please provide detailed processes.
A2. Only Agent Keys are transmitted: from the Policy Store or Key Store to the Policy Server, and from the Policy Server to the Agents. Agent Keys are stored encrypted in the DB or LDAP repository and are loaded in that encrypted form, using a FIPS or non-FIPS encryption method depending on the customer's configuration. Agents receive the keys from the Policy Server via the DoManagement call, over a TCP stream that is itself encrypted with FIPS or non-FIPS methods. Keys are transmitted during the Agent to Policy Server 3-way handshake.

Q3. Please provide details on where the keys are stored (e.g. locally, HSM, JKS, pfx file) and if they are stored in an encrypted way. Please also provide information on how they are decrypted for use.
A3. Keys are stored in memory (Session Key, Agent Host Key) or in the Key Store or Policy Store (Agent Key). Stored keys are encrypted with a FIPS or non-FIPS mechanism based on the customer's configuration, and are decrypted by the Policy Server when loaded for use.