Scenario: several Policy Servers run in different environments, each with its own Policy Store and Key Store, and the plan is to move from these multiple Policy Store and Key Store configurations to a single Policy Store and Key Store environment.
Question: how should the static key be renewed on each side so that single sign-on (SSO) works across the environments?
Overview of key use and storage (1)
| Key                    | Use                                      | Location                           |
|------------------------+------------------------------------------+------------------------------------|
| Agent Keys             | To encrypt SiteMinder cookies            | Policy Store and Agent memory      |
|                        |                                          |                                    |
| Session Ticket Key     | To encrypt session tickets, which        | Policy Store only                  |
|                        | contain credentials and other            |                                    |
|                        | information relating to a session        |                                    |
|                        |                                          |                                    |
| Encryption Key         | To encrypt certain data in the Policy    | Policy Server file                 |
| (Policy Store Key)     | Store                                    | bin/EncryptionKey.txt              |
|                        |                                          |                                    |
| Key Store Key          | To encrypt Agent and Session Ticket      | Policy Server registry value       |
|                        | keys                                     | KeyStoreEncryptionKey.             |
|                        |                                          | In a single Key Store deployment   |
|                        |                                          | the value of the Encryption Key    |
|                        |                                          | above is used.                     |
|                        |                                          |                                    |
| Policy Server Host Key | To encrypt the Encryption Key above      | Hardcoded in the Policy Server     |
| Agent Host Key         | To encrypt the shared secret             | Hardcoded in the Agent             |
|                        |                                          |                                    |
| SharedSecret           | To trust a connection between the Agent  | SmHost.conf on the Agent;          |
|                        | and the Policy Server                    | TrustedHost.secret object in the   |
|                        |                                          | Policy Store                       |
(1)
(2)
A key store key is used to encrypt agent and session ticket keys in
a separately configured key store. The key store key is kept in the
registry (or UNIX equivalent) encrypted with the policy store key.
(3)
sharedsecrettime parameter in the Web Agent SmHost.conf
The sharedsecrettime value records when the shared secret in SmHost.conf
was last updated. If shared secret rollover was enabled when the trusted
host was registered, the shared secrets of trusted hosts can be rolled
over either manually or periodically from the AdminUI.
(4)
Enabling key generation in a mixed-environment Policy Server configuration
(5)
Agent Key synchronization issue among distributed Policy Servers
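The question at the top (SSO after consolidating several Policy Store and Key Store configurations) and the synchronization issue in (5) both come down to one fact from the table: cookies are encrypted with the agent keys, and agents get those keys from the key store their Policy Server uses. The following Python model is an added example written for this page; it is not SiteMinder code, its HMAC-SHA256 counter-mode cipher is a stand-in for the real cookie cipher, the future agent key is omitted, and the mapping of persistent cookies to the static key and session cookies to the current dynamic key is an assumption of the model. The names KeyStore, Agent, sso_between and cookie_survives_rollovers are the model's own.

```python
"""Added illustration (not SiteMinder code): a model of how agent keys,
the key store they come from, and dynamic key rollover decide whether a
cookie issued in one environment can be read in another."""
import hashlib
import hmac
import secrets
from typing import Optional

SESSION = b"user=alice;sessionid=abc123"  # constructed sample cookie payload


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the real cookie cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_cookie(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || 16-byte tag, so a wrong key is detected, not silently wrong."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_cookie(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the key does not match (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    """The agent keys one key store holds: a dynamic current/previous pair
    plus a static key. Policy Servers bound to the same store hand out the
    same keys; separate stores generate and roll their keys independently."""

    def __init__(self) -> None:
        self.current = secrets.token_bytes(32)
        self.previous: Optional[bytes] = None
        self.static = secrets.token_bytes(32)

    def rollover(self) -> None:
        """Dynamic key rollover: current becomes previous, a new current is generated."""
        self.previous, self.current = self.current, secrets.token_bytes(32)


class Agent:
    """A web agent uses the keys of the key store its Policy Server is bound to."""

    def __init__(self, keystore: KeyStore) -> None:
        self.ks = keystore

    def make_cookie(self, session: bytes, persistent: bool = False) -> bytes:
        # Model assumption: persistent cookies use the static key,
        # session cookies the current dynamic key.
        key = self.ks.static if persistent else self.ks.current
        return encrypt_cookie(key, session)

    def read_cookie(self, blob: bytes) -> Optional[bytes]:
        # Try current, then previous (the rollover window), then static.
        for key in (self.ks.current, self.ks.previous, self.ks.static):
            if key is not None:
                session = decrypt_cookie(key, blob)
                if session is not None:
                    return session
        return None


def sso_between(issuer: Agent, consumer: Agent, persistent: bool = False) -> bool:
    """Can a cookie minted by `issuer` be consumed by `consumer`?"""
    return consumer.read_cookie(issuer.make_cookie(SESSION, persistent)) == SESSION


def cookie_survives_rollovers(n: int) -> bool:
    """Is a session cookie still readable after n dynamic key rollovers?"""
    ks = KeyStore()
    agent = Agent(ks)
    blob = agent.make_cookie(SESSION)
    for _ in range(n):
        ks.rollover()
    return agent.read_cookie(blob) == SESSION


if __name__ == "__main__":
    env_a, env_b = KeyStore(), KeyStore()  # two environments, two key stores
    print("separate key stores, SSO:", sso_between(Agent(env_a), Agent(env_b)))
    shared = KeyStore()  # consolidated single key store
    print("single key store, SSO:   ", sso_between(Agent(shared), Agent(shared)))
    print("cookie after 1 rollover: ", cookie_survives_rollovers(1))
    print("cookie after 2 rollovers:", cookie_survives_rollovers(2))
```

Two things the model makes concrete. First, with separate key stores neither the static nor the dynamic keys agree, so no cookie from one environment is readable in the other; binding every Policy Server to the single consolidated key store is what makes the keys agree, and the static key must be identical on every side for cookies that depend on it. Second, a dynamic rollover is tolerated only because agents keep the previous key: a cookie survives one rollover and not two, so Policy Servers that roll their keys against different stores (the issue named in (5)) break SSO for every cookie issued before the divergence.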