Difference between Trusted Host Object with SharedSecret Rollover option
search cancel

Difference between Trusted Host Object with SharedSecret Rollover option

book

Article ID: 369902

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign-On

Issue/Introduction

Trusted Host Object gets created when running smreghost command.

There is an option to enable SharedSecret rollover.

This article will show both TrustedHost object that has SharedSecret rollover enabled and not.

Resolution

Following are samples extracted from policy store export file.
Actual SharedSecret values are replaced with {SharedSecretValue} for easy reference.

SmHost.conf files will look exactly the same for both use cases with no indicator to tell if SharedSecret Rollover is enabled or not.

 

[Sample#1 TrustedHost Object with static SharedSecret - Default]

<Object Class="CA.SM::TrustedHost" Xid="CA.SM::TrustedHost@24-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" CreatedDateTime="2024-05-21T06:13:22" ModifiedDateTime="2024-05-21T06:13:22" UpdatedBy="os:NT AUTHORITY/SYSTEM" UpdateMethod="Internal" ExportType="Replace">
    <Property Name="CA.SM::TrustedHost.Name">
        <StringValue>sample-trusthost</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Desc">
        <StringValue>Automatically generated TrustedHost object</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.RolloverEnabled">
        <BooleanValue>false</BooleanValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Secret" Sensitive="Yes">
        <StringValue>{SharedSecretValue:X}</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.SecretGenTime">
        <NumberValue>0</NumberValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.SecretUsedTime">
        <NumberValue>0</NumberValue>
    </Property>
</Object><!-- Xid="CA.SM::TrustedHost@24-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -->

 

[Sample#2 TrustedHost Object with SharedSecret Rollover - Optional]

<Object Class="CA.SM::TrustedHost" Xid="CA.SM::TrustedHost@24-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" CreatedDateTime="2024-06-06T04:09:46" ModifiedDateTime="2024-06-06T04:16:32" UpdatedBy="SMSTUB" UpdateMethod="Internal" ExportType="Replace">
    <Property Name="CA.SM::TrustedHost.Name">
        <StringValue>test-host</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Desc">
        <StringValue>Automatically generated TrustedHost object</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.RolloverEnabled">
        <BooleanValue>true</BooleanValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Secret" Sensitive="Yes">
        <StringValue>{SharedSecretValue:Y}</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.SecretGenTime">
        <NumberValue>0</NumberValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.SecretUsedTime">
        <NumberValue>1717647392</NumberValue>
    </Property>
</Object><!-- Xid="CA.SM::TrustedHost@24-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -->

 

When the SharedSecret is rolled over(either manually or by schedule), the TrustedHost objects having the "RolloverEnabled=true" will backup the current SharedSecret to "PrevSecret" and set a new "Secret".

And as long as the Agent picks up the DoManagement command that instructs the agent to update the SmHost.conf(User account running LLAWP will have read-write permission to SmHost.conf file) with the new Secret and if the update is successful, there would be no problem.

 

Problem is if the agent does not have the permission to update the SmHost.conf file because it will go out of sync.

 

Here is a sample trustedhost object after the sharedsecret is rolled over.

[Sample#3 - TrustedHost object after sharedsecret is rolled]

<Object Class="CA.SM::TrustedHost" Xid="CA.SM::TrustedHost@24-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" CreatedDateTime="2024-06-06T04:09:46" ModifiedDateTime="2024-06-06T04:17:29" UpdatedBy="SMSTUB" UpdateMethod="Internal" ExportType="Replace">
    <Property Name="CA.SM::TrustedHost.PrevSecret" Sensitive="Yes">
        <StringValue>{SharedSecretValue:Y}</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Name">
        <StringValue>test-host</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Desc">
        <StringValue>Automatically generated TrustedHost object</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.RolloverEnabled">
        <BooleanValue>true</BooleanValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.Secret" Sensitive="Yes">
        <StringValue>{SharedSecretValue:Z}</StringValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.SecretGenTime">
        <NumberValue>1717647449</NumberValue>
    </Property>
    <Property Name="CA.SM::TrustedHost.SecretUsedTime">
        <NumberValue>0</NumberValue>
    </Property>
</Object><!-- Xid="CA.SM::TrustedHost@24-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -->

 

With the SmHost.conf having the previous sharedsecret, the agent should still be able to handshake with Policy Server because the Policy Server can check the "PrevSecret" and it is the correct secret.

 

Powered by Wolken Software