How does the manual shared secret rollover work?

Article ID: 51135

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

How does the manual shared secret rollover work? Does the SmHost.conf file get updated, and if so, when?

Solution:

The shared secret rollover mechanism works as follows:

  1. While registering the host (the Web Agent/web server machine) with the Policy Server, enable the "Enable Shared Secret Rollover" checkbox in the Web Agent Configuration wizard.

  2. The administrator issues the Shared Secret Rollover command from the SiteMinder Admin UI.

  3. The Policy Server rolls over the shared secret and updates it in the policy store.

  4. The new shared secret is delivered to the host during the handshake between the agent and the Policy Server. This happens in one of the following two ways:

    1. New connection - When a new connection request from the Web Agent (at startup, after a timeout, or otherwise) requires a handshake, the shared secret is updated at the host.

    2. Existing connection - After successfully negotiating a new connection using the current secret, the Policy Server records the "last check time", i.e. the last time the trusted host object was checked for a new secret, and the "shared secret time", i.e. the timestamp of the shared secret used to authenticate the host.

Then, each time a request is received on an existing connection and the current time is 15 minutes or more past the "last check time", the trusted host object is checked (by comparing the shared secret timestamp) to see whether a rollover has occurred. If it has, the connection is immediately marked as expired in order to force a new handshake and deliver the new secret to the host. SmHost.conf is updated when this happens.
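The following Python is an added illustration of the check in steps 4.1 and 4.2 above, not SiteMinder Policy Server code; the class and function names and the integer epoch-second timestamps are assumptions made for the model.

```python
from dataclasses import dataclass
# Model of the rollover check described in the article (not Policy Server code).
# Names and plain integer epoch seconds are assumptions for this illustration.
CHECK_INTERVAL = 15 * 60  # 15 minutes, as stated in the article

@dataclass
class TrustedHost:
    """Trusted host object in the policy store: current secret and its timestamp."""
    name: str
    shared_secret: str
    secret_time: int

@dataclass
class Connection:
    """An existing agent connection as the Policy Server tracks it."""
    host: TrustedHost
    shared_secret_time: int  # timestamp of the secret this connection authenticated with
    last_check_time: int     # last time the trusted host object was checked for a new secret
    expired: bool = False

def rollover(host, new_secret, now):
    """Admin-issued rollover: the Policy Server writes the new secret to the policy store."""
    host.shared_secret = new_secret
    host.secret_time = now

def handshake(host, now):
    """New connection: the handshake delivers the secret currently in the store to the host."""
    conn = Connection(host, shared_secret_time=host.secret_time, last_check_time=now)
    return conn, host.shared_secret  # the agent persists this secret in SmHost.conf

def on_request(conn, now):
    """Request on an existing connection; True if it was expired to force a new handshake."""
    if conn.expired:
        return True
    if now - conn.last_check_time < CHECK_INTERVAL:
        return False  # fewer than 15 minutes since the last check: skip the store lookup
    conn.last_check_time = now
    # Compare the store's secret timestamp with the one this connection authenticated with
    conn.expired = conn.host.secret_time != conn.shared_secret_time
    return conn.expired

def demo():
    host = TrustedHost("webagent01", "secret-A", secret_time=1_000)
    conn, first_secret = handshake(host, now=1_000)
    rollover(host, "secret-B", now=1_300)
    throttled = on_request(conn, now=1_500)                  # 500 s since last check: no lookup
    detected = on_request(conn, now=1_000 + CHECK_INTERVAL)  # 15 min elapsed: rollover detected
    conn2, new_secret = handshake(host, now=2_000)           # forced handshake delivers secret-B
    return [first_secret, throttled, detected, new_secret, on_request(conn2, now=3_000)]
```

Note that a rollover is seen on an existing connection only at the next check after the 15-minute window elapses, which is why the model's first request after the rollover is not yet expired.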

Environment

Release:
Component: SMPLC