
Unable to make SSO between multiple Policy Servers infrastructures due to "Invalid Key in Use" error.


Article ID: 53411


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

 

Trying to set up Single Sign-On between two different Policy Server
infrastructures. Each Policy Server has its own Key Store with its
own encryption key, and both Policy Servers share the same Agent Static
Key. However, SSO does not happen.

SiteMinder Profiler shows the following error:

    "Invalid Key in Use."

 

Environment

 

Policy Server all versions

 

Resolution

 

The issue occurs because the Policy Server is unable to decrypt the
session ticket.

    "Invalid Key in Use"

is usually thrown when there is a problem with the Session Ticket Key.

A technical description of this error is as follows:

The Policy Server encrypts the session spec with the Session Ticket
Key before sending it to the agent upon session creation
(Authentication). The agent uses the session spec for any Validate or
Authorize calls for that session.

If the session spec is invalid, the Policy Server will be unable to
decrypt it using the Session Ticket Key, and will report the error
"Invalid key in use".

Most likely you have switched from one Policy Server to another and
either the Session Ticket Key has changed, or the Policy Server is
running with a different Policy Store Encryption Key (this value is
encrypted and stored in the EncryptionKey.txt file).

The session key value is set during initial setup of the Policy
Server; it is stored in the key store. However, in environments where
the key store is not replicated between Policy Servers, a common
static session key value must be explicitly configured in all Policy
Servers in order for Single Sign-On to work properly.

The session key value can be manually configured through the
SiteMinder Policy Server UI under "Tools -> Manage Keys" menu option.
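The following Python model is an added illustration, not part of the original article and not SiteMinder's actual cipher: an HMAC-based encrypt-then-MAC scheme stands in for encryption under the Session Ticket Key. It shows a session spec issued by one Policy Server failing validation on a second server that holds a different key, and succeeding once both servers are configured with the same key. The class, function and key names are assumptions.

```python
import hashlib
import hmac
import json
import secrets


class InvalidKeyInUse(Exception):
    """Session spec cannot be authenticated under this server's Session Ticket Key."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256 (model only, not SiteMinder's cipher).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


class PolicyServer:
    def __init__(self, name: str, session_ticket_key: bytes):
        self.name = name
        self.session_ticket_key = session_ticket_key  # value held in this server's key store

    def authenticate(self, user: str) -> bytes:
        # On authentication, build the session spec and encrypt-then-MAC it with the Session Ticket Key.
        spec = json.dumps({"user": user, "issuer": self.name}).encode()
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(spec, _keystream(self.session_ticket_key, nonce, len(spec))))
        tag = hmac.new(self.session_ticket_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def validate(self, ticket: bytes) -> dict:
        # Validate/Authorize: the agent hands the spec back; it only decrypts under the issuing key.
        nonce, ct, tag = ticket[:12], ticket[12:-32], ticket[-32:]
        expected = hmac.new(self.session_ticket_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise InvalidKeyInUse("Invalid Key in Use")
        spec = bytes(a ^ b for a, b in zip(ct, _keystream(self.session_ticket_key, nonce, len(ct))))
        return json.loads(spec)


def sso_works(issuer: PolicyServer, validator: PolicyServer, user: str = "alice") -> bool:
    """True if a session issued by `issuer` validates on `validator`."""
    try:
        return validator.validate(issuer.authenticate(user))["user"] == user
    except InvalidKeyInUse:
        return False


def demo() -> tuple:
    # Constructed scenario: two non-replicated key stores, then a common static session key.
    ps_a = PolicyServer("PS-A", secrets.token_bytes(32))
    ps_b = PolicyServer("PS-B", secrets.token_bytes(32))
    before = sso_works(ps_a, ps_b)              # False: "Invalid Key in Use"
    ps_b.session_ticket_key = ps_a.session_ticket_key  # Tools -> Manage Keys on both servers
    return before, sso_works(ps_a, ps_b)        # (False, True)
```

The shared Agent Static Key plays no part in this exchange, which is why matching agent keys alone do not give SSO.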

Effects of changing the Session Ticket Key:

  - Rollover of the session key invalidates all active user sessions,
    so these users have to re-authenticate to SiteMinder.

  - If Password Services are used, all password history data is lost,
    because the password BLOB is encrypted with the session ticket
    key.