
Unable to make SSO between multiple Policy Servers infrastructures due to "Invalid Key in Use" error.


Article ID: 53411


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



Trying to make Single Sign On between 2 different Policy Servers
infrastructures. Every Policy Server has its own Key Store with its
own encryption key and both Policy Server have the same Agent Static
Key. However SSO doesn't happen.

SiteMinder Profiler shows the following error:

    "Invalid Key in Use."




Policy Server all versions




The issue is because the Policy Server is unable to decrypt session

'Invalid Key in Use' is usually thrown when there is a problem with the
Session Ticket Key.

A technical description of this error is as follows:

The Policy Server encrypts the session spec with the Session Ticket
Key before sending it to the agent upon session creation
(Authentication). The agent uses the session spec for any Validate or
Authorize calls for that session.

If the session spec is invalid, the Policy Server will be unable to
decrypt it using the Session Ticket Key, and will report the error
"Invalid key in use".

Most likely you have switched from one policy server to another and
either the Session Ticket key has changed, or else the policy server
is running with a different Policy Store Encryption key (this value is
encrypted and stored in EncryptionKey.txt file).

The session key value is set during initial setup of the Policy
Server; it is stored in the Key Store. However, in environments where
the Key Store is not replicated between Policy Servers, a common
static session key value must be explicitly configured in all Policy
Servers in order for Single Sign On to work properly.

The session key value can be manually configured through the
SiteMinder Policy Server UI under "Tools -> Manage Keys" menu option.
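The following is an added illustration, not CA/SiteMinder code: it models two Policy Servers that each seal a session spec with their own Session Ticket Key, so the peer's Validate call fails exactly as described above, and then shows that configuring one common static key across both servers restores SSO. It also shows why rolling the key invalidates sessions created under the old key. The cipher (HMAC-SHA256 in counter mode with an HMAC tag) is a standard-library stand-in chosen so the script runs offline; the page does not specify SiteMinder's real algorithm, so this is an assumption, as are the `PolicyServer` class and the session-spec fields.

```python
import hashlib
import hmac
import json
import secrets


class InvalidKeyInUse(Exception):
    """Raised when a session spec cannot be decrypted with this server's Session Ticket Key."""


def new_key() -> bytes:
    """Fresh 256-bit Session Ticket Key (constructed sample value)."""
    return secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 run in counter mode (assumed, not SiteMinder's algorithm).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a mismatch means the blob was sealed under a different key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise InvalidKeyInUse("Invalid Key in Use.")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


class PolicyServer:
    """Minimal model of a Policy Server holding one Session Ticket Key (assumed shape)."""

    def __init__(self, name: str, session_ticket_key: bytes):
        self.name = name
        self.session_ticket_key = session_ticket_key

    def authenticate(self, user: str) -> bytes:
        # Session creation: the session spec is sealed with the Session Ticket Key
        # before it is handed to the agent.
        spec = json.dumps({"user": user, "issuer": self.name}).encode()
        return seal(self.session_ticket_key, spec)

    def validate(self, session_spec: bytes) -> dict:
        # Validate/Authorize: the agent presents the spec; only the right key opens it.
        return json.loads(unseal(self.session_ticket_key, session_spec))

    def rollover(self) -> None:
        # Rolling the key orphans every spec sealed under the previous key.
        self.session_ticket_key = new_key()


def sso_works(issuer: PolicyServer, validator: PolicyServer, user: str = "alice") -> bool:
    """True if a session created on `issuer` validates on `validator`."""
    try:
        validator.validate(issuer.authenticate(user))
        return True
    except InvalidKeyInUse:
        return False


def demo() -> dict:
    """Walk through the three states the article describes; returns the observed outcomes."""
    ps1 = PolicyServer("ps1", new_key())        # separate Key Store, own key
    ps2 = PolicyServer("ps2", new_key())        # separate Key Store, own key
    before = sso_works(ps1, ps2)                # expected: False, "Invalid Key in Use"

    shared = new_key()                          # the common static session key (Tools -> Manage Keys)
    ps1.session_ticket_key = shared
    ps2.session_ticket_key = shared
    after = sso_works(ps1, ps2)                 # expected: True

    old_spec = ps1.authenticate("alice")
    ps1.rollover()                              # key rollover
    try:
        ps1.validate(old_spec)
        survived = True
    except InvalidKeyInUse:
        survived = False                        # user must re-authenticate
    return {"sso_before_shared_key": before, "sso_after_shared_key": after,
            "old_session_survives_rollover": survived}


if __name__ == "__main__":
    print(demo())
```

The tag check is what turns a key mismatch into a clean "Invalid Key in Use" instead of silently decrypting to garbage, which is the behaviour the Profiler error reflects; the same check is why a rollover cannot be made transparent to sessions issued under the previous key.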

Effects of changing the Session Ticket Key:

  - Rollover of the session key will result in active user sessions
    being invalidated, consequently resulting in these users having to
    re-authenticate to SiteMinder.

  - If Password Services are used, all password history data is lost,
    because the password BLOB is encrypted with the session