Unable to make SSO between multiple Policy Servers infrastructures due to "Invalid Key in Use" error.
search cancel

Unable to make SSO between multiple Policy Servers infrastructures due to "Invalid Key in Use" error.


Article ID: 53411


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


- Implementation of SSO between two different Siteminder infrastructures.

- Each Policy Server has its own Key Store with its own encryption key and both Policy Servers have the same Agent Static Keys but SSO still failing with following message

    "Invalid Key in Use."




Policy Server all versions




The issue is because the Policy Server is unable to decrypt session ticket.

  'Invalid Key in Use' 

is usually thrown when there is a problem with the Session Ticket Key.

A technical description of this error is as follows:

The Policy Server encrypts the session spec with the Session Ticket Key before sending it to the agent upon session creation (Authentication) where the Agent builds the SMSESSION cookie that included the session ID and session Spec from Policy server Auth response.

If the Session ticket key must be the same in both Siteminder Infrastructures otherwise the policy Server Validating the session will not be able to decrypt the session spec resulting in such issue.

Recommendations is to use the  smkeyexport tool with -c switch (for clear text key export) to export from both  siteminder (policy Server) infrastructures  which will show the agent keys and Session ticket keys in clear text so you can compare and make sure it matches.

you can always reset the Agent keys on one of the Policy Servers either by using the Adminui (Tools -> Manage Keys" menu option) or importing the exported keys from one environment to the other using smkeyimport -c switch which will insure that Agent and session ticket keys are in sync in both.

If the session spec is invalid, the Policy Server will be unable to decrypt it using the Session Ticket Key, and will report the error "Invalid key in use".

Session ticket changes effects:

  - Rollover of the session key will result in active user sessions
    being invalidated, consequently resulting in these users having to
    re-authenticate to SiteMinder.

  - If password services are used all password history data is lost,
    this is because the password BLOB is encrypted with the session