When running a Web Agent Option Pack, it cannot decrypt the zone SMSESSION cookie and reports:
Tried out all the decrypt keys, decryption failed..
FWSTrace:
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Checking for valid SESSION cookies.]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
The following line would be expected in the Policy Server log, but there is no such line showing a rollover of the keys:
[3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO][sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server
There are 2 environments:
Web Agent 12.52SP1CR04 on IIS 7.5 64bit on Windows 2008R2;
Web Agent Option Pack 12.52SP1CR04 on Tomcat 7.0.63 with JDK 1.7.0_65 64bit on Windows 2008R2;
connected to:
1 Policy Store on SQL 2012 Always On in Compatibility 100 for 12.52 Policy Server;
1 Shared Key Store on SQL 2008;
1 Policy Server 12.52SP1CR04;
Parallel environment:
2 Policy Servers 12SP3CR11;
1 Policy Server 12SP3CR11 rolls the keys at 03:00 every morning;
1 Policy Store on SQL 2008 for 12SP3CR01 Policy Server.
When a single Policy Server generates encryption keys in an environment with multiple Policy Servers that connect to disparate policy stores, but share a central key store, an additional registry setting is required.
This registry setting configures each Policy Server to poll the common key store and retrieve new encryption keys at regular intervals.
Setting the following registry value to 1 on the 12.52SP1CR04 Policy Server solved the issue (1):
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore\EnableKeyUpdate=1
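The following PowerShell helper is an added example, not part of the original article or of the product: it reads the EnableKeyUpdate value on a Policy Server, counts the "Tried out all the decrypt keys" failures in an Option Pack FWSTrace file, and applies the registry fix only when both symptoms match and $Apply is set. It assumes the value is a DWORD and that $TracePath (a placeholder) points at a copy of the FWSTrace reachable from the Policy Server host.

```powershell
# Added diagnostic helper, not from the original article.
# Assumptions: the ObjectStore registry path quoted above, EnableKeyUpdate stored as DWORD,
# and a placeholder FWSTrace path (the trace normally lives on the Option Pack / Tomcat host).
$ObjectStoreKey = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore'
$TracePath      = 'C:\PLACEHOLDER\FWSTrace.log'   # placeholder path to the Option Pack trace
$Apply          = $false                          # set to $true to write the registry fix

function Get-SmEnableKeyUpdate {
    # Returns the current EnableKeyUpdate value, or $null when the value does not exist.
    $props = Get-ItemProperty -Path $ObjectStoreKey -Name 'EnableKeyUpdate' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.EnableKeyUpdate
}

function Set-SmEnableKeyUpdate {
    # Sets EnableKeyUpdate=1 so this Policy Server polls the shared key store for new keys.
    if (-not (Test-Path $ObjectStoreKey)) { New-Item -Path $ObjectStoreKey -Force | Out-Null }
    Set-ItemProperty -Path $ObjectStoreKey -Name 'EnableKeyUpdate' -Value 1 -Type DWord
}

function Get-SmDecryptFailureCount {
    # Counts FWSTrace lines carrying the decryption error quoted in the article.
    if (-not (Test-Path $TracePath)) { return 0 }
    $hits = Select-String -Path $TracePath -SimpleMatch 'Tried out all the decrypt keys'
    return ($hits | Measure-Object).Count
}

$current  = Get-SmEnableKeyUpdate
$failures = Get-SmDecryptFailureCount
$shown    = if ($null -eq $current) { '<not set>' } else { $current }
"EnableKeyUpdate = $shown; SMSESSION decrypt failures in FWSTrace: $failures"

if ($current -ne 1 -and $failures -gt 0) {
    "Symptoms match the article: EnableKeyUpdate is not 1 and the Option Pack cannot decrypt SMSESSION."
    if ($Apply) {
        Set-SmEnableKeyUpdate
        "EnableKeyUpdate is now $(Get-SmEnableKeyUpdate) on this Policy Server."
    } else {
        "Re-run with `$Apply = `$true to set EnableKeyUpdate=1."
    }
}
```

Run it on each Policy Server that reads the shared key store; the article's fix applied to the 12.52SP1CR04 server, and the registry write needs an elevated session.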