I'm running a Web Agent Option Pack; it cannot decrypt the zone SMSESSION cookie and reports:
FWSTrace:
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]
[SSO.java][processRequest][Request to validate the session
[CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]
[FWSBase.java][isValidSession][Checking for valid SESSION cookies.]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]
[FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]
[FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]
[FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message:
Tried out all the decrypt keys, decryption failed..]
I would expect to see the following log line in the Policy Server 12.52SP1CR04 log, but I don't find it:
[3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO]
[sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server
How can I solve it?
When a single Policy Server generates encryption keys in an environment with multiple Policy Servers that connect to disparate policy stores, but share a central key store, an additional registry setting is required. This registry setting configures each Policy Server to poll the common key store and retrieve new encryption keys at a regular interval.
Setting the following Policy Server 12.52SP1CR04 registry value to 1 solved the issue:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore\EnableKeyUpdate= 1
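The two halves of this answer (checking and setting EnableKeyUpdate, and confirming from the logs whether the agent is still failing to decrypt SMSESSION while the Policy Server never picks up new keys) can be scripted. The following PowerShell is an added example written for this page; it is not code from the original post, from CA/Broadcom, or from SiteMinder itself. It assumes a Windows Policy Server using the Wow6432Node registry path shown above; the service display name 'SiteMinder Policy Server' and the need to restart the service after the change are assumptions, not something the page states, so the restart is opt-in. The sample log lines are constructed from the lines quoted in the question.

```powershell
# Added example, not from the original post or from CA/Broadcom documentation.
# Assumptions: Policy Server on Windows under the Wow6432Node path given in the
# answer; service display name 'SiteMinder Policy Server' and the restart after
# the registry change are assumptions (the page does not state them).
Set-StrictMode -Version Latest

$ObjectStoreKey = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore'

# Returns the current EnableKeyUpdate DWORD, or $null when the value (or key) is absent.
function Get-SmKeyUpdateSetting {
    param([string]$Path = $ObjectStoreKey)
    $item = Get-ItemProperty -Path $Path -Name 'EnableKeyUpdate' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent: this Policy Server does not poll the key store
    return [int]$item.EnableKeyUpdate
}

# Sets EnableKeyUpdate = 1; supports -WhatIf / -Confirm like a normal cmdlet.
function Enable-SmKeyUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $ObjectStoreKey,
        [switch]$RestartService,
        [string]$ServiceDisplayName = 'SiteMinder Policy Server'   # assumption, see lead-in
    )
    if (-not (Test-Path -Path $Path)) {
        throw "ObjectStore key not found at $Path; is this host a Policy Server?"
    }
    $current = Get-SmKeyUpdateSetting -Path $Path
    if ($current -eq 1) {
        Write-Verbose "EnableKeyUpdate is already 1 under $Path"
    }
    elseif ($PSCmdlet.ShouldProcess($Path, 'Set EnableKeyUpdate (DWORD) = 1')) {
        # -Force creates the value when it is missing and overwrites a wrong type or value.
        New-ItemProperty -Path $Path -Name 'EnableKeyUpdate' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($RestartService -and $PSCmdlet.ShouldProcess($ServiceDisplayName, 'Restart service')) {
        Restart-Service -DisplayName $ServiceDisplayName   # assumption: setting is read at startup
    }
}

# Correlates the agent symptom (FWSTrace: all decrypt keys tried, decryption failed)
# with the Policy Server evidence the question was looking for (sm-Server-04710).
function Test-SmKeyRolloverEvidence {
    param(
        [string[]]$FwsTraceLines,
        [string[]]$PolicyServerLogLines
    )
    $decryptFailures = @($FwsTraceLines |
        Where-Object { $_ -match 'Could not decrypt\s*SMSESSION cookie' })
    $rollovers = @($PolicyServerLogLines |
        Where-Object { $_ -match 'sm-Server-04710' -or $_ -match 'Key Roll over Request' })
    [pscustomobject]@{
        DecryptFailures      = $decryptFailures.Count
        KeyRolloverEvents    = $rollovers.Count
        # Agent cannot decrypt and the Policy Server log never shows key activity:
        # the pattern this answer resolves with EnableKeyUpdate = 1.
        LikelyStaleAgentKeys = ($decryptFailures.Count -gt 0 -and $rollovers.Count -eq 0)
    }
}

# Constructed sample lines, taken from the question's log excerpts.
$sampleFwsTrace = @(
    '[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]',
    '[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]'
)
$sampleSmpsLog = @(
    '[3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO][sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server'
)

# Before the fix: decrypt failures on the agent, nothing in the Policy Server log.
Test-SmKeyRolloverEvidence -FwsTraceLines $sampleFwsTrace -PolicyServerLogLines @()
# After the fix: the key-management line is present.
Test-SmKeyRolloverEvidence -FwsTraceLines $sampleFwsTrace -PolicyServerLogLines $sampleSmpsLog

# Apply the registry change (dry run first, then for real):
#   Enable-SmKeyUpdate -WhatIf
#   Enable-SmKeyUpdate -RestartService -Verbose
```

Run the dry run from an elevated PowerShell on the Policy Server host; `Get-SmKeyUpdateSetting` returning `$null` rather than `0` is the common case, since the value is simply missing until someone creates it. For real logs, feed `Get-Content FWSTrace.log` and `Get-Content smps.log` to `Test-SmKeyRolloverEvidence` instead of the constructed arrays.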