When you register a trusted host, the installation process:
If you enabled shared secret rollover when registering a trusted host, you can roll over the shared secrets for trusted hosts either manually or periodically.
During a manual or periodic shared secret rollover, shared secrets are only rolled over for agents that were configured at installation to allow rollovers.
Note: For more information about installing web agents and registering trusted hosts, see the CA SiteMinder® Web Agent Installation Guide.
Shared secret rollover occurs automatically only on servers that are configured to enable agent key generation. You enable agent key generation by selecting the Enable Agent Key Generation check box in the Keys tab of the Policy Server Management Console. This setting is enabled by default.
Important! We recommend that you only enable one Policy Server to generate keys. If there are multiple policy stores in an environment, but only a single shared key store, not all shared secrets roll over automatically. The shared secrets are only rolled over automatically if the Policy Server to which the policy store is configured is enabled for key generation. All other policy stores require that you execute a rollover manually.
Use one of the following to roll over the shared secret manually:
Note: The shared secret policy object is kept in the key store. All policy stores that share the same key store share the same secret. The shared secrets themselves are kept in the trusted host objects, which are part of the policy store.
The Policy Server supports manual and periodic rollover of shared secrets for trusted hosts.
Periodic rollovers can be configured hourly, daily, weekly, or monthly; one hour is the shortest allowable period between rollovers. The Policy Server initiates periodic rollovers based on the age of the shared secret for each trusted host, rather than at a specific time of the day, week, or month. By rolling over each shared secret as it expires, the processing associated with the rollover is distributed over time, and avoids placing a heavy processing load on the Policy Server.
If you use the manual rollover feature, future periodic rollovers will generally be clustered together for all trusted hosts, since the manual rollover sets new shared secrets for all trusted hosts that allow shared secret rollover.
Important! If you enable key generation on more than one Policy Server associated with a single policy store, the same shared secret can be rolled over more than once in a short period of time due to object store propagation delays. This can result in orphaned hosts whose new shared secrets have been discarded. To avoid this potential problem, enable shared secret rollover for a single Policy Server per policy store.
To configure shared secret rollover for trusted hosts
The Shared Secret Rollover pane opens.
Rollover Frequency
Enter an integer for the number of times a rollover should occur. This number works together with the value of the rollover period.
Rollover Period
From the pull-down list, select Hours, Days, Weeks or Months for the occurrence of the rollover.
The Policy Server begins the process of rolling over shared secrets for all trusted hosts configured to allow shared secret rollover. The rollover may take some time depending on the number of trusted hosts in your deployment.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|