

Manage Agent Keys

The SiteMinder Key Management dialog box, which you access from the Administrative UI, enables you to configure periodic Agent key rollovers, execute manual rollovers, and change the static key. It also enables you to manage the session ticket key.

Note: To manage keys, you must log into the Administrative UI using an account with the Manage Keys and Password Policies privilege. For more information, see the Policy Server Configuration Guide.

More information:

Manage the Session Ticket Key

Configure Periodic Key Rollover

The Policy Server supports periodic Agent key rollovers at the following frequencies:

The shortest allowable period between rollovers is one hour.

Note: Be sure that your operating system is configured to adjust the system time for daylight saving time. A system that is not configured for daylight saving time can offset key rollover by one hour.

Follow these steps:

  1. Access the Policy Server Management Console and open the Keys tab.
  2. Select Enable Agent Key Generation and click OK.
  3. Log in to the Administrative UI.
  4. Click Administration, Policy Server.
  5. Click Key Management, Agent Key Management.
  6. Select Use dynamic Agent key in the Agent Key section.

    Important! After selecting Use dynamic Agent key, you cannot click Rollover Now until you save the periodic key rollover configuration settings.

  7. Select Automatic key rollover in the Dynamic key Detail section.
  8. Click Set rollover frequency.
  9. Specify the frequency at which the rollovers must occur.
  10. Click OK.
  11. Click Submit.

    Agent key rollover is configured.

Manually Roll Over the Key

You can roll over dynamic agent keys manually. This feature:

Follow these steps:

  1. Access the Policy Server Management Console and open the Keys tab.
  2. Select Enable Agent Key Generation and click OK.
  3. Log in to the Administrative UI.
  4. Click Administration, Policy Server.
  5. Click Key Management, Agent Key Management.
  6. Select Use dynamic Agent key in the Agent Key section.
  7. Select Manual key rollover in the Dynamic key detail section.
  8. Click Rollover Now.

    The Policy Server generates new agent keys immediately. Unless you manually execute an agent key rollover, the Policy Server does not generate new dynamic keys automatically.

Note: Do not click this button multiple times, unless you want to roll over keys more than once.

Web agents pick up the new keys the next time they poll the Policy Server. This action can take up to 3 minutes due to cache synchronization. If you want to use an entirely new set of keys for security reasons, roll over dynamic keys twice. This action removes the old key and the current key from the key store.

Coordinate Agent Key Management and Session Timeouts

You must coordinate the updating of agent keys and session timeouts or you may invalidate cookies that contain session information. This coordination is critical because the person designing policies in your organization may be different than the person configuring dynamic key rollover.

Session timeouts should be less than or equal to two times the interval configured between Agent key rollovers. If an administrator configures an agent key rollover to occur two times before a session expires, cookies written by the Web Agent before the first key rollover will no longer be valid and users will be re-challenged for their identification before their session terminates.

For example, if you configure key rollover to occur every three hours, you should set the Maximum Session timeout to six hours or less to ensure that multiple key rollovers do not invalidate the session cookie.
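The following is an added example, not SiteMinder code: it models the key store described above (the current dynamic key plus the previous one), shows why a cookie written before two rollovers can no longer be decrypted, and checks a proposed Maximum Session timeout against the rule that it must not exceed twice the rollover interval. The class and function names are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

MIN_ROLLOVER_HOURS = 1.0  # shortest allowable period between rollovers


@dataclass
class AgentKeyStore:
    """Hypothetical model: the store keeps only the current and the previous key."""
    current: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    old: Optional[bytes] = None
    rollovers: int = 0

    def rollover(self) -> None:
        # The current key becomes the old key; the previous old key is dropped.
        self.old, self.current = self.current, secrets.token_bytes(16)
        self.rollovers += 1

    def can_decrypt(self, key: bytes) -> bool:
        # A cookie is readable only while its key is still current or old.
        return key == self.current or key == self.old


def cookie_survives_rollovers(rollovers: int) -> bool:
    """Write a cookie with today's key, roll over N times, report readability."""
    store = AgentKeyStore()
    cookie_key = store.current          # key the Web Agent used to write the cookie
    for _ in range(rollovers):
        store.rollover()
    return store.can_decrypt(cookie_key)


def max_session_timeout_hours(rollover_interval_hours: float) -> float:
    """Largest Maximum Session timeout compatible with the rollover interval."""
    if rollover_interval_hours < MIN_ROLLOVER_HOURS:
        raise ValueError("rollover interval must be at least one hour")
    return 2 * rollover_interval_hours


def session_timeout_is_safe(rollover_interval_hours: float,
                            session_timeout_hours: float) -> bool:
    """True when the timeout cannot span two rollovers of the dynamic key."""
    return session_timeout_hours <= max_session_timeout_hours(rollover_interval_hours)


if __name__ == "__main__":
    print("cookie readable after 1 rollover:", cookie_survives_rollovers(1))
    print("cookie readable after 2 rollovers:", cookie_survives_rollovers(2))
    print("3h rollover, 6h timeout safe:", session_timeout_is_safe(3, 6))
    print("3h rollover, 7h timeout safe:", session_timeout_is_safe(3, 7))
```

Rolling over twice, as the manual rollover section notes, leaves neither the original key nor its successor in the store, which is exactly what makes a timeout longer than two intervals unsafe.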

Change Static Keys

You can change the static Agent key that web agents use to encrypt identity information for certain features.

Important! We do not recommend changing the static key. Change the static key only in extreme situations, such as security breaches. This action can cause some CA SiteMinder® features to lose the data they require to function properly. Features that establish and use an identity stored in a persistent cookie will no longer work. Authenticated users can be forced to log in again before single sign-on functions across multiple CA SiteMinder® installations.

A static key can also be used to maintain a single sign-on environment that requires multiple Policy Servers and multiple master key stores.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Administration, Policy Server.
  3. Click Key Management, Agent Key Management.
  4. Select Use static Agent key in the Agent Key section.
  5. Do one of the following:
  6. Click Rollover Now.
  7. Click Submit.

    The static key rolls over within 3 minutes.