Agent keys are used by Web Agents to encrypt and decrypt cookies passed to a user's browser. The value of an Agent key is initially set by the Policy Server when the Policy Server receives its first request from a Web Agent. The key is then used by the Web Agent to encrypt the contents of cookies it passes to the user's browser. All Web Agents in a SiteMinder deployment must use the same Agent key value to participate in a single sign-on environment.
Changing the value of Agent keys on a regular basis provides the strongest security. If keys are updated regularly, a key that may have been compromised remains in use only for a minimal amount of time.
The challenge of managing Agent keys in large organizations is that all Agent keys must be updated simultaneously. If the Agent keys in a SiteMinder installation are not all identical, communication between multiple Web Agents using single sign-on cookies cannot take place.
To address the challenge of changing all keys simultaneously, the Policy Server provides dynamic Agent key rollover. When the Policy Server is configured to use this feature, the Policy Server generates an Agent key dynamically and distributes the key to associated Web Agents. If the Web Agents are configured to work with multiple Policy Servers, new Agent keys are pushed out to these other Policy Servers in the SiteMinder installation, as well.
Note: Session timeouts must be less than two times the interval between Agent key rollovers. If a session timeout is not less than twice the interval, users may be challenged for credentials before their sessions terminate. For information about session timeouts, see the Web Agent Configuration Guide.
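The interplay between rollover and the session-timeout note above, as an added example that is not SiteMinder's own code: a constructed key ring in which the Policy Server rotates the Agent key every `interval` seconds and agents keep only the current and the previous key (an assumption about retention, not something the page states). A cookie sealed under a key that has since been rotated out cannot be read, so the user is challenged again; a cookie left idle for two full rollover intervals always fails, consistent with the page's bound of twice the interval.

```python
import hashlib
import hmac
import os


# Constructed model of the rollover behaviour described on the page,
# not CA SiteMinder code. Cookies are sealed with an HMAC tag here
# purely to show which key generation can still validate them.
class AgentKeyRing:
    def __init__(self, interval):
        self.interval = interval
        self.keys = {0: os.urandom(16)}   # key generation -> key material

    def _roll_to(self, now):
        gen = now // self.interval
        for g in range(max(self.keys) + 1, gen + 1):
            self.keys[g] = os.urandom(16)   # Policy Server issues a new key
        for g in list(self.keys):
            if g < gen - 1:
                del self.keys[g]            # only current and last key survive
        return gen

    def seal(self, session_id, now):
        """Agent writes (or refreshes) the SSO cookie under the current key."""
        gen = self._roll_to(now)
        tag = hmac.new(self.keys[gen], f"{gen}|{session_id}".encode(),
                       hashlib.sha256).hexdigest()
        return (gen, session_id, tag)

    def open(self, cookie, now):
        """Agent validates a cookie; False means the user is re-challenged."""
        self._roll_to(now)
        gen, session_id, tag = cookie
        key = self.keys.get(gen)
        if key is None:
            return False                    # key rotated out of the ring
        expect = hmac.new(key, f"{gen}|{session_id}".encode(),
                          hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, tag)


def cookie_readable_after_idle(interval, issued_at, idle):
    """Seal a cookie at issued_at and try to read it `idle` seconds later."""
    ring = AgentKeyRing(interval)
    cookie = ring.seal("sess-42", issued_at)   # constructed session id
    return ring.open(cookie, issued_at + idle)


def timeout_fits_rollover(session_timeout, interval):
    """The page's configuration rule: timeout must be under twice the interval."""
    return session_timeout < 2 * interval
```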
Copyright © 2010 CA. All rights reserved.