Policy Server Guides › Policy Server Administration Guide › Configuring and Managing Encryption Keys

Configuring and Managing Encryption Keys

This section contains the following topics:

Policy Server Encryption Keys Overview

Key Management Overview

FIPS 140-2

Agent Keys

Dynamic Agent Key Rollover

Static Keys

Session Ticket Keys

Key Management Scenarios

Reset the r6.x Policy Store Encryption Key

Reset the r12.x Policy Store Encryption Key

Configure Agent Key Generation

Manage Agent Keys

Manage the Session Ticket Key

Shared Secret for a Trusted Host

Policy Server Encryption Keys Overview

The Policy Server and Agents use encryption keys to encrypt and decrypt sensitive data passed between Policy Servers and Agents in a SiteMinder environment.

Agent keys are used to encrypt SiteMinder cookies that may be read by all agents in a single sign-on environment, and are shared by all agents in a single sign-on environment, since each agent must be able to decrypt cookies encrypted by the other agents. Agent keys are managed by the Policy Server, and distributed to agents periodically.
Session ticket keys are used by the Policy Server to encrypt session tickets. Session tickets contain credentials and other information relating to a session (including user credentials). Agents embed session tickets in SiteMinder cookies, but cannot access the contents since they do not have access to session ticket keys which never leave the Policy Server.

Both types of keys are kept in the Policy Server's key store and distributed to Agents at runtime. By default, the key store is part of the Policy Store, but a separate key store database can be created if desired.

Other, special keys are:

A policy store key is used to encrypt certain data in the policy store. The policy store key is stored, encrypted, in an on-disk file. The Policy Server encrypts the policy store key using a proprietary technique. The policy store key is derived from the encryption key specified when you installed the Policy Server.
A key store key is used to encrypt agent and session ticket keys in a separately configured key store. The key store key is kept in the registry (or UNIX equivalent) encrypted with the policy store key.