Configuring and Managing Encryption Keys
This section contains the following topics:
- Policy Server Encryption Keys Overview
- Key Management Overview
- FIPS 140-2
- Agent Keys
- Dynamic Agent Key Rollover
- Static Keys
- Session Ticket Keys
- Key Management Scenarios
- Reset the r6.x Policy Store Encryption Key
- Reset the r12.x Policy Store Encryption Key
- Configure Agent Key Generation
- Manage Agent Keys
- Manage the Session Ticket Key
- Shared Secret for a Trusted Host
Policy Server Encryption Keys Overview
The Policy Server and Agents use encryption keys to encrypt and decrypt sensitive data passed between Policy Servers and Agents in a SiteMinder environment.
- Agent keys are used to encrypt SiteMinder cookies. All agents in a single sign-on environment share the same agent keys, because each agent must be able to decrypt cookies encrypted by any other agent. Agent keys are managed by the Policy Server and distributed to agents periodically.
- Session ticket keys are used by the Policy Server to encrypt session tickets. A session ticket contains the user credentials and other information relating to the session. Agents embed session tickets in SiteMinder cookies but cannot read their contents, because session ticket keys never leave the Policy Server.
Both types of keys are kept in the Policy Server's key store and distributed to Agents at runtime. By default, the key store is part of the Policy Store, but a separate key store database can be created if desired.
Other, special keys are:
- A policy store key is used to encrypt certain data in the policy store. The policy store key is stored, encrypted, in an on-disk file. The Policy Server encrypts the policy store key using a proprietary technique. The policy store key is derived from the encryption key specified when you installed the Policy Server.
- A key store key is used to encrypt agent and session ticket keys in a separately configured key store. The key store key is kept in the registry (or UNIX equivalent) encrypted with the policy store key.
Copyright © 2012 CA.
All rights reserved.