When you register a trusted host, the installation process automatically generates a shared secret for the Web Agent and stores that shared secret in the SmHost.conf file, the Host Configuration file. If you choose to enable shared secret rollover when registering a trusted host, you can rollover the shared secrets for trusted hosts. You can rollover shared secrets manually or periodically.
During a manual or periodic shared secret rollover, shared secrets are only rolled over for Agents that were configured at installation to allow rollovers.
For information about installing Web Agents and registering trusted hosts, see the SiteMinder Web Agent Installation Guide.
Shared secret rollover occurs automatically only on servers that are configured to enable Agent key generation. You enable Agent key generation by selecting the Enable Agent Key Generation check box in the Keys tab of the Policy Server Management Console. This setting is enabled by default.
Important! We recommend that only one Policy Server be enabled to generate keys. If there are multiple policy stores in an environment, but only a single shared key store, the shared secrets in the policy store are rolled over automatically only in the policy store for the Policy Server with key generation enabled. For the other policy stores, you can manually execute a rollover.
To manually rollover the shared secret, use the FSS Administrative UI or the C Policy Management API running on a Policy Server configured to the target policy store.
Note: The shared secret policy object is kept in the key store, and thus will be shared by all policy stores that share the same key store. The shared secrets themselves are kept in the trusted host objects, which are part of the policy store.
The Policy Server supports manual and periodic rollover of shared secrets for trusted hosts.
Periodic rollovers can be configured hourly, daily, weekly, or monthly; one hour is the shortest allowable period between rollovers. The Policy Server initiates periodic rollovers based on the age of the shared secret for each trusted host, rather than at a specific time of the day, week, or month. By rolling over each shared secret as it expires, the processing associated with the rollover is distributed over time, and avoids placing a heavy processing load on the Policy Server.
If you use the manual rollover feature, future periodic rollovers will generally be clustered together for all trusted hosts, since the manual rollover sets new shared secrets for all trusted hosts that allow shared secret rollover.
Important! If you enable key generation on more than one Policy Server associated with a single policy store, the same shared secret can be rolled over more than once in a short period of time due to object store propagation delays. This can result in orphaned hosts whose new shared secrets have been discarded. To avoid this potential problem, enable shared secret rollover for a single Policy Server per policy store.
To configure shared secret rollover for trusted hosts
The Shared Secret Rollover pane opens.
Rollover Frequency
Enter an integer for the number of times a rollover should occur. This number works together with the value of the rollover period.
Rollover Period
From the pull-down list, select Hours, Days, Weeks or Months for the occurrence of the rollover.
The Policy Server begins the process of rolling over shared secrets for all trusted hosts configured to allow shared secret rollover. The rollover may take some time depending on the number of trusted hosts in your deployment.
Copyright © 2012 CA.
All rights reserved.
|
|