One of the Agent key management features lets you manually rollover dynamic Agent keys. This feature provides added security because the keys can be rolled over at any time. You can also use this feature if you want the Policy Server to generate dynamic keys, but you do not want the keys to rollover at a fixed interval.
To manually rollover dynamic Agent keys
The Key Management pane opens.
The pane changes to support dynamic keys.
The Policy Server immediately generates new Agent keys. Unless you manually execute an Agent key rollover, the Policy Server does not generate new dynamic keys automatically.
Note: Do not click this button multiple times unless you want to rollover keys more than once.
Web Agents pick up the new keys the next time they poll the Policy Server, which may take up to three minutes due to cache synchronization. If you want to use an entirely new set of keys to for security reasons, you can rollover dynamic keys twice to remove the old key and the current key from the key store.
You must coordinate the updating of agent keys and session timeouts or you may invalidate cookies that contain session information. This coordination is critical because the person designing policies in your organization may be different than the person configuring dynamic key rollover.
Session timeouts should be less than or equal to two times the interval configured between Agent key rollovers. If an administrator configures an agent key rollover to occur two times before a session expires, cookies written by the Web Agent before the first key rollover will no longer be valid and users will be re-challenged for their identification before their session terminates.
For example, if you configure key rollover to occur every three hours, you should to set the Maximum Session timeout to six hours or less to ensure that multiple key rollovers do not invalidate the session cookie.
Copyright © 2012 CA.
All rights reserved.
|
|