Policy Server Encryption Keys Overview
The Policy Server and Agents (SiteMinder and TransactionMinder) use encryption keys to protect the sensitive data they exchange in a SiteMinder environment. Two kinds of keys are involved:
- Agent keys encrypt SiteMinder cookies. Every agent in a single sign-on environment holds the same agent keys, because each agent must be able to decrypt cookies that another agent in that environment wrote. The Policy Server manages agent keys and distributes them to the agents periodically, so an agent that is not part of the single sign-on environment (and therefore does not hold the current agent key) cannot read those cookies.
- Session ticket keys are used by the Policy Server to encrypt session tickets. A session ticket contains the user's credentials and other session information. Agents embed session tickets in SiteMinder cookies but cannot read their contents: the ticket is opaque to the agent because session ticket keys never leave the Policy Server.
Both types of keys are kept in the Policy Server's key store. Agent keys are distributed from there to the Agents at runtime; session ticket keys stay on the Policy Server. By default the key store is part of the Policy Store, but a separate key store database can be created if desired.
Note: For details on configuring a key store, see Management Console, Data Tab Fields and Controls.
Two further keys protect the stores themselves:
- A policy store key encrypts certain data in the policy store. It is derived from the encryption key specified when the Policy Server is installed, and is itself encrypted with a proprietary technique and stored in a file on disk.
- A key store key encrypts the agent and session ticket keys held in a separately configured key store. It is kept in the registry (or the UNIX equivalent), encrypted with the policy store key. Because that wrapping chains back to the install-time encryption key, a Policy Server installed with a different encryption key cannot unwrap the key store key and so cannot use a shared key store.
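The following is an added example, not code from the page or from CA SiteMinder, that models the key hierarchy described above end to end: the policy store key derived from the install-time encryption key, the key store key wrapped under it, the agent and session ticket keys encrypted in the key store, and the cookie flow in which a second agent in the single sign-on environment can open a cookie but not the session ticket inside it. SiteMinder's actual ciphers, derivation and record formats are proprietary, so the example substitutes its own: an HMAC-SHA256 encrypt-then-MAC cipher (`seal`/`open_`), HMAC as the key derivation, JSON for ticket and cookie bodies, and constructed names and key values. The `PolicyServer` and `Agent` classes are illustrative and do not correspond to any SiteMinder API.

```python
"""Model of the SiteMinder key hierarchy described on this page (constructed example).
Stand-ins, not CA's proprietary formats: HMAC-SHA256 encrypt-then-MAC for the
ciphers, HMAC for key derivation, JSON for ticket and cookie bodies."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive an independent subkey from a master key (assumed KDF, not CA's).
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: returns nonce || ciphertext || tag."""
    k_enc, k_mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raises ValueError on a wrong key or a tampered blob."""
    k_enc, k_mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))

class PolicyServer:
    def __init__(self, install_encryption_key: bytes):
        # Policy store key: derived from the encryption key given at install time.
        self.policy_store_key = _subkey(install_encryption_key, b"policy-store-key")
        # Key store key: held outside the key store (the page's registry entry),
        # wrapped under the policy store key.
        key_store_key = secrets.token_bytes(32)
        self.wrapped_key_store_key = seal(self.policy_store_key, key_store_key)
        # Key store: agent key and session ticket key, each encrypted under the key store key.
        self.key_store = {name: seal(key_store_key, secrets.token_bytes(32))
                          for name in ("agent", "session_ticket")}

    def _unwrap(self, name: str) -> bytes:
        key_store_key = open_(self.policy_store_key, self.wrapped_key_store_key)
        return open_(key_store_key, self.key_store[name])

    def current_agent_key(self) -> bytes:
        # Handed to every agent in the single sign-on environment.
        return self._unwrap("agent")

    def issue_session_ticket(self, user: str, attrs: dict) -> bytes:
        # The session ticket key is used only here; it never leaves the Policy Server.
        return seal(self._unwrap("session_ticket"), json.dumps({"user": user, **attrs}).encode())

    def validate_session_ticket(self, ticket: bytes) -> dict:
        return json.loads(open_(self._unwrap("session_ticket"), ticket))

class Agent:
    def __init__(self, name: str, agent_key: bytes):
        self.name, self.agent_key = name, agent_key

    def write_cookie(self, ticket: bytes) -> bytes:
        # Cookie body: the opaque ticket plus agent-readable fields, under the shared agent key.
        return seal(self.agent_key, json.dumps({"issued_by": self.name, "ticket": ticket.hex()}).encode())

    def read_cookie(self, cookie: bytes) -> dict:
        body = json.loads(open_(self.agent_key, cookie))
        body["ticket"] = bytes.fromhex(body["ticket"])
        return body

def _fails(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True

def demo() -> dict:
    ps = PolicyServer(install_encryption_key=b"install-time-secret")  # constructed value
    agent_a = Agent("agent-a", ps.current_agent_key())
    agent_b = Agent("agent-b", ps.current_agent_key())    # same SSO environment, same key
    outsider = Agent("outsider", secrets.token_bytes(32))  # not in the SSO environment
    cookie = agent_a.write_cookie(ps.issue_session_ticket("alice", {"auth_level": 5}))
    seen_by_b = agent_b.read_cookie(cookie)                # agent B can open the cookie ...
    return {
        "issued_by": seen_by_b["issued_by"],
        "ticket_opaque_to_agent": _fails(lambda: open_(agent_b.agent_key, seen_by_b["ticket"])),
        "cookie_opaque_to_outsider": _fails(lambda: outsider.read_cookie(cookie)),
        "session": ps.validate_session_ticket(seen_by_b["ticket"]),  # ... only the server reads the ticket
    }
```

Running `demo()` shows the two boundaries the page describes: agent B decrypts the cookie because it shares the agent key with agent A, the outsider with a different key cannot, and neither agent can open the session ticket, which only the Policy Server validates. Every unwrap goes through the policy store key, so changing `install_encryption_key` on a second `PolicyServer` instance would leave it unable to read the same key store.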