Agent Keys Introduced
CA Single Sign-OnWeb Agents use an Agent key to encrypt cookies before passing the cookies to a user’s browser. When a Web Agent receives a
CA Single Sign-Oncookie, the Agent key enables the Agent to decrypt the contents of the cookie. Keys must be set to the same value for all Web Agents communicating with a Policy Server.
The Policy Server provides the following types of Agent keys:
- Dynamic Keysare generated by a Policy Server algorithm and are distributed to connected Policy Servers and any associatedCA Single Sign-OnWeb Agents. Dynamic keys can be rolled over at a regular interval, or by using the Key Management dialog box of the Administrative UI. For security reasons, this is the recommended type of Agent key.
- Static Keysremain the same indefinitely, and can be generated by a Policy Server algorithm or entered manually.CA Single Sign-Ondeployments uses this type of key for a subset of features that require information to be stored in cookies on a user’s machine over extended periods of time.A static agent key is always generated at installation. This static key is used for certain other product features, such as user management, whether or not you use the static key as the Agent key.
Dynamic Agent Key Rollover
You configure dynamic agent key rollover in the Administrative UI. Web agents poll the Policy Server for key updates at a regular interval. If keys have been updated, web agents pick up the changes during polling. The default polling time is 30 seconds, but you can change the default by changing the pspollinterval parameter of a web agent.
The Policy Server uses an algorithm to generate dynamic keys at a regular interval. These keys are saved in the key store. When a web agent detects new keys, it retrieves them from the key store.
Agent Keys Used in Dynamic Key Rollover
CA Single Sign-Ondeployments use the following keys in a dynamic key rollover and maintain them in the key store:
- An Old Key is a Dynamic key that contains the last value used for the Agent key before the current value.
- A Current Key is a Dynamic key that contains the value of the current Agent key.
- A Future Key is a Dynamic key that contains the next value that will be used as the Current key in an Agent key rollover.
- Static Key
When the Policy Server processes a dynamic Agent key rollover, the value of the current key replaces the value of the old key. The value of the future key replaces the value of the current key, and the Policy Server generates a new value for the future key.
When receiving a cookie from a client browser, the Web Agent uses the current key from the key store to decrypt the cookie. If the decrypted value is not valid, the Web Agent tries the old key, and if necessary, the future key. The old key may be required to decrypt cookies from an Agent that has not yet been updated, or to decrypt existing cookies from a client’s browser. The future key may be required for cookies created by an updated Agent, but read by an Agent that has not yet polled the key store for updated keys.
Rollover Intervals for Agent Keys
At a specified time, the Agent key rollover process begins. To prevent multiple rollovers from multiple Policy Servers, each server sets a rollover wait time of up to 30 minutes. If no update has been performed by the end of the wait time, that Policy Server updates the keys.
All Policy Servers wait for updated keys and then process the new keys to their Agents. Even for a single Policy Server, the update time may be up to 30 minutes beyond the time specified for the rollover.
The Agent Key Rollover process begins at the time(s) specified in the
CA Single Sign-OnAgent Key Management dialog box. The process can take up to three minutes. In that time period, all Web Agents connected to the Policy Server receive updated keys.
In a deployment that involves multiple replicated Policy Servers, the process for distributing Agent keys may take up to 30 minutes.
A static key is a string used to encrypt data which remains constant. In a
CA Single Sign-Ondeployment that uses the Agent Key rollover feature, a static key provides a method for maintaining user information across an extended period of time.
CA Single Sign-Onfeatures and situations make use of the static key:
- Saving User Credentials for HTML Forms AuthenticationIf an HTML Forms authentication scheme has been configured to allow users to save credentials, the Policy Server uses the static key to encrypt the user’s credentials.
- User TrackingIf user tracking is turned on, the Policy Server uses the static key to encrypt user identity information.
- Single Sign-on Across Multiple Key StoresIn aCA Single Sign-Ondeployment that includes multiple key stores, the static key may be used for single sign-on. In this situation,CA Single Sign-OnAgents use the static key for all cookie encryption.If you change the static key, any cookies created with the former static key are invalid. Users may be forced to re-authenticate, and user tracking information becomes invalid. In addition, if the static key is used for single sign-on, users are challenged for credentials when they attempt to access resources in another cookie domain.