Manage the Session Ticket Key

Contents
casso127
Contents
The Policy Server can generate the session ticket key using an algorithm, or you can enter the session ticket key manually. A session ticket is established each time a user authenticates successfully and enables the Policy Server to determine how long a user’s session can continue.
The only implementation that requires a manually assigned session ticket key is one that includes multiple, independent key stores. Automatically generated keys cannot be propagated across independent key stores by the Policy Server. In all other instances it is recommended that you use the session ticket key generated by the Policy Server algorithm.
Generate a Session Ticket Key
The Policy Server can generate the session ticket key using a method similar to the one for generating dynamic agent keys. Randomly generating the session ticket key lets the Policy Server use an algorithm to create the key used for encryption and decryption.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Click Administration, Policy Server.
  3. Click Key Management, Session Key Management.
  4. Do oneof the following:
    • Click Rollover Now in the Generate a Random Session Ticket Key section.
      The Policy Server generates a new session ticket key. This key immediately replaces the one that is used to encrypt and decrypt session tickets.
    • Specify a session ticket in the Specify Session Ticket Key section and click Rollover Now.
      The Policy Server immediately replaces the existing session ticket key with the value you entered.
  5. Click Submit.
Manually Enter the Session Ticket Key
If your Policy Server is part of an implementation that includes multiple key stores, you can manually enter the session ticket key.
Follow these steps:
  1. Log in to the Administrative UI.
  2. Click Administration, Policy Server.
  3. Click Key Management, Session Key Management.
  4. Specify a key in the Specify a Session Ticket key section.
  5. Click Rollover Now.
    The Policy Server immediately replaces the existing session ticket key with the value you entered.
  6. Click Submit.
Set the EnableKeyUpdate Registry Key
When a single Policy Server generates encryption keys in an environment with multiple Policy Servers that connect to disparate policy stores, but share a central key store, an additional registry setting is required. This registry setting configures each Policy Server to poll the common key store and retrieve new encryption keys at a regular interval.
To configure the EnableKeyUpdate registry key on a Windows Policy Server
  1. From the Windows Start menu, select Run.
  2. Enter regedit in the Run dialog box and click OK.
  3. In the Registry Editor, navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\
    CurrentVersion\ObjectStore
  4. Change the following registry value:
    "EnableKeyUpdate"=0
    to
    "EnableKeyUpdate"=1
  5. Restart the Policy Server.
To configure the EnableKeyUpdate registry key on a UNIX Policy Server
  1. Navigate to:
    install_directory
    /siteminder/registry
  2. Open sm.registry in a text editor.
  3. Locate the following text in the file:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\
    CurrentVersion\ObjectStore
  4. Change the following registry value:
    "EnableKeyUpdate"=0
    to
    "EnableKeyUpdate"=1
  5. Restart the Policy Server.