I am trying to test Single Sign-On between an existing R12 and a newly built 12.52 SP2 environment. They are in different domains: let's suppose R12 is a.com and 12.52 SP2 is b.com. We also have a separate policy store/key store for b.com.
Done resetting the encryption key on 12.52 to match R12; weekly dynamic Agent Key rollover is set on R12.
1. Do I have to wait for the Agent key rollover to happen before I can test SSO between both environments?
2. I understand that the Agent key and session key have to be the same for SSO to work. Are they going to be updated after rollover, or do I need to manually assign them?
3. Since they are in different domains, what additional steps are required there?
Hi, you will need to match a few things:
1. encryption key
2. agent keys (and session ticket key)
3. user store name
4. user store DN structure (and user DN)
So you should make it look like it is the same(?) env.
The key store should be replicated between your a.com and b.com.
And your a.com PS (R12) should generate the agent keys.
Your b.com PS (R12.52) should have "EnableKeyUpdate=1" in the registry.
This forces your b.com PS to poll the key store for changes.
Thanks! I will post the results.
Just wanted to clarify on EnableKeyUpdate. Is it required if I have separate key stores?
EnableKeyUpdate is required as long as there are multiple Policy Servers referencing disparate policy stores but sharing a central key store.
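The checklist from the replies (matching encryption key, agent keys and session ticket key, user store name and DN structure, plus the EnableKeyUpdate rule for separate policy stores with a shared key store) as a small added example, not code from the thread or from the SiteMinder product. The environment descriptors, store identifiers and key values are constructed sample data; keys are represented by SHA-256 fingerprints of placeholder strings so that no real key material is handled, and the `SmEnvironment` fields are a hypothetical layout chosen for this script, not a product API:

```python
"""Added example (not from the original thread): a checker for the SSO
prerequisites the replies list.  All values below are constructed sample data."""

import hashlib
from dataclasses import dataclass, replace


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so keys can be compared without storing them in clear."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class SmEnvironment:
    name: str
    encryption_key: str          # fingerprint of the policy store encryption key
    agent_key_current: str       # fingerprint of the current dynamic agent key
    agent_key_previous: str      # fingerprint of the previous dynamic agent key
    session_ticket_key: str      # fingerprint of the session ticket key
    user_store_name: str
    user_dn_base: str
    policy_store: str            # hypothetical identifier of the policy store this PS reads
    key_store: str               # hypothetical identifier of the key store this PS reads
    enable_key_update: int = 0   # EnableKeyUpdate registry value (1 = poll the key store)


MUST_MATCH = [
    ("encryption_key", "encryption key"),
    ("agent_key_current", "current agent key"),
    ("agent_key_previous", "previous agent key"),
    ("session_ticket_key", "session ticket key"),
    ("user_store_name", "user store name"),
    ("user_dn_base", "user store DN structure"),
]


def check_sso_prerequisites(a: SmEnvironment, b: SmEnvironment) -> list:
    """Return human-readable problems; an empty list means the prerequisites hold."""
    problems = []
    for attr, label in MUST_MATCH:
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{label} differs between {a.name} and {b.name}")

    if a.key_store != b.key_store:
        # Agent keys live in the key store: with two independent key stores a
        # rollover on one side never reaches the other environment.
        problems.append(f"{a.name} and {b.name} use different key stores; replicate or share one")
    elif a.policy_store != b.policy_store:
        # Shared key store but separate policy stores: each Policy Server must
        # poll the key store for rollovers or it keeps stale agent keys.
        for env in (a, b):
            if env.enable_key_update != 1:
                problems.append(f"{env.name} needs EnableKeyUpdate=1 to pick up key rollovers")
    return problems


# Constructed sample matching the question: encryption key already reset to
# match, agent keys not yet rolled over, b.com still on its own key store.
R12_ACOM = SmEnvironment(
    name="a.com (R12)",
    encryption_key=fingerprint("shared-encryption-key-placeholder"),
    agent_key_current=fingerprint("a-com-agent-key-2"),
    agent_key_previous=fingerprint("a-com-agent-key-1"),
    session_ticket_key=fingerprint("a-com-session-ticket-key"),
    user_store_name="CorpLDAP",
    user_dn_base="ou=people,dc=corp,dc=example",
    policy_store="ps-a",
    key_store="ks-a",
)

R1252_BCOM = SmEnvironment(
    name="b.com (12.52 SP2)",
    encryption_key=fingerprint("shared-encryption-key-placeholder"),
    agent_key_current=fingerprint("b-com-agent-key-1"),
    agent_key_previous=fingerprint("b-com-agent-key-0"),
    session_ticket_key=fingerprint("b-com-session-ticket-key"),
    user_store_name="CorpLDAP",
    user_dn_base="ou=people,dc=corp,dc=example",
    policy_store="ps-b",
    key_store="ks-b",
)


def sample_report() -> list:
    """Problems for the pair as described in the question."""
    return check_sso_prerequisites(R12_ACOM, R1252_BCOM)


def aligned_report(enable_key_update: int) -> list:
    """Same pair after the keys are synchronised through one shared key store;
    the EnableKeyUpdate value on both servers is the remaining variable."""
    a = replace(R12_ACOM, key_store="ks-shared", enable_key_update=enable_key_update)
    b = replace(R1252_BCOM, key_store="ks-shared", enable_key_update=enable_key_update,
                agent_key_current=a.agent_key_current,
                agent_key_previous=a.agent_key_previous,
                session_ticket_key=a.session_ticket_key)
    return check_sso_prerequisites(a, b)


if __name__ == "__main__":
    for line in sample_report():
        print("-", line)
```

Running it on the constructed sample reports the three key mismatches and the separate key stores; once both sides read one key store with matching keys, the only remaining finding is the missing EnableKeyUpdate=1, which disappears when it is set on both Policy Servers.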