Layer 7 Access Management

Tech Tip : CA Single Sign-On : SDK Agent cannot decode SMSESSION Cookie after rolling 3 Times the Agent Keys

  • 1.  Tech Tip : CA Single Sign-On : SDK Agent cannot decode SMSESSION Cookie after rolling 3 Times the Agent Keys

    Posted 01-02-2017 06:26 AM

    Question :

     

      Running SDK Agent, once the Agent Keys have been rolled over two times,
      the decodeSSOToken() method isn't able to decode the SMSESSION cookie
      anymore and my SDK Agent always throws an exception.

     

      How often can the Agent Keys be rolled over before the SDK Agent cannot decode it anymore ?
      Two or three times?

     

      I'd say three times because there are 3 Keys : the PAST, CURRENT and FUTURE.

     

    Environment :

     

      This applies to all Agent versions.

     

    Answer :

     

       By design, if you roll 2 times the Agent Keys, then SDK Agent won't be able to decode the SMSESSION cookie anymore.

     

       1 - The SMSESSION cookie is encrypted with the Current Key (k1). (k0-k1-k2)
       2 - At the first roll, the Current Key value is set as the Old Key
           and the k0 old key isn't available anymore (k1-k2-k3).
       3 - At the second roll, the key value which has encrypted the SMSESSION
           cookie (k1) will not be available, and as such, the SMSESSION cookie cannot
           be decoded by the Web Agent (k2-k3-k4).

     

    KB : TEC1853933