Symantec Access Management

  • 1.  CA SPS & Agent Key Rollover

    Posted Jun 20, 2017 06:37 AM

    Hi all,

    in our environment I installed and configured a Secure Proxy Server and the Policy Server has the agent keys rotation enabled.

    During the configuration wizard I enabled shared secret rollover too, but it seems that the SPS has not been triggered when the Policy Server executes key rollover.

    In fact, if I try to force a key rollover using the Policy Server Administrative UI, I don't find any trace of this operation in the SPS log file.

    If I force the key rotation from the Policy Server Administrative UI three times, the SPS is not able to decode the SMSESSION cookie anymore and the only way to fix this problem is to restart the SPS service.

     

    Is anyone facing the same issue? Any ideas?

     

    Thanks in advance,

    Daniele



  • 2.  Re: CA SPS & Agent Key Rollover
    Best Answer

    Posted Jun 20, 2017 08:00 PM

    Hi Daniele,

     

    First of all, shared secret rollover and agent key rollover are two different things.

    For this thread, let's focus on Agent Key rollover.

     

    • How many policy servers do you have?
    • Have you enabled Agent Key generation in more than one Policy Server?
    • What is the value of the PSPollInterval ACO? This determines the frequency at which the web agent polls the policy server for key updates. Change How Often an Agent Checks for Policy or Key Updates - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentati…
    • When the agent receives the new key update, you should see messages like this in the agent log:
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:853][INFO][sm-AgentFramework-00320] ADMIN: Received key update attribute 'KEY_UPDATE_PERSISTENT'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:871][INFO][sm-AgentFramework-00310] ADMIN: Successfully processed key update attribute 'PERSISTENT'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:828][INFO][sm-AgentFramework-00320] ADMIN: Received key update attribute 'KEY_UPDATE_CURRENT'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:845][INFO][sm-AgentFramework-00310] ADMIN: Successfully processed key update attribute 'CURRENT'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:778][INFO][sm-AgentFramework-00320] ADMIN: Received key update attribute 'KEY_UPDATE_NEXT'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:795][INFO][sm-AgentFramework-00310] ADMIN: Successfully processed key update attribute 'NEXT'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:804][INFO][sm-AgentFramework-00320] ADMIN: Received key update attribute 'KEY_UPDATE_LAST'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:820][INFO][sm-AgentFramework-00310] ADMIN: Successfully processed key update attribute 'LAST'.
      [4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:261][INFO][sm-AgentFramework-00280] ADMIN: Administration Manager initialized.

    Regards,

    Ujwol
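Added example, not part of the original posts and not vendor code: a Python check that scans an agent or SPS log for the key update messages quoted in the answer above and reports whether a forced rollover was picked up with all four keys received and processed. The sample lines, the `.cpp:0` source position and the rollover time are constructed for illustration.

```python
import re
from datetime import datetime

# Line layout follows the agent log excerpt quoted in the answer above.
LINE_RE = re.compile(r"\[\d+/\d+\]\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[INFO\]"
                     r"\[sm-AgentFramework-\d+\] ADMIN: (?P<msg>.*)")
RECEIVED_RE = re.compile(r"Received key update attribute 'KEY_UPDATE_(\w+)'")
PROCESSED_RE = re.compile(r"Successfully processed key update attribute '(\w+)'")
EXPECTED = {"PERSISTENT", "CURRENT", "NEXT", "LAST"}

def key_update_batches(lines):
    """Group key-update messages into batches; a repeated key starts a new batch."""
    batches, current = [], None
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        received = RECEIVED_RE.search(m["msg"])
        processed = PROCESSED_RE.search(m["msg"])
        if received:
            key = received.group(1)
            if current is None or key in current["received"]:
                ts = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S")
                current = {"time": ts, "received": set(), "processed": set()}
                batches.append(current)
            current["received"].add(key)
        elif processed and current is not None:
            current["processed"].add(processed.group(1))
    return batches

def is_complete(batch):
    """True when all four keys were both received and processed."""
    return batch["received"] == EXPECTED and batch["processed"] == EXPECTED

def rollover_picked_up(lines, rollover_time):
    """True if a complete key update was logged at or after rollover_time."""
    return any(b["time"] >= rollover_time and is_complete(b)
               for b in key_update_batches(lines))

# Constructed sample modelled on the excerpt: one full update at 11:05:49.
PREFIX = "[4928/4976][Thu Jun 15 2017 11:05:49][CSmAdminManager.cpp:0][INFO]"
SAMPLE = []
for key in ("PERSISTENT", "CURRENT", "NEXT", "LAST"):
    SAMPLE.append(f"{PREFIX}[sm-AgentFramework-00320] ADMIN: Received key update attribute 'KEY_UPDATE_{key}'.")
    SAMPLE.append(f"{PREFIX}[sm-AgentFramework-00310] ADMIN: Successfully processed key update attribute '{key}'.")

if __name__ == "__main__":
    forced = datetime(2017, 6, 15, 11, 0, 0)  # hypothetical time of the forced rollover
    print("rollover picked up:", rollover_picked_up(SAMPLE, forced))
```

A result of False after the poll interval has elapsed matches the symptom in the first post: the rollover happened on the Policy Server but the agent log shows no complete key update.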



  • 3.  Re: CA SPS & Agent Key Rollover

    Posted Jun 21, 2017 03:33 AM

    Hi Ujwol,

    first of all thanks for the clarifications. It's been a while since I had to deal with these concepts, so I'm a little bit rusty.

    I'll check the PSPollInterval ACO parameter and the other suggestions you provided.

     

    I'll update you as soon as I have performed the needed verifications.

     

    Thanks,

    Daniele