Tech Tip : CA Single Sign-On :: Policy Server::An agent change key command was received that contained a set of null keys

By Ujwol posted Dec 03, 2017 08:06 PM

  

Issue

Mixed Policy Server environment in which some agents point to an r12.7 (or any other 64-bit) Policy Server while other agents point to a lower-version Policy Server that is 32-bit (e.g. 12.52, 12.51).

 

Observation:

  1. If the agent keys are rolled over from either the 32-bit or the 64-bit Policy Server, SSO fails between agents connected to the 32-bit Policy Server and agents connected to the 64-bit Policy Server.
  2. If the agent keys are rolled over from the 64-bit Policy Server, the 32-bit Policy Server logs the following error in smps.log:

 

(38855) [06/05/2017][14:55:24][5516][][DoManagement.cpp:288][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-04060] An agent change key command was received that contained a set of null keys]  

Environment

Mixed Policy Server environment: some agents point to an r12.7 (or any other 64-bit) Policy Server, others to a lower-version 32-bit Policy Server (e.g. 12.52, 12.51).

Cause

Whenever an agent key rollover is performed, the Policy Server that rolls the keys bundles all of them into one array whose entries are separated by a time_t field. sizeof(time_t) is 4 bytes on a 32-bit Policy Server and 8 bytes on a 64-bit Policy Server, so the layout of that array depends on the bitness of the server that performed the rollover. The bundle is stored in the AgentCommand.

When another Policy Server reads the AgentCommand, it must parse the array with the same time_t width that was used to write it. A server of the other bitness computes the wrong offsets, decryption of the AgentCommand fails, and the keys it recovers are unusable; this is what the 32-bit Policy Server reports with the sm-Server-04060 "null keys" error shown above.
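The following C program is an added illustration of the width mismatch just described; it is not SiteMinder code and the AgentCommand layout it uses is assumed (one little-endian timestamp of sizeof(time_t) bytes in front of each 16-byte key, four keys per rollover, constructed sample keys and timestamp). A writer that rolls keys with one time_t width produces a bundle that a reader using the other width cannot parse, while readers of the same bitness recover the keys intact.

```c
/* Added illustration of the time_t-width mismatch described above. This is
 * NOT SiteMinder's real AgentCommand format; the layout (one timestamp
 * separator of sizeof(time_t) bytes before each 16-byte key, four keys per
 * rollover) is assumed for the purpose of the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define KEY_LEN    16   /* assumed key size, for illustration only */
#define NKEYS      4    /* assumed number of keys per rollover bundle */
#define MAX_WIDTH  8
#define MAX_BUNDLE (NKEYS * (MAX_WIDTH + KEY_LEN))

/* Store ts little-endian in `width` bytes (4 = 32-bit time_t, 8 = 64-bit). */
static void put_time(uint8_t *out, uint64_t ts, size_t width)
{
    for (size_t i = 0; i < width; i++)
        out[i] = (uint8_t)(ts >> (8 * i));
}

/* Writer side (the Policy Server that rolls the keys): emit
 * [timestamp: time_width bytes][key: KEY_LEN bytes] for every key.
 * Returns the bundle length in bytes. */
size_t pack_bundle(uint8_t *out, size_t time_width, uint64_t ts,
                   uint8_t keys[NKEYS][KEY_LEN])
{
    size_t off = 0;
    for (size_t i = 0; i < NKEYS; i++) {
        put_time(out + off, ts, time_width);
        off += time_width;
        memcpy(out + off, keys[i], KEY_LEN);
        off += KEY_LEN;
    }
    return off;
}

/* Reader side (any Policy Server consuming the AgentCommand), parsing with
 * its OWN time_t width. Returns the number of keys recovered, or -1 when the
 * bundle does not fit the expected entry size or a recovered key is all
 * zero bytes (a "null key"). */
int unpack_bundle(const uint8_t *in, size_t len, size_t time_width,
                  uint8_t keys_out[NKEYS][KEY_LEN])
{
    size_t entry = time_width + KEY_LEN;
    if (len == 0 || len % entry != 0 || len / entry != NKEYS)
        return -1;                       /* layout written with another width */
    for (size_t i = 0; i < NKEYS; i++) {
        const uint8_t *k = in + i * entry + time_width;
        int all_zero = 1;
        for (size_t j = 0; j < KEY_LEN; j++)
            if (k[j] != 0) { all_zero = 0; break; }
        if (all_zero)
            return -1;                   /* null key: reject the command */
        memcpy(keys_out[i], k, KEY_LEN);
    }
    return NKEYS;
}

/* Round trip: a writer with `writer_width` rolls the keys and a reader with
 * `reader_width` parses the result. Returns NKEYS when every key comes back
 * intact, -1 otherwise. Sample keys and timestamp are constructed inline. */
int rollover_roundtrip(size_t writer_width, size_t reader_width)
{
    uint8_t keys[NKEYS][KEY_LEN], got[NKEYS][KEY_LEN], buf[MAX_BUNDLE];
    for (int i = 0; i < NKEYS; i++)
        memset(keys[i], 0x11 * (i + 1), KEY_LEN);      /* constructed keys */
    uint64_t ts = 1496631324ULL;                       /* constructed epoch */
    size_t len = pack_bundle(buf, writer_width, ts, keys);
    if (unpack_bundle(buf, len, reader_width, got) != NKEYS)
        return -1;
    for (int i = 0; i < NKEYS; i++)
        if (memcmp(keys[i], got[i], KEY_LEN) != 0)
            return -1;
    return NKEYS;
}

int main(void)
{
    size_t widths[2] = { 4, 8 };
    for (int w = 0; w < 2; w++)
        for (int r = 0; r < 2; r++)
            printf("writer time_t=%zu reader time_t=%zu -> %s\n",
                   widths[w], widths[r],
                   rollover_roundtrip(widths[w], widths[r]) == NKEYS ? "ok" : "FAIL");
    printf("this build: sizeof(time_t) = %zu\n", sizeof(time_t));
    return 0;
}
```

The two mismatched pairings fail because a 64-bit writer produces 4 x (8 + 16) = 96 bytes, which is not a whole number of the 20-byte entries a 32-bit reader expects, and a 32-bit writer's 80 bytes is not a whole number of 24-byte entries. Building the program with `gcc -m32` on a platform whose 32-bit ABI still has a 4-byte time_t shows the `sizeof(time_t)` line change, which is the same bitness dependency the Cause section describes.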

 

Workaround

  1. Configure the same static agent keys on both the 64-bit and the 32-bit Policy Servers and restart the Policy Servers.
  2. Do not enable dynamic agent keys, and do not roll the keys manually, while the mixed environment contains Policy Servers of different bitness.

 

Resolution

1.  Upgrade the 64-bit Policy Server to version 12.7.01 or later.

2.  On the 12.7.01 Policy Server, add the registry key using whichever of the following applies:

Windows

Open regedit and navigate to the following location:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer

UNIX

Navigate to the following location:

 

install_directory/siteminder/registry

Open the sm.registry file.

Add the following registry key:

 

BackwardCompatibleMode

Set the registry key value to 1.

Restart Policy Server.

3. Enable Dynamic Agent Key Generation, or perform manual key rollover, ONLY from the 32-bit Policy Server.

 

NOTE: If a 12.7.01 (or any other 64-bit) Policy Server generates agent keys in a mixed environment, the agents connected to the 32-bit Policy Servers cannot decrypt the new agent keys.

So, in such an environment you must configure the 32-bit Policy Servers to generate the agent keys and enable backward compatibility on the 64-bit Policy Servers (the BackwardCompatibleMode registry key is available only from 12.7.01 onward).
