Symantec Access Management


CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

Ujwol, Mar 04, 2016 04:33 AM

  • 1.  CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 02, 2016 08:11 AM

    Hi,

    I would like to know what will happen if I skip the host registration and just copy the contents of the SmHost.conf file from some other server. I hope it won't work, but ..

    • Can any expert explain to me why?
    • Is it because of the shared secret key? If yes, what is the significance of the shared secret key?
    • What checks will be made before/while establishing the connection between the policy server and the web agent?
    • First of all, why do we need a host registration?

    Thanks.

    Regards,

    Dhilip



  • 2.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?
    Best Answer

    Posted Mar 02, 2016 10:51 AM
    I have answered this earlier. Have a look at this thread:

    https://communities.ca.com/thread/241740417

    If you have any further questions, shoot me.



  • 3.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 03, 2016 01:41 AM

    Hi Dhilip,

    I think the thread that Ujwol mentioned answered most of your questions except the following:

    Why do we need host registration?

    R: The Policy Server needs to trust the client when the client tries to connect to the Policy Server. In short, the purpose of host registration is to establish trust between PS and WA so the connection can be established.

    Regards,

    Kar Meng



  • 4.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 03, 2016 06:20 AM

    Hi Ujwol and Kar Meng,

    Thanks for your quick replies!

    That thread is very useful. But unfortunately, I still have a few queries.

    1) You have mentioned that a hard-coded value along with the host ID is used to decrypt the shared secret in case of Linux. I would like to know more about this hard-coded value.

      • Are this hard-coded value and the 'Host key' the same thing?
      • How is it generated? Where is it stored?
      • Is it constant, or will it differ for every agent?

    2) May I know how decryption of the shared secret will happen in case of a Windows environment?

    3) What is the significance of "-sh" while registering the host by command line? Will it change the shared secret value?

    Thanks and awaiting return!!

    Regards,

    Dhilip



  • 5.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:21 AM

    Hi Dhilip,

    The Policy Server generates the SharedSecret at the time of host registration and sends it to the WebAgent. The Shared Secret is already encrypted, but Unix/Linux Agents further encrypt this value with the Unix/Linux hostid value and save it in SmHost.conf.

    During agent initialization, the webagent decrypts the value of the shared secret in the SmHost.conf file using the hostid value and then sends it to the policy server for the handshake. If the hostid value has changed then the decrypted value will not be correct and the webagent will not be able to do a proper handshake with the policy server.

    The hostid value does not change when the hostname or IP address of the system changes. Some hardware changes may cause the value of hostid to change. If the mount point is changed then the hostid value also changes. There may be other reasons too.

    On Windows, the webagent does not further encrypt the value of the shared secret sent to it by the policy server.

    During initialization the webagent sends the same value of the shared secret as stored in the SmHost.conf file to the Policy Server and the handshake works.

    Thanks,

    Rajesh



  • 6.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 07, 2016 01:53 AM

    Hi,

    Thanks for your detailed and clear explanation.

    1. May I know what is the reason behind this double encryption of the shared secret in case of non-Windows, whereas single encryption in case of Windows?
    2. As the shared secret will not be encrypted by the agent (again) on Windows OS, shall we reuse the same SmHost.conf file on another Windows system? Will it work?
    3. I would like to know the significance of "-sh" while registering the host by using the command line. Will it change the shared secret value?

    Regards,

    Dhilip



  • 7.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 09, 2016 08:04 AM

    Hi,

    May I get a response from any expert for my above questions?

    Thanks and awaiting returns!

    Regards,

    Dhilip



  • 8.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 09, 2016 07:20 PM

    Hi,

    1. May I know what is the reason behind this double encryption of the shared secret in case of non-Windows, whereas single encryption in case of Windows?

    Ujwol => Not much info here. This is how the SSO architects designed it.

    2. As the shared secret will not be encrypted by the agent (again) on Windows OS, shall we reuse the same SmHost.conf file on another Windows system? Will it work?

    Ujwol => You can, but you should not. If something goes wrong with that trusted host, then all your agents are impacted.

    3. I would like to know the significance of "-sh" while registering the host by using the command line. Will it change the shared secret value?

    Ujwol => If you don't specify -sh, this is how the shared secret is created:

    • Generate any random string, e.g. xxxx
    • Encrypt it with the Host Key (and using the HostId in case of Linux)
    • Result = shared secret

    Now, when you specify the -sh option, all you are doing is specifying this "seed" string.

    If your hostId changes, the shared secret will still be invalid.

    Hope this clarifies.

    Cheers,

    Ujwol



  • 9.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 10, 2016 06:15 AM

    Hi Ujwol,

    Thanks for your response. I just have a few doubts regarding your above feedback.

    1. Could you please confirm whether the Host Key will be used (because I thought the Policy Store key would be used) to encrypt the shared secret (in the policy server, before sharing the shared secret value with the agent)?
    2. If yes, will it be encrypted again with the policy store key (for the purpose of storing it in the policy store)?

    Regards,

    Dhilip



  • 10.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 10, 2016 06:19 AM

    Yep, I can confirm.

    Here is the full list of the various keys used in SSO:

    • Policy Store Key - used by PS to encrypt sensitive data in the Policy Store
    • Key Store Key - used by PS to encrypt data in the Key Store
    • Host Key - used by PS/WA to encrypt data stored in files (EncryptionKey.txt, SmHost.conf)
    • Session Keys - used to encrypt traffic to/from the PS
    • Agent Keys - used by the Agent to encrypt cookies
    • Session Ticket Keys/Persistent Key - used by PS to encrypt session and identity specs
    • Shared Secret - used to authenticate WA and PS to each other

    If you have any follow-up question please create a new thread, this has been stretched far too far :)



  • 11.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 14, 2016 01:12 AM

    Hi Ujwol,

    Thanks for your response. But I still have a query regarding your above feedback. I have created a new thread (https://communities.ca.com/thread/241750145) for the same.

    Have a nice day!

    Regards,

    Dhilip



  • 12.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:24 AM

    Hi Rajesh,


    You said - "Hostid value does not change when the hostname or IP address of the system changes"

    This is NOT true.

    Please refer to the thread I referred to above for the explanation.


    Cheers,

    Ujwol



  • 13.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:29 AM

    Hi Ujwol,

    You can check with your sustaining engineering, as what I said is true.

    Also, my organization is going through IP and hostname changes and I have first-hand experience of whether it works or not. And we did not re-register the host. We are using R12 SP3 CR09. hostid does not change by changing IP or hostname.

    Thanks,

    Rajesh



  • 14.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:30 AM

    What OS are we talking about here?



  • 15.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:32 AM

    RedHat Linux



  • 16.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:44 AM

    There is no /etc/hostid file in our system.



  • 17.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:33 AM

    Do you have /etc/hostid file?



  • 18.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:38 AM

    I don't want to get into any troubleshooting or discussion here. I know this for sure and even when I was in CA I have advised customers not to re-register webagent for any IP or hostname changes. And as I have said we have hundreds of Linux servers undergoing IP and hostname changes and there was no need for re-registration so far.



  • 19.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted Mar 04, 2016 04:40 AM

    Let's look at the Linux man page:

    http://linux.die.net/man/2/gethostid

    "In the glibc implementation, the hostid is stored in the file /etc/hostid. (In glibc versions before 2.2, the file /var/adm/hostid was used.)

    In the glibc implementation, if gethostid() cannot open the file containing the host ID, then it obtains the hostname using gethostname(2), passes that hostname to gethostbyname_r(3) in order to obtain the host's IPv4 address, and returns a value obtained by bit-twiddling the IPv4 address. (This value may not be unique.)"

    So going by this, unless you have defined a static hostid by creating the /etc/hostid file, if your IPv4 address changes, it will almost certainly result in a different hostid.

    I have also verified this in my setup.
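As an added example, not part of this thread or of the CA/Symantec product: the C program below reproduces the glibc gethostid() fallback the man page above describes (the "bit-twiddling" is swapping the two 16-bit halves of the IPv4 address as it sits in struct in_addr), so an administrator can predict before an IP change whether a Linux Web Agent's hostid, and with it the hostid-bound SharedSecret in SmHost.conf, will survive. It assumes /etc/hostid holds the hostid as 4 raw bytes, a little-endian host for the 007f0101 known answer, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* glibc fallback from the man page above: take the IPv4 address as it
 * sits in struct in_addr (network byte order, read as the host's native
 * 32-bit word) and swap its two 16-bit halves. Returns 0 on a bad
 * address, which is also what glibc returns when the lookup fails. */
uint32_t hostid_from_ipv4(const char *dotted)
{
    struct in_addr in;
    uint32_t word;
    if (inet_pton(AF_INET, dotted, &in) != 1)
        return 0;
    memcpy(&word, &in, sizeof word);
    return (word << 16) | (word >> 16);
}

/* Does moving this host from old_ip to new_ip change its hostid?
 * Not when a hostid file (assumed format: 4 raw bytes) pins it; yes
 * whenever the IP fallback is in use and the two addresses differ, in
 * which case the Linux agent must be re-registered, because the
 * SharedSecret in SmHost.conf is bound to the old hostid. */
int ip_change_alters_hostid(const char *hostid_path,
                            const char *old_ip, const char *new_ip)
{
    uint32_t pinned;
    FILE *f = fopen(hostid_path, "rb");
    if (f) {
        size_t n = fread(&pinned, 1, sizeof pinned, f);
        fclose(f);
        if (n == sizeof pinned)
            return 0;   /* pinned hostid: the IP is irrelevant */
    }
    return hostid_from_ipv4(old_ip) != hostid_from_ipv4(new_ip);
}

int main(void)
{
    /* Constructed sample addresses. 127.0.1.1 is the loopback alias many
     * Linux installs map the hostname to; on a little-endian machine it
     * yields the familiar hostid 007f0101. */
    printf("127.0.1.1 -> %08x\n", hostid_from_ipv4("127.0.1.1"));
    printf("10.1.2.3 -> 10.1.2.4 changes hostid: %d\n",
           ip_change_alters_hostid("/etc/hostid", "10.1.2.3", "10.1.2.4"));
    return 0;
}
```

Compare the computed value with the output of the hostid(1) command on the agent host: if they match, the hostid is derived from the IP and will move with it; if they differ, /etc/hostid (or another pinning mechanism) is in effect.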