Symantec Access Management

Expand all | Collapse all

CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

Jump to Best Answer

Ujwol03-04-2016 04:33 AM

  • 1.  CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-02-2016 08:11 AM

    Hi,

     

    I would like to know what will happen if I skip the host registration and just copy the contents of SmHost.conf file from some other server. I hope it won't work but ..

    • Can any expert me explain why?
    • Is it because of shared secret key? If yes, what is the significance of the shared secret key?
    • What checks will be made before/while establishing the connection between policy server and web agent?
    • First of all, why do we need a host registration? 

     

    Thanks.

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?
    Best Answer

    Posted 03-02-2016 10:51 AM
    I have answered this earlier. Have alook at this thread :


    https://communities.ca.com/thread/241740417


    If you have any further question , shoot me.



  • 3.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-03-2016 01:41 AM

    Hi Dhilip,

     

    I think the thread that Ujwol mentioned answered most of your questions except following:

     

    Why do we need host registration?

    R: Policy server needs to trust the client while the client try to connect to policy server. In short, the purpose of host registration is to establish trust between PS and WA so the connection can be established.

     

    Regards,

    Kar Meng



  • 4.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-03-2016 06:20 AM

    Hi Ujwal and Karmeng,

     

    Thanks for your quick replies!

     

    That thread is very useful. But unfortunately, still I have few queries.

     

    1) You have mentioned that hard coded value along with host ID is used to decrypt the shared secret in case of Linux. I would like to know more about this hard coded value.

      • Is this hard coded value and 'Host key' represents the same?
      • How it will be generated? Where it will stored?
      • Is it constant or will it differ for every agent?

    2) May i know how decryption of shared secret will happen in case of Windows environment?

    3) What is the significance of "-sh" while registering the host by command line? Will it change the shared secret value?

     

    Thanks and awaiting return!!

     

    Regards,

    Dhilip



  • 5.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:21 AM

    Hi Dhilip,

     

    Policy Server generates the SharedSecret during the time of host registration and send it to the WebAgent. Shared Secret is already encrypted but Unix/Linux Agents further encrypts this value with the hostid value of Unix/Linux and save it in the SmHost.conf.

    During the agent initialization, webagent decrypts the value of shared secret in SmHost.conf file using the hostid value and then send it to the policy server for handshake. If the hostid value has changed then the decrypted value will not be correct and webagent will not be able to do a proper handshake with the policy server.

     

    Hostid value does not change when the hostname or IP address of the system changes. Some hardware changes may cause the value of hostid to change. If the mount point is changed then also hostid value is changed. There may be other reasons too.

     

    In Windows as the webagent does not further encrypts the value of shared secret sent to it by the policy server.

    During initialization webagent sends the same value of shared secret as stored in SmHost.conf file to the Policy Server and handshake works.

     

    Thanks,

    Rajesh



  • 6.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-07-2016 01:53 AM

    Hi,

     

    Thanks for your detailed and clear explanation.

     

    1. May I know what is the reason behind this double encryption of shared secret in case of non Windows whereas single encryption in case of Windows?
    2. As the shared secret will not be encrypted by agent (again) in Windows OS, shall we reuse the same SmHost.conf file in other Windows system. Will it work?
    3. I would like to know the significance of "-sh" while registering the host by using command line. Will it change the shared secret value?

     

    Regards,

    Dhilip



  • 7.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-09-2016 08:04 AM

    Hi,

     

    May I get a response from any expert for my above questions?

     

    Thanks and awaiting returns!

     

    Regards,

    Dhilip



  • 8.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-09-2016 07:20 PM

    Hi ,

     

    1. May I know what is the reason behind this double encryption of shared secret in case of non Windows whereas single encryption in case of Windows?

    Ujwol => Not much info here. This is how the SSO architect designed.

    1. As the shared secret will not be encrypted by agent (again) in Windows OS, shall we reuse the same SmHost.conf file in other Windows system. Will it work?

    Ujwol => You can but you should not. If something goes wrong with that trusted host, then all your agents are impacted.

    1. I would like to know the significance of "-sh" while registering the host by using command line. Will it change the shared secret value?

    Ujwol => If you don't specify -sh this is how shared secret is created :

     

    • Generate any random string e.g xxxx
    • Encrypt it with Host Key (and using HostId in case of Linux)
    • Result = shared secret

     

    Now, when you specify the -sh option , all you are doing is , you are specifying this"seed" string.

    If you hostId changes, the shared secret will still be invalid.

     

    Hope this clarifies.


    Cheers,

    Ujwol



  • 9.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-10-2016 06:15 AM

    Hi Ujwol,

     

    Thanks for your response. I just have few doubts regarding your above feedback.

     

    1. Could you please confirm if Host Key will be used (because I thought Policy store key will be used) to encrypt the shared secret (in policy server before sharing the shared secret value with agent)?
    2. If yes, will it be encrypted again with policy store key (for the purpose of storing it in policy store)?

     

    Regards,

    Dhilip



  • 10.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-10-2016 06:19 AM

    Yep, I can confirm.

    Here is the full list of various keys used in SSO :


    • Policy Store      Key - used by PS      to encrypt sensitive data in Policy Store
    • Key Store      Key - used by PS      to encrypt data in the Key store
    • Host Key - used by PS/WA to encrypt      data stored in files (EncryptionKey.txt , SmHost.conf)
    • Session Keys- used to encrypt traffic      to/from the PS
    • Agent Keys - used by Agent to encrypt      cookies
    • Session      Ticket Keys/Persistent Key - used by PS to encrypt session and identity specs
    • Shared      secret - used to      authenticate WA and PS to each other

       

    If you have any follow up question please create a new thread, this has been stretched far too far :)



  • 11.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-14-2016 01:12 AM

    Hi Ujwol,

     

    Thanks for your response.  But, still I have a query regarding your above feedback. I have created a new thread (https://communities.ca.com/thread/241750145) for the same.

    Have a nice day!

     

    Regards,

    Dhilip



  • 12.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:24 AM

    Hi Rajesh,


    You said - "Hostid value does not change when the hostname or IP address of the system changes"


    This is NOT true.

    Please refer to the thread I have referred above for explanation.


    Cheers,

    Ujwol



  • 13.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:29 AM

    Hi Ujwol,

     

    You can check with your sustaining engineering as what I said is true.

    Also my organization is going through IP and host name changes and I have first hand experience of whether it works or not. And we did not re-register the host. We are using R12 SP3 CR09. hostid does not change by changing IP or hostname.

     

    Thanks,

    Rajesh



  • 14.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:30 AM

    What OS are we talking about here?



  • 15.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:32 AM

    RedHat Linux



  • 16.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:44 AM

    there is no /etc/hostid file in our system.



  • 17.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:33 AM

    Do you have /etc/hostid file?



  • 18.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:38 AM

    I don't want to get into any troubleshooting or discussion here. I know this for sure and even when I was in CA I have advised customers not to re-register webagent for any IP or hostname changes. And as I have said we have hundreds of Linux servers undergoing IP and hostname changes and there was no need for re-registration so far.



  • 19.  Re: CA SSO : What will happen if we just copy and use SmHost.conf file of some other server?

    Posted 03-04-2016 04:40 AM

    Let's look at Linux Man page:


    http://linux.die.net/man/2/gethostid


    "In the glibc implementation, the hostid is stored in the file /etc/hostid. (In glibc versions before 2.2, the file /var/adm/hostid was used.)

    In the glibc implementation, if gethostid() cannot open the file containing the host ID, then it obtains the hostname using gethostname(2), passes that hostname to gethostbyname_r(3) in order to obtain the host's IPv4 address, and returns a value obtained by bit-twiddling the IPv4 address. (This value may not be unique.)"


    So going by this, unless you have defined static hostid by creating /etc/hostid file, if your IPv4 address change, it will almsot certainly result in different hostid.


    I have also verified this in my setup.