Symantec Access Management

Expand all | Collapse all

CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

Jump to Best Answer
  • 1.  CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-14-2016 02:07 AM

    Hi,

     

    I am not asking about the second level of encryption (which will happen on agent side in case of Linux) but about the first level of encryption on policy server side(once the secret is generated).

     

    1) Is it using Policy Server Encryption key or Host Key? (I hope these two are different)

    2) Also, I would like to know more information about host key.

    • How its value will be determined?
    • Where it will be stored?
    • How this value will be encrypted?

     

    Regards,

    Dhilip.



  • 2.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?
    Best Answer

    Posted 03-15-2016 02:15 PM

    The Policy Server Encryption Key is used to encrypt the Shared Secret.  It is stored in the Policy Store in the Trusted Host Object.   Here is an example of a Trusted Host Object from XPSExplorer:

     

    ------------------------- Object Meta Data ------------------------

    XID: CA.SM::TrustedHost@24-cec7a36f-f619-4000-a78e-263701eab312

    Actual Class: CA.SM::TrustedHost

    Base Class: CA.SM::TrustedHost

    In Cache: yes 4

    Created: 2015-04-24 08:56:57 GMT

    Last Updated: 2015-04-24 08:56:57 GMT

    By: os:NT AUTHORITY/SYSTEM (via Internal)

    ---------------- Attributes from CA.SM::TrustedHost ---------------

    Desc                            = "Automatically generated TrustedHost object"

    IpAddr

    Name                           = "u124537-agent"

    PrevSecret

    RolloverEnabled          = false

    Secret                          = <***>

    SecretGenTime           =  0

    SecretUsedTime          =  0

    -------------------------------------------------------------------



  • 3.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-16-2016 10:22 AM

    Hi,

     

    Thanks for your response.

     

    Could you please let me know if the encrypted value of shared secret (using Policy Server Encryption key) will be used only for sharing with the agent or this encrypted value will only be used (instead of original value) for storing in the policy store as well?

     

    If it is the second case, then will double encryption happens here before storing in policy store (as the sensitive data in the policy store will be encrypted by Policy Store Key) ?

     

    Regards,

    Dhilip



  • 4.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-17-2016 12:24 PM

    Dhilip,

     

    The shared secret is stored in the policy store as an encrypted data by encrypting with policy store key. The store shared secret will be used to compare with the shared secret that the agent sends during initial handshake.

     

    If it is the second case, then will double encryption happens here before storing in policy store (as the sensitive data in the policy store will be encrypted by Policy Store Key) ?

    No; all the data that is stored in the policy store is encrypted with encryption key (which is also called as policy store key).



  • 5.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-17-2016 01:16 PM

    Hi Saravanan,

     

    Thanks for your response.

    Does policy server encryption key and policy store key represents the same key?

     

    Regards,

    Dhilip



  • 6.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-17-2016 01:54 PM

    Yes Dhilip, they are same.

     

    Encryption key, policy store encryption key, policy server encryption key and policy store key are pointing to the same key that is in encryptionkey.txt file.



  • 7.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-21-2016 02:00 AM

    Hi Saravanan,

     

    Thanks for the clarification.

     

    Could you please provide your feedback for my second point (of my initial query) as well. I have copied the same here for your reference.

    <<

    2) Also, I would like to know more information about host key.

    • How its value will be determined?
    • Where it will be stored?
    • How this value will be encrypted?

    >>

     

    Thanks and awaiting returns.

     

    Regards,

    Dhilip



  • 8.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-21-2016 10:00 AM

    2) Also, I would like to know more information about host key.

    • How its value will be determined?
      • Policy server host key is auto generated and embedded in software.
    • Where it will be stored?
      • Host key is stored in policy server process memory.
    • How this value will be encrypted?
      • It is encrypted by using RC2 algorithm.

     

    I hope it answers all your questions.



  • 9.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-22-2016 03:23 AM

    Hi Saravanan,

     

    Thanks for your continuous response.

    Could you please let me know which key will be used for encrypting the host key?

     

    Regards,

    Dhilip



  • 10.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-22-2016 10:10 AM

    Host key is not encrypted by using any key but it is encrypted by using RC2 algorithm and stored in policy server memory.



  • 11.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted 03-23-2016 02:38 AM

    Hi Saravanan,

     

    Thanks for your feedback.

    Have a great day!

     

    Regards,

    Dhilip