Symantec Access Management

  • 1.  CA SSO : Session Key

    Posted Feb 09, 2018 01:36 AM

    Hi,

     

    I would like to know about the session key.

     

    Threads referred:

    https://communities.ca.com/message/241827432?commentID=241827432#comment-241827432 

    CA SSO :  FIPS modes 

     

    1. How Session key value will be generated (I am aware that it is auto generated using some seed)? Will all the policy servers, webagent and WAMUI (in an environment) share the same session key? If yes, how are controlling which policy server will be generating/sharing session key?
    2. How session keys will be shared with the agents/WAMUI? Will agents/WAMUI ask for the session keys to policy server? Would be very helpful if someone can explain this flow in detail.
    3. Where session key will be stored in Policy Server, Webagent and WAMUI?
    4. What is the validity of the Session key? When it will be rolled? Is there a way to control that?

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO : Session Key
    Best Answer

    Posted Feb 09, 2018 01:56 AM

    Not much interesting about Session Keys.


    1. How Session key value will be generated (I am aware that it is auto generated using some seed)? Will all the policy servers, webagent and WAMUI (in an environment) share the same session key? If yes, how are controlling which policy server will be generating/sharing session key?

    Ujwol => Generated by PS using hardcoded seed in PS code.

    Yes, as it is generated based on the same seed, it's the same no matter which PS generates it.


    2. How session keys will be shared with the agents/WAMUI? Will agents/WAMUI ask for the session keys to policy server? Would be very helpful if someone can explain this flow in detail.

    Ujwol => It is sent to webagent/wamui after the initial handshake.

    3. Where session key will be stored in Policy Server, Webagent and WAMUI?

    Ujwol => It is shared in memory by each process.

    4. What is the validity of the Session key? When it will be rolled? Is there a way to control that?

    Ujwol => Unlimited validity. It doesn't expire. It cannot be rolled.


  • 3.  Re: CA SSO : Session Key

    Posted Feb 09, 2018 05:25 AM

    Hi Ujwol,

     

    Thanks for your response.

     

    So, Will value of session key be same across all policy servers for different organizations as well(as seed is hard coded)?

     

    Will there be any entries in any logs about these that agent/wamui has successfully received session keys/Policy server has sent the same?

     

    Regards,

    Dhilip



  • 4.  Re: CA SSO : Session Key

    Posted Feb 09, 2018 05:42 AM

    So, Will value of session key be same across all policy servers for different organizations as well (as seed is hard coded)?

    YES

    Will there be any entries in any logs about these that agent/wamui has successfully received session keys/Policy server has sent the same?

    NO



  • 5.  Re: CA SSO : Session Key

    Posted Feb 09, 2018 06:08 AM

    Hi Ujwol,

     

    Thanks again.

     

    Please confirm if my understanding is correct.

     

    When PS is in Compat Mode, 128 bit cipher will be generated from the Session Keys (using RC4 algorithm). This cipher will be used to encrypt/decrypt the traffic between Policy Server and Web Agent/WAMUI.

     

    When PS is in Migration Mode or FIPS Only Mode, 128 bit cipher will be generated from the same Session Keys (using AES algorithm). This cipher will be used to encrypt/decrypt the traffic between Policy Server and Web Agent.

     

    Regards,

    Dhilip



  • 6.  Re: CA SSO : Session Key

    Posted Feb 09, 2018 06:09 AM

     Correct.



  • 7.  Re: CA SSO : Session Key

    Posted Feb 10, 2018 10:54 AM

    Hi Ujwol,

     

    Thanks for your confirmation.

     

    Regards,

    Dhilip