Symantec Access Management

Expand all | Collapse all

CA SSO : Key, Encryption and Cache

  • 1.  CA SSO : Key, Encryption and Cache

    Posted 04-01-2018 12:15 PM

    Hi,

     

    1) I would like to know which key will be used to encrypt the shared secret before sharing the same with web agent? I hope it is Policy Store key. Please confirm.

    Note : I am aware that Policy Store key will be used for encryption (before storing in PStore) as it is sensitive information.

     

    2) If the PS is in FIPS ONLY mode, will AES algorithm be used only for encrypting the session keys or will it be used (instead of RC2) even for encrypting any sensitive information in Policy Store, Encrytionkey.txt file and smregistry?

     

    3) When Policy Store details will be cached in Policy Server? Will policy server caches all the policy store details during startup itself or is it similar to webagent cache (will update when that corresponding resource is accessed)?

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO : Key, Encryption and Cache

    Posted 04-02-2018 09:01 AM

    Hi,

     

    Regarding first point, I think policy server will not share the encrypted shared secret key. But, the web agent will be using

    • Webagent Host key for encryption while storing in SmHost.conf file - in case of Windows
    • (Webagent Host key + Host Id) for encryption while storing in SmHost.conf file - in case on non-Windows

    Please confirm if my understanding is correct.

    References:

    Tech Tip : CA Single Sign-On : Data Protection, Key Management,Configuration & Common Issues 

    Is SmHost generated from SDK Portable ? 

     

    Regarding second point, if the PS in FIPS ONLY mode, I hope AES algorithm will only be used for all the encryption (Policy Store, Encrytionkey.txt, smregistry file and even password blob of user store). Please confirm.

    Reference: 

    https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/upgrading/migrate-your-environment-to-use-fips-compliant-algorithms/re-encrypt-existing-sensitive-data-for-fips-migration

     

    Thanks.

     

    Regards,

    Dhilip