Layer 7 Access Management


Impact on siteminder environment when rollover agent keys

  • 1.  Impact on siteminder environment when rollover agent keys

    Posted 04-25-2018 03:15 PM

    Hello Everyone,

    We have eight SiteMinder policy servers that are connecting to the same policy store and key store. We don't have a separate key store, so the policy store and key store are together. When I take an smkeyexport on these policy servers I observed it has two sets of agent keys.

    So we are trying to clean up the key store based on this CA KB article: How to Clean up a SiteMinder Key Store? - CA Knowledge. Currently we have 1500 SiteMinder web agents that are connecting to these policy servers. So my questions are:

    1) When we roll over the keys, do the SiteMinder agents need a restart, or do they pick up the changes automatically? (We have SiteMinder web agents installed on IIS, IHS and Apache.)

    2) Do we need to roll over agent keys four times from the AdminUI? (I mean there are four keys in one set.)

    3) Is it recommended to keep one policy server to generate agent keys and have the rest of the policy servers not generate agent keys? (I don't know how much this comes into play when we are using static keys.)

    Our environment:

    siteminder policy server: 12.52 SP1 CR06

    siteminder web agent : 12.52 SP1 CR05

    we are using static keys

    policystore/keystore: oracle 12c

    All replies are greatly appreciated.


    Thank you,

    Naveen



  • 2.  Re: Impact on siteminder environment when rollover agent keys

    Posted 04-25-2018 08:15 PM

    Naveen Naveen007

    If you see that you have different values when you run smkeyexport using the -c flag, then there is some problem, as it does not align with the fact that you have been using static keys from day one.

    If you have been using static keys from the onset, then you need not follow the tech note of rolling multiple times. The technote is for a case where you need to flush all your old keys, because of the reasons stated (multiple policy servers generating dynamic agent keys). When using static keys, you reset it only once and all 4 keys should be in sync.

    When resetting keys, agents pick up the new keys on the PSPoll interval, based on an AgentCommand being present in the policy server cache. If we restart, we are rest assured that the new keys are picked up. If we don't restart, we should still be able to confirm by looking at the WebAgent.log, as we'll see new key update / refresh entries.

    I'd recommend keeping only one policy server designated as the key generator, irrespective of dynamic or static keys. One thing to consider is that this policy server should also be connected to the WAMUI, in order to see the Keys link in the WAMUI.


    Additional Reference

    CA SSO : How policy server(s) will be synchronized? 



  • 3.  Re: Impact on siteminder environment when rollover agent keys
    Best Answer

    Posted 04-25-2018 09:05 PM

    Hi Naveen,

    Your target goal is to have one set of agent keys (key markers 1-4, all with the same value when exported in clear text with -c).

    Just like below:

    objectclass: AgentKey
    Oid: 1b-e9bf02b0-4823-4259-a0cd-50af7e90f1b7
    KeyMarker: 3
    Key: iSvqiaMbslLW7n29IT4v4x4ttUM2yLcY
    objectclass: AgentKey
    Oid: 1b-13173f02-270c-4841-b0a6-450917503980
    KeyMarker: 2
    Key: iSvqiaMbslLW7n29IT4v4x4ttUM2yLcY
    objectclass: AgentKey
    Oid: 1b-f8ea756c-6698-4863-b641-a6eb17b5513c
    KeyMarker: 4
    Key: iSvqiaMbslLW7n29IT4v4x4ttUM2yLcY
    objectclass: AgentKey
    Oid: 1b-5ef9041e-af7e-43f8-9a6a-61c042c41a46
    KeyMarker: 1
    Key: iSvqiaMbslLW7n29IT4v4x4ttUM2yLcY

    As you can see here, the value for all the keys is the same: "iSvqiaMbslLW7n29IT4v4x4ttUM2yLcY"

    1) When we roll over the keys, do the SiteMinder agents need a restart, or do they pick up the changes automatically? (We have SiteMinder web agents installed on IIS, IHS and Apache.)

    Ujwol => The agent doesn't need a restart.

    2) Do we need to roll over agent keys four times from the AdminUI? (I mean there are four keys in one set.)

    Ujwol => Once is enough if using static agent keys.

    3) Is it recommended to keep one policy server to generate agent keys and have the rest of the policy servers not generate agent keys? (I don't know how much this comes into play when we are using static keys.)

    Ujwol => Yes, always keep only one PS to generate/manage keys.

    A few more details on what these 4 different keys are:

    Tech Tip : CA Single Sign-On:: Policy Server : Best practice on importing Agent Keys


    Regards,

    Ujwol
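
The target state Ujwol describes (one key value, markers 1-4 present once each) is easy to verify mechanically before and after a clean-up. The script below is an added illustration, not code from this thread or from CA: it parses "objectclass: AgentKey" records in the layout smkeyexport -c prints, as reproduced above, and reports whether the store holds exactly one consistent key set or, as in the original poster's case, a second stray set. The sample exports are constructed, with placeholder Oid and Key values.

```python
"""Sanity-check a SiteMinder key store export for stray agent-key sets.

Added illustration, not code from the thread or from CA. Parses the
"objectclass: AgentKey" records in the smkeyexport -c layout shown in the
thread and checks for one key value with key markers 1-4 once each.
"""
from collections import defaultdict

EXPECTED_MARKERS = [1, 2, 3, 4]

# Constructed sample of the healthy state: four records sharing one key value.
# Oid and Key values are placeholders, not taken from any real key store.
HEALTHY_EXPORT = """\
objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000003
KeyMarker: 3
Key: PLACEHOLDERKEYVALUE00000000000001
objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000002
KeyMarker: 2
Key: PLACEHOLDERKEYVALUE00000000000001
objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000004
KeyMarker: 4
Key: PLACEHOLDERKEYVALUE00000000000001
objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000001
KeyMarker: 1
Key: PLACEHOLDERKEYVALUE00000000000001
"""

# Constructed sample of the problem the original poster saw: a second set of
# four AgentKey records with a different key value beside the first set.
STALE_EXPORT = HEALTHY_EXPORT + HEALTHY_EXPORT.replace(
    "PLACEHOLDERKEYVALUE00000000000001", "PLACEHOLDERKEYVALUE00000000000002"
)


def parse_agent_keys(text):
    """Split an export into records; keep only those whose objectclass is AgentKey."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field.lower() == "objectclass":
            current = {"objectclass": value}   # each objectclass line starts a record
            records.append(current)
        elif current is not None:
            current[field] = value
    return [r for r in records if r.get("objectclass") == "AgentKey"]


def check_key_sets(records):
    """Group AgentKey records by key value and compare against the target state."""
    by_key = defaultdict(list)
    markers = []
    for r in records:
        key, marker = r.get("Key"), r.get("KeyMarker")
        if key is None or marker is None:
            continue                           # malformed record: ignore rather than crash
        by_key[key].append(int(marker))
        markers.append(int(marker))
    problems = []
    if len(by_key) != 1:
        problems.append(f"{len(by_key)} distinct key values found; expected exactly one")
    if sorted(markers) != EXPECTED_MARKERS:
        problems.append(f"key markers {sorted(markers)} are not exactly 1-4, once each")
    return {
        "ok": not problems,
        "sets": {k: sorted(v) for k, v in by_key.items()},
        "problems": problems,
    }


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_EXPORT), ("stale", STALE_EXPORT)):
        result = check_key_sets(parse_agent_keys(text))
        print(label, "OK" if result["ok"] else "PROBLEMS: " + "; ".join(result["problems"]))
```

Run it against the real export instead of the constructed samples by reading the smkeyexport -c output file into `parse_agent_keys`; the exported file is sensitive material, since a clear-text export exposes the agent keys, so handle and delete it accordingly.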



  • 4.  Re: Impact on siteminder environment when rollover agent keys

    Posted 04-30-2018 10:46 AM

    Hi Ujwol,

    We completed our production key store cleanup last Saturday and it was successful. The reason for cleaning up our key store is that we have an integration between CA API Gateway and the CA SiteMinder policy server via the Layer 7 agent. After the CA API Gateway was upgraded from version 9.1 to 9.3 they are seeing the following errors more frequently.

    20180430 07:48:29.907 WARNING 10102 CA Single Sign-On Authenticate Against CA Single Sign-On assertion: Unable to authenticate user using SSO Token: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

    After I opened a support ticket with CA, the Support Engineer identified additional keys in our key store and suggested cleaning up the key store to see if that resolves the issue. But even after the key store clean-up our API Gateway team is still seeing these kinds of errors. Not sure why it's happening. Can you please advise?

    I am also including our API Gateway dashboard screenshot for reference. Red indicates failed attempts and green indicates success.

     

    Thank you,

    Naveen 

    API Gateway dashboard (screenshot)

    But I am able to decode the SMSESSION by using the web agent SDK.

    Attribute name : DEVICENAME
    Attribute value: ServerName
    Attribute name : USERDN
    Attribute value: CN=XXXXX,OU=***,OU=***,DC=XXXX,DC=XXXX,DC=***
    Attribute name : SESSIONSPEC
    Attribute value: 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
    Attribute name : SESSIONID
    Attribute value: 9P+B+6p3nPDoHYuFJZYQ3X5jdGk=
    Attribute name : USERNAME
    Attribute value: CORPORATE\***
    Attribute name : CLIENTIP
    Attribute value: 10.86.191.30
    Attribute name : IDLESESSIONTIMEOUT
    Attribute value: 0
    Attribute name : MAXSESSIONTIMEOUT
    Attribute value: 622393886
    Attribute name : STARTSESSIONTIME
    Attribute value: 1525089754
    Attribute name : LASTSESSIONTIME
    Attribute value: 1525092508
    Attribute name : UNKNOWN
    Attribute value: SM
    UserID: CN=***,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXX,DC=***
    Session start time: 04/30/2018 07:02:34
    Last session time : 04/30/2018 07:48:28

    Don't worry about the XXXX's. Because it's a real user I masked those values. One odd thing I noticed is the Max Session timeout value. It's very high.



  • 5.  Re: Impact on siteminder environment when rollover agent keys

    Posted 05-07-2018 11:12 AM

    We are also experiencing an issue like this after upgrading to API Gateway 9.3. It seems to be related to agent key rollover. If I re-register the SiteMinder configuration in the API Gateway, it works again for a time. However, it appears that after a certain number of key rollovers the API Gateway loses its ability to perform authorizations against SMSESSION cookies with the policy servers. It continues like this until I perform a re-registration.

    I have a case open as well, and will update if I get any information.

     

    We're running Siteminder (single sign-on) 12.7.

     

    Dave



  • 6.  Re: Impact on siteminder environment when rollover agent keys

    Posted 05-07-2018 12:26 PM

    Thanks David. I also opened a support ticket with CA regarding this issue. Currently it's transferred to the CA API Gateway team on the CA side. I will also update the discussion if I get any information.

     

    Thank you,

    Naveen



  • 7.  Re: Impact on siteminder environment when rollover agent keys

    Posted 05-10-2018 02:32 PM

    David,

    Got an update from the CA API Gateway Support Engineer:

    If "Idle Timeout" or "Maximum Timeout" at SiteMinder is not enabled (or even if they are set to 0), we see Au or Az failures. If they are not enabled at SiteMinder, these values are set to 0. So when the gateway is checking for the IdleTimeout, it always fails, which is leading to Au/Az failures even though the session is just created/valid.

    Also discovered this is a recent known issue, DE343361, which is being addressed in CR

    PRs request:

    9.2 CR8 : Released March 2018

    9.3 CR2 : Scheduled for release later this month

    Workaround for this issue: configure the MAX/IDLE timeouts for the realm's authentication.

    Currently CA has released only two releases of CA API Gateway to customers. They are:

    CA API Gateway 9.3

    CA API Gateway 9.3 CR1

    This defect is fixed in CA API Gateway 9.2 CR8 (released March 2018) and CA API Gateway 9.3 CR2 (scheduled for release later this month). We are waiting for the Gateway 9.3 CR2 release so that we can update our systems to get rid of this issue.

     

    Thank you,

    Naveen



  • 8.  Re: Impact on siteminder environment when rollover agent keys

    Posted 05-07-2018 08:32 PM

    That MaxSessionTimeOut is not right.

    What value have you configured on the realm?



  • 9.  Re: Impact on siteminder environment when rollover agent keys

    Posted 05-08-2018 10:47 AM

    Shrestha,

    It seems that if the Idle Timeout and Maximum Timeout are not specified in the realm configuration, SiteMinder is taking idlesessiontimeout as 0 and maximumsessiontimeout as a high random value.

    Upon decoding many cookies with the web agent SDK which are failing on the API Gateway side, I would say 85-90% of the cookies have idlesessiontimeout as zero and maximumsessiontimeout as a high random value. Not sure what's newly introduced in the CA API Gateway 9.3 version; we didn't have this issue with earlier versions of the API Gateway.

     

    Thank you,

    Naveen
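
Naveen's triage above (decoding failing cookies with the web agent SDK and looking at the idle and maximum timeout attributes) is the check a defender would want to automate, both to size the problem and to confirm the realm-timeout workaround from the support engineer's reply has taken effect. The script below is an added example, not code from this thread or from CA: it parses an "Attribute name / Attribute value" dump of the kind the web agent SDK prints, flags an idle timeout of 0 and a maximum timeout beyond a sane bound, and computes the session age from the start and last-activity epochs. The sample dump is constructed, modeled on the one in reply 4, with placeholder DN, session id and IP; the timeout values are the ones the thread reports. The one-year bound for a "sane" maximum timeout is an assumption of this example.

```python
"""Triage decoded SMSESSION attribute dumps for the timeout anomaly this
thread discusses. Added example; the sample dump is constructed."""

ONE_YEAR_SECONDS = 365 * 24 * 3600   # assumed bound for a plausible MAXSESSIONTIMEOUT

# Constructed sample modeled on the web agent SDK dump in reply 4.
# DN, session id and IP are placeholders; timeouts are the values reported above.
SAMPLE_DUMP = """\
Attribute name : DEVICENAME
Attribute value: ServerName
Attribute name : USERDN
Attribute value: CN=placeholder,OU=placeholder,DC=example,DC=test
Attribute name : SESSIONID
Attribute value: placeholderSessionId=
Attribute name : CLIENTIP
Attribute value: 192.0.2.10
Attribute name : IDLESESSIONTIMEOUT
Attribute value: 0
Attribute name : MAXSESSIONTIMEOUT
Attribute value: 622393886
Attribute name : STARTSESSIONTIME
Attribute value: 1525089754
Attribute name : LASTSESSIONTIME
Attribute value: 1525092508
"""


def parse_session_dump(text):
    """Turn consecutive 'Attribute name' / 'Attribute value' lines into a dict."""
    attrs, pending = {}, None
    for line in text.splitlines():
        if line.startswith("Attribute name"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Attribute value") and pending is not None:
            attrs[pending] = line.split(":", 1)[1].strip()
            pending = None
    return attrs


def session_age_seconds(attrs):
    """Seconds between session start and last activity, per the cookie's own epochs."""
    return int(attrs["LASTSESSIONTIME"]) - int(attrs["STARTSESSIONTIME"])


def audit_session(attrs, max_sane_timeout=ONE_YEAR_SECONDS):
    """Return a list of human-readable findings; an empty list means the cookie looks sane."""
    findings = []
    idle = int(attrs.get("IDLESESSIONTIMEOUT", -1))
    maximum = int(attrs.get("MAXSESSIONTIMEOUT", -1))
    if idle == 0:
        findings.append("IDLESESSIONTIMEOUT is 0: no idle timeout configured on the realm")
    if maximum > max_sane_timeout:
        years = maximum / ONE_YEAR_SECONDS
        findings.append(f"MAXSESSIONTIMEOUT {maximum}s (about {years:.1f} years) exceeds the sane bound")
    if session_age_seconds(attrs) < 0:
        findings.append("LASTSESSIONTIME precedes STARTSESSIONTIME: clock skew or corrupt cookie")
    return findings


def count_anomalous(dumps):
    """Share of dumps with at least one finding, for the kind of 85-90% estimate above."""
    flagged = sum(1 for d in dumps if audit_session(parse_session_dump(d)))
    return flagged, len(dumps)


if __name__ == "__main__":
    attrs = parse_session_dump(SAMPLE_DUMP)
    print("session age:", session_age_seconds(attrs), "seconds")
    for finding in audit_session(attrs):
        print("FINDING:", finding)
```

Feed `count_anomalous` the decoded dumps of the cookies that fail at the gateway; once the realm idle and maximum timeouts are set, newly issued cookies should produce no findings, which is the cheapest way to confirm the workaround before the 9.3 CR2 upgrade.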