Symantec Access Management


CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

  • 1.  CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted Mar 14, 2016 02:07 AM

    Hi,

    I am not asking about the second level of encryption (which will happen on the agent side in the case of Linux) but about the first level of encryption on the Policy Server side (once the secret is generated).

    1) Is it using the Policy Server Encryption Key or the Host Key? (I hope these two are different.)

    2) Also, I would like to know more about the host key.

    • How is its value determined?
    • Where is it stored?
    • How is this value encrypted?

    Regards,

    Dhilip.



  • 2.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?
    Best Answer

    Broadcom Employee
    Posted Mar 15, 2016 02:15 PM

    The Policy Server Encryption Key is used to encrypt the Shared Secret.  It is stored in the Policy Store in the Trusted Host Object.   Here is an example of a Trusted Host Object from XPSExplorer:

     

    ------------------------- Object Meta Data ------------------------
    XID: CA.SM::TrustedHost@24-cec7a36f-f619-4000-a78e-263701eab312
    Actual Class: CA.SM::TrustedHost
    Base Class: CA.SM::TrustedHost
    In Cache: yes 4
    Created: 2015-04-24 08:56:57 GMT
    Last Updated: 2015-04-24 08:56:57 GMT
    By: os:NT AUTHORITY/SYSTEM (via Internal)
    ---------------- Attributes from CA.SM::TrustedHost ---------------
    Desc            = "Automatically generated TrustedHost object"
    IpAddr
    Name            = "u124537-agent"
    PrevSecret
    RolloverEnabled = false
    Secret          = <***>
    SecretGenTime   = 0
    SecretUsedTime  = 0
    -------------------------------------------------------------------
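A TrustedHost dump like the one in the answer above is what you would pull for every registered host when reviewing an environment. The following is an added example (not code from the original post and not CA/Broadcom code): it parses XPSExplorer output of that shape and flags hosts whose shared secret is never rotated. The first object in the sample is the dump shown above (XPSExplorer masks the Secret as `<***>`); the second object is constructed for contrast, and reading `SecretGenTime = 0` as "secret never regenerated since registration" is an assumption, not something the thread states.

```python
"""Parse XPSExplorer TrustedHost dumps and flag weak shared-secret settings.

Added example, not code from the original post or from CA/Broadcom.
First object: the dump shown in the post above. Second object: constructed.
"""
import re
from dataclasses import dataclass, field

SAMPLE_DUMP = """\
------------------------- Object Meta Data ------------------------
XID: CA.SM::TrustedHost@24-cec7a36f-f619-4000-a78e-263701eab312
Actual Class: CA.SM::TrustedHost
Base Class: CA.SM::TrustedHost
In Cache: yes 4
Created: 2015-04-24 08:56:57 GMT
Last Updated: 2015-04-24 08:56:57 GMT
By: os:NT AUTHORITY/SYSTEM (via Internal)
---------------- Attributes from CA.SM::TrustedHost ---------------
Desc                            = "Automatically generated TrustedHost object"
IpAddr
Name                           = "u124537-agent"
PrevSecret
RolloverEnabled          = false
Secret                          = <***>
SecretGenTime           =  0
SecretUsedTime          =  0
-------------------------------------------------------------------
------------------------- Object Meta Data ------------------------
XID: CA.SM::TrustedHost@24-00000000-0000-4000-8000-000000000001
Actual Class: CA.SM::TrustedHost
Base Class: CA.SM::TrustedHost
In Cache: yes 1
Created: 2016-03-14 10:00:00 GMT
Last Updated: 2016-03-14 10:00:00 GMT
By: os:NT AUTHORITY/SYSTEM (via Internal)
---------------- Attributes from CA.SM::TrustedHost ---------------
Desc                            = "constructed example host"
IpAddr                          = "10.0.0.5"
Name                            = "web-agent-02"
PrevSecret                      = <***>
RolloverEnabled                 = true
Secret                          = <***>
SecretGenTime                   =  1457949600
SecretUsedTime                  =  1457953200
-------------------------------------------------------------------
"""


@dataclass
class TrustedHost:
    meta: dict = field(default_factory=dict)   # "Object Meta Data" lines
    attrs: dict = field(default_factory=dict)  # "Attributes from ..." lines


def _coerce(raw: str):
    """Turn an attribute value into str/bool/int; the '<***>' mask stays a str."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_xps_dump(text: str) -> list:
    """Objects start at an 'Object Meta Data' banner and end at a dashes-only line.
    A bare attribute name (no '=') is an attribute with an empty value."""
    hosts, cur, in_attrs = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "Object Meta Data" in line:
            cur, in_attrs = TrustedHost(), False
            hosts.append(cur)
        elif cur is None:
            continue
        elif set(line) == {"-"}:
            cur = None                       # closing rule: object complete
        elif "Attributes from" in line:
            in_attrs = True
        elif in_attrs:
            key, sep, val = line.partition("=")
            cur.attrs[key.strip()] = _coerce(val) if sep else None
        else:
            key, _, val = line.partition(":")   # first ':' only; XID has '::'
            cur.meta[key.strip()] = val.strip()
    return hosts


def audit(host: TrustedHost) -> list:
    """Findings for a host whose shared secret is not being rolled over.
    Assumption (not from the page): SecretGenTime == 0 means never regenerated."""
    a, findings = host.attrs, []
    if a.get("RolloverEnabled") is not True:
        findings.append("RolloverEnabled is false: shared secret never rotates")
    if a.get("SecretGenTime", 0) == 0:
        findings.append("SecretGenTime is 0: secret unchanged since registration")
    return findings


if __name__ == "__main__":
    for h in parse_xps_dump(SAMPLE_DUMP):
        print(h.attrs.get("Name"), "->", audit(h) or ["ok"])
```

Run it against a real XPSExplorer export by replacing `SAMPLE_DUMP` with the file contents; any host that comes back with findings is one whose secret has been static since registration, which is the case the `RolloverEnabled = false` object above illustrates.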



  • 3.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted Mar 16, 2016 10:22 AM

    Hi,

    Thanks for your response.

    Could you please let me know whether the encrypted value of the shared secret (encrypted using the Policy Server Encryption Key) is used only for sharing with the agent, or whether this encrypted value is also what is stored in the policy store (instead of the original value)?

    If it is the second case, then will double encryption happen here before storing in the policy store (as the sensitive data in the policy store will be encrypted by the Policy Store Key)?

    Regards,

    Dhilip



  • 4.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Broadcom Employee
    Posted Mar 17, 2016 12:24 PM

    Dhilip,

    The shared secret is stored in the policy store as encrypted data, encrypted with the policy store key. The stored shared secret is used to compare against the shared secret that the agent sends during the initial handshake.

    << If it is the second case, then will double encryption happen here before storing in the policy store (as the sensitive data in the policy store will be encrypted by the Policy Store Key)? >>

    No; all the data that is stored in the policy store is encrypted with the encryption key (which is also called the policy store key).



  • 5.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted Mar 17, 2016 01:16 PM

    Hi Saravanan,

    Thanks for your response.

    Do the Policy Server encryption key and the policy store key represent the same key?

    Regards,

    Dhilip



  • 6.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Broadcom Employee
    Posted Mar 17, 2016 01:54 PM

    Yes, Dhilip, they are the same.

    Encryption key, policy store encryption key, Policy Server encryption key and policy store key all refer to the same key, the one in the encryptionkey.txt file.



  • 7.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted Mar 21, 2016 02:00 AM

    Hi Saravanan,

    Thanks for the clarification.

    Could you please provide your feedback on my second point (from my initial query) as well? I have copied it here for your reference.

    <<
    2) Also, I would like to know more about the host key.

    • How is its value determined?
    • Where is it stored?
    • How is this value encrypted?
    >>

    Thanks, and awaiting your reply.

    Regards,

    Dhilip



  • 8.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Broadcom Employee
    Posted Mar 21, 2016 10:00 AM

    << 2) Also, I would like to know more about the host key. >>

    • How is its value determined?
      • The Policy Server host key is auto-generated and embedded in the software.
    • Where is it stored?
      • The host key is stored in Policy Server process memory.
    • How is this value encrypted?
      • It is encrypted using the RC2 algorithm.

    I hope this answers all your questions.



  • 9.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted Mar 22, 2016 03:23 AM

    Hi Saravanan,

    Thanks for your continued responses.

    Could you please let me know which key is used for encrypting the host key?

    Regards,

    Dhilip



  • 10.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Broadcom Employee
    Posted Mar 22, 2016 10:10 AM

    The host key is not encrypted with any key; it is encrypted using the RC2 algorithm and stored in Policy Server memory.



  • 11.  Re: CA SSO : Which key will be used for encrypting the shared secret (at Policy server side)?

    Posted Mar 23, 2016 02:38 AM

    Hi Saravanan,

    Thanks for your feedback.

    Have a great day!

    Regards,

    Dhilip