Best practice on importing Agent Keys

Document ID : KB000009568
Last Modified Date : 14/02/2018
Introduction:

The Key Store comprises the following:

  • One KeyManagement object (this also contains the persistent key)
  • Four Agent Keys (one set)

The four Agent Keys are :

  • An Old Key is a dynamic key that holds the last value used for the Agent key before the current value.
  • A Current Key is a dynamic key that holds the value of the current Agent key.
  • A Future Key is a dynamic key that holds the next value that will become the Current key at an Agent key rollover.
  • A Static Key

Note: When static Agent Keys are in use, the underlying value of all four Agent Keys is the same, although the encrypted values stored in the Key Store differ.

At any point in time, the Key Store should contain exactly four Agent Keys (one set) as described above.

If there are more than four Agent Keys, there is no guarantee which set an Agent will use when more than one set is delivered from the Key Store at Agent start-up.

Consider a scenario with two sets of Agent Keys, set 1 and set 2. If Web Agent 1 uses set 1 and Web Agent 2 uses set 2, an SMSESSION cookie encrypted by one Agent cannot be decrypted by the other, which breaks SSO between them.

It is therefore very important not to duplicate Agent Keys.

Background:

In this guide, we discuss one particular scenario during key import that must be taken into account to avoid duplicate Agent Keys.

The OID of the KeyManagement object is always "1a-fa347804-9d33-11d3-8025-006008aaae5b". The OID of an Agent Key object, however, can be any random value.

Let's consider a sample key export from the source Key Store:

(Image: smkeyexport.jpg, smkeyexport output from the source Key Store)

and let's check the existing OIDs of the keys in the destination Key Store:

(Image: beforekeyimport.jpg, smkeyexport output from the target Key Store before the import)

As you can see above, even though the OID of the KeyManagement object is the same in the source and target Key Stores, the OIDs of the Agent Keys are different.

If you now import this key export file into the target Key Store, the key store after a successful import looks like this:

(Image: keystoreafterimport.jpg, smkeyexport output from the target Key Store after the import)

As you can see above, during the import the smkeyimport tool updated the existing KeyManagement object, because its OID matched.

The OIDs of the Agent Keys did not match, however, so it created new Agent Key objects, leaving a duplicate set of Agent Keys in the target Key Store (eight instead of four).

Environment:
Policy Server: Any
Key Store: Any
Instructions:

To fix this, delete the old set of Agent Keys manually from the target Key Store.

You can identify the OIDs of the old set by running smkeyexport against the target Key Store before running smkeyimport: any Agent Key OID that appears in that export but not in the source export belongs to the old set.

How to delete specific agent keys:

1) For an RDBMS key store, use SQL to delete the old set of Agent Keys (the OIDs that were already in the target before the import and are not in the source export).

Example command:

DELETE FROM smagentkey4 WHERE agentkeyoid = '1b-4a79595f-9a40-1000-a34a-830cefdf0cb3';

Note: The command is an example only and must be modified to match the OIDs of your environment. Run it once per old Agent Key OID (four in total), and run a matching SELECT first to confirm that each statement affects exactly one row.

2) For an LDAP key store, use the ldapmodify command to delete the same old set of Agent Keys.

Example command:

# ldapmodify -D "cn=directory manager" -w dirmanagerpassword -h localhost

dn: smAgentKeyOID4=1b-4a79595f-9a40-1000-a34a-830cefdf0cb3,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=ghost
changetype: delete

Note: The LDIF change record is entered on standard input after the command (or passed with -f), one dn/changetype pair per old Agent Key OID. The base DN ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=ghost must be adjusted to your policy store root. Passing the bind password with -w puts it in the process list and shell history; prefer the password prompt option of your ldapmodify (-W in OpenLDAP) instead.
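The identification and clean-up steps above can be scripted. The following Python is an added example, not part of this document or of the CA tooling: it takes the text of the two smkeyexport files (the target before the import and the source), extracts every OID-shaped token without relying on the export file layout, treats the Agent Key OIDs present in the target but absent from the source as the old set, checks that the cleaned-up Key Store holds exactly one set of four, and emits the SQL for step 1 or the LDIF for step 2. The two export excerpts are constructed, and the "oid:" line layout, the table and column names and the base DN defaults (taken from the examples on this page) are assumptions to adjust for your environment.

```python
"""Find the stale Agent Key set left behind by smkeyimport and emit the
DELETE statements (SQL) or LDIF needed to remove it.

Added example, not CA's tooling. It assumes only that the OIDs appear
somewhere in the text of the smkeyexport output; the exact layout of
those files is not relied on.
"""
import re

# Fixed OID of the single KeyManagement object; it is identical in every key store.
KEY_MANAGEMENT_OID = "1a-fa347804-9d33-11d3-8025-006008aaae5b"

# SiteMinder OIDs look like 1b-4a79595f-9a40-1000-a34a-830cefdf0cb3:
# a two-hex-digit class prefix followed by a UUID.
OID_RE = re.compile(r"\b[0-9a-f]{2}-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b")

# Constructed excerpts standing in for smkeyexport output. Only the OIDs matter;
# the "oid:" prefix is an assumption about the layout, the parser does not use it.
SOURCE_EXPORT = """\
oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
oid: 1b-0d3c1f2a-7b91-1000-9e44-2a1c0e5f7a01
oid: 1b-0d3c1f2a-7b91-1000-9e44-2a1c0e5f7a02
oid: 1b-0d3c1f2a-7b91-1000-9e44-2a1c0e5f7a03
oid: 1b-0d3c1f2a-7b91-1000-9e44-2a1c0e5f7a04
"""

TARGET_BEFORE_IMPORT = """\
oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
oid: 1b-4a79595f-9a40-1000-a34a-830cefdf0cb1
oid: 1b-4a79595f-9a40-1000-a34a-830cefdf0cb2
oid: 1b-4a79595f-9a40-1000-a34a-830cefdf0cb3
oid: 1b-4a79595f-9a40-1000-a34a-830cefdf0cb4
"""


def agent_key_oids(export_text):
    """Set of Agent Key OIDs in an export. The KeyManagement OID is dropped:
    smkeyimport updates that object in place, it never duplicates it."""
    return set(OID_RE.findall(export_text.lower())) - {KEY_MANAGEMENT_OID}


def stale_agent_keys(target_before_import, source_export):
    """The old set: Agent Keys the target already had that the source export
    does not contain. After smkeyimport these sit beside the imported set."""
    return sorted(agent_key_oids(target_before_import) - agent_key_oids(source_export))


def key_store_is_consistent(target_export, source_export):
    """True when the target holds exactly one set of four Agent Keys and it is
    the set that came from the source."""
    oids = agent_key_oids(target_export)
    return len(oids) == 4 and oids == agent_key_oids(source_export)


def delete_sql(oids, table="smagentkey4", column="agentkeyoid"):
    """One DELETE per stale OID for an RDBMS key store. The OIDs were matched
    by OID_RE, so they contain only hex digits and dashes and are safe to inline."""
    return "\n".join(f"DELETE FROM {table} WHERE {column} = '{o}';" for o in oids)


def delete_ldif(oids, base_dn="ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=ghost"):
    """LDIF for ldapmodify: one delete change record per stale OID."""
    return "\n\n".join(f"dn: smAgentKeyOID4={o},{base_dn}\nchangetype: delete" for o in oids)


if __name__ == "__main__":
    stale = stale_agent_keys(TARGET_BEFORE_IMPORT, SOURCE_EXPORT)
    print("-- RDBMS key store\n" + delete_sql(stale))
    print("\n# LDAP key store (feed to ldapmodify)\n" + delete_ldif(stale))
    # The target right after the import holds both sets: eight Agent Keys.
    after_import = TARGET_BEFORE_IMPORT + SOURCE_EXPORT
    print("\nconsistent after import:", key_store_is_consistent(after_import, SOURCE_EXPORT))
    # Once the stale set is deleted only the imported set remains.
    print("consistent after cleanup:", key_store_is_consistent(SOURCE_EXPORT, SOURCE_EXPORT))
```

Run it with the two real export files read into SOURCE_EXPORT and TARGET_BEFORE_IMPORT, review the generated statements against the OIDs you see in the exports, and re-run smkeyexport on the target afterwards to confirm that exactly four Agent Keys remain.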

Additional Information:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/agent-keys-introduced