CA SSO/Single Sign-On: Communication focused on the Shared Secret between WebAgent and Policy Server

Document ID : KB000113306
Last Modified Date : 17/10/2018
Question:
1. What is the difference between the Shared Secret stored in SmHost.conf and the one stored in the Policy Store?

2. How is this Shared Secret used during the handshake between the WebAgent and the Policy Server?
Environment:
CA Single Sign-On
Answer:
1.
SmHost.conf:
Encrypted with the WebAgent Host Key embedded in the software.
Note: On Linux, it is re-encrypted using the hostid.

Policy Store:
Encrypted with the Policy Store Key derived from the configured Encryption Key Seed.

2.
a. The WebAgent decrypts the Shared Secret in SmHost.conf with the Host Key/hostid and builds a Hello Message containing a recalculated (MD5) value of the Shared Secret and AgentName, plus random data.

b. The Policy Server receives the Hello Message, decrypts the Shared Secret in the Policy Store with the Host Key, recalculates (MD5) the Shared Secret and AgentName, and compares the result with the value from the Hello Message.
It then sends encrypted (RC2/AES) Session Keys, together with the random data from the Hello Message, in a Hello Reply Message.

c. The WebAgent receives the Hello Reply Message, decrypts it, and extracts the Session Keys and random data.
It compares this random data with the data it sent in the Hello Message, and then sends a Hello Confirm Message to the Policy Server.

d. The Policy Server receives the Hello Confirm Message; the handshake between the WebAgent and the Policy Server is successful, and an AgentAPI session is then established with the Policy Server.
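The following is an added toy model of the Hello / Hello Reply / Hello Confirm exchange described in steps a to d. It is illustration code written for this article, not CA's implementation or wire format: the message layouts, the exact hash input (shared secret, agent name and nonce concatenated in that order), the 16-byte session key and the SHA-256 keystream stand-in for the RC2/AES protection of the Hello Reply are all assumptions. It models the two outcomes a practitioner cares about: when both sides hold the same Shared Secret the session is established, and when SmHost.conf holds a stale secret (or the agent is unknown) the handshake fails closed at the Policy Server's digest check.

```python
"""Toy model of the WebAgent <-> Policy Server handshake described above.
Added illustration only; message formats, hash input order and the
stand-in cipher are assumptions, not CA SSO's actual protocol."""
import hashlib
import hmac
import secrets

SESSION_KEY_LEN = 16  # assumed for the model


def agent_digest(shared_secret, agent_name, nonce):
    # The article says the value is recalculated (MD5) over the Shared Secret,
    # the AgentName and random data. The concatenation order is assumed.
    return hashlib.md5(shared_secret + agent_name.encode() + nonce).digest()


def keystream_xor(key, nonce, data):
    # Stand-in for the RC2/AES protection of the Hello Reply: XOR with a
    # SHA-256 counter keystream. Symmetric, so the same call decrypts.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PolicyServer:
    def __init__(self, agent_secrets):
        # Shared Secrets as held in the Policy Store, already decrypted
        # for this model (the real store keeps them encrypted at rest).
        self.agent_secrets = agent_secrets

    def handle_hello(self, hello):
        """Step b: recompute the digest, compare, and answer with a Hello Reply."""
        secret = self.agent_secrets.get(hello["agent_name"])
        if secret is None:
            return None  # unknown agent: no reply
        expected = agent_digest(secret, hello["agent_name"], hello["nonce"])
        if not hmac.compare_digest(expected, hello["digest"]):
            return None  # Shared Secret mismatch: handshake fails here
        session_key = secrets.token_bytes(SESSION_KEY_LEN)
        # Reply carries the session key plus the agent's random data, encrypted.
        plaintext = session_key + hello["nonce"]
        return {"ciphertext": keystream_xor(secret, hello["nonce"], plaintext)}


class WebAgent:
    def __init__(self, agent_name, shared_secret):
        self.agent_name = agent_name
        self.shared_secret = shared_secret  # decrypted from SmHost.conf in the product
        self.nonce = None
        self.session_key = None

    def hello(self):
        """Step a: fresh random data plus the digest over secret, name and nonce."""
        self.nonce = secrets.token_bytes(16)
        return {
            "agent_name": self.agent_name,
            "nonce": self.nonce,
            "digest": agent_digest(self.shared_secret, self.agent_name, self.nonce),
        }

    def handle_reply(self, reply):
        """Step c: decrypt, check the echoed random data, emit Hello Confirm."""
        if reply is None:
            return None
        plaintext = keystream_xor(self.shared_secret, self.nonce, reply["ciphertext"])
        session_key, echoed = plaintext[:SESSION_KEY_LEN], plaintext[SESSION_KEY_LEN:]
        if not hmac.compare_digest(echoed, self.nonce):
            return None  # reply not bound to our Hello: reject
        self.session_key = session_key
        return {"agent_name": self.agent_name, "status": "confirm"}


def run_handshake(agent, server):
    """Drive steps a-d. True when an AgentAPI session would be established."""
    reply = server.handle_hello(agent.hello())
    confirm = agent.handle_reply(reply)
    return confirm is not None and agent.session_key is not None


if __name__ == "__main__":
    store = PolicyServer({"agent01": b"constructed-secret"})
    print("matching secret:", run_handshake(WebAgent("agent01", b"constructed-secret"), store))
    print("stale secret:   ", run_handshake(WebAgent("agent01", b"old-secret"), store))
```

The two failure paths map onto the checks in steps b and c: a digest mismatch stops the exchange before any Session Keys are issued, and the echoed random data lets the WebAgent reject a reply that was not produced for its own Hello Message. Both comparisons use constant-time equality, which is the habit to keep when comparing secret-derived values.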
 
Additional Information:
FIPS 140-2 Algorithms:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/fips-140-2-algorithms