Persistent Key / Session Ticket Key Introduced

Document ID : KB000046216
Last Modified Date : 14/02/2018

Question:

  • What is the Persistent Key / Session Ticket Key? What is it used for?
  • What is the impact of resetting the Persistent Key / Session Ticket Key?

Environment:

Policy Server : Any 

Answer:

 

What is the Persistent Key / Session Ticket Key? What is it used for?

The Policy Server uses the Persistent Key / Session Ticket Key for the following purposes:

  1. To encrypt the Session Ticket (Spec). The session ticket is what the Policy Server uses to determine how long a user’s authentication remains valid. This session ticket is encrypted using the session ticket key and cached in the Agent User Cache. The Session Ticket can be decrypted only by the Policy Server.

The Session Ticket (Spec) contains the following information:

  • SessionVersion
  • SessionStartTime
  • SessionLastTime
  • SessionMaxTimeout
  • SessionIdleTimeout
  • SessionLevel
  • SessionId
  • SessionIp
  • SessionDn
  • SessionDirOid
  • SessionDirName
  • SessionUnivId
  • SessionType
  • SessionAnonymous
  • SessionImpersonatorName
  • SessionLoginName
  • SessionPersistent
  • SessionDrift
  • SessionImpersonatorDirName
  • SessionAuthContext

  2. To encrypt password service data (blob) in the user directory. The password blob contains the following information:

    • LoginFailures (count)
    • LastLoginTime
    • PreviousLoginTime
    • PasswordHistory
    • LastPasswordChange (Date & Time)

 

What is the impact of resetting the Persistent Key / Session Ticket Key?

Resetting the Persistent Key has the following impacts:

  • Existing logged-in user sessions will no longer be valid. Users will have to log in again to establish a new session.
  • Existing password blobs will no longer be valid, which means all the information related to password changes, login tracking, etc. is lost.

Additional Information:

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/administrating/configuring-and-managing-encryption-keys