Unable to make SSO between multiple Policy Server infrastructures due to "Invalid Key in Use" error.

Document ID : KB000053411
Last Modified Date : 14/02/2018

Description

I'm trying to make Single Sign On work between 2 different Policy Server infrastructures. Every Policy Server has its own Key Store with its own encryption key, and both Policy Servers have the same Agent Static Key. However, I'm unable to make SSO work.

SiteMinder Profiler shows the following error:

"Invalid Key in Use."

Solution

The issue occurs because the Policy Server is unable to decrypt the session ticket.

'Invalid Key in Use' is usually thrown when there is a problem with the Session Ticket Key.

A technical description of this error is as follows:

The Policy Server encrypts the session spec with the Session Ticket Key before sending it to the agent upon session creation (Authentication). The agent presents the session spec on every subsequent Validate or Authorize call for that session.

If the session spec was encrypted with a different key than the one the receiving Policy Server holds, that Policy Server will be unable to decrypt it using its Session Ticket Key and will report the error "Invalid key in use".

Most likely the request has been switched from one Policy Server to another and either the Session Ticket Key differs between them, or the second Policy Server is running with a different Policy Store Encryption Key (this value is encrypted and stored in the EncryptionKey.txt file).

The session key value is set during initial setup of the Policy Server and is stored in the key store. In environments where the key store is not replicated between Policy Servers, a common static session key value must be explicitly configured in all Policy Servers in order for Single Sign On to work properly.

The session key value can be manually configured through the SiteMinder Policy Server UI under "Tools -> Manage Keys" menu option.

Effects of changing the session ticket key:

* Rollover of the session key will result in active user sessions being invalidated, consequently resulting in these users having to re-authenticate to SiteMinder.

* If Password Services are used, all password history data is lost, because the password BLOB is encrypted with the session ticket key.
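The following is an added illustration, not CA/SiteMinder code and not the real session ticket format: a simplified model of two Policy Servers that seal a session spec with a session ticket key, showing why a ticket issued by one server fails on a server with a different key (the "Invalid Key in Use" case above), why a common static key fixes it, and why a rollover invalidates existing sessions. The class names, the JSON session spec and the HMAC-SHA256-based toy cipher are assumptions made for the example; production ticket protection uses the product's own mechanism.

```python
import hashlib
import hmac
import json
import os
import struct
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class PolicyServer:
    """Minimal model of a Policy Server holding one session ticket key (assumed)."""

    def __init__(self, name: str, session_ticket_key: bytes):
        self.name = name
        self.key = session_ticket_key

    def rollover_session_key(self) -> None:
        """Replace the session ticket key, as a key rollover would."""
        self.key = os.urandom(32)

    def authenticate(self, user: str) -> bytes:
        """Create a session spec and seal it (encrypt-then-MAC) with the session ticket key."""
        spec = json.dumps({"user": user, "created": int(time.time())}).encode()
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(spec, _keystream(self.key, nonce, len(spec))))
        tag = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def validate(self, ticket: bytes) -> dict:
        """Check the tag with this server's key; a key mismatch surfaces as the page's error."""
        nonce, body, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("Invalid Key in Use.")
        spec = bytes(a ^ b for a, b in zip(body, _keystream(self.key, nonce, len(body))))
        return json.loads(spec)


def sso_scenarios() -> dict:
    """Run the three situations described in the KB and report the outcome of each."""
    results = {}

    # 1. Separate key stores, separate session ticket keys: SSO fails.
    ps1 = PolicyServer("PS1", os.urandom(32))
    ps2 = PolicyServer("PS2", os.urandom(32))
    ticket = ps1.authenticate("alice")
    try:
        ps2.validate(ticket)
        results["different_keys"] = "accepted"
    except ValueError as err:
        results["different_keys"] = str(err)

    # 2. A common static session ticket key configured on both servers: SSO works.
    shared = os.urandom(32)
    ps1 = PolicyServer("PS1", shared)
    ps2 = PolicyServer("PS2", shared)
    ticket = ps1.authenticate("alice")
    results["shared_key"] = ps2.validate(ticket)["user"]

    # 3. Rollover of the session key: tickets issued before it are no longer accepted.
    ps2.rollover_session_key()
    try:
        ps2.validate(ticket)
        results["after_rollover"] = "accepted"
    except ValueError as err:
        results["after_rollover"] = str(err)

    return results


if __name__ == "__main__":
    for scenario, outcome in sso_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The third scenario is the practical reason to schedule rollovers deliberately: every ticket sealed under the previous key is rejected, so users are forced to re-authenticate at that moment.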