Wednesday, November 28, 2012

Siteminder Keystore


Siteminder uses different keys to secure communication between the Policy Server and Web Agent infrastructures. The distributed Policy Servers and Web Agents in a Siteminder environment use different types of keys to encrypt and decrypt sensitive data. The Siteminder keystore is the repository that policy servers use to store these keys; the keystore can be part of the policy store or a separate entity. Keystores can be deployed in various ways in a distributed environment: there can be a common keystore shared among several policy servers, or different keystores for different policy servers (in which case the keystores replicate data among each other), etc.
Different keys used by the Policy Server / Web Agents
1. Policy Server Encryption Key: Each Policy Server requires a policy server encryption key. This key is configured when a Policy Server is installed; the installation program prompts for its value. The Policy Server uses it to encrypt sensitive data entered through the SM Management Console or the Admin UI, for example LDAP bind credentials, ODBC passwords, keystore keys, agent shared secrets, etc. In distributed environments it is mandatory for all policy servers to use the same key.
2. Session Key: The Policy Server requires a session key to encrypt the unique Siteminder session ticket. The Policy Server generates a session ticket and passes it to the web agents; the web agent reads this session ticket and creates the SMSESSION cookie, which it passes to the user's browser. The Policy Server encrypts the session ticket with the session key before sending it to the web agent. This key value is typically generated by the Policy Server and stored in the keystore; it can also be configured manually through the Siteminder policy management UI ("Tools - Manage Keys" option). Please note that the rollover of these keys should be carefully designed, as it can cause SSO to fail if keys are not rolled over and replicated properly.
3. Agent Keys: Web agents use these keys to encrypt and decrypt the cookies issued by Siteminder, including the session cookie, the identity cookie and other temporary cookies. Web agents download these keys from the policy servers as part of the management call that happens at predefined intervals.
The Policy Server supports 2 types of agent keys:
A. Dynamic Keys: Dynamic keys are generated by the Policy Server's algorithm and distributed to the web agents; they can be rolled over at regular intervals or on demand through the key management option of the Siteminder UI. Siteminder maintains 3 dynamic keys (the old key, the current key and the future key), and a web agent can use any of them to encrypt and decrypt data.
B. Static Keys: A static key remains in effect indefinitely and can be generated by the Policy Server or entered manually. It is used as the agent key when dynamic keys are not used.
4. Key Store Encryption Key: By default the Policy Server encrypts the keys in the keystore with the policy server encryption key. However, in an SSO environment with distributed policy servers, the policy servers can be configured to use a common keystore encryption key instead.
The above 4 types of keys are used by the Policy Server and web agents to encrypt and decrypt all the data used in the Siteminder infrastructure. All of these keys are stored in the keystore used by the policy servers.
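The following is an added illustration, not Siteminder's code and not its real cookie format or cipher: it models the old / current / future dynamic agent key ring from item 3A and the rollover-and-replication caveat from item 2. Each agent holds three keys, encrypts with "current", and tries all three when decrypting. The replication scenario shows why the "future" key exists (an agent that has not yet fetched new keys can still read cookies for one rollover) and what happens when two rollovers go by without the agent refreshing its keys. The `AgentKeyRing` class, the `seal`/`unseal` helpers (SHA-256 keystream plus HMAC tag) and all key values are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed cookie layout for this example only: nonce || ciphertext || HMAC tag.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the plaintext under one 32-byte agent key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class AgentKeyRing:
    """Hypothetical model of the old / current / future dynamic keys held by one web agent."""

    def __init__(self, old=None, current=None, future=None):
        def new(k):
            return k if k is not None else secrets.token_bytes(32)
        self.old, self.current, self.future = new(old), new(current), new(future)

    def snapshot(self):
        """The key set a Policy Server would hand out in a management call."""
        return (self.old, self.current, self.future)

    def rollover(self):
        """Shift the ring: current -> old, future -> current, fresh future key."""
        self.old, self.current, self.future = self.current, self.future, secrets.token_bytes(32)

    def encrypt_cookie(self, ticket: bytes) -> bytes:
        """New cookies are always sealed with the current key."""
        return seal(self.current, ticket)

    def decrypt_cookie(self, blob: bytes):
        """Try current, old and future in turn; report which key succeeded."""
        for name, key in (("current", self.current), ("old", self.old), ("future", self.future)):
            pt = unseal(key, blob)
            if pt is not None:
                return name, pt
        return None, None


def replication_scenario():
    """Agent B took its keys from A's key set, then A rolls over twice without B refreshing.

    Returns which of B's keys decrypted each of A's cookies (None = SSO failure)."""
    agent_a = AgentKeyRing()
    agent_b = AgentKeyRing(*agent_a.snapshot())   # B is in sync with A
    results = []
    results.append(agent_b.decrypt_cookie(agent_a.encrypt_cookie(b"ticket-0"))[0])
    agent_a.rollover()                              # A now encrypts with what B holds as "future"
    results.append(agent_b.decrypt_cookie(agent_a.encrypt_cookie(b"ticket-1"))[0])
    agent_a.rollover()                              # B never fetched this key: cookie unreadable
    results.append(agent_b.decrypt_cookie(agent_a.encrypt_cookie(b"ticket-2"))[0])
    return results


if __name__ == "__main__":
    print(replication_scenario())   # ['current', 'future', None]
```

The third result is the failure mode item 2 warns about: after two rollovers an agent that has not refreshed its keys holds none of the keys the issuing side is using, so every cookie it receives is rejected and users are sent back to log in.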

Source: http://www.siteminderconsulting.com