How the Agent Reads SiteMinder Cookies
- Web Agents use agent keys to encrypt and decrypt SiteMinder cookies so the data they contain can be read. The Agent uses the key to encrypt cookies before sending them to a user’s browser and to decrypt cookies received from other Web Agents.
- All Web Agents need to be aware of the same keys, and the keys must be set to the same value for all Agents communicating with a Policy Server. This rule is particularly important for Agents in a single sign-on environment. To ensure that the keys remain secure, the Policy Server performs a key rollover. A key rollover is the process of generating new keys, encrypting them, and distributing them to all Web Agents within a SiteMinder environment.
- When a Web Agent starts up and makes a management call request, the Policy Server supplies the current set of keys. Each time that the Web Agent polls the Policy Server, the agent again makes the management call. The Web Agent receives the updated keys.
The Policy Server provides two types of keys:
• Dynamic Keys—A dynamic key is generated by a Policy Server algorithm and distributed to other connected Policy Servers and their associated Web Agents. Dynamic keys can be rolled over at a regular interval, or by using the Key Management dialog box of the Policy Server User Interface.
• Static Keys—A static key remains the same indefinitely, and can be generated by a Policy Server algorithm or configured manually. SiteMinder uses this type of key for a subset of features that require information to be stored in cookies over extended periods of time.
Automated key changes ease the process of managing agent keys for large SiteMinder installations that share a single key store. A key store is a storage location for all key information; all agents access the key store to obtain the current keys. For Agents that are configured for single sign-on, the key store must be replicated and shared across all Policy Servers in the single sign-on environment. Automating key changes also ensures the integrity of the keys.
Agent Key Dynamic Rollovers
You can use the SiteMinder Key Management dialog box of the Policy Server User Interface to configure dynamic Agent key rollover. Web Agents poll the Policy Server for key updates at regular intervals. If keys have been updated, Web Agents pick up the changes during polling. The default polling time is 30 seconds, but can be configured by changing the PSPollInterval parameter of a Web Agent.
When a Web Agent detects that a key rollover has occurred, the Agent retrieves new values for the following Agent keys:
• Old Key—Last value used for the dynamic Agent key before the current value.
• Current Key—Value of the current dynamic Agent key.
• Future Key—Next value that will be used as the current key in a dynamic Agent key rollover.
• Static Key—A long-term key that the Agent can use for SiteMinder features that need to identify a user and maintain this information for long periods of time. Static keys also support cookie encryption for single sign-on when dynamic keys are not enabled.
Web Agents require multiple keys to preserve cookie data and ensure a smooth transition between old keys and new keys.
When the Policy Server generates dynamic keys, it saves and maintains these keys in the key store. The key store is a repository from which all Web Agents retrieve the most current keys. The key store may be part of a SiteMinder policy store or maintained as a standalone key store.
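The following model, added here as an illustration and not taken from SiteMinder or its documentation, shows why an Agent holds the old, current and future dynamic keys at once. A constructed key store rolls its keys over, two constructed Agents poll it at different times, and each Agent tries its current, old and future keys in turn when reading a cookie. The authenticated-encryption helper (`seal`/`open_token`, an HMAC-SHA256 keystream plus HMAC tag) and the class and method names are assumptions for this example; they are not SiteMinder's cookie format or API.

```python
import hashlib
import hmac
import secrets

# Constructed authenticated-encryption helper for this illustration only.
# Token layout: nonce(16) || tag(32) || ciphertext.
# keystream = HMAC-SHA256(key, nonce || counter), tag = HMAC-SHA256(key, nonce || ciphertext).
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def open_token(key, token):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(token) < 48:
        return None
    nonce, tag, ct = token[:16], token[16:48], token[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyStore:
    """Model of the shared key store: old/current/future dynamic keys plus the static key."""
    def __init__(self):
        self.generation = 0
        self.old = None                       # no previous key before the first rollover
        self.current = secrets.token_bytes(32)
        self.future = secrets.token_bytes(32)
        self.static = secrets.token_bytes(32)

    def rollover(self):
        # current becomes old, future becomes current, and a fresh future key is generated
        self.old, self.current, self.future = self.current, self.future, secrets.token_bytes(32)
        self.generation += 1

    def snapshot(self):
        return {"generation": self.generation, "old": self.old, "current": self.current,
                "future": self.future, "static": self.static}

class Agent:
    """Model of a Web Agent that polls the store and keeps a local copy of the keys."""
    def __init__(self, name, store):
        self.name = name
        self.keys = None
        self.poll(store)

    def poll(self, store):
        self.keys = store.snapshot()

    def encrypt_cookie(self, value):
        return seal(self.keys["current"], value)

    def decrypt_cookie(self, token):
        """Try current, then old, then future; return (plaintext, which key worked)."""
        for label in ("current", "old", "future"):
            key = self.keys[label]
            if key is None:
                continue
            pt = open_token(key, token)
            if pt is not None:
                return pt, label
        raise ValueError(f"{self.name}: cookie not decryptable with any held key")

def rollover_scenario():
    """Walk two agents through two rollovers and record which key each read succeeded with."""
    store = KeyStore()
    a = Agent("agent-a", store)
    b = Agent("agent-b", store)
    cookie = a.encrypt_cookie(b"session=user123")        # constructed cookie value
    results = {}
    results["same_generation"] = b.decrypt_cookie(cookie)[1]        # "current"
    store.rollover()
    b.poll(store)                                        # b has the new keys, a has not polled yet
    results["b_reads_a_cookie"] = b.decrypt_cookie(cookie)[1]       # "old"
    fresh = b.encrypt_cookie(b"session=user123")
    results["stale_a_reads_b_cookie"] = a.decrypt_cookie(fresh)[1]  # "future"
    store.rollover()
    b.poll(store)
    try:
        b.decrypt_cookie(cookie)
        results["after_two_rollovers"] = "readable"
    except ValueError:
        results["after_two_rollovers"] = "rejected"    # the original key has aged out
    return results

if __name__ == "__main__":
    print(rollover_scenario())
```

The scenario makes the transition visible: after one rollover a freshly polled Agent still reads a cookie sealed under what is now the old key, and an Agent that has not yet polled reads a cookie sealed by an up-to-date peer because that peer's current key is the stale Agent's future key. A cookie sealed two generations ago is rejected, which is the behaviour the polling interval has to stay well inside of.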