Ujwol Shrestha

Tech Tip - CA Single Sign-On: Policy Server: Persistent Key/Session Ticket Key Introduced

Blog Post created by Ujwol Shrestha Employee on Sep 2, 2016

Question:

  • What is the Persistent Key / Session Ticket Key? What is it used for?
  • Where and how is the Session Ticket Key stored?
  • What is the impact of resetting the Persistent Key / Session Ticket Key?

Environment:

Policy Server: Any

Answer:


What is the Persistent Key / Session Ticket Key? What is it used for?

The Persistent Key (also called the Session Ticket Key) is used by the Policy Server for two purposes:

  1. To encrypt the Session Ticket (Spec). The session ticket is what the Policy Server uses to determine how long a user's authentication remains valid. It is encrypted with the session ticket key and cached in the Agent's user cache; the Agent only ever holds the encrypted ticket, and only the Policy Server can decrypt it.

The Session Ticket (Spec) contains the following fields:

  • SessionVersion
  • SessionStartTime
  • SessionLastTime
  • SessionMaxTimeout
  • SessionIdleTimeout
  • SessionLevel
  • SessionId
  • SessionIp
  • SessionDn
  • SessionDirOid
  • SessionDirName
  • SessionUnivId
  • SessionType
  • SessionAnonymous
  • SessionImpersonatorName
  • SessionLoginName
  • SessionPersistent
  • SessionDrift
  • SessionImpersonatorDirName
  • SessionAuthContext

  2. To encrypt the Password Services data (blob) stored in the user directory. The password blob contains the following information:

  • LoginFailures (count)
  • LastLoginTime
  • PreviousLoginTime
  • PasswordHistory
  • LastPasswordChange (date and time)

Where and how is the Session Ticket Key stored?

The Session Ticket Key is stored in the Key Store.

In the case of an LDAP key store, it is stored under the following DN (note the container is ou=PolicySvr4):

smKeyManagementOID4=<id>,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,<ROOT DN>

Example:

smKeyManagementOID4=1a-fa347804-9d33-11d3-8025-006008aaae5b,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=siteminder,c=in


In the case of an ODBC key store, it is stored in the KeyManagement4 table.

What is the impact of resetting the Persistent Key / Session Ticket Key?

Resetting the Persistent Key has the following impacts, both of which take effect immediately and apply to every user, so the reset should be planned for a maintenance window:

  • Existing logged-in user sessions are no longer valid: their session tickets were encrypted under the old key and the Policy Server can no longer decrypt them, so each user has to log in again to establish a new session.
  • Existing password blobs are no longer valid, which means all Password Services information (password history, login failure counts, last and previous login times, last password change) is lost.
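The behaviour described in the first and third answers, a ticket that only the Policy Server can decrypt and the invalidation of both session tickets and password blobs when the key is reset, as an added Python example that is not CA's own code. The real Policy Server ticket format and cipher are not documented on this page, so the example stands in an HMAC-SHA256-based encrypt-then-MAC wrapper that is labelled as illustrative; the PolicyServer class, the seal/unseal helpers, the user, DN, blob contents and timestamps are all constructed for the example. It carries only a subset of the Session Ticket (Spec) fields listed above and checks SessionMaxTimeout and SessionIdleTimeout against SessionStartTime and SessionLastTime.

```python
import hashlib
import hmac
import json
import os

# Illustrative stand-in only: the real Policy Server ticket format and cipher are
# proprietary; an HMAC-SHA256 keystream plus encrypt-then-MAC tag runs offline.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a PRF keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, fields):
    """Encrypt-then-MAC a field dictionary into an opaque blob."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag under this key, then decrypt; any other key fails."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was not sealed under the current session ticket key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class PolicyServer:
    """Holds the session ticket (persistent) key; Agents never see it."""

    def __init__(self, max_timeout=2 * 3600, idle_timeout=30 * 60):
        self.ticket_key = os.urandom(32)
        self.max_timeout = max_timeout
        self.idle_timeout = idle_timeout

    def reset_persistent_key(self):
        self.ticket_key = os.urandom(32)  # the reset whose impact the page describes

    def issue_session_ticket(self, login_name, user_dn, now):
        # Subset of the Session Ticket (Spec) fields listed on the page.
        spec = {
            "SessionVersion": 1,
            "SessionStartTime": now,
            "SessionLastTime": now,
            "SessionMaxTimeout": self.max_timeout,
            "SessionIdleTimeout": self.idle_timeout,
            "SessionLoginName": login_name,
            "SessionDn": user_dn,
        }
        return seal(self.ticket_key, spec)  # opaque to the Agent that caches it

    def validate_session_ticket(self, ticket, now):
        """Return (True, spec) or (False, reason)."""
        try:
            spec = unseal(self.ticket_key, ticket)
        except ValueError:
            return False, "ticket not decryptable: user must re-login"
        if now - spec["SessionStartTime"] > spec["SessionMaxTimeout"]:
            return False, "session max timeout exceeded"
        if now - spec["SessionLastTime"] > spec["SessionIdleTimeout"]:
            return False, "session idle timeout exceeded"
        return True, spec

    def write_password_blob(self, fields):
        return seal(self.ticket_key, fields)  # Password Services data, same key

    def read_password_blob(self, blob):
        try:
            return unseal(self.ticket_key, blob)
        except ValueError:
            return None  # history and login tracking unreadable after a reset


def demo():
    """Validate a ticket, let it idle out, then reset the key."""
    ps = PolicyServer()
    t0 = 1_600_000_000  # constructed timestamp
    ticket = ps.issue_session_ticket("jdoe", "uid=jdoe,ou=People,o=example", t0)
    blob = ps.write_password_blob({"LoginFailures": 2, "PasswordHistory": ["h1", "h2"]})
    results = {
        "fresh": ps.validate_session_ticket(ticket, t0 + 60)[0],
        "idle": ps.validate_session_ticket(ticket, t0 + 31 * 60)[1],
        "blob_before": ps.read_password_blob(blob),
    }
    ps.reset_persistent_key()
    results["after_reset"] = ps.validate_session_ticket(ticket, t0 + 60)[1]
    results["blob_after"] = ps.read_password_blob(blob)
    return results
```

Calling demo() shows the same ticket accepted a minute after issue, rejected for idle timeout after 31 minutes, and rejected outright once reset_persistent_key() replaces the key, which is why users must log in again; the password blob becomes unreadable at the same moment, which is the loss of Password Services data described above.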

Additional Information:

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/administrating/configuring-and-managing-encryption-keys
