Hi Hubert,
Thanks for your detailed analysis and for providing screenshots.
Regarding rollover of Session ticket key,
From your previous mail, I understood that ChangeSessionKey (ServerCommand:11) will be generated for changing the Session Ticket Key (or) Persistent Key.
1) May I know in which case the following smCommand4 will be triggered, as initially I thought this would be used for the above scenario?
ChangePersistentKey = 9 // data may contain optional key value
I hope ServerCommand:11 will be generated irrespective of the rollover mode (Static or Dynamic).
Regarding rollover of Agent keys,
2) In your screenshots for both cases (static and dynamic), I noticed that the ServerCommand was generated after the AgentCommand. May I know if it is because of any setting (like JournalRefresh and ServerCmdDelay) which you have modified (because whenever I try to modify any object, the ServerCommand is generated first and then the AgentCommand)? If yes, how do I achieve this, as I thought the ServerCommand would be generated instantly (on modification)? If no, what is the reason for this?
<<
Previous comment:
Some ServerCommands convey information that has to be carried over to the various agents. In order to achieve that, when persisting the ServerCommand object, an Agent Command is generated, buffered and scheduled to be saved within 15 sec (configurable by JournalRefresh, in sec). Every 10 sec (configured by ServerCmdDelay), the Management Thread on the Policy Server goes through the list of Agent Commands scheduled to be saved and, if their scheduled time has been reached, saves them.
>>
3) I could see that the generated Server Command (UpdateCachedOid = 6) has a reference to 1a-*** (i.e., smKeyManagementOID). May I know the reason for the same? Why does smKeyManagementOID in the PS cache need to be updated, as it has no reference to agent keys?
Note: I presume smKeyManagementOID is used for storing only the details related to the Persistent Key (Session Ticket key), as even in the Root objectclass, KeyManagement (having smKeyManagementOID) and AgentKeys (having smAgentKeyOID) are stored as separate parameters.
4) I hope Agent keys will not be cached in the policy server (like the Persistent key), so a server command will not be generated for updating an agent key (though one ServerCommand is generated for updating smKeyManagementOID). Please confirm. If not, in which case does the policy server need agent keys (apart from sharing them with the web agents)?
5) I could see an AgentCommand is generated with smCommand4 (UpdateCachedOid = 6 // data contains oid). Are we sure that smCommandData4 contains the encrypted value of the agent key? Is there a chance that after receiving this AgentCommand (to update cache), the agent contacted the policy server for the updated/latest set of keys? Have we verified (from the logs) that the agent didn't contact the policy server for the update?
6) Have we tried rolling over the dynamic key a second time? I would like to know if the following smCommand4 is generated on the second/following rollovers.
ChangeDynamicKeys = 8 // no data
7) Have we tried switching from dynamic key to static key (to know the generated smCommand4)? I would like to know how agents are being informed, as it has to change all 4 agent keys at a time.
Sorry Hubert, we are using custom agents (as well) in our setup, and I am not sure how keys will be used by custom agents (maybe I will raise a new thread for the same), that's why I have refrained from playing around with rollover of keys.
Thanks,
Dhilip
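To make the timing described in the quoted previous comment concrete (a ServerCommand persisted immediately, the derived Agent Command buffered and saved only when a periodic management tick finds its scheduled time reached), here is a small deterministic simulation. It is an added illustration, not SiteMinder code or anything from the thread participants: the command numbers (6, 8, 9, 11) are taken from the thread, while the Journal class, the simulate() helper, the 1-second event loop and the oid placeholder value are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Command identifiers quoted in the thread (smCommand4 / ServerCommand values)
UPDATE_CACHED_OID = 6       # data contains oid
CHANGE_DYNAMIC_KEYS = 8     # no data
CHANGE_PERSISTENT_KEY = 9   # data may contain optional key value
CHANGE_SESSION_KEY = 11

# Settings named in the quoted comment (defaults as stated there, in seconds)
JOURNAL_REFRESH_SEC = 15    # Agent Command is scheduled to be saved this long after buffering
SERVER_CMD_DELAY_SEC = 10   # Management Thread checks the buffered list this often


@dataclass
class AgentCommand:
    command: int
    data: str
    scheduled_at: int       # simulated clock time at which it becomes due


@dataclass
class Journal:
    """Assumed model of the two journals: ServerCommands are written at once,
    Agent Commands are buffered and written by the management tick."""
    server_commands: list = field(default_factory=list)   # (time, command, data)
    pending_agent_commands: list = field(default_factory=list)
    saved_agent_commands: list = field(default_factory=list)  # (time, AgentCommand)

    def persist_server_command(self, now, command, data, propagate_to_agents):
        # The ServerCommand itself is persisted immediately.
        self.server_commands.append((now, command, data))
        # Only commands that must reach agents produce a buffered Agent Command.
        if propagate_to_agents:
            self.pending_agent_commands.append(
                AgentCommand(command, data, now + JOURNAL_REFRESH_SEC))

    def management_tick(self, now):
        # Save every buffered Agent Command whose scheduled time has been reached.
        due = [c for c in self.pending_agent_commands if c.scheduled_at <= now]
        for cmd in due:
            self.pending_agent_commands.remove(cmd)
            self.saved_agent_commands.append((now, cmd))
        return due


def simulate(events, horizon):
    """Run a 1-second clock from 0 to horizon.

    events: list of (time, command, data, propagate_to_agents) tuples.
    The management tick fires at every multiple of SERVER_CMD_DELAY_SEC (after t=0).
    """
    journal = Journal()
    for now in range(horizon + 1):
        for t, command, data, propagate in events:
            if t == now:
                journal.persist_server_command(now, command, data, propagate)
        if now > 0 and now % SERVER_CMD_DELAY_SEC == 0:
            journal.management_tick(now)
    return journal


if __name__ == "__main__":
    # Constructed sample: an object change at t=3 that must be pushed to agents,
    # using a placeholder oid rather than any real object identifier.
    j = simulate([(3, UPDATE_CACHED_OID, "oid-placeholder", True)], horizon=30)
    for when, cmd in j.saved_agent_commands:
        print(f"t={when}s agent command {cmd.command} saved (was due at t={cmd.scheduled_at}s)")
```

With the defaults, a ServerCommand persisted at t=3 schedules its Agent Command for t=18; the ticks at t=10 and t=20 are the only checks, so the Agent Command is written at t=20, i.e. 17 seconds later. Shortening JournalRefresh or ServerCmdDelay moves that write earlier, which is the kind of gap between the two journal entries the question above is about.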