Tech Tip : CA Single Sign-On : SDK Agent cannot decode SMSESSION Cookie after rolling 3 Times the Agent Keys

Discussion created by Patrick-Dussault Employee on Jan 2, 2017

Question :


  Running the SDK Agent, once the Agent Keys have been rolled over twice,
  the decodeSSOToken() method is no longer able to decode the SMSESSION cookie
  and my SDK Agent always throws an exception.


  How often can the Agent Keys be rolled over before the SDK Agent can no longer decode it?
  Two or three times?


  I'd say three times because there are 3 Keys : the PAST, CURRENT and FUTURE.


Environment :


  This applies to all Agent versions.


Answer :


   By design, once the Agent Keys have been rolled twice, the SDK Agent can no longer decode the SMSESSION cookie.


   1 - The SMSESSION cookie is encrypted with the Current Key (k1). The key ring is (k0-k1-k2).
   2 - At the first roll, the Current Key value becomes the Old Key,
       and the old key k0 is no longer available (k1-k2-k3). The cookie still decodes with k1.
   3 - At the second roll, the key which encrypted the SMSESSION
       cookie (k1) is no longer in the ring, and as such the SMSESSION cookie cannot
       be decoded by the Web Agent (k2-k3-k4).
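The following is an added worked model of the three-slot key ring described above; it is not code from the CA SSO SDK and does not reproduce the real SMSESSION cookie format or cipher. The keys (k0, k1, ...) are constructed deterministically, tokens are HMAC-tagged instead of encrypted, and decode_token() stands in for decodeSSOToken() by trying every key still held in the ring. The point it demonstrates is the one in the answer: a cookie issued under the current key k1 survives one roll (k1 is then the old key) and fails from the second roll onward.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

# Hypothetical teaching model of the old/current/future agent key ring.
# Not the SiteMinder SDK: tokens are authenticated with HMAC-SHA256 rather
# than encrypted, which is enough to show which keys can still validate a
# cookie after each roll.

MAC_LEN = 32  # SHA-256 digest length


def make_key(n: int) -> bytes:
    """Constructed, deterministic key material for key number n (k0, k1, ...)."""
    return hashlib.sha256(f"constructed-agent-key-{n}".encode()).digest()


class AgentKeyRing:
    """Three slots: old, current, future. Rolling shifts every key one slot
    down, generates a new future key, and discards the previous old key."""

    def __init__(self, first_key_number: int = 0) -> None:
        self.next_number = first_key_number + 3
        self.ring: List[bytes] = [make_key(first_key_number + i) for i in range(3)]

    @property
    def old(self) -> bytes:
        return self.ring[0]

    @property
    def current(self) -> bytes:
        return self.ring[1]

    @property
    def future(self) -> bytes:
        return self.ring[2]

    def roll(self) -> None:
        """current -> old, future -> current, brand-new key -> future."""
        self.ring = [self.current, self.future, make_key(self.next_number)]
        self.next_number += 1


def encode_token(key: bytes, payload: bytes) -> str:
    """Issue a token under one key: base64(HMAC(key, payload) || payload)."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(mac + payload).decode("ascii")


def decode_token(ring: AgentKeyRing, token: str) -> Optional[bytes]:
    """Try every key still in the ring; return the payload, or None when the
    issuing key has been rotated out (the decodeSSOToken() failure case)."""
    raw = base64.b64decode(token)
    mac, payload = raw[:MAC_LEN], raw[MAC_LEN:]
    for key in ring.ring:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):
            return payload
    return None


def decode_after_rolls(max_rolls: int = 3) -> List[bool]:
    """Walk the scenario from the tech tip: start with ring (k0, k1, k2),
    issue a cookie under the current key k1, then roll repeatedly and record
    whether the cookie still decodes after 0, 1, 2, ... rolls."""
    ring = AgentKeyRing(0)  # k0-k1-k2
    cookie = encode_token(ring.current, b"user=alice;session=constructed")
    results = [decode_token(ring, cookie) is not None]
    for _ in range(max_rolls):
        ring.roll()
        results.append(decode_token(ring, cookie) is not None)
    return results


if __name__ == "__main__":
    for rolls, ok in enumerate(decode_after_rolls()):
        print(f"after {rolls} roll(s): {'decodes' if ok else 'cannot decode'}")
```

decode_after_rolls() returns [True, True, False, False]: the cookie decodes with no rolls (k1 current) and after one roll (k1 old), and fails from the second roll on, which is the ring state k2-k3-k4 described in step 3. Operationally this means any SDK Agent that caches an SMSESSION value across two key rollovers must expect an exception and re-authenticate rather than retry.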


KB : TEC1853933