Encrypting the authentication token data

WebSEAL must encrypt the authentication data placed in the token using a key generated through the LMI. We must "synchronize" this key by sharing the key file with each participating WebSEAL server in each participating domain. Each participating WebSEAL server in each domain needs to use the same key. Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments. Always generate unique key pairs for each CDSSO environment.

The generated key is a 192-bit triple DES key. You cannot specify a lifespan for this key. Distribution of the key files is not part of the ISAM CDSSO process. Specify this key file in the [cdsso-peers] stanza of the WebSEAL configuration file of the participating WebSEAL server in each domain. Each entry consists of the fully qualified host name of the peer WebSEAL server and the name of the key file:

[cdsso-peers]
fully-qualified-host-name = keyfile-name

Configuration example for server websealA in domain A:

[cdsso-peers]
websealB.domainB.com = A-B.key

This setting specifies what key websealA uses to encrypt a token destined for websealB in domain B.

Configuration example for server websealB in domain B:

[cdsso-peers]
websealA.domainA.com = A-B.key

This setting specifies what key websealB (in domain B) uses to decrypt a token received from websealA in domain A.

In this example, the A-B.key file is generated on one machine (websealA, for example) and manually (and securely) copied to the other machine (websealB, for example).
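The [cdsso-peers] entries on both servers must mirror each other, and a key file must not be shared across CDSSO environments. The following added example (not part of the ISAM documentation or product) parses constructed excerpts of two WebSEAL configuration files and reports peer entries that are not mirrored or key files reused for more than one peer; identifying each server by a server-name entry in a [server] stanza, and the extra websealC.domainC.com peer, are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed excerpts of two WebSEAL configuration files (not real files).
# websealC is an invented third peer that reuses A-B.key, which the check flags.
CONFIG_A = """
[server]
server-name = websealA.domainA.com
[cdsso-peers]
websealB.domainB.com = A-B.key
websealC.domainC.com = A-B.key
"""
CONFIG_B = """
[server]
server-name = websealB.domainB.com
[cdsso-peers]
websealA.domainA.com = A-B.key
"""

def parse_stanzas(text):
    """Parse 'key = value' lines grouped under [stanza] headers."""
    stanzas, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_peers(*configs):
    """Return findings for mirrored-entry and key-reuse problems."""
    parsed, findings = {}, []
    for text in configs:
        st = parse_stanzas(text)
        parsed[st["server"]["server-name"]] = st["cdsso-peers"]
    for host, peers in parsed.items():
        by_key = defaultdict(list)
        for peer, keyfile in peers.items():
            by_key[keyfile].append(peer)
        for keyfile, hosts in by_key.items():
            if len(hosts) > 1:  # one key file per CDSSO environment
                findings.append(f"{host}: {keyfile} reused for peers {sorted(hosts)}")
        for peer, keyfile in peers.items():
            other = parsed.get(peer)  # None if that peer's config was not supplied
            if other is not None and other.get(host) != keyfile:
                findings.append(f"{host} -> {peer}: {keyfile} not mirrored ({other.get(host)})")
    return findings
```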

Parent topic: Configuration of cross-domain single signon