Generating a key pair to encrypt and decrypt cookie data
Use the LMI to generate a key pair that can secure the cookie data. WebSEAL provides this utility. We can generate a symmetric key pair that can encrypt and decrypt the data in a failover cookie.
- Do not reuse the key pair (used to encrypt and decrypt cookie data) that was generated for one load-balanced environment configured for failover in any other load-balanced environment. Always generate a unique key pair for each load-balanced environment configured for failover authentication.
- If we do not configure WebSEAL to encrypt failover authentication cookies, and we have enabled failover authentication, WebSEAL generates an error and refuses to start. Failover authentication cookies must be encrypted.
Steps
- Use the LMI to generate the key file, such as ws.key. Use the SSO Keys management page to create the key file. To access this page, go to Secure - Reverse Proxy Settings > Global Keys > SSO Keys.
- Edit the WebSEAL configuration file. In the [failover] stanza, specify the key file.
[failover]
failover-cookies-keyfile = keyfile_name
- Manually copy the key file to each of the remaining replicated servers.
- On each replicated server, edit the WebSEAL configuration file to supply the correct path name to failover-cookies-keyfile in the [failover] stanza.
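The two notes above and steps 3 and 4 amount to three checks on a deployment: every replicated server names a key file in [failover], every server actually holds that file, and no key file is shared between environments. The following is an added example of such a check, not code from the original documentation or from WebSEAL; it assumes the stanza/key=value layout shown above can be read with Python's configparser, and the configuration texts and key bytes are constructed sample data.

```python
import configparser
import hashlib

def failover_keyfile_setting(config_text):
    """Return the failover-cookies-keyfile value from the [failover] stanza, or None if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    if not parser.has_section("failover"):
        return None
    return parser.get("failover", "failover-cookies-keyfile", fallback=None) or None

def check_environments(envs):
    """envs maps environment -> host -> (config_text, key_bytes or None).
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    env_digests = {}
    for env, hosts in envs.items():
        digests = set()
        for host, (config_text, key_bytes) in hosts.items():
            keyfile = failover_keyfile_setting(config_text)
            if keyfile is None:
                findings.append(f"{env}/{host}: [failover] has no failover-cookies-keyfile")
                continue
            if key_bytes is None:
                findings.append(f"{env}/{host}: key file {keyfile} was not copied to this server")
                continue
            digests.add(hashlib.sha256(key_bytes).hexdigest())  # fingerprint, not the key itself
        if len(digests) > 1:
            findings.append(f"{env}: replicated servers do not share one key file")
        env_digests[env] = digests
    first_env_for = {}  # digest -> first environment seen using it
    for env, digests in env_digests.items():
        for digest in digests:
            if digest in first_env_for:
                findings.append(f"{env}: reuses the key file of {first_env_for[digest]}")
            else:
                first_env_for[digest] = env
    return findings

# Constructed sample data (not real WebSEAL configurations or key material).
CONFIG_WITH_KEY = "[failover]\nfailover-cookies-keyfile = ws.key\n"
CONFIG_WITHOUT_KEY = "[failover]\n# failover-cookies-keyfile = ws.key\n"
KEY_ENV_A = b"constructed-key-material-env-a"
KEY_ENV_B = b"constructed-key-material-env-b"
SAMPLE_ENVS = {
    "env-a": {"ws1": (CONFIG_WITH_KEY, KEY_ENV_A), "ws2": (CONFIG_WITH_KEY, KEY_ENV_A), "ws3": (CONFIG_WITH_KEY, None)},
    "env-b": {"ws1": (CONFIG_WITH_KEY, KEY_ENV_A), "ws2": (CONFIG_WITHOUT_KEY, KEY_ENV_B)},
}
```

Running `check_environments(SAMPLE_ENVS)` reports the missing copy on env-a/ws3, the unset key file on env-b/ws2, and that env-b reuses env-a's key.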