Cisco Support Community
How to change the nonce-lifetime on the Edge Proxy (EP) in Service Agent (SA) 2.0

Core Issue

In security engineering, a nonce is a number used once: typically a random value issued by the server during an authentication exchange so that credentials captured from an old exchange cannot be reused in a replay attack. On the EP the nonce-lifetime is a single global setting; it is not configured per device.

By default the EP nonce-lifetime is 60 minutes. A nonce issued by the EP is accepted for that period; the first message that arrives after the 60-minute window has elapsed is answered by the EP with a 407 (Proxy Authentication Required) challenge, and the client must authenticate again.
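The behaviour described above, as an added illustration. This is not Cisco's EP code: the nonce layout (issue timestamp plus an HMAC), the nonce-count (nc) replay check and the 407/200 decision are assumptions modelled on HTTP/SIP Digest authentication, and the secret, clock and request timeline are constructed for the demo. The simulation walks a client through a valid exchange, a replayed nonce-count, the first message after the 60-minute window (407, stale nonce) and the retry with the fresh nonce; calling it with a longer lifetime shows the effect of the change this page describes.

```python
import hashlib
import hmac
import os
import time

# Added illustration of the behaviour the page describes (not Cisco's EP code).
# The nonce format, the HMAC over the timestamp and the nc (nonce-count) replay
# check are assumptions modelled on HTTP/SIP Digest authentication.

NONCE_LIFETIME_SECONDS = 60 * 60  # the EP default of 60 minutes; global, not per device


class NonceAuthority:
    """Issues nonces and validates them against one global lifetime."""

    def __init__(self, lifetime=NONCE_LIFETIME_SECONDS, secret=None, clock=time.time):
        self.lifetime = lifetime
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock            # injectable so the timeline can be simulated
        self.last_nc = {}             # nonce -> highest nonce-count accepted so far

    def _mac(self, ts_str):
        return hmac.new(self.secret, ts_str.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self):
        """Fresh nonce: issue timestamp plus a MAC so a client cannot forge one."""
        ts_str = str(int(self.clock()))
        return f"{ts_str}:{self._mac(ts_str)}"

    def check(self, nonce, nc):
        """Return 'ok', 'bad' (forged or malformed), 'stale' (lifetime exceeded)
        or 'replay' (nonce-count not higher than the last one accepted)."""
        if not isinstance(nc, int):
            return "bad"
        try:
            ts_str, mac = nonce.split(":", 1)
            issued_at = int(ts_str)
        except (ValueError, AttributeError):
            return "bad"
        if not hmac.compare_digest(mac, self._mac(ts_str)):
            return "bad"
        if self.clock() - issued_at > self.lifetime:
            return "stale"
        if nc <= self.last_nc.get(nonce, 0):
            return "replay"
        self.last_nc[nonce] = nc
        return "ok"


def handle_request(authority, nonce, nc):
    """Proxy decision for one request: (200, 'accepted') or (407, reason).
    A 407 is the challenge that carries a fresh nonce back to the client."""
    if nonce is None:
        return 407, "no credentials"
    verdict = authority.check(nonce, nc)
    return (200, "accepted") if verdict == "ok" else (407, verdict)


class FakeClock:
    """Constructed clock so the 60-minute window can be crossed instantly."""

    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(lifetime=NONCE_LIFETIME_SECONDS):
    """Replay the timeline from the text; returns the list of (status, reason)."""
    clock = FakeClock()
    auth = NonceAuthority(lifetime=lifetime, secret=b"constructed-demo-secret", clock=clock)
    log = []
    log.append(handle_request(auth, None, None))   # 1. no credentials -> 407 challenge
    nonce = auth.issue()                            #    (the challenge carries this nonce)
    log.append(handle_request(auth, nonce, 1))      # 2. nc=1 -> 200
    log.append(handle_request(auth, nonce, 2))      # 3. nc=2 -> 200
    log.append(handle_request(auth, nonce, 2))      # 4. nc=2 again -> 407, replay
    clock.advance(61 * 60)                          # 5. cross the 60-minute window
    log.append(handle_request(auth, nonce, 3))      # 6. first message after it -> 407, stale
    nonce = auth.issue()                            #    the re-challenge issues a new nonce
    log.append(handle_request(auth, nonce, 1))      # 7. client retries with it -> 200
    return log


if __name__ == "__main__":
    for status, reason in simulate():
        print(status, reason)
```

With the default lifetime the sixth request is refused as stale; `simulate(lifetime=120 * 60)` accepts it, which is exactly what raising nonce-lifetime on the EP buys. The trade-off to keep in mind is that a longer lifetime also widens the window in which a captured nonce remains usable, so raise it only as far as the deployment needs.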

Resolution

The nonce-lifetime can only be changed by editing the script; it is not exposed in the CLI.

Complete these steps to change the nonce-lifetime to a longer period of time:

  1. Log in as dsuser to the machine where the EP is installed.

  2. cd to the EP INSTALL_DIR/scripts.

  3. Edit the script dsedge_auth.xcl and set the new value.

    For example:

    dsuser$vi dsedge_auth.xcl

    ce-lifetime="$nonce-lifetime">

  4. For the change to take effect, do one of the following:

  • Telnet to the EP CLI and issue a commit with a new version number. A commit always forces the server to re-read the .xcl scripts from disk.

    For example:

  dsedge>commit ["-v"]

  dsedge>commit -v nonce

  • Restart the EP.
