Adding A Second Policy Server Pointing To The Same Policy Store and Key Store
Article ID: 127169
Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
After adding a second Policy Server (PS2), pointing to the same policy store and key store as Policy Server 1 (PS1), to the HCO, we started observing the errors below in the SiteMinder Policy Server smtracedefault.log:
[02/15/2019][10:21:55.503][10:21:55][3136][6008][CServer.cpp:2132][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[02/15/2019][10:21:55.503][10:21:55][3136][6008][CServer.cpp:2078][GetSecretFunc][][][][][][][][][][][][][][][][][][][][][Error while fetching previous secret for the Agent abc][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
Cause
The encryption key is not the same on both Policy Servers. You can confirm this by comparing the content of EncryptionKey.txt on both Policy Servers to check whether the two files are identical.
Environment
Siteminder 12.8 SP1 on Windows 2012 R2
Resolution
1) Ensure that Enable Agent Key Generation is disabled on the second Policy Server (PS2).
2) Stop Policy Server 2 (PS2), then back up EncryptionKey.txt in the <Policy_server_install_path>/bin folder on PS2 by renaming it to EncryptionKey.txt_backup.
3) Copy EncryptionKey.txt from the <Policy_server_install_path>/bin folder on Policy Server 1 (PS1) to the same folder on Policy Server 2 (PS2).
4) Restart the Policy Server.
5) Re-enter the passwords for the DSNs of all configured stores via smconsole and test all connections to confirm that they succeed.
6) Confirm that there are no more errors in smps.log.
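The check described under Cause (comparing EncryptionKey.txt on both servers) and steps 2 through 4 and 6 of the Resolution can be scripted from an administrative workstation. The following PowerShell script is an added example written for this article; it is not part of the article or of the SiteMinder product. It assumes Windows PowerShell 5.1 (as shipped on Windows 2012 R2), that both Policy Servers are reachable over their administrative shares (C$) with an account that can stop and start services remotely, that the install path is identical on both servers, and it uses placeholder host names, an assumed install path, an assumed service name, and an assumed smps.log location that you must replace with your own values. Step 1 (disabling Enable Agent Key Generation) and step 5 (re-entering DSN passwords in smconsole) are interactive and are left to the administrator.

```powershell
# Added example, not from the KB article. All host names, paths and the
# service name below are placeholders/assumptions; replace them with yours.
param(
    [string]$Ps1Host     = "ps1.example.local",                 # placeholder
    [string]$Ps2Host     = "ps2.example.local",                 # placeholder
    [string]$InstallPath = "C:\Program Files\CA\siteminder",    # assumed <Policy_server_install_path>
    [string]$ServiceName = "SmPolicySrv"                        # assumed; confirm with Get-Service on PS2
)

# Turn "C:\..." into the admin-share form "C$\..." so the path can be used as \\host\C$\...
$sharePath = $InstallPath -replace '^([A-Za-z]):', '$1$$'
$ps1Key    = "\\$Ps1Host\$sharePath\bin\EncryptionKey.txt"
$ps2Key    = "\\$Ps2Host\$sharePath\bin\EncryptionKey.txt"
$ps2Log    = "\\$Ps2Host\$sharePath\log\smps.log"              # assumed log location

function Get-KeyHash([string]$Path) {
    # Compare by SHA-256 rather than reading the key material into the console.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# Cause check: are the two EncryptionKey.txt files identical?
$h1 = Get-KeyHash $ps1Key
$h2 = Get-KeyHash $ps2Key
if ($h1 -eq $h2) {
    Write-Host "EncryptionKey.txt already matches on PS1 and PS2; nothing to copy."
    return
}
Write-Host "EncryptionKey.txt differs: PS1=$h1 PS2=$h2"

# Step 2: stop the Policy Server service on PS2 (Get-Service -ComputerName exists in Windows PowerShell 5.1).
$svc = Get-Service -ComputerName $Ps2Host -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    $svc.Stop()
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))
}

# Step 2 (continued): back up the PS2 key by renaming it, as the article instructs.
$backupName = "EncryptionKey.txt_backup"
if (Test-Path (Join-Path (Split-Path $ps2Key) $backupName)) {
    # Keep earlier backups instead of overwriting them.
    $backupName = "EncryptionKey.txt_backup_$(Get-Date -Format yyyyMMddHHmmss)"
}
Rename-Item -Path $ps2Key -NewName $backupName

# Step 3: copy the PS1 key into the PS2 bin folder and verify the copy byte-for-byte.
Copy-Item -Path $ps1Key -Destination $ps2Key
if ((Get-KeyHash $ps2Key) -ne $h1) {
    throw "Copied EncryptionKey.txt on PS2 does not match PS1; do not start the service."
}

# Step 4: restart the Policy Server on PS2.
$svc.Start()
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
Write-Host "PS2 restarted with the PS1 encryption key. Now re-enter the DSN passwords in smconsole (step 5)."

# Step 6: look for fresh ERROR entries in smps.log after the restart.
$errors = Get-Content -Path $ps2Log -Tail 200 | Select-String -Pattern '\[ERROR\]|ERROR:'
if ($errors) {
    Write-Warning "Errors still present in smps.log:"
    $errors | ForEach-Object { Write-Warning $_.Line }
} else {
    Write-Host "No ERROR entries in the last 200 lines of smps.log."
}
```

The script refuses to start the service if the hash of the copied file does not match PS1, so a partial or failed copy is caught before PS2 comes back up with a mismatched key. Run it once to confirm the mismatch (it exits early when the keys already match) and again after the DSN passwords have been re-entered to re-check smps.log.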
Note:
This solution is only valid for Policy Servers on Windows platforms. For Policy Servers on Linux platforms, follow the instructions in the documentation to reset the encryption key:
Reset the r12.x Policy Store Encryption Key https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/manage-encryption-keys/reset-the-r12-x-policy-store-encryption-key.html