We're upgrading the Siteminder environment from 12.7SP2 to 12.8SP3 and
we'd like to know:
1. If running a separate Key Store, do the following steps from the
documentation apply?
08 - From the Database list, select Key Store.
09 - From the Storage list, select LDAP.
10 - Select Use Policy Store database.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/upgrading/in-place-upgrade/upgrade-policy-store.html
2. Will the upgrade enroll new keys if we're running Static Keys?
3. Do we have to unflag the Agent Key Generation?
Policy Server 12.8SP3 on RedHat 7.
1. Yes, you have to follow the documentation steps mentioned above;
they are needed to upgrade the Policy Store. Once the Policy Store is
upgraded, you then configure the separate Key Store in smconsole. This
must be done before reaching the following section:
Restart all Policy Servers
2. If you use static keys, they are defined in the Policy Store data,
so the keys shouldn't be rolled.
https://support.broadcom.com/enterprise-software
3. If you unflag "Enable Agent Key Generation" in smconsole, you won't
be able to change the static key in the AdminUI. If you think you might
need to change the static key, then you'll need at least 1 Policy
Server with "Enable Agent Key Generation" checked in smconsole.
Notes:
Key Management Considerations
When deciding on the key management scenario for your enterprise,
consider the following:
When configuring dynamic keys in an environment with multiple Policy
Servers that share a common key store, a single Policy Server must
be nominated to perform Agent Key generation. You should disable key
generation on all other Policy Servers.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/administrating/manage-encryption-keys/key-management-scenarios.html
If you use shared secret rollover, you'll also need "Enable Agent Key
Generation" checked in smconsole on 1 Policy Server; see:
What is the meaning of the "sharedsecrettime" parameter in the SmHost.conf file?
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=10974