Password Data blob when migrating User Directory data to a new store

Article Id: 16191

Status: Published

Updated On: 09-04-2020 13:34

Products:

CA Single Sign On Secure Proxy Server (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On

Issue/Introduction:

We are planning to migrate users from our current User Directory to a
new one, and we are currently using this User Directory for Password
Services. As part of the migration, the user password attributes
(including disabled flag, password blob) will be migrated to the new
store. Then, we will change the User Directory on the AdminUI settings
to use the new one.

When we do this, could the password data attribute be lost? Could this
cause any impact on losing the encrypted data from the password
attributes?

Environment:

Policy Server R12.52SP1
LDAP User Directory

Resolution:

As there are not going to be any other changes rather than the User
Directory itself, and the user structure and content will be
maintained, there will not be any problem, as the password blob is
still stored (and moved) so the Policy Server it is the same one using
the same session key to decrypt the password blob. So as long as the
password data attribute containing the blob is maintained in the new
User Directory, the Policy Server will be able to decrypt it when
needed again.

Additional Information:

Configure a LDAP User Store connection - Password Data

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/policy-server-configuration/user-directories/configure-an-active-directory-user-store-connection.html

Password policy data consideration when Upgrading Siteminder

https://knowledge.broadcom.com/external/article?articleId=38200