CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER
Issue/Introduction
We're running the command smkeyexport, and the command fails, reporting the following error:
Unable to decrypt persistent key with policy store / key store key
Unable to decrypt agent key with policy store / key store key
Unable to decrypt agent key with policy store / key store key
Unable to decrypt agent key with policy store / key store key
Unable to decrypt agent key with policy store / key store key
We're doing a parallel upgrade. Both environments share the same encryption key.
We performed the activities below as part of the parallel upgrade to SiteMinder 12.8.03:
1. We created a Key Store DSA CA Directory instance in the new environment.
2. We copied the keystore.db file from the current environment CA Directory Key Store to the new environment directory server.
3. We renamed the keystore.db file as per the instance created in the new environment.
We never copied any Keys from the Policy Servers. We only copied the complete key store from the existing directory server to the new directory server.
How can we fix that?
Environment
Policy Server 12.8SP3 on RedHat 7; Policy Store on CA Directory 14;
Cause
In the new environment, the KeyStoreEncryptionKey attribute in the sm.registry file is empty, whereas in the working environment it has a value.
Resolution
Manually copy the value of the sm.registry KeyStoreEncryptionKey attribute from the working Policy Server to the new one, then restart the Policy Server to solve the issue.
To modify the KeyStoreEncryptionKey value in the registry without using smconsole, you can also use the XPSConfig command: SM Option 67-KeyStoreEncryptionKey
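The check described above (is KeyStoreEncryptionKey empty on the new Policy Server, and does it match the working one) can be scripted. This is an added example, not CA/Broadcom code. It assumes each sm.registry entry is a single line of the form Name=<TAB>value;<TAB>REG_SZ; the function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/usr/bin/env bash
# ASSUMPTION (not stated on the page): one sm.registry entry per line,
#   Name=<TAB>value;<TAB>REG_SZ

# Print the value stored for attribute NAME in FILE (nothing if absent).
reg_value() {  # usage: reg_value FILE NAME
    awk -v name="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, name "=") == 1 {
            v = substr(line, length(name) + 2)
            sub(/;[ \t]*REG_[A-Z_]+[ \t\r]*$/, "", v)   # drop type suffix
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)            # trim whitespace
            print v; exit
        }' "$1"
}

# Print "empty" or a SHA-256 fingerprint of the value, so two hosts can be
# compared without the key value itself appearing in a terminal or ticket.
key_fingerprint() {  # usage: key_fingerprint FILE
    local v; v=$(reg_value "$1" KeyStoreEncryptionKey)
    if [ -z "$v" ]; then echo empty; return; fi
    printf '%s' "$v" | sha256sum | awk '{print $1}'
}

# Compare the working server's registry file with the new server's copy.
compare_keystore_key() {  # usage: compare_keystore_key WORKING NEW
    local ref new
    ref=$(key_fingerprint "$1"); new=$(key_fingerprint "$2")
    if [ "$new" = empty ]; then echo "NEW_EMPTY"; return 1; fi
    if [ "$ref" = empty ]; then echo "REFERENCE_EMPTY"; return 2; fi
    if [ "$ref" = "$new" ]; then echo "MATCH"; return 0; fi
    echo "MISMATCH"; return 3
}

# Constructed sample files (placeholder values, not real keys).
make_samples() {  # usage: make_samples DIR
    printf 'EncryptionKey=\t%s;\tREG_SZ\nKeyStoreEncryptionKey=\t%s;\tREG_SZ\n' \
        'SAMPLE-A' 'SAMPLE-KEYSTORE-VALUE' > "$1/working.registry"
    printf 'EncryptionKey=\t%s;\tREG_SZ\nKeyStoreEncryptionKey=\t;\tREG_SZ\n' \
        'SAMPLE-A' > "$1/new.registry"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "result: $(compare_keystore_key "$demo_dir/working.registry" "$demo_dir/new.registry" || true)"
rm -rf "$demo_dir"
```

NEW_EMPTY corresponds to the condition described under Cause. When the two files live on different hosts, run key_fingerprint on each and compare the two outputs.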