When running the command smkeyexport, the command fails and reports the following error:

  # ./smkeyexport -omykeysexport.txt -d<username> -w<password> -c

  Unable to decrypt persistent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key

This is parallel upgrade. Both environments share the same Encryption Key.

The parallel upgrade to SiteMinder 12.8.03 consisted in:

1. Create a Key Store DSA CA Directory instance in the new environment;
2. Copy the keystore.db file from the current environment CA Directory Key Store to the new environment Directory Server;
3. Rename the keystore.db file as per the instance created in new environment.

Keys from the Policy Servers has never been copied. The only copy is the complete Key Store from the existing Directory Server to new Directory Server.

Policy Server 12.8SP3 on RedHat 7;
Policy Store on CA Directory 14;

The KeyStoreEncryptionKey attribute in the SM. Registry file is empty in the new environment, whereas it has some value in the working fine environment.

Working Environment :

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=<value>
  KeyStoreEncryptionKey=  {RC2}<value>;  REG_SZ

Failing Environment :

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=<value>
  KeyStoreEncryptionKey=                       ;  REG_SZ

Copy manually the same value of sm.registry KeyStoreEncryptionKey Key from working fine Policy Server to new one and restart the Policy Server to solve the issue.

To modify the KeyStoreEncryptionKey value from the registry without the use of smconsole, use the command XPSConfig:
 
 SM
 Option 71-KeyStoreEncryptionKey