smkeyexport command is returning no output in Policy Server

Article ID: 187873

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction


When running the smkeyexport command, it fails and reports the following errors:

  # ./smkeyexport -omykeysexport.txt -d<username> -w<password> -c

  Unable to decrypt persistent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key

This is a parallel upgrade. Both environments share the same Encryption Key.

The parallel upgrade to SiteMinder 12.8.03 consisted of:

  1. Creating a Key Store DSA CA Directory instance in the new environment;
  2. Copying the keystore.db file from the current environment's CA Directory Key Store to the new environment's Directory Server;
  3. Renaming the keystore.db file to match the instance created in the new environment.

Keys from the Policy Servers have never been copied. The only copy made was of the complete Key Store, from the existing Directory Server to the new Directory Server.


Environment


Policy Server 12.8SP3 on RedHat 7;
Policy Store on CA Directory 14;


Cause


The KeyStoreEncryptionKey attribute in the sm.registry file is empty in the new environment, whereas it has a value in the working environment.

Working Environment:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=<value>
  KeyStoreEncryptionKey=  {RC2}<value>;  REG_SZ

Failing Environment:

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=<value>
  KeyStoreEncryptionKey=                       ;  REG_SZ
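The check below is an added example, not part of this article or of the SiteMinder product code. It parses the sm.registry layout shown above (a non-indented key-path line followed by indented `Name=  value;  TYPE` lines), reports whether KeyStoreEncryptionKey is present, empty or missing, and compares a working and a new Policy Server by a SHA-256 fingerprint so the key material itself is never printed. The two registry fragments and the `{RC2}AbCdEf0123456789` value are constructed placeholders, and the `<PS_HOME>/registry/sm.registry` path in the usage block is an assumption about the install layout.

```python
import hashlib
import re
import sys

# Constructed sample fragments in the sm.registry layout shown in the article.
# The {RC2}... value is a made-up placeholder, not a real key.
WORKING_REGISTRY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=25
  KeyStoreEncryptionKey=  {RC2}AbCdEf0123456789;  REG_SZ
  SomeOtherSetting=  1;  REG_DWORD
"""

FAILING_REGISTRY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=25
  KeyStoreEncryptionKey=                       ;  REG_SZ
"""

OBJECTSTORE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore"
ATTRIBUTE = "KeyStoreEncryptionKey"

# Indented value line:  Name=  value;  TYPE   (value may be blank, as in the failing case)
_VALUE_LINE = re.compile(r"^\s+(?P<name>[^=]+?)=\s*(?P<value>.*?)\s*;\s*(?P<type>\S+)\s*$")


def read_registry_value(text, key_path, name):
    """Return the value of `name` under `key_path`: '' if present but empty, None if absent."""
    in_key = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A non-indented line opens a new key path; the '=...' suffix is the key's own value.
            in_key = line.split("=", 1)[0] == key_path
            continue
        if in_key:
            m = _VALUE_LINE.match(line)
            if m and m.group("name") == name:
                return m.group("value")
    return None


def fingerprint(value):
    """Short SHA-256 fingerprint so two environments can be compared without exposing the key."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def check_keystore_key(text):
    """Classify a Policy Server's sm.registry as ('ok', fingerprint), ('empty', None) or ('missing', None)."""
    value = read_registry_value(text, OBJECTSTORE_KEY, ATTRIBUTE)
    if value is None:
        return "missing", None
    if value == "":
        return "empty", None
    return "ok", fingerprint(value)


def compare_environments(working_text, new_text):
    """Report whether the new Policy Server carries the same KeyStoreEncryptionKey as the working one."""
    w_status, w_fp = check_keystore_key(working_text)
    n_status, n_fp = check_keystore_key(new_text)
    if w_status != "ok":
        return "reference-" + w_status   # the reference itself is unusable
    if n_status != "ok":
        return "new-" + n_status         # e.g. "new-empty": the condition described in this article
    return "match" if w_fp == n_fp else "mismatch"


if __name__ == "__main__":
    # Usage (path is an assumption about the install layout):
    #   python3 check_kske.py <working PS_HOME>/registry/sm.registry <new PS_HOME>/registry/sm.registry
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as w, open(sys.argv[2]) as n:
            print(compare_environments(w.read(), n.read()))
    else:
        print("constructed sample:", compare_environments(WORKING_REGISTRY, FAILING_REGISTRY))
```

Run without arguments it evaluates the constructed fragments and reports `new-empty`, which is exactly the state in the Cause section; `mismatch` would point at two Policy Servers that are not actually sharing one Encryption Key, and `match` is the expected result after the Resolution below has been applied.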


Resolution


To solve the issue, manually copy the KeyStoreEncryptionKey value from the sm.registry of the working Policy Server into the sm.registry of the new one, then restart the new Policy Server.

To modify the KeyStoreEncryptionKey value in the registry without using smconsole, use the XPSConfig command and navigate to:

  SM
  Option 71 - KeyStoreEncryptionKey