smkeyexport command is returning no output


Article ID: 187873


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running the command smkeyexport, and the command fails, reporting the
following error:

  $ ./smkeyexport -omykeysexport.txt -dsiteminder -wXXXXXX -c

  Unable to decrypt persistent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key
  Unable to decrypt agent key with policy store / key store key

  We're doing a parallel upgrade. Both environments share the same
  encryption key.

  We performed the below activities as part of the parallel upgrade to
  SiteMinder 12.8.03

  1. We created a Key Store DSA CA Directory instance in the new
     environment.

  2. We copied the keystore.db file from the current environment CA
     Directory Key Store to the new environment directory server.

  3. We renamed the keystore.db file as per the instance created in
     new environment.

  We never copied any Keys from the Policy Servers. We only copied
  the complete key store from the existing directory server to new
  directory server.

How can we fix that?

Environment


Policy Server 12.8SP3 on RedHat 7;

Policy Store on CA Directory 14;

Cause


In the new environment, the KeyStoreEncryptionKey attribute in the
sm.registry file is empty, whereas in the working environment it has a
value.

Working Environment :

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=142642540
  KeyStoreEncryptionKey=  {RC2}rskkkIIjdJAJSjsjajJjJIiolwLLoqQQ;  REG_SZ

Failing Environment :

  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=142642540
  KeyStoreEncryptionKey=                       ;  REG_SZ

Resolution


Manually copy the KeyStoreEncryptionKey value from the sm.registry file
of the working Policy Server to the new one, then restart the Policy
Server to solve the issue.

To modify the KeyStoreEncryptionKey value in the registry without
using smconsole, you can also use the XPSConfig command:

  SM
  Option 67-KeyStoreEncryptionKey
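
A check for the condition described under Cause, as an added example (not part of the original article or of the product's tooling): it reads KeyStoreEncryptionKey from two sm.registry files and reports whether the new one is empty or differs, without printing the value. The function names, the sample file names and the placeholder key value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect KeyStoreEncryptionKey in sm.registry without echoing it.

# Print the value stored under the ...\ObjectStore key; exit 1 if the attribute is absent.
ks_key_value() {
    awk '
        /^[ \t]*HKEY_LOCAL_MACHINE/ { in_os = ($0 ~ /\\ObjectStore=/); next }
        in_os && /^[ \t]*KeyStoreEncryptionKey=/ {
            sub(/^[ \t]*KeyStoreEncryptionKey=[ \t]*/, "")   # drop name and padding
            sub(/[ \t]*;[ \t]*REG_SZ[ \t\r]*$/, "")          # drop the type suffix
            print; found = 1; exit
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# Classify one file: missing (or unreadable) | empty | set
ks_key_state() {
    val=$(ks_key_value "$1") || { echo missing; return 0; }
    if [ -z "$val" ]; then echo empty; else echo set; fi
}

# Compare the working (reference) file with the new (target) file.
ks_key_compare() {
    ref=$(ks_key_value "$1") || ref=""
    tgt=$(ks_key_value "$2") || tgt=""
    if [ -z "$ref" ]; then echo reference-empty
    elif [ -z "$tgt" ]; then echo target-empty
    elif [ "$ref" = "$tgt" ]; then echo match
    else echo mismatch; fi
}

# Constructed sample files; the key value is a placeholder, not a real key.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/working.registry" <<'EOF'
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=142642540
KeyStoreEncryptionKey=  {RC2}CONSTRUCTEDPLACEHOLDERVALUE;  REG_SZ
EOF
cat > "$SAMPLES/new.registry" <<'EOF'
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore=142642540
KeyStoreEncryptionKey=                       ;  REG_SZ
EOF

echo "working: $(ks_key_state "$SAMPLES/working.registry")"
echo "new:     $(ks_key_state "$SAMPLES/new.registry")"
echo "compare: $(ks_key_compare "$SAMPLES/working.registry" "$SAMPLES/new.registry")"
```

Running the comparison again after the value has been copied and the Policy Server restarted should report `match`.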