Synchronize password history across 2 different SiteMinder platforms

Article ID: 245373


Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When a user changes their password, the Policy Server writes the password history (the last passwords used) into the user's Password Data attribute. When the same user then accesses a completely separate SiteMinder environment that uses the same User Directory, that environment cannot retrieve the historic password list from the Password Data attribute.

 

Resolution

 

To share the same Password Data blob, all Policy Servers in environments A and B must use the same Encryption Key (1)(2)(3)(4)(5). This has two consequences:

  1. The key in EncryptionKey.txt must be identical on all Policy Servers, which implies a Key Store shared between both environments. All keys are affected by a change to EncryptionKey.txt.
  2. Changing the key may invalidate the current user browser sessions.

Changing EncryptionKey.txt also means that data already encrypted in the Policy Store is no longer readable; the procedure is the same as resetting the Encryption Key (2)(6)(7).
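The following stdlib-only Python script is an added illustration of the key-mismatch failure mode described above; it is not SiteMinder code and does not model the Policy Server's real Password Data format. Environment A seals a password history under its key, and environment B can only read it (and therefore enforce password history) when it holds the same key. The key strings, the history values and the HMAC-based toy cipher are all constructed for this example.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(encryption_key_txt: str) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the text of a
    (constructed, sample) EncryptionKey.txt value."""
    master = hashlib.sha256(encryption_key_txt.encode()).digest()
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for this model only."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_password_data(encryption_key_txt: str, history: list[str]) -> bytes:
    """Writer side: store the password history as nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(encryption_key_txt)
    plaintext = json.dumps(history).encode()
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_password_data(encryption_key_txt: str, blob: bytes):
    """Reader side: return the history list, or None when the blob was not
    produced under this key (the 'cannot be retrieved' symptom)."""
    enc_key, mac_key = derive_keys(encryption_key_txt)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    pt = bytes(c ^ k for c, k in zip(ct, stream))
    return json.loads(pt)


def history_reuse_check(encryption_key_txt: str, blob: bytes, new_pw_hash: str):
    """What a password policy needs: True/False when the history is readable,
    None when it is unreadable and history cannot be enforced at all."""
    history = open_password_data(encryption_key_txt, blob)
    if history is None:
        return None
    return new_pw_hash in history


def demo() -> dict:
    """Environment A writes the blob; environment B reads it either with the
    shared key or with its own, different key. All values are constructed."""
    key_env_a = "SAMPLE-ENCRYPTION-KEY-ENV-A"
    key_env_b_shared = key_env_a
    key_env_b_own = "SAMPLE-ENCRYPTION-KEY-ENV-B"
    history = ["h(old-pw-1)", "h(old-pw-2)", "h(old-pw-3)"]
    blob = seal_password_data(key_env_a, history)
    return {
        "shared_key_reads": open_password_data(key_env_b_shared, blob),
        "shared_key_reuse": history_reuse_check(key_env_b_shared, blob, "h(old-pw-2)"),
        "own_key_reads": open_password_data(key_env_b_own, blob),
        "own_key_reuse": history_reuse_check(key_env_b_own, blob, "h(old-pw-2)"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The authenticated construction matters for the model: with a different key the reader does not get garbage history it might wrongly trust, it gets an explicit failure, which is the behaviour a password policy should surface rather than silently skip the history check.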

The SDK package provides the DMS API, which allows you to read a user's password state and modify it (8).

The SDK's DmsApiSample includes methods that handle this password data:

sdk/samples/javadmsapi/DmsApiSample.java:

    // Excerpts from the sample. The 'user' (the SmDmsUser obtained from dmsDir)
    // and 'result' (the result of the last API call) fields are declared
    // elsewhere in DmsApiSample.java.
    public void
    getCalls(SmDmsDirectory dmsDir)
    {
            // Get Password State
            Log(CRLF + bundle.getString("DMSAPI_GET_PWDSTATE"));
            SmDmsUserPWState pwstate = new SmDmsUserPWState();
            result = user.getUserPWState(pwstate);
            printObject(user, result, false);
    }

    public void
    modifyCalls(SmDmsDirectory dmsDir)
    {
            // Set Password State: read the current state first, then change it
            Log(CRLF + bundle.getString("DMSAPI_SET_PWDSTATE"));
            SmDmsUserPWState pwstate = new SmDmsUserPWState();
            result = user.getUserPWState(pwstate);

            // The Policy Server stores password state times in seconds,
            // so the milliseconds are dropped.
            long currentTime = System.currentTimeMillis() / 1000 * 1000;
            pwstate.setLoginFailures(10);
            pwstate.setLastLoginTime(currentTime);
            pwstate.setPrevLoginTime(currentTime);
            pwstate.setDisabledTime(currentTime);
            result = user.setUserPWState(pwstate, true);
            printObject(user, result, false);
    }

Additional Information

 

(1) Password Data with value to 0 cannot be updated by Policy Server
(2) Password policy data consideration when Upgrading Siteminder
(3) Password Data blob when migrating User Directory data to a new store
(4) Problem to read the password data using SDK DMS API DmsApiSample.java
(5) Policy Server 12.0 to 12.8 migration - Password Data blob issue
(6) Reset the r12.x Policy Store Encryption Key
(7) Manage Encryption Keys
(8) Problem to read the password data using SDK DMS API DmsApiSample.java
    Using sdk\samples\javadmsapi\DmsApiSample.java to get a user's password state (SmDmsUserPWState).