How to encrypt the Certificate DB Password in the Sm.registry file without using the Policy Server Management Console (SMConsole) on Linux

Article ID: 258405

Products

SITEMINDER

Issue/Introduction

The Policy Server Management Console (SMConsole) is a GUI application that runs natively on Windows Server or, on Linux, is accessed through X11 forwarding. By default, the cert8.db (Siteminder 12.8.05 and earlier) or cert9.db (Siteminder 12.8.06 and later) password is encrypted with the Policy Store encryption key by the SMConsole and written to the Windows registry or, on Linux, to the <Siteminder_Install_Dir>/CA/siteminder/registry/sm.registry file.

In Linux environments where X11 forwarding is not permitted, for security or other reasons, any attempt to set the certificate database password by editing sm.registry manually, without the SMConsole, stores the password in plain text.

Resolution

To encrypt the certificate database password manually without SMConsole, please follow the steps below.

  1. Log on to the Policy Server and back up the following file:

      <Siteminder_Install_Dir>/CA/siteminder/registry/sm.registry

     For example:

      cp -R <Siteminder_Install_Dir>/CA/siteminder/registry/sm.registry <Siteminder_Install_Dir>/CA/siteminder/registry/sm.registry.BAK

  2. Run the following command:

      smldapsetup reg -g<Password>

This updates the CertDbPW value under the following registry key (stored in sm.registry on Linux) with the new, encrypted value.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore
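As an added example, not part of this article or of the Siteminder product, the procedure above wrapped in a POSIX shell script that backs up sm.registry, runs smldapsetup, and then checks that the CertDbPW entry no longer contains the plaintext password. It assumes the install root is given in SM_INSTALL, that smldapsetup is on PATH, and that the value sits on a line containing the string CertDbPW; the sample registry lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the article's own code). SM_INSTALL is assumed to be
# <Siteminder_Install_Dir>; the default below is a placeholder, adjust it.
SM_INSTALL="${SM_INSTALL:-/opt/CA}"
REGISTRY="$SM_INSTALL/CA/siteminder/registry/sm.registry"

# Step 1: timestamped copy of sm.registry before anything is changed.
backup_registry() {
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).BAK"
}

# Step 2: let smldapsetup write the encrypted CertDbPW value (the article's command).
encrypt_certdb_pw() {
    smldapsetup reg -g"$1"
}

# Post-check: 0 if a CertDbPW line exists and none of them contains the
# plaintext password; 1 if the key is absent or still holds it in clear.
# Constructed sample lines this distinguishes:
#     CertDbPW= secret123          -> 1 (plain text, a manual edit)
#     CertDbPW= {RC2}0a1b2c3d...   -> 0 (opaque encrypted value)
certdb_pw_is_encrypted() {
    file="$1"; plain="$2"
    grep -qi 'CertDbPW' "$file" || return 1
    grep -i 'CertDbPW' "$file" | grep -qF -- "$plain" && return 1
    return 0
}

# Run end to end only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    printf 'Certificate DB password: '
    stty -echo 2>/dev/null; read -r PW; stty echo 2>/dev/null; printf '\n'
    backup_registry "$REGISTRY"
    encrypt_certdb_pw "$PW"
    if certdb_pw_is_encrypted "$REGISTRY" "$PW"; then
        echo "CertDbPW is no longer stored in plain text"
    else
        echo "WARNING: CertDbPW is missing or still contains the plaintext password" >&2
        exit 1
    fi
fi
```

Reading the password with echo disabled, rather than typing it into the smldapsetup command line directly, keeps it out of shell history.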