Upon upgrade, SSO is not achieved between the old and new infrastructure

Article ID: 281616

Products

SITEMINDER

Issue/Introduction

SiteMinder parallel upgrade with old and new infrastructure using the same key store Agent keys / session ticket key static values, but SSO is still not achieved between the two environments.

Environment

Any 

Cause

If the same Policy Server encryption key, the same static Agent keys and the same session ticket key are used and there is still no SSO, the cause can be duplicate Agent keys in one of the infrastructures.

Resolution

In this scenario, the issue was indeed caused by 8 Agent keys in the old SiteMinder infrastructure's key store instead of the expected 4.

To resolve the issue, the Agent keys must be completely deleted from the key store and recreated using the steps below.

** for LDAP Policy Store :

1) Back up your Policy Store and Key Store (using XPSExport and smkeyexport).

2) If the store is an LDAP server, use JXplorer or any other LDAP tool to connect to the Policy Store / Key Store. The Agent keys are located under the following OUs, for example:

smAgentKeyOID4=1b-0026e987-0d43-432b-87b3-c3eb923e4905,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

* Agent key entries start with --> 1b-.....

* The session ticket key entry starts with --> 1a-.....

The session ticket key is in the same location, for example:

smKeyManagementOID4=1a-fa347804-9d33-11d3-8025-006008aaae5b,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

You can delete the DN directly from the LDAP tool or use ldapdelete.

NOTE --> Do not delete the session ticket key unless it is duplicated. If it is deleted by mistake, restarting the Policy Server will recreate the key with a random value.

3) Once you have deleted the Agent keys that start with 1b-..., restart the Policy Server, which will recreate the 4 keys with random values.

4) Verify that the keys were created after the restart, then log in to the Admin UI and roll the keys to the static value you use.

5) Once done, run smkeyexport on both SiteMinder infrastructures and make sure the values match.

NOTE --> You may need to restart your Agents so they pick up the keys again from the Policy Server and use the proper values. SSO should now work between the old and new SiteMinder infrastructures.
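The LDAP inspection in step 2 and the deletion in step 3 can be scripted. The following is an added example (not from the article or from the SiteMinder product): it parses LDIF as produced by ldapsearch, counts the Agent-key entries (1b- prefix), flags a key store that holds more than the expected 4, and prints the ldapdelete commands for review while leaving the session ticket key (1a- prefix) alone. The LDAP URL, bind DN and the sample LDIF are constructed placeholders; the key store base DN is the one shown in the article.

```shell
#!/bin/sh
# Added example, not part of the original article: find duplicate Agent keys in
# a SiteMinder LDAP key store and plan their removal before step 3 above.
# Assumptions (not the article's): OpenLDAP ldapsearch/ldapdelete are on PATH and
# the key store lives under the DN the article shows. LDAP_URL and BIND_DN are
# placeholders for your own policy store.

KEYSTORE_BASE="ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us"
LDAP_URL="${LDAP_URL:-ldap://policystore.example.com:389}"   # placeholder
BIND_DN="${BIND_DN:-cn=Directory Manager}"                    # placeholder
EXPECTED_AGENT_KEYS=4   # a healthy key store holds exactly 4 Agent keys

# Extract the DNs of Agent-key entries (OID prefix 1b-) from LDIF on stdin.
# Session ticket key entries (prefix 1a-) are deliberately left out: the article
# says not to delete the session ticket key unless it is duplicated.
agent_key_dns() {
    grep '^dn: smAgentKeyOID4=1b-' | sed 's/^dn: //'
}

# Count the Agent keys present in LDIF on stdin.
agent_key_count() {
    agent_key_dns | wc -l | tr -d ' '
}

# Succeeds (exit 0) when more than the expected number of Agent keys exist.
has_duplicate_agent_keys() {
    [ "$(agent_key_count)" -gt "$EXPECTED_AGENT_KEYS" ]
}

# Print one ldapdelete command per Agent-key DN. This is a dry run: review the
# output and run it only after the backups from step 1 have been taken.
plan_agent_key_deletion() {
    agent_key_dns | while IFS= read -r dn; do
        printf 'ldapdelete -x -H "%s" -D "%s" -W "%s"\n' "$LDAP_URL" "$BIND_DN" "$dn"
    done
}

# Constructed sample LDIF standing in for ldapsearch output: a store with 6 Agent
# keys (two too many) plus the single session ticket key that must be kept.
SAMPLE_LDIF='dn: smAgentKeyOID4=1b-0026e987-0d43-432b-87b3-c3eb923e4905,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

dn: smAgentKeyOID4=1b-00000000-0000-0000-0000-000000000002,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

dn: smAgentKeyOID4=1b-00000000-0000-0000-0000-000000000003,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

dn: smAgentKeyOID4=1b-00000000-0000-0000-0000-000000000004,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

dn: smAgentKeyOID4=1b-00000000-0000-0000-0000-000000000005,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

dn: smAgentKeyOID4=1b-00000000-0000-0000-0000-000000000006,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us

dn: smKeyManagementOID4=1a-fa347804-9d33-11d3-8025-006008aaae5b,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=example,c=us
'

# Stand-alone demo on the constructed sample: count, then the planned deletions.
printf '%s\n' "$SAMPLE_LDIF" | agent_key_count
printf '%s\n' "$SAMPLE_LDIF" | plan_agent_key_deletion

# Against a live store (commented out): list only DNs under the key store base
# ("1.1" asks for no attributes) and feed them to the planner.
# ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W -b "$KEYSTORE_BASE" '(objectClass=*)' 1.1 \
#     | plan_agent_key_deletion
```

The planner only prints commands, so the count and the list of DNs can be checked against the 4 keys the Policy Server will recreate before anything is removed; the session ticket key entry is filtered out by its smKeyManagementOID4 / 1a- prefix exactly as the note above requires.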


** for RDBMS Policy Store :

Same concept, except that the keys are stored in the smagentkey4 table. Use the DELETE SQL statement below to delete the keys, then complete the rest of the steps as indicated above.

Example command:

DELETE FROM smagentkey4 WHERE agentkeyoid = '1b-4a79595f-9a40-1000-a34a-830cefdf0cb3';