How to Encrypt a Password in the Sm.registry File Without Using SmConsole


Article ID: 372984


Products

SITEMINDER

Issue/Introduction

How to encrypt the Database Administrator password in the 'sm.registry' file without using the Policy Server Management Console (SmConsole) on Unix-based systems.

The Policy Server Management Console (SmConsole) is a GUI-based utility and needs X11 forwarding in order to run on Unix systems.

All of the configuration available in the SmConsole can also be performed by editing the 'sm.registry' file directly.

Default: <Install_Dir>/CA/siteminder/registry/sm.registry

When the SmConsole is used, the sensitive data such as the passwords for the Policy Store Admin., Key Store Admin., Session Store Admin., and Audit Store Admin. are encrypted when written to the 'sm.registry' file.  When manually editing the 'sm.registry' file with a text editor the sensitive password data is written in clear text.

This KB details how to encrypt the sensitive password data in the 'sm.registry' file when editing the file manually, for example when the SmConsole is not available.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Policy Store

VERSION: Linux

OPERATING SYSTEM: Any

Cause

The SiteMinder Policy Server Management Console (SmConsole) masks the password value in the GUI and writes the values entered there to the 'sm.registry' file on the Policy Server. In some cases, such as a Linux server on which X11 is prohibited, the Policy Server cannot be configured through the SmConsole. A SiteMinder administrator then has to configure the Policy Server by editing the settings and the data store (Policy Store, Session Store, Key Store, Audit Store) connection properties directly in the 'sm.registry' file.

When the fields in the 'sm.registry' file are populated manually, the values, including passwords, are written in clear text.

Resolution

Use the "smldapsetup" command to encrypt a password in the 'sm.registry' file.

SYNTAX: smldapsetup reg -h<Server> -p<Port> -d<AdminDN> -w<AdminPW> -r<PSRootDN> -ssl<0|1> -c<CertDbPath> -g<CertDbPW> 

EXAMPLE: smldapsetup reg -hhost.domain.com -dAdmin -wPassword -rDC=Domain,o=Root

NOTE:  There is no space between the switch (e.g. -h, -p, -d, -w, -r) and the value.

Running the 'smldapsetup reg' command updates the following keys in the 'LdapPolicyStore' registry hive in the 'sm.registry' file.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore

AdminDN=      CN=<Admin>,CN=<Container>,DC=<Domain>,o=<root>;   REG_SZ
AdminPW=      {RC2}AO7MTt+vMK+wOuJM2oPvAmhd6R2FvT9s;           REG_SZ
AppSdk=       0x0;                                               REG_DWORD
CertDbPath=   ;                                                  REG_SZ
CertDbPW=     ;                                                  REG_SZ
PSRootDN=     DC=<Domain>,DC=<TLD>;                              REG_SZ
Server=       <HostName/IP>;                                     REG_SZ
Use SSL=      0x0;                                               REG_DWORD
Version=      5.0;                                               REG_SZ

 

-h <Server> : Name or IP address of the LDAP server. An IPv6 address must be enclosed within square brackets, as in [IPv6 address].

-p <port> : LDAP port number, defaults to 389.

-d <AdminDN> : LDAP Admin DN.

-w <AdminPW> : LDAP Admin password.

-r <root> : Existing LDAP base DN to create SiteMinder branch under.

-s <suffix> : Parent suffix for the SiteMinder suffix.

-f <ldif> : File containing LDAP schema creation commands.

-t <tool> : ldapmodify command line tool, if not in default path.

-ssl<0|1> : If 1, use SSL connection, and port defaults to 636.

-c <CertDbPath> : Certificate db file for SSL connection.

-g <CertDbPW> : Certificate db password for SSL connection.

NOTE: "smldapsetup --help" launches the HELP file.

When you run the 'smldapsetup reg' command, only the keys corresponding to the switches you specify are updated in the [HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore] registry hive.

If you ONLY want to set the password as an encrypted value, run the 'smldapsetup reg' command with just the -w switch:

smldapsetup reg -w<Password>

NOTE: The password is passed on the command line, so while the command runs it is visible to other users of the host in the process list (e.g. 'ps'), and the shell may record it in its history; remove that history entry afterwards. The {RC2} value is reversible encryption, not a hash (the Policy Server must decrypt it to connect to the store), so the 'sm.registry' file itself still has to be protected with restrictive file permissions.

If you need to populate encrypted passwords for the Audit Store, Session Store, Key Store, or an ODBC Policy Store, do the following:

1) Copy the current encrypted password value from the LdapPolicyStore key and save it somewhere.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore
AdminPW=      {RC2}AO7MTt+vMK+wOuJM2oPvAmhd6R2FvT9s;   REG_SZ

2) Run 'smldapsetup reg -w<Password>' with the password of the store administrator you are configuring (e.g. Key Store Admin., Session Store Admin., Audit Store Admin., etc.).

3) Copy the new encrypted password value from the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore
AdminPW=      {RC2}J5TDnMgtvcSdg+SOhTMEV+204ZJ0XJs3;   REG_SZ

4) Paste the value into the appropriate registry key for the store being configured (include the {RC2} prefix with the encrypted password). Note that the same key name (AdminPW or Password) appears under several hives, so make sure you edit the key under the hive for the store you are configuring.

LDAP Key Store

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapKeyStore
AdminPW=                                     <Password>;  REG_SZ

LDAP Session Store

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapSessionServer
AdminPW=                                     <Password>;  REG_SZ

ODBC Policy Store

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Default
Password=                                    <Password>;  REG_SZ

ODBC Key Store

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\key
Password=                                    <Password>;  REG_SZ

ODBC Audit Store

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Log
Password=                                    <Password>;  REG_SZ

ODBC Session Store

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\SessionServer
Password=                                    <Password>;  REG_SZ

 

5) Either re-run 'smldapsetup reg' with the password of the Policy Store Admin., or restore the encrypted value you saved in step #1, so that the LdapPolicyStore AdminPW key is not left holding another store's password.
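The following script is an added example, not Broadcom/SiteMinder code, that automates the manual steps above: it reads and rewrites a single key under a single hive of 'sm.registry' (so the AdminPW of the Key Store is never confused with the AdminPW of the Policy Store), audits the file for sensitive values that are still in clear text, and wraps the five-step copy procedure around the real 'smldapsetup reg -w' call. It assumes the file layout shown in this article (a hive header line beginning HKEY_LOCAL_MACHINE\..., then 'Name=  value;  TYPE' lines), and the sample registry it builds is constructed for the demo; the helper names, the sample DN and the clear-text sample passwords are made up. The 'encrypt_store_password' wrapper assumes 'smldapsetup' is on PATH and writes to the file you pass; it prompts for the password and is not run by the demo.

```shell
#!/usr/bin/env bash
# Added example (not SiteMinder code). Hive names are passed to awk through the
# environment (ENVIRON) so their backslashes are not treated as escape sequences.
set -eu

PS_HIVE='HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore'
KS_HIVE='HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapKeyStore'

# reg_get FILE HIVE KEY : print the value of KEY under HIVE (empty if absent).
reg_get() {
  HIVE="$2" KEY="$3" awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*HKEY_LOCAL_MACHINE/ { inhive = (trim($0) == ENVIRON["HIVE"]); next }
    inhive && index($0, ENVIRON["KEY"] "=") == 1 {
      v = substr($0, length(ENVIRON["KEY"]) + 2)
      sub(/;.*$/, "", v)                         # drop the ";  REG_SZ" suffix
      print trim(v); exit
    }' "$1"
}

# reg_set FILE HIVE KEY VALUE : replace KEY under HIVE only, keeping the type
# suffix; the file is rewritten through cat so its owner and mode survive.
reg_set() {
  local tmp; tmp=$(mktemp)
  HIVE="$2" KEY="$3" VAL="$4" awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*HKEY_LOCAL_MACHINE/ { inhive = (trim($0) == ENVIRON["HIVE"]) }
    inhive && !done && index($0, ENVIRON["KEY"] "=") == 1 {
      p = index($0, ";"); tail = p ? substr($0, p) : ";"
      print ENVIRON["KEY"] "=    " ENVIRON["VAL"] tail
      done = 1; next
    }
    { print }
    END { exit (done ? 0 : 1) }                  # fail if HIVE/KEY was not found
  ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp" || { rm -f "$tmp"; return 1; }
}

# find_cleartext FILE : print "HIVE<TAB>KEY" for every AdminPW/Password/CertDbPW
# value that is non-empty and does not carry the {RC2} prefix.
find_cleartext() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*HKEY_LOCAL_MACHINE/ { hive = trim($0); next }
    /^(AdminPW|Password|CertDbPW)=/ {
      key = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1); sub(/;.*$/, "", v); v = trim(v)
      if (v != "" && index(v, "{RC2}") != 1) print hive "\t" key
    }' "$1"
}
count_cleartext() { find_cleartext "$1" | awk 'END { print NR }'; }

# make_sample FILE : constructed sm.registry fragment (sample data, not a real file).
make_sample() {
  cat > "$1" <<'EOF'
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore
AdminDN=      CN=smadmin,CN=Users,DC=example,DC=com;   REG_SZ
AdminPW=      {RC2}AO7MTt+vMK+wOuJM2oPvAmhd6R2FvT9s;  REG_SZ
CertDbPW=     ;                                         REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapKeyStore
AdminPW=      KeyStoreClearText1;                       REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Log
Password=     AuditClearText1;                          REG_SZ
EOF
}

# encrypt_store_password FILE TARGET_HIVE TARGET_KEY : steps 1-5 of the article.
# Needs the real smldapsetup on PATH (assumed to update FILE); not run by the demo.
encrypt_store_password() {
  local file=$1 hive=$2 key=$3 saved enc pw
  saved=$(reg_get "$file" "$PS_HIVE" AdminPW)      # 1) keep the Policy Store value
  read -rs -p "Password for $hive: " pw; echo      # prompt instead of a script argument
  smldapsetup reg "-w$pw"                          # 2) argv is visible in ps meanwhile
  enc=$(reg_get "$file" "$PS_HIVE" AdminPW)        # 3) pick up the {RC2} value
  reg_set "$file" "$hive" "$key" "$enc"            # 4) write it under the target hive
  reg_set "$file" "$PS_HIVE" AdminPW "$saved"      # 5) restore the Policy Store value
  unset pw
}

# Stand-alone demo on the constructed sample; no smldapsetup required.
demo=$(mktemp)
make_sample "$demo"
echo "clear-text sensitive values before: $(count_cleartext "$demo")"   # 2
reg_set "$demo" "$KS_HIVE" AdminPW '{RC2}J5TDnMgtvcSdg+SOhTMEV+204ZJ0XJs3'
echo "clear-text sensitive values after:  $(count_cleartext "$demo")"   # 1
find_cleartext "$demo"
rm -f "$demo"
```

Run 'find_cleartext' against the real 'sm.registry' after any manual edit: it lists every sensitive key that still holds a clear-text value, and the hive in the output tells you which store it belongs to.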