Password policy data consideration when Upgrading Siteminder



Article ID: 38200




CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER



When upgrading a SiteMinder environment, is it possible to lose the
Password Policy data stored in the User Directory?




Policy Server all versions




When Password Policies are in use and a SiteMinder environment is
being upgraded, the following needs to be considered:

  - When configuring a Password Policy for a User Directory, specify
    an attribute in the directory where SiteMinder can store each
    user's Password Data (the PasswordBlob).

  - The password data contains the user's tracking details (last
    login, password changes, and so on) and is stored as a data blob
    encrypted with a session key.

  - This session key is stored within the key store along with the
    Agent keys.

  - The session key value is itself encrypted with the Policy Server
    encryption key by default.

When upgrading to a newer SiteMinder release, consider the following:

  - Make sure the Session Key is migrated to the new environment and
    that the new Policy Server uses the same Encryption Key as the old
    one; otherwise the Policy Server will not be able to read the
    Session Key and so cannot decrypt the Password Data blob.

  - If the Encryption Key must be changed for the new Policy Server,
    export the Session Key from the old environment's Key Store in
    clear text so it can be set up the same on the new

The smkeyexport tool can be used to export the session key in clear
text, as shown below (replace <filename> and <password> with the
output file name and the administrator password):

  smkeyexport -o<filename>.smdif -c -dsiteminder -w<password>

In summary: the Policy Server depends on the session key to decrypt
the password blob. Any change to the session key results in the loss
of the password data.
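The dependency chain described above (password blob under the session key, session key under the Policy Server encryption key), modelled in Python as an added illustration of why the two upgrade paths behave differently; the HMAC-based toy cipher, key store layout and tracking fields are constructed and are not SiteMinder's actual format:

```python
import hashlib
import hmac
import json
import os
from typing import Optional

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stream cipher for the model only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy authenticated encryption)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Returns None when the key is wrong (tag check fails): the blob is unreadable."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def read_password_blob(encryption_key: bytes, key_store: dict, blob: bytes) -> Optional[dict]:
    """What the Policy Server must do: unwrap the session key, then the PasswordBlob."""
    session_key = unseal(encryption_key, key_store["session_key"])
    if session_key is None:
        return None  # different Policy Server encryption key: session key unreadable
    data = unseal(session_key, blob)
    return None if data is None else json.loads(data)

def simulate_upgrade(change_encryption_key: bool, export_in_clear: bool) -> Optional[dict]:
    """Old environment: session key wrapped under its encryption key, constructed
    tracking data wrapped under the session key; then carried to the new server."""
    old_key, session_key = os.urandom(32), os.urandom(32)
    old_store = {"session_key": seal(old_key, session_key)}
    blob = seal(session_key, json.dumps({"lastLogin": "2024-01-01", "pwChanges": 3}).encode())
    new_key = os.urandom(32) if change_encryption_key else old_key
    if export_in_clear:
        # smkeyexport -c path: session key exported in clear, re-wrapped under the new key
        new_store = {"session_key": seal(new_key, unseal(old_key, old_store["session_key"]))}
    else:
        new_store = dict(old_store)  # key store copied as-is, still wrapped under the old key
    return read_password_blob(new_key, new_store, blob)
```

Only the combination "encryption key changed, key store copied without a clear-text session key export" loses the tracking data; the other two paths read it back intact.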


Additional Information

More information on the export / import steps: