Password policy data consideration when Upgrading Siteminder


Article ID: 38200


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


When upgrading a SiteMinder environment, is it possible to lose the
Password Policy data stored in the User Directory?


Policy Server all versions


If you have Password Policies configured and are upgrading your
SiteMinder environment, consider the following:

- When you configure a Password Policy for a User Directory, you specify
  an attribute in that directory where SiteMinder stores each user's
  password data (the PasswordBlob).

- The password data holds the user's tracking details (last login,
  password changes, and so on). It is written as a data blob that is
  encrypted with a session key.

- That session key is stored in the key store, alongside the Agent keys.

- By default, the session key value is itself encrypted with the Policy
  Server encryption key.

When you upgrade to a newer SiteMinder release, consider the following:

- Migrate your session key to the new environment, and make sure the new
  Policy Server uses the same encryption key as the old one. Otherwise
  the new Policy Server cannot decrypt the session key held in the key
  store, and therefore cannot decrypt the password data blob.

- If you need to change the encryption key for the new Policy Server,
  export the session key from the old environment's key store in clear
  text so that you can set the same session key in the new environment.

You can use the smkeyexport tool to export the session key in clear
text, as in the following example (-o names the output file, -c exports
the keys in clear text, -d and -w give the SiteMinder administrator name
and password):

  smkeyexport -ocr1-2-keys.smdif -c -dsiteminder -w<password>

Because the export contains the keys in clear text, restrict access to
the output file and remove it once the keys have been imported into the
new environment.
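The dependency chain described above (PasswordBlob encrypted with the session key, session key encrypted with the Policy Server encryption key), as an added illustration written for this page. It is not SiteMinder code: SiteMinder's actual blob format, key store layout and algorithms are not shown. A stdlib-only authenticated cipher stands in for the real encryption, the field names in the sample tracking data are constructed, and the hypothetical `upgrade_outcome` function simulates the three upgrade paths the article contrasts: same encryption key, changed encryption key with the key store copied as-is, and changed encryption key with the session key exported in clear text (the `smkeyexport -c` path) and re-wrapped under the new key.

```python
"""Model of the SiteMinder key hierarchy: PasswordBlob -> session key ->
Policy Server encryption key. Illustrative only; the cipher below (SHA-256
counter-mode keystream plus an HMAC tag) stands in for SiteMinder's own
encryption, and the data formats are assumptions, not SiteMinder's."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError if the key is wrong or the blob was modified."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """The key store holds the session key wrapped (encrypted) under the
    Policy Server encryption key, as the article describes."""

    def __init__(self, wrapped_session_key: bytes):
        self.wrapped_session_key = wrapped_session_key

    @classmethod
    def create(cls, ps_encryption_key: bytes, session_key: bytes) -> "KeyStore":
        return cls(encrypt(ps_encryption_key, session_key))

    def session_key(self, ps_encryption_key: bytes) -> bytes:
        """What the Policy Server does at runtime: unwrap the session key."""
        return decrypt(ps_encryption_key, self.wrapped_session_key)

    def export_clear(self, ps_encryption_key: bytes) -> bytes:
        """Analogue of `smkeyexport -c`: the session key in clear text."""
        return self.session_key(ps_encryption_key)


def write_password_blob(session_key: bytes, tracking: dict) -> bytes:
    """PasswordBlob as stored in the user directory attribute."""
    return encrypt(session_key, json.dumps(tracking, sort_keys=True).encode())


def read_password_blob(session_key: bytes, blob: bytes) -> dict:
    return json.loads(decrypt(session_key, blob))


def upgrade_outcome(old_ps_key: bytes, new_ps_key: bytes, migrate_in_clear: bool):
    """Simulate an upgrade and return the tracking data the new Policy Server
    can read from a blob written by the old one, or None if it is lost."""
    session_key = os.urandom(32)
    old_store = KeyStore.create(old_ps_key, session_key)
    # Constructed sample of the tracking details; the field names are assumptions.
    tracking = {"lastLogin": "2023-05-01T09:12:00Z", "passwordChanges": 3}
    blob = write_password_blob(old_store.session_key(old_ps_key), tracking)

    if migrate_in_clear:
        # Old side: export in clear text. New side: re-wrap under the new key.
        new_store = KeyStore.create(new_ps_key, old_store.export_clear(old_ps_key))
    else:
        # Key store copied as-is: the wrapped session key is unchanged.
        new_store = KeyStore(old_store.wrapped_session_key)

    try:
        return read_password_blob(new_store.session_key(new_ps_key), blob)
    except ValueError:
        return None


if __name__ == "__main__":
    old, new = os.urandom(32), os.urandom(32)
    print("same encryption key, store copied :", upgrade_outcome(old, old, False))
    print("new encryption key, store copied  :", upgrade_outcome(old, new, False))
    print("new encryption key, clear export  :", upgrade_outcome(old, new, True))
```

The second scenario is the failure mode the article warns about: the wrapped session key is intact, but the new Policy Server cannot unwrap it with a different encryption key, so every PasswordBlob written under that session key is unreadable. The third scenario shows why the clear-text export matters: the session key itself never changes, only the key it is wrapped under.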

In summary: the Policy Server depends on the session key to decrypt the
password blob. Any change to the session key, or loss of the ability to
decrypt it from the key store, means the existing password data can no
longer be read.