CAPKI 6.0.3 with OpenSSL 3.0.20 for R12.9 Policy Server

Article ID: 440135

Updated On:

Products

SITEMINDER

Issue/Introduction

When you perform security scans on your SiteMinder r12.9 Policy Server, the report identifies critical and high vulnerabilities in the CAPKI OpenSSL version. The scan typically flags the following path and version details:

  • Path: $NETE_PS_ROOT/etpki-install/bin/openssl (Linux) or %NETE_PS_ROOT%\etpki-install\bin\openssl (Windows)
  • Reported Version: 3.0.18
  • Fixed Version: 3.0.20

The scan reports multiple CVEs, including but not limited to:

  • CVE-2025-15467
  • CVE-2026-28387
  • CVE-2026-28388
  • CVE-2026-28389
  • CVE-2026-28390
  • CVE-2026-31789
  • CVE-2026-31790

Environment

  • Product: SiteMinder (formerly CA Single Sign-On)
  • Component: Policy Server
  • Version: r12.9
  • Operating System: Windows, Linux

NOTE: This applies only to the R12.9 Policy Server, because that version uses OpenSSL 3.x.

Cause

The version of CAPKI bundled with the r12.9 Policy Server utilizes OpenSSL 3.0.18, which contains known security vulnerabilities. Remediation requires an upgrade to CAPKI 6.0.3, which incorporates OpenSSL 3.0.20.

Resolution

Fixed in release CAPKI 6.0.3 and higher. 

Steps to port the New CAPKI

CAPKI 6_0_3 with OpenSSL 3.0.20 is attached. Follow the steps below to install the new ETPKI on the Policy Server.


------------------
Windows
------------------
!! Run as the privileged user that installed the Policy Server.
1. Stop the PS
2. Take a backup of the original "%NETE_PS_ROOT%\etpki-install" folder
3. Take a backup of the original "C:\Program Files\CA\SC\CAPKI" folder
4. Unzip the attachment and copy the new etpki-install to %NETE_PS_ROOT% to replace the existing folder.
5. Open a command prompt and go to %NETE_PS_ROOT%\etpki-install\redistrib\
6. Run:
  setup.exe install caller=ps12
7. It will install in C:\Program Files\CA\SC\CAPKI
8. Start the PS

------------------
Linux 
------------------

Steps to port the CAPKI 6_0_3 with OpenSSL 3.0.20
!! Run as smuser or whichever user installed and runs the Policy Server.
1. Stop the PS
2. Take a backup of the "$NETE_PS_ROOT/etpki-install" folder
3. Take a backup of the "/opt/CA/SharedComponents/CAPKI/" folder
4. Ensure smuser (or whichever user installs/runs the Policy Server) has full permission to the "/opt/CA/SharedComponents" folder, the CAPKI folder and its subdirectories.
5. Unzip the attachment and copy the new etpki-install to $NETE_PS_ROOT to replace the existing folder.
6. Run:
    export CAPKIHOME=/opt/CA/SharedComponents/CAPKI
7. Go to "$NETE_PS_ROOT/etpki-install/redistrib/" in a terminal
8. Run:
  chmod +x setup
  ./setup install caller=ps12
9. A new CAPKI6 folder is created in the path /opt/CA/SharedComponents/CAPKI/
!! If the installation fails or you do not find CAPKI6 installed, check "/tmp/capki_install.log"
10. Copy the new CAPKI6 from /opt/CA/SharedComponents/CAPKI/ to $NETE_PS_ROOT/CAPKI/
11. Run "source ca_ps_env.ksh" to ensure CAPKIHOME switches back to "$NETE_PS_ROOT/CAPKI"
12. Start the PS
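
To confirm on Linux that the upgrade took effect before re-running the scan, the check below runs the openssl binary at the path the scan flags and compares its reported version with the fixed version 3.0.20. It is an added example, not part of the original article; the function names are illustrative, and it assumes the binary answers `openssl version` with the standard "OpenSSL X.Y.Z ..." banner.

```shell
#!/bin/sh
# Added example: post-upgrade version check for the CAPKI openssl binary.
FIXED_VERSION="3.0.20"   # fixed version named in this article

# Extract "X.Y.Z" from `openssl version` output; prints nothing if no match.
parse_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: succeeds when dotted version A >= B (numeric per field).
version_ge() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2          # split both versions into six positional fields
    IFS=$old_ifs
    [ "$#" -eq 6 ] || return 2
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# Classify raw version output: "OK <ver>", "OUTDATED <ver>" or "UNKNOWN".
classify_version_output() {
    ver=$(parse_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "OK $ver"
    else
        echo "OUTDATED $ver"
    fi
}

# Run one binary and report its status; a binary that fails to run is UNKNOWN.
check_openssl_binary() {
    out=$("$1" version 2>/dev/null) || out=""
    echo "$1: $(classify_version_output "$out")"
}

# Path taken from the scan finding above; skipped when NETE_PS_ROOT is unset.
if [ -n "${NETE_PS_ROOT:-}" ] && [ -x "$NETE_PS_ROOT/etpki-install/bin/openssl" ]; then
    check_openssl_binary "$NETE_PS_ROOT/etpki-install/bin/openssl"
fi
```

Run it as the Policy Server user after sourcing ca_ps_env.ksh so NETE_PS_ROOT is set; an UNKNOWN result means the binary did not run or printed an unexpected banner.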

Additional Information

This obsoletes KB431025

Attachments

etpki-install_6_0_3_Openssl3_0_20_linux.zip
etpki-install_6_0_3_OpenSSL3_0_20_win64.zip