Vulnerability in CAPKI 5.2.17 and older on Siteminder Policy Server r12.8.8.1 and older


Article ID: 441109


Products

SITEMINDER

Issue/Introduction

A security scan may return a flag for the following files on the Siteminder r12.8.8.1 or older Policy Server:

LINUX:

/<Install_Dir>/CA/siteminder/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/siteminder/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so

WINDOWS:

<Install_Dir>\CA\siteminder\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.dll
<Install_Dir>\CA\siteminder\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.dll

 

CAPKI (previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides the CA Development Community with the features required to implement Information Security services in its products. CAPKI is a wrapper on OpenSSL, which is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

NOTE: Siteminder r12.9 Policy Server uses CAPKI 6. For CAPKI 6 on Siteminder 12.9, use KB440135: CAPKI 6.0.3 with OpenSSL 3.0.20 for R12.9 Policy Server.


Environment

PRODUCT: Symantec Siteminder

COMPONENT: Policy Server

VERSION: r12.8.8.1 and Older

OPERATING SYSTEM:  Windows and Linux

Cause

CAPKI (Previously known as ETPKI) is a wrapper on OpenSSL. CAPKI 5.2.x is built with OpenSSL 1.0.2.

The Siteminder Policy Server ships with the following versions of CAPKI:

Siteminder Policy Server r12.8.8.1 is shipped with CAPKI 5.2.14.0

Siteminder r12.8.7 and r12.8.8 are compiled with older versions of CAPKI built on older versions of OpenSSL 1.0.2

KB409211 (archived) delivered CAPKI 5.2.16
KB427908 (archived) delivered CAPKI 5.2.17

CAPKI 5.2.17 and older are compiled with versions of OpenSSL 1.0.2 that have published vulnerabilities (CVEs).

Resolution

Upgrade CAPKI to CAPKI 5.2.18 on the Siteminder Policy Server using this KB.

CAPKI 5.2.18 has been compiled with OpenSSL 1.0.2zp.   

This solution applies to the following Siteminder Policy Server versions:

  • r12.8.8.1 and older

 

LINUX

1) Download "etpki-install_5_2_18_linux.zip" from this KB.

2) Copy "etpki-install_5_2_18_linux.zip" to the Siteminder Policy Server on Linux and decompress it.

3) Stop the Policy Server

4) Change to the following directory:

/<Install_Dir>/CA/siteminder/

5) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5_2_18_linux.zip" to /<Install_Dir>/CA/siteminder/

7) Change to the following directory*:

/<Install_Dir>/CA/SharedComponents/

* This directory may not exist on your system

8) (If it exists) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

9) Modify the $CAPKIHOME variable in the environment variable script:

/<Install_Dir>/CA/siteminder/ca_ps_env.ksh

CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME

10) Run the updated Policy Server environment variable script (ca_ps_env.ksh):

cd /<Install_Dir>/CA/siteminder/

. ./ca_ps_env.ksh

11) Change to the following directory:

/<Install_Dir>/CA/siteminder/etpki-install/redist/

12) Ensure the user has execute permissions on the installation media (setup)

13) Run the following command:

./setup install caller=ps12

NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory

14) Start the Policy Server

15) Validate Policy Server functionality

16) Delete the following backup directories:

/<Install_Dir>/CA/siteminder/CAPKI.BAK

(If Exists) /<Install_Dir>/CA/SharedComponents/CAPKI.BAK
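
A post-upgrade check for the Linux steps above, added here as an example and not part of this KB or of any Broadcom tooling: it reads the OpenSSL banner out of a library file and reports whether it is at least 1.0.2zp. It assumes libcaopenssl_crypto.so carries the upstream "OpenSSL 1.0.2<letters>" banner string; the function names and the constructed sample blob are hypothetical.

```shell
#!/bin/sh
# Added example, not Broadcom tooling. Assumption: the CAPKI crypto library
# carries the upstream "OpenSSL 1.0.2<letters>" banner string.

# Print the embedded 1.0.2 version (e.g. "1.0.2zp"), or nothing if absent.
embedded_openssl_version() {
    LC_ALL=C grep -a -o -E 'OpenSSL 1\.0\.2[a-z]*' "$1" 2>/dev/null |
        head -n 1 | sed 's/^OpenSSL //'
}

# 1.0.2 letter releases order as "", a..z, za..zz: a longer suffix is newer,
# equal-length suffixes compare alphabetically.
suffix_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        if (length(have) != length(want)) exit !(length(have) > length(want))
        exit !(have >= want)
    }'
}

# Exit status: 0 = at or above minimum, 1 = older, 2 = no banner found.
check_capki_lib() {
    lib=$1
    min=${2:-zp}    # 1.0.2zp is the OpenSSL build this KB names for CAPKI 5.2.18
    ver=$(embedded_openssl_version "$lib")
    if [ -z "$ver" ]; then
        echo "UNKNOWN  $lib (no OpenSSL 1.0.2 banner)"; return 2
    fi
    if suffix_at_least "${ver#1.0.2}" "$min"; then
        echo "OK       $lib ($ver)"; return 0
    fi
    echo "OUTDATED $lib ($ver < 1.0.2$min)"; return 1
}

# Constructed sample: a fake binary blob with a banner, for offline testing.
make_sample_lib() {
    printf '\177ELF\001\001pad\001OpenSSL %s  (constructed)\001tail' "$2" > "$1"
}

# Usage: sh check_capki.sh <path to libcaopenssl_crypto.so> ...
for f in "$@"; do check_capki_lib "$f" || true; done
```

Run it against libcaopenssl_crypto.so under the new CAPKI5 directory once step 13 has completed; an OUTDATED result means the library at that path still embeds an older 1.0.2 build.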

WINDOWS

1) Download "etpki-install_5_2_18_win64.zip" from this KB.

2) Copy "etpki-install_5_2_18_win64.zip" to the Policy Server on Windows and decompress it.

3) Stop the Policy Server

4) Change to the following directory:

<Drive>:\<Install_Dir>\CA\siteminder\

5) Back up the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'

ren CAPKI CAPKI.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5_2_18_win64.zip" to <Drive>:\<Install_Dir>\CA\siteminder\

7) Change to the following directory*:

<Drive>:\<Install_Dir>\CA\SC\

* This directory may not exist on your system

8) (If it exists) Back up the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'

ren CAPKI CAPKI.BAK

9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)

10) Change to the following directory:

<Drive>:\<Install_Dir>\CA\siteminder\etpki-install\redist\

11) Run the following command:

setup.exe install caller=ps12

NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory

12) Start the Policy Server

13) Validate Policy Server functionality

14) Delete the following backup directories:

<Drive>:\<Install_Dir>\CA\siteminder\CAPKI.BAK

<Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK

Additional Information

KB 441112: Vulnerability in CAPKI 5.2.17 and older on Siteminder Web Agents

KB 441111: Vulnerability in CAPKI 5.2.17 and older on Siteminder Sharepoint Agent r12.8.x

KB 441109: Vulnerability in CAPKI 5.2.17 and older on Siteminder Policy Server r12.8.8.1 and older

KB 441106: Vulnerability in CAPKI 5.2.17 and older on Siteminder Access Gateway Server r12.8.8.1 and older

KB 440135: CAPKI 6.0.3 with OpenSSL 3.0.20 for R12.9 Policy Server

KB 441155: Vulnerability in CAPKI 6.0.2 and older on Siteminder Access Gateway Server 12.9

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zp within CAPKI 5.2.18 remediates the following CVEs:

CVE-2026-28388
CVE-2026-28389
CVE-2026-28390
CVE-2025-68160
CVE-2025-69421
CVE-2025-22796
CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

etpki-install_5_2_18_win64.zip
etpki-install_5_2_18_linux.zip