Incorrect/additional sets of keys in the Key Store after manually deleting keys from the key store, then starting the Policy Server and performing a key rollover


Article ID: 51695


Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We're seeing incorrect and additional sets of keys in the Key Store after manually deleting keys from the key store, then starting the Policy Server and performing a key rollover. How can we solve this?


Cause

There are two known ways to end up with multiple key sets in the Key Store.


By far the most common cause of multiple sets of Agent Keys in the Key Store is having multiple Policy Servers that generate Agent Keys pointing at the same Key Store. This situation arises when an administrator adds Policy Servers to an existing environment without un-checking the "Enable Agent Key Generation" check box prior to start-up. In this situation you generally see a set of keys for each Policy Server in the environment that is still configured to generate Agent Keys.


The other known cause is improper caching of the key store. The improper caching caused extra keys to be added to the Key Store when a key rollover was performed, even after a Key Store cleanup. This affects all 6.0 and earlier versions prior to fix 88165, which was put into 6.0 SP5 CR31 and later. The 12.0 line is also affected by this cache issue in versions prior to 12.0 SP2 CR00, where fix 90465 was introduced.


Environment

Release:
Component: SMPLC

Resolution

To resolve multiple sets of keys in the Key Store, take the following steps:

  1. Ensure your Policy Server is at a version beyond 6.0 SP5 CR31 or 12.0 SP2 CR00
  2. Follow KD "How to Clean up a SiteMinder Key Store?"
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=50770
    (We recommend the latest release as that will always have the most issues resolved)
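
Before cleaning up, it helps to confirm which of the two causes applies. The following is an added example, not code from the article or the product: it audits a constructed inventory for key stores shared by more than one key-generating Policy Server and for versions that predate the cache fixes. The inventory fields, server names and key store URLs are hypothetical, and version strings are assumed to follow the `6.0 SP5 CR31` form used above.

```python
import re
from collections import defaultdict

# First builds carrying the cache fixes, per the article's Cause section.
FIX_88165 = (6, 0, 5, 31)   # 6.0 SP5 CR31
FIX_90465 = (12, 0, 2, 0)   # 12.0 SP2 CR00

def parse_version(text):
    """Turn '6.0 SP5 CR31' into (6, 0, 5, 31); a missing SP/CR counts as 0 (assumption)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+CR(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def has_cache_fix(text):
    """True/False for the 6.0-and-earlier and 12.0 lines; None where the article is silent."""
    v = parse_version(text)
    if v[:2] <= (6, 0):
        return v >= FIX_88165
    if v[:2] == (12, 0):
        return v >= FIX_90465
    return None

def audit(inventory):
    """Return (key stores with more than one key generator, servers lacking the cache fix)."""
    generators = defaultdict(list)
    unfixed = []
    for ps in inventory:
        if ps["key_generation"]:
            generators[ps["key_store"]].append(ps["name"])
        if has_cache_fix(ps["version"]) is False:
            unfixed.append(ps["name"])
    shared = {ks: names for ks, names in generators.items() if len(names) > 1}
    return shared, unfixed

# Constructed inventory; names, key store URLs and field names are hypothetical.
INVENTORY = [
    {"name": "ps1", "version": "12.0 SP2 CR01", "key_store": "ldap://ks-a", "key_generation": True},
    {"name": "ps2", "version": "12.0 SP1 CR03", "key_store": "ldap://ks-a", "key_generation": True},
    {"name": "ps3", "version": "6.0 SP5 CR31", "key_store": "ldap://ks-b", "key_generation": True},
    {"name": "ps4", "version": "6.0 SP5 CR12", "key_store": "ldap://ks-b", "key_generation": False},
]

if __name__ == "__main__":
    shared, unfixed = audit(INVENTORY)
    for ks, names in shared.items():
        print(f"{ks}: {len(names)} Policy Servers generate Agent Keys: {', '.join(names)}")
    print("Lacking the key store cache fix:", ", ".join(unfixed) or "none")
```

A key store listed in the first result should be left with a single Policy Server that has "Enable Agent Key Generation" checked; servers in the second result need upgrading before the cleanup, otherwise the next rollover can reintroduce extra keys.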