The two newly installed Policy Servers at Sprint pointing to one common Policy Store are getting "Invalid agent key marker (0)" while performing manual key rollover.


Article ID: 52736


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

Environment

Policy Server: v6 SP5 CR20 on Solaris 10

Policy/key store: SunOne LDAP 6.0

Issue

Manually importing the key store from a different domain site caused SSO to stop working. Both sites were using static keys, and no separate key store had been set up in either environment (the policy store and key store live in the same LDAP instance).

The two newly installed Policy Servers at Site1 pointing to a common Policy Store were getting "Invalid agent key marker (0)" while performing manual key rollover.

We attempted to set the OldKeyTime parameter to zero and re-import the agent keys, but the same issue persisted.

We then tried to reset the Policy Server encryption key (to synchronize the encryption key between the Site2 environment and the Site1 environment) via the smreg -key command.

Once the encryption key was reset, the Policy Servers threw the following error in the Policy Server log:

[ERROR] Failed to initialize policy store Policy store failed operation
'ProviderInit' for object type 'Policy store provider'. Failed to connect to the LDAP Policy Store.

The error was triggered because the new Policy Store had been set up using the old encryption key. This proved that the encryption key entered while installing the new Policy Server at Site1 was different from the encryption key used at Site2, so the two Policy Servers could not decrypt the same key store contents.

Solution:

The issue was resolved by setting up the Policy Store from scratch in a new LDAP instance and importing the existing Policy Store export.

Environment

Release:
Component: SMPLC