smmigratecds fails with error: java.lang.Exception: Unable to load private key using certificate. Exception Message: NativeDB$Access.pbeDecrypt: AES decryption failed


Article ID: 8925


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

smmigratecds fails with the following error:

[[email protected] properties]$ smmigratecds.sh -validate -v -p changeit 

 

java.lang.Exception: Unable to load private key using certificate. Exception Message: NativeDB$Access.pbeDecrypt: AES decryption failed

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.getPrivateKeyFromDB(FileBasedCertificateDataStoreImpl.java:982)

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.switchToMemoryDB(FileBasedCertificateDataStoreImpl.java:2980)

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.registerDB(FileBasedCertificateDataStoreImpl.java:539)

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.registerDB(FileBasedCertificateDataStoreImpl.java:512)

        at com.netegrity.smkeydatabase.db.SMKeyDatabase.registerDB(SMKeyDatabase.java:1587)

        at com.netegrity.smkeydatabase.migrate.MigrateFBCDS.<init>(MigrateFBCDS.java:133)

        at com.netegrity.smkeydatabase.migrate.MigrateCertificateDataTool.process(MigrateCertificateDataTool.java:258)

        at com.netegrity.smkeydatabase.migrate.MigrateCertificateDataTool.main(MigrateCertificateDataTool.java:332)

Environment

New Policy server: 12.52SP1 and above

Old Policy server: 12.0

Policy server encryption keys are different between the old and new servers.

Cause

Steps taken by the customer on the 12.52 Policy server:

  1. Renamed the smkeydatabase.properties located at siteminder_home\config\properties to newsmkeydatabase.properties
  2. Copied smkeydatabase.properties file from r12.0 to r12.52 Policy server to directory siteminder_home\config\properties
  3. Copied smkeydatabase folder from r12.0 to r12.52 Policy server.
  4. Edited smkeydatabase.properties to change DBLocation property to point to location of smkeydatabase folder.

The customer then ran the command:

 smmigratecds.sh -validate -v -p <password>

where <password> is the smkeydatabase password from the r12.0 setup.

The issue is that the password in the smkeydatabase.properties file is encrypted using the Policy server encryption key.

In this case, because the Policy server encryption keys differed between the r12.0 and r12.52 Policy servers, the r12.52 Policy server could not decrypt the password that had been encrypted with the r12.0 Policy server encryption key.

Resolution

If the Policy server encryption keys are different, you should NOT copy the old smkeydatabase.properties file to the new Policy server.

That is, skip steps 1 and 2 above.

The new Policy server should use its own smkeydatabase.properties file.
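
A pre-flight check for the condition described above, to run before smmigratecds. This is an added example, not vendor code. It assumes the properties file uses Java-style key=value lines with POSIX paths and that a copy of the r12.0 file is kept for comparison; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for smmigratecds.
# Usage: preflight_cds <active smkeydatabase.properties> <r12.0 copy>

# Print the DBLocation value (last definition wins, as in Java properties).
get_dblocation() {
    sed -n 's/^[[:space:]]*DBLocation[[:space:]]*[=:][[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '\r'
}

# Print the file without its DBLocation lines, so that a copied file whose
# DBLocation was edited afterwards (step 4) still compares equal to its source.
strip_dblocation() {
    grep -v '^[[:space:]]*DBLocation[[:space:]]*[=:]' "$1" | tr -d '\r'
}

# Return 0 when the active file looks safe to use; otherwise print the reason
# and return a distinct non-zero code.
preflight_cds() {
    active=$1
    old=$2
    [ -r "$active" ] || { echo "FAIL: cannot read $active"; return 2; }
    # The r12.0 file carries a password encrypted under the r12.0 Policy server
    # encryption key, which the new server cannot decrypt if its key differs.
    if [ -r "$old" ] &&
       [ "$(strip_dblocation "$active")" = "$(strip_dblocation "$old")" ]; then
        echo "FAIL: $active matches the r12.0 file apart from DBLocation"
        return 3
    fi
    loc=$(get_dblocation "$active")
    [ -n "$loc" ] || { echo "FAIL: DBLocation not set in $active"; return 4; }
    [ -d "$loc" ] || { echo "FAIL: DBLocation '$loc' is not a directory"; return 5; }
    echo "OK: server's own properties file in use, DBLocation=$loc"
}
```

Return code 3 corresponds to the situation in this article: the active file is the r12.0 file with only DBLocation changed.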