SiteMinder Policy Server encryption key update procedure

Article ID: 9927

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

This procedure helps in resetting the Policy Server encryption key that is provided during Policy Server installation. The value is stored in EncryptionKey.txt (in the <Policy_server_install_path>/bin folder).

This key is used by the Policy Server to encrypt and decrypt "sensitive" information that is entered into CA SSO (SiteMinder) via the Policy Server Management Console (SMConsole) as well as the CA SSO Policy Server User Interface. This includes data such as LDAP bind credentials, ODBC passwords, key store keys, agent shared secrets, etc.

Policy servers that use different encryption keys cannot share the same policy store. In order for policy servers to decrypt the sensitive information within the policy store, they need to use the same encryption key. The key can be changed via:

smreg -key <encryption_key>

Environment

SiteMinder R12.8.x

Cause

This is useful when the encryption key is unknown during upgrade or migration procedures.

Resolution

Before performing the encryption key reset, stop the Policy Server services and take a backup of the policy store, the key store and EncryptionKey.txt so that the previous state can be restored quickly. The commands below can be used for the backups.

1. Stop the Policy Server services.

2. Take a full backup of the policy store.

xpsexport <export_filename.xml> -xb -npass

Example:

xpsexport Policystore_fullbackup.xml -xb -npass

3. Export the keys from the key store.

smkeyexport -o<output_file> -d<AdminName> -w<AdminPW> -c

Example:

smkeyexport -o C:\keys_22022024.txt -dsiteminder -wpassword -c

The snippet of the output file below shows 1 persistent key and 4 agent keys. This is the expected number of keys in the key store. If there are more than that (4 agent keys, 1 persistent key), the key store needs to be cleaned by deleting the extra entries from the key store database (SMKEYMANAGEMENT4, SMAGENTKEY4) or from LDAP (under ou=PolicySvr4,ou=Siteminder,ou=Netegrity,o=policystore).
@@@
objectclass: KeyManagement
Oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
IsEnabled: false
ChangeFrequency: 0
ChangeValue: 0
NewKeyTime: 0
OldKeyTime: 0
FireHour: 0
PersistentKey: tg2HnGjudTYxB4WIWs/o0gWwkx2++vlu

objectclass: AgentKey
Oid: 1b-a4a6dc2b-8fce-4f91-bf02-e532f8c457cb
KeyMarker: 1
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6

objectclass: AgentKey
Oid: 1b-ef0ee89b-7637-4a02-91e0-35628f7cc8b0
KeyMarker: 2
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6

objectclass: AgentKey
Oid: 1b-54a1351e-b0e7-45d9-986e-dc46b9623c4c
KeyMarker: 3
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6

objectclass: AgentKey
Oid: 1b-3dc0c9fb-539b-4c7b-ac48-edc9af333320
KeyMarker: 4
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6
@@@

4. Change the encryption key with the smreg -key command, for example:

smreg -key <encryption_key>

5. Import the policies after the encryption key has been changed, for example:

xpsimport policy.xml -npass -fo

6. Import the keys with smkeyimport, for example:

smkeyimport -iC:\keys_22022024.txt -dsiteminder -wpassword -c

7. Start the Policy Server services.

8. Roll over the agent keys and the persistent key via the WAMUI (optional).
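The script below is an added example, not part of the original article and not a CA/Broadcom tool. It wraps steps 1 to 7 above in order and adds the check the article asks for after the key export: the smkeyexport file must contain exactly 1 persistent key (KeyManagement record) and 4 agent keys (AgentKey records), otherwise the procedure aborts before smreg changes anything. The SiteMinder commands (xpsexport, smkeyexport, smreg, xpsimport, smkeyimport) and their flags are the ones the article shows; the PS_HOME path, the stop-all/start-all scripts used for the service stop and start, the generated file names and the sample export records are assumptions or constructed placeholders. With DRY_RUN=1 (the default) the commands are only printed, so the flow and the key-count check can be exercised on a host without SiteMinder.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Wraps the encryption key
# reset procedure and verifies the key store export before changing the key.
# Assumptions: PS_HOME, the stop-all/start-all scripts, file names.
set -u

PS_HOME="${PS_HOME:-/opt/CA/siteminder}"   # assumed Policy Server install path
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands only

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Count KeyManagement (persistent) and AgentKey records in an smkeyexport
# file; prints "<persistent> <agent>". Record format is the article's
# snippet: one "objectclass: ..." line per key.
count_keys_in_export() {
  awk '
    /^objectclass:[[:space:]]*KeyManagement[[:space:]]*$/ { p++ }
    /^objectclass:[[:space:]]*AgentKey[[:space:]]*$/      { a++ }
    END { printf "%d %d\n", p + 0, a + 0 }
  ' "$1"
}

# The article expects exactly 1 persistent key and 4 agent keys; anything
# else means the key store must be cleaned before the key is changed.
verify_key_store_export() {
  local file="$1" counts persistent agent
  counts=$(count_keys_in_export "$file")
  persistent=${counts%% *}
  agent=${counts##* }
  if [ "$persistent" -eq 1 ] && [ "$agent" -eq 4 ]; then
    return 0
  fi
  printf 'export %s has %s persistent / %s agent keys, expected 1 / 4; clean the key store first\n' \
    "$file" "$persistent" "$agent" >&2
  return 1
}

# Steps 1-7 of the procedure in order; stops before smreg if the key count
# check fails. Usage: reset_encryption_key <new_key> <admin> <admin_pw>
reset_encryption_key() {
  local new_key="$1" admin="$2" admin_pw="$3" stamp policy_backup key_backup
  stamp=$(date +%Y%m%d%H%M%S)
  policy_backup="Policystore_fullbackup_$stamp.xml"
  key_backup="keys_$stamp.txt"

  run "$PS_HOME/bin/stop-all"                                        # 1. stop services (assumed script)
  run xpsexport "$policy_backup" -xb -npass                          # 2. full policy store backup
  run smkeyexport -o"$key_backup" -d"$admin" -w"$admin_pw" -c         # 3. export keys
  run verify_key_store_export "$key_backup" || return 1               #    1 persistent + 4 agent keys?
  run cp "$PS_HOME/bin/EncryptionKey.txt" "EncryptionKey_$stamp.txt"  #    keep the old key value
  run smreg -key "$new_key"                                          # 4. change the encryption key
  run xpsimport "$policy_backup" -npass -fo                          # 5. re-import policies
  run smkeyimport -i"$key_backup" -d"$admin" -w"$admin_pw" -c         # 6. re-import keys
  run "$PS_HOME/bin/start-all"                                       # 7. start services (assumed script)
}

# Constructed sample in the smkeyexport record format (placeholder OIDs and
# key values), used to exercise the check without a real key store.
sample_export() {
  cat <<'EOF'
objectclass: KeyManagement
Oid: 1a-00000000-0000-0000-0000-000000000000
IsEnabled: false
PersistentKey: PLACEHOLDERPERSISTENTKEY

objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000001
KeyMarker: 1
Key: PLACEHOLDERAGENTKEY

objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000002
KeyMarker: 2
Key: PLACEHOLDERAGENTKEY

objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000003
KeyMarker: 3
Key: PLACEHOLDERAGENTKEY

objectclass: AgentKey
Oid: 1b-00000000-0000-0000-0000-000000000004
KeyMarker: 4
Key: PLACEHOLDERAGENTKEY
EOF
}

# Invoked as: ./reset_key.sh run <new_key> <admin> <admin_pw>
if [ "${1:-}" = "run" ]; then
  shift
  reset_encryption_key "$@"
fi
```

Running it with DRY_RUN=0 on the Policy Server host performs the real steps; step 8 (the key rollover in the WAMUI) stays a manual action. The export file written in step 3 contains the persistent and agent key values in the clear, as the article's snippet shows, so it should be kept with the same protection as EncryptionKey.txt and removed once the import in step 6 has succeeded.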

Additional Information