When upgrading Siteminder Environment, is it possible to lose my
Password Policy Data from the User Directory ?
Policy Server all versions
If Password Policies are in use while a Siteminder environment is being
upgraded, the following needs to be considered:
- When configuring a Password Policy for a User Directory, an attribute
on the directory is specified where Siteminder stores each user's
Password Data (PasswordBlob).
- The password data contains the user tracking details (last logon,
password changes, etc.) and is stored as a data blob that is encrypted
with a session key.
- This session key is stored within the key store along with the
Agent keys.
- The session key value is encrypted by the Policy Server encryption
key by default.
When upgrading to a newer Siteminder Release, consider the below:
- Migrate the Session Key to the new environment, and make sure the new
Policy Server uses the same Encryption Key as the old one; otherwise the
Policy Server will not be able to read the Session Key needed to decrypt
the Password Data blob.
- If the Encryption Key of the new Policy Server must change, export
the Session Key from the old environment's Key Store in clear text so
the same Session Key can be set up on the new environment.
The smkeyexport tool can be used to export the session key in clear text
as indicated below:
smkeyexport -o<filename>.smdif -c -dsiteminder -w<password>
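Added example, not part of the article or of the Siteminder tooling: a small wrapper around the smkeyexport call above that creates the clear-text key file with owner-only permissions and refuses to overwrite an existing file. It assumes smkeyexport is on PATH (or named via the SMKEYEXPORT variable) and that the admin name and password are passed in as shown above.

```shell
#!/bin/sh
# Wrapper around smkeyexport (added example, not the vendor's script).
# SMKEYEXPORT lets a caller point at a specific binary; default is PATH lookup.
SMKEYEXPORT="${SMKEYEXPORT:-smkeyexport}"

# export_session_key OUTFILE ADMIN PASSWORD
# Runs: smkeyexport -oOUTFILE -c -dADMIN -wPASSWORD
# The -c flag writes the session key in clear text, so the file is created
# under umask 077 (mode 0600) and an existing file is never overwritten.
export_session_key() {
    outfile="$1"; admin="$2"; password="$3"
    if [ -e "$outfile" ]; then
        echo "refusing to overwrite existing $outfile" >&2
        return 1
    fi
    # The subshell confines umask 077 to the export itself; the file the
    # tool creates therefore comes out readable only by its owner.
    (umask 077 && "$SMKEYEXPORT" -o"$outfile" -c -d"$admin" -w"$password") || return 1
    verify_export "$outfile"
}

# verify_export FILE
# Succeeds only if FILE is non-empty and carries no group/other permission
# bits, i.e. the clear-text session key is not exposed to other accounts.
verify_export() {
    f="$1"
    [ -s "$f" ] || { echo "$f is missing or empty" >&2; return 1; }
    # ls -l prints e.g. "-rw-------"; characters 5-10 are the group/other bits
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f is readable by others: $mode" >&2; return 1; }
    return 0
}
```

Run the export on the old environment, copy the file to the new one over a protected channel, and delete it once the session key has been imported.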
In Summary --> The Policy Server depends on the session key to decrypt
the password blob. Any change to the session key will result in the
loss of the password data.
More information on the export / import steps: