Tech Tip : CA Single Sign-On :Policy Server : Steps needed prior and after update Encryptionkey

Blog Post created by Karmeng Employee on Nov 25, 2016


Policy server encryption key is provided during policy server installation. The value is stored in EncryptionKey.txt

(<Policy_server_install_path>)/bin folder)

This key is used by the Policy server to encrypt and decrypt "sensitive" information that is entered in the

CA SSO (Siteminder) via policy server management console (SMConsole) as well as the 

CA SSO Policy Server User Interface.

This includes data such as LDAP bind-credentials, ODBC passwords, key-store keys,

agent shared secrets etc.



No way for policy servers that use different Encryption key to share same policy store.

In order for policy servers to decrypt the sensitive information within policy store,

they need to use the same encryption key.

We can change it via smreg -key <encryption_key>



CA SSO R12.5x



1. Shut down PS. Backup policy store, key store, Encryptionkey.txt. This will ensure if something went wrong during the process, we can revert back to initial state.


2. Export all policies.


xpsexport policy.xml -xb -npass


3. Export keys from key store.

smkeyexport -o<output_file> -d<AdminName> -w<AdminPW> -c

smkeyexport -oC:\keys_24112016 -dsiteminder -wpassword -c


Snippet of output file that shown 1 persistent key and 4 agent keys.
This should be the expected number of keys exist in key store.
If you have more than that (4 agent keys, 1 persistent key), the key store need to be clean by delete from key store database (SMKEYMANAGEMENT4, SMAGENTKEY4) OR LDAP (under ou=PolicySvr4,ou=Siteminder,ou=Netegrity,o=policystore)
objectclass: KeyManagement
Oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
IsEnabled: false
ChangeFrequency: 0
ChangeValue: 0
NewKeyTime: 0
OldKeyTime: 0
FireHour: 0
PersistentKey: {RC2}dXy1BLg1cCxHOCTeMQVTPGdc9yuIZWifw56FolkCe5xgKnd22yyD04Ieym2MXApW

objectclass: AgentKey
Oid: 1b-ac33e28a-5d5b-4b4d-a058-a1cc81dfb060
KeyMarker: 4
Key: {RC2}O1pxVqlA6H4dWjNMUb+yuKiToj+JUhh236U+uxQyB2UDxBtNGUhzK5iN/MaRiGTs

objectclass: AgentKey
Oid: 1b-d1d8b57a-c5f4-40b4-ac28-2e59fa9e7826
KeyMarker: 1
Key: {RC2}h9ROaVGqNsg8kqlWf+cgfhzD0zcdvFyXD8bx0VhMPwXEmxsjq5vRm6AWus9mrtyr

objectclass: AgentKey
Oid: 1b-15ec7f7a-f6ff-4e3a-a9aa-7c5063bdf82c
KeyMarker: 2
Key: {RC2}iqT8BIdlWocHk93EQkk/6KydvXmZvBlksez5kU0uaO+H1SUkD80pmvMb6EJw5n9d

objectclass: AgentKey
Oid: 1b-af19bf4f-3792-42ae-b73b-dd2c70fac37d
KeyMarker: 3
Key: {RC2}dPb5P+wNcUCfE7HnPfv+HXpaE8r8wPix52KdQJO2K1tCAHnm/VcSfDYxQ6CvMY+k

4. Change encryption key via smreg -key command


smreg -key <encryption_key>


5. Import policies after encryption key changed.


xpsimport policy.xml -npass -fo


6. Import keys via smkeyimport


C:\>smkeyimport -iC:\keys_24112016 -dsiteminder -wpassword -c


7. Startup policy server


8. Rollover agent keys and persistent key via WAMUI. (Optional)


Additional Information: