Skip navigation
All Places > CA Security > CA Single Sign-On > Blog > Authors Karmeng

CA Single Sign-On

6 Posts authored by: Karmeng Employee


Upgrade DB2 database from 9.7 to 10.5 causing error in smps log. Error shown every 5 minutes.


[ERROR][sm-xpsxps-00870] An error occurred when calling "SQLExecute" for "Housekeeping Policy Data Read" query

[ERROR][sm-xpsxps-00810] Native Diagnostic: 22008:0 [NS][ODBC DB2 Wire Protocol driver]Datetime field overflow. Error in parameter 1.



Policy server: 12.52; Update: 01.02; Build: 766; CR: 02;

DB2 version:  IBM DB2 10.5

PS OS vendor and version: RHEL 5.11



HouseKeeping thread will be querying for modified objects every 5 min (default) OR based on configuration in XPSConfing value CacheCheckDelay.

The value sent in for "xpsObject.obModifiedDTM" in the select statement exceeds the allowed range of the field.

SELECT DISTINCT obNumber,obCategory,obClass,obParentObject,obGUID,obTombstone,obCreatedDTM,obModifiedDTM,obUpdateBy,obUpdateMethod,ppAttribute,ppSequence,ppValueInteger,ppValueDTM,ppValueBoolean,ppValueString,ppValueLink FROM xpsObject LEFT OUTER JOIN xpsProperty ON xpsObject.obNumber = xpsProperty.ppObject WHERE ((xpsObject.obModifiedDTM>=?) AND (xpsObject.obCategory > 1)) ORDER BY obModifiedDTM, obCategory, obNumber, ppAttribute, ppSequence



set WorkArounds2=2 to data source in system_odbc.ini based on (KB: TEC1466733

If this does not solve the issue, try

set TimestampTruncationBehavior=1


How to set this parameter in Windows environment

a) In regedit, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\datasource

b) Select the DSN of the DB2 ODBC connection you want to modify

c) Add a new key as a 'String Value'

d) Name the new key "TimestampTruncationBehavior"

e) Set the Value of 'TimestampTruncationBehavior' to "1"


How to set this parameter in Unix environment

a) Modified system_odbc.ini to include TimestampTruncationBehavior


[SiteMinder Data Source]
Description=DataDirect 7.1 DB2 Wire Protocol


Additional Information:


Policy server encryption key is provided during policy server installation. The value is stored in EncryptionKey.txt

(<Policy_server_install_path>)/bin folder)

This key is used by the Policy server to encrypt and decrypt "sensitive" information that is entered in the

CA SSO (Siteminder) via policy server management console (SMConsole) as well as the 

CA SSO Policy Server User Interface.

This includes data such as LDAP bind-credentials, ODBC passwords, key-store keys,

agent shared secrets etc.



No way for policy servers that use different Encryption key to share same policy store.

In order for policy servers to decrypt the sensitive information within policy store,

they need to use the same encryption key.

We can change it via smreg -key <encryption_key>



CA SSO R12.5x



1. Shut down PS. Backup policy store, key store, Encryptionkey.txt. This will ensure if something went wrong during the process, we can revert back to initial state.


2. Export all policies.


xpsexport policy.xml -xb -npass


3. Export keys from key store.

smkeyexport -o<output_file> -d<AdminName> -w<AdminPW> -c

smkeyexport -oC:\keys_24112016 -dsiteminder -wpassword -c


Snippet of output file that shown 1 persistent key and 4 agent keys.
This should be the expected number of keys exist in key store.
If you have more than that (4 agent keys, 1 persistent key), the key store need to be clean by delete from key store database (SMKEYMANAGEMENT4, SMAGENTKEY4) OR LDAP (under ou=PolicySvr4,ou=Siteminder,ou=Netegrity,o=policystore)
objectclass: KeyManagement
Oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
IsEnabled: false
ChangeFrequency: 0
ChangeValue: 0
NewKeyTime: 0
OldKeyTime: 0
FireHour: 0
PersistentKey: {RC2}dXy1BLg1cCxHOCTeMQVTPGdc9yuIZWifw56FolkCe5xgKnd22yyD04Ieym2MXApW

objectclass: AgentKey
Oid: 1b-ac33e28a-5d5b-4b4d-a058-a1cc81dfb060
KeyMarker: 4
Key: {RC2}O1pxVqlA6H4dWjNMUb+yuKiToj+JUhh236U+uxQyB2UDxBtNGUhzK5iN/MaRiGTs

objectclass: AgentKey
Oid: 1b-d1d8b57a-c5f4-40b4-ac28-2e59fa9e7826
KeyMarker: 1
Key: {RC2}h9ROaVGqNsg8kqlWf+cgfhzD0zcdvFyXD8bx0VhMPwXEmxsjq5vRm6AWus9mrtyr

objectclass: AgentKey
Oid: 1b-15ec7f7a-f6ff-4e3a-a9aa-7c5063bdf82c
KeyMarker: 2
Key: {RC2}iqT8BIdlWocHk93EQkk/6KydvXmZvBlksez5kU0uaO+H1SUkD80pmvMb6EJw5n9d

objectclass: AgentKey
Oid: 1b-af19bf4f-3792-42ae-b73b-dd2c70fac37d
KeyMarker: 3
Key: {RC2}dPb5P+wNcUCfE7HnPfv+HXpaE8r8wPix52KdQJO2K1tCAHnm/VcSfDYxQ6CvMY+k

4. Change encryption key via smreg -key command


smreg -key <encryption_key>


5. Import policies after encryption key changed.


xpsimport policy.xml -npass -fo


6. Import keys via smkeyimport


C:\>smkeyimport -iC:\keys_24112016 -dsiteminder -wpassword -c


7. Startup policy server


8. Rollover agent keys and persistent key via WAMUI. (Optional)


Additional Information:

Initial version of R12.52SP1CR5 Policy server has an issue where JVM would not initialize on custom java invocation (related to saml asserter, active expression, custom authentication scheme etc.) and eventually policy server crashed.


Snippet of smps log prior to policy server crash

[SmJVMSupport.cpp:255][INFO][sm-JavaApi-01030] SmJVMSupport: Using the following JRE: <JRE_path>[SmJVMSupport.cpp:260][INFO][sm-JavaApi-01040] SmJVMSupport: Loaded the following JVM library: <JRE_path>/lib/i386/server/


This is known issue as per following KB.



This has been addressed in updated policy server binary


The updated policy server binary is for Unix version that it come with build number 2113 (ie Version: 12.52; Update: 01.05; Build: 2113; CR: 05;) while the initial version is build number 2112 (Windows version remain 2112 as the fix not applicable to Windows environment).

There are couple of reasons on Unable to startup apache server with error.

Following KB outline some common issue and further troubleshooting step if suggested resolution didn't help.

Unable to run Web agent uninstaller due to some dependency to the JDK. Following KB outline manual steps to uninstall IIS web agent.


After install the adminui pre-req and the adminui installer, there were no Admin UI services installed in the Windows Services screen and the JBoss was not started. The WAMUI install path is D:\Program Files (x86)





R12.52SP2 on Windows 2012R2


Folder created prior to enable 8dot3name has no short name set.
The shortname of D:\Program Files (x86) is not defined.
Enable the 8dot3name should have the shortname set if you create the folder after the enable 8dot3name.

If the folder was created prior to that enable, the short name is not defined.

You can check if short name set with dir /x command.


D:\>dir /x
Volume in drive D is New Volume
Volume Serial Number is 70DC-1E45

Directory of D:\

06/17/2016  12:53 PM    <DIR>          PROGRA~1     Program Files (x86)
07/11/2016  05:47 AM    <DIR>          PROGRA~3     Program FilesDisable
07/11/2016  05:49 AM    <DIR>          PROGRA~2     Program FilesEnable




a) Enable 8dot3name


fsutil 8dot3name set D:\

b) Set short name using fsutil


fsutil file setshortname "D:\Program Files" PROGRA~1
fsutil file setshortname "D:\Program Files (x86)" PROGRA~2

c) Reinstall WAMUI


a) Recreate the folder after enable 8dot3name for the drive


fsutil 8dot3name set D:\

b) Reinstall WAMUI