Symantec Access Management

  • 1.  CA Siteminder Encryption Key

    Posted Nov 03, 2016 02:16 PM

    Hi,

    We are doing an upgrade; Currently we have r12, moving to 12.52 SP2.

    Unfortunately, we don't know the value of our existing dev R12 Policy server encryption key. To test the procedure I build R12 test environment

    Here are few steps that I took:

    1. Copy encryption.txt  from dev r12 paste it into test enviornment

    2. Copy the registery value of the encryption key.

    3. smreg super user on test

    4. XPSregclient on test

    Now I am getting following error messages in smps:

     

     4880/4612][Thu Nov 03 2016 13:40:19][CServer.cpp:1740][ERROR] Bad security handshake attempt. Handshake error: 
    [4880/3900][Thu Nov 03 2016 13:41:19][CServer.cpp:1751][ERROR] Handshake error: Shared secret incorrect for this client
    [4880/3900][Thu Nov 03 2016 13:41:19][CServer.cpp:1913][ERROR] Failed handshake with 159.******:53605
    [4880/2684][Thu Nov 03 2016 13:41:23][PolicyCache.cpp:1211][INFO] Building policy cache ...
    [4880/2684][Thu Nov 03 2016 13:41:24][PolicyCache.cpp:1304][INFO] Building policy cache done
    [4880/4992][Thu Nov 03 2016 13:41:31][SmDsLdapConnMgr.cpp:883][ERROR] SmDsLdapConnMgr Bind. Server xxxxxxx Error 48-Inappropriate authentication

     

    Also, I am unable to Login to WAM UI as well.

    Any suggestions?

     

    Thanks,

    Danish Aziz



  • 2.  Re: CA Siteminder Encryption Key
    Best Answer

    Posted Nov 03, 2016 02:50 PM
    This is expected.


    What you are doing by replacing the EncryptionKey.txt is basically resetting it.


    There is whole lot of process you need to follow when you reset encryption key.


    Refer to this:


    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/reset-the-r12-x-policy-store-encryption-key


    You will need to perform all the steps mentioned in this guide except step 5 (smreg -key) as this is same as copying the EncryptionKey.txt file.



  • 3.  Re: CA Siteminder Encryption Key

    Posted Nov 03, 2016 03:08 PM

    Thanks for pointing me to the right direction

    I will update the blog once resolved.

     

    BR

    Danish



  • 4.  Re: CA Siteminder Encryption Key

    Posted Nov 04, 2016 12:38 AM

    Please note , there is a known issue in r12.0 version where the clear text export of the keys does NOT work.

    If you need to migrate the key store to the new envrionment as well, then you have two options :

    1. Get dev fix from CA for clear text export of key store

    2. Copy the key store data manually to the new key store.



  • 5.  Re: CA Siteminder Encryption Key

    Posted Nov 04, 2016 09:48 AM

    Due to some corruption in our existing dev policy store, we are unable to take  XPSexport. Instead we used smobjexport. Is there any KB document available on how to copy the key store data manually? 



  • 6.  Re: CA Siteminder Encryption Key

    Posted Nov 04, 2016 10:40 AM


  • 7.  Re: CA Siteminder Encryption Key

    Posted Nov 07, 2016 04:26 PM

    I have successfully tested the resetting of encryption key in our test environment.

    We do not have the value of our existing dev environment encryption key. I can always use the practice i did, but at the end of the day we still do not know the encryption key.  In order to add 12.52 SP2 Policy Server in the mix, we are going to reset the key on r12(dev). lets see how that goes.

    Thanks 



  • 8.  Re: CA Siteminder Encryption Key

    Posted Nov 07, 2016 04:52 PM

    That's a good news. Keep us posted.



  • 9.  Re: CA Siteminder Encryption Key

    Posted Nov 06, 2016 02:51 PM