Symantec Access Management

  • 1.  Facing issue with smkeyexport command

    Posted Jan 23, 2018 08:11 AM

    Hi All,

     

    I am trying to get the encryption key updated and am executing the smkeyexport command. But when doing it I am getting the below error:

     

    [ewamsvc@sesbiuwsa00003 siteminder]$ smkeyexport -okeys.txt -d<SMAdminUserName> -wSMAdminPwd -c

    Fatal Error: Check admin credentials or admin is not authorized for this operation.

     

    The SMAdminUserName I am using is the SuperUser in AdminUI, and with the same credentials I am able to log in to the Admin UI, but on the policy server I am getting this error.

     

    Can you please let me know if the SMAdminUser to be used for the smkeyexport command is different from the one I am trying with?

     

    Regards,

    Pankaj Sharma



  • 2.  Re: Facing issue with smkeyexport command

    Posted Jan 24, 2018 08:55 AM

    Hi Pankaj,

     

    Policy Server version?

    How many policy servers are in this environment?

     

    Regards,

    Leo Joseph.



  • 3.  Re: Facing issue with smkeyexport command

    Posted Jan 25, 2018 05:23 AM

    Hi Leo,

     

    The issue has been resolved and now I am able to execute the command.

    Thanks.



  • 4.  Re: Facing issue with smkeyexport command

    Posted Jan 24, 2018 07:26 PM

    There are two kinds of Administrators:

    - Administrators 

    - Legacy Administrators

     

    Key export (smkeyexport) can be performed only by Legacy Administrators.

    Legacy Administrators can reside either in an external store or in the policy store.

     

     



  • 5.  Re: Facing issue with smkeyexport command

    Posted Jan 25, 2018 05:22 AM

    Hi Ujwol,

     

    I was trying to execute the command using Legacy Admin only.

    I made a change, using the smreg command, to the key which was used during the Policy Server installation, after which I am able to execute the smkeyexport command without any issues.

     

    Thanks for the reply.



  • 6.  Re: Facing issue with smkeyexport command

    Posted Jan 25, 2018 07:04 AM

    Hi Pankaj,

     

    It's good to hear that the issue has been resolved.

     

    Did you get a chance to look at the reason behind the issue which you faced earlier?

     

    Are you sure that you are not facing any issues by changing the encryption key without exporting/taking a backup of the key store? Have you tried restarting the policy server once? Because sensitive information in the key store will be encrypted using the key store key (in most cases, we will be using the policy store key, i.e., the encryption key, for this purpose as well; not sure about your implementation).

    Even if you are using a separate key store key, that will in turn be encrypted using the policy store key, i.e., the encryption key, while storing it in the registry. So, as per my knowledge, if the encryption key has been changed, the policy server should not be able to decrypt any existing keys. Also, it should not be able to even connect to the policy store and key store (hoping smconsole is not updated).


    As per my knowledge, below is the best approach for updating the encryption key:

    1. Export of policy store data using XPSExport
    2. Export of key store data using smkeyexport
    3. Change of encryption key using smreg command. Update of policy store and key store credentials in policy server management console.
      Note : Encryption key will be used by policy server to encrypt and decrypt "sensitive" information that is entered in SiteMinder Policy Server Management Console. Encrypted data will be stored in the local Policy server registry.
    4. Import of policy store data using XPSImport
    5. Import of key store data using smkeyimport


    Thanks,
    Dhilip



  • 7.  Re: Facing issue with smkeyexport command

    Posted Jan 29, 2018 04:50 AM

    Hi Dhilip,

     

    Thanks for providing the details, but since there was no traffic on the server and the server is not yet live, I went through with the change of encryption key directly.

    I have done the server restart several times and everything seems to be normal. But will definitely keep a tab on it for any issues.

     

    Regards,

    Pankaj Sharma