AnsweredAssumed Answered

CA SSO Error: No initial key management object found

Question asked by Dhi1ip on Sep 5, 2018
Latest reply on Oct 5, 2018 by Dhi1ip

Hello All,


Before talking about the issue, little overview about what i am trying to do : Trying to re-point the existing policy server to a new policy store.


I have completed the activity, while starting the services, I got the following error:
[ERROR][sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed


As X11 forwarding was not enabled on the Policy Server, I changed the following configuration manually in the registry:

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Key section, retained the value of 'Use Default' as 0x1 so that new policy store can be used as key store.
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore section, changed the value of 'EnableKeyGeneration' from '0' to '0x1' so that this policy server can generate the keys.


While restarting the services, I was getting the same error message. While digging the trace logs, I found the following lines
[Finish processing SQL statement.][][][1001][CSmRecordset::DoSelect][CDb.cpp:244][SQL_NO_DATA][][][SELECT keymanagementoid, isenabled, changefrequency, changevalue, newkeysettime, oldkeysettime, firehour, persistentkey FROM smkeymanagement4 WHERE keymanagementoid = '1a-fa347804-9d33-11d3-8025-006008aaae5b'][][][]
[LogMessage:ERROR:[sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed][][][][][SmPolicyServer.cpp:911][][][][][][][]


  1. 1) In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Key section, if the registry entry of Use Default is 0x1 and key store details (different from policy store) are also provided, which will be used for key store? I hope policy store details will be used (as key store). Please confirm.
  2. If the policy server has 'EnableKeyGeneration' privilege, it can reset PERSISTENTKEY and ENCKEY (Agent key) column in the DB. But, can it add new complete record in the table?
  3. I would like to when these records will be created for the first time. Will it be created while setting up policy store?


Note : After these issues, I have enabled X11 forwarding and tired to enable the Agent Key Generation from smconsole (just to confirm if no other registry entries are updated). But, I am getting some other error, "Wrong Time Format". As that issue is not of much priority now, I am not explaining much. Will open a new thread later(if required) for the same.