Before talking about the issue, little overview about what i am trying to do : Trying to re-point the existing policy server to a new policy store.
I have completed the activity, while starting the services, I got the following error:
[ERROR][sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed
As X11 forwarding was not enabled on the Policy Server, I changed the following configuration manually in the registry:
- In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Key section, retained the value of 'Use Default' as 0x1 so that new policy store can be used as key store.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore section, changed the value of 'EnableKeyGeneration' from '0' to '0x1' so that this policy server can generate the keys.
While restarting the services, I was getting the same error message. While digging the trace logs, I found the following lines
[Finish processing SQL statement.][CSmRecordset::DoSelect][CDb.cpp:244][SQL_NO_DATA][SELECT keymanagementoid, isenabled, changefrequency, changevalue, newkeysettime, oldkeysettime, firehour, persistentkey FROM smkeymanagement4 WHERE keymanagementoid = '1a-fa347804-9d33-11d3-8025-006008aaae5b']
[LogMessage:ERROR:[sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed][SmPolicyServer.cpp:911]
- 1) In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Key section, if the registry entry of Use Default is 0x1 and key store details (different from policy store) are also provided, which will be used for key store? I hope policy store details will be used (as key store). Please confirm.
- If the policy server has 'EnableKeyGeneration' privilege, it can reset PERSISTENTKEY and ENCKEY (Agent key) column in the DB. But, can it add new complete record in the table?
- I would like to when these records will be created for the first time. Will it be created while setting up policy store?
Note : After these issues, I have enabled X11 forwarding and tired to enable the Agent Key Generation from smconsole (just to confirm if no other registry entries are updated). But, I am getting some other error, "Wrong Time Format". As that issue is not of much priority now, I am not explaining much. Will open a new thread later(if required) for the same.