Symantec Access Management

  • 1.  How to fix R12 Administrative UI error of ‘No session’

    Broadcom Employee
    Posted Aug 28, 2012 03:49 PM

    Tuesday Tip by David Macedo, Senior Support Engineer, for 8-28-12

    How to fix Administrative UI error of ‘No session’ under the Key Management Tab
    -------------------------------------------------------------------------------------------------

    The context of this note is deployment of SiteMinder R12 SP3 Policy Server on RHEL 5 with an Oracle 11g R2 policy store.

    After various installation and configuration tasks, we needed to roll the keys. However, when we accessed the Key Management tab in the Administrative UI (AdminUI), the red error message immediately appeared: No Session. Restarting or redeploying did not help. Re-importing the policy store did not work.

    The first place to look was the JBOSS server log. Here, a variety of errors regarding the tabs and tasks executed could be seen. Example below:

    555 ERROR [com.ca.siteminder.uiagent.commands.KeyManagementFetchCommand] No session
    2012-08-22 09:11:31,555 ERROR [ims.ui] com.netegrity.sdk.apiutil.SmApiException
    [facility=4 severity=3 reason=0 status=8 message=No session]
    at com.ca.siteminder.uiagent.UIAgentUtil.isSuccess(Unknown Source)
    at com.ca.siteminder.uiagent.UIAgent.execute(Unknown Source)

    You can see the ‘No session’ message clearly. Next stop was the smps.log. Here was the biggest clue. We saw the fairly common ‘Failed to decrypt persistent key’ message. Lately this has been due to a null encryption key, typically during an R6 to R12 upgrade. So we checked the keystore.

    objectclass: KeyManagement
    Oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
    IsEnabled: false
    ChangeFrequency: 0
    ChangeValue: 0
    NewKeyTime: 0
    OldKeyTime: 0
    FireHour: 0
    PersistentKey: {RC2}upFBiMlkzcOIVkkJXkqpHw==

    Now, we’re not entirely sure if a null key would still show up as a hash value. But, anyway, we know it was unusable based on the smps log. However, since the AdminUI Key Management tab was not working, it is a "catch 22". The Key Management tab is where you would roll the SessionTicket/Persistent key! Let's think of possible solutions.

    • Solution 1 – Use FSSUI to roll the Session Ticket. But, sometimes, this may not (or could not) have been used because it may be a stripped-down server, as in this instance.
    • Solution 2 – Use the AllowEmptyEncryptionKey registry setting. Possibly this might work. However, this was a new installation of R12, and not an upgrade. So, it was unlikely this alone would work.
    • Solution 3 – Figure out how to use the AdminUI to roll the Session Ticket. This is what we did.

    In Summary, steps were followed as below:

    1) First, we had to set the AllowEmptyEncryptionKey in the registry and restart server.

    2) Next step was to manually blank out the PersistentKey in the keystore DB.

    3) Another restart to be safe, and, then, we could get back into the AdminUI and access the Key Management tab.

    4) Now, it was possible to generate a new Session Ticket key. So, even though the AllowEmptyEncryptionKey registry was already set, it was no longer needed and could actually be removed.

    Additional references regarding Persistent Key (Session Ticket Key) errors below:

    How to change R12 behavior when a empty persistent key is present in the key store?
    https://comm.support.ca.com/?legacyid=TEC537691

    "Failed to decrypt persistent key" errors after upgrading the policy Server from v6.0...
    https://comm.support.ca.com/?legacyid=TEC537828

    Why R12 policy server can't use 6x persistent key?
    https://comm.support.ca.com/?legacyid=TEC541196
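
The three checks walked through in the post above (AdminUI server log, smps.log, KeyManagement record), combined into one triage function as an added example; it is not part of the original post or of CA's tooling. The inputs are constructed: the AdminUI lines and the key record copy the excerpts above, while the smps.log line layout and all function names are assumptions.

```python
import base64
import re

# Constructed inputs. AdminUI lines and key record copy the excerpts in the post;
# the smps.log line layout is assumed (only the message text is from the post).
ADMINUI_LOG = (
    "2012-08-22 09:11:31,555 ERROR [ims.ui] com.netegrity.sdk.apiutil.SmApiException\n"
    "[facility=4 severity=3 reason=0 status=8 message=No session]\n"
)
SMPS_LOG = "[constructed sample][ERROR] Failed to decrypt persistent key\n"
KEY_RECORD = """objectclass: KeyManagement
PersistentKey: {RC2}upFBiMlkzcOIVkkJXkqpHw==
"""
EXC_RE = re.compile(r"\[facility=(\d+) severity=(\d+) reason=(\d+) status=(\d+) message=([^\]]*)\]")

def parse_exceptions(log):
    """Extract the bracketed SmApiException detail lines from the AdminUI log."""
    fields = ("facility", "severity", "reason", "status")
    return [dict(zip(fields, map(int, m.groups()[:4])), message=m.group(5))
            for m in EXC_RE.finditer(log)]

def parse_record(dump):
    """Parse the 'Name: value' lines of one exported object into a dict."""
    pairs = (line.partition(":") for line in dump.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def describe_key(value):
    """Return (state, brace tag, decoded length) for a PersistentKey value."""
    if not value:
        return ("blank", None, 0)
    m = re.fullmatch(r"\{(\w+)\}(.+)", value)
    try:
        return ("present", m.group(1), len(base64.b64decode(m.group(2), validate=True)))
    except (AttributeError, ValueError):  # no {TAG} prefix, or body is not base64
        return ("unrecognised", None, 0)

def triage(adminui_log, smps_log, key_dump):
    no_session = any(e["message"] == "No session" for e in parse_exceptions(adminui_log))
    decrypt_failed = "Failed to decrypt persistent key" in smps_log
    state, tag, size = describe_key(parse_record(key_dump).get("PersistentKey", ""))
    if no_session and decrypt_failed and state == "present":
        verdict = "stored key present but unusable"  # the situation in the post
    elif no_session and state == "blank":
        verdict = "stored key blank"
    else:
        verdict = "pattern not matched"
    return {"verdict": verdict, "tag": tag, "cipher_bytes": size}

print(triage(ADMINUI_LOG, SMPS_LOG, KEY_RECORD))
```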



  • 2.  RE: How to fix R12 Administrative UI error of ‘No session’

     
    Posted Aug 28, 2012 06:21 PM
    Thanks for the great tip David! (and Vijay for getting it posted) :grin:


  • 3.  RE: How to fix R12 Administrative UI error of ‘No session’

    Broadcom Employee
    Posted Dec 31, 2013 01:26 PM

    Hello

    In this step:

    1) First, we had to set the AllowEmptyEncryptionKey in the registry and restart server.

    Do you create this registry key?

    Thank you,

    June



  • 4.  RE: How to fix R12 Administrative UI error of ‘No session’

    Posted Jan 01, 2014 08:42 PM
    wanju09:

    Hello

    In this step:

    1) First, we had to set the AllowEmptyEncryptionKey in the registry and restart server.

    Do you create this registry key?

    Thank you,

    June



    Yes, create this DWORD registry key under

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore
    Value: 1
     



  • 5.  RE: How to fix R12 Administrative UI error of ‘No session’

    Broadcom Employee
    Posted Jan 14, 2014 12:38 PM

    Thank you.

    Does this apply to 12.51 cr01 on Windows?  I upgraded from 12.0 to the 12.51 ct01.... we've been having the smkeydatabase issues. Long story short, I am able to get to the AdminUI:

    1> I am seeing the key mgt option is missing under policy server.

    2> my existing user directory is there but is not showing the user content (re-enter the password for AD connection - LDAP namespace)

    3> AdminUI debug log shows no session

    4> I can access smfssgui on both servers (one = 12.51, one = 12.0 + as the key generation server).  I need to uncheck manage key from smfssgui, then the 12.51 smfssgui manage key option will display

    5> can this work without the key management option under policy server, or is this normal behavior when you have one or more policy servers connected to the one key/pstores?

    Thank you,

     



  • 6.  RE: How to fix R12 Administrative UI error of ‘No session’

    Posted Feb 13, 2014 04:19 PM
    wanju09:

    Thank you.

    Does this apply to 12.51 cr01 on Windows?  I upgraded from 12.0 to the 12.51 ct01.... we've been having the smkeydatabase issues. Long story short, I am able to get to the AdminUI:

    1> I am seeing the key mgt option is missing under policy server.

    2> my existing user directory is there but is not showing the user content (re-enter the password for AD connection - LDAP namespace)

    3> AdminUI debug log shows no session

    4> I can access smfssgui on both servers (one = 12.51, one = 12.0 + as the key generation server).  I need to uncheck manage key from smfssgui, then the 12.51 smfssgui manage key option will display

    5> can this work without the key management option under policy server, or is this normal behavior when you have one or more policy servers connected to the one key/pstores?

    Thank you,

     




    I'm having the same issue with r12.51 SP0 CR1. Re-installed the policy server component (long story, why), and previously the encryption key was blank, but upon re-installation specified a new encryption key. Reimported previously backed up XPSexport, and reset passwords within (such as those for LDAP connection, and user directories), but still getting this error ("no session") in the agent/key/session key management screens.

    Also.. when the policy server service is running, the account specified within the user directories (for authentication purposes) is getting locked out every ~20 minutes, even then I've updated the passwords within the policy store.

    Any suggestions?

    Thanks!

     

    Van

     



  • 7.  RE: [Tuesday's Tips] RE: How to fix R12 Administrative UI error of ‘No sess

    Posted Feb 13, 2014 05:08 PM
    If you have not done so, you need to look at the doc attached to upgrade from r12.5 CR01 to r12.5 CR02. It is in the CR02 package that talks about steps required to keep the key database from having issues. I had issues going from r12.5 to r12.5 cr02. You may need to have CA Support help you fix the issue.



  • 8.  RE: [Tuesday's Tips] RE: How to fix R12 Administrative UI error of ‘No sess

    Broadcom Employee
    Posted Feb 13, 2014 06:22 PM

     

    Stan wrote : 

    I'm having the same issue with r12.51 SP0 CR1. Re-installed the policy server component (long story, why), and previously the encryption key was blank, but upon re-installation specified a new encryption key. Reimported previously backed up XPSexport, and reset passwords within (such as those for LDAP connection, and user directories), but still getting this error ("no session") in the agent/key/session key management screens.

     

    Here is a link to the techdoc article on how to fix that.

    https://comm.support.ca.com/?legacyid=TEC537828

    The nuts and bolts are that the new server finds something wrong with the old session keys (returns them as empty).  So you set the "AllowEmptyEncKey" setting, which then lets you get access to the screen to roll them or add a new static encryption key.

    A similar effect can be achieved by stopping the policy servers and deleting the session keys from LDAP or Database; then on restart the policy server will find they don't exist and generate a new set (there should be a techdoc for that too - but I could not find it in my quick search).

    Good luck - if you still have trouble open a support ticket and someone can give you a hand (or find that other tech note :-). 

    Cheers - Mark



  • 9.  RE: [Tuesday's Tips] RE: [Tuesday's Tips] RE: How to fix R12 Administrative

    Broadcom Employee
    Posted Feb 13, 2014 06:27 PM
    Thanks Mark

    June Wang
    CA Technologies
    Services Consultant
    Mobile: 1-239-298-9143
    June.Wang@ca.com

