How to fix R12 Administrative UI error of ‘No session’

Discussion created by masvi10 Employee on Aug 28, 2012
Latest reply on Feb 13, 2014 by wanju09

Tuesday Tip by David Macedo, Senior Support Engineer, for 8-28-12

How to fix Administrative UI error of ‘No session’ under the Key Management Tab
-------------------------------------------------------------------------------------------------

The context of this note is deployment of SiteMinder R12 SP3 Policy Server on RHEL 5 with an Oracle 11g R2 policy store.

After various installation and configuration tasks, we needed to roll the keys. However, when we accessed the Key Management tab in the Administrative UI (AdminUI), we immediately saw the red error message: No Session. Restarting or redeploying did not help. Re-importing the policy store did not work.

The first place to look was the JBOSS server log. Here, a variety of errors regarding the tabs and tasks executed could be seen. Example below:

555 ERROR [com.ca.siteminder.uiagent.commands.KeyManagementFetchCommand] No session
2012-08-22 09:11:31,555 ERROR [ims.ui] com.netegrity.sdk.apiutil.SmApiException
[facility=4 severity=3 reason=0 status=8 message=No session]
at com.ca.siteminder.uiagent.UIAgentUtil.isSuccess(Unknown Source)
at com.ca.siteminder.uiagent.UIAgent.execute(Unknown Source)

You can see the ‘No session’ message clearly. Next stop was the smps.log. Here was the biggest clue. We saw the fairly common ‘Failed to decrypt persistent key’ message. Lately this has been due to a null encryption key, typically during an R6 to R12 upgrade. So we checked the keystore.

objectclass: KeyManagement
Oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
IsEnabled: false
ChangeFrequency: 0
ChangeValue: 0
NewKeyTime: 0
OldKeyTime: 0
FireHour: 0
PersistentKey: {RC2}upFBiMlkzcOIVkkJXkqpHw==

Now, we’re not entirely sure if a null key would still show up as a hash value. But, anyway, we knew it was unusable based on the smps log. However, since the AdminUI Key Management tab was not working, it was a "catch-22": the Key Management tab is where you would roll the SessionTicket/Persistent key! Let's think of possible solutions.

• Solution 1 – Use FSSUI to roll the Session Ticket. But, sometimes, this may not (or could not) be used because it may be a stripped-down server, as in this instance.
• Solution 2 – Use the AllowEmptyEncryptionKey registry setting. Possibly this might work. However, this was a new installation of R12, and not an upgrade. So, it was unlikely this alone would work.
• Solution 3 – Figure out how to use the AdminUI to roll the Session Ticket. This is what we did.

In summary, the steps followed were as below:

1) First, we had to set the AllowEmptyEncryptionKey in the registry and restart the server.

2) Next step was to manually blank out the PersistentKey in the keystore DB.

3) Another restart to be safe, and, then, we could get back into the AdminUI and access the Key Management tab.

4) Now, it was possible to generate a new Session Ticket key. So, even though the AllowEmptyEncryptionKey registry setting was already set, it was no longer needed and could actually be removed.

Additional references regarding Persistent Key (Session Ticket Key) errors below:

How to change R12 behavior when a empty persistent key is present in the key store?
https://support.ca.com/irj/portal/kbtech?docid=537691&searchID=TEC537691&fromKBResultsScreen=T

"Failed to decrypt persistent key" errors after upgrading the policy Server from v6.0...
https://support.ca.com/irj/portal/kbtech?docid=537828&searchID=TEC537828&fromKBResultsScreen=T

Why R12 policy server can't use 6x persistent key?
https://support.ca.com/irj/portal/kbtech?docid=541196&searchID=TEC541196&fromKBResultsScreen=T
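
The diagnosis path described in the post (an AdminUI 'No session' SmApiException in the JBoss server log, then 'Failed to decrypt persistent key' in smps.log) can be checked mechanically. The following is an added example, not part of the original post or of CA's tooling; the function names and the smps.log line layout are assumptions, and the sample log text is constructed from the excerpts above.

```python
import re

# Constructed sample input modelled on the excerpts in the post. The smps.log
# line layout is an assumption; only the message text comes from the post.
SERVER_LOG = """\
2012-08-22 09:11:31,555 ERROR [com.ca.siteminder.uiagent.commands.KeyManagementFetchCommand] No session
2012-08-22 09:11:31,555 ERROR [ims.ui] com.netegrity.sdk.apiutil.SmApiException
[facility=4 severity=3 reason=0 status=8 message=No session]
\tat com.ca.siteminder.uiagent.UIAgentUtil.isSuccess(Unknown Source)
2012-08-22 09:12:02,101 INFO  [ims.ui] constructed unrelated line
"""
SMPS_LOG = """\
[constructed][Wed Aug 22 2012 09:10:58][ERROR] Failed to decrypt persistent key
[constructed][Wed Aug 22 2012 09:11:00][INFO] constructed unrelated line
"""

EXC_RE = re.compile(r"^(\S+ \S+) ERROR \[[^\]]+\] (\S*SmApiException)\s*$")
FIELDS_RE = re.compile(r"^\[(facility=.*)\]\s*$")
CMD_RE = re.compile(r"ERROR \[com\.ca\.siteminder\.uiagent\.commands\.(\w+)\] (.+)$")

def parse_sm_exceptions(text):
    """Return one dict per SmApiException: timestamp plus the bracketed fields."""
    events, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m, fields = EXC_RE.match(line), FIELDS_RE.match(lines[i + 1])
        if not (m and fields):
            continue
        # "message" is the last field and may contain spaces: split it off first.
        head, _, message = fields.group(1).partition(" message=")
        event = {k: int(v) for k, v in (kv.split("=") for kv in head.split())}
        event.update(timestamp=m.group(1), message=message)
        events.append(event)
    return events

def triage(server_log, smps_log):
    """Correlate AdminUI 'No session' failures with Policy Server key errors."""
    no_session = [e for e in parse_sm_exceptions(server_log)
                  if e["message"] == "No session"]
    commands = sorted({m.group(1) for m in map(CMD_RE.search, server_log.splitlines())
                       if m and m.group(2) == "No session"})
    key_errors = [l for l in smps_log.splitlines()
                  if "Failed to decrypt persistent key" in l]
    return {"no_session_events": no_session, "ui_commands": commands,
            "persistent_key_errors": len(key_errors),
            "likely_persistent_key_problem": bool(no_session and key_errors)}

if __name__ == "__main__":
    print(triage(SERVER_LOG, SMPS_LOG))
```

When both logs show their respective message, the 'No session' error in the AdminUI is most likely a symptom of the unusable persistent key rather than an AdminUI login problem.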
