Incorrect/Additional set of keys in Key Store after manually deleting keys from the Key Store, then starting the Policy Server and performing a key rollover.

Document ID : KB000051695
Last Modified Date : 14/02/2018

Description:

There are two known ways to end up with multiple key sets in the Key Store.

By far the most common cause of multiple sets of Agent Keys in the Key Store is having multiple Policy Servers that generate Agent Keys pointing at the same Key Store. This happens when an administrator adds Policy Servers to an existing environment without un-checking the "Enable Agent Key Generation" check box before starting them. In this situation you generally see one set of keys for each Policy Server in the environment that is still configured to generate Agent Keys.

The other known cause is improper caching of the Key Store. The stale cache caused extra keys to be added to the Key Store when a key rollover was performed, even after the Key Store had been cleaned up. This affects all 6.0 and earlier releases prior to fix 88165, which was included in 6.0 SP5 CR31 and later. The 12.0 line is also affected by this cache issue in versions prior to 12.0 SP2 CR00, where fix 90465 was introduced.

Solution:

To resolve multiple sets of keys in the Key Store, take the following steps:

  1. Ensure your Policy Server is at a version beyond 6.0 SP5 CR31 or 12.0 SP2 CR00
  2. Follow TEC541461 - How to Clean up a SiteMinder Key Store
    (We recommend the latest release as that will always have the most issues resolved)
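The two causes above (more than one Policy Server left with "Enable Agent Key Generation" ticked, and a Policy Server below the fix level) are both things an administrator can check from an inventory before touching the Key Store. The script below is an added example, not part of this document or of the SiteMinder product: it parses Policy Server version strings in the "major.minor SPn CRn" form used above, decides whether a version carries fix 88165 (6.0 SP5 CR31 and later) or fix 90465 (12.0 SP2 CR00 and later), and flags environments where more than one Policy Server is still generating Agent Keys. The server inventory is constructed sample data, and the rule that release lines newer than 12.0 already contain the fix is an assumption, not something the article states.

```python
import re
from typing import NamedTuple, Optional


class PsVersion(NamedTuple):
    """A Policy Server version broken into comparable parts."""
    major: int
    minor: int
    sp: int   # service pack, 0 when absent
    cr: int   # cumulative release, 0 when absent


# Accepts "6.0 SP5 CR31", "r12.0 SP2 CR00", "12.52" and similar.
_VERSION_RE = re.compile(
    r"^\s*[rR]?(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+CR(\d+))?\s*$"
)

# First fixed level per release line, as stated in the article:
# fix 88165 in 6.0 SP5 CR31, fix 90465 in 12.0 SP2 CR00.
FIX_LEVELS = {
    (6, 0): PsVersion(6, 0, 5, 31),
    (12, 0): PsVersion(12, 0, 2, 0),
}


def parse_version(text: str) -> PsVersion:
    """Parse a version string; raises ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Policy Server version: {text!r}")
    major, minor, sp, cr = m.groups()
    return PsVersion(int(major), int(minor), int(sp or 0), int(cr or 0))


def has_keystore_cache_fix(v: PsVersion) -> Optional[bool]:
    """True if the version carries the Key Store cache fix, False if it is
    known to be affected, None if the article gives no information."""
    line = (v.major, v.minor)
    if line in FIX_LEVELS:
        return v >= FIX_LEVELS[line]          # tuple comparison: SP, then CR
    if line < (6, 0):
        return False                          # "all 6.0 and earlier"
    if line > (12, 0):
        return True                           # ASSUMPTION: later lines are fixed
    return None                               # between 6.0 and 12.0: unknown


def audit_policy_servers(servers: list) -> list:
    """Return human-readable findings for an inventory of Policy Servers.

    Each entry is a dict with 'name', 'version' and 'key_generation_enabled'.
    """
    findings = []
    for s in servers:
        v = parse_version(s["version"])
        fixed = has_keystore_cache_fix(v)
        if fixed is False:
            findings.append(f"{s['name']}: version {s['version']} lacks the "
                            f"Key Store cache fix; upgrade before cleanup")
        elif fixed is None:
            findings.append(f"{s['name']}: version {s['version']} not covered "
                            f"by the article; verify fix level manually")
    generators = [s["name"] for s in servers if s["key_generation_enabled"]]
    if len(generators) > 1:
        findings.append("multiple Policy Servers generate Agent Keys: "
                        + ", ".join(generators)
                        + "; leave exactly one with Enable Agent Key Generation")
    return findings


# Constructed sample inventory (hypothetical host names and settings).
SAMPLE_SERVERS = [
    {"name": "ps01", "version": "12.0 SP2 CR00", "key_generation_enabled": True},
    {"name": "ps02", "version": "12.0 SP1 CR12", "key_generation_enabled": True},
    {"name": "ps03", "version": "6.0 SP5 CR31", "key_generation_enabled": False},
]

if __name__ == "__main__":
    for line in audit_policy_servers(SAMPLE_SERVERS):
        print(line)
```

Run as-is it reports that ps02 is below the 12.0 fix level and that ps01 and ps02 both generate Agent Keys, which is exactly the state that produces one key set per generating server. Once the inventory is clean, the cleanup in TEC541461 will not be undone by the next rollover.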