Steps involved in updating the Policy Server encryption key

Document ID : KB000009927
Last Modified Date : 14/02/2018
Introduction:

The Policy Server encryption key is supplied during Policy Server installation. Its value is stored in EncryptionKey.txt in the <Policy_server_install_path>/bin folder.

The Policy Server uses this key to encrypt and decrypt the "sensitive" information that is entered into CA SSO (SiteMinder) through the Policy Server Management Console (SMConsole) and through the CA SSO Policy Server User Interface.

This includes data such as LDAP bind credentials, ODBC passwords, key store keys and agent shared secrets.

Background:

Policy Servers that use different encryption keys cannot share the same policy store: to decrypt the sensitive information held in the policy store, every Policy Server that uses it must use the same encryption key. The key can be changed with smreg -key <encryption_key>.

Because the data already in the policy store and key store was encrypted under the old key, changing the key on its own is not enough. The policies and keys have to be exported before the change and imported again afterwards, so that they are re-encrypted under the new key.

Environment:
CA SSO R12.5x
Instructions:

1. Shut down the Policy Server. Back up the policy store, the key store and EncryptionKey.txt, so that if something goes wrong during the process you can revert to the initial state.

2. Export all policies, e.g.:
xpsexport policy.xml -xb -npass

3. Export the keys from the key store:
smkeyexport -o<output_file> -d<AdminName> -w<AdminPW> -c
e.g.:
smkeyexport -oC:\keys_24112016 -dsiteminder -wpassword -c

The snippet of the output file below shows 1 persistent key and 4 agent keys (KeyMarker 1 to 4). This is the expected number of keys in the key store. If the key store holds more than that (4 agent keys, 1 persistent key), clean it up before continuing by deleting the extra entries from the key store database (tables SMKEYMANAGEMENT4 and SMAGENTKEY4) or from LDAP (under ou=PolicySvr4,ou=Siteminder,ou=Netegrity,o=policystore). Note that the export file contains the key store keys in the clear, so protect it like EncryptionKey.txt and remove it once the import in step 6 has been verified.
@@@
objectclass: KeyManagement
Oid: 1a-fa347804-9d33-11d3-8025-006008aaae5b
IsEnabled: false
ChangeFrequency: 0
ChangeValue: 0
NewKeyTime: 0
OldKeyTime: 0
FireHour: 0
PersistentKey: tg2HnGjudTYxB4WIWs/o0gWwkx2++vlu

objectclass: AgentKey
Oid: 1b-a4a6dc2b-8fce-4f91-bf02-e532f8c457cb
KeyMarker: 1
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6

objectclass: AgentKey
Oid: 1b-ef0ee89b-7637-4a02-91e0-35628f7cc8b0
KeyMarker: 2
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6

objectclass: AgentKey
Oid: 1b-54a1351e-b0e7-45d9-986e-dc46b9623c4c
KeyMarker: 3
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6

objectclass: AgentKey
Oid: 1b-3dc0c9fb-539b-4c7b-ac48-edc9af333320
KeyMarker: 4
Key: HOIvqhwgHCEaCm1zv1hmxBvwTupYWkx6
@@@

4. Change the encryption key with the smreg -key command, e.g.:
smreg -key <encryption_key>
Run this with the same value on every Policy Server that shares the policy store.

5. Import the policies after the encryption key has been changed, e.g.:
xpsimport policy.xml -npass -fo

6. Import the keys with smkeyimport, e.g.:
smkeyimport -iC:\keys_24112016 -dsiteminder -wpassword -c

7. Start the Policy Server.

8. Roll over the agent keys and the persistent key via the WAMUI (optional).
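The script below is an added example written for this article, not CA-supplied code. It wraps steps 2 to 6 in a POSIX shell function and, before smreg -key is run, checks that the smkeyexport file from step 3 contains exactly 1 KeyManagement object and 4 AgentKey objects with KeyMarker 1 to 4, aborting otherwise so a key store that still needs cleaning is never re-imported under a new key. The commands and flags inside rotate_encryption_key are the ones shown in the steps above; its argument list, the file names it writes, and the two sample export files it builds (placeholder key values, not real key material) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the CA KB article: a pre-flight check on the
# smkeyexport output from step 3, plus a wrapper that runs steps 2 to 6
# around it with the commands shown above. Run it with the Policy Server
# stopped (step 1) and start the server afterwards (step 7).
set -eu

EXPECTED_PERSISTENT=1   # one KeyManagement object (the persistent key)
EXPECTED_AGENT=4        # four AgentKey objects, KeyMarker 1 to 4

# Count the objects in an smkeyexport file by objectclass.
# Prints "<KeyManagement count> <AgentKey count>".
count_keys() {
    file="$1"
    p=$(grep -c '^objectclass: KeyManagement' "$file" || true)
    a=$(grep -c '^objectclass: AgentKey' "$file" || true)
    echo "$p $a"
}

# Return 0 when the export holds exactly the expected key objects with
# KeyMarker 1..4; otherwise report what was found and return 1 (under
# set -e this aborts the rotation before smreg -key is ever run).
check_keystore_export() {
    file="$1"
    set -- $(count_keys "$file")
    persistent="$1"; agent="$2"
    if [ "$persistent" -ne "$EXPECTED_PERSISTENT" ] || [ "$agent" -ne "$EXPECTED_AGENT" ]; then
        echo "$file: found $persistent KeyManagement and $agent AgentKey objects," \
             "expected $EXPECTED_PERSISTENT and $EXPECTED_AGENT; clean the key store first" >&2
        return 1
    fi
    markers=$(grep '^KeyMarker:' "$file" | sed 's/^KeyMarker: *//' | sort -n | tr '\n' ' ')
    if [ "$markers" != "1 2 3 4 " ]; then
        echo "$file: AgentKey markers are '$markers', expected 1 2 3 4" >&2
        return 1
    fi
    return 0
}

# Steps 2 to 6 of the article. Assumed arguments (not from the article):
#   $1 new encryption key   $2 SiteMinder admin name   $3 admin password
#   $4 Policy Server install path   $5 working directory for the exports
rotate_encryption_key() {
    new_key="$1"; admin="$2"; admin_pw="$3"; install="$4"; work="$5"
    stamp=$(date +%Y%m%d_%H%M%S)
    policy_xml="$work/policy_$stamp.xml"
    key_file="$work/keys_$stamp"
    # Step 1 (file part only): keep a copy of the current key file.
    cp "$install/bin/EncryptionKey.txt" "$work/EncryptionKey_$stamp.txt"
    # Step 2: export all policies.
    xpsexport "$policy_xml" -xb -npass
    # Step 3: export the key store, then verify it before touching the key.
    smkeyexport -o"$key_file" -d"$admin" -w"$admin_pw" -c
    check_keystore_export "$key_file"
    # Step 4: change the key; repeat with the same value on every Policy
    # Server that shares this policy store.
    smreg -key "$new_key"
    # Steps 5 and 6: re-import so the data is re-encrypted under the new key.
    xpsimport "$policy_xml" -npass -fo
    smkeyimport -i"$key_file" -d"$admin" -w"$admin_pw" -c
    echo "rotation done; exports holding key material are in $work, remove them once verified"
}

# Constructed sample exports in the article's file format (placeholder key
# values, not real key material) so the check runs without a Policy Server.
write_sample_export() {
    out="$1"; n="$2"   # $2 = number of AgentKey objects to emit
    {
        printf 'objectclass: KeyManagement\nOid: 1a-00000000-0000-0000-0000-000000000001\n'
        printf 'IsEnabled: false\nChangeFrequency: 0\nChangeValue: 0\nNewKeyTime: 0\n'
        printf 'OldKeyTime: 0\nFireHour: 0\nPersistentKey: PLACEHOLDERPERSISTENTKEY00000000\n\n'
        i=1
        while [ "$i" -le "$n" ]; do
            printf 'objectclass: AgentKey\nOid: 1b-00000000-0000-0000-0000-%012d\n' "$i"
            printf 'KeyMarker: %d\nKey: PLACEHOLDERAGENTKEY0000000000000\n\n' "$i"
            i=$((i + 1))
        done
    } > "$out"
}

SAMPLE_DIR=$(mktemp -d)
GOOD_EXPORT="$SAMPLE_DIR/keys_good"
STALE_EXPORT="$SAMPLE_DIR/keys_stale"
write_sample_export "$GOOD_EXPORT" 4    # 1 persistent + 4 agent keys: as expected
write_sample_export "$STALE_EXPORT" 5   # a fifth AgentKey left behind: clean first

check_keystore_export "$GOOD_EXPORT" && echo "$GOOD_EXPORT: key store export looks as expected"
check_keystore_export "$STALE_EXPORT" || echo "$STALE_EXPORT: refusing to run smreg -key"
```

On Windows the same commands are typed into cmd.exe or PowerShell, so only the check logic carries over directly. As in the article's own examples, the admin password is passed with -w on the command line and is therefore visible in process listings and shell history; clear the history afterwards or use a dedicated rotation account.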

Additional Information:

http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC529432.html?intcmp=searchresultclick&resultnum=2