We are getting the below issue after pointing (without host re-registration) the WebAgent (R12SP3CR09) on the application web server from the SiteMinder R12 environment to the R12.52 SP02 environment. Even after successful authentication, the user is still getting the login page.
SMAccess logs on policy server -
AuthAccept AAP45 [17/Oct/2016:00:18:36 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794924;authlevel=4;]   
AuthAccept AAP45 [17/Oct/2016:00:18:44 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794916;authlevel=4;]   
AuthAccept AAP45 [17/Oct/2016:00:18:51 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794909;authlevel=4;]   
AuthAccept AAP45 [17/Oct/2016:00:19:00 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794900;authlevel=4;]   
ValidateReject AAP45 [17/Oct/2016:00:19:30 -0700] "xx.xx.xxxx " " apps-agent GET /apps/store"   Invalid key in use  
It seems like the policy server failed to validate the session. AuthReason 2 shows Invalid Session.
Is the issue because of the session ticket key? If yes, then how is it working fine for an application which we migrated/repointed from the R12 & R12.52 environments?
The WebAgent (pointed to R12.52) logs on the centralized server serving the login pages show the below error message:
[WARNING] Unable to process SMSESSION cookie.
Additional details: all policy servers in the R12.52 environment have the same encryption key and point to a common key store collocated with the policy store. One of the policy servers is configured to generate the agent keys.
We have not yet checked the application WebAgent logs.
Can you please help with the above issue?
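To find this pattern in smaccess.log at scale, here is an added example (not CA's code; the field layout is inferred from the log excerpt above) that parses these lines and pairs each "Invalid key in use" ValidateReject with the most recent AuthAccept for the same agent, which is exactly the "login succeeds, session validation fails" symptom described:

```python
import re
from datetime import datetime, timedelta

# Field layout inferred from the smaccess.log excerpt in the thread:
# <event> <server> [<time>] "<client>" "<agent> <method> <resource>" <attrs-or-reason>
LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<server>\S+)\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<client>[^"]*)"\s+"(?P<request>[^"]*)"\s*(?P<tail>.*)$')

# Sample input: lines copied from the thread (IP placeholders kept as posted)
SAMPLE_LOG = """\
AuthAccept AAP45 [17/Oct/2016:00:18:36 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794924;authlevel=4;]
AuthAccept AAP45 [17/Oct/2016:00:19:00 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794900;authlevel=4;]
ValidateReject AAP45 [17/Oct/2016:00:19:30 -0700] "xx.xx.xxxx " " apps-agent GET /apps/store"   Invalid key in use
"""

def parse_line(line):
    """Return a dict for one smaccess.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()
    rec["agent"], rec["method"], rec["resource"] = (parts + [None] * 3)[:3]
    tail = rec.pop("tail").strip()
    rec["attrs"], rec["reason"] = {}, ""
    if tail.startswith("["):
        # "[idletime=0;maxtime=670794924;authlevel=4;]" -> {"idletime": "0", ...}
        for kv in tail.strip("[]").split(";"):
            if "=" in kv:
                k, v = kv.split("=", 1)
                rec["attrs"][k] = v
    else:
        rec["reason"] = tail          # free-text reason, e.g. "Invalid key in use"
    return rec

def invalid_key_rejects(log_text):
    """All ValidateReject events whose reason is the session ticket key mismatch."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return [r for r in recs if r["event"] == "ValidateReject"
            and "invalid key" in r["reason"].lower()]

def accept_then_reject(log_text, window=timedelta(minutes=5)):
    """Pair each invalid-key ValidateReject with the latest AuthAccept for the
    same agent within `window`: the user logged in, then the policy server could
    not decrypt the SMSESSION it had just issued."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    pairs = []
    for rej in invalid_key_rejects(log_text):
        prior = [a for a in recs if a["event"] == "AuthAccept"
                 and a["agent"] == rej["agent"]
                 and timedelta(0) <= rej["time"] - a["time"] <= window]
        if prior:
            pairs.append((max(prior, key=lambda a: a["time"]), rej))
    return pairs
```

Run `accept_then_reject(open("smaccess.log").read())` against a real log; any returned pair is a session the policy server accepted but then could not validate, which points at the key store rather than at user credentials.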
Please find below the KB with general information on the reported error:
However, your case appears to be a bit different from the issue reported in the above KB.
You may want to open a support case and share the following registry export from both Policy Servers:
Thanks and Regards,
Yes, the error "Invalid Key in use" means the Policy Server is unable to decrypt the Session Spec contained within the SMSESSION using its current Session Ticket/Persistent Key.
Do you have dynamic session ticket key rollover or multiple key stores?
We are using a common key store for all policy servers in the R12.52 environment, and no dynamic session ticket key rollover has been done. There is no session ticket key defined using the Admin UI.
Maybe that's the issue. Can you try setting a static session ticket key?
I tried to export the session ticket from the R12 environment in clear text; however, I can see all the keys are encrypted (RC2 - FIPS Compat). I guess this is a known issue with R12SP3.
I am wondering how the other application migrated to R12.52 is working fine, as we didn't set up any static session ticket key in R12.52. We didn't get any sort of issues in the lower environment either.
I suggest opening a support ticket for this issue as it might need some in-depth review of your key store and PS trace logs.
I have opened a case with the CA support team. Case# 00583086. I would appreciate it if you could look at the attached logs (Policy Server access and WA logs) and suggest the things that need to be looked at.
Also, the Password blob attribute seems to be wiped out due to the new encryption key used in R12.52. We are unaware of the encryption key set for the R12 environment and we don't want to reset it. Is there any way you suggest to get the PasswordBlob data with minimal changes & impact?
Unfortunately there is no way to migrate/export/import the password blob.
If the Persistent Key (not only the Encryption Key) is reset, the existing password blob will no longer be valid.
Tech Tip - CA Single Sign-On:Policy Server:Persistent Key/Session Ticket Key Introduced