Symantec Access Management

  • 1.  SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

    Posted Aug 08, 2016 04:49 PM

    Hi Folks,

    As part of our r12.0 to r12.52 parallel upgrade, we exported the agent and session ticket keys from the r12.0 PS and imported them into the r12.52 PS. This process worked in our other environments, but fails as I try to set up SSO between the existing PROD r12.0 policy servers and the first of the three new r12.52 policy servers.

    This is my export command from the r12.0:   smobjexport -osr12.0-keys-export.smdif -dsiteminder -wpassword -v -k -x

    This is my import command from r12.52:   smkeyimport -dsiteminder -wpassword -ir12.0-keys.smdif -v

     

    This is the error:

    Unable to decrypt KeyManagement key from import file using policy store / key store key. Aborting..

    Fatal Error: Failed initialization.

    Thank you in advance for your responses!



  • 2.  Re: SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed
    Best Answer

    Posted Aug 08, 2016 05:58 PM

    Hi Duc,

    A common cause of the error is that the encryption keys used by the R12 and R12.52 Policy Servers are different.

    If you can find out the encryption key used during R12 installation, you can reset the encryption key in R12.52. Please refer to the following documentation:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1930249.html



  • 3.  Re: SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

    Posted Aug 08, 2016 07:52 PM

    You are correct! I did not realize our policy servers in the PROD environment used a different policy server encryption key than our lower environments.

    Thanks again for the help!



  • 4.  Re: SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

    Posted Aug 08, 2016 07:20 PM

    Hi Duc,

    As Kelly mentioned, a difference in the EncryptionKey is the most common cause of this error.

    However, this error could also occur if the Persistent Key is not set in the r12.0 key store.

    To fix this, you can set the Persistent Key/Session Ticket Key to some static value from r12.0 and then perform the export and import in the r12.52 key store.

    Regards,

    Ujwol