Layer7 Access Management

Expand all | Collapse all

SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

Jump to Best Answer
  • 1.  SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

    Posted 08-08-2016 04:49 PM

    Hi Folks,

     

    As part of our r12.0 to r12.52 parallel upgrade, we exported the agent and session ticket keys from the r12.0 PS and import it into the r12.52 PS.  This process worked in our other environments, but fails as I try to setup SSO between the existing PROD r12.0 policy servers to the first of the three new r12.52 policy servers.

     

    This is my export command from the r12.0:   smobjexport -osr12.0-keys-export.smdif -dsiteminder -wpassword -v -k -x

     

    This is my import command from r12.52:   smkeyimport -dsiteminder -wpassword -ir12.0-keys.smdif -v

     

    This is the error:

    Unable to decrypt KeyManagement key from import file using policy store / key store key. Aborting..

    Fatal Error: Failed initialization.

     

     

    Thank you in advance for your responses!



  • 2.  Re: SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed
    Best Answer

    Posted 08-08-2016 05:58 PM

    Hi Duc,

     

    Common cause of the error is that the encryption key used by R12 and R12.52 Policy Server are different.

     

    If you can find out the encryption key used during R12 installation, you can reset the encryption key in R12.52. Please refer to the following documentation:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1930249.html



  • 3.  Re: SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

    Posted 08-08-2016 07:52 PM

    You are correct!  I did not realized our policy servers in the PROD environment used different policy server encryption key than our lower environments. 

     

    Thanks again for the help!



  • 4.  Re: SiteMinder r12.52 SP1 CR05 smkeyimport command error/failed

    Posted 08-08-2016 07:20 PM

    Hi Duc,

     

    As Kelly mentioned, difference in the EncryptionKey is the most common cause of this error.

    However,  this error could also cause if :Persistent Key is not set in the r12.0 key store.

    To fix this, you can set the Persistent Key/Session Ticket Key to some static value from r12.0 and then perform export and import in r12.52 key store.

     

    Regards,

    Ujwol