
Tech Tip : CA Single Sign-On : Policy Server : How to encrypt a password in the sm.registry file without using SmConsole

By Ujwol posted 08-15-2016 09:08 PM


Summary:

How to encrypt the Database Administrator password in the sm.registry file without using the Policy Server Management Console (SmConsole) on Unix-based systems.

Background:

The Policy Server Management Console is a GUI-based utility, so on Unix systems it needs X11 forwarding before it can be used at all.

Most of the configuration available in SmConsole can also be performed directly by editing the sm.registry file located in the <PolicyServer_Install_Directory>/registry directory.

The challenge is modifying an encrypted value, such as the Database Administrator password or the Policy Store Administrator password, without using SmConsole: the file stores these values in encrypted form, so a plaintext password cannot simply be typed into it.

Environment:

Policy Server : R12.5+,

OS : Unix

Instructions:

A workaround for this use case is to use the "smldapsetup" utility bundled with the Policy Server, as follows:

smldapsetup reg -hldapserver.mycompany.com -d"LDAP User" -wMyPassword123 -ro=security.com

Where "MyPassword123" must be replaced with the actual password that you want to encrypt. The host name, bind DN and root shown here are only placeholders; smldapsetup needs them as arguments, but their values do not matter for the encryption itself.

Note : Running the above command modifies the LDAP Policy store connection details, so if you are using LDAP Policy store, do NOT use this workaround.


Then, copy the value of the encrypted password from the following registry key to the relevant section in the Sm.registry file:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore\AdminPW


For example, for the Database Administrator password of the Policy Store, copy the encrypted password value to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Database\Default\Password
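The copy step above can be done by hand in an editor, but it is easy to paste the value into the wrong section or to leave a stray character behind. The script below is an added example, not part of the original tip or of the CA Single Sign-On product: it reads an sm.registry-style file, takes the encrypted value of AdminPW from the LdapPolicyStore section, writes it into Password under Database\Default, and leaves every other line untouched. The file layout it parses (a section header that is the full registry path followed by "=<number>", and indented "name=value; REG_TYPE" key lines), the "{RC2}" prefix on encrypted values and the whole SAMPLE_REGISTRY text are constructed assumptions; the two section paths are the ones quoted in this tip, so adjust them to whatever your own sm.registry actually contains.

```python
import os
import re
import shutil
import sys
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample in the assumed sm.registry layout (not a real file):
# header lines are the full registry path followed by "=<n>", key lines are
# indented "name=value; REG_TYPE". The "{RC2}" prefix is an assumption too.
SAMPLE_REGISTRY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Netegrity\\SiteMinder\\CurrentVersion\\LdapPolicyStore=25
    AdminDN=        LDAP User;    REG_SZ
    AdminPW=        {RC2}wB7KqJ2n6c1Y3xN4;    REG_SZ
    Root=           o=security.com;    REG_SZ
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Netegrity\\SiteMinder\\CurrentVersion\\Database\\Default=25
    UserName=       dbadmin;    REG_SZ
    Password=       {RC2}OLDVALUE;    REG_SZ
"""

# Section paths as quoted in the tip; change them to match your file.
LDAP_SECTION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\LdapPolicyStore"
DB_SECTION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Database\Default"

# Indented key line: <indent><name>=<spaces><value>;<spaces>REG_<type>
KEY_RE = re.compile(r"^(\s*)([^=\s]+)=(\s*)(.*?);(\s*REG_\w+)\s*$")


def _section_of(line: str) -> Optional[str]:
    """Return the section path if this line is a (non-indented) section header."""
    if line and not line[0].isspace() and "=" in line:
        return line.split("=", 1)[0]
    return None


def read_value(text: str, section: str, name: str) -> Optional[str]:
    """Return the value of key `name` inside `section`, or None if absent."""
    current = None
    for line in text.splitlines():
        header = _section_of(line)
        if header is not None:
            current = header
            continue
        m = KEY_RE.match(line)
        if m and current == section and m.group(2) == name:
            return m.group(4)
    return None


def copy_encrypted_value(text: str, src_section: str, src_name: str,
                         dst_section: str, dst_name: str) -> Tuple[str, str]:
    """Copy src_section/src_name into dst_section/dst_name.

    Returns (new_text, copied_value). Only the target key line is rewritten;
    indentation, spacing and the REG_ type of that line are preserved.
    """
    value = read_value(text, src_section, src_name)
    if not value:
        raise ValueError(f"{src_name} not found (or empty) under {src_section}")
    out, current, replaced = [], None, False
    for raw in text.splitlines(keepends=True):
        line = raw.rstrip("\r\n")
        header = _section_of(line)
        if header is not None:
            current = header
        else:
            m = KEY_RE.match(line)
            if m and current == dst_section and m.group(2) == dst_name:
                raw = f"{m.group(1)}{m.group(2)}={m.group(3)}{value};{m.group(5)}\n"
                replaced = True
        out.append(raw)
    if not replaced:
        raise ValueError(f"{dst_name} not found under {dst_section}")
    return "".join(out), value


def update_file(path: Path) -> str:
    """Rewrite `path` in place, keeping a .bak copy and the original file mode."""
    original = path.read_text()
    new_text, value = copy_encrypted_value(original, LDAP_SECTION, "AdminPW",
                                           DB_SECTION, "Password")
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup first
    mode = os.stat(path).st_mode & 0o777
    tmp = path.with_name(path.name + ".tmp")
    with os.fdopen(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)  # atomic swap so a crash never leaves a half-written file
    return value


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("copied value:", update_file(Path(sys.argv[1])))
    else:
        updated, copied = copy_encrypted_value(SAMPLE_REGISTRY, LDAP_SECTION, "AdminPW",
                                               DB_SECTION, "Password")
        print(updated)
```

Run it with the path to sm.registry as the only argument (stop the Policy Server first, as you would before any manual edit of the file). Two things worth keeping in mind when using this workaround: the smldapsetup command puts the plaintext password on the command line, where it is visible in shell history and in the process list for as long as the command runs, so clear the history entry afterwards; and sm.registry holds every encrypted credential for the Policy Server, so the script deliberately writes the new file with the original file's mode rather than the process umask, and the .bak copy inherits the same permissions through copy2.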


Additional Information:

Enhancement Request for command line option for SmConsole : https://communities.ca.com/ideas/235732441