Symantec Access Management

  • 1.  CA SSO Error: No initial key management object found

    Posted Sep 05, 2018 03:13 PM

    Hello All,

     

    Before talking about the issue, a little overview of what I am trying to do: trying to re-point the existing policy server to a new policy store.

     

    I have completed the activity; while starting the services, I got the following error:
    <<
    [ERROR][sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed
    >>

     

    As X11 forwarding was not enabled on the Policy Server, I changed the following configuration manually in the registry:

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Key section, retained the value of 'Use Default' as 0x1 so that new policy store can be used as key store.
    • In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\ObjectStore section, changed the value of 'EnableKeyGeneration' from '0' to '0x1' so that this policy server can generate the keys.

     

    While restarting the services, I was getting the same error message. While digging through the trace logs, I found the following lines:
    <<
    [Finish processing SQL statement.][][][1001][CSmRecordset::DoSelect][CDb.cpp:244][SQL_NO_DATA][][][SELECT keymanagementoid, isenabled, changefrequency, changevalue, newkeysettime, oldkeysettime, firehour, persistentkey FROM smkeymanagement4 WHERE keymanagementoid = '1a-fa347804-9d33-11d3-8025-006008aaae5b'][][][]
    [LogMessage:ERROR:[sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed][][][][][SmPolicyServer.cpp:911][][][][][][][]
    >>

     

    1. In HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\Key section, if the registry entry of Use Default is 0x1 and key store details (different from the policy store) are also provided, which will be used as the key store? I hope the policy store details will be used (as key store). Please confirm.
    2. If the policy server has the 'EnableKeyGeneration' privilege, it can reset the PERSISTENTKEY and ENCKEY (Agent key) columns in the DB. But can it add a new complete record to the table?
    3. I would like to know when these records are created for the first time. Will they be created while setting up the policy store?

     

    Note: After these issues, I enabled X11 forwarding and tried to enable Agent Key Generation from smconsole (just to confirm that no other registry entries are updated). But I am getting some other error, "Wrong Time Format". As that issue is not of much priority now, I am not explaining it much. Will open a new thread later (if required) for the same.

     

    Regards,

    Dhilip



  • 2.  Re: CA SSO Error: No initial key management object found

    Broadcom Employee
    Posted Sep 05, 2018 06:59 PM

    Hi Dhilip, 

    Can you check in the registry under Objectstore, is the KeyStoreEncryptionKey entry still populated?

    If so I think you ran into a variant of an old issue that was fixed many years ago, but the context was different. In that use case, when using the SMConsole to switch from a separate keystore to using the default Policy Store as the keystore, it failed. The reason it failed was that even though Encrypt Keys Using Policy Store Encryption Key was greyed out, the KeyStoreEncryptionKey value was still present in the registry and caused failures.

     

    The resolution was that a check was added to the SMConsole so that if Use Policy Store database was checked under the Key Store/Data tab, the value of KeyStoreEncryptionKey would be cleared. Since you are manually editing the registry, this might not be taking place.

     

    I recall seeing that "Wrong time format" a few years ago, same scenario, X11, using SMConsole. In that particular case I think the customer was changing their log rollover. If I remember right, it was due to an invalid value in the registry. I'll have to see if I can find the old issue though.

     

    Hope this helps!



  • 3.  Re: CA SSO Error: No initial key management object found

    Posted Sep 05, 2018 11:08 PM

    Hi David,

     

    Thanks for your response.

     

    In my case, KeyStoreEncryptionKey is not populated. It is empty. But the use case here is the same, because when I point to the old existing key store, the policy server starts without any issue. Now I want to move from the separate key store to the default.

    Thanks.

     

    Regards,

    Dhilip



  • 4.  Re: CA SSO Error: No initial key management object found

    Broadcom Employee
    Posted Sep 06, 2018 12:39 PM

    Hi Dhilip, 

     When a Policy Server is pointed at a new store or store that has had its keys deleted, if EnableKeyGeneration is checked, it will re-populate them. If it can't find smKeyManagementOID4 with a value of 1a-fa347804-9d33-11d3-8025-006008aaae5b , then it will generate messages like what you are seeing.

    Just to confirm, you are saying the table smkeymanagement4 exists, correct? But is it empty? Or do you see that smKeyManagementOID4 has a value?


    One other thought since this Policy Server had EnableKeyGeneration disabled and was pointed at a common keystore.

    Can you check in the registry under ObjectStore and see if EnableKeyUpdate=1 ? It should be =0 now that this server will be generating keys in its own policy store.

     

    It might be worthwhile to consider opening a Support Ticket as this is starting to look like something that may need to be reproduced in our labs.

    Thanks, David



  • 5.  Re: CA SSO Error: No initial key management object found

    Posted Sep 06, 2018 01:15 PM

    Hi David,

     

    PFB my responses.

    The smkeymanagement4 table is created successfully, but it is empty. It has no records.

    Value of EnableKeyUpdate is 0.

     

    As per your suggestion, I raised a support ticket. Case Number: 01185497

     

    I got the answer to my first query. Could you please provide your feedback on the remaining two queries? Re-posting the same below.

     

    2) If the policy server has the 'EnableKeyGeneration' privilege, it can reset the PERSISTENTKEY and ENCKEY (Agent key) columns in the DB. But can it add a new complete record to the table?
    3) I would like to know when these records are created for the first time. Will they be created while setting up the policy store?

     

    Regards,

    Dhilip



  • 6.  Re: CA SSO Error: No initial key management object found

    Broadcom Employee
    Posted Sep 25, 2018 03:49 PM

    This is the latest update for 01185497.

     

     

    CA Engineer wrote below:

    #### ISSUE SUMMARY ####
    Trying to re-point the existing policy server to a new policy store.

     

    I have completed the activity; while starting the services, I got the following error:
    <<
    [ERROR][sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed
    >>

    #### ENV ####
    r12.52

    #### NEXT ACTIONS ####

    As discussed on the call, since you have disabled EnableAgentKeyGeneration and configured the policy server, it is throwing the below error.

    [ERROR][sm-Server-00520] No initial key management object found. This policy server is configured in read-only key management mode. Unable to proceed

    Kindly try the below options and let me know the results.
    1) Take a backup of the policy store.
    2) Enable EnableAgentKeyGeneration in the management console.
    3) Select the "policy store as key store" option.
    4) Re-configure the policy store.
    5) Restart the policy server.

    ........

     

    Dhilip wrote the following  

     

    While trying to reconfigure the policy store, I am getting the following error.

    <<
    4- Policy Store
    5- None of the above

    ENTER A COMMA-SEPARATED LIST OF NUMBERS REPRESENTING THE DESIRED CHOICES, OR
    PRESS <ENTER> TO ACCEPT THE DEFAULT: 4

    Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)

    Stack Trace:
    java.lang.StackOverflowError
    at java.lang.StringBuffer.append(Unknown Source)

    This Application has Unexpectedly Quit: Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)
    >>

    CA_SiteMinder_Policy_Server_Configuration_Wizard_Install_09_11_2018_12_27_54.log:
    <<
    Install Action: InstallAnywhere Variable
    Status: ERROR
    Additional Notes: ERROR - java.lang.StackOverflowError

    Product Installer:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR - The Installer has failed due to an Unhandled Exception
    java.lang.StackOverflowError
    >>

    If I select any option other than 4, I am able to proceed further.

    .......

    CA Engineer wrote below:

     

    Please set the below env variable before starting the configuration; this will help us get more debugging information.

    export LAX_DEBUG=true




  • 7.  Re: CA SSO Error: No initial key management object found

    Posted Sep 25, 2018 07:29 PM

    Can you just try:

     

    1. EnableAgentKeyGeneration

    2. Restart Policy server

     

     

    It looks like the persistentkey is missing. If you have an old key export, you can also try importing it.




  • 8.  Re: CA SSO Error: No initial key management object found

    Broadcom Employee
    Posted Sep 25, 2018 08:27 PM

    If you are still having an issue with running the config wizard, the ca-ps-installer.properties file may be corrupted or incomplete, depending on how many times this has been run. Each time it runs it should take a backup of the file; you may need to try reverting to an older backup of the properties to fix the "InvocationTargetException" issue.

     

    Otherwise, getting the InstallAnywhereDebug info might shed some more light on the error.



  • 9.  Re: CA SSO Error: No initial key management object found

    Posted Oct 05, 2018 03:25 AM

    Hello All,

     

    Sorry, I was not able to provide an update here.

     

    For resolving this issue, I have imported the existing keys from a different environment. Just now I read that Ujwol was also mentioning the same solution. I guess the following is the answer to my second question. But still, I am not sure about the answer to the third question.

     

    2) If the policy server has the 'EnableKeyGeneration' privilege, it can reset the PERSISTENTKEY and ENCKEY (Agent key) columns in the DB. But can it add a new complete record to the table?

       Answer: No
    3) I would like to know when these records are created for the first time. Will they be created while setting up the policy store? If the answer is yes, why is it not getting created in my case?

     

    Thanks.

     

    Regards,
    Dhilip
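
The thread's diagnosis, collected from posts 1, 4 and 9, amounts to a small pre-flight check: re-run the SELECT that the trace log shows against smkeymanagement4 for the fixed key-management OID, and read it together with the ObjectStore flags (EnableKeyGeneration, EnableKeyUpdate, KeyStoreEncryptionKey). The script below is an added example written for this page; it is not code from the thread, from CA or from Broadcom. It assumes an in-memory SQLite table as a constructed stand-in for the real policy store, takes the ObjectStore registry values as a plain dict rather than reading sm.registry or the Windows registry, and the finding codes it returns are my own names for the outcomes the thread describes.

```python
"""Pre-flight check for the CA SSO sm-Server-00520 condition.

Added example (not from the thread). It re-runs the trace-log SELECT against a
constructed SQLite copy of smkeymanagement4 and combines the result with the
ObjectStore flags discussed in the thread:
  - row for the key-management OID missing -> SQL_NO_DATA -> sm-Server-00520;
    per post 9, key generation cannot create that record, so keys must be imported.
  - EnableKeyUpdate should be 0 when this server generates keys in its own store (post 4).
  - KeyStoreEncryptionKey should be cleared when the policy store is the key store (post 2).
"""
import sqlite3

# Fixed key-management object id quoted in the trace log and in post 4.
KEY_MANAGEMENT_OID = "1a-fa347804-9d33-11d3-8025-006008aaae5b"

# Column list kept exactly as in the trace log; the OID is passed as a parameter.
SELECT_KEY_MGMT = (
    "SELECT keymanagementoid, isenabled, changefrequency, changevalue, "
    "newkeysettime, oldkeysettime, firehour, persistentkey "
    "FROM smkeymanagement4 WHERE keymanagementoid = ?"
)


def build_store(with_record: bool) -> sqlite3.Connection:
    """Constructed sample store: smkeymanagement4 either freshly created (empty) or populated."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE smkeymanagement4 (keymanagementoid TEXT PRIMARY KEY, "
        "isenabled INTEGER, changefrequency INTEGER, changevalue INTEGER, "
        "newkeysettime INTEGER, oldkeysettime INTEGER, firehour INTEGER, "
        "persistentkey TEXT)"
    )
    if with_record:
        # Constructed placeholder; a real PERSISTENTKEY is an opaque encrypted blob.
        conn.execute(
            "INSERT INTO smkeymanagement4 VALUES (?, 1, 0, 0, 0, 0, 0, ?)",
            (KEY_MANAGEMENT_OID, "<constructed-persistent-key>"),
        )
    conn.commit()
    return conn


def reg_dword(value) -> int:
    """Accept registry DWORDs written as int, '0', '1' or '0x1' (as in the thread)."""
    return int(str(value), 0)


def diagnose(conn: sqlite3.Connection, objectstore: dict) -> list:
    """Return finding codes for one policy store + ObjectStore flag combination."""
    findings = []
    key_gen = reg_dword(objectstore.get("EnableKeyGeneration", 0))
    key_upd = reg_dword(objectstore.get("EnableKeyUpdate", 0))

    row = conn.execute(SELECT_KEY_MGMT, (KEY_MANAGEMENT_OID,)).fetchone()
    if row is None:
        # This is the SQL_NO_DATA in the trace, immediately followed by sm-Server-00520.
        findings.append("KEY_MGMT_RECORD_MISSING")
        # Post 9: EnableKeyGeneration rewrites PERSISTENTKEY/ENCKEY in an existing
        # row but cannot add the row, so the fix is importing a key export (post 7).
        findings.append("IMPORT_KEYS_REQUIRED")
    else:
        if not row[-1]:
            findings.append("PERSISTENTKEY_EMPTY")
        if not key_gen:
            # Server reads keys but will not generate them: read-only key management.
            findings.append("KEY_GENERATION_DISABLED")

    if key_gen and key_upd:
        # Post 4: a server generating keys in its own store should have EnableKeyUpdate=0.
        findings.append("ENABLEKEYUPDATE_SHOULD_BE_0")
    if objectstore.get("KeyStoreEncryptionKey"):
        # Post 2: a leftover KeyStoreEncryptionKey breaks the switch to the policy store.
        findings.append("KEYSTOREENCRYPTIONKEY_STILL_SET")
    return findings


if __name__ == "__main__":
    # The thread's scenario: empty table, key generation enabled by hand, update off.
    store = build_store(with_record=False)
    flags = {"EnableKeyGeneration": "0x1", "EnableKeyUpdate": "0", "KeyStoreEncryptionKey": ""}
    for code in diagnose(store, flags):
        print(code)
```

Run against the thread's own situation (empty smkeymanagement4, EnableKeyGeneration set to 0x1, EnableKeyUpdate 0) it reports the record as missing and the key import as the required step, which matches how the thread was resolved; against a populated table with the same flags it reports nothing.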