Symantec Access Management

  • 1.  SiteMinder FIPS-140 migration with no X-Windows on Linux

    Posted Nov 15, 2019 12:00 PM
    As part of upgrading to SiteMinder 12.8, I'm prepping the environment to migrate to FIPS-140 mode.  After running "setFIPSmigration", no problem changing the policy store key or super user password with smreg, but the step to re-encrypt the policy and key store passwords is a problem.  The only way mentioned in the docs is to use the policy server management console (smconsole).  But the firewall around our policy servers doesn't allow an x-window, so we never use smconsole.  For the decades SM has been used, all updates to sm.registry are done via text editor.
    Can anyone think of another way to re-encrypt the "AdminPW=" lines (for LDAP policy and key stores) in the registry?

    My complicated but possible fallback is to install the policy server on a lab server set to FIPS-140 mode and copy paste the resulting passwords from the registry on the FIPS-140 lab server into my migrating servers.  I'm looking for something less complicated.

      Jim B.



  • 2.  RE: SiteMinder FIPS-140 migration with no X-Windows on Linux

    Broadcom Employee
    Posted Nov 15, 2019 02:45 PM
    Edited by Scott Owens Nov 15, 2019 02:45 PM
    I am having this post moved to our Siteminder community.  Thank you.

    ------------------------------
    Best regards,

    Scott Owens
    Sr Support Engineer




  • 3.  RE: SiteMinder FIPS-140 migration with no X-Windows on Linux
    Best Answer

    Broadcom Employee
    Posted Nov 16, 2019 04:44 PM
    You should be able to use smldapsetup, part of the Policy Server Tools.

    See smldapsetup:
    The smldapsetup utility allows you to manage an LDAP policy store from the command line. Using smldapsetup, you can configure an LDAP policy store, generate an LDIF file, and remove policy store data and schema. To use smldapsetup, specify a mode, which determines the action that smldapsetup will perform, and arguments, which contain the values that are used to configure the LDAP server.

    Use the reg command to register a policy store and write the configuration to the registry, encrypting the specified AdminPW password entry.

    ------------------------------
    Security Integration & Adoption, Software Architect
    Broadcom
    ------------------------------
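The re-encryption step suggested in the answer above, as an added example that is not from this thread or from Broadcom: a POSIX shell wrapper that backs up sm.registry, runs smldapsetup in reg mode, and then checks that every AdminPW= line in the registry actually changed, restoring the backup if the command fails. The registry path, the flag layout for reg mode (-h host, -p port, -d bind DN, -w bind password, -r policy store root DN) and the sample registry lines in the demo functions are assumptions; verify them against your installation and the smldapsetup documentation before use.

```shell
#!/bin/sh
# Added example (not from the thread or from Broadcom). Wraps the
# "smldapsetup reg" step so that sm.registry is backed up first and the
# AdminPW= entries are confirmed to have been rewritten afterwards.
# SM_REGISTRY path and the smldapsetup flag layout are assumptions.

SM_REGISTRY="${SM_REGISTRY:-/opt/CA/siteminder/registry/sm.registry}"

# Print the AdminPW= lines of a registry file with leading whitespace
# stripped, so two captures can be compared line by line.
extract_adminpw() {
    grep 'AdminPW=' "$1" | sed 's/^[[:space:]]*//'
}

# Return 0 when the "after" file has the same number of AdminPW= lines as
# the "before" file and every one of them differs (i.e. was re-encrypted).
# Return 1 when no AdminPW= line exists, a line count changed, or any
# value is identical (the re-encryption did not take effect).
verify_reencrypted() {
    before_tmp=$(mktemp) || return 1
    after_tmp=$(mktemp) || { rm -f "$before_tmp"; return 1; }
    extract_adminpw "$1" > "$before_tmp"
    extract_adminpw "$2" > "$after_tmp"
    status=0
    n=$(wc -l < "$before_tmp")
    if [ "$n" -eq 0 ] || [ "$n" -ne "$(wc -l < "$after_tmp")" ]; then
        status=1
    else
        i=1
        while [ "$i" -le "$n" ]; do
            b=$(sed -n "${i}p" "$before_tmp")
            a=$(sed -n "${i}p" "$after_tmp")
            [ "$b" = "$a" ] && status=1
            i=$((i + 1))
        done
    fi
    rm -f "$before_tmp" "$after_tmp"
    return "$status"
}

# Back up sm.registry, re-register the policy store (which rewrites and
# re-encrypts its AdminPW entry), then verify the change. On a failed
# smldapsetup run the backup is restored. Arguments:
#   $1 LDAP host  $2 port  $3 bind DN  $4 bind password  $5 policy store root
reencrypt_store_password() {
    backup="$SM_REGISTRY.pre-fips.$(date +%Y%m%d%H%M%S)"
    cp -p "$SM_REGISTRY" "$backup" || return 1
    # Assumed flag layout: values are attached directly to the flag letter.
    if ! smldapsetup reg -h"$1" -p"$2" -d"$3" -w"$4" -r"$5"; then
        cp -p "$backup" "$SM_REGISTRY"
        return 1
    fi
    verify_reencrypted "$backup" "$SM_REGISTRY"
}

# Offline demo on constructed registry content (format approximated; the
# ciphertext values are made up). Both AdminPW values change, so the
# check passes and the function returns 0.
demo_verify() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\AdminPW=    {CONSTRUCTED-OLD-1}; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\AdminPW=    {CONSTRUCTED-OLD-2}; REG_SZ
EOF
    cat > "$after" <<'EOF'
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Database\AdminPW=    {CONSTRUCTED-NEW-1}; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider\AdminPW=    {CONSTRUCTED-NEW-2}; REG_SZ
EOF
    verify_reencrypted "$before" "$after"; rc=$?
    rm -f "$before" "$after"
    return "$rc"
}

# Negative demo: one AdminPW value is unchanged, so the check fails (returns 1).
demo_unchanged() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
...\Database\AdminPW=    {CONSTRUCTED-OLD-1}; REG_SZ
...\Ds\LDAPProvider\AdminPW=    {CONSTRUCTED-OLD-2}; REG_SZ
EOF
    cat > "$after" <<'EOF'
...\Database\AdminPW=    {CONSTRUCTED-NEW-1}; REG_SZ
...\Ds\LDAPProvider\AdminPW=    {CONSTRUCTED-OLD-2}; REG_SZ
EOF
    verify_reencrypted "$before" "$after"; rc=$?
    rm -f "$before" "$after"
    return "$rc"
}
```

Source the file and call `reencrypt_store_password ldap.example.com 389 'cn=Directory Manager' "$BIND_PW" 'o=security'` on the policy server; `demo_verify` and `demo_unchanged` exercise the check on the constructed data without touching the real registry. Two practical points: the bind password given with -w is visible in the process listing and shell history for as long as the command runs, so read it from a protected file or a prompt rather than typing it into the command line, and the check above only proves that the AdminPW= lines it found were rewritten; if the key store lives in a separate LDAP store its entry has to be registered and checked as a second step.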