Symantec Access Management

Hi,

We are in the process of upgrading our SiteMinder r12.0 SP3 CR10 policy servers to version r12.7 SP2.  We chose to do this in a "parallel" environment to minimize impact and risks on our existing applications. Both old and new environments have 2 policy-servers.

Here are the steps that we took for upgrading policy servers:

1) Install and configure the r12.7 SP2 policy server/components. (configured this policy-server with new policy-store, initialized this pstore instance through config wizard).

2) Export r12.0 policy data through XPSExport utility.(12.0 pstore and key store are collocated meaning we have configured :- use policy-store database for key store.

3) Import policy data into r12.7 SP2 using XPSImport utility.(12.7 pstore and key store are collocated meaning we have configured :- use policy-store database for key store.

4) restart the r12.7 SP2 policy servers.

To get SSO working, if the pstore and keystore are same as mentioned above then do we have to explicitly export and import keys also by using (smkeyexport, smkeyimport) command from old environment?

We have applications which will be migrated to use 12.7SP2 PS. Web-agents which are pointing to 12.0 PS will be re-registered to point to 12.7 PS by running smreghost commands. After re-registration of web-agents will the applications loose their session if the web-agents are recycled? We have mix of web-agent (6x and 12x). Is it required to restart the agents after re-registration?

Also we are not sure if the encryption key that was provided for installing old 12.0 policy-servers is same when we installed new 12.7 policy-server. if the encryption keys are different between old and new environment then is there any way SSO can be achieved? Will rollover of keys work if the encryption keys are different? Shall we do rollover from both policy-servers old and new?

Any help to figure this out is greatly appreciated.

Thanks.

The common cause of the error is that the encryption key used by R12.0 and R12.7 Policy Server is different.To achieve sso could u specific with what type of keys static or old like that,rollover also different in case of different encryption keys

• To get SSO working, if the pstore and keystore are same as mentioned above then do we have to explicitly export and import keys also by using (smkeyexport, smkeyimport) command from old environment?

Ujwol => Correct. XPSExport/XPSImport doesn't export keys. They need to be exported and imported separately using smkeyexport/smkeyimport tools.

• We have applications which will be migrated to use 12.7SP2 PS. Web-agents which are pointing to 12.0 PS will be re-registered to point to 12.7 PS by running smreghost commands. After re-registration of web-agents will the applications loose their session if the web-agents are recycled? We have mix of web-agent (6x and 12x). Is it required to restart the agents after re-registration?

Ujwol => First off all, if you are doing a full export from 12.0 and importing to 12.7 (xpsexport -xb). You do NOT need to reregister your web agent against 12.7 policy server again.

All you need to do is :

1. modify SmHost.conf on webagent to point to 12.7 Policy server
2. modify HCO on the 12.7 Policy store to point to 12.7 Policy server.

The existing shared secret/trusted host will still be valid.

This is provided you have maintained the same policy server encryption key between 12.0 & 12.7 envrionments.

The user sessions are NOT stored on web agents, so recycling the web agents will not invalidate the existing user session.

If you decide to go with re-registraton of web agents (not sure why you would do that  but anyway) , then yes you will need to recycle web agents.

• Also we are not sure if the encryption key that was provided for installing old 12.0 policy-servers is same when we installed new 12.7 policy-server. if the encryption keys are different between old and new environment then is there any way SSO can be achieved? Will rollover of keys work if the encryption keys are different? Shall we do rollover from both policy-servers old and new?

Ujwol => For sso to work , you will need to maintain same Policy server encryption between 12.0 and 12.7 enviornment. As you are having separate key stores, you cannot use dynamic agent key configuraiton. You will need to configure same static agent keys in two setup.

Requirement for sso are :

- Same Policy server encryption key.

- Same Persistent key/Session Ticket Key

- Same Agent Keys

Thank you so much Ujwol for providing answers to my queries.

I had run smkeyexport from 12.0 environment and run smkeyimport into 12.7 environment. The import happened successfully.

- Does that mean the encryption keys for both environments are same because I didn't see any errors during import?

- Before running the smkeyimport I had registered test web-agent with this 12.7 policy-server. I was able to successfully test authentication/authorization for the test protected page. After running smkeyimport I am not able to access that protected site and I get below errors.

[6551/140045428176640][Thu Mar 15 2018 15:02:45][CServer.cpp:2121][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154
[6551/140045428176640][Thu Mar 15 2018 15:02:45][CServer.cpp:2132][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client

I haven't rolled over the keys yet from 12.7 policy-server. Should I do the rollover and that should take care of this error?

My answer inlline.

- Does that mean the encryption keys for both environments are same because I didn't see any errors during import?

Ujwol => Depends on whether you exported keys encrypted or not (used -c switch or not) . If you exported keys encrypted and if you were able to import it successfully, it would imply that Policy server encryption keys are the same.

- Before running the smkeyimport I had registered test web-agent with this 12.7 policy-server. I was able to successfully test authentication/authorization for the test protected page. After running smkeyimport I am not able to access that protected site and I get below errors.

[6551/140045428176640][Thu Mar 15 2018 15:02:45][CServer.cpp:2121][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154
[6551/140045428176640][Thu Mar 15 2018 15:02:45][CServer.cpp:2132][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client

Ujwol => This doesn't make sense. The shared secret in trusted host is encrypted using Policy store key which is dervied from Policy server encryption key. This has nothing to do with Persistent Key/Agent Key that you imported.

DId you reboot your web server host by any chance ?

I would say re-register the agent.

I haven't rolled over the keys yet from 12.7 policy-server. Should I do the rollover and that should take care of this error?

Ujwol => Don't do that. If you roll the keys, your keys wont' be in sync with 12.0 setup and you can no longer have SSO with it. You should disable any dynamic key rollover and never perform manual key rollover from either of the policy server.

If you want dynamic agent key rollover, you will need to configure common key store.

There are some additonal configuration which is needed to fully support this.

If you haven't already read through this , I would strongly encourage to read through this blog to fully understand different keys that CA SSO uses and how they are relevant for what function.

Tech Tip : CA Single Sign-On : Data Protection, Key Management,Configuration & Common Issues 

Hi Ujwol,

The keys were exported in encrypted mode. We are going to migrate the apps and will see if any issues come.

Thank you so much for providing the link, it has very helpful information.

Hi Ujwol,

Thank you so much for your help with this. We were able to migrate the apps in one environment using the steps above. The enc.keys were same in both environments. We were able to migrate the apps without re-registration, just re-pointing/sso worked.

On the other hand, in another environment, we came to find that the enc. keys are different.

In this env., we have 2 policy-servers. I have reset the enc. keys on one policy-server(12.7 as it was on 12.0) by following the other link posted by you.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/reset-the-r12-x-policy-store-encryption-key

Unfortunately, I didn't run smreg command on the other policy-server. So one policy-server enc keys are changed and 2nd PS still hasn't have the re-changed keys.

Please let me know what steps I should perform on the second Policy-server. Do I have to re-do all the steps that I did for the first PS?

Thanks.

Hi, Let's work on this question here :

Resetting encryption keys