Symantec Access Management

Tech Tip - CA Single Sign-On:Policy Server: smmigratecds AES decryption failed 

12-01-2017 12:19 AM


smmigratecds fails with error :



[smuser@172.x.x.x properties]$ -validate -v -p changeit 


java.lang.Exception: Unable to load private key using certificate. Exception Message: NativeDB$Access.pbeDecrypt: AES decryption failed

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.getPrivateKeyFromDB(

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.switchToMemoryDB(

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.registerDB(

        at com.netegrity.smkeydatabase.db.filebased.FileBasedCertificateDataStoreImpl.registerDB(

        at com.netegrity.smkeydatabase.db.SMKeyDatabase.registerDB(

        at com.netegrity.smkeydatabase.migrate.MigrateFBCDS.<init>(

        at com.netegrity.smkeydatabase.migrate.MigrateCertificateDataTool.process(

        at com.netegrity.smkeydatabase.migrate.MigrateCertificateDataTool.main(


New Policy server : 12.52SP1 and above Old Policy server : 12.0 Policy server encryption keys are different between old and new server.


Steps taken by customer In 12.52 Policy server :

  1. Renamed the located at siteminder_home\config\properties to
  2. Copied file from r12.0 to r12.52 Policy server to directory siteminder_home\config\properties
  3. Copied smkeydatabase folder from r12.0 to r12.52 Policy server.
  4. Edited to change DBLocation property to point to location of smkeydatabase folder.

Then ran command, -validate -v -p <password>

where the password "<password>" is for the smkeydatabase password from r12.0 setup.


Now, the issue here is that, the password in the file is encrypted using Policy server Encryption Key.

But  for this case, as the Policy server encryption key were different from r12.0 and r12.52 Policy server, the r12.52 Policy server was not able to decrypt the password encrypted using r12.0 Policy server encryption key.


If the Policy server encryption keys are different, you should NOT copy the old file to the new Policy server.

i.e skip step 1 & 2 above.

The new policy server should use it's own file.

0 Favorited
0 Files

Tags and Keywords


Related Entries and Links

No Related Resource entered.