Federation Manager Guide › Migrate Federation Manager to Use FIPS Encryption › How To Migrate from FIPS_COMPAT Mode to FIPS-Only Mode › Re-encrypt the Policy Store and Key Store Data

Re-encrypt the Policy Store and Key Store Data

Re-encrypt policy and key store data so that is uses a FIPS-compatible encryption algorithm.

To re-encrypt policy and key store data

1. Open a command prompt window.
2. Export the key data by entering the following command

   smkeyexport -dadmin_name -wadmin_password -oexport_file -l -v -t -cf

   • admin_name

     Specifies the name of the administrator. You must enter siteminder for this value when using the smkeyexport utility.

   • admin_password

     Specifies the password Federation Manager administrator.

   • export_file

     Specifies the name of the file that results from the export. This file must end in an .smdif extension.

3. Export the policy store data by entering the following command

   XPSExport export_file -xa –xs –xc -passphrase passphrase -v -e file_name -l log_file

   • export_file

     Names the output file that results from the export. The output from XPSExport is in XML format, therefore, the filename should end with the extension .xml.

   • passphrase

     Specifies the passphrase required to encrypt sensitive data. The passphrase must be at least eight characters and must contain at least one digit, one uppercase and one lowercase letter. If the passphrase contains a space, then it must be enclosed in quotes.

     NOTE: If you do not want to enter the passphrase directly, do not specify it in the command. XPSExport then prompts you for a passphrase and a passphrase confirmation, which is not echoed to the screen.

   • file_name

     Specifies the name of the error file where Federation Manager writes error messages.

   • log_file

     Specifies the name of the log file where Federation Manager writes the results of the export. This file can be any name, but the extension .log is recommended.

     You can enter a full path to the file or only the file name. If you enter only a file name, Federation Manager creates the file in the location where you are running the XPSExport command. The name you enter for this parameter should be different from the log_path value you enter when you import the policy store data.

4. Import the key data into the new or existing key store by entering the following command:

   Note: You may be using the policy store as your key store.

   smkeyimport -iexport_file -dadmin_name -wadmin_password -l -v -t -cf

   • export_file

     Specifies the name of the XML file that resulted from the export of the original store.

   • admin_name

     Specifies the name of the administrator. You must enter siteminder for this value when using the smkeyimport utility.

   • admin_password

     Specifies the password Federation Manager administrator.

5. Import the policy store data into the new or existing policy store by entering the following command:

   XPSImport –fo export_file -passphrase passphrase -vT -vI -vW -vE -vF -l log_path

   • export_file

     Names the XML file that resulted from the export of the original configuration.

   • passphrase

     Specifies the passphrase required to decrypt sensitive data. The passphrase must be the same as passphrase you specified when you ran the XPSExport command in the previous step.

   • log_path

     Specifies the location and name of the log file where Federation Manager writes the results of the import. This file can be any name, but the extension .log is recommended.