

Re-encrypt the Policy Store and Key Store Data

Re-encrypt policy and key store data so that it uses a FIPS-compatible encryption algorithm.

To re-encrypt policy and key store data

  1. Open a command prompt window.
  2. Export the key data by entering the following command:

    smkeyexport -dadmin_name -wadmin_password -oexport_file -l -v -t -cf

    admin_name

    Specifies the name of the administrator. You must enter siteminder for this value when using the smkeyexport utility.

    admin_password

    Specifies the password of the CA SiteMinder® Federation Standalone administrator.

    export_file

    Specifies the name of the file that results from the export. This file must end in an .smdif extension.

  3. Export the policy store data by entering the following command:

    XPSExport export_file -xa -xs -xc -passphrase passphrase -v -e file_name -l log_file

    export_file

    Names the output file that results from the export. The output from XPSExport is in XML format; therefore, the filename should end with the extension .xml.

    passphrase

    Specifies the passphrase required to encrypt sensitive data. The passphrase must be at least eight characters and must contain at least one digit, one uppercase and one lowercase letter. If the passphrase contains a space, then it must be enclosed in quotes.

    NOTE: If you do not want to enter the passphrase directly, do not specify it in the command. XPSExport then prompts you for a passphrase and a passphrase confirmation, which is not echoed to the screen.

    file_name

    Specifies the name of the error file where CA SiteMinder® Federation Standalone writes error messages.

    log_file

    Specifies the name of the log file where CA SiteMinder® Federation Standalone writes the results of the export. This file can be any name, but the extension .log is recommended.

    You can enter a full path to the file or only the file name. If you enter only a file name, CA SiteMinder® Federation Standalone creates the file in the location where you are running the XPSExport command. The name you enter for this parameter should be different from the log_path value you enter when you import the policy store data.

  4. Import the key data into the new or existing key store by entering the following command:

    Note: You may be using the policy store as your key store.

    smkeyimport -iexport_file -dadmin_name -wadmin_password -l -v -t -cf

    export_file

    Specifies the name of the XML file that resulted from the export of the original store.

    admin_name

    Specifies the name of the administrator. You must enter siteminder for this value when using the smkeyimport utility.

    admin_password

    Specifies the password of the CA SiteMinder® Federation Standalone administrator.

  5. Import the policy store data into the new or existing policy store by entering the following command:

    XPSImport -fo export_file -passphrase passphrase -vT -vI -vW -vE -vF -l log_path

    export_file

    Names the XML file that resulted from the export of the original configuration.

    passphrase

    Specifies the passphrase required to decrypt sensitive data. The passphrase must be the same as the passphrase you specified when you ran the XPSExport command in the previous step.

    log_path

    Specifies the location and name of the log file where CA SiteMinder® Federation Standalone writes the results of the import. This file can be any name, but the extension .log is recommended.
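As an added worked example that is not part of the CA documentation, the following POSIX shell script strings steps 2 through 5 together and enforces the rules stated above before any tool is called: the passphrase complexity rule, the .smdif and .xml extensions, and distinct export and import log names. The file names and the SM_REENCRYPT_RUN variable are placeholders assumed for this example; the tool names and flags are the ones shown in the steps.

```shell
#!/bin/sh
# Orchestrates the four documented commands. File names are example
# placeholders; override them through the environment if needed.
set -eu

KEY_EXPORT=${KEY_EXPORT:-keystore_export.smdif}
POLICY_EXPORT=${POLICY_EXPORT:-policystore_export.xml}
EXPORT_LOG=${EXPORT_LOG:-xpsexport.log}
IMPORT_LOG=${IMPORT_LOG:-xpsimport.log}
ERROR_FILE=${ERROR_FILE:-xpsexport_errors.txt}

# Passphrase rule from the XPSExport description: at least eight characters,
# with at least one digit, one uppercase and one lowercase letter.
validate_passphrase() {
  p=$1
  [ "${#p}" -ge 8 ] || return 1
  printf '%s\n' "$p" | grep -q '[[:digit:]]' || return 1
  printf '%s\n' "$p" | grep -q '[[:upper:]]' || return 1
  printf '%s\n' "$p" | grep -q '[[:lower:]]' || return 1
  return 0
}

# File-name rules from the parameter descriptions: key export ends in .smdif,
# policy export ends in .xml, export and import log names differ.
check_file_names() {
  case $1 in *.smdif) ;; *) return 1 ;; esac
  case $2 in *.xml) ;; *) return 1 ;; esac
  [ "$3" != "$4" ] || return 1
  return 0
}

reencrypt_stores() {
  check_file_names "$KEY_EXPORT" "$POLICY_EXPORT" "$EXPORT_LOG" "$IMPORT_LOG"
  # Read the administrator password and passphrase without echoing them.
  printf 'siteminder administrator password: '; stty -echo; read -r admin_pw; stty echo; echo
  printf 'export passphrase: '; stty -echo; read -r passphrase; stty echo; echo
  validate_passphrase "$passphrase" || { echo "passphrase does not meet the rule" >&2; return 1; }
  # Steps 2 to 5. Quoting "$passphrase" also covers a passphrase containing a space.
  smkeyexport -dsiteminder -w"$admin_pw" -o"$KEY_EXPORT" -l -v -t -cf
  XPSExport "$POLICY_EXPORT" -xa -xs -xc -passphrase "$passphrase" -v -e "$ERROR_FILE" -l "$EXPORT_LOG"
  smkeyimport -i"$KEY_EXPORT" -dsiteminder -w"$admin_pw" -l -v -t -cf
  XPSImport -fo "$POLICY_EXPORT" -passphrase "$passphrase" -vT -vI -vW -vE -vF -l "$IMPORT_LOG"
}

# Run only when explicitly requested, so sourcing the file just defines the functions.
if [ "${SM_REENCRYPT_RUN:-0}" = "1" ]; then reencrypt_stores; fi
```

If you prefer not to place the passphrase on the command line at all, drop the -passphrase argument from the two XPS calls and the tools prompt for it, as the note under XPSExport describes.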