

Reset the r12.x Policy Store Encryption Key

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command:
    XPSExport output_file -xa -xs -xc -passphrase passphrase
    
    output_file

    Specifies the name of the XML file to which the policy store data is exported.

    -xa

    Specifies that all policy store data be exported.

    -xs

    Specifies that security data be exported.

    -xc

    Specifies that configuration data be exported.

    If both of the following criteria are met, do not export configuration data:

    • The Policy Server is operating at a version earlier than cr09.
    • You do not plan to upgrade to cr09 or later before reimporting the data.

      Importing configuration data after resetting the encryption key causes Policy Server connection failures.

    In either of the following cases, exporting configuration data is optional:

    • The Policy Server is operating at a version earlier than cr09, but you plan to upgrade to cr09 or later before reimporting the data. If the export contains configuration data, import the policy store data using the -nxci switch.

      Using the switch prevents Policy Server connection failures after the import.

    • The Policy Server is operating at cr09 or later.
    -passphrase passphrase

    Specifies the passphrase that is required for the encryption of sensitive data.

    Limits: The passphrase must:

    • Be at least eight characters long.
    • Contain at least one uppercase and one lowercase character.
    • Contain at least one numeric digit.

      Note: If the passphrase contains a space, enclose the passphrase with quotes.

    The utility exports the policy store data to the XML file.

  3. Be sure that the smreg utility is located in policy_server_home\bin.
    policy_server_home

    Specifies the Policy Server installation path.

    Note: If the utility is not present, it is included with the Policy Server installation media.

  4. Run the following command:
    smreg -key encryption_key
    
    encryption_key

    Specifies the new encryption key.

    Limits: 6 to 24 characters.

    The utility changes the policy store encryption key.

  5. Run the following command:
    XPSImport input_file -fo -nxci -passphrase passphrase
    
    input_file

    Specifies the name of the XML file that contains the exported policy store data.

    -fo

    Allows existing policy store data to be overwritten.

    -nxci

    Specifies that configuration data in the export file is not imported.

    • If the Policy Server was operating at cr09 or later during the export, the switch is not required.
    • If the Policy Server was operating at a version earlier than cr09 during the export, and the export included configuration data, the switch is required.
    -passphrase passphrase

    Specifies the passphrase that is required for the decryption of sensitive data.

    Important! If the passphrase does not match the passphrase entered during the policy store export, sensitive data cannot be decrypted and the import fails.

    The utility imports the policy store data. The policy store encryption key is reset.
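The five steps above as one script, added here as an example; it is not part of the SiteMinder documentation or product. It assumes the Policy Server's cumulative release is passed as a number (8 for cr08, 9 for cr09), that XPSExport, smreg and XPSImport are on the PATH (or the script is run from policy_server_home\bin), and that setting DRY_RUN=1 prints the command lines instead of executing them. The check functions encode the passphrase and key limits listed above, and the switch selection follows the cr09 rules, taking the conservative path of not exporting configuration data from a pre-cr09 server.

```shell
#!/bin/sh
# Added example (not from the SiteMinder documentation): runs the
# export / smreg / import procedure with the checks the steps above require.
# Assumptions: CR is the cumulative release number (8 for cr08, 9 for cr09);
# XPSExport, smreg and XPSImport are on the PATH; DRY_RUN=1 prints the
# commands instead of executing them.

# Passphrase limits: at least 8 characters, one uppercase, one lowercase,
# one digit. Returns non-zero when any limit is violated.
check_passphrase() {
    p="$1"
    [ "${#p}" -ge 8 ] || return 1
    case "$p" in *[A-Z]*) ;; *) return 1 ;; esac
    case "$p" in *[a-z]*) ;; *) return 1 ;; esac
    case "$p" in *[0-9]*) ;; *) return 1 ;; esac
}

# smreg -key limit: 6 to 24 characters.
check_encryption_key() {
    k="$1"
    [ "${#k}" -ge 6 ] && [ "${#k}" -le 24 ]
}

# XPSExport switches for a Policy Server at release CR. Configuration data
# (-xc) is exported only at cr09 or later; from an older release the
# conservative choice is to leave it out.
export_switches() {
    if [ "$1" -ge 9 ]; then
        printf '%s' '-xa -xs -xc'
    else
        printf '%s' '-xa -xs'
    fi
}

# XPSImport switches. -nxci is required only when the export came from a
# pre-cr09 server and included configuration data.
import_switches() {
    if [ "$1" -lt 9 ] && [ "$2" = yes ]; then
        printf '%s' '-fo -nxci'
    else
        printf '%s' '-fo'
    fi
}

# Execute a command, or print it when DRY_RUN=1. Note that the dry-run
# output includes the passphrase; use it only to check the command line.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# reset_policy_store_key CR OUTPUT_FILE PASSPHRASE NEW_KEY
reset_policy_store_key() {
    cr="$1"; out="$2"; passphrase="$3"; newkey="$4"
    check_passphrase "$passphrase" || {
        echo 'passphrase must be 8+ chars with upper, lower and digit' >&2; return 2; }
    check_encryption_key "$newkey" || {
        echo 'encryption key must be 6 to 24 characters' >&2; return 2; }
    xs=$(export_switches "$cr")
    exported_config=no
    case " $xs " in *' -xc '*) exported_config=yes ;; esac
    # $xs and $is are unquoted on purpose: they hold separate switches.
    # The passphrase is passed as a single argument, so a space in it
    # survives without the quoting the page mentions for interactive use.
    run XPSExport "$out" $xs -passphrase "$passphrase" || return 1
    run smreg -key "$newkey" || return 1
    is=$(import_switches "$cr" "$exported_config")
    run XPSImport "$out" $is -passphrase "$passphrase"
}

# Usage: DRY_RUN=1 sh reset_key.sh 9 ps_export.xml 'Sm Pass 2024' 'NewKey123'
if [ "$#" -eq 4 ]; then
    reset_policy_store_key "$@"
fi
```

Run it once with DRY_RUN=1 to confirm the three command lines match the version you are on; the same passphrase is reused for the import, which is what step 5 requires, and the script stops before smreg if the export fails, so the old key is still in place.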

Configure Agent Key Generation

You use the Policy Server Management Console Keys tab to configure how the Policy Server handles Agent key generation.

Note: Enable key generation only on the Policy Server that you want to generate Agent keys.

To configure Policy Server agent key generation

  1. Start the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your SiteMinder component.

  2. Click the Keys tab.

    Note: For more information about the settings and controls on this tab, click Help, Management Console Help.

  3. Complete the fields and controls presented on the Keys tab to configure Agent key generation.
  4. When you are done, click Apply to save your changes.

Manage Agent Keys

The SiteMinder Key Management dialog box, which you access from the Administrative UI, enables you to configure periodic Agent key rollovers, execute manual rollovers, and change the static key. It also enables you to manage the session ticket key.

Note: To manage keys, you must log in to the Administrative UI using an account with the Manage Keys and Password Policies privilege. For more information, see the Policy Server Configuration Guide.

More information:

Manage the Session Ticket Key

Configure Periodic Key Rollover

Manually Rollover the Key

Change Static Keys