Create and Manage the Key Database Using Smkeytool

Policy Server Guides › Policy Server Configuration Guide › SiteMinder Key Database Management › Create and Manage the Key Database Using Smkeytool

Create and Manage the Key Database Using Smkeytool

The smkeytool command-line utility allows you to populate and manage the key database. This tool is installed with the Policy Server.

Use smkeytool to:

Create and delete a key database
You can only have one key database per Policy Server. After the database is created, you can add keys and certificates.
Add and delete the private key and certificate
Add and delete an issuer certificate
List all certificates stored in the key database

Note: smkeytool relies on values in the smkeydatabase.properties file. Be sure that this file is properly configured before running smkeytool.

smkeytool is located in the following directory:

<policy_server_home>/bin (UNIX)
<policy_server_home>\bin (Windows)

Run the smkeytool utility from a command line, using the following syntax:

UNIX:

smkeytool.sh option [argument(s)]

Windows:

smkeytool.bat option [argument(s)]

Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

The options and arguments are described in the following table.

Option	Arguments	Function
-createDB or -cdb	<password>	Creates an empty key database to store keys and certificates. The specified password is encrypted using the policy store key and added to the smkeydatabase.properties file.
-deleteDB or -ddb	None	Deletes the key database specified in the smkeydatabase.properties file.
-addPrivKey or -apk	<private_key_filepath> <x.509_certificate_filepath> <password>	Adds the specified private key and corresponding certificate file to the key database. Note that <password> is the password used to encrypt the private key file being loaded, not the one associated with the key database.
-deletePrivKey or -dpk	<x.509_certificate_filepath>	Deletes the private key entry from the key database based on the specified certificate.
-addCert or -ac	<x.509_certificate_filepath>	Adds a certificate to the key database.
-deleteCert or -dc	<x.509_certificate_filepath>	Deletes a certificate from the key database based on the specified certificate.
-listCerts or -lc	None	Lists the issuer/subject name (DN) and serial number of all the certificates stored in key database.
-help or -h	None	Lists smkeytool usage information.

Note: smkeytool has several command options to manage certificate revocation information. These options are only for SiteMinder Federation Security Services signing and encryption features.

Smkeytool Examples

Create a key database
UNIX:

smkeytool.sh –cdb password

Windows:

smkeytool.bat –cdb password
Add a private key and certificate:
UNIX:

smkeytool.sh –apk /opt/netegrity/webagent/certs/samplePrivKey.pkcs8 /opt/netegrity/webagent/certs/sampleRobm.cer passphrase

Windows:

smkeytool.bat –apk "c:\program files\netegrity\webagent\certs\samplePrivKey.pkcs8" "C:\program files\netegrity\webagent\certs\sampleRobm.cer" passphrase
Add an issuer certificate:
UNIX:

smkeytool.sh –ac /opt/netegrity/webagent/certs/sampleCARoot.cer

Windows:

smkeytool.bat –ac "c:\program files\netegrity\webagent\certs\sampleCARoot.cer"