000023336 - Best Practices for backup and restoration of FIM configuration and secrets files

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000023336
Applies To: RSA Federated Identity Manager (FIM) 2.6
RSA Federated Identity Manager (FIM) 2.5
Issue: Best Practices for backup and restoration of FIM configuration and secrets files
com.rsa.csf.common.exceptionbase.CsfApplicationException: Problem decrypting the property file
com.rsa.csf.common.exceptionbase.CsfApplicationException: can not get SSVS to access properties file
The FIM managed server does not start.
Cause: RSA Federated Identity Manager (FIM) is based on the RSA common server framework (csf) server.  To protect sensitive security information, FIM encrypts that information (stored in the rsaappserer\properties\encryptedfields.properties file) with a key derived from several hardware and system parameters of the machine where FIM is installed.  The encryption key is based on a combination of the following parameters:

ram_info
os_version
mac_address
machine_name
disk_serial_number
diskcontroller_id
cpu_id

If any three of these parameters change, the encryption key is no longer valid and FIM will fail to start.  This may occur when an operating system patch is applied, memory is added, or the FIM server is moved to a different machine.  On Windows systems the password used to start the FIM servers as Windows services is also encrypted using this key.

Resolution

Backup of FIM configuration files

To ensure that your FIM server can be restored if the encryption key is lost, make a backup of the encryption secrets and the SAML configuration periodically.  A backup should be performed:

1. after the initial installation of FIM
2. before any changes to the machine or operating system that would affect the parameters described above
3. after any major changes to the configuration of FIM or the addition of any new parties
4. periodically, as part of the routine backup procedure

To back up FIM, run the following commands:

configtool EXPORTSECRETS password filename
configtool EXPORTSAMLCONFIG filename


Restoration of FIM configuration files

configtool IMPORTSECRETS password filename
configtool SETSAMLCONFIG filename
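The backup and restore commands above are easy to run by hand but easy to run inconsistently. The following wrapper is an added example, not part of the RSA article or the FIM product: it runs the two exports with a shared timestamp, refuses to proceed without a secrets password, checks that both export files were actually written, restricts permissions on the secrets file, and records SHA-256 checksums that the restore path verifies before calling IMPORTSECRETS and SETSAMLCONFIG. It assumes CONFIGTOOL points at the FIM configtool executable, that the password is supplied through an environment variable named FIM_SECRETS_PASSWORD (a name chosen for this example), that GNU coreutils sha256sum is available, and the output file names and extensions are chosen here, not mandated by FIM.

```shell
#!/bin/sh
# Added example (not RSA's code): timestamped backup/restore wrapper for
# FIM secrets and SAML configuration using configtool.
# Assumptions: CONFIGTOOL is the FIM configtool executable, BACKUP_DIR is
# writable, FIM_SECRETS_PASSWORD holds the secrets password (both variable
# names are chosen for this example), and sha256sum is GNU coreutils.

: "${CONFIGTOOL:=configtool}"
: "${BACKUP_DIR:=/var/backups/fim}"

# File names derived from one stamp so both exports of a run belong together.
fim_secrets_name() { echo "fim-secrets-$1.bak"; }
fim_saml_name()    { echo "fim-samlconfig-$1.xml"; }

# Export secrets and SAML config; fail if either export produced no file.
# Prints the stamp used so a scheduler can log which backup was taken.
fim_backup() {
    stamp=${1:-$(date +%Y%m%d-%H%M%S)}
    [ -n "$FIM_SECRETS_PASSWORD" ] || { echo "FIM_SECRETS_PASSWORD not set" >&2; return 2; }
    mkdir -p "$BACKUP_DIR"
    secrets="$BACKUP_DIR/$(fim_secrets_name "$stamp")"
    saml="$BACKUP_DIR/$(fim_saml_name "$stamp")"
    "$CONFIGTOOL" EXPORTSECRETS "$FIM_SECRETS_PASSWORD" "$secrets" || return 1
    "$CONFIGTOOL" EXPORTSAMLCONFIG "$saml" || return 1
    for f in "$secrets" "$saml"; do
        [ -s "$f" ] || { echo "backup file missing or empty: $f" >&2; return 1; }
    done
    chmod 600 "$secrets"   # the secrets export is sensitive; owner-only access
    # Checksums let the restore step detect a truncated or altered backup.
    ( cd "$BACKUP_DIR" && sha256sum "$(fim_secrets_name "$stamp")" "$(fim_saml_name "$stamp")" ) \
        > "$BACKUP_DIR/fim-$stamp.sha256" || return 1
    echo "$stamp"
}

# Restore the backup identified by a stamp, verifying checksums first.
fim_restore() {
    stamp=$1
    [ -n "$stamp" ] || { echo "usage: fim_restore <stamp>" >&2; return 2; }
    [ -n "$FIM_SECRETS_PASSWORD" ] || { echo "FIM_SECRETS_PASSWORD not set" >&2; return 2; }
    ( cd "$BACKUP_DIR" && sha256sum -c "fim-$stamp.sha256" >/dev/null ) \
        || { echo "checksum mismatch for backup $stamp" >&2; return 1; }
    "$CONFIGTOOL" IMPORTSECRETS "$FIM_SECRETS_PASSWORD" "$BACKUP_DIR/$(fim_secrets_name "$stamp")" || return 1
    "$CONFIGTOOL" SETSAMLCONFIG "$BACKUP_DIR/$(fim_saml_name "$stamp")" || return 1
}

# Usage:  FIM_SECRETS_PASSWORD=... ./fim-backup.sh backup
#         FIM_SECRETS_PASSWORD=... ./fim-backup.sh restore 20170421-120000
case "${1:-}" in
    backup)  fim_backup ;;
    restore) fim_restore "${2:-}" ;;
esac
```

Because the backup contains the secrets needed to decrypt the FIM properties, store it with the same care as the original encryptedfields.properties file, and treat a failed checksum on restore as a reason to stop rather than to proceed with a partial import.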


Workaround: The FIM machine was recently upgraded or the server was moved to different hardware.
Legacy Article ID: a33457
