SM-UCMDB SSL Integration Issue (1583 Views)
Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 1 of 16 (1,583 Views)

SM-UCMDB SSL Integration Issue


Hi Experts,

 

I'm trying to integrate SM 9.31 with ucmdb 10.01 using SSL, but I'm getting an error as per the attachment log.

 

I have done the following Configuration:

 

Adapter : service manager 9.x

Host name: Server name

Port: 13443

Url override: https://servername:13443/SC62server/ws

Credential: username and password created in ucmdb same as falcon

 

The certificates are distributed in the following locations:

 

 

SM server:

Adding the Ucmdb certificate(.cer) and SM Certificate (.cer) signed by CA to trustedclients.jks

 

Probe server

Adding the Ucmdb certificate(.cer) and SM Certificate (.cer) signed by CA to HPProbetruststore.jks

 

UCMDB Server

Adding the SM Certificate (.cer) signed by CA to Server.truststore

 

Kindly advise

 

Thanks and Regards

 

Hani

 

 

HP Expert
Amen16
Posts: 221
Registered: ‎11-01-2011
Message 2 of 16 (1,555 Views)

Re: SM-UCMDB SSL Integration Issue

Hello Hani,

 

Is this the first time with this integration?

 

Are you getting an error message on your screen?

 

What are you doing when you get that error message?

 

Regards,

Alex

HP Support

If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.
Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 3 of 16 (1,544 Views)

Re: SM-UCMDB SSL Integration Issue

Hello Alex,

 

Thank you for your reply.

 

Actually yes, it is the first integration. On the screen I'm getting the same error as per the attachment (please refer to the image below). When I get this error message, I tried many times to relocate the certificates since, as per the logs, it seems the issue is something related to SSL. I didn't find any document explaining exactly how to do this integration using a CA certificate. I found only one document that describes how to do it using a self-signed certificate, which is the case that I have.

 

ucmdb-sm error

 

Thanks again

 

Regards

 

Hani 

HP Expert
viprom
Posts: 321
Registered: ‎11-09-2011
Message 4 of 16 (1,538 Views)

Re: SM-UCMDB SSL Integration Issue


Hi hsidani,

 

check the SM 9.31 - uCMDB 10 integration guide KM1195820 for detailed steps on how to configure it.

-----
If you find this or other posts helpful, please do not forget to click the Kudo Star or to mark it as a Solution if you are the owner of the thread. Thanks :)
Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 5 of 16 (1,531 Views)

Re: SM-UCMDB SSL Integration Issue

Hi Viprom,

 

Thank you for your reply.

 

I've configured it exactly as per the document but with no success. There is nothing mentioned about how to place the certificates in sm and ucmdb servers to trust each other. 

 

Thanks again

 

Regards

 

Hani 

 

HP Expert
Amen16
Posts: 221
Registered: ‎11-01-2011
Message 6 of 16 (1,527 Views)

Re: SM-UCMDB SSL Integration Issue

Hello Hani,

 

Did you have SSL enabled before just with SM? If not, you could first try that before running the integration to make sure it works fine.

 

There is also a known issue but it seems to be related to ucmdb 9.3 as you can see here:

 

http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_QCCR1E74267

 

In case you first would like to set up SSL on the Service Manager side, you can check the following document:

 

http://support.openview.hp.com/selfsolve/document/KM773556

 

Regards,

Alex

HP Support

Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 7 of 16 (1,524 Views)

Re: SM-UCMDB SSL Integration Issue

Hi Alex,

 

Yes, SSL and trusted sign-on are configured on SM. Also SSL is configured on ucmdb. By the way, I have tried to enable the integration without SSL, and it is working fine. The problem only occurred when SSL is enabled.

 

Thanks and Regards

 

Hani

HP Expert
Amen16
Posts: 221
Registered: ‎11-01-2011
Message 8 of 16 (1,496 Views)

Re: SM-UCMDB SSL Integration Issue

Hello Hani,

 

I just found this but I'm not sure if this is actually related or not so I'll keep on checking:

 

http://support.openview.hp.com/selfsolve/document/KM1360037

 

Regards,

Alex

HP Support

Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 9 of 16 (1,482 Views)

Re: SM-UCMDB SSL Integration Issue

Hello Amen,

 

Thank you for your support.

 

I don't think this is related to what I'm doing since this integration is working on one of our customers. It was done by HP PS. But as I remember even HP PS at that time had asked for HP support to implement it. I already asked them but they don't remember the steps since this configuration is not done frequently.

 

Your support is really appreciated

 

Thanks and Regards

 

Hani

HP Expert
lisajo
Posts: 480
Registered: ‎02-15-2010
Message 10 of 16 (1,457 Views)

Re: SM-UCMDB SSL Integration Issue

Hi

I am not sure if this will help

but with the cacert issue

1. Create a server key store.

Instructions for creating a server key store

  1. Open a command-line window on the computer or the system where the CommonStore Server is installed.
  2. Enter the following command, where servername is the name or IP address of the server for which you want to create the keystore:
       keytool -genkey -alias servername -validity 365 -keystore keystore.jks
  3. Enter a password when prompted by this message:
       Enter keystore password:
  4. You are asked a number of questions. Type an answer, where necessary, and press Enter to see the next question. Note that the question for the first and the last name has to be answered with the name of the CommonStore Server as specified in SAP (transaction code OAC0). For example:
       What is your first and last name? [Unknown]: myserver.com
       What is the name of your organizational unit? [Unknown]: Accounting
       What is the name of your organization? [Unknown]: Dough International
       What is the name of your City or Locality? [Unknown]: Springfield
       What is the name of your State or Province? [Unknown]:
       What is the two-letter country-code for this unit? [Unknown]: US
       Is <CN=myserver.com, OU=Accounting, O=Dough International, L=Springfield, ST=Unknown, C=US> correct? [no]: yes
       Enter key password for <servername> (Press Enter if you want to use the same password as for the keystore)
    Important:

    By following these instructions, you create a self-signed certificate. Users who connect to a CommonStore Server receive a warning when such a certificate is used. If you want to avoid these warnings, let a trusted certificate authority sign your certificate.

    Another solution is to instruct your client users to add the certificate to their trusted certificates when they receive the warning.

  5. Turn on Secure Socket Layer (SSL) support in the server configuration profile (usually archint.ini) by specifying the SSL Web port. Use the SSL_WEBPORT keyword for this purpose, for example:
       SSL_WEBPORT 5590
  6. Specify the path and file name of the keystore on the CommonStore Server by using the KEYSTORE_FILE keyword, for example:
       KEYSTORE_FILE C:\ssl\keystore.jks
  7. Enter the password for the keystore. To do so, take these steps:
    1. Open a command-line window.
    2. Change to the instance directory of the CommonStore Server. This is the directory that the INSTANCEPATH keyword points to. Remember, the INSTANCEPATH keyword is set in the configuration profile for the CommonStore Server (usually archint.ini).

      Examples

      AIX®, HP-UX, Linux /home/<cssapusr>/

      where <cssapusr> is the ID of the user you created for the purpose of running instances of the CommonStore Server.

      Sun Solaris /export/home/<cssapusr>/

      where <cssapusr> is the ID of the user you created for the purpose of running instances of the CommonStore Server.

      Windows C:\Program Files\IBM\CSSAP\Server\instance01
    3. Enter the following command:
         archpro -f keystore_passwd
    4. You are asked for the password. Enter it.


2. Create CSR (Certificate Signing Request)

To create a new CSR or generate a renewal request while another certificate exists on your Web site, follow these steps:

  1. In the Microsoft Management Console (MMC), right-click the default Web site, click New, and then click Site.
  2. Create a new site and give it a temporary name.
  3. Right-click the new site, click Properties, click the Directory Security tab, and then click Server certificate.
  4. Select Create new certificate and follow the wizard to create a new CSR. When prompted, select Prepare the request now but send it later.
  5. Use the CSR that you just created to request a new certificate from the certificate authority (CA) that issued the original certificate. 

    NOTE: If you are renewing a VeriSign certificate, see the following Web site: 
    Renew SSL Certificates

    If you are unable to renew the certificate by using this Web site, you can reach VeriSign's renewal department at the following e-mail address or telephone numbers:

    E-mail: renewal@verisign.com
    Technical Support: (877) 438-8776
    Sales: (650) 429-3347
  6. When you receive the certificate from VeriSign or another third-party CA, save it to your hard drive. Remember the serial number of this certificate and where you save it.
  7. Right-click the temporary site that you created in step 2, click Properties, click the Directory Security tab, click Server certificate, and then click Next. Follow the wizard. When prompted, select Process the pending request.
  8. After the certificate has been installed, click OK, and then stop and start the Web site.
  9. Right-click the temporary site that you created in step 2, click Properties, click Directory Security, and then click Server certificate.
  10. Select Remove the current certificate and follow the wizard. This removes the certificate from IIS, but the certificate remains in the certificate store.
  11. Right-click the Web site that has the original server certificate installed (that is, the certificate that you are renewing or replacing), click Properties, click Directory Security, click Server certificate, and then select Replace the current certificate.
  12. Select the certificate that you just installed. If you see duplicate certificate names, make sure that you select the certificate that matches the serial number that you noted in step 6.

NOTE: The list of available certificates is populated from the personal certificate store, which is located under Certificates (Local Computer) in the MMC. To view the personal certificate store, add the Certificates snap-in for the Computer Account to your MMC.

NOTE: If IIS does not display the new certificate, you may need to copy it from the personal certificate store that is located under Certificates - Current User in the MMC into the personal certificate store that is located under Certificates (Local Computer). To view the personal certificate store, add the Certificates snap-in for the User Account to your MMC.

3. Import the certificate into the keystore.

Copy the text file that contains your server certificate to the directory that contains your keystore file and save it as certificate.p7.

"HP Support
If you find that this post or any post resolves your issue, please make sure to mark it as an accepted solution."
Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 11 of 16 (1,447 Views)

Re: SM-UCMDB SSL Integration Issue

Hello Lisajo,

 

Thank you for your support.

 

This configuration is used specifically for IBM SAP. The command used is general but the other configuration, like configuring SSL and other config, doesn't exist in ucmdb or SM. Server keystore is already created and is working fine since I'm able to access the ucmdb and SM using SSL. So the problem here is where to distribute the certificates to make the integration work properly, because if there is any problem in the certificate generated I will not be able to access either UCMDB or SM.

 

For example, if I remove the root CA Certificate from c:\program files(x86)\HP\server manager 9.30\Server\Run\cacerts

the SM will stop working. So this means the cacerts is working properly.

 

Thanks Again

 

Regards

 

Hani

Occasional Advisor
EfsyEngi
Posts: 14
Registered: ‎07-24-2013
Message 12 of 16 (1,330 Views)

Re: SM-UCMDB SSL Integration Issue

I'm having the same issue here after enabling SSL on the server. Could you clarify which kind of certificates have been loaded into where? So far I have the following certificates in place:

 

SM:

SM Client Certificates (x2, for client/webtier)

UCMDB Probe Client certificate

 

UCMDB Probe (located on the same server as SM):

SM Server Certificate

SM Client Certificate

UCMDB Server Certificate

 

UCMDB (UD10.01)

UCMDB Probe Client Certificate

 

Based on your previous posts, I believe I've made a little headway; it seems that loading the probe with a SM client certificate is the way to go, however my issue is that the certificate the probe is sending back to the SM server is invalid, despite using the same client certs (Which work) for the Client/webtier.

 

 

jvm 1 | Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 13 of 16 (1,322 Views)

Re: SM-UCMDB SSL Integration Issue

Hi Efsy,

 

Actually I'm using only the server Certificate signed by CA for all because as per the documents nowhere is mentioned that you have to use also the client certificate for integration.

 

In your case keep the UCMDB probe configuration as it is. But for SM and UCMDB Server add the UCMDB probe Server Certificate instead of Client.

 

Please try it and keep me posted.

 

Thanks and Regards

 

Hani

Occasional Advisor
EfsyEngi
Posts: 14
Registered: ‎07-24-2013
Message 14 of 16 (1,299 Views)

Re: SM-UCMDB SSL Integration Issue

I got mine to work.

 

My fix was to copy a cacerts file which contained the SM Server certificate into the Data Flow Probe's JRE security store (<Probe Install Directory>/bin/jre/lib/security/conf/cacerts). I used the one generated by the SM certificate batch jobs.

 

I decided to use client Certificates for the data flow probe because the integration had to access the SM application server directly in the same way as the webtier and Windows client. I treated the Probe as another client that needed to be verified by SM and distributed certificates per the SM SSL guides (each client received a copy of the cacerts containing the server certificate and a keystore that included the SM client certificate).

 

I also imported all of the SM certificates into the probe trust store for good measure, though in a client environment I was able to achieve the same results by just replacing the probe cacerts file. 

 

So my resulting setup:

 

SM:

SM Client certificates in the trustedclients.keystore - as per the SSL setup

UCMDB Probe Client certificates in trustedclients.keystore - effect unknown

 

Probe:

SM Client & Server certificates in hpprobetruststore.jks - resulted in bad certificate/invalid signature errors, but it was connecting

UCMDB Server certificates in hpprobetruststore.jks - mutual ssl with ucmdb

SM Client certificate in client.keystore - no noticeable effect

CACerts with SM Server Certificates in /bin/jre/lib/security/ - managed to connect and integrate

 

UCMDB:

Probe Client Certificate - mutual ssl with Probe

 

I have yet to try the API actual state integration between UCMDB and SM, but this worked for me.

Advisor
hsidani
Posts: 32
Registered: ‎04-26-2013
Message 15 of 16 (1,292 Views)

Re: SM-UCMDB SSL Integration Issue


Hi Efsy,

 

I'm glad to hear that your problem has been solved.

I think your setup should be applied exactly the same to my environment but nowadays I'm too busy with other projects.

I think we can mark your result as the accepted solution but first let me test it.

Thanks for sharing your result with me.

 

Regards

 

Hani

Occasional Advisor
EfsyEngi
Posts: 14
Registered: ‎07-24-2013
Message 16 of 16 (1,287 Views)

Re: SM-UCMDB SSL Integration Issue

To be specific, import the mycacert.pem generated by the SM server certificate batch file into the cacerts of the JRE in the Data Flow Probe responsible for the integration, not the native system cacerts found in the java keystore. The goal is to insert the root certificate used by SSL into the DFP's jre. In your case, try placing your signed CA certificate there first before inserting the other certificates into the keystores. 

 

I suspect that this may be the only thing you need to do, as I was able to achieve the same result in a client dev environment by just placing a modified cacerts file (that contained their own verified certs) into a data probe's JRE. Please let me know how this method works.

 

Good luck
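
The import described in the last post, written out as an added example that is not part of the original thread or of HP's documentation: it backs up a trust store, imports a root CA PEM with keytool, and confirms the alias is present. The function names, the alias sm-root-ca and the throwaway root CA (a constructed stand-in for mycacert.pem) are assumptions; on a real probe the store would be the cacerts under the Probe's JRE named in the posts above, and "changeit" is the stock JRE cacerts password.

```shell
#!/bin/sh
# Added example: import a root CA into a Java trust store and verify it.
# Names and alias are hypothetical; the demo CA is constructed, not a real one.

# Build a throwaway self-signed root (constructed stand-in for mycacert.pem).
make_constructed_root() {   # $1 = output PEM path
    rm -f "$1" "$1.p12"
    keytool -genkeypair -alias demo-root -keyalg RSA -keysize 2048 \
        -dname "CN=Constructed Demo Root CA" -validity 30 -ext bc:c \
        -keystore "$1.p12" -storetype PKCS12 \
        -storepass changeit -keypass changeit >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias demo-root -file "$1" \
        -keystore "$1.p12" -storetype PKCS12 -storepass changeit >/dev/null 2>&1
}

# Succeeds only if the alias exists in the store (also fails if the store is missing).
truststore_has_alias() {    # $1 = store, $2 = store password, $3 = alias
    keytool -list -alias "$3" -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Import a root CA PEM under the given alias, keeping a backup of the store.
import_root_ca() {          # $1 = PEM, $2 = store, $3 = store password, $4 = alias
    if truststore_has_alias "$2" "$3" "$4"; then
        # Alias is taken; inspect it with "keytool -list -v" before replacing.
        echo "alias $4 already present in $2" >&2
        return 0
    fi
    # Keep a copy so the original store can be restored.
    if [ -f "$2" ]; then
        cp -p "$2" "$2.bak" || return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$4" -file "$1" \
        -keystore "$2" -storepass "$3" >/dev/null 2>&1 &&
    truststore_has_alias "$2" "$3" "$4"
}

# Usage: sh import_root.sh demo   (works in a temp directory, never on a live cacerts)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_constructed_root "$d/root.pem" &&
    import_root_ca "$d/root.pem" "$d/cacerts" changeit sm-root-ca &&
    echo "imported sm-root-ca into $d/cacerts"
fi
```
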
