Re: Single Sign on doesn't work after System Management Homepage update (2678 Views)
Frequent Advisor
PrzemekK
Posts: 39
Registered: ‎07-31-2012
Message 26 of 60 (3,102 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Please fix it ASAP.

 

After install HP SIM 7.1, generate CSR , send to PKI and install Cert to HP SIM from PKI.

Next every server with SMH (with PKI certificate) higher than 7.0.0.24 SSO dont work.

It is included with HP SIM itself and version control repository.

HP SIM have SMH in 7.1.0.17 version. Can we downgrade SMH on hp sim server to 7.0.0.24 ?

 

 

How to make SSO work on HP SMH 7.1.1.1

 

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 27 of 60 (3,098 Views)

Re: Single Sign on doesn't work after System Management Homepage update

[ Edited ]

7.0.0.24 does not show the problem. But, I don't know if you can downgrade or have to uninstall/install.

 

Jens

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 28 of 60 (3,027 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

does anyone have any news about this issue?

I cannot replicate anymore agent settings from HP VCA through HP SIM because the SSO isn't working anymore.

And a downgrade to HP SMH 7.0 is not really a solution for us since SMH 7.1.1.1 has fixed several security issues:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

 

Regards,

Ville

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 29 of 60 (3,024 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I was waiting for a response from ICS - he claimed that he raised a case with HP. But, i just realized that he solved the problem. Problem is not solved for me.

 

So I think we need another guy which opens a case. I'm quite busy at the moment so I would prefer not to do it by myself.

 

Jens

Advisor
Marcus Svensson
Posts: 14
Registered: ‎06-20-2011
Message 30 of 60 (3,002 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

I have also run in to this problem after upgrading to HP SIM 7.1. I need to upgrade HP servers FW and this we do with the help of HP SIM. After the upgrade to 7.1 the SSO is not working to the SMH and when I try to push FW from HP SIM to other HP servers the trust is no longer in place.

I have opened a case  with HP and we will work on the issue during this week (week 34).

 

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 31 of 60 (3,003 Views)

Re: Single Sign on doesn't work after System Management Homepage update

hi,

 

I've also a case open at HP.

I'll update you if I have any news.

 

Regards,

Ville

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 32 of 60 (3,007 Views)

Re: Single Sign on doesn't work after System Management Homepage update

[ Edited ]

only news I have until now is: it's a known problem at HP ...

but the workaround they provided me so far doesn't work so we'll have another virtual room session today.

 

Occasional Visitor
adileso
Posts: 2
Registered: ‎08-22-2012
Message 33 of 60 (2,999 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I tried your workaround also without success.

For both CA certificate and  latest base CRL I also renamed the file extension to .pem

 

 

Advisor
Marcus Svensson
Posts: 14
Registered: ‎06-20-2011
Message 34 of 60 (2,915 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

I have also not recived any solution from HP regarding this issue. I have noticed that SSO is working to target servers that have an older versoion of SMH. I can push the HP SIM certificate to all SMH but the SSO is only working on old SMH version i.e. HP System Management Homepage v2.1.11.197. Has anyone else seens this behaiver?

 

BR

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 35 of 60 (2,904 Views)

Re: Single Sign on doesn't work after System Management Homepage update

The issue appears as soon as you want to SSO to a SMH with Version 7.x

It looks like my case is now dispatched to the developer team since L2 couldn't help...

 

Regular Advisor
Jason Salgado
Posts: 92
Registered: ‎06-01-2009
Message 36 of 60 (2,820 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Arrrgghhh.

 

We were running 7.1 and upgraded to the 7.11 hotfix and now we can't even log into the local SMHs.

Is there anyway to uninstall this hotfix???

Regular Advisor
Jason Salgado
Posts: 92
Registered: ‎06-01-2009
Message 37 of 60 (2,816 Views)

Re: Single Sign on doesn't work after System Management Homepage update

OK.  So far the only way I'm able to temp fix this was to do the following for SSO to work.

 

I had a custom collection of servers set up.

Went to Configure or Repair Agents, skipped the first screen and selected set Trust by Certificate.

Ran it and it imported the new cert to the client servers.  SSO seems to work again... At least for the servers I pushed this to.

Frequent Advisor
PrzemekK
Posts: 39
Registered: ‎07-31-2012
Message 38 of 60 (2,703 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Any updates about SSO fix ? We have v7.1.1.1 and SSO wont work with certificates from AD PKI
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 39 of 60 (2,693 Views)

Re: Single Sign on doesn't work after System Management Homepage update

It's a really exhausting issue! I wait since three months for a working solution!

Currently my SSO works with a 1024 Bit self-signed certificate from SIM...

Advisor
Marcus Svensson
Posts: 14
Registered: ‎06-20-2011
Message 40 of 60 (2,688 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

The information I have recived from HP is that they are currently working on a solution but they do not have any dates when a fix will be avalible. I have also had this isuue for several month now.

Occasional Visitor
Maciej_Szuba
Posts: 1
Registered: ‎10-03-2012
Message 41 of 60 (2,678 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

Could you try this solution:

 

1. Create directory where you copy certificate and CRL

  a) New-Item C:\WorkArea\CaFiles -type directory

  b) New-Item C:\WorkArea\CaFiles\cacerts -type directory

  c) New-Item C:\WorkArea\CaFiles\cacrls -type directory

 

2.Get your rootca and/or subca certificate, and copy to cacerts directory.

But this certificates should have PEM( ASCII base64) format and extension cer!!!  Important is this file should be PEM text file, not binary format like DER. You can use this command openssl x509 -in cert.cer-text -noout to check this. If You obtain error like this:

unable to load certificate

13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

that  means you have, not correct format. You could convert using   openssl x509 -in cert.crt -inform der -outform pem -out cert.cer

 

3. Get your rootca and/or subca CRL , and copy to cacrls directory. But this CRL should have PEM( ASCII base64) format and extension crl!!!

You can check crl have correct format using  openssl.exe crl -text -noout -in .\cacrl.crl

If You obtain error like this:
unable to load CRL
13644:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:647:Expecting: X509 CRL

that  means you have, not correct format. You could convert using  openssl crl -inform DER -in crl.crl -outform PEM-out crl_.crl

 

4. When you copy certificate and crl,  you should inform HP System Management Homepage, about this
 using cmd:  C:\hp\hpsmh\bin\smhconfig.exe -W C:\WorkArea\CaFiles, and restart service C:\hp\hpsmh\bin\smhconfig.exe -r

 

5. From HPSIM connect to managed node System Management Homepage, import certificates to Trusted Managment Servers(if you must).

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 42 of 60 (2,624 Views)

Re: Single Sign on doesn't work after System Management Homepage update

This does not really sound like a solution to me.

I found entries in the smh logfiles that SMH was not able to check the certificate against a CRL.

The URI for CRLs in the certicates issued from my CA are valid and I'm able to get a current CRL using that URI.

It makes no sense for me to copy the CRL manually to my servers. It is also an very unusual behaviour for software to deny access if the CRL of a certificate can't be checked...

 

Please HP: Fix that ASAP

 

Jens

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 43 of 60 (2,608 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

the steps provided by Maciej_Szuba what also what HP support provided me in the case I've opened.

But until know I couldn't bring this to work like this.

I also told HP yesterday that even if this works, this isn't a solution for enterprise customers like us who manage >1000 servers with HP SIM (no manager would like to pay the afford for going on every of the server and making these manual steps...!)

 

So I'm know again waiting for update from HP and until this is fixed I'll have to logon to every SMH manually to which I connect through HP SIM.

 

regards,

Ville

Frequent Advisor
PrzemekK
Posts: 39
Registered: ‎07-31-2012
Message 44 of 60 (2,569 Views)

Re: Single Sign on doesn't work after System Management Homepage update

This procedure is good, but it is not solution. Because crls will expiry in 2 weeks etc.

 

We needed convert crls

openssl crl -inform DER -in crl.crl -outform PEM-out crl_.crl

 

And export certs to base64

 

My HP System Management Homepage v7.1.2.3

Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 45 of 60 (2,515 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 46 of 60 (2,511 Views)

Re: Single Sign on doesn't work after System Management Homepage update

As hubert J. Farnsworth would say:

 

Good news everyone!

 

The customer advisory says clearly that HP will not fix this issue.

It worked for me at least. But, it is a pain to touch every server!

 

It seems like HPSMH downloads the CRL at every start after you walked through the steps once. But as I see it they messed it up the first time...

 

Jens

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 47 of 60 (2,490 Views)

Re: Single Sign on doesn't work after System Management Homepage update

This is ridiculous if they don't fix this in future releases...

With this manual steps HP SMH isn't anymore Enterprise suitable IMO since you have to do much manual steps on EACH managed system!

 

But one thing isn't clear for me: Since they're only talking about CA certificate, what if you use a self signed certificate which doesn't have root certificates and CRLs? Is it then the same way as before or do you also have to manually add the certificate locally and run the smhconfig commands?

 

Regards,

Ville

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 48 of 60 (2,486 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Sorry, I have to add that - also stated otherwise on Tuesday - it did not work for me. After logging off I still get the message that the certicate is revoked...
I will open an case with HP now.

Jens
Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 49 of 60 (2,481 Views)

Re: Single Sign on doesn't work after System Management Homepage update

just had a VR session and the simplest thing to solve this problem is to use only a self signed certificate created by the SIM Server... (even if our company security maybe won't like that)

meanwhile HP is looking at my CA certificate files to find out what is wrong with them.

Occasional Visitor
Curt-H
Posts: 1
Registered: ‎11-27-2012
Message 50 of 60 (2,396 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I upgraded to HP System Management Homepage v7.1.2.3 on a few servers. Some servers recognize that my cert is self-signed and lets SSO work. Another server thinks it's issued from a CA and SSO fails.

 

Server 1
CRITICAL 11/27/2012 4:26:37 PM Trusted certificate used for SSO is either revoked or SMH failed to verify it against CRL
Server 2:
INFORMATIONAL 11/27/2012 4:31:53 PM Certificate verification message: self_signed_certificate

What do I do now? Why would one server allow SSO and another not. The cert is exactly the same, I checked. 

 

Curt

 

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.