Re: Single Sign on doesn't work after System Management Homepage update (2460 Views)
Frequent Advisor
PrzemekK
Posts: 39
Registered: ‎07-31-2012
Message 26 of 60 (2,884 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Please fix it ASAP.

 

After installing HP SIM 7.1, generate CSR, send to PKI and install cert to HP SIM from PKI.

Next, on every server with SMH (with PKI certificate) higher than 7.0.0.24, SSO doesn't work.

It is included with HP SIM itself and version control repository.

HP SIM has SMH in version 7.1.0.17. Can we downgrade SMH on the HP SIM server to 7.0.0.24?

How to make SSO work on HP SMH 7.1.1.1?

 

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 27 of 60 (2,880 Views)

Re: Single Sign on doesn't work after System Management Homepage update


7.0.0.24 does not show the problem. But, I don't know if you can downgrade or have to uninstall/install.

 

Jens

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 28 of 60 (2,809 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

does anyone have any news about this issue?

I cannot replicate anymore agent settings from HP VCA through HP SIM because the SSO isn't working anymore.

And a downgrade to HP SMH 7.0 is not really a solution for us since SMH 7.1.1.1 has fixed several security issues:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

 

Regards,

Ville

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 29 of 60 (2,806 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I was waiting for a response from ICS - he claimed that he raised a case with HP. But I just realized that he solved the problem. The problem is not solved for me.

So I think we need another guy who opens a case. I'm quite busy at the moment so I would prefer not to do it myself.

 

Jens

Advisor
Marcus Svensson
Posts: 14
Registered: ‎06-20-2011
Message 30 of 60 (2,784 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

I have also run into this problem after upgrading to HP SIM 7.1. I need to upgrade HP servers' FW, and this we do with the help of HP SIM. After the upgrade to 7.1 the SSO is not working to the SMH, and when I try to push FW from HP SIM to other HP servers the trust is no longer in place.

I have opened a case with HP and we will work on the issue during this week (week 34).

 

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 31 of 60 (2,785 Views)

Re: Single Sign on doesn't work after System Management Homepage update

hi,

 

I've also a case open at HP.

I'll update you if I have any news.

 

Regards,

Ville

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 32 of 60 (2,789 Views)

Re: Single Sign on doesn't work after System Management Homepage update


The only news I have until now is: it's a known problem at HP ...

But the workaround they provided me so far doesn't work, so we'll have another virtual room session today.

 

Occasional Visitor
adileso
Posts: 2
Registered: ‎08-22-2012
Message 33 of 60 (2,781 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I tried your workaround also without success.

For both the CA certificate and the latest base CRL I also renamed the file extension to .pem

 

 

Advisor
Marcus Svensson
Posts: 14
Registered: ‎06-20-2011
Message 34 of 60 (2,697 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

I have also not received any solution from HP regarding this issue. I have noticed that SSO is working to target servers that have an older version of SMH. I can push the HP SIM certificate to all SMH but the SSO is only working on old SMH versions, i.e. HP System Management Homepage v2.1.11.197. Has anyone else seen this behaviour?

 

BR

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 35 of 60 (2,686 Views)

Re: Single Sign on doesn't work after System Management Homepage update

The issue appears as soon as you want to SSO to an SMH with version 7.x.

It looks like my case is now dispatched to the developer team since L2 couldn't help...

 

Regular Advisor
Jason Salgado
Posts: 92
Registered: ‎06-01-2009
Message 36 of 60 (2,602 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Arrrgghhh.

 

We were running 7.1 and upgraded to the 7.11 hotfix and now we can't even log into the local SMHs.

Is there any way to uninstall this hotfix???

Regular Advisor
Jason Salgado
Posts: 92
Registered: ‎06-01-2009
Message 37 of 60 (2,598 Views)

Re: Single Sign on doesn't work after System Management Homepage update

OK.  So far the only way I'm able to temp fix this was to do the following for SSO to work.

 

I had a custom collection of servers set up.

Went to Configure or Repair Agents, skipped the first screen and selected set Trust by Certificate.

Ran it and it imported the new cert to the client servers.  SSO seems to work again... At least for the servers I pushed this to.

Frequent Advisor
PrzemekK
Posts: 39
Registered: ‎07-31-2012
Message 38 of 60 (2,485 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Any updates about the SSO fix? We have v7.1.1.1 and SSO won't work with certificates from AD PKI.
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 39 of 60 (2,475 Views)

Re: Single Sign on doesn't work after System Management Homepage update

It's a really exhausting issue! I have been waiting for three months for a working solution!

Currently my SSO works with a 1024 Bit self-signed certificate from SIM...

Advisor
Marcus Svensson
Posts: 14
Registered: ‎06-20-2011
Message 40 of 60 (2,470 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

The information I have received from HP is that they are currently working on a solution but they do not have any dates for when a fix will be available. I have also had this issue for several months now.

Occasional Visitor
Maciej_Szuba
Posts: 1
Registered: ‎10-03-2012
Message 41 of 60 (2,460 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

Could you try this solution:

 

1. Create a directory to which you copy the certificate and CRL:

  a) New-Item C:\WorkArea\CaFiles -type directory

  b) New-Item C:\WorkArea\CaFiles\cacerts -type directory

  c) New-Item C:\WorkArea\CaFiles\cacrls -type directory

2. Get your rootca and/or subca certificate, and copy it to the cacerts directory.

But these certificates should have PEM (ASCII base64) format and the extension cer!!! It is important that this file is a PEM text file, not a binary format like DER. You can use this command to check this:

  openssl x509 -in cert.cer -text -noout

If you get an error like this:

unable to load certificate

13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

that means you do not have the correct format. You could convert using:

  openssl x509 -in cert.crt -inform der -outform pem -out cert.cer

3. Get your rootca and/or subca CRL, and copy it to the cacrls directory. But this CRL should have PEM (ASCII base64) format and the extension crl!!!

You can check that the CRL has the correct format using:

  openssl.exe crl -text -noout -in .\cacrl.crl

If you get an error like this:

unable to load CRL
13644:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:647:Expecting: X509 CRL

that means you do not have the correct format. You could convert using:

  openssl crl -inform DER -in crl.crl -outform PEM -out crl_.crl

4. When you have copied the certificate and CRL, you should inform HP System Management Homepage about this using cmd: C:\hp\hpsmh\bin\smhconfig.exe -W C:\WorkArea\CaFiles, and restart the service: C:\hp\hpsmh\bin\smhconfig.exe -r

5. From HPSIM connect to the managed node's System Management Homepage, import certificates to Trusted Management Servers (if you must).
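
The procedure in the post above, scripted as an added example (not part of the original post and not HP's code): it stages every CA certificate and CRL from a drop folder as PEM, converting from DER only when the PEM header is missing, then runs the two smhconfig commands. The `$Source` folder, the function names and openssl being on PATH are assumptions; the directory layout, openssl conversions and smhconfig switches are the ones quoted in the post.

```powershell
# Added example, not from the thread: stage CA certificates and CRLs for SMH as PEM.
# Directory layout, openssl commands and smhconfig switches are those quoted in the
# post; $Source and the function names are hypothetical. Assumes openssl is on PATH.
param(
    [string]$Source    = 'C:\WorkArea\Incoming',   # hypothetical folder holding the CA's files
    [string]$CaFiles   = 'C:\WorkArea\CaFiles',
    [string]$SmhConfig = 'C:\hp\hpsmh\bin\smhconfig.exe'
)
$ErrorActionPreference = 'Stop'

function Test-PemFile([string]$Path, [string]$Label) {
    # PEM is text with a "-----BEGIN <label>-----" line; DER is binary and has none.
    [bool](Select-String -LiteralPath $Path -Pattern "^-----BEGIN $Label-----" -Quiet)
}

function Copy-AsPem([string]$In, [string]$OutDir, [string]$Kind) {
    # $Kind is the openssl subcommand: 'x509' for certificates, 'crl' for CRLs.
    if ($Kind -eq 'crl') { $label = 'X509 CRL';    $ext = '.crl' }
    else                 { $label = 'CERTIFICATE'; $ext = '.cer' }
    $name = [IO.Path]::ChangeExtension((Split-Path $In -Leaf), $ext)
    $out  = Join-Path $OutDir $name
    if (Test-PemFile $In $label) {
        Copy-Item -LiteralPath $In -Destination $out -Force
    } else {
        # No PEM header: treat the input as DER and convert (steps 2 and 3).
        & openssl $Kind -inform DER -in $In -outform PEM -out $out
        if ($LASTEXITCODE -ne 0) { throw "openssl could not convert $In" }
    }
    if (-not (Test-PemFile $out $label)) { throw "$out is not PEM" }
    if ($Kind -eq 'crl') {
        # Print nextUpdate so the expiry of the staged CRL copy is visible.
        & openssl crl -in $out -noout -nextupdate
    }
}

$certDir = Join-Path $CaFiles 'cacerts'
$crlDir  = Join-Path $CaFiles 'cacrls'
New-Item -ItemType Directory -Force -Path $certDir, $crlDir | Out-Null   # step 1

foreach ($f in Get-ChildItem -LiteralPath $Source -File) {
    if ($f.Extension -eq '.crl') { Copy-AsPem $f.FullName $crlDir 'crl' }
    elseif ($f.Extension -in '.cer', '.crt') { Copy-AsPem $f.FullName $certDir 'x509' }
}

& $SmhConfig -W $CaFiles    # step 4: point SMH at the CA files
& $SmhConfig -r             # step 4: restart the SMH service
```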

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 42 of 60 (2,406 Views)

Re: Single Sign on doesn't work after System Management Homepage update

This does not really sound like a solution to me.

I found entries in the smh logfiles that SMH was not able to check the certificate against a CRL.

The URIs for CRLs in the certificates issued from my CA are valid and I'm able to get a current CRL using that URI.

It makes no sense for me to copy the CRL manually to my servers. It is also a very unusual behaviour for software to deny access if the CRL of a certificate can't be checked...

 

Please HP: Fix that ASAP

 

Jens

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 43 of 60 (2,390 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

the steps provided by Maciej_Szuba are also what HP support provided me in the case I've opened.

But until now I couldn't bring this to work like this.

I also told HP yesterday that even if this works, this isn't a solution for enterprise customers like us who manage >1000 servers with HP SIM (no manager would like to pay for the effort of going onto every one of the servers and making these manual steps...!)

So I'm now again waiting for an update from HP, and until this is fixed I'll have to log on manually to every SMH to which I connect through HP SIM.

 

regards,

Ville

Frequent Advisor
PrzemekK
Posts: 39
Registered: ‎07-31-2012
Message 44 of 60 (2,351 Views)

Re: Single Sign on doesn't work after System Management Homepage update

This procedure is good, but it is not a solution, because CRLs will expire in 2 weeks etc.

We needed to convert the CRLs:

openssl crl -inform DER -in crl.crl -outform PEM -out crl_.crl

 

And export certs to base64

 

My HP System Management Homepage v7.1.2.3

Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 45 of 60 (2,297 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 46 of 60 (2,293 Views)

Re: Single Sign on doesn't work after System Management Homepage update

As Hubert J. Farnsworth would say:

 

Good news everyone!

 

The customer advisory says clearly that HP will not fix this issue.

It worked for me at least. But, it is a pain to touch every server!

 

It seems like HPSMH downloads the CRL at every start after you walked through the steps once. But as I see it they messed it up the first time...

 

Jens

Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 47 of 60 (2,272 Views)

Re: Single Sign on doesn't work after System Management Homepage update

This is ridiculous if they don't fix this in future releases...

With these manual steps HP SMH isn't Enterprise suitable anymore IMO, since you have to do many manual steps on EACH managed system!

 

But one thing isn't clear for me: Since they're only talking about CA certificate, what if you use a self signed certificate which doesn't have root certificates and CRLs? Is it then the same way as before or do you also have to manually add the certificate locally and run the smhconfig commands?

 

Regards,

Ville

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 48 of 60 (2,268 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Sorry, I have to add that - although I stated otherwise on Tuesday - it did not work for me. After logging off I still get the message that the certificate is revoked...
I will open a case with HP now.

Jens
Valued Contributor
SwisspostIT
Posts: 178
Registered: ‎02-20-2012
Message 49 of 60 (2,263 Views)

Re: Single Sign on doesn't work after System Management Homepage update

just had a VR session and the simplest thing to solve this problem is to use only a self signed certificate created by the SIM Server... (even if our company security maybe won't like that)

meanwhile HP is looking at my CA certificate files to find out what is wrong with them.

Occasional Visitor
Curt-H
Posts: 1
Registered: ‎11-27-2012
Message 50 of 60 (2,178 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I upgraded to HP System Management Homepage v7.1.2.3 on a few servers. Some servers recognize that my cert is self-signed and let SSO work. Another server thinks it's issued from a CA and SSO fails.

 

Server 1
CRITICAL 11/27/2012 4:26:37 PM Trusted certificate used for SSO is either revoked or SMH failed to verify it against CRL
Server 2:
INFORMATIONAL 11/27/2012 4:31:53 PM Certificate verification message: self_signed_certificate

What do I do now? Why would one server allow SSO and another not? The cert is exactly the same, I checked.

 

Curt

 
