08-01-2012 12:23 PM
Please fix it ASAP.
After install HP SIM 7.1, generate CSR , send to PKI and install Cert to HP SIM from PKI.
Next every server with SMH (with PKI certificate) higher than 220.127.116.11 SSO dont work.
It is included with HP SIM itself and version control repository.
HP SIM have SMH in 18.104.22.168 version. Can we downgrade SMH on hp sim server to 22.214.171.124 ?
How to make SSO work on HP SMH 126.96.36.199
08-01-2012 11:09 PM - edited 08-01-2012 11:10 PM
188.8.131.52 does not show the problem. But, I don't know if you can downgrade or have to uninstall/install.
08-16-2012 07:05 AM
does anyone have any news about this issue?
I cannot replicate anymore agent settings from HP VCA through HP SIM because the SSO isn't working anymore.
And a downgrade to HP SMH 7.0 is not really a solution for us since SMH 184.108.40.206 has fixed several security issues:
08-16-2012 07:15 AM
I was waiting for a response from ICS - he claimed that he raised a case with HP. But, i just realized that he solved the problem. Problem is not solved for me.
So I think we need another guy which opens a case. I'm quite busy at the moment so I would prefer not to do it by myself.
08-20-2012 01:07 AM
I have also run in to this problem after upgrading to HP SIM 7.1. I need to upgrade HP servers FW and this we do with the help of HP SIM. After the upgrade to 7.1 the SSO is not working to the SMH and when I try to push FW from HP SIM to other HP servers the trust is no longer in place.
I have opened a case with HP and we will work on the issue during this week (week 34).
08-21-2012 11:57 PM - edited 08-29-2012 03:50 AM
only news I have until now is: it's a known problem at HP ...
but the workaround they provided me so far doesn't work so we'll have another virtual room session today.
08-22-2012 06:30 AM
I tried your workaround also without success.
For both CA certificate and latest base CRL I also renamed the file extension to .pem
09-02-2012 11:57 PM
I have also not recived any solution from HP regarding this issue. I have noticed that SSO is working to target servers that have an older versoion of SMH. I can push the HP SIM certificate to all SMH but the SSO is only working on old SMH version i.e. HP System Management Homepage v220.127.116.11. Has anyone else seens this behaiver?
09-03-2012 06:26 AM
The issue appears as soon as you want to SSO to a SMH with Version 7.x
It looks like my case is now dispatched to the developer team since L2 couldn't help...
09-14-2012 11:39 AM
We were running 7.1 and upgraded to the 7.11 hotfix and now we can't even log into the local SMHs.
Is there anyway to uninstall this hotfix???
09-14-2012 12:06 PM
OK. So far the only way I'm able to temp fix this was to do the following for SSO to work.
I had a custom collection of servers set up.
Went to Configure or Repair Agents, skipped the first screen and selected set Trust by Certificate.
Ran it and it imported the new cert to the client servers. SSO seems to work again... At least for the servers I pushed this to.
10-01-2012 10:30 PM
It's a really exhausting issue! I wait since three months for a working solution!
Currently my SSO works with a 1024 Bit self-signed certificate from SIM...
10-02-2012 02:07 AM
The information I have recived from HP is that they are currently working on a solution but they do not have any dates when a fix will be avalible. I have also had this isuue for several month now.
10-03-2012 02:19 AM
Could you try this solution:
1. Create directory where you copy certificate and CRL
a) New-Item C:\WorkArea\CaFiles -type directory
b) New-Item C:\WorkArea\CaFiles\cacerts -type directory
c) New-Item C:\WorkArea\CaFiles\cacrls -type directory
2.Get your rootca and/or subca certificate, and copy to cacerts directory.
But this certificates should have PEM( ASCII base64) format and extension cer!!! Important is this file should be PEM text file, not binary format like DER. You can use this command openssl x509 -in cert.cer-text -noout to check this. If You obtain error like this:
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
that means you have, not correct format. You could convert using openssl x509 -in cert.crt -inform der -outform pem -out cert.cer
3. Get your rootca and/or subca CRL , and copy to cacrls directory. But this CRL should have PEM( ASCII base64) format and extension crl!!!
You can check crl have correct format using openssl.exe crl -text -noout -in .\cacrl.crl
If You obtain error like this:
unable to load CRL
13644:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:647:Expecting: X509 CRL
that means you have, not correct format. You could convert using openssl crl -inform DER -in crl.crl -outform PEM-out crl_.crl
4. When you copy certificate and crl, you should inform HP System Management Homepage, about this
using cmd: C:\hp\hpsmh\bin\smhconfig.exe -W C:\WorkArea\CaFiles, and restart service C:\hp\hpsmh\bin\smhconfig.exe -r
5. From HPSIM connect to managed node System Management Homepage, import certificates to Trusted Managment Servers(if you must).
10-09-2012 12:13 AM
This does not really sound like a solution to me.
I found entries in the smh logfiles that SMH was not able to check the certificate against a CRL.
The URI for CRLs in the certicates issued from my CA are valid and I'm able to get a current CRL using that URI.
It makes no sense for me to copy the CRL manually to my servers. It is also an very unusual behaviour for software to deny access if the CRL of a certificate can't be checked...
Please HP: Fix that ASAP
10-10-2012 07:12 AM
the steps provided by Maciej_Szuba what also what HP support provided me in the case I've opened.
But until know I couldn't bring this to work like this.
I also told HP yesterday that even if this works, this isn't a solution for enterprise customers like us who manage >1000 servers with HP SIM (no manager would like to pay the afford for going on every of the server and making these manual steps...!)
So I'm know again waiting for update from HP and until this is fixed I'll have to logon to every SMH manually to which I connect through HP SIM.
10-15-2012 02:38 AM
This procedure is good, but it is not solution. Because crls will expiry in 2 weeks etc.
We needed convert crls
openssl crl -inform DER -in crl.crl -outform PEM-out crl_.crl
And export certs to base64
My HP System Management Homepage v18.104.22.168
10-23-2012 02:00 AM
HP released a CUSTOMER ADVISORY:
10-23-2012 04:29 AM
As hubert J. Farnsworth would say:
Good news everyone!
The customer advisory says clearly that HP will not fix this issue.
It worked for me at least. But, it is a pain to touch every server!
It seems like HPSMH downloads the CRL at every start after you walked through the steps once. But as I see it they messed it up the first time...
10-25-2012 12:49 AM
This is ridiculous if they don't fix this in future releases...
With this manual steps HP SMH isn't anymore Enterprise suitable IMO since you have to do much manual steps on EACH managed system!
But one thing isn't clear for me: Since they're only talking about CA certificate, what if you use a self signed certificate which doesn't have root certificates and CRLs? Is it then the same way as before or do you also have to manually add the certificate locally and run the smhconfig commands?
10-25-2012 02:46 AM
I will open an case with HP now.
10-25-2012 05:28 AM
just had a VR session and the simplest thing to solve this problem is to use only a self signed certificate created by the SIM Server... (even if our company security maybe won't like that)
meanwhile HP is looking at my CA certificate files to find out what is wrong with them.
11-27-2012 01:38 PM
I upgraded to HP System Management Homepage v22.214.171.124 on a few servers. Some servers recognize that my cert is self-signed and lets SSO work. Another server thinks it's issued from a CA and SSO fails.
CRITICAL 11/27/2012 4:26:37 PM Trusted certificate used for SSO is either revoked or SMH failed to verify it against CRL
INFORMATIONAL 11/27/2012 4:31:53 PM Certificate verification message: self_signed_certificate
What do I do now? Why would one server allow SSO and another not. The cert is exactly the same, I checked.