Single Sign on doesn't work after System Management Homepage update (6724 Views)
Reply
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 1 of 60 (6,724 Views)

Single Sign on doesn't work after System Management Homepage update

Hi all

 

We use our HP SIM with a certificate from our CA and distribute this certificate to all of our servers, which are running a SMH.

The SMH trusts by certificate and the SIM server is known as the trusted management server with this certificate. With the SMH versions 6.3.1.24 and 7.0.0.24 it was possible to use the SSO from SIM to acces the SMH. After updating to the newest Version 7.1.1.1 it is no longer possible to use the SSO and I found this errors in the SMHlog:

 

CRITICAL

Trusted certificate used for SSO is either revoked or SMH failed to verifiy it against CRL

 

MAJOR

 Certificate verification message: uanble_to_get_local_issuer_certificate

 

WARNING

Secure Task Execution User:auto_generated was DENIED acces to System Management Homepage to invoke target URL=/Proxy/STE

 

Does anyone know this problem?

 

Thanks a lot

nik

 

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 2 of 60 (6,697 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi nik,

 

I know this problem - but not the solution, sorry.

 

i tried so far to create a new certificate for SIM and even renewed the CA certificate to get rid of a URL with file://... for the CRL.

As far as I can remember HP changed OpenSSL to a newer version with this release of SMH.

 

jens

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 3 of 60 (6,676 Views)

Re: Single Sign on doesn't work after System Management Homepage update

hello nik.

 

the next thing I tried was to look closer at the new SIM 7.1. There is an option how the agents should check for revoked certificates (e.g. is the CA available for the agents or has the SIM a copy of the CRL).

I installed a complete new SIM 7.1 and a new server with the current agents but had no luck at all to get this working.

 

So my conclusion for the moment is once more: HP broke it, HP should fix it.

 

Jens

Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 4 of 60 (6,669 Views)

Re: Single Sign on doesn't work after System Management Homepage update

hello jens

 

Thanks for your informations.

I also upgraded to SIM 7.1 and tried to configure the Certificate Revocation Check but the probles is still the same.

 

I am agree with you about HP....

 

nik

Occasional Visitor
referencepoint
Posts: 1
Registered: ‎07-06-2012
Message 5 of 60 (6,628 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I've just come across this issue too, after upgrading to SIM 7.1 and updating my servers with SMH 7.1.1.1.

 

Hugely annoying to not have SSO working for any system now - this needs fixing ASAP HP!

Honored Contributor
Bart_Heungens
Posts: 694
Registered: ‎10-26-2005
Message 6 of 60 (6,626 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

Just to inform you all that I have no such problems... Have 2 independent SIM environments running with the latest SMH and SIM 7.1 and do not have the SSO problem...

 

 

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !
My blog: http://blog.bitcon.be
Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 7 of 60 (6,617 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi Bart,

 

are you using a CA in these environments and what kind of CA? Are you copying the CRLs to the SIM servers?

 

Jens

Honored Contributor
Bart_Heungens
Posts: 694
Registered: ‎10-26-2005
Message 8 of 60 (6,615 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi Jens,

 

No I am not using a separate CA...

 

 

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !
My blog: http://blog.bitcon.be
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 9 of 60 (6,582 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

I fixed the problem with the CRL by signing a new SIM Certificate (2048) with my CA.

But the next problem is already here:

The SIM server uses a self-signing certificate (1024) for the SSO and not my new cert from the CA.

 

Is this a new thing with SIM 7 or why does he take this one?

 

nik

 

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 10 of 60 (6,579 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

did you changed to SIM certificate or the SMH certificate of the SIM server?

 

SIM certificates must be changed in SIM (Options / Security / HP Systems Insight Manager Server Certificate) using the button "Import" where you can create a new request and import it later.

 

After import the SIM has to be rebooted.

 

I also tried to generate a new CA signed certificate for the SIM (and even setting up a complete new SIM) but had no luck...

 

Jens

Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 11 of 60 (6,577 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi

 

I changed the SIM certificate as you described it. And I also imported the new SIM certificate as trusted management server in the SMH.

 

nik

Frequent Advisor
ICS
Posts: 38
Registered: ‎06-28-2011
Message 12 of 60 (6,559 Views)

Re: Single Sign on doesn't work after System Management Homepage update

There appears to be a compatibility issues as I am having the same issue with hpsmhd 7.1.0.17 and SIM 6.3. I raised the issue with HP..workaround appears to be deleting the certificate and pulling it from the CMS.
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 13 of 60 (6,557 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Good morning

 

What do you mean with deleting the certificate and pulling it from the CMS?

Deleting the Trusted certificate on the SMH? Pulling by Agent repair?

 

thx

 

nik

Occasional Advisor
IT_SCAC
Posts: 5
Registered: ‎07-11-2012
Message 14 of 60 (6,531 Views)

Re: Single Sign on doesn't work after System Management Homepage update

[ Edited ]

I have same problem. After upgrade to SIM 7.1 and SMH v7.1.1.1 can't login via SSO.

SIM have certificate issued by enterprise CA. It include correct CRL URL path.
WIth SMH v6.3.1.24 all work perfect.

What else need options to get SSO work? 

Frequent Advisor
ICS
Posts: 38
Registered: ‎06-28-2011
Message 15 of 60 (6,522 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I deleted the certificate from the SMH under security...then used the get server option to pull the trusted mgmt server cert. I was immediately able to SSO from SIM
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 16 of 60 (6,522 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Hi IT_SCAC

 

How long is the key lenght of your SIM certificate?

 

Have you tried to reimport the SIM certificate to the trusted server on the smh?

 

greez

 

Occasional Advisor
IT_SCAC
Posts: 5
Registered: ‎07-11-2012
Message 17 of 60 (6,515 Views)

Re: Single Sign on doesn't work after System Management Homepage update

1024
Yes i try reimport via quick repair.
Occasional Advisor
IT_SCAC
Posts: 5
Registered: ‎07-11-2012
Message 18 of 60 (6,509 Views)

Re: Single Sign on doesn't work after System Management Homepage update

I just create new certificate with 2048 bit and SSO is worked!!!
Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 19 of 60 (6,488 Views)

Re: Single Sign on doesn't work after System Management Homepage update

[ Edited ]

hello

 

This works for me too but when I see the details of the trusted certificate on the smh I see that he takes a self-signed certificate:

 

 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: xxxxxxxxxx (xxxxxxxxxx) (For your security, I have removed the serial number from your post above - that's information you probably don't want to make publicly available - HP Forums Moderator)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Palo Alto, O=Hewlett-Packard Company, OU=Hewlett-Packard Network Management Software, CN=srvname.com
        Validity
            Not Before: Jun  5 11:47:11 2012 GMT
            Not After : Jun  6 11:47:11 2022 GMT
        Subject: C=US, ST=California, L=Palo Alto, O=Hewlett-Packard Company, OU=Hewlett-Packard Network Management Software, CN=srvname.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

 

 

Do you have the same effect or does it takes your CA-signed SIM-certificate?

 

thx

 

nik

Frequent Advisor
Jens Ey
Posts: 44
Registered: ‎11-30-2007
Message 20 of 60 (6,484 Views)

Re: Single Sign on doesn't work after System Management Homepage update


ICS wrote:
I deleted the certificate from the SMH under security...then used the get server option to pull the trusted mgmt server cert. I was immediately able to SSO from SIM

 Hi,

 

deleting the SIM certificate in the SMH of the other servers and reimporting them from the SIM didn't worked for me. It seems that SSO ist working because you are already logged in but if you sign out and restart your web browser SSO is not working. At leat not for me.

 

Jens

Occasional Advisor
smroczek
Posts: 9
Registered: ‎07-06-2012
Message 21 of 60 (6,446 Views)

Re: Single Sign on doesn't work after System Management Homepage update

[ Edited ]

I guess that the problem was already invastigated and worked around.

 

for windows: rename C:\hp\hpsmh\conf\smhCertDate.txt to smhCertDate.txt.OLD

for unix/linux/vmware: rename /opt/hp/hpsmh/conf/smhCertDate.txt to smhCertDate.txt.OLD

 

Then restart SMH service.

 

 

Let me know if that helped.

Occasional Advisor
IT_SCAC
Posts: 5
Registered: ‎07-11-2012
Message 22 of 60 (6,436 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Ploblem is back after i restart SMH. SSO broken again.
Renaming smhCertDate.txt is not help.
Occasional Advisor
smroczek
Posts: 9
Registered: ‎07-06-2012
Message 23 of 60 (6,431 Views)

Re: Single Sign on doesn't work after System Management Homepage update

Did you try to run Configure or Repair Agents and set the trust relationship again?

Advisor
consolero
Posts: 11
Registered: ‎06-22-2012
Message 24 of 60 (6,423 Views)

Re: Single Sign on doesn't work after System Management Homepage update

When I restart the SMH it creates exactly the same smhCertDate.txt again...

Valued Contributor
SwisspostIT
Posts: 181
Registered: ‎02-20-2012
Message 25 of 60 (6,192 Views)

Re: Single Sign on doesn't work after System Management Homepage update

did anyone solve this issue (without using a CA) ?

just tried following: deleted certificate in "Trusted Management servers" and pulled it from the HP SIM Server (pull was successfully).

but even after that i'm still not able to use SSO from HP SIM to login to the system...

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.