04-06-2012 09:14 AM
I just installed a new HP SIM 7 server to replace my old 6.3 system. So far everything went fine, but I also want to use the new feature from VCA 7, "by certificate".
On the HP SIM server locally it is working, but from all remote systems it is not. When I enter the credentials of my domain admin I get the support packs, so the basic config should be OK.
What do I miss to enable all my servers to authenticate via certificate for VCA?
Thanks a lot for your help!
04-11-2012 07:42 AM - edited 04-12-2012 07:35 AM
I have the exact same problem. Did a lot of fiddling around over the last day.
On the SMH I imported all the HP SIM management certs, and clicking from HP SIM to the agent HP SMH works without logging in.
In HP SIM, for version control, I assigned the baseline and it actually checked the software on the agent and showed the differences. GREAT!!
But from the agent SMH home page, clicking USING CERTIFICATE fails, while using userid and password works.
The specified repository, cmtcfcpwprmgt01.ibg.adroot.bmogc.net, is invalid or not reachable.
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 11 Apr 2012 14:31:56 GMT
Server: CompaqHTTPServer/9.9 HP System Management Homepage/184.108.40.206
04-16-2012 04:12 AM
Sorry, but is nobody from HP here that can explain how this feature works and what is needed?!? Did anybody find the documentation for the latest VCA? Unfortunately I only find one from 2003...
04-20-2012 02:39 PM
The documentation is all right here:
"HP Version Control supports Single Sign On (SSO) system that allows a trusted HP VCA the ability to connect to the HP VCRM without providing authentication details to login to HP VCRM's HP SMH. When the Using Certificate option is selected, HP SMH processes the SSO request depending on the Trust Mode selected. HP SMH obtains the HP VCA's HP SMH public certificate and uses it to validate the trust relationship. If HP SMH is unable to establish the trust relationship or cannot verify the security token, then HP VCA displays the following error message: The specified repository, VCRM IP, is invalid or not reachable."
04-23-2012 06:13 AM
At least we now have the attention of someone from HP! :) Thanks a lot!
The trust mode on the SMH is "by certificate". The certificate I use is the self-signed one created by the HP SIM setup.
Can you explain in detail what I should do/check to get this working? Are there any firewall ports we must take care of except 2301 and 2381?
Thanks a lot for your help!
04-23-2012 06:25 PM
I replicated what you all are reporting.
The VCA "Use Certificate" failed for me as well with the error "The specified repository, is invalid or not reachable", yet if I use Username and Password it connects fine, so my thinking is it's the certificate itself.
In dinking around SMH Settings --> Security --> Local Server Certificate under Current Certificate I added the IP address of the vcrm for giggles in the Alternate Names box.
Went back to VCA and it was connected so I don't know if that was the ticket or not but went to change agent settings to set a baseline and it passed Use Certificate for the login.
Tomorrow I am going to try and get some clarity on a few details that aren't real clear in both the VCA and SMH documentation. As soon as I find out I'll post back unless someone beats me to it.
04-25-2012 07:29 AM
I am having the same issue as Deas.h. I tried your solution by adding the IP under the Alternate Names box. No joy. I tried several servers with various info in the Alternate Names box as well as tried different certificates and no luck.
04-25-2012 07:45 AM
I didn't figure it would be that simple; I cleared mine out and SSO is still working. I have the question in to engineering, so we'll see what I can ascertain - whenever I can replicate an item like this internally they usually like to look at it; otherwise the only avenue is a support case.
05-15-2012 01:09 PM
I did hear back - Basically it is kinda backwards from what I think it should be
The SSO is a SMH hosting the VCA to SMH hosting the VCRM
The SMH hosting the VCRM needs to have the SMH Certificate of the SMH hosting the VCA
So for every VCA you want to have SSO to VCRM, you have to add the certificate of the SMH hosting the VCA
It is a manual process, so if you have 3000 VCAs you want to have SSO with the VCRM, you will need to install the certificate of each SMH hosting a VCA one at a time.
I suggested they flip the order so there was only 1 certificate to push out via HPSIM or if not using SIM can be installed pre-configured into the VCA.
Not sure if there will be much of a demand for it. What do you all think, is SSO for VCA to VCRM something you'd think important to have? I am not really sure I see the benefit of it beyond a simple convenience, but then again I don't have to deal with it everyday like you fine folks.
05-16-2012 08:11 AM
Thanks for your responses, Jim. I, too, am experiencing this exact problem with my recent upgrade to SIM 7 and some of the VCAgent versions to 220.127.116.110.
You asked "if SSO for VCA to VCRM [is] something you'd think important to have?" and my initial response would be "sure, whatever's the most secure and the least amount of work." But truly, in my environment, it's not that big of a deal to use the username and password since that's how we did it before. However, if HP's going to offer the "using certificate" option, it seems like it should be set up in a way that makes sense and is in line with how the other features work...we set "trust by certificate" on all the "client" SMHs and can push out that one important certificate (of the CMS, which is also the VCRM in my case) to all client SMHs. Why can't the version control repository's certificate, if different from the CMS machine, be pushed out the same way to all clients with the VCA?
I might be thinking about this SSO flow incorrectly, but it seems like the client needs to be sure it's getting updates from the correct, trusted repository more than the repository would need to verify it's communicating with trusted clients (and therefore have all of their certificates known to it).
That said, if nothing changes with the design of this "feature," and assuming I do manually want to install a certificate for each client VCA onto the VCRM, how would I actually go about doing that? I don't see a way (in the GUI) to import or view client certificates.
05-29-2012 04:44 AM
After having a little think about this: if you are running a proper Certificate Authority and you've imported the root certificate of the CA into the SMH that's hosting your VCRM, then any VCA client that has a local certificate from the same CA will automatically be trusted.
Therefore you won't need to manually import every client certificate into the VCRM.
06-26-2012 06:21 AM
I followed all steps mentioned about those certificates but do not get it running...
I can import the certificate from the SIM server under the VCA SMH under trusted management servers...
However VCA config using certificate does not work...
If I try to import the certificate from the VCA host on the SIM server (so the other way around), it says that the certificate cannot be found (since SIM is not installed on that server).
Where can I find the certificates from the SMH itself and not from the SIM server?
10-01-2012 12:06 PM
I'm getting the same results, could someone please post a way to get the trust going?
I tried the other link that I found where you copy the certificate from the smh to the vcrm and still nothing.
copy \\%computername%\c$\hp\sslshare\cert.pem \\vcrm\c$\hp\hpsmh\certs\%computername%.pem
01-29-2013 11:21 AM
On the VCA server go to C:\hp\sslshare and copy the file called cert.pem. If you don't see this file, simply go to Settings - Security - Local Certificate and click on Generate (without alternate names).
Option 1: On the VCRM server paste that file into the location c:\hp\hpsmh\certs and restart the SMH service.
Option 2: Open cert.pem and copy the contents, then paste them into the VCRM server's SMH under Trusted Management Servers -> Import Certificate Data.
In both cases, in the VCRM under Trusted Management Servers you should see the certificate you pasted.
03-06-2013 12:20 PM
So essentially you are taking the server cert from each target server (VCA) and copying that certificate to the server running VCRM. That is backwards from what is already set up: I have the HP SIM/VCRM's certificate on each VCA. Nonetheless, this doesn't work for me.
If I copy the cert.pem file from the VCA to the VCRM as you indicate, then restart the SMH, it deletes the cert I just put in that folder. If I try option 2 and paste it into Trusted Management Servers and import, it errors out and doesn't import.
Has anyone else been able to get this working? As with my original post, the only server for which I can trust the VCA by certificate is the HP SIM server itself.
03-07-2013 03:32 AM
It is difficult to manage different systems when we need to manually copy certs from VCA to VCRM. The ideal resolution should be:
When using self-signed certs:
- During HP SIM node discovery the certificate should be imported from the VCA into HP SIM as trusted.
When using PKI certs:
- Import the PKI cert into the HP SIM CMS
- Import the root cert into the HP SIM trusted certs
- Verify the CRL from LDAP or from the CRL Distribution Point in the certificate
As it stands, the recommended trust mode (by certificate) is impossible to implement and manage.
Please fix trust by certificate in VCA and PKI certificates in HP SMH and HP SIM.
10-10-2013 08:51 AM
I am having the same issue with my HP SIM 7.2 / VCRM 7.2 (same server) configuration.
I have tried importing the certs from the VCA clients into Trusted Certs on HP SIM (I can do this), but I still get the error. I have also tried manually importing the cert information.
I also tried copying the certs from the C:\HP\SSLShare directory, but still it does not work.
I can use the domain authentication to the VCRM server name and IP and it works fine.
No firewall, ports 2381, 2301, 161, 80 are all fine.
SNMP is working correctly.
Is there any workable resolution to this issue? I have tried all of the above solutions in this thread and have not found one that works.
11-20-2013 08:09 AM
The solution proposed by Alonso worked for me. The only problem is that "Option 1" does not work for multiple VCA servers, since they all have the same file name, "cert.pem". The obvious adjustment to that step is to rename the file to something unique before copying it to the VCRM server. My choice was the server name as the name of the PEM file: rename cert.pem to serverabc.pem if the server name is serverabc, and then copy it to the VCRM server.
So from an end-to-end perspective, the solution I am looking into is a PowerShell script to loop through all VCA servers:
1) Obtain list of all your managed VCA servers; a simple text file would be sufficient.
2) Loop through each server in the list
3) Copy \\servername\c$\hp\sslshare\cert.pem to a temp location
4) Rename cert.pem in temp location to servername.pem
5) Move servername.pem to \\vcrmserver\c$\hp\hpsmh\certs
6) Repeat for next server in the loop
7) Restart SMH on the VCRM server (either manually or use a PowerShell command to do it in the script)
So the issue of having to do this for hundreds or thousands of servers may end up being trivial if you can automate it.
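The loop sketched in the steps above, and the per-VCA copy from Alonso's earlier "Option 1", written out as a script. This is an added example, not code from the thread or from HP; it assumes a one-hostname-per-line server list, a reachable c$ admin share on each host, Windows PowerShell 5.1 (for Get-Service -ComputerName), and that the SMH Windows service on the VCRM is named 'SysMgmtHp' (check with Get-Service on your VCRM).

```powershell
# Added example (not from the thread): copy each VCA's SMH certificate to the
# VCRM's trusted-certs folder under a unique name, then restart SMH there.
param(
    [string]$ServerList = 'C:\temp\vca-servers.txt',   # constructed path, one host per line
    [string]$VcrmServer = 'vcrmserver',                # placeholder VCRM hostname
    [string]$SmhServiceName = 'SysMgmtHp'              # assumed SMH service name; verify with Get-Service
)

$destDir = "\\$VcrmServer\c`$\hp\hpsmh\certs"
$tempDir = Join-Path $env:TEMP 'vca-certs'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

$servers = Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

foreach ($server in $servers) {
    $src = "\\$server\c`$\hp\sslshare\cert.pem"
    if (-not (Test-Path $src)) {
        Write-Warning "$server : $src not found (generate the SMH local certificate first)"
        continue
    }

    # Steps 3/4: stage under a unique name so many cert.pem files do not overwrite each other.
    $tmp = Join-Path $tempDir "$server.pem"
    Copy-Item -Path $src -Destination $tmp -Force

    # Sanity check before trusting it: the file must parse as an X.509 certificate.
    # Logging the subject also makes a hostname-vs-FQDN mismatch visible.
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp
        Write-Host ("{0}: subject={1} thumbprint={2} expires={3}" -f $server, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    } catch {
        Write-Warning "$server : cert.pem is not a valid certificate, skipping ($_)"
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
        continue
    }

    # Step 5: move into the VCRM's trusted certificate folder.
    Move-Item -Path $tmp -Destination (Join-Path $destDir "$server.pem") -Force
}

# Step 7: restart SMH on the VCRM once, so it re-reads the certs folder.
Get-Service -ComputerName $VcrmServer -Name $SmhServiceName | Restart-Service -Force
```

Run it from an account that is a local administrator on the VCA hosts and the VCRM; only thumbprints and subjects are logged, so the output can be kept as a record of which certificates were added to the trust store.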
05-02-2014 12:53 PM
This solution no longer works for me with the latest SMH. From what I can tell, HP is now generating certificates with the FQDN of the host and this no longer matches with what the VCAgent <-> VC Repository communication is looking for. They used to create certificates with just the hostname and I think that is what the VC Repository is looking for as a match with the certificate; now that it is a FQDN, they do not match up and the connection fails. You have to go back to the Username/Password method. I even tried setting an alternative name with the SMH GUI, but that still does not work.
05-20-2014 12:41 PM
And the same... I can't get it to work by certificate either. But it does with a username/password.
Everything *should* be in order for the certificates too - generated one with the SIM Server, exported it, and then added it under the trust on the client server... So in the same boat - and I just downloaded and installed the newest of all of this today.
Glad it wasn't just me I suppose :)