vca and use certificate to connect to vcrm
Occasional Advisor
Posts: 11
Registered: ‎07-19-2010
Message 1 of 22 (5,983 Views)

vca and use certificate to connect to vcrm

hello,

 

i just installed a new hp sim 7 server to replace my old 6.3 system. so far everything went fine, but i also want to use the new feature from vca 7 "by certificate".

 

on the hp sim server locally it is working, but from all remote systems not. when i enter the credentials of my domain admin i get the support packs. so the basic config should be ok.

 

what do i miss to enable all my servers to authenticate via certificate for vca?

 

thanks a lot for your help!

 

brgds Andreas

Advisor
Posts: 32
Registered: ‎06-15-2004
Message 2 of 22 (5,965 Views)

Re: vca and use certificate to connect to vcrm

I have the exact same issue.  Works on the HPSim server but nothing else.

Frequent Visitor
Posts: 1
Registered: ‎04-11-2012
Message 3 of 22 (5,957 Views)

Re: vca and use certificate to connect to vcrm

I have the exact same problem.   Did a lot of fiddling around over the last day.

 

on the SMH I imported all the HPsim management certs and clicking from hpsim to agent HPSMH works without logging in.

 

In HPSIM for version control I assigned the baseline and it actually checked the software on the agent and showed the differences GREAT!!

 

but from the agent SMH home page  clicking USING CERTIFICATE  fails,   but using userid and password works.

 

The specified repository, cmtcfcpwprmgt01.ibg.adroot.bmogc.net, is invalid or not reachable.  

 

Connection: close
Content-Length: 248
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 11 Apr 2012 14:31:56 GMT
Location: /cpqlogin.htm?RedirectUrl=/vcrepository&RedirectQueryString=
Server: CompaqHTTPServer/9.9 HP System Management Homepage/7.0.0.24
Set-Cookie: Compaq-HMMD=0001-708914d6-02bb-f343-b7be-17e211b5c0c0-1334154716745077; path=/; Secure
Status: 302

 

 

 

Occasional Advisor
Posts: 11
Registered: ‎07-19-2010
Message 4 of 22 (5,930 Views)

Re: vca and use certificate to connect to vcrm

sorry, but is nobody from HP here that can explain how this feature works and what is needed?!? did anybody find the documentation for the latest vca? unfortunately i only find one from 2003...

 

brgds Andreas

Trusted Contributor
Posts: 246
Registered: ‎04-13-2004
Message 5 of 22 (5,907 Views)

Re: vca and use certificate to connect to vcrm

The documentation is all right here

 

http://h18013.www1.hp.com/products/servers/management/unified/infolibraryfm.html

 

"HP Version Control supports Single Sign On (SSO) system that allows a trusted HP
VCA the ability to connect to the HP VCRM without providing authentication details to
login to HP VCRM's HP SMH. When the Using Certificate option is selected, HP
SMH processes the SSO request depending on the Trust Mode selected. HP SMH
obtains the HP VCA 's HP SMH public certificate and uses it to validate the trust
relationship. If HP SMH is unable to establish the trust relationship or cannot verify the
security token, then HP VCA displays the following error message:The specified
repository, VCRM IP, is invalid or not reachable."

Occasional Advisor
Posts: 11
Registered: ‎07-19-2010
Message 6 of 22 (5,900 Views)

Re: vca and use certificate to connect to vcrm

hello,

 

at least we have now the attention by someone from hp! :) thanks a lot!

 

the trust mode from the smh is by certificate. the certificate i use is the self-signed created by the hp sim setup.

 

can you explain in detail what i should do/check to get this working? are there any firewall ports we must take care of except 2301 and 2381?

 

thanks a lot for your help!

 

brgds Andreas

Trusted Contributor
Posts: 246
Registered: ‎04-13-2004
Message 7 of 22 (5,892 Views)

Re: vca and use certificate to connect to vcrm

I replicated what you all are reporting.

 

The VCA "Use Certificate" failed for me as well with the error "The specified repository, is invalid or not reachable" yet if I use Username and Password it connects fine so my thinking is the certificate itself.

 

In dinking around SMH Settings --> Security --> Local Server Certificate under Current Certificate I added the IP address of the vcrm for giggles in the Alternate Names box.

 

Went back to VCA and it was connected so I don't know if that was the ticket or not but went to change agent settings to set a baseline and it passed Use Certificate for the login.

 

Tomorrow I am going to try and get some clarity on a few details that aren't real clear in both the VCA and SMH documentation. As soon as I find out I'll post back unless someone beats me to it.

Advisor
Posts: 32
Registered: ‎06-15-2004
Message 8 of 22 (5,876 Views)

Re: vca and use certificate to connect to vcrm

I am having the same issue as Deas.h.  I tried your solution by adding the IP under the Alternate Names box.  No joy.  I tried several servers with various info in the Alternate Names box as well as tried different certificates and no luck.

Trusted Contributor
Posts: 246
Registered: ‎04-13-2004
Message 9 of 22 (5,873 Views)

Re: vca and use certificate to connect to vcrm

I didn't figure it would be that simple, I cleared mine out and SSO is still working. I have the question into engineering so we'll see what I can ascertain - whenever I can replicate an item like this internally usually they like to look at it otherwise the only avenue is a support case.

Trusted Contributor
Posts: 246
Registered: ‎04-13-2004
Message 10 of 22 (5,802 Views)

Re: vca and use certificate to connect to vcrm

I did hear back - Basically it is kinda backwards from what I think it should be

 

The SSO is a SMH hosting the VCA to SMH hosting the VCRM

 

The SMH hosting the VCRM needs to have the SMH Certificate of the SMH hosting the VCA

 

So for every VCA you want to have SSO to VCRM, you have to add the certificate of the SMH hosting the VCA

 

It is a manual process so if you have 3000 VCA's you want to have SSO with the VCRM you will need to install each certificate for each SMH hosting VCA one at a time.

 

I suggested they flip the order so there was only 1 certificate to push out via HPSIM or if not using SIM can be installed pre-configured into the VCA. 

 

Not sure if there will be much of a demand for it. What do you all think, is SSO for VCA to VCRM something you'd think important to have? I am not really sure I see the benefit of it beyond a simple convenience, but then again I don't have to deal with it everyday like you fine folks.

 

 

Occasional Visitor
Posts: 1
Registered: ‎06-16-2011
Message 11 of 22 (5,789 Views)

Re: vca and use certificate to connect to vcrm

Thanks for your responses, Jim.  I, too, am experiencing this exact problem with my recent upgrade to SIM 7 and some of the VCAgent versions to 7.0.0.900.

 

You asked "if SSO for VCA to VCRM [is] something you'd think important to have?" and my initial response would be "sure, whatever's the most secure and the least amount of work."  But truly, in my environment, it's not that big of a deal to use the username and password since that's how we did it before.  However, if HP's going to offer the "using certificate" option, it seems like it should be set up in a way that makes sense and is in line with how the other features work...we set "trust by certificate" on all the "client" SMHs and can push out that one important certificate (of the CMS, which is also the VCRM in my case) to all client SMHs. Why can't the version control repository's certificate, if different from the CMS machine, be pushed out the same way to all clients with the VCA? 

 

 I might be thinking about this SSO flow incorrectly, but it seems like the client needs to be sure it's getting updates from the correct, trusted repository more than the repository would need to verify it's communicating with trusted clients (and therefore have all of their certificates known to it).

 

That said, if nothing changes with the design of this "feature," and assuming I do manually want to install a certificate for each client VCA onto the VCRM, how would I actually go about doing that? I don't see a way (in the GUI) to import or view client certificates.

 

Thanks again,

Brandi

Advisor
Posts: 15
Registered: ‎06-18-2009
Message 12 of 22 (5,728 Views)

Re: vca and use certificate to connect to vcrm

After having a little think about this, if you are running a proper Certificate Authority and you've imported the Root certificate of the CA into the SMH that's hosting your VCRM then any VCA client that has a local certificate from the same CA will automatically be trusted.

Therefore you won't need to manually import every client certificate into the VCRM.

Honored Contributor
Posts: 728
Registered: ‎10-26-2005
Message 13 of 22 (5,547 Views)

Re: vca and use certificate to connect to vcrm

Hi all,

 

I followed all steps mentioned about those certificates but do not get it running...

 

I can import the certificate from the SIM server under the VCA SMH under trusted management servers...

However VCA config using certificate does not work...

 

If I try to import the certificate from the VCA host on the SIM server (so the other way around), it says that the certificate cannot be found (since SIM is not installed on that server).

 

Where can I find the certificates from the SMH itself and not from the SIM server?

--------------------------------------------------------------------------------
If my post was useful, click on my KUDOS! "White Star" !
My blog: http://blog.bitcon.be

Regular Advisor
Posts: 158
Registered: ‎08-07-2007
Message 14 of 22 (4,801 Views)

Re: vca and use certificate to connect to vcrm

I'm getting the same results, could someone please post a way to get the trust going?

 

I tried the other link that I found where you copy the certificate from the smh to the vcrm and still nothing.

 

copy \\%computername%\c$\hp\sslshare\cert.pem \\vcrm\c$\hp\hpsmh\certs\%computername%.pem

Occasional Advisor
Posts: 18
Registered: ‎07-08-2009
Message 15 of 22 (4,705 Views)

Re: vca and use certificate to connect to vcrm

any news here? This isn't working for me also

Occasional Advisor
Posts: 8
Registered: ‎01-02-2012
Message 16 of 22 (4,231 Views)

Re: vca and use certificate to connect to vcrm

I was able to get this working doing the following:

In the VCA server go to C:\hp\sslshare and copy the file called cert.pem. If you don't see this file simply go to Settings - Security - Local Certificate and click on generate (without alternate names)

Option 1:
In the VCRM server paste that file in the location c:\hp\hpsmh\certs and restart the SMH service.

Option 2:
Open the cert.pem and copy the contents then paste them in the VCRM server's SMH under Trusted Management Servers -> Import Certificate Data

In both cases, in the VCRM under Trusted Management Servers you should see the certificate you pasted.

Advisor
Posts: 32
Registered: ‎06-15-2004
Message 17 of 22 (4,010 Views)

Re: vca and use certificate to connect to vcrm

So essentially you are taking the server cert from each target server (VCA) and copying that certificate to the server running VCRM.   That is backwards from what is already set up.  I have the HPSIM/VCRM's certificate on each VCA.  Nonetheless, this doesn't work for me.

 

If I copy the cert.pem file from the VCA to VCRM as you indicate, then restart the  SMH, it deletes the cert I just put in that folder.  If I try option 2 and paste it in the Trusted Management Servers and import, it errors out and doesn't import.

 

Has anyone else been able to get this working?  As with my original post, the only server that I can trust the VCA by certificate  is the HPSim server itself.

 

Frequent Advisor
Posts: 39
Registered: ‎07-31-2012
Message 18 of 22 (3,998 Views)

Re: vca and use certificate to connect to vcrm

Welcome,

 

 

It is difficult to manage different systems when we need to manually copy certs from VCA to VCRM.  The perfect resolution should be

 

when using self signed certs

- During HP SIM node discovery certificate should be imported from VCA (HP SIM) as trusted.

 

when using PKI certs


- Import pki cert to HP sim CMS

- Import root cert to HP sim trusted certs

- Verify crl from ldap or from CRL Distribution Point in certificate

 

Now PKI certs won't work http://h30499.www3.hp.com/t5/ITRC-HP-Systems-Insight-Manager/Single-Sign-on-doesn-t-work-after-Syste...

 

And recommended trusted mode (by certificate) is impossible to implement and manage

 

Please fix trust by certificate in VCA and PKI certificates in HP SMH and HP SIM

 

Visitor
Posts: 1
Registered: ‎10-10-2013
Message 19 of 22 (3,106 Views)

Re: vca and use certificate to connect to vcrm

I am having the same issue with my HP SIM 7.2 \VCRM 7.2 (same server) configuration. 

 

I have tried importing the certs from the VCA clients in to Trusted Certs on HP SIM (I can do this), but still get the error.  I have manually tried importing the cert information also. 

 

I also, tried the copying of the certs from the C:\HP\SSLShare directory, but still it does not work. 

 

I can use the domain authentication to the VCRM server name and IP and it works fine.

 

No firewall, ports 2381, 2301, 161, 80 are all fine.

 

SNMP is working correctly.

 

Is there any workable resolution to this issue?   I have tried all of the above solutions in this thread and have not found one that works.

 

Honored Contributor
Posts: 952
Registered: ‎03-12-2003
Message 20 of 22 (2,918 Views)

Re: vca and use certificate to connect to vcrm

The solution proposed by Alonso worked for me.  The only problem being "Option 1" does not work for multiple VCA servers - since they all have the same file name "cert.pem".  The obvious adjustment to that step would be to rename the file to be something unique before copying it to the VCRM server.  My choice was the server name as the name of the PEM file.  Thus rename cert.pem to serverabc.pem if my server name was serverabc, and then copy it to the VCRM server.

 

So from an end-to-end perspective, the solution I am looking into is a PowerShell script to loop through all VCA servers:

 

1) Obtain list of all your managed VCA servers; a simple text file would be sufficient.

2) Loop through each server in the list

3) Copy \\servername\c$\hp\sslshare\cert.pem to a temp location

4) Rename cert.pem in temp location to servername.pem

5) Move servername.pem to \\vcrmserver\c$\hp\hpsmh\certs

6) Repeat for next server in the loop

7) Restart SMH on VCRM server (either manually or use PowerShell command to do it in the script)

 

So the issue of having to do this for 100's or 1000's of servers may end up being trivial if you can automate it.

 

Nelson
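
The loop outlined in the post above, written out as an added example; it is not the poster's script or HP code. It also parses each file as an X.509 certificate before copying it, since every file placed in the certs folder becomes a trust entry on the VCRM. Assumptions: the list file name, the SMH service display name, admin-share access to every host, and PowerShell remoting to the VCRM server.

```powershell
# Added example: stage each VCA host's SMH certificate on the VCRM server.
# Assumptions: admin-share (c$) access to every host, PowerShell 3.0+ with
# remoting enabled to the VCRM server, and the parameter defaults below.
param(
    [string]$ServerList     = '.\vca-servers.txt',             # hypothetical file, one host per line
    [string]$VcrmServer     = 'vcrmserver',                    # placeholder name used in the post
    [string]$SmhDisplayName = 'HP System Management Homepage'  # assumed service display name
)

$destDir = "\\$VcrmServer\c$\hp\hpsmh\certs"
$staging = Join-Path $env:TEMP 'vca-certs'
New-Item -ItemType Directory -Path $staging -Force | Out-Null

$servers = Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($server in $servers) {
    $staged = Join-Path $staging "$server.pem"   # unique name per host, not cert.pem
    $row = [ordered]@{ Server = $server; Subject = $null; NotAfter = $null; Thumbprint = $null; Status = $null }
    try {
        Copy-Item "\\$server\c$\hp\sslshare\cert.pem" $staged -Force -ErrorAction Stop
        # Parse the file before it becomes a trust entry: this throws if it is
        # not an X.509 certificate, and gives a fingerprint to record.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $staged
        $row.Subject = $cert.Subject; $row.NotAfter = $cert.NotAfter; $row.Thumbprint = $cert.Thumbprint
        Copy-Item $staged (Join-Path $destDir "$server.pem") -Force -ErrorAction Stop
        $row.Status = 'Copied'
    } catch {
        $row.Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

Remove-Item $staging -Recurse -Force
$results | Format-Table -AutoSize

# Restart SMH on the VCRM server once, only if something new was copied.
if ($results | Where-Object { $_.Status -eq 'Copied' }) {
    Invoke-Command -ComputerName $VcrmServer -ArgumentList $SmhDisplayName -ScriptBlock {
        param($name)
        Restart-Service -DisplayName $name
    }
}
```

The Subject column of the report shows whether each certificate names its host by short name or by FQDN, which is worth checking when a host still fails to connect by certificate.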

Honored Contributor
Posts: 952
Registered: ‎03-12-2003
Message 21 of 22 (2,200 Views)

Re: vca and use certificate to connect to vcrm

This solution no longer works for me with the latest SMH.  From what I can tell, HP is now generating certificates with the FQDN of the host and this no longer matches with what the VCAgent <-> VC Repository communication is looking for.  They used to create certificates with just the hostname and I think that is what the VC Repository is looking for as a match with the certificate; now that it is a FQDN, they do not match up and the connection fails.  You have to go back to the Username/Password method.  I even tried setting an alternative name with the SMH GUI, but that still does not work.

 

NK

Frequent Advisor
Posts: 34
Registered: ‎06-27-2007
Message 22 of 22 (2,074 Views)

Re: vca and use certificate to connect to vcrm

And the same... I can't get it to work by certificate either. But it does with a username/password.

 

Everything *should* be in order for the certificates too - generated one with the SIM Server, exported it, and then added it under the trust on the client server... So in the same boat - and I just downloaded and installed the newest of all of this today.

 

SMH 7.3.1.4

VCA 7.3.2.0

VCRM 7.3.2.0

 

Glad it wasn't just me I suppose :)
