Re: A message generated by an agent correlation unable to run an AA on the management server. (343 Views)
Reply
Occasional Contributor
ZipNolan1
Posts: 5
Registered: ‎03-19-2014
Message 1 of 6 (378 Views)
Accepted Solution

A message generated by an agent correlation unable to run an AA on the management server.

OMU     9.11.040 Agent 11.03.012

 

A message generated by an agent correlation (opceca) is not able to run an Automatic Action on the management server.

 

Management Server - System.txt

 

[opcmsgm.c:12570]:  Failed to verify action signature.  Reason: No signature found associated with this aa_action call

(OpC40-1871)

 

I have a requirement to own (opcownmsg) messages generated by a multi-source agent correlation.  The created message has an associated Server Automatic Action:

            opcownmsg –own opc_msg <$MSG_ID>

The command works correctly when called by a message policy condition installed on the agent.

The multi-source correlation can run local Automatic Actions.

 

Editing remactconf.xml to add rules with Adding <certified>false</certified> has no effect.

 

Has anyone any suggestions?

 

Thanks in advance.

HP Expert
Carlos_Pinto
Posts: 281
Registered: ‎06-01-2012
Message 2 of 6 (373 Views)

Re: A message generated by an agent correlation unable to run an AA on the management server.

Hello,

 

Based on what you mention you can try the steps from:

 

http://support.openview.hp.com/selfsolve/document/KM743767

 

And after evaluate if this same problem persist.

 

Hope this information helps.

 

Thanks and Regards,

Carlos Pinto

 

HP Support

If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution

If you liked it I would appreciate KUDOs 

Occasional Contributor
ZipNolan1
Posts: 5
Registered: ‎03-19-2014
Message 3 of 6 (356 Views)

Re: A message generated by an agent correlation unable to run an AA on the management server.

Unfortunately the problem has remained.

 

There were no <$OPC_GUI_CLIENT> entries in the node reference report.  I have added the variables: <$OPC_GUI_CLIENT>, <$OPC_GUI_CLIENT_WEB>, to the node bank.

 

Within the correlation the New alarm I set the AACTION_NODE to <$OPC_MGMTSV>.  The message annotation reports:

 

Can’t start automatic action xxxx on node “mymanagementserver.com”.

The message failed authentication checks – this message has possibly been sent by an untrusted source.

 

If I change AACTION_NODE to <$OPC_GUI_CLIENT> the variable is not resolved with the annotation:

 

Can’t start automatic action xxxx on node <$OPC_GUI_CLIENT>.

The node is not an HPOM controlled node.

 

Thanks

HP Expert
tobias_m
Posts: 269
Registered: ‎05-06-2010
Message 4 of 6 (343 Views)

Re: A message generated by an agent correlation unable to run an AA on the management server.

Hello,

 

There are two things you could check:

1. Make sure MSI defined actions are allowed for that node. That's configured in the Advanced Options when editing a node (Allow Externally Defined ... Automatic Actions and/or Operator Actions).

 

2. If that doesn't help, you might need to change your /etc/opt/OV/share/conf/OpC/mgmt_sv/remactconf.xml file.

By default only certified actions (actions defined by a policy on a HTTPS node) are allowed.

To also allow actions defined by the MSI, change these lines:


  <rule>
    <doc>Allow ALL certified actions</doc>
    <allow/>
  </rule>

 

To these:


  <rule>
    <doc>Allow ALL certified and MSI defined actions</doc>
              <if>
                <certified>msi</certified>
              </if>
    <allow/>
  </rule>

 

 

This is the default rule. You may have changed rules if remote actions are restricted. You might need to create a specifc

rule with source being your agent node and target being the management server.

 

Best regards,

Tobias

 

Occasional Contributor
ZipNolan1
Posts: 5
Registered: ‎03-19-2014
Message 5 of 6 (336 Views)

Re: A message generated by an agent correlation unable to run an AA on the management server.

Tobias,

 

 

Setting a: <certified>msi</certified> rule allowed the action to run.

 

 

The https agent manual states:

 

certified

The certified check allows the values valid and invalid.

Valid matches only if a signature and a certificate are provided, with the signature

being signed by the certificate's owner, and when the OvCoreId of the certificate's subject

is listed in the trust element. Invalid matches all other cases.

 

 

Thanks very much I was completely stumped on this problem.

HP Expert
tobias_m
Posts: 269
Registered: ‎05-06-2010
Message 6 of 6 (331 Views)

Re: A message generated by an agent correlation unable to run an AA on the management server.

Hello,

 

I'm glad that helped.

 

There are basically three values for certified:

- true - only actions defined and signed by a HTTPS node allowed

- false - actions from DCE and HTTPS nodes allowed

- msi - Actions from HTTPS node and actions defined in the MSI of an HTTPS node are allowed.

 

Best regards,

Tobias

 

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.