03-19-2014 04:46 AM
OMU 9.11.040 Agent 11.03.012
A message generated by an agent correlation (opceca) is not able to run an Automatic Action on the management server.
Management Server - System.txt
[opcmsgm.c:12570]: Failed to verify action signature. Reason: No signature found associated with this aa_action call
I have a requirement to own (opcownmsg) messages generated by a multi-source agent correlation. The created message has an associated Server Automatic Action:
opcownmsg –own opc_msg <$MSG_ID>
The command works correctly when called by a message policy condition installed on the agent.
The multi-source correlation can run local Automatic Actions.
Editing remactconf.xml to add rules with Adding <certified>false</certified> has no effect.
Has anyone any suggestions?
Thanks in advance.
Solved! Go to Solution.
03-19-2014 05:03 AM
Based on what you mention you can try the steps from:
And after evaluate if this same problem persist.
Hope this information helps.
Thanks and Regards,
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution
If you liked it I would appreciate KUDOs
03-19-2014 06:26 AM
Unfortunately the problem has remained.
There were no <$OPC_GUI_CLIENT> entries in the node reference report. I have added the variables: <$OPC_GUI_CLIENT>, <$OPC_GUI_CLIENT_WEB>, to the node bank.
Within the correlation the New alarm I set the AACTION_NODE to <$OPC_MGMTSV>. The message annotation reports:
Can’t start automatic action xxxx on node “mymanagementserver.com”.
The message failed authentication checks – this message has possibly been sent by an untrusted source.
If I change AACTION_NODE to <$OPC_GUI_CLIENT> the variable is not resolved with the annotation:
Can’t start automatic action xxxx on node <$OPC_GUI_CLIENT>.
The node is not an HPOM controlled node.
03-19-2014 08:51 AM
There are two things you could check:
1. Make sure MSI defined actions are allowed for that node. That's configured in the Advanced Options when editing a node (Allow Externally Defined ... Automatic Actions and/or Operator Actions).
2. If that doesn't help, you might need to change your /etc/opt/OV/share/conf/OpC/mgmt_sv/remactconf.xml file.
By default only certified actions (actions defined by a policy on a HTTPS node) are allowed.
To also allow actions defined by the MSI, change these lines:
<doc>Allow ALL certified actions</doc>
<doc>Allow ALL certified and MSI defined actions</doc>
This is the default rule. You may have changed rules if remote actions are restricted. You might need to create a specifc
rule with source being your agent node and target being the management server.
03-19-2014 09:42 AM
Setting a: <certified>msi</certified> rule allowed the action to run.
The https agent manual states:
The certified check allows the values valid and invalid.
Valid matches only if a signature and a certificate are provided, with the signature
being signed by the certificate's owner, and when the OvCoreId of the certificate's subject
is listed in the trust element. Invalid matches all other cases.
Thanks very much I was completely stumped on this problem.
03-19-2014 10:20 AM
I'm glad that helped.
There are basically three values for certified:
- true - only actions defined and signed by a HTTPS node allowed
- false - actions from DCE and HTTPS nodes allowed
- msi - Actions from HTTPS node and actions defined in the MSI of an HTTPS node are allowed.