Server Management - Systems Insight Manager
1748199 Members
2668 Online
108759 Solutions
New Discussion

Re: Single Sign on doesn't work after System Management Homepage update

 
Maciej_Szuba
New Member

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

Could you try this solution:

 

1. Create directory where you copy certificate and CRL

  a) New-Item C:\WorkArea\CaFiles -type directory

  b) New-Item C:\WorkArea\CaFiles\cacerts -type directory

  c) New-Item C:\WorkArea\CaFiles\cacrls -type directory

 

2.Get your rootca and/or subca certificate, and copy to cacerts directory.

But this certificates should have PEM( ASCII base64) format and extension cer!!!  Important is this file should be PEM text file, not binary format like DER. You can use this command openssl x509 -in cert.cer-text -noout to check this. If You obtain error like this:

unable to load certificate

13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

that  means you have, not correct format. You could convert using   openssl x509 -in cert.crt -inform der -outform pem -out cert.cer

 

3. Get your rootca and/or subca CRL , and copy to cacrls directory. But this CRL should have PEM( ASCII base64) format and extension crl!!!

You can check crl have correct format using  openssl.exe crl -text -noout -in .\cacrl.crl

If You obtain error like this:
unable to load CRL
13644:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:647:Expecting: X509 CRL

that  means you have, not correct format. You could convert using  openssl crl -inform DER -in crl.crl -outform PEM-out crl_.crl

 

4. When you copy certificate and crl,  you should inform HP System Management Homepage, about this
 using cmd:  C:\hp\hpsmh\bin\smhconfig.exe -W C:\WorkArea\CaFiles, and restart service C:\hp\hpsmh\bin\smhconfig.exe -r

 

5. From HPSIM connect to managed node System Management Homepage, import certificates to Trusted Managment Servers(if you must).

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

This does not really sound like a solution to me.

I found entries in the smh logfiles that SMH was not able to check the certificate against a CRL.

The URI for CRLs in the certicates issued from my CA are valid and I'm able to get a current CRL using that URI.

It makes no sense for me to copy the CRL manually to my servers. It is also an very unusual behaviour for software to deny access if the CRL of a certificate can't be checked...

 

Please HP: Fix that ASAP

 

Jens

SwisspostIT
Valued Contributor

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

the steps provided by Maciej_Szuba what also what HP support provided me in the case I've opened.

But until know I couldn't bring this to work like this.

I also told HP yesterday that even if this works, this isn't a solution for enterprise customers like us who manage >1000 servers with HP SIM (no manager would like to pay the afford for going on every of the server and making these manual steps...!)

 

So I'm know again waiting for update from HP and until this is fixed I'll have to logon to every SMH manually to which I connect through HP SIM.

 

regards,

Ville

PrzemekK
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

This procedure is good, but it is not solution. Because crls will expiry in 2 weeks etc.

 

We needed convert crls

openssl crl -inform DER -in crl.crl -outform PEM-out crl_.crl

 

And export certs to base64

 

My HP System Management Homepage v7.1.2.3

consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

As hubert J. Farnsworth would say:

 

Good news everyone!

 

The customer advisory says clearly that HP will not fix this issue.

It worked for me at least. But, it is a pain to touch every server!

 

It seems like HPSMH downloads the CRL at every start after you walked through the steps once. But as I see it they messed it up the first time...

 

Jens

SwisspostIT
Valued Contributor

Re: Single Sign on doesn't work after System Management Homepage update

This is ridiculous if they don't fix this in future releases...

With this manual steps HP SMH isn't anymore Enterprise suitable IMO since you have to do much manual steps on EACH managed system!

 

But one thing isn't clear for me: Since they're only talking about CA certificate, what if you use a self signed certificate which doesn't have root certificates and CRLs? Is it then the same way as before or do you also have to manually add the certificate locally and run the smhconfig commands?

 

Regards,

Ville

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Sorry, I have to add that - also stated otherwise on Tuesday - it did not work for me. After logging off I still get the message that the certicate is revoked...
I will open an case with HP now.

Jens
SwisspostIT
Valued Contributor

Re: Single Sign on doesn't work after System Management Homepage update

just had a VR session and the simplest thing to solve this problem is to use only a self signed certificate created by the SIM Server... (even if our company security maybe won't like that)

meanwhile HP is looking at my CA certificate files to find out what is wrong with them.

Curt-H
New Member

Re: Single Sign on doesn't work after System Management Homepage update

I upgraded to HP System Management Homepage v7.1.2.3 on a few servers. Some servers recognize that my cert is self-signed and lets SSO work. Another server thinks it's issued from a CA and SSO fails.

 

Server 1
CRITICAL 11/27/2012 4:26:37 PM Trusted certificate used for SSO is either revoked or SMH failed to verify it against CRL
Server 2:
INFORMATIONAL 11/27/2012 4:31:53 PM Certificate verification message: self_signed_certificate

What do I do now? Why would one server allow SSO and another not. The cert is exactly the same, I checked. 

 

Curt