10-03-2012 02:19 AM
Re: Single Sign on doesn't work after System Management Homepage update
Hi,
Could you try this solution:
1. Create a directory where you will copy the certificate and CRL:
a) New-Item C:\WorkArea\CaFiles -type directory
b) New-Item C:\WorkArea\CaFiles\cacerts -type directory
c) New-Item C:\WorkArea\CaFiles\cacrls -type directory
2. Get your rootca and/or subca certificate, and copy it to the cacerts directory.
But these certificates should have PEM (ASCII base64) format and the extension cer!!! It is important that this file is a PEM text file, not a binary format like DER. You can use this command to check this:
openssl x509 -in cert.cer -text -noout
If you get an error like this:
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
that means you do not have the correct format. You could convert using:
openssl x509 -in cert.crt -inform der -outform pem -out cert.cer
3. Get your rootca and/or subca CRL, and copy it to the cacrls directory. But this CRL should have PEM (ASCII base64) format and the extension crl!!!
You can check that the CRL has the correct format using:
openssl.exe crl -text -noout -in .\cacrl.crl
If you get an error like this:
unable to load CRL
13644:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:647:Expecting: X509 CRL
that means you do not have the correct format. You could convert using:
openssl crl -inform DER -in crl.crl -outform PEM -out crl_.crl
4. When you have copied the certificate and CRL, you should inform HP System Management Homepage about this
using cmd: C:\hp\hpsmh\bin\smhconfig.exe -W C:\WorkArea\CaFiles, and restart the service: C:\hp\hpsmh\bin\smhconfig.exe -r
5. From HPSIM, connect to the managed node's System Management Homepage and import certificates to Trusted Management Servers (if you must).
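Steps 1 to 4 above, collected into one PowerShell script that can be run on each managed node. This is an added example, not part of the original post and not HP tooling; it assumes openssl.exe is on PATH and uses a hypothetical input folder C:\WorkArea\Incoming for the exported CA files.

```powershell
# Added example: stage CA certificates and CRLs for HP SMH as PEM files.
# Assumptions: openssl.exe is on PATH; $Source is a hypothetical folder holding
# the CA files you exported; SMH is installed under C:\hp\hpsmh as in the post.
param(
    [string]$Source    = 'C:\WorkArea\Incoming',
    [string]$CaFiles   = 'C:\WorkArea\CaFiles',
    [string]$SmhConfig = 'C:\hp\hpsmh\bin\smhconfig.exe'
)

function Copy-AsPem([string]$Path, [string]$Kind, [string]$Dest) {
    # $Kind is the openssl subcommand: 'x509' for certificates, 'crl' for CRLs.
    $label  = if ($Kind -eq 'x509') { 'CERTIFICATE' } else { 'X509 CRL' }
    $marker = "-----BEGIN $label-----"
    # A PEM file is text containing the BEGIN line; anything else is treated as DER.
    $isPem  = [bool](Select-String -Path $Path -Pattern $marker -SimpleMatch -Quiet)
    $inform = if ($isPem) { 'PEM' } else { 'DER' }
    # Re-encoding through openssl also proves that the file parses.
    & openssl $Kind -inform $inform -in $Path -outform PEM -out $Dest
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $Path as $inform" }
}

$certDir = Join-Path $CaFiles 'cacerts'
$crlDir  = Join-Path $CaFiles 'cacrls'
New-Item -ItemType Directory -Force -Path $certDir, $crlDir | Out-Null

foreach ($f in (Get-ChildItem -Path (Join-Path $Source '*') -Include '*.cer', '*.crt')) {
    Copy-AsPem $f.FullName 'x509' (Join-Path $certDir ($f.BaseName + '.cer'))
}
foreach ($f in (Get-ChildItem -Path (Join-Path $Source '*') -Include '*.crl')) {
    $out = Join-Path $crlDir ($f.BaseName + '.crl')
    Copy-AsPem $f.FullName 'crl' $out
    # Show nextUpdate so a CRL that is about to expire is noticed when staging.
    & openssl crl -in $out -noout -nextupdate
}

# Point SMH at the staged files, then restart it (both commands are from the post).
& $SmhConfig -W $CaFiles
& $SmhConfig -r
```

Step 5, importing the certificate under Trusted Management Servers, is not covered by the script.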
10-09-2012 12:13 AM
Re: Single Sign on doesn't work after System Management Homepage update
This does not really sound like a solution to me.
I found entries in the smh logfiles that SMH was not able to check the certificate against a CRL.
The URI for CRLs in the certificates issued from my CA is valid and I'm able to get a current CRL using that URI.
It makes no sense for me to copy the CRL manually to my servers. It is also a very unusual behaviour for software to deny access if the CRL of a certificate can't be checked...
Please HP: Fix that ASAP
Jens
10-10-2012 07:12 AM
Re: Single Sign on doesn't work after System Management Homepage update
Hi,
the steps provided by Maciej_Szuba are also what HP support provided me in the case I've opened.
But until now I couldn't get it to work like this.
I also told HP yesterday that even if this works, this isn't a solution for enterprise customers like us who manage >1000 servers with HP SIM (no manager would like to pay for the effort of going onto every one of the servers and performing these manual steps...!)
So I'm now again waiting for an update from HP, and until this is fixed I'll have to log on manually to every SMH to which I connect through HP SIM.
regards,
Ville
10-15-2012 02:38 AM
Re: Single Sign on doesn't work after System Management Homepage update
This procedure is good, but it is not a solution, because CRLs will expire in 2 weeks etc.
We needed to convert the CRLs:
openssl crl -inform DER -in crl.crl -outform PEM -out crl_.crl
And export certs to base64
My HP System Management Homepage v7.1.2.3
10-23-2012 04:29 AM
Re: Single Sign on doesn't work after System Management Homepage update
As Hubert J. Farnsworth would say:
Good news everyone!
The customer advisory says clearly that HP will not fix this issue.
It worked for me at least. But, it is a pain to touch every server!
It seems like HPSMH downloads the CRL at every start after you walked through the steps once. But as I see it they messed it up the first time...
Jens
10-25-2012 12:49 AM
Re: Single Sign on doesn't work after System Management Homepage update
This is ridiculous if they don't fix this in future releases...
With these manual steps HP SMH isn't Enterprise suitable anymore IMO, since you have to do many manual steps on EACH managed system!
But one thing isn't clear for me: Since they're only talking about CA certificate, what if you use a self signed certificate which doesn't have root certificates and CRLs? Is it then the same way as before or do you also have to manually add the certificate locally and run the smhconfig commands?
Regards,
Ville
10-25-2012 02:46 AM
Re: Single Sign on doesn't work after System Management Homepage update
I will open a case with HP now.
Jens
10-25-2012 05:28 AM
Re: Single Sign on doesn't work after System Management Homepage update
Just had a VR session and the simplest thing to solve this problem is to use only a self-signed certificate created by the SIM Server... (even if our company security maybe won't like that)
Meanwhile HP is looking at my CA certificate files to find out what is wrong with them.
11-27-2012 01:38 PM
Re: Single Sign on doesn't work after System Management Homepage update
I upgraded to HP System Management Homepage v7.1.2.3 on a few servers. Some servers recognize that my cert is self-signed and let SSO work. Another server thinks it's issued from a CA and SSO fails.
Server 1:
CRITICAL 11/27/2012 4:26:37 PM Trusted certificate used for SSO is either revoked or SMH failed to verify it against CRL
Server 2:
INFORMATIONAL 11/27/2012 4:31:53 PM Certificate verification message: self_signed_certificate
What do I do now? Why would one server allow SSO and another not? The cert is exactly the same, I checked.
Curt