Server Management - Systems Insight Manager

Re: vca and use certificate to connect to vcrm

 
buttadee
Occasional Visitor

Re: vca and use certificate to connect to vcrm

Thanks for your responses, Jim.  I, too, am experiencing this exact problem with my recent upgrade to SIM 7 and some of the VCAgent versions to 7.0.0.900.

 

You asked "if SSO for VCA to VCRM [is] something you'd think important to have?" and my initial response would be "sure, whatever's the most secure and the least amount of work."  But truly, in my environment, it's not that big of a deal to use the username and password since that's how we did it before.  However, if HP's going to offer the "using certificate" option, it seems like it should be set up in a way that makes sense and is in line with how the other features work...we set "trust by certificate" on all the "client" SMHs and can push out that one important certificate (of the CMS, which is also the VCRM in my case) to all client SMHs. Why can't the version control repository's certificate, if different from the CMS machine, be pushed out the same way to all clients with the VCA? 

 

 I might be thinking about this SSO flow incorrectly, but it seems like the client needs to be sure it's getting updates from the correct, trusted repository more than the repository would need to verify it's communicating with trusted clients (and therefore have all of their certificates known to it).

 

That said, if nothing changes with the design of this "feature," and assuming I do manually want to install a certificate for each client VCA onto the VCRM, how would I actually go about doing that? I don't see a way (in the GUI) to import or view client certificates.

 

Thanks again,

Brandi

Re: vca and use certificate to connect to vcrm

After having a little think about this, if you are running a proper Certificate Authority and you've imported the Root certificate of the CA into the SMH that's hosting your VCRM then any VCA client that has a local certificate from the same CA will automatically be trusted.

Therefore you won't need to manually import every client certificate into the VCRM.

Bart_Heungens
Honored Contributor

Re: vca and use certificate to connect to vcrm

Hi all,

 

I followed all steps mentioned about those certificates but do not get it running...

 

I can import the certificate from the SIM server under the VCA SMH under trusted management servers...

However VCA config using certificate does not work...

 

If I try to import the certificate from the VCA host on the SIM server (so the other way around), it says that the certificate cannot be found (since SIM is not installed on that server).

 

Where can I find the certificates from the SMH itself and not from the SIM server?

mark q
Regular Advisor

Re: vca and use certificate to connect to vcrm

I'm getting the same results, could someone please post a way to get the trust going?

 

I tried the other link that I found where you copy the certificate from the SMH to the VCRM and still nothing.

 

copy \\%computername%\c$\hp\sslshare\cert.pem \\vcrm\c$\hp\hpsmh\certs\%computername%.pem

Pedae
Occasional Advisor

Re: vca and use certificate to connect to vcrm

Any news here? This isn't working for me either.
AlonsoRojas
Occasional Advisor

Re: vca and use certificate to connect to vcrm

I was able to get this working doing the following:

In the VCA server go to C:\hp\sslshare and copy the file called cert.pem. If you don't see this file simply go to Settings - Security - Local Certificate and click on generate (without alternate names)

Option 1:
In the VCRM server paste that file in the location c:\hp\hpsmh\certs and restart the SMH service.

Option 2:
Open the cert.pem and copy the contents, then paste them in the VCRM server's SMH under Trusted Management Servers -> Import Certificate Data

In both cases, in the VCRM under Trusted Management Servers you should see the certificate you pasted.
Pber
Advisor

Re: vca and use certificate to connect to vcrm

So essentially you are taking the server cert from each target server (VCA) and copying that certificate to the server running VCRM. That is backwards from what is already set up. I have the HPSIM/VCRM's certificate on each VCA. Nonetheless, this doesn't work for me.

 

If I copy the cert.pem file from the VCA to VCRM as you indicate, then restart the  SMH, it deletes the cert I just put in that folder.  If I try option 2 and paste it in the Trusted Management Servers and import, it errors out and doesn't import.

 

Has anyone else been able to get this working? As with my original post, the only server that I can trust the VCA by certificate is the HPSim server itself.

 

PrzemekK
Frequent Advisor

Re: vca and use certificate to connect to vcrm

Welcome,

It is difficult to manage different systems when we need to manually copy certs from VCA to VCRM. The perfect resolution should be:

When using self-signed certs

- During HP SIM node discovery, the certificate should be imported from VCA (HP SIM) as trusted.

When using PKI certs

- Import PKI cert to HP SIM CMS

- Import root cert to HP SIM trusted certs

- Verify CRL from LDAP or from CRL Distribution Point in certificate

Now PKI certs won't work: http://h30499.www3.hp.com/t5/ITRC-HP-Systems-Insight-Manager/Single-Sign-on-doesn-t-work-after-System-Management-Homepage/td-p/5701581

And the recommended trusted mode (by certificate) is impossible to implement and manage.

Please fix trust by certificate in VCA and PKI certificates in HP SMH and HP SIM.

 

HP_Ski
Visitor

Re: vca and use certificate to connect to vcrm

I am having the same issue with my HP SIM 7.2 \VCRM 7.2 (same server) configuration. 

 

I have tried importing the certs from the VCA clients into Trusted Certs on HP SIM (I can do this), but still get the error. I have manually tried importing the cert information also.

I also tried copying the certs from the C:\HP\SSLShare directory, but still it does not work.

 

I can use the domain authentication to the VCRM server name and IP and it works fine.

 

No firewall, ports 2381, 2301, 161, 80 are all fine.

 

SNMP is working correctly.

 

Is there any workable resolution to this issue?   I have tried all of the above solutions in this thread and have not found one that works.

 

NJK-Work
Honored Contributor

Re: vca and use certificate to connect to vcrm

The solution proposed by Alonso worked for me. The only problem being "Option 1" does not work for multiple VCA servers - since they all have the same file name "cert.pem". The obvious adjustment to that step would be to rename the file to be something unique before copying it to the VCRM server. My choice was the server name as the name of the PEM file. Thus rename cert.pem to serverabc.pem if my server name was serverabc, and then copy it to the VCRM server.

 

So from an end-to-end perspective, the solution I am looking into is a PowerShell script to loop through all VCA servers:

 

1) Obtain list of all your managed VCA servers; a simple text file would be sufficient.

2) Loop through each server in the list

3) Copy \\servername\c$\hp\sslshare\cert.pem to a temp location

4) Rename cert.pem in temp location to servername.pem

5) Move servername.pem to \\vcrmserver\c$\hp\hpsmh\certs

6) Repeat for next server in the loop

7) Restart SMH on VCRM server (either manually or use PowerShell command to do it in the script)

 

So the issue of having to do this for 100's or 1000's of servers may end up being trivial if you can automate it.

 

Nelson
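
A sketch of the loop outlined in steps 1-7 above, as an added example that is not code from Nelson or from HP. It also parses each staged file as an X.509 certificate and records its subject and thumbprint, so there is an audit trail of what was placed in the VCRM's trust folder. Assumptions: the list file `vca-servers.txt`, the host name `vcrmserver`, the SMH service name `SysMgmtHp`, and PowerShell remoting to the VCRM server for the optional restart.

```powershell
# Added example, not from the thread. The sslshare and hpsmh\certs paths come
# from the posts above; every name in the param block is an assumption.
param(
    [string]$ServerList = '.\vca-servers.txt',  # hypothetical: one VCA host name per line
    [string]$VcrmServer = 'vcrmserver',         # placeholder VCRM host name
    [string]$SmhService = 'SysMgmtHp',          # assumed SMH service name; confirm with Get-Service
    [switch]$RestartSmh                         # step 7 is opt-in
)

$destDir = '\\{0}\c$\hp\hpsmh\certs' -f $VcrmServer
$tempDir = Join-Path $env:TEMP 'vca-certs'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

$results = foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server = $server.Trim()
    $source = '\\{0}\c$\hp\sslshare\cert.pem' -f $server
    $staged = Join-Path $tempDir "$server.pem"   # unique name per VCA host
    try {
        Copy-Item -Path $source -Destination $staged -Force -ErrorAction Stop

        # Parse before trusting: anything that is not a certificate throws here.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($staged)
        if ($cert.NotAfter -lt (Get-Date)) { throw "certificate expired on $($cert.NotAfter)" }

        Move-Item -Path $staged -Destination (Join-Path $destDir "$server.pem") -Force -ErrorAction Stop
        [pscustomobject]@{ Server = $server; Status = 'Copied'
                           Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
    }
    catch {
        # Leave nothing half-staged; report the failure and carry on with the next host.
        Remove-Item $staged -ErrorAction SilentlyContinue
        [pscustomobject]@{ Server = $server; Status = "Failed: $($_.Exception.Message)"
                           Subject = $null; Thumbprint = $null }
    }
}

# Keep a record of exactly which certificates were added to the trust folder.
$results | Export-Csv -Path (Join-Path $tempDir 'vca-cert-audit.csv') -NoTypeInformation
$results | Format-Table -AutoSize

if ($RestartSmh) {
    Invoke-Command -ComputerName $VcrmServer -ScriptBlock {
        Restart-Service -Name $using:SmhService
    }
}
```

Comparing the logged thumbprints against what each VCA's SMH shows under Settings - Security - Local Certificate confirms the file pulled over the admin share is the certificate that host actually presents.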