topic Re: HIDS agent problem in Operating System - HP-UX

HIDS agent problem

Rainer von Bongartz — Thu, 01 Mar 2007 07:34:55 GMT

Hi,

my HIDS manager ( HP-UX Host IDS B.03.00) cannot contact the agent systems any longer :

ERROR in TRACE.log is:

MAJOR: initialize ipAddress: X.X.X.X Handshake Exception: java.io.IOException: Broken pipe

The GUI says : No agent available

ids IS running on the agent hosts

Any ideas ??

Re: HIDS agent problem

Pierre Pasturel — Tue, 20 Mar 2007 15:11:08 GMT

Hi Rainer -

It appears the SSL handshake with an agent failed. Have you tried all the suggestions listed in the Troubleshooting section of the Admin Guide?

See
http://docs.hp.com/en/5991-6776/aphs01.html#cacjifja
http://docs.hp.com/en/5991-6776/aphs01.html#cacjhecj

Pierre

Re: HIDS agent problem

Rainer von Bongartz — Wed, 21 Mar 2007 04:54:33 GMT

Pierre,

thanks for the hint, the certificates were expired.

I created new ones as described, but still have this error on the management system when trying to poll the client:

Wed Mar 21 10:57:04 2007: libcomm: pid=26511 thread_id=2: accept_connection: Handshake error (ssl_err=1,ret=0) as server
2:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
Wed Mar 21 10:57:04 2007: libcomm: pid=26511 thread_id=2: read_thread: error accepting connection, errno=607

Re: HIDS agent problem

Pierre Pasturel — Wed, 21 Mar 2007 12:01:50 GMT

Hi Rainer -

Did you make sure both the admin and agent certs were not expired?

On the admin system, run the following:
% /opt/ids/bin/IDS_checkAdminCert
% cksum /etc/opt/ids/certs/admin/cacert.pem

On the agent system, run the following:
% /opt/ids/bin/IDS_checkAgentCert
% cksum /etc/opt/ids/certs/agent/cacert.pem

The checksums for .../admin/cacert and .../agent/cacert should match.

If the admin certs expired, and you re-ran IDS_genAdminKeys, you will need to regenerate certs for the agent also by running IDS_genAgentCerts and then IDS_importAgentCerts on the agent system to install them.

Pierre

Re: HIDS agent problem

Rainer von Bongartz — Thu, 22 Mar 2007 08:56:06 GMT

Piere,

I checked the checksums and the match.
I re-created the keys and distiributed them but the errors stays the same

On the admin system it says:
HP-UX Host IDS Root CA Certificate:
Valid from: Thu Mar 22 09:54:44 CET 2007 until: Thu Feb 19 09:54:44 CET 2009

HP-UX Host IDS Admin Certificate:
Valid from: Thu Mar 22 09:55:10 CET 2007 until: Thu Feb 19 09:55:10 CET 2009

$ cksum /etc/opt/ids/certs/admin/cacert.pem
2699799611 1082 /etc/opt/ids/certs/admin/cacert.pem

On the agent system it says.
HP-UX Host IDS Root CA Certificate:
Valid from: Mar 22 08:54:44 2007 GMT until: Feb 19 08:54:44 2009 GMT

HP-UX Host IDS Agent Certificate on host nova:
Valid from: Mar 22 09:10:52 2007 GMT until: Feb 19 09:10:52 2009 GMT
ids@nova $

2699799611 1082 /etc/opt/ids/certs/agent/cacert.pem

so everythings looks OK.
Any further hints ??

Re: HIDS agent problem

Pierre Pasturel — Mon, 26 Mar 2007 11:10:09 GMT

Hi Rainer -

Sorry for the late response.

What is the output of the following commands on both the admin and agent system?

% date
% ls -lR /etc/opt/ids/certs

Can the admin (idsgui (GUI) and idsadmin CLUI) connect to an agent running on the admin system? I assume you are trying to connect to a remote agent.

Run "idsadmin -c 3 -a |& tee /var/tmp/idsadmin.log" and run the "ping" command from the idsadmin interctive menu and then attach idsadmin.log in your next response.

Pierre