https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464280#M58588 <P>Yes - you are exactly right.&nbsp; You can also use the SMH GUI to generate a CSR, grab the file from that same directory and sign it with your CA and then replace the file cert.pem with your new cert (use the same name).&nbsp; Its a&nbsp;lot of work to provide custom certs for 100's of servers so I can see why nobody would want to do it and you are probably better off you doing the simpler method they provide (deleting the existing files and restarting the service).</P><P>&nbsp;</P><P>Nelson</P> Fri, 02 May 2014 15:57:21 GMT NJK-Work 2014-05-02T15:57:21Z https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464214#M58587 <P>Hello All,</P> <P>&nbsp;</P> <P>I am new to managing a Windows Server&nbsp;environment which&nbsp;is&nbsp;a mix of Windows Server 2003/2008 &nbsp;(32/64 bit) versions.</P> <P>&nbsp;</P> <P>Recently, several hundred servers had been detected with the Heartbleed bug on port 2381 which I beleive is related to SMH. The SMH version&nbsp;was 7.2.2 which HP recommeds to upgrade to 7.2.3.</P> <P>&nbsp;</P> <P>Because of the priority, I quickly upgraded these to 7.2.3&nbsp;by installing the suggested .exe on HP site :</P> <P><A href="http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay?javax.portlet.begCacheTok=com.vignette.cachetoken&amp;javax.portlet.endCacheTok=com.vignette.cachetoken&amp;javax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c04251388-1%257CdocLocale%253D%257CcalledBy%253D&amp;javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&amp;ac.admitted=1399017795638.876444892.199480143" target="_blank">http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay?javax.portlet.begCacheTok=com.vignette.cachetoken&amp;javax.portlet.endCacheTok=com.vignette.cachetoken&amp;javax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c04251388-1%257CdocLocale%253D%257CcalledBy%253D&amp;javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&amp;ac.admitted=1399017795638.876444892.199480143</A></P> <P>&nbsp;</P> <P>The above fixed the vulnerability and produced clean scans.</P> <P>&nbsp;</P> <P>I now wish to regenerate the certificates and am completely lost on how I should do that. As per the doc above,</P> <P>&nbsp;</P> <P>"If it is suspected that a datacenter has been compromised by this security vulnerability, delete the SMH certificate or back it up by moving it to a private folder. The SMH certificate is located on each node of the datacenter, with the filenames cert.pem and file.pem, in folder C:\hp\sslshare. A new certificate will be created when the SMH service starts (at the end of the upgrade or new installation)."</P> <P>&nbsp;</P> <P>Does the above mean that if&nbsp;simply delete cert.pem and file.pem and restart the SMH service, the certificates will be re-genreated and&nbsp;the issue is solved?</P> <P>Or When it says &nbsp;"(at the end of the upgrade or new installation)", does it mean that I have to reinstall 7.2.3?</P> <P>&nbsp;</P> <P>(FYI, PKI is *not* being used in our environment.)</P> <P>&nbsp;</P> <P>Please advise. Thanks.</P> Mon, 12 May 2014 08:07:17 GMT https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464214#M58587 aruntechie123 2014-05-12T08:07:17Z https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464280#M58588 <P>Yes - you are exactly right.&nbsp; You can also use the SMH GUI to generate a CSR, grab the file from that same directory and sign it with your CA and then replace the file cert.pem with your new cert (use the same name).&nbsp; Its a&nbsp;lot of work to provide custom certs for 100's of servers so I can see why nobody would want to do it and you are probably better off you doing the simpler method they provide (deleting the existing files and restarting the service).</P><P>&nbsp;</P><P>Nelson</P> Fri, 02 May 2014 15:57:21 GMT https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464280#M58588 NJK-Work 2014-05-02T15:57:21Z https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464286#M58589 <P>Sorry, I just re-read you your post.&nbsp; Here is what I would do:</P><P>&nbsp;</P><P>Install latest SMH.&nbsp; Do not install 7.3.2 on Windows 2003.&nbsp; This breaks&nbsp;SMH as Windows 2003 does not support the the versionof PHP included in the SMH 7.3 familiy.&nbsp; Use 7.2.3 for Windows 2003 and 7.3.2 for Windows 2008 and up.&nbsp; This fixes the Heartbleed bug in HP SMH software.</P><P>&nbsp;</P><P>Install latest VCAgent if you are using it.&nbsp; You can use 7.3.2 version of the VCA for both Windows 2003 and 2008 and up servers.&nbsp; This fixes the Heartbleed bug in the HP VCA software.</P><P>&nbsp;</P><P>If you are worried your existing certificates have been comprimised, delete the certs as you outlined in your post and restart the SHM agent service to have them regenerated.&nbsp; As you mentioned you are not using PKI you can ignore my earlier post regarding creating CSRs...and that is a lot of work anyways.</P><P>&nbsp;</P><P>Hope this helps.</P><P>NK</P> Fri, 02 May 2014 16:05:07 GMT https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6464286#M58589 NJK-Work 2014-05-02T16:05:07Z https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6471616#M58618 <P>Hello Nelson,</P><P>&nbsp;</P><P>Many thanks for your advice.</P><P>I followed the steps you mentioned and received about 80% successful fixes (upgrades).</P><P>&nbsp;</P><P>However, on about 20% of the servers, the scan script still reports "probably vulnerable" for heartbleed</P><P>(a) c:\hp\hpsmh\bin\smhlogreader --version displays 7.2.3.1<BR />(b) c:\hp\hpsmh\bin\ssleay32.dll and libeay32.dll show Product version as "1.0.1c"<BR />(c) c:\smh_installer.log&nbsp; seems to indicate a successful upgrade. PFA.</P><P>&nbsp;</P><P>(I have not updated the VCAgent for any as yet)</P><P>&nbsp;</P><P>Please help.</P> Sun, 11 May 2014 22:30:17 GMT https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6471616#M58618 aruntechie123 2014-05-11T22:30:17Z https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6475114#M58622 Just FYI, once rebooted, it was fine. Wed, 14 May 2014 14:59:54 GMT https://community.hpe.com/t5/server-management-systems/newbie-hp-systems-mangement-homepage-ssl-heartbleed-bug-cert/m-p/6475114#M58622 aruntechie123 2014-05-14T14:59:54Z