topic Re: SIM 4.2 distributes wrong cert in Server Management - Systems Insight Manager

SIM 4.2 distributes wrong cert

Kevin Kelling — Fri, 07 Jan 2005 00:07:00 GMT

Where is the cert located that SIM pushes when you run the Configure or Repair Agents tool?

If I use this tool OR if I request the certifcate from the server (from the system home page) I get a certificate with a serial number of "0" which does not give me a trust.

However, if I request the certificate from the system home page but enter a DNS alias for the SIM server (which resolves to the same IP address) I get a certificate with a valid serial number which results in a trust with the SIM Server.

So basically I have three secarios by which to push a certificate to managed nodes:

1) Configure/Repair Agents Tool
2) Request using FQDN
3) Request using DNS alias

1 and 2 return a bad certificate. Only #3 returns a good certificate -- even though the DNS alias and FQDN use the same IP address (there is no clustering or load balancing in play -- the SIM server only has one IP address and ALL names resolve to this one IP address).

What's the best way to get SIM 4.2 (Windows 2003) to the point where I can have SIM distribute a certificate that will result in a trust with the SIM Server?

Thanks1

Re: SIM 4.2 distributes wrong cert

Kevin Kelling — Fri, 07 Jan 2005 01:05:14 GMT

Just for fun I tried the following:

1) Generated a new server certificate
2) Rebooted SIM server
3) Ran Configure/Repair Agents Tool on sample group (4 servers)

The tool reports that the certificate deployment was sucessful

All target servers still have no trust and a certificate with a serial number of 0 (0x0)

Re: SIM 4.2 distributes wrong cert

Kevin Kelling — Fri, 07 Jan 2005 11:13:49 GMT

I'm aware that it is possible to distribute certs with a PSP but the problem is that the cert has changed and I now need to redistribute.

Yes I can run the PSP again on 300 servers, OR I could distribute them in one easy task with SIM :^)

Problem is that SIM keeps distributing bogus certs...even if I create a new server cert in SIM!!

If you create a new server cert in SIM, should not SIM be distributing this cert automatically? This is what I can infer from the security whitepaper.

Re: SIM 4.2 distributes wrong cert

Mike Strako — Tue, 18 Jan 2005 13:34:39 GMT

You can distribute the files faster by the following script, but you must modify for your environment:

#
#
# Run this script from the target server (login script, group policy, remote-exec, etc)
#
# To use this, modify \\source\share and snmp.reg
# Put the agent config files on the UNC
# To get snmp.reg, export HKLM:System\CurrentControlSet\System\SNMP\Parameters
#

# --------------------------- HP Agents -----------------------------

del c:\compaq\wbem\certs\*.* /q
# Remove previous trusts

REM xcopy \\source\share\compaq\wbem\CPQHMMD.ACL c:\compaq\wbem\ /y
REM xcopy \\source\share\compaq\wbem\CPQHMMD.CFG c:\compaq\wbem\ /y
REM xcopy \\source\share\compaq\wbem\homepage\CPQHMMD.INI c:\compaq\wbem\homepage\ /y
xcopy \\crownew\temp\CPQHMMDX.INI c:\compaq\wbem\homepage\ /y
REM xcopy \\source\share\compaq\wbem\certs\*.* c:\compaq\wbem\certs\ /y
# duplicates agent configuration

# -------------------------- Windows SNMP ----------------------------

regedit -S \\crownew\temp\snmp.reg

# ------------ Restart SNMP and Agents so changes take effect --------

net stop "snmp service" /y && net start "snmp service" /y
net start "HP Insight Web Agent"
net start "HP Insight Foundation Agent"
net start "HP Insight Storage Agents"
net start "HP Insight Server Agents"
net start "HP Insight NIC Agent"

Let me know how it works.

Best regards,

Mike.

Re: SIM 4.2 distributes wrong cert

Kevin Kelling — Tue, 18 Jan 2005 17:42:42 GMT

Thanks but I opened a case with HP and we were able to get it resolved.

There was a previous installation of a previous version of SIM on a different drive letter.

I uninstalled SIM and re-installed, but some registry keys were not cleaned up.

Thus SIM was creating the certs on the E drive, but was attempting to distribute certs from the D drive (where a previous version of either IM7 or SIM had been installed).

Once we understood the problem we were able to fix by simply copying the certs from the E drive to the D drive.