
Re: HP-Oneview 4.0 upgrade Issues

 
BhaskarV
Trusted Contributor

Re: HP-Oneview 4.0 upgrade Issues

Thanks @ChrisLynch and @YYCSysAdmin  

Just wanted to clarify to @YYCSysAdmin that you will see the alerts for the expired certificates, but communication will not be disrupted to these iLOs with out-of-the-box / default settings. The alerts are for you to take notice of and fix the expired certificates on such iLOs, which is what you are doing by making use of the PowerShell script. Let me know if this is what you are seeing in OneView 4.10 as well.

Regards,
Bhaskar


I am an HPE employee


YYCSysAdmin
Frequent Advisor

Re: HP-Oneview 4.0 upgrade Issues

Thank you for the information. I am trying to get our Lab environment as clean as possible and remove any and all warnings and critical events to get it as clean as I can!

YYCSysAdmin
Frequent Advisor

Re: HP-Oneview 4.0 upgrade Issues

Just to let everyone know, the script provided to bulk update the SSL certs worked great once I renewed the Appliance self-signed SSL cert.

All iLO certs are now good!

ChrisLynch
HPE Pro

Re: HP-Oneview 4.0 upgrade Issues

@YYCSysAdmin So glad to hear you got it fixed.


I am an HPE employee


YYCSysAdmin
Frequent Advisor

Re: HP-Oneview 4.0 upgrade Issues

Well Chris, maybe I spoke too soon. I have been trying to now use this on production but it is failing trying to authenticate. Our production system does use AD to login, I have tried with both AD account as well as the local administrator account but I keep getting this error:

We did just generate a new self signed certificate for the Appliance via the Oneview GUI this morning.

Connect-HPOVMgmt : Unable to establish trusted communication with the server. The certificate of the root CA that has authorized the directory server certificate is not present in the OneView trust store. Add the certificate of the root CA that has 
authorized the directory server's certificate into the OneView trust store and retry the operation. 
At C:\Users\********\*********\Documents\00. Scripts\HPE\Generate a new iLO self-signed SSL certificate.ps1:136 char:9
+         Connect-HPOVMgmt -appliance $IP -UserName $username -Password ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Send-HPOVRequest:String) [Connect-HPOVMgmt], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Connect-HPOVMgmt

Adis_S
Advisor

Re: HP-Oneview 4.0 upgrade Issues

@YYCSysAdmin

Try to use the -DisableCertificateAuthentication parameter with your Connect-HPEiLO command, e.g.:

Connect-HPEiLO -Credential (Get-Credential) -IP <ilofqdn> -Timeout 200 -DisableCertificateAuthentication


If certificate authentication is what you actually need and would use, then import the Root CA Certificate (from the Cert Sign Authority, e.g. Microsoft CA in house) to the OneView Appliance by going to: Settings | Manage Certificates | Add certificates.


YYCSysAdmin
Frequent Advisor

Re: HP-Oneview 4.0 upgrade Issues

Hello @Adis_S

Thank you for that, however I do not have that string in this script, as the script Chris posted connects in through OneView. The closest to that, I think, is:

Connect-HPOVMgmt -appliance $IP -UserName $username -Password $password | Out-Null

Is there a way to run a script directly against a single iLO vs going in through OneView? I know the benefit of the OneView method is it will also update OneView with the new cert / force it to recheck.


Adis_S
Advisor

Re: HP-Oneview 4.0 upgrade Issues

@YYCSysAdmin

I did not check the script from @ChrisLynch, I just gave you an example, which I use to connect to a single iLO and which ignores the Certificate Authentication.

But it seems there is no such option "DisableCertificateAuthentication" for Connect-HPOVMgmt.

Normally, when adding Directory servers for Domain login, it imports the Domain Root CA certificates too, which can be checked by going over the WebGUI to Security | Directory | Edit Directory; under Directory servers there is a column with "Certificate Status". Do you have anything there?

So for your case you need to import your Root CA into OneView by using the WebGUI and going to "Security | Manage certificates | Add certificates". An additional step could pop up, to import the same cert on your workstation/management server from where you are starting your script.

ChrisLynch
HPE Pro

Re: HP-Oneview 4.0 upgrade Issues

The Connect-HPOVMgmt Cmdlet does not contain a parameter like the iLO Cmdlets do.  This is because the HPE OneView PowerShell library supports session state of authenticated connections.  Each Cmdlet does not have credential support to authenticate to an iLO individually.

The HPE OneView PowerShell library examines the SSL certificate of the connecting appliance and validates its validity using .Net methods.

That being said, yes, the iLO Cmdlets or HPEREST Cmdlets can be used independently of HPE OneView to perform various operations.  If you simply wanted to generate the iLO certificate using the HPERest Cmdlets, then you would want to look at Line 237 from the script I linked you to.


I am an HPE employee


ChrisLynch
HPE Pro

Re: HP-Oneview 4.0 upgrade Issues


@YYCSysAdmin wrote:

Well Chris, maybe I spoke too soon. I have been trying to now use this on production but it is failing trying to authenticate. Our production system does use AD to login, I have tried with both AD account as well as the local administrator account but I keep getting this error:

We did just generate a new self signed certificate for the Appliance via the Oneview GUI this morning.

Connect-HPOVMgmt : Unable to establish trusted communication with the server. The certificate of the root CA that has authorized the directory server certificate is not present in the OneView trust store. Add the certificate of the root CA that has 
authorized the directory server's certificate into the OneView trust store and retry the operation. 
At C:\Users\********\*********\Documents\00. Scripts\HPE\Generate a new iLO self-signed SSL certificate.ps1:136 char:9
+         Connect-HPOVMgmt -appliance $IP -UserName $username -Password ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Send-HPOVRequest:String) [Connect-HPOVMgmt], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Connect-HPOVMgmt

That Connect-HPOVMgmt error is originating from the appliance.  Generating the appliance's SSL certificate is not the source.  Can you validate that you have added all of the CA certs (root and subordinates) to your appliance?  You can change your login code to:

Connect-HPOVMgmt -Hostname $appliance -Username $MyAccountName -Password $MyPassword -AuthLoginDomain LOCAL

Then you can run other Cmdlets bypassing Authentication Directory issues you have.  Just make sure that you have a local user account.


I am an HPE employee
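
A read-only way to list the CA certificates that sit above the directory server's certificate, for the advice in this thread to add the root and subordinate CA certs to the OneView trust store. This is an added example, not part of any post here and not HPE's script; the function name Get-PresentedCertificateChain, the LDAPS port 636 and the host dc01.example.com are assumptions.

```powershell
# Added example. Function name, port and host name are assumptions/placeholders.
function Get-PresentedCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 636   # LDAPS, assumed to be what the directory uses
    )

    $found = New-Object 'System.Collections.Generic.List[object]'

    # Inspection only: the callback records every chain element and accepts
    # the handshake so it can complete. Nothing is sent over this connection.
    $block = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            $found.Add([pscustomobject]@{
                Subject      = $c.Subject
                Issuer       = $c.Issuer
                Thumbprint   = $c.Thumbprint
                NotAfter     = $c.NotAfter
                SelfSigned   = ($c.Subject -eq $c.Issuer)   # true for a root CA
                # Status is evaluated against THIS workstation's store,
                # not the OneView appliance trust store.
                Status       = ($element.ChainElementStatus.Status -join ', ')
                PolicyErrors = $sslPolicyErrors
            })
        }
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $block

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    return $found
}

# Usage (placeholder host): every row after the first is a CA certificate.
# If no row has SelfSigned = True, the last row's Issuer names the missing CA.
# Get-PresentedCertificateChain -HostName 'dc01.example.com' | Format-List
```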
