Server Management - Systems Insight Manager

Adding a managed host with non-root user

 
SOLVED
Lou97
Occasional Advisor

Adding a managed host with non-root user

Does anybody know if adding a managed host with a non-root user is supported on HP SIM 6.3? I originally thought that I can use privilege elevation for this, but I couldn't seem to work it out. The documentation on this topic is really limited.

 

In my opinion, disabling direct login for root or any user with admin privilege is a common security practice on any *nix environment. Hence not being able to use a non-root to identify/add a new managed host is a major issue.

 

Thanks.

10 REPLIES
shocko
Honored Contributor

Re: Adding a managed host with non-root user

It really depends on what management protocols you are using, SNMP or WBEM?

If my post was helpful please award me Kudos! or Points :)
Lou97
Occasional Advisor

Re: Adding a managed host with non-root user

I'm using SNMP. Thanks

shocko
Honored Contributor

Re: Adding a managed host with non-root user

I'm not sure I get you. Is the managed node not being identified correctly or do you want to use a non-root account for sign-in credentials?

Lou97
Occasional Advisor

Re: Adding a managed host with non-root user

Sorry for the late response.

 

I'm trying to use a non-root account for sign-in credentials when adding a new managed host. As far as I'm aware, HP SIM uses these credentials to identify the machine (grab model, S/N, etc.)

 

What I've done:

1. Disable root login on the managed hosts. They are using RHEL.

2. Enable Privilege Elevation for Linux on the SIM server. Below is the screenshot.
3. Add two new discovery tasks to discover a single system and use root user for the first task and support user for the 2nd task for sign-in credential. Both result in the same error message.

 

Major:   

The system cannot be identified properly for HP SIM to manage; unable to get one or more of the following: model, serial number or unique identifier (UUID). For management processors, verify the system is running the latest firmware. For Linux based operating systems, you must have dmidecode installed, enable the    PermitRootLogin and PasswordAuthentication in sshd, and use root sign-in credential. For HP-UX, verify the sign-in credential. For Windows, check if WMIMapper is configured correctly on the CMS and verify the sign-in credential.

 

Does it mean that the only way to properly add a new managed host is with a root account?


 

Bart_Heungens
Honored Contributor
Solution

Re: Adding a managed host with non-root user

Hi,

 

Did you implement a trust relationship between the Systems Management Homepage on the *nix servers and the CMS? If you do this, then the CMS can talk directly with all the agents on those servers through the SMH and not needing the root account...

 

At my customer side I do not have root access to the servers but can manage all hardware from the servers through this mechanism... To set this up, the *nix admin must log on once to get into the SMH and activate the trust, afterwards it is not necessary anymore... Works fine for me.

 

 

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, click on my KUDOS! "White Star" !
Lou97
Occasional Advisor

Re: Adding a managed host with non-root user

Thanks Bart, I've done that manually as HP SIM can't push the certificate due to the failed sign-in process.

 

So I logged into the client's SMH page and manually entered the certificate. After that I can have the single sign-on feature to the SMH from the HP SIM page.

 

However this doesn't solve the issue where HP SIM couldn't properly identify the client (no S/N, h/w model, etc).

 

Also when I perform Configure > Manage configurations on the client, I was getting an error on the identification section.

Lou97
Occasional Advisor

Re: Adding a managed host with non-root user

Continuing my previous post. I decided to give Bart's suggestion another try. This is what I've done:

 

1. Delete the client from HP SIM (the one with disabled root access)

2. Re-discover the client by using root account as the credential.

- As expected I got the previous error.

- HP SIM is populated only with minimum information. Below is the screenshot

2011-12-08_1141.png
- Single sign-on to the SMH page is still working as I didn't delete the certificate from SMH. I believe this means SIM couldn't extract the details of the machines only with the deployed SIM certificate on the SMH page.

 

3. Open Configure > Manage Communications on the page and perform a quick repair.

Below is the screenshot of the last page.

 

2011-12-08_1131.png

 

As you can see, HP SIM does offer the privilege elevation password. What I hope is that HP SIM uses the password that I provided on the screenshot and picks up user support that I've configured on the privilege elevation configuration page (refer to the screenshot on my earlier post) for login purposes and then later performs an SU with the root's credential to get all of the details of the machines. However it doesn't work at all. I'm getting the following error.

 

Could not connect to the target system: kmb2
The network path was not found.
Could not to the target system IP or name: 192.168.0.56
The network path was not found.
HP Systems Insight Manager was unable to connect to the target because it was un
reachable.

Configure SSH for host-based authentication ......................... [FAILED]
Configuration failed to complete due to the following exception:
    SSH Password authentication failed for user root for target system: kmb2.Check password and try again. Also check target systems SSH configuration file to see if the password authentication is enabled and whether the user is permitted to login remotely

 

FYI, there's nothing wrong with the network path, I can ssh to the client (192.168.0.56) from the SIM server.

 

Bart, can you please advise if you do something else apart from importing the certificate?

 

Can anybody explain what's the function of privilege elevation on HP SIM? The manual doesn't have any sample at all.

 

Thanks.

 

Bart_Heungens
Honored Contributor

Re: Adding a managed host with non-root user

Hi,

 

You try to push the certificate, I do it the other way around... Inside the SMH I download the certificate by entering the HP SIM server name under security...

 

When you launch the SMH from the server itself, does it show all information expected on hardware etc?

When you enter the settings/security, under trusted management servers do you see your SIM server mentioned? If not the certificate is not well imported...

Is the Trust type set to Trust by certificate?

 

These are the settings that I use and I can see all details that I see inside the SMH also inside SIM... Without root user account...

 

 

Kr,

Bart

shocko
Honored Contributor

Re: Adding a managed host with non-root user

Lou,

 

I note in your output the following:

 

  • "HP Systems Insight Manager was unable to connect to the target because it was un
    reachable."

Can you verify network connectivity across all needed ports? Also, is the SN etc. available in the SMH on that system? You need to verify this, as if it's not there SIM will not get it either. Can you send a full output of identification and also set up an appropriate account with low privilege in the SMH.

 

Settings  »  SMH  »  Security  »  User Groups

 

 

Lou97
Occasional Advisor

Re: Adding a managed host with non-root user

All,


I just redid the test that I did previously and it does work now!!! The only difference was this time I deleted the host's ILO record on the SIM server. Apparently when I deleted the host only, it also deleted the details of the host managed by the ILO. This has caused the missing info when I added back the host to the SIM server.

Basically I was verifying what Bart has said about relying on certificate to get all of the details.

This is what I did:

1. Delete the host and its ILO on SIM server.
2. Re-discover the ILO on the SIM server.
    This step basically added the ILO details on the SIM server with the S/N of the machine managed by this ILO.
3. Re-discover the host on the SIM server. I didn't even add any sign-in credential for this on the discovery task.
    This time the identification process finished successfully. After adding the host, the system credentials listed on the SIM server for this host are only SNMP and Certificate Single Sign-On.

All of the host's fields on the SIM are now populated correctly. From the way it works I reckon privilege elevation wasn't used at all for this.

Thanks heaps to Bart and Shocko for helping me!!
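
Added example, not part of the thread or of HP's tooling: the identification error quoted earlier asks for PermitRootLogin and PasswordAuthentication to be enabled, while the accepted fix needs no sign-in credential, so root SSH login can stay off. This shell check reads the global section of an sshd_config and confirms that; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" apply only conditionally.

# sshd_effective FILE KEYWORD -> lower-cased global value, empty if unset
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            key  = tolower(substr(line, 1, RLENGTH))
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)     # "Key value" or "Key=value"
            split(rest, v, /[ \t]+/)
            if (key == "match") exit             # end of global section
            if (key == want) { print tolower(v[1]); exit }
        }' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 only if root SSH login is off
audit_sshd() {
    prl=$(sshd_effective "$1" PermitRootLogin)
    pwa=$(sshd_effective "$1" PasswordAuthentication)
    echo "PermitRootLogin=${prl:-unset} PasswordAuthentication=${pwa:-unset}"
    # An unset keyword falls back to the build default, which differs between
    # OpenSSH releases, so only an explicit "no" counts as hardened.
    if [ "$prl" = "no" ]; then
        echo "OK: direct root login over SSH is disabled"
        return 0
    fi
    echo "FINDING: root can still log in over SSH (${prl:-build default})"
    return 1
}

# Constructed sample, not taken from the hosts in the thread.
write_sample() {
    cat <<'EOF'
# constructed sshd_config
Port 22
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication = yes
Match User support
    PermitRootLogin yes
EOF
}

# Audit a real file when a path is given, e.g. /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then audit_sshd "$1"; fi
```

On a live host, `sshd -T` prints the effective configuration including defaults and is the authoritative cross-check for what this file-based audit reports.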