HPE Community
Server Management - Systems Insight Manager
1753806 Members
7644 Online
108805 Solutions
New Discussion юеВ

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

 
Nate2272
Occasional Advisor

тАО06-13-2006 01:53 AM

тАО06-13-2006 01:53 AM

Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Has anyone had the following issue before?

Anytime we try to access a server's SMH from SIM, we receive a Security Alert window with the options of Yes, No, and View Certificate.

When selecting View Certificate, Certificate Information shows that the CA Root Certificate is not trusted.

My question is:

Shouldn't the certificate show ISSUED BY as being the SIM Server for the environment, instead of as the following (local system)?

Issued to: PMRIP02A (system)

Issued by: PMRIP02A (system)

We are using Secure Trust Mode with Trust by Certificate.

Under Trusted Manager Server Certificates on the SMH of our servers, the SIM server is listed.

Any suggestions would be of great help.

Nate
0 Kudos
Reply
9 REPLIES 9
Albert Austin
Esteemed Contributor

тАО06-13-2006 02:46 AM

тАО06-13-2006 02:46 AM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Yes I to have noticed this too, I to have trust by certificate in my environment. When you have viewed the certifiate have you tried to install it?
Well I have done it and it did not ask me again when I accessed the page.
But only when I access the SIM console using https://servername:50000.
If I access the SIM via https://serverip:50000 or https://localhost:50000 it still asks me to accept the trust certificate.
0 Kudos
Reply
Jan Prucha, TPCA Czech
Advisor

тАО06-13-2006 08:07 PM

тАО06-13-2006 08:07 PM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Just a short remark on server certificates in general: server certificate prooves the identity of server. In order to be accepted by the client automatically, 3 conditions must be met:
1. the certificate must be valid (not expired)
2. the name of the server you are trying to access (what you write in the browser) must equal the server name contained in the certificate
3. the issuing authority must be trusted. If the SMH certificate is self-issued, like most of them are, you have to add it to your trusted certificates by installing it, as it was suggested before.

Hope I cleared things a little.
jan
0 Kudos
Reply
Jan Prucha, TPCA Czech
Advisor

тАО06-13-2006 08:13 PM

тАО06-13-2006 08:13 PM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

and, sorry, one more:
There are two certificates, actually. Please do not confuse them:

A: System Management Homepage certificate - (the one causing the message in this case). Its purpose is to prove identity of the managed server. Each server issues its own, usually, unless you create some in your own certificate authority and have the target servers use them instead.

B: System Insight Manager certificate - its purpose is to prove identity of the SIM to the SMH of the target server, so that the SIM can initiate some administrative actions (like install software and stuff).

BTW, Your configuration is correct, the SIM can manage the target servers OK I guess.

0 Kudos
Reply
Nate2272
Occasional Advisor

тАО06-14-2006 09:28 AM

тАО06-14-2006 09:28 AM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Jan,

Thanks for your reply...

I understand that there are 2 certificates (one specific to the server, and the enterprise certificate for the SIM server).

Something isn't set up properly, or I'm missing something...

Whenever I try to replicate the Agent settings for the VC agent settings, SNMP settings, or Systems Management Homepage from the SIM server which is set up properly to another server, I receive a Not Trusted error.

My assumption was that it was related to the certificate(s) being used?

If you want, I could submit a screenshot of the error I'm getting.


Nate
0 Kudos
Reply
Rich Purvis
Honored Contributor

тАО06-14-2006 09:58 AM

тАО06-14-2006 09:58 AM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Nate,
When you try to go to the SMH from HPSIM and you get the security popup window - Do you still have to login after you go past the popup? If not, it sounds like the cert trust is working and you are getting the annoying local cert challenge that Albert mentioned.

If you do have to login that would explain why the Replicate Agent tasks are not working.

If you are not logging in after the cert challenge, and the Replicate Agent tasks are failing on the same system then that is confusing.

-Rich
Why does my tivo keep recording Nickelodeon?
0 Kudos
Reply
Albert Austin
Esteemed Contributor

тАО06-14-2006 06:53 PM

тАО06-14-2006 06:53 PM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Hi,

From your last line in your first post

"Under Trusted Manager Server Certificates on the SMH of our servers, the SIM server is listed."

I understood that you have no problems with your trust certificates as they have all been installed locally and working fine. right?

What I understand from your post is that you are wondering why do you still have this security alert eventhough you have this SIM security cert installed. Hope Im still on track?
I too have seen this problem and think I have managed to solve it in my environment.

When you try and access SMH from SIM console the security checks if not your SIM cert but your cert of the server you are trying to access. By default it uses system name to manage links to systems.

From OPTIONS->SECURITY->SYSTEM LINK CONFIGURATION you should be able to change the format to create a link to managed systems.

I changed mine to IP address as I manage a mixed environment and it seemed to do the trick for me.

Hope this helps.
0 Kudos
Reply
Nate2272
Occasional Advisor

тАО06-22-2006 04:48 AM

тАО06-22-2006 04:48 AM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Sorry, I've been away for a week...

Albert, I actually tried that with no luck.

I used the IP address instead of the System Name under System Link Configuration.

Everytime I access a SMH for a system, I have to login.

Every system shows a local certificate...I select OK, or install the certificate if it shows as untrusted...I still have to login, regardless if I access from the SIM server or locally on the box itself.

Stumped...

0 Kudos
Reply
Ananthak23
Trusted Contributor

тАО06-22-2006 01:46 PM

тАО06-22-2006 01:46 PM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Nate,
If you want to login to SMH locally without giving username/password, you can set it (after logging in) by clicking on settings -> System Management Homepage -> Security ->Local/Anonymous Access and then selecting Local Access checkbox and Administrator radio button and then Save the configuration.

You might try deleting the existing SIM server certificate and manually importing the SIM server cert to the trusted mgmt servers and then run discovery/identification task against this system. This should establish the trust relationship and you should be able to open SMH page (without logggin in) through SIM.

-Anantha
0 Kudos
Reply
Nate2272
Occasional Advisor

тАО06-26-2006 04:45 AM

тАО06-26-2006 04:45 AM

Re: Certificate issues with servers when accessing via the Systems Management Homepage from SIM

Thanks, I'll give that a shot.


Nate
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.