HPE Community
Server Management - Systems Insight Manager
1752781 Members
5877 Online
108789 Solutions
New Discussion

Re: vca and use certificate to connect to vcrm

 
Deas.h
Occasional Advisor

‎04-06-2012 09:14 AM

‎04-06-2012 09:14 AM

vca and use certificate to connect to vcrm

hello,

 

i just installed a new hp sim 7 server to replace my old 6.3 system. so far everything went fine, but i also want to use the new feature from vca 7 "by certificate".

 

on the hp sim server locally it is working, but from all remote systems not. when i enter the credentials of my domain admin i get the support packs. so the basic config should be ok.

 

what do i miss to enable all my servers to authenticate via certificate for vca?

 

thank´s a lot for your help!

 

brgds Andreas

0 Kudos
Reply
22 REPLIES 22
Pber
Advisor

‎04-10-2012 06:52 AM

‎04-10-2012 06:52 AM

Re: vca and use certificate to connect to vcrm

I have the exact same issue.  Works on the HPSim server but nothing else.

0 Kudos
Reply
JeffA3
Frequent Visitor

‎04-11-2012 07:42 AM - edited ‎04-12-2012 07:35 AM

‎04-11-2012 07:42 AM - edited ‎04-12-2012 07:35 AM

Re: vca and use certificate to connect to vcrm

I have the exact same problem.   Did a lot of fiddling around over the last day.

 

on the SMH I imported all the HPsim management certs and clicing from hpsim to agent HPSMH works without logging in.  

 

In HPSIM for version control and I assigned the baseline and it actually check the software on the agent and showed the differences GREAT!!

 

but from the agent SMH home page  clicking USING CERTIFICATE  fails,   but using userid and password works.

 

The specified repository, cmtcfcpwprmgt01.ibg.adroot.bmogc.net, is invalid or not reachable.  

 

Connection: close
Content-Length: 248
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 11 Apr 2012 14:31:56 GMT
Location: /cpqlogin.htm?RedirectUrl=/vcrepository&RedirectQueryString=
Server: CompaqHTTPServer/9.9 HP System Management Homepage/7.0.0.24
Set-Cookie: Compaq-HMMD=0001-708914d6-02bb-f343-b7be-17e211b5c0c0-1334154716745077; path=/; Secure
Status: 302

 

 

 

0 Kudos
Reply
Deas.h
Occasional Advisor

‎04-16-2012 04:12 AM

‎04-16-2012 04:12 AM

Re: vca and use certificate to connect to vcrm

sorry, but is nobody from HP here that can explain how this feature works and what is needed?!? did anybody find the documentation for the latest vca? unfortunately i only find one from 2003...

 

brgds Andreas

0 Kudos
Reply
jim goodman
Trusted Contributor

‎04-20-2012 02:39 PM

‎04-20-2012 02:39 PM

Re: vca and use certificate to connect to vcrm

The documentation is all right here

 

http://h18013.www1.hp.com/products/servers/management/unified/infolibraryfm.html

 

"HP Version Control supports Single Sign On (SSO) system that allows a trusted HP
VCA the ability to connect to the HP VCRM without providing authentication details to
login to HP VCRM's HP SMH. When the Using Certificate option is selected, HP
SMH processes the SSO request depending on the Trust Mode selected. HP SMH
obtains the HP VCA 's HP SMH public certificate and uses it to validate the trust
relationship. If HP SMH is unable to establish the trust relationship or cannot verify the
security token, then HP VCA displays the following error message:The specified
repository, VCRM IP, is invalid or not reachable."

0 Kudos
Reply
Deas.h
Occasional Advisor

‎04-23-2012 06:13 AM

‎04-23-2012 06:13 AM

Re: vca and use certificate to connect to vcrm

hello,

 

at least we have now the attention by someone from hp! :) thank´s a lot!

 

the trust mode from the smh is by certificate. the certificate i use is the self-signed created by the hp sim setup.

 

can you explain detailed what i should do/check to get this working? are there any firewall ports we must take care of except 2301 and 2381?

 

thank´s a lot for your help!

 

brgds Andreas

0 Kudos
Reply
jim goodman
Trusted Contributor

‎04-23-2012 06:25 PM

‎04-23-2012 06:25 PM

Re: vca and use certificate to connect to vcrm

I replicated what you all are reporting.

 

The VCA "Use Certificate" failed for me as well with the error "The specified repository, is invalid or not reachable" yet if I use Username and Password it connects fine so my thinking is certificate itself.

 

In dinking around SMH Settings --> Security --> Local Server Certificate under Current Certificate I added the IP address of the vcrm for giggles in the Alternate Names box.

 

Went back to VCA and it was connected so I don't know if that was the ticket or not but went to change agent settings to set a baseline and it passed Use Certificate for the login.

 

Tomorrow I am going to try and get some clarity on a few details that aren't real clear in both the VCA and SMH documentation. As soon as I find out I'll post back unless someone beats me to it.

0 Kudos
Reply
Pber
Advisor

‎04-25-2012 07:29 AM

‎04-25-2012 07:29 AM

Re: vca and use certificate to connect to vcrm

I am having the same issue as Deas.h.  I tried your solution by adding the IP under the Alternate Names box.  No joy.  I tried several servers with various info in the Alternate Names box as well as tried different certificates and no luck.

0 Kudos
Reply
jim goodman
Trusted Contributor

‎04-25-2012 07:45 AM

‎04-25-2012 07:45 AM

Re: vca and use certificate to connect to vcrm

I didn't figure it would be that simple, I cleared my out and SSO is still working. I have the question into engineering so we'll see what I can ascetain - whenever I can replicate an item like this internally usually they like to look at it otherwise the only avenue is a support case.

0 Kudos
Reply
jim goodman
Trusted Contributor

‎05-15-2012 01:09 PM

‎05-15-2012 01:09 PM

Re: vca and use certificate to connect to vcrm

I did hear back - Basically it is kinda backwards from what I think it should be

 

The SSO is a SMH hosting the VCA to SMH hosting the VCRM

 

The SMH hosting the VCRM needs to have the SMH Certificate of the SMH hosting the VCA

 

So for every VCA you want to have SSO to VCRM, you have to add the certificate of the SMH hosting the VCA

 

It is a manual process so if you have 3000 VCA's you want to have SSO with the VCRM you will need to install each certificate for each SMH hosting VCA one at a time.

 

I suggested they flip the order so there was only 1 certificate to push out via HPSIM or if not using SIM can be installed pre-configured into the VCA. 

 

Not sure if there will be much of a demand for it. What do you all think, is SSO for VCA to VCRM something you'd think important to have? I am not really sure I see the benefit of it beyond a simple convenience, but then again I don't have to deal with it everyday like you fine folks.

 

 

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.