
Forbidden to access SMH on Citrix XenServer

 
SOLVED
Ulli Kassner
Occasional Advisor

Hi all,

 

I just installed a new XenServer 6.0.2 onto a DL380 G6 and added the "HP SNMP Agents for Citrix XenServer 9.0" supplemental pack. It all installed without errors but I am not able to access the system management homepage (SMH) using https://servername:2381

 

I get the well-known certification warning that normally is not a problem, but after that it says: "Forbidden. You don't have permission to access / on this server."

 

The logfile /var/spool/opt/hp/hpsmh/logs/error_log says "(13)Permission denied: access to / denied", but I can't see anything in the configuration of SMH that would explain this behavior:

 

 

smhconfig -V
-------------------------------------
-------HP SMH Current Settings-------
-------------------------------------
anonymous-access = false
box-item-order = status
box-order = status
config-level = Informational
custom-ui = false
disable-sslv2 = true
ssl-cipher-suite = ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:SSLV2?:+EXP:-LOW:+eNULL
httpd-error-log = false
iconview = false
ip-binding = false
ip-restricted-logins = false
localaccess-enabled = false
localaccess-type = Anonymous
log-level = error
autostart = false
timeoutsmh = 30
port2301 = false
allow-default-os-admin = true
reject-prog-admin-login = true
rotate-logs = 0
rotate-logs-size = 5
session-maximum = 128
session-timeout = 15
trustmode = TrustByCert
ui-timeout = 120

 

Allowing "anonymous-access" or disabling iptables also did not help. The accessing client is in the same subnet as the XenServer.

 

Does anybody have a hint for me?

 

Thank you very much!

  ulli.

3 REPLIES
Ulli Kassner
Occasional Advisor
Solution

WORKAROUND FOUND: Forbidden to access SMH on Citrix XenServer

The HP support helped me find a workaround: XenServer version 6.0.2 sets a different permission to /. Instead of 755 (drwxr-xr-x) as it was in 6.0 it is 700 (drwx------) in 6.0.2 and with this setting the apache that serves the SMH is somehow not allowed to access the needed files anymore.

 

Execute the following command to determine the permissions of your root dir:

ls -ld /

 

If it shows

drwx------ 24 root root 4096 Feb  5 16:41 /

executing the following command will set permissions so the apache will be able to access the SMH files again and serve them to your web browser:

 

chmod 755 /

 

Yet I am wondering if it is wise to expand everyone's rights on / and that Citrix will surely have had a good reason to set the permission this way. Also I cannot comprehend why the apache would need access to / when all of the served data resides somewhere down the path of /opt/hp/hpsmh. Can it be that the apache config of the HP Agents is not as secure and tested as one may want to believe? The problem with the apache is that the system administrator is not allowed to edit the apache config for it is overwritten by the settings made with smhconfig every time you restart the hpsmhd. Too bad :-(

 

If anybody has an opinion about this, please share it...

 

Thank you and have a pleasant weekend!

  ulli.
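The check from the post above, extended to the whole path, as an added example that is not part of the original thread or of any HP or Citrix tooling: resolving any file under /opt/hp/hpsmh requires the search (x) bit on every directory from / downward, so a 700 root directory stops a web server process that is not running as root (an assumption about the SMH httpd). The function name is hypothetical, GNU stat is assumed, and only the x bit for "other" is checked because read permission on a directory is not needed to pass through it.

```shell
#!/bin/sh
# blocked_dirs TARGET
# Prints, top-down, every directory on the way to TARGET that lacks the
# search (x) bit for "other", one "<dir> <octal mode>" pair per line.
# Assumptions: GNU stat (stat -c), no ACLs, symlinks are not resolved.
blocked_dirs() {
    target=$1
    case $target in
        /*) ;;
        *) echo "blocked_dirs: need an absolute path" >&2; return 2 ;;
    esac
    # Begin at TARGET if it is a directory, otherwise at its parent.
    if [ -d "$target" ]; then dir=$target; else dir=$(dirname "$target"); fi
    out=
    while :; do
        mode=$(stat -c '%a' "$dir") || return 2
        other=${mode#"${mode%?}"}        # last octal digit = "other" bits
        if [ $((other & 1)) -eq 0 ]; then
            # Prepend, so that the topmost blocking directory is listed first.
            out="$dir $mode
$out"
        fi
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    printf '%s' "$out"
}

# Stand-alone use, e.g.:  sh blocked_dirs.sh /opt/hp/hpsmh
if [ $# -gt 0 ]; then
    blocked_dirs "$1"
fi
```

Empty output means every directory on the path is traversable by "other"; on the system described in the post, the first line printed would be the root directory with mode 700.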

jan_Herman
New Member

Re: WORKAROUND FOUND: Forbidden to access SMH on Citrix XenServer

Hi,

 

thanks a lot for the post. It helped me from frustration :)

We have some XenServers installed with the 1st version of XenServer 6.02 (before it was upgraded with hotfixes) and there the permissions are correct - 755.

 

But on the new updated 6.02 version we face the same issue ...

 

I will check with Citrix if they have some conclusion.

 

Regards,

Jan

SvenAndersen
Occasional Advisor

Re: WORKAROUND FOUND: Forbidden to access SMH on Citrix XenServer

Hi...

 

we are currently having the same issue, PLUS we cannot even get SNMP working on the XenServer machine.

We are unable to discover using SNMP, despite the agent being installed, FW ports opened locally on the XenServer.

We have the root access for SSH, so we can discover basic info.....however we are unable to test traps from it, or load the SMH.

 

Can you either: help with the configuration of the agent, OR tell me the benefit of using the HP SIM Agent on the XenServer, as we already have the blade enclosure fully discovered.... will the events from the enclosure be detailed enough to alert of any significant HW failure on the XenServer blade?

 

thanks

 

Sven.