HPE Community
Server Management - Systems Insight Manager
1834736 Members
2757 Online
110070 Solutions
New Discussion

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

 
Trond Haugmo
Occasional Advisor

‎04-08-2005 12:06 AM

‎04-08-2005 12:06 AM

HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

After reading several other posts here on the forum, I realize that I'm not the only one getting into trouble when trying to implement HP SIM 4.2 on Windows Server 2003 in an AD environment.

I strongly encourage HP to change how HP SIM and OpenSSH works so that it is possible to use domain accounts. In any large enterprise it is quite normal to rename the local Administrator account, set a complex password on it and then kind of forget that the account exists. All administration and system implementations will in stead rely on domain accounts that also have local administrator privileges on servers and clients in a Windows environment.

With this in mind it seems a bit ignorant to create a solution that solely relies on using the local Administrator account on all managed systems. This has to change quickly.

And then a question at the end: Does all the tools in HP SIM 4.2 (like Initial Deployment of PSP, Install OpenSSH, Install SW and FW, Configure or Repair Agents, Replicate Agent Settings) rely on a properly configured and working OpenSSH server running on the CMS, or does some of these utilities use standard OS functions that are able to use domain accounts in stead?
0 Kudos
Reply
6 REPLIES 6
Mike Strako
Trusted Contributor

‎04-11-2005 03:32 AM

‎04-11-2005 03:32 AM

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

You might want to try this.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_ES050126_CW01

Good luck.
0 Kudos
Reply
David Claypool
Honored Contributor

‎04-11-2005 03:38 AM

‎04-11-2005 03:38 AM

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

Trond: This was published last Friday. Hope it helps.

"Configuring Security Policies To Run OpenSSH In Microsoft Windows Server 2003 For Use With ProLiant Essentials Vulnerability And Patch Management Pack"

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_ES041215_CW01
0 Kudos
Reply
Derek_31
Valued Contributor

‎04-13-2005 03:39 PM

‎04-13-2005 03:39 PM

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

Hear hear! We do the same thing as you for local administrator accounts. Rename, creat long complex password, and put into shredder.

I hear HP is going to remove the OpenSSH dependence in future SIMs for Windows only environments. About time!
0 Kudos
Reply
Stefan Laemmer
Valued Contributor

‎04-14-2005 01:13 AM

‎04-14-2005 01:13 AM

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

Same here.. And using a 3rd party protocol, that is a pain (to say it nicely) to configure trust between machines that already have trust relationship established through other methods doesnt make sense (and they all run behind our company firewall). I had to go through SSH to eval VPM..
I read on another thread, that HP is going to release SP2 for HP SIM 4.2 soon.. Any date on this one ?
0 Kudos
Reply
Trond Haugmo
Occasional Advisor

‎04-15-2005 01:19 AM

‎04-15-2005 01:19 AM

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

I've used the last couple of days testing how to set up a working environment using OpenSSH and HP SIM, using a domain account and I think I've found what's required. The documents that Mike and David referred to only contains parts of the solution. To get things working I did the following:

1) During installation of HP SIM, you can only specify a local service account for the OpenSSH Server service (not allowed to continue if you try to specify a domain account), so I just used the renamed local Administrator account temporarily (I change that later in the process).

2) After the entire HP SIM installation is completed, I changed the service account for OpenSSH Service to the domain account which I also used for the HP SIM service it self (\). This account is member of the local Administrators group on the HP SIM (CMS) server.

3) In Local Security Policy on the CMS server, I gave the specified domain account the following OS rights:
- Create a token object
- Replace a process
It already has "Log on as a service" rights and some other rights due to it's membership to the local Administrators group.

4) Changed security rights on C:\Program Files\OpenSSH\var\log\OpenSSHd.log, so that the new service account has full control rights to the file (must first take ownership of the file).

5) At this point I restarted the CMS server.

6) When the restart where completed, I logged on with the domain account that where set up as the service account for both HP SIM and OpenSSH Server services (the same account which I was logged on with during the installation since HP SIM automatically sets up the service to run in the context of the logged in account).

7) Next, I searched for all files in C:\Program Files\HP\Systems Insight Manager\tools that contain >administrator< and replace that with >srvHPSIM< (this is the name of my mentioned service account). I also changed all occurences of revision="2.0" to revision="2.1" to ease the process of uploading the tools to the database in the next step.

8) After having updated all tool .xml files, I ran the following command for each .xml file:
mxtool -m -f .xml
In one of the .xml files there where no revision="2.0" definition, so to successfully upload the changed tool definitoins from that file (repair-msa-tools.xml) I had to run the command with an additional command swich: -x force

9) Now, I stopped both the HP SIM and OpenSSH server services.

10) Then I deleted the following files/directories:
- C:\Documents and Settings\srvHPSIM\.ssh
- C:\Program Files\HP\Systems Insight Manager\config\sshtools\known_hosts file
- C:\Program Files\HP\Systems Insight Manager\config\sshtools\ if it exists
- C:\Program Files\OpenSSH\etc\passwd file

11) Next, I ran the following command:
"C:\Program Files\OpenSSH\bin\mkpasswd" -d -u srvHPSIM >> "C:\Program Files\OpenSSH\etc\passwd"

12) Then I started up the two services again (HP SIM and OpenSSH Server).

13) Next I ran the "MxAgentConfig" utility (without command line parameters) which loads the GUI for the tool.

14) In the MxAgentConfig dialog box I specified the FQDN name of my local CMS server in the "Hostname" field, the name of my service account (srvHPSIM without domain name) in the "Username" field, and the password for the service account in the "Password" field and then pressed "Connect".
The connect process takes a minute or so, but in the end I get a "Connection to established successfully after a while. At this point the "C:\Program Files\HP\Systems Insight Manager\config\sshtools\known_hosts" file is recreated and populated.

After having completed these steps, I'm able to run the tools like "Install Software and Firmware", "Initial ProLiant SupportPack Install", "Configure and Repair Agents" and "Replicate Agent Settings" successfully. I assume all the other tools also work in stead of giving me the annoying "EXCEPTION: Authentication failed" failure messages when running these tools.

I hope this can be of use for other people that hit the same problems as I did. With these procedures it is possible to set up HP SIM and OpenSSH to use a domain account.
0 Kudos
Reply
Derek_31
Valued Contributor

‎04-15-2005 01:57 AM

‎04-15-2005 01:57 AM

Re: HP SIM 4.2 on W2K3 - OpenSSH & using domain accounts

Wow I certainly thank you for taking the time to document all of those processes. I think it is ridiculous for HP to make the setup so complicated. They should be ashamed of themselves for making it so complicated. Our IT lives are already complicated enough without going through gyrations to get remote management working on Windows computers.

They really need to think about making life EASY and secure for us...not complicated.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.