"Configure or Repair Agents" fails with OpenSSL error

When trying to run the "Configure or Repair Agents" tool on any node I get the following message:

EXCEPTION CLASS: com.hp.mx.dtf.sshClient.MxSshFailedConnectionException
EXCEPTION: Unable to contact the SSH server on node "".

OpenSSL was installed on the SIM 4.2 server (Windows 2003). Just for run I removed it, downloaded it and reinstalled.

This same error persists.

My understanding is that OpenSSL is only required on the SIM server (and it is).

Any insight into debugging this OpenSSL issue?

Thanks!

12 REPLIES 12

I think you mean OpenSSH. Check out the whitepaper "Secure Shell (SSH) in HP Systems Insight Manager (pdf)" at http://www.hp.com/go/hpsim --> Information Library for troubleshooting information.

Do you disable or rename the Administrator OS account on the SIM server? If so, you need to edit the Repair Agent tool definition file to use the different local OS administrative account. the file name is in .\program files\hp\sys...\tools called repair-msa-tools.xml. Change the 'execute as' from Administrator to the other account.

Hope that helps.

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Thanks but nothing is working.

This OpenSSL stuff is greek to me but I went through all of the troublshooting sections of the appendix and nothing helped.

I don't think it ever was an account/permissions issue.

The error is "unable to connect" and not "unable to authenticate"

I really don't want to reinstall SIM from scratch as we have so much customization

You don't have to uninstall HPSIM - its the VERY rare case that is necessary.

Question: Are you logging into the system as "Administrator" or are you logging into HPSIM as a different account? This matters.

Also, is the Administrator account even there on that system - again, this matters.

The way SSH stuff works is that it is using a SPECIFIC user account to run in context. By default, we put Administrator in the tool file. If Administrator isn't there or if you installed SIM while logged into the OS under a different user account, you have to do some 'remediation' to make this work (even on the SIM server itself). It's easy to fix, just trying to figure out which scenario you are in.... :)

Thanks!

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

I forget the name of the file the whitepaper talked about, but I reviewied it and the account that was used to install SIM (a service account we made) was listed. I even ran the commands to recreate this file and verified that it was there.

Yes, I did enable the local Administrator account. Had to do this for the Version Control Repository to work (which we weren't thrilled about having to do -- normally the local Administrator account is renamed every month to a cryptic string on all our servers).

Now I did not log into SIM as "Adminsitrator" but this account does not exist in SIM. We use domain accounts in SIM exclusively for security reasons.

Okay, cool! FYI. For VCRM to work, you don't need the Administrator account to work by the way. Create a "VCAdmin" account or something in the local account on that box. Use HPSIM to do a Replicate Agent Settings task (to change all the VCA's to use that account/pwd instead). Starting with the 2.0.7 release of the VCA, that field is free-form so that you can change it and not be tied to the "Admin/Operator/User" accounts in the past. With the VCA bundled as part of the 7.20 PSP, they will only be using an OS account for access.

OpenSSH: the service is running, eh? :) I assume you have cycled the OpenSSH service just in case. Was there anything in the NT Event Log? Let me see if we can dup this.

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Recycled? Schute, I reinstalled :)

I also went through the process described in the Appendix of the whitepaper to change the service account from Local System to ADministrator and manually gave the rights.

This seemed to have no impact as well.

Okay, thanks. Which OS - Win2k3? I assume you have a domain policy applied to, eh? I wonder if something is in conflict here. Is there a firewall or anything on that box that would block traffic?

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

No on both. It is in domain but there are no GPO's restricting traffic. No firewall. Yes W2K3.

I'm bamboozled. A failed to authenticate error I could halfway understand. But a "failed to connect" from the same CMS host?

Yea, definitely weird - haven't seen that before.

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

I also have ISEEE (Self healing Services gateway) installed on this server.

Just noticed that ISEEE gateway is no longer working.

Could there be some kind of conflict between ISEEE Gateway and OpenSSH?

I don't recall seeing anything in the release notes. I am assuming it is supported to run ISEEE gateway and SIM/OpenSSH on the same box?

Interesting; what happens if ISEE is not running, will OpenSSH run and work? Please open a support case so that this can be worked. Thanks, and Merry Christmas!

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]