
Re: SIM 4.2 distributes wrong cert

 
Kevin Kelling
Super Advisor

SIM 4.2 distributes wrong cert

Where is the cert located that SIM pushes when you run the Configure or Repair Agents tool?

If I use this tool OR if I request the certificate from the server (from the system home page) I get a certificate with a serial number of "0" which does not give me a trust.

However, if I request the certificate from the system home page but enter a DNS alias for the SIM server (which resolves to the same IP address) I get a certificate with a valid serial number which results in a trust with the SIM Server.

So basically I have three scenarios by which to push a certificate to managed nodes:

1) Configure/Repair Agents Tool
2) Request using FQDN
3) Request using DNS alias

1 and 2 return a bad certificate. Only #3 returns a good certificate -- even though the DNS alias and FQDN use the same IP address (there is no clustering or load balancing in play -- the SIM server only has one IP address and ALL names resolve to this one IP address).

What's the best way to get SIM 4.2 (Windows 2003) to the point where I can have SIM distribute a certificate that will result in a trust with the SIM Server?

Thanks!
Kevin Kelling
Super Advisor

Re: SIM 4.2 distributes wrong cert

Just for fun I tried the following:

1) Generated a new server certificate
2) Rebooted SIM server
3) Ran Configure/Repair Agents Tool on sample group (4 servers)

The tool reports that the certificate deployment was successful.

All target servers still have no trust and a certificate with a serial number of 0 (0x0)
Kevin Kelling
Super Advisor

Re: SIM 4.2 distributes wrong cert

I'm aware that it is possible to distribute certs with a PSP but the problem is that the cert has changed and I now need to redistribute.

Yes I can run the PSP again on 300 servers, OR I could distribute them in one easy task with SIM :^)

Problem is that SIM keeps distributing bogus certs...even if I create a new server cert in SIM!!

If you create a new server cert in SIM, should not SIM be distributing this cert automatically? This is what I can infer from the security whitepaper.
Mike Strako
Trusted Contributor

Re: SIM 4.2 distributes wrong cert

You can distribute the files faster with the following script, but you must modify it for your environment:

REM
REM
REM Run this script from the target server (login script, group policy, remote-exec, etc)
REM
REM To use this, modify \\source\share and snmp.reg
REM Put the agent config files on the UNC
REM To get snmp.reg, export HKLM:System\CurrentControlSet\System\SNMP\Parameters
REM


REM --------------------------- HP Agents -----------------------------

del c:\compaq\wbem\certs\*.* /q
REM Remove previous trusts

REM xcopy \\source\share\compaq\wbem\CPQHMMD.ACL c:\compaq\wbem\ /y
REM xcopy \\source\share\compaq\wbem\CPQHMMD.CFG c:\compaq\wbem\ /y
REM xcopy \\source\share\compaq\wbem\homepage\CPQHMMD.INI c:\compaq\wbem\homepage\ /y
xcopy \\crownew\temp\CPQHMMDX.INI c:\compaq\wbem\homepage\ /y
REM xcopy \\source\share\compaq\wbem\certs\*.* c:\compaq\wbem\certs\ /y
REM duplicates agent configuration


REM -------------------------- Windows SNMP ----------------------------

regedit -S \\crownew\temp\snmp.reg


REM ------------ Restart SNMP and Agents so changes take effect --------

net stop "snmp service" /y && net start "snmp service" /y
net start "HP Insight Web Agent"
net start "HP Insight Foundation Agent"
net start "HP Insight Storage Agents"
net start "HP Insight Server Agents"
net start "HP Insight NIC Agent"

Let me know how it works.

Best regards,

Mike.
Kevin Kelling
Super Advisor

Re: SIM 4.2 distributes wrong cert

Thanks but I opened a case with HP and we were able to get it resolved.

There was a previous installation of a previous version of SIM on a different drive letter.

I uninstalled SIM and re-installed, but some registry keys were not cleaned up.

Thus SIM was creating the certs on the E drive, but was attempting to distribute certs from the D drive (where a previous version of either IM7 or SIM had been installed).

Once we understood the problem we were able to fix by simply copying the certs from the E drive to the D drive.
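
The thread's symptom (deployment reported as successful while nodes hold a serial 0 certificate) can be checked by comparing what landed on a node with a reference copy of the SIM server certificate. The following is an added example, not part of the original posts or any HP tooling; it assumes the certificate files (for instance those under c:\compaq\wbem\certs) are PEM or DER X.509, and the function names and sample bytes are constructed for illustration.

```python
import base64, hashlib, pathlib, re, tempfile

SAMPLE_GOOD = bytes.fromhex("300b3009a00302010202024a1f")  # constructed stand-in, serial 0x4a1f
SAMPLE_ZERO = bytes.fromhex("300a3008a003020102020100")    # constructed stand-in, serial 0

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def to_der(data):  # accept PEM or DER bytes, return DER
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def cert_serial(der):  # serialNumber INTEGER of an X.509 certificate given as DER
    pos = 0
    for _level in range(2):  # Certificate SEQUENCE, then tbsCertificate SEQUENCE
        tag, pos, _end = _tlv(der, pos)
        if tag != 0x30:
            raise ValueError("not an X.509 certificate")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:  # optional explicit version field sits before the serial
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def audit(deployed_dir, reference):
    """Compare each file in deployed_dir with the reference certificate bytes."""
    ref, report = hashlib.sha256(to_der(reference)).hexdigest(), {}
    for path in sorted(p for p in pathlib.Path(deployed_dir).iterdir() if p.is_file()):
        try:
            der = to_der(path.read_bytes())
            serial = cert_serial(der)
        except (ValueError, IndexError):
            report[path.name] = "unparseable"
            continue
        same = hashlib.sha256(der).hexdigest() == ref
        report[path.name] = "matches reference" if same else f"MISMATCH, serial {serial:#x}"
    return report

if __name__ == "__main__":  # demo on a constructed file
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "stale.pem").write_bytes(SAMPLE_ZERO)
        print(audit(d, SAMPLE_GOOD))
```

Running the same audit against the directory SIM distributes from, with the newly generated certificate as the reference, would surface the stale-copy condition described in the final post.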