Server Management - Systems Insight Manager

Single Sign on doesn't work after System Management Homepage update

 
consolero
Advisor

Single Sign on doesn't work after System Management Homepage update

Hi all

 

We use our HP SIM with a certificate from our CA and distribute this certificate to all of our servers, which are running a SMH.

The SMH trusts by certificate and the SIM server is known as the trusted management server with this certificate. With the SMH versions 6.3.1.24 and 7.0.0.24 it was possible to use the SSO from SIM to access the SMH. After updating to the newest version 7.1.1.1 it is no longer possible to use the SSO and I found these errors in the SMH log:

 

CRITICAL

Trusted certificate used for SSO is either revoked or SMH failed to verifiy it against CRL

 

MAJOR

 Certificate verification message: uanble_to_get_local_issuer_certificate

 

WARNING

Secure Task Execution User:auto_generated was DENIED acces to System Management Homepage to invoke target URL=/Proxy/STE

 

Does anyone know this problem?

 

Thanks a lot

nik

 

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Hi nik,

 

I know this problem - but not the solution, sorry.

 

I have tried so far to create a new certificate for SIM and even renewed the CA certificate to get rid of a URL with file://... for the CRL.

As far as I can remember HP changed OpenSSL to a newer version with this release of SMH.

 

jens

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

hello nik.

 

the next thing I tried was to look closer at the new SIM 7.1. There is an option how the agents should check for revoked certificates (e.g. is the CA available for the agents or has the SIM a copy of the CRL).

I installed a complete new SIM 7.1 and a new server with the current agents but had no luck at all to get this working.

 

So my conclusion for the moment is once more: HP broke it, HP should fix it.

 

Jens

consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

hello jens

 

Thanks for your information.

I also upgraded to SIM 7.1 and tried to configure the Certificate Revocation Check but the problem is still the same.

 

I agree with you about HP....

 

nik

referencepoint
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

I've just come across this issue too, after upgrading to SIM 7.1 and updating my servers with SMH 7.1.1.1.

 

Hugely annoying to not have SSO working for any system now - this needs fixing ASAP HP!

Bart_Heungens
Honored Contributor

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

Just to inform you all that I have no such problems... Have 2 independent SIM environments running with the latest SMH and SIM 7.1 and do not have the SSO problem...

 

 

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, click on my KUDOS! "White Star" !
Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Hi Bart,

 

are you using a CA in these environments and what kind of CA? Are you copying the CRLs to the SIM servers?

 

Jens

Bart_Heungens
Honored Contributor

Re: Single Sign on doesn't work after System Management Homepage update

Hi Jens,

 

No I am not using a separate CA...

 

 

Kr,

Bart

consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

I fixed the problem with the CRL by signing a new SIM Certificate (2048) with my CA.

But the next problem is already here:

The SIM server uses a self-signed certificate (1024) for the SSO and not my new cert from the CA.

 

Is this a new thing with SIM 7 or why does it take this one?

 

nik

 

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Hi,

 

Did you change the SIM certificate or the SMH certificate of the SIM server?

 

SIM certificates must be changed in SIM (Options / Security / HP Systems Insight Manager Server Certificate) using the button "Import" where you can create a new request and import it later.

 

After import the SIM has to be rebooted.

 

I also tried to generate a new CA signed certificate for the SIM (and even setting up a complete new SIM) but had no luck...

 

Jens

consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Hi

 

I changed the SIM certificate as you described it. And I also imported the new SIM certificate as trusted management server in the SMH.

 

nik

ICS
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

There appears to be a compatibility issue as I am having the same issue with hpsmhd 7.1.0.17 and SIM 6.3. I raised the issue with HP. The workaround appears to be deleting the certificate and pulling it from the CMS.
consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Good morning

 

What do you mean by deleting the certificate and pulling it from the CMS?

Deleting the Trusted certificate on the SMH? Pulling by Agent repair?

 

thx

 

nik

IT_SCAC
Occasional Advisor

Re: Single Sign on doesn't work after System Management Homepage update

I have the same problem. After upgrading to SIM 7.1 and SMH v7.1.1.1 I can't log in via SSO.

SIM has a certificate issued by an enterprise CA. It includes the correct CRL URL path.
With SMH v6.3.1.24 everything worked perfectly.

What other options are needed to get SSO to work?

ICS
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update

I deleted the certificate from the SMH under security...then used the get server option to pull the trusted mgmt server cert. I was immediately able to SSO from SIM
consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Hi IT_SCAC

 

How long is the key length of your SIM certificate?

 

Have you tried to reimport the SIM certificate to the trusted server on the smh?

 

greez

 

IT_SCAC
Occasional Advisor

Re: Single Sign on doesn't work after System Management Homepage update

1024
Yes, I tried to reimport via quick repair.
IT_SCAC
Occasional Advisor

Re: Single Sign on doesn't work after System Management Homepage update

I just created a new certificate with 2048 bits and SSO worked!!!
consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

hello

 

This works for me too, but when I look at the details of the trusted certificate on the SMH I see that it takes a self-signed certificate:

 

 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: xxxxxxxxxx (xxxxxxxxxx) (For your security, I have removed the serial number from your post above - that's information you probably don't want to make publicly available - HP Forums Moderator)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Palo Alto, O=Hewlett-Packard Company, OU=Hewlett-Packard Network Management Software, CN=srvname.com
        Validity
            Not Before: Jun  5 11:47:11 2012 GMT
            Not After : Jun  6 11:47:11 2022 GMT
        Subject: C=US, ST=California, L=Palo Alto, O=Hewlett-Packard Company, OU=Hewlett-Packard Network Management Software, CN=srvname.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

 

 

Do you have the same effect or does it take your CA-signed SIM certificate?

 

thx

 

nik
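
The checks this thread keeps returning to (key size, whether the trusted certificate is self-signed, where its CRL lives, and whether it chains to the CA the SMH host has) can be run offline with the openssl CLI. This is an added example, not part of any post here and not HP tooling; the function names, file names, subjects and CRL URL are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: offline checks for a certificate used as an SSO trust anchor.
# File names, subjects and the CRL URL are constructed samples.

cert_key_bits() {       # prints the public key size, e.g. 1024 or 2048
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

cert_is_self_issued() { # true when Subject equals Issuer (name comparison only)
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

cert_crl_urls() {       # prints CRL distribution point URIs, one per line
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
    sed -n 's/.*URI:\(.*\)/\1/p'
}

verify_result() {       # $1 = CA bundle, $2 = certificate; prints OK or the reason
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error [0-9]* at .*: //p' | head -n 1
  return 1
}

make_sample_chain() {   # $1 = directory; builds ca.pem, other.pem, leaf.pem
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sample CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sim.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'crlDistributionPoints=URI:http://crl.example.test/ca.crl\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_chain "$tmp"
echo "key bits:    $(cert_key_bits "$tmp/leaf.pem")"
cert_is_self_issued "$tmp/leaf.pem" && echo "self-issued: yes" || echo "self-issued: no"
echo "CRL URLs:    $(cert_crl_urls "$tmp/leaf.pem")"
echo "issuing CA:  $(verify_result "$tmp/ca.pem" "$tmp/leaf.pem")"
echo "wrong CA:    $(verify_result "$tmp/other.pem" "$tmp/leaf.pem")"
rm -rf "$tmp"
```

The last line gives the same reason as the MAJOR log entry in the first post: the verifier was handed a CA bundle that does not contain the certificate's issuer.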

Jens Ey
Frequent Advisor

Re: Single Sign on doesn't work after System Management Homepage update


@ICS wrote:
I deleted the certificate from the SMH under security...then used the get server option to pull the trusted mgmt server cert. I was immediately able to SSO from SIM

 Hi,

 

Deleting the SIM certificate in the SMH of the other servers and reimporting them from the SIM didn't work for me. It seems that SSO is working because you are already logged in but if you sign out and restart your web browser SSO is not working. At least not for me.

 

Jens

smroczek
Occasional Advisor

Re: Single Sign on doesn't work after System Management Homepage update

I guess that the problem was already investigated and worked around.

 

for windows: rename C:\hp\hpsmh\conf\smhCertDate.txt to smhCertDate.txt.OLD

for unix/linux/vmware: rename /opt/hp/hpsmh/conf/smhCertDate.txt to smhCertDate.txt.OLD

 

Then restart SMH service.

 

 

Let me know if that helped.

IT_SCAC
Occasional Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Problem is back after I restarted SMH. SSO is broken again.
Renaming smhCertDate.txt does not help.
smroczek
Occasional Advisor

Re: Single Sign on doesn't work after System Management Homepage update

Did you try to run Configure or Repair Agents and set the trust relationship again?

consolero
Advisor

Re: Single Sign on doesn't work after System Management Homepage update

When I restart the SMH it creates exactly the same smhCertDate.txt again...

SwisspostIT
Valued Contributor

Re: Single Sign on doesn't work after System Management Homepage update

Did anyone solve this issue (without using a CA)?

I just tried the following: deleted the certificate in "Trusted Management servers" and pulled it from the HP SIM Server (pull was successful).

But even after that I'm still not able to use SSO from HP SIM to log in to the system...