Access Problems SMH Documentation Unclear on Treatment of securetty Solution: The HP System Management Homepage
(HP SMH) does not use /etc/securetty. Refer to
the login(1)for details on /etc/securetty. After entering a hostname
on Linux, HP SMH does not start. Solution: Hostnames that
are 64 characters or longer in length are not supported on Linux. The
breadcrumb links presented in the HP SMH top frame only display the
current location within the HP SMH menu structure up to the plugin
name, but not including the names of internal plugin pages. Solution: Use the buttons and links provided inside the
plug-in pages to cancel an operation or move to a different plug-in
page.
Browser Problems When I log into HP SMH
and then close the browser, the HP SMH session is not killed. If I
go back and open Internet Explorer, after closing it, I can log into HP SMH
without credentials. How can I fix this problem? Solution: There are two
possible solutions in order to be sure the HP SMH shortcut will ask
for credentials. Solution #1 Select Tools Internet Options
Choose the Advanced tab. Under Settings Browsing, uncheck Reuse windows for launching shortcuts (when tabbed
browsing is off). Click [OK].
Solution #2 Select Tools Internet Options
Under the General tab, look
for Tabs: Change how webpages
are displayed in tabs. Click [Settings]. Under Open links from other programs in:, select the third option The current tab or window. Click [OK] in the Tabbed
Browsing Settings pop-up window. Click [OK] to close Internet
Options.
When I use Internet
Explorer 6.0 in Windows, why do I see warnings in the Security
Alert dialog box when I log in to the HP System Management Homepage (HP SMH)? Solution: There are two
possible warnings that might be seen including: Warning #1:
The name on the security certificate is invalid or does not match
the name of the site. This warning occurs when you browse to HP SMH using an IP address.
This warning also occurs if you browse locally using localhost for
the machine name. Warning #2:
The security certificate was issued by a company you have not chosen
to trust. View the cert to determine whether you want to trust the
CA. The certificate is issued by HP SMH. You can add the certificate to your Trusted Certificate List and the warning goes away.
Opening a second Mozilla
browser can appear as an unauthorized login into HP SMH. Solution: Mozilla browsers
share sessions when launched separately. I get security messages
or partially displayed pages when browsing into HP SMH from Internet
Explorer running on Windows 2003. Solution: Internet Explorer
6.0 on Windows 2003 Server has different security settings in the
default install. To prevent the problem, add each managed system into
the local intranet zone twice, once as: http://hostname:2301 and once more as: https://hostname:2381. The
alternatives to this solution are to decrease the level of security
settings in the browser (not recommended) or alter the browser security
settings to allow cookies (both stored and per-session) and allow
active scripting. My browser page does
not display all of the contents. What is wrong? Solution: Frame sizes
are optimized for medium fonts. If you switch your browser to use
larger or smaller fonts, then manually adjust the frame layout using
the mouse. Why does the browser
prompt to accept cookies when accessing a system? Solution: Browser cookies
are required to keep track of user state and security. Cookies must
be enabled in the browser and prompting for acceptance of cookies
should be disabled. I can log in to HP-UX
with http://hostname:2301/, but not https://hostname:2381/. Solution: By default,
HP-UX is installed with the autostart feature enabled.
A daemon listens on port 2301 and only starts HP SMH on port 2381 when
requested, then stops it again after a timeout period. See the smhstartconfig(1M) command for more information. When I browse to https://ipaddress:2381 on
a local machine or a remote machine running Windows 2003, I don't
see the Login screen. Solution: Internet Explorer
6.0 on Windows 2003 sometimes causes only the Account Login text in a blue bar to appear instead of the entire Login page. This issue occurs when browsing on a local system or a remote
system and can be resolved as follows: HP System Management Homepage cannot show this page until you have enabled the javascript support and added this site to the Trusted sites list. When
using HP SMH (until version 2.1.5), the [Back] button in the browser window may not behave as expected. After pressing
the [Back] button, the current page will be refreshed
instead of the previous page being displayed.
Solution: The use of the browser's [Back] button is not the supported method of navigating within HP SMH. You
can navigate within HP SMH using the breadcrumb links and the navigation
buttons and links presented inside the HP SMH pages.
Clustering Problems I cannot browse to the HP SMH
on my cluster IP address after a cluster fail over has occurred. Solution: Install HP SMH
2.1.4 or later (which is available in SmartStart 7.5 or later) and
modify the XML file to accommodate the cluster. HP recommends the following actions: As a precautionary measure, copy the existing smhpd.xml
file into a different directory. Manually add the tag: Open the smhpd.xml in the \hp\hpsmh\conf directory on
the boot drive with a text editor. Add the following line between the <system-management-homepage>
and </system-management-homepage> tags: <monitor-ip-changes>1</monitor-ip-changes> Save the file.
Repeat these steps on any system that could be a target
of a cluster failover. Restart the HP SMH service on both systems.
Installation Problems After running setup.exe /r on a Windows system to import certificates,
the installation fails. Solution: Do not use setup.exe /r to import or copy certificates. Instead, use
the Configure or Repair Agents tool in HP Systems Insight Manager. When installing HP SMH,
I receive the following error: another instance is
running. Solution: The HP SMH installation
attempted to install on a system that had files that were previously
corrupted or the installation was aborted. To resolve this issue, navigate to the \temp directory on the HP SMH system and delete the smhlock.tmp file. When installing HP SMH,
I receive the following errors: error: cannot get
exclusive lock on /var/lib/rpm/Packages error: cannot open Packages
index using db3 - Operation not permitted (1) error: cannot open Packages
database in /var/lib/rpm. Solution: This error appears
when more than one instance of the install is initiated on a Linux
system. Only one HP SMH installation can run at a time.
IP Address Problems Is there an easier way
to access the local system with my browser without having to find
out its IP address? Solution: Yes. You can
access the local system at https://hostname:2381 or https://127.0.0.1:2381. For HP-UX, you can access the local system at http://hostname:2301 if you keep the default setting of autostart enabled. When I use the IP Restricted Login feature on Windows 2000 Advanced Server,
entering my server IP address does not have the desired effect. How
can I be sure that the local machine IP addresses are recognized by
this feature? Solution: On Microsoft
Windows NT 4.0 and Windows 2000 Advanced Server, enter 127.0.0.1 in
addition to the actual IP addresses of the server if you intend to
include or exclude the local machine. The address 127.0.0.1 is always
included in the Include section, so it is only
excluded if it is explicitly placed in the Exclude section. Although an IP restriction
is configured, localhost access is not being denied. Why is this happening? Solution: If you do not
include the IP address for the local host in the Include field, the
local host is still granted access because most users do not intend
to block the local host access. If you do need to block localhost access, enter 127.0.0.1 into the Exclude field under IP Restriction. Under IP Restriction, I did not include the system's local IP address or 127.0.0.1 to
the Include list, but I can still browse to it
locally. Solution: As a precaution
against users unintentionally locking themselves out of HP SMH access,
localhost requests are not denied when the local IP addresses are
not mentioned in the Include list. If this is
absolutely necessary, the local system's IP address and 127.0.0.1
can be added to the Exclude list, and this setting
denies access to any user trying to gain access from the local system.
Login Problems After logging onto the Microsoft
Windows operating system on a ProLiant server running HP System Management
Homepage (SMH) Version 2.1.3 (or later), the ROTATELOGS.EXE command
prompt appears on the screen if SMH has been configured to allow interaction
with the desktop. When this occurs, one or two smaller command prompt
windows will appear with messages similar to the following: (drive) :\hp\hpsmh\bin\rotatelogs.exe |
Solution: The command prompt
window messages do not affect the performance or functionality of
the server or of SMH and can be ignored. Any ProLiant server configured with Microsoft Windows 2000 Server
or Microsoft Windows Server 2003 (any edition) and HP System Management
Homepage (SMH) Version 2.1.3 (or later) when SMH is allowed to interact
with the desktop may be affected. To prevent SMH from interacting with the server desktop, perform
the following: Click on Start Programs Administrative Tools Services Click on HP System Management Homepage Properties. Click the Log On tab. Uncheck Allow service to interact with desktop. Click on Apply and then click OK. Restart the HP System Management Homepage service.
I gave a user group defined
by Windows, such as Backup Operators, Administrator, Operator and User privileges through the HP SMH User Groups settings page but users in that group cannot login or do not have
the correct privileges in HP SMH. Solution: HP SMH only recognizes
four of the user groups predefined by Windows which are Administrators, Users, Guests and Power Users. Any other
groups predefined by Windows, such as Backup Operators, are not recognized. When trying to login
to HP SMH on a Windows system using an administrative account defined
in the Backup Operators group, the login fails. Solution: On Windows systems
within the pre-defined user groups, only Administrators, Users, Guests and Power Users are recognized. Any other groups predefined
by Windows, such as Backup Operators, are not
recognized. The work around is to create a new group and use that
for providing access to HP SMH.
I cannot log in to HP SMH on
my server running the Windows operating system. Solution: Verify that a valid Windows operating system account has
been set up and that the login is included in the Administrators group or one of the HP SMH operating system groups. Log in to the operating system. Change the password if
prompted.
I cannot log in to HP SMH
on my Windows XP operating system. Solution: Why doesn't my password
work after I upgrade my Web Managed Products? Solution: HP SMH v2.0 and
greater uses operating system accounts whereas previous versions use
three static accounts (administrator, operator, and user). Any operating system account belonging to the
administrators group (root group in Linux) has administrative access
to HP SMH. With this access, you can assign accounts in other operating
system account groups to different levels of access for HP SMH. The HP SMH
online help describes this process in detail. See Security - User Groups I created new Windows
accounts, using default settings, for use with HP SMH but I cannot
use them to log in. Solution: By default,
new accounts created in Windows operating systems are set to user must change the password at next logon. This option
must be deselected before the account can be used to log in to HP SMH. When I use Internet
Explorer 6.0 in Windows and browse through the management server to
a system that was discovered by IP address, I cannot log in to HP SMH.
If anonymous access is enabled, I get through anonymously but the
user name is incorrect. or When I use Internet Explorer
6.0 in Windows and browse through the management server to a device
that was discovered by the IP address, the detailed certificate information
does not appear in the text box of the Automatic Import
Certificate screen. Solution: These issues
can be resolved two different ways by adjusting the Internet Explorer
settings: Configure the Internet Explorer Privacy settings from Medium to Low. HP does not recommend using this option. To change the settings: In Internet Explorer, click Tools → Internet Options. Click Privacy. Click and drag the slide bar to Low. Click [Apply]. Click [OK]. The changes are saved.
or Add the IP address of the target HP SMH to the Local
Intranet's zone. To change the settings: In Internet Explorer, click Tools → Internet Options. Click Security. Select Local Intranet. Click [Sites] → [Advanced]. In Add this website to the zone,
enter the IP address of the HP SMH system. For example, enter https://ipaddress . Click [Add]. Click [OK]. Click [OK] again. Click [OK]. The changes are saved.
When I browse to my system
using the server name http://my-server-name:2301 with Internet Explorer, I cannot log in using my
valid Windows administrator account username and password. However,
I can log in if I browse to my system using my IP address, http://my-ip-address:2301. Solution: Verify whether
there is an underscore "_" defined in your server 's computer name.
If there is, remove it or use -(dash) instead
of __ (underscore).You should be able to log
in using system name.
Security Problems After updating my Windows
XP system with Service Pack 2, I am unable to access HP Systems Insight Manager or
the HP Version Control Repository Manager. What happened? Solution: The Windows
XP Service Pack 2 implements a software firewall that prevents browsers
from accessing the ports required for HP Systems Insight Manager and Version Control Repository Manager access.
To resolve this issue, you must configure the firewall with exceptions
to allow browsers to access the ports used by HP Systems Insight Manager and Version Control Repository Manager. HP recommends the following actions: Select Start Settings Control Panel. Double-click Windows Firewall to configure the firewall settings. Select Exceptions. Click [Add Port]. You must enter
the product name and the port number. Add the following exceptions to the firewall protection: Click [OK] to save your settings
and close the Add a Port dialog box. Click [OK] to save your settings
and close the Windows Firewall dialog box.
This configuration leaves the default SP2 security enhancements
intact, but will allow traffic over the ports previously indicated.
These ports are required for HP Systems Insight Manager and Version Control Repository Manager to run. Ports
2301 and 2381 are required for the Version Control Repository Manager and ports 280 and 50000
are required by HP Systems Insight Manager. The secure and insecure ports must be
added for each product to enable proper communication with the applications. Why can't I import X.509
certificates directly into HP SMH? Solution: HP SMH generates
Certificate Request in Base64-encoded PKCS #10 format. This certificate
request should be supplied to the CA. Most Certificate Authorities
return Base64-encoded PKCS #7 certificate data that you can import
directly into HP SMH by selecting Settings HP System Management Homepage Security Local Server Certificate.
If the CA returns the certificate data in X.509 format, rename
the X.509 certificate file as cert.pem and place
it into the \hp\sslshare directory.
When HP SMH is restarted, this certificate is used. Why is my PKCS #7 cert
data not accepted? Solution: When using a
Mozilla browser, there can be problems when cutting and pasting cert
request and reply data when using Notepad or other editors. To avoid
these problems always use Mozilla to open any certificate reply files
from your CA. Be sure to use the Select All, Cut, and Paste operations
that are supplied by Mozilla when working with certificates. Why is my private key
file not protected by the file system? Solution: If you are using
Windows operating systems, you must have the system drive in NTFS
format for the private key file to be protected by the file system. Why do I get errors
when I paste my customer-generated certificate PKCS #7 data into the HP Systems Insight Manager
Certificate Data field in Settings HP System Management Homepage Security Trusted Management Servers ? Solution: The customer-generated
certificate PKCS #7 data is not relevant to the date given in the Trusted
Management Servers field. The PKCS #7 data should be imported into the Customer Generated Certificates
Import PKCS #7 Data field under Settings→HP System Management Homepage→Security→Local Server Certificate. The HP Systems Insight Manager Certificate Data field is used to trust HP Systems Insight Manager servers with HP SMH. For more information,
refer to Security - Trusted Management Servers. Why can't I use a Windows
2003 certificate authority to grant my third-party certificate into the HP SMH? Solution: To use a Windows
2003 certificate authority to create a certificate for HP SMH: Create the PKCS #10 data packet by clicking Settings HP System Management Homepage Security Local Server Certificate page. Press the Ctrl+ C keys to copy the data into a buffer. Navigate to http://W2003CA/certsrv where W2003CA is
the name of your Windows 2003 certificate authority system. Select Request a certificate. Select Advanced certificate request. Select Submit a certificate request by using
a base. Press the Ctrl+ V keys to paste the PKCS #10 data into the field.
From your Windows 2003 certificate authority system: Click CA (Local) ⇒ W2003CA/certsrv ⇒ where W2003CA is the name of your Windows 2003 certificate authority system. Issue the pending request certificate.
Navigate to http://W2003CA/certsrv where W2003CA is
the name of your Windows 2003 certificate authority system. Select View the status of a pending certificate
request. Select Base64-encoded and Download certificate (not certificate chain). The file download is certnew.cer. Rename certnew.cer to cert.pem.
What are the security
options when using Bastille? Solution: Bastille is a system hardening program which
enhances the security of an HP-UX host. It configures daemons, system
settings and firewalls to be more secure. It can shut off unneeded
services and tools such as rcp(1) and rlogin(1), and can help to
limit the vulnerability of common internet services such as Web servers
and DNS. One of the facilities that Bastille uses to lock down a system
is IP filtering. Refer to the Partition Manager Online Help for requirements
when using IP filtering with Partition Manager. If Bastille's interactive
user interface is used, be aware of these issues when answering the
questions asked by Bastille. Bastille also has three install-time
security options that are represented by the following files in /etc/opt/sec_mgmt/bastille. HOST.config Host-based lockdown, without IPFilter configuration. Using this
configuration has no impact on Partition Manager. MANDMZ.config A fairly tight lockdown, but leaves open select network ports
that are used by common management protocols and tools. For example,
WBEM still functions when this configuration is used. Launching Partition
Manager under this configuration requires the use of SSH or changes
to enable ports 2301 and 2381. To enable launching Partition Manager
on a system where ports 2301 and 2381 have been disabled, adjust the
IP filtering by adding entries such as: pass in quick proto tcp from any to any port = 2301 flags S/0xff
keep state keep frags pass in quick proto tcp from any to any port = 2381 flags S/0xff
keep state keep frags to /etc/opt/sec_mgmt/bastille/ipf.customrules prior to running Bastille. Refer to ipf(5) for more information. DMZ.config A tight lockdown. Launching Partition Manager under this configuration
requires the use of SSH. Bastille also impacts using Partition Manager to remotely manage
a system where Bastille is enabled. After the normal transfer of certificates,
Partition Manager will work as described above if the HOST.config
or MANDMZ.config configurations are used. However, the DMZ.config
configuration blocks WBEM traffic and thus prevents Partition Manager
from remotely managing the system. For more information about Bastille, refer to bastille(1M) and the Bastille User Guide, installed at /opt/sec_mgmt_bastille/docs/user_guide.txt.
Other Problems Why can't
I install HP SMH on my system? Solution: The HP SMH install
requires a Java version that requires at least 256 colors to load. Why do I get an error
indicating the page cannot be displayed when I click the Management Processor link? Solution: The administrator
for the management processor has configured the Web server on the
management processor to use a port other than port 80. HP SMH does
not currently have access to that parameter and assumes the management
processor is on port 80. Why can't I install HP SMH
on HP-UX or Linux when I am not root? Solution: You must be
logged in as root for HP SMH to have the proper access rights. In
the ServiceGuard Manager plugin, selecting [Display Consolidated
Syslog] may require you to reauthenticate or cause a page not found error. Solution: If the page not found error is displayed, you can press the [Refresh] button in the browser to allow the page to be properly shown. Subsequently,
you will need to reauthenticate. The
value presented in the Total Swap Space Size field of the Memory Utilization property page includes not only
the swap space that actually exists in the system as a device or file
system but also the size of the pseudo-swap, which does not exist
as an actual memory resource. The actual device and file system swap
space is not presented in the page. Solution: Currently, it is not possible to obtain the
actual size of the device and file system swap space through the HP SMH
property pages. You can obtain this information from the HP-UX command
line, using the swapinfo command.
|