HP System Management Homepage

Troubleshooting


If noted, a topic might only apply to the HP-UX, Linux, or Windows operating system.

1. Access Problems
1-1. SMH Documentation Unclear on Treatment of securetty.
1-2. After entering a hostname on Linux, HP SMH does not start.
2. Browser Problems
2-1. When I sign into HP SMH and close the browser, the HP SMH session is not ended. If I reopen Internet Explorer after closing it, I can sign into HP SMH without credentials. How can I fix this problem?
2-2. When I use Internet Explorer 6.0 in Windows, why do I see warnings in the Security Alert dialog box when I sign in to the HP System Management Homepage (HP SMH)?
2-3. Opening a second Mozilla browser can appear as an unauthorized signin into HP SMH.
2-4. I get security messages or partially displayed pages when browsing into HP SMH from Internet Explorer running on Windows 2003.
2-5. My browser page does not display all contents. What is wrong?
2-6. Why does the browser prompt me to accept cookies when accessing a system?
2-7. I can sign in to HP-UX with http://hostname:2301/, but not https://hostname:2381/.
2-8. When I browse to https://ipaddress:2381 on a local machine or a remote machine running Windows 2003, I don't see the Sign in screen.
3. Installation Problems
3-1. After running setup.exe /r on a Windows system to import certificates, the installation fails.
3-2. When installing HP SMH, I receive the following error: another instance is running.
3-3. When installing HP SMH, I receive the following errors: error: cannot get exclusive lock on /var/lib/rpm/Packages error: cannot open Packages index using db3 - Operation not permitted (1) error: cannot open Packages database in /var/lib/rpm.
4. IP Address Problems
4-1. Why do I get a security warning when I browse to HP SMH with an IPv6 address?
4-2. Is there an easier way to access the local system with my browser without finding out its IP address?
4-3. When I use the IP Restricted Login feature, entering my server IP address does not have the desired effect. How can I be sure that the local machine IP addresses are recognized by this feature?
4-4. Although an IP restriction is configured, localhost access is not being denied. Why is this happening?
4-5. Under IP Restriction, I did not include the system's local IP address or 127.0.0.1 to the Include list, but I can still browse to it locally.
5. Sign In Problems
5-1. After signing onto the Windows operating system on a ProLiant or Integrity server running HP SMH Version 2.1.3 (or later), the ROTATELOGS.EXE command prompt appears on the screen if SMH is configured to allow interaction with the desktop. When this occurs, one or two smaller command prompt windows appear with messages similar to the following:
5-2. I gave a user group defined by Windows, such as Backup Operators, Administrator, Operator and User, privileges through the HP SMH User Groups settings page. However, users in that group cannot sign in or do not have the correct privileges in HP SMH.
5-3. When trying to sign in to HP SMH on a Windows system using an administrative account defined in the Backup Operators group, the sign in fails.
5-4. I cannot sign in to HP SMH on my server running the Windows operating system.
5-5. I cannot sign in to HP SMH on my Windows XP operating system.
5-6. Why doesn't my password work after I upgrade my web-managed Products?
5-7. I created new Windows accounts, using default settings, for use with HP SMH but I cannot use them to sign in.
5-8. When I use Internet Explorer 6.0 in Windows and browse through the management server to a system that was discovered by IP address, I cannot sign in to HP SMH. If anonymous access is enabled, I get through anonymously but the user name is incorrect.
5-9. When I browse to my system using the server name http://my-server-name:2301 with Internet Explorer, I cannot sign in using my valid Windows administrator account username and password. However, I can sign in if I browse to my system using my IP address, http://my-ip-address:2301.
6. Security Problems
6-1. After updating my Windows XP system with Service Pack 2, I cannot access HP SIM or HP Version Control Repository Manager. What happened?
6-2. Why can't I import X.509 certificates directly into HP SMH?
6-3. Why is my PKCS #7 cert data not accepted?
6-4. Why is my private key file not protected by the file system?
6-5. Why do I get errors when I paste my customer-generated certificate PKCS #7 data into the HP SIM Certificate Data field in Settings → SMH → Security → Trusted Management Servers?
6-6. Why can't I use a Windows 2003 CA to grant my third-party certificate into HP SMH?
6-7. What are the security options when using Bastille?
7. Other Problems
7-1. I am having problems downgrading HP SMH from 3.x to 2.x.
7-2. Why can't I install HP SMH on my system?
7-3. Why do I get an error indicating the page cannot be displayed when I click the Management Processor link?
7-4. Why can't I install HP SMH on HP-UX or Linux when I am not root?
7-5. In the ServiceGuard Manager plugin, selecting Display Consolidated Syslog might require you to reauthenticate or cause a page not found error.
7-6. The value presented in the Total Swap Space Size field of the Memory Utilization property page includes the swap space that exists in the system as a device or file system and the size of the pseudo-swap, which does not exist as a memory resource. The actual device and file system swap space is not presented in the page.

1- Access Problems

1-1. Q:

SMH Documentation Unclear on Treatment of securetty.

A:

The HP System Management Homepage (HP SMH) does not use /etc/securetty. See login(1) for details on /etc/securetty.

1-2. Q:

After entering a hostname on Linux, HP SMH does not start.

A:

Hostnames that are 64 characters or longer in length are not supported on Linux.

2- Browser Problems

2-1. Q:

When I sign into HP SMH and close the browser, the HP SMH session is not ended. If I reopen Internet Explorer after closing it, I can sign into HP SMH without credentials. How can I fix this problem?

A:

There are two possible solutions in order to be sure the HP SMH shortcut asks for credentials.

Solution 1

  1. Select Tools → Internet Options.

  2. Choose the Advanced tab.

  3. Under Settings → Browsing, deselect Reuse windows for launching shortcuts (when tabbed browsing is off).

  4. Click [OK].

Solution 2

  1. Select Tools → Internet Options.

  2. Under the General tab, look for Tabs: Change how webpages are displayed in tabs. Click [Settings].

  3. Under Open links from other programs in:, select the third option The current tab or window.

  4. In the Tabbed Browsing Settings pop-up window, click [OK].

  5. Click [OK] to close Internet Options.

2-2. Q:

When I use Internet Explorer 6.0 in Windows, why do I see warnings in the Security Alert dialog box when I sign in to the HP System Management Homepage (HP SMH)?

A:

There are two possible warnings:

  • Warning 1: The name on the security certificate is invalid or does not match the name of the site.

    This warning occurs when you browse to HP SMH using an IP address. This warning also occurs if you browse locally using localhost for the machine name.

  • Warning 2: The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the CA.

    The certificate is issued by HP SMH. You can add the certificate to your Trusted Certificate List and the warning goes away.

2-3. Q:

Opening a second Mozilla browser can appear as an unauthorized signin into HP SMH.

A:

Mozilla browsers share sessions when launched separately.

Separate sessions are shared in Mozilla when launched from the desktop. However, they are not shared in Internet Explorer.

2-4. Q:

I get security messages or partially displayed pages when browsing into HP SMH from Internet Explorer running on Windows 2003.

A:

Internet Explorer 6.0 on Windows 2003 Server has different default security settings. To prevent the problem, add each managed system to the local intranet zone twice, once as http://hostname:2301 and once more as https://hostname:2381. The alternatives to this solution are to decrease the level of security settings in the browser (not recommended) or alter the browser security settings to allow cookies (both stored and per-session) and allow active scripting.

2-5. Q:

My browser page does not display all contents. What is wrong?

A:

Frame sizes are optimized for medium fonts. If you switch your browser to use larger or smaller fonts, manually adjust the frame layout using the mouse.

2-6. Q:

Why does the browser prompt me to accept cookies when accessing a system?

A:

Browser cookies are required to track user state and security. Cookies must be enabled in the browser and prompting for acceptance of cookies should be disabled.

2-7. Q:

I can sign in to HP-UX with http://hostname:2301/, but not https://hostname:2381/.

A:

By default, HP-UX is installed with the autostart feature enabled. A daemon listens on port 2301 and only starts HP SMH on port 2381 when requested, then stops it again after a timeout period. For more information, see the smhstartconfig(1M) command.

2-8. Q:

When I browse to https://ipaddress:2381 on a local machine or a remote machine running Windows 2003, I don't see the Sign in screen.

A:

Internet Explorer 6.0 on Windows 2003 sometimes causes only the Account Sign in text in a blue bar to appear, instead of the entire Sign in page. This issue occurs when browsing on a local system or a remote system.

To resolve the issue, enable Javascript support and add this site to the Trusted sites list.

3- Installation Problems

3-1. Q:

After running setup.exe /r on a Windows system to import certificates, the installation fails.

A:

Do not use setup.exe /r to import or copy certificates. Instead, use the Configure or Repair Agents tool in HP SIM.

3-2. Q:

When installing HP SMH, I receive the following error: another instance is running.

A:

The HP SMH installation attempted to install on a system that had files that are corrupted, or the installation was aborted.

To resolve this issue, navigate to the \temp directory on the HP SMH system and delete the smhlock.tmp file.

3-3. Q:

When installing HP SMH, I receive the following errors: error: cannot get exclusive lock on /var/lib/rpm/Packages error: cannot open Packages index using db3 - Operation not permitted (1) error: cannot open Packages database in /var/lib/rpm.

A:

This error appears when more than one instance of the install action is initiated on a Linux system. Only one HP SMH installation can run at a time.

4- IP Address Problems

4-1. Q:

Why do I get a security warning when I browse to HP SMH with an IPv6 address?

A:

To use IPv6 addresses, you need the following browsers:

  • Windows OS. Internet Explorer 7

  • Linux OS. Mozilla Firefox

Note: Internet Explorer 6 cannot handle IPv6 addresses. For more information, see http://blogs.msdn.com/ie/archive/2007/02/20/ipv6-uris-in-ie7.aspx and the Microsoft support page at http://support.microsoft.com/kb/325414.

When browsing secure pages, Internet Explorer 7 might ask you to add the page to its Trusted Site Zone. Even after you click [Add], the message returns. In this case, Internet Explorer 7 fails to handle IPv6 URLs because the Internet Explorer parser uses a colon as the separator between the IP address and the port number. For example:

  • On IPv4, the HP SMH IP address might be https://127.0.0.1:2381. The IP address is 127.0.0.1 and the port number is 2381.

  • On IPv6, the HP SMH IP address might be https://[2001:db8:c18:1:21a:4bff:fe4c:c8e0]:2381. The IP address is 2001:db8:c18:1:21a:4bff:fe4c:c8e0 and the port number is 2381. In this case, Internet Explorer looks for a colon as a separator and uses [2001 as the IP address.

Choose one of two ways to avoid security warnings when browsing with IPv6 addresses:

  • Use a DNS name backed by IPv6 addresses.

  • Add the literal IPv6 address to the Local intranet site or Trusted sites of Internet Explorer 7 without the port number. For example, add http://[2001:db8:c18:1:250:8bff:fee2:4ed8] and https://[2001:db8:c18:1:250:8bff:fee2:4ed8] without adding the port number.
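The parsing difference described in this answer, as an added example (not HP or Microsoft code): a first-colon split reproduces the "[2001" host, while a bracket-aware split recovers the address and port and yields the port-less zone entry. The function names are hypothetical; the URLs are the ones used in the answer above.

```python
import ipaddress


def split_on_first_colon(authority):
    """Naive split at the first colon: the parsing this answer attributes to Internet Explorer."""
    host, _, port = authority.partition(":")
    return host, port


def split_authority(authority):
    """Bracket-aware split of host[:port]; an IPv6 literal must sit inside [ ]."""
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError("IPv6 literal is missing its closing bracket")
        host = authority[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError if this is not a valid IPv6 address
        rest = authority[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after the IPv6 literal")
        port = rest[1:]
    else:
        if authority.count(":") > 1:
            raise ValueError("an IPv6 literal must be enclosed in brackets")
        host, _, port = authority.partition(":")
    if port and not (port.isascii() and port.isdigit()):
        raise ValueError("port is not numeric")
    return host, int(port) if port else None


def zone_entry(url):
    """Return scheme://host with the port dropped, the form added to the browser zone list."""
    scheme, _, rest = url.partition("://")
    authority = rest.split("/", 1)[0]
    host, _port = split_authority(authority)
    if ":" in host:  # IPv6 literal: put the brackets back
        host = f"[{host}]"
    return f"{scheme}://{host}"


# URLs taken from the answer above.
IPV4_URL = "https://127.0.0.1:2381"
IPV6_URL = "https://[2001:db8:c18:1:21a:4bff:fe4c:c8e0]:2381"

if __name__ == "__main__":
    for url in (IPV4_URL, IPV6_URL):
        authority = url.partition("://")[2]
        print(url)
        print("  first-colon split:", split_on_first_colon(authority))
        print("  bracket-aware    :", split_authority(authority))
        print("  zone entry       :", zone_entry(url))
```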

4-2. Q:

Is there an easier way to access the local system with my browser without finding out its IP address?

A:

Yes. You can access the local system at https://hostname:2381 or https://127.0.0.1:2381. For HP-UX, you can access the local system at http://hostname:2301 if you keep the default setting of autostart enabled.

The word localhost does not work in all languages. In addition, if you have a proxy server configured in your browser, you might need to add 127.0.0.1 to the browser list of addresses that should not be proxied.

4-3. Q:

When I use the IP Restricted Login feature, entering my server IP address does not have the desired effect. How can I be sure that the local machine IP addresses are recognized by this feature?

A:

Enter 127.0.0.1 in addition to the IP addresses of the server if you intend to restrict the local machine. The address 127.0.0.1 is always permitted in the Include section, so it is only restricted if it is explicitly placed in the Exclude section.

4-4. Q:

Although an IP restriction is configured, localhost access is not being denied. Why is this happening?

A:

If you do not include the IP address for the local host in the Include field, the local host is still granted access because most users do not intend to block local host access. If you do need to block localhost access, enter 127.0.0.1 into the Exclude field under IP Restriction.

4-5. Q:

Under IP Restriction, I did not include the system's local IP address or 127.0.0.1 to the Include list, but I can still browse to it locally.

A:

As a precaution against users unintentionally locking themselves out of HP SMH access, localhost requests are not denied when the local IP addresses are not mentioned in the Include list. If necessary, the local system's IP address and 127.0.0.1 can be added to the Exclude list, and this setting denies access to any user trying to gain access from the local system.
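A model of the Include/Exclude behaviour described in answers 4-3 to 4-5, added here as an example; it is not HP SMH code. It assumes that Exclude takes precedence over Include, that an empty Include list places no restriction, and that entries are single addresses. The sample addresses are constructed.

```python
import ipaddress


def _norm(addrs):
    """Parse address strings so that comparisons ignore formatting differences."""
    return {ipaddress.ip_address(a) for a in addrs}


def is_allowed(client, include, exclude, local_addrs):
    """Decide access for one client address under the Include/Exclude lists.

    Modelled on answers 4-3 to 4-5:
      * an address in Exclude is denied;
      * 127.0.0.1 and the system's own addresses are treated as if they were
        in Include, so only an Exclude entry can deny them.
    Assumptions (not stated on the page): Exclude wins over Include and an
    empty Include list places no restriction.
    """
    ip = ipaddress.ip_address(client)
    local = _norm(local_addrs) | {ipaddress.ip_address("127.0.0.1")}
    if ip in _norm(exclude):
        return False
    if ip in local:
        return True  # implicit Include entry for local access
    include_set = _norm(include)
    return not include_set or ip in include_set


def local_access_still_open(include, exclude, local_addrs):
    """List the local addresses that can still reach HP SMH under this configuration."""
    candidates = ["127.0.0.1", *local_addrs]
    return [a for a in candidates if is_allowed(a, include, exclude, local_addrs)]


# Constructed sample values: one server address and one admin workstation.
SERVER_ADDRS = ["192.0.2.10"]
ADMIN_ONLY = ["192.0.2.50"]

if __name__ == "__main__":
    # Include list alone: remote hosts are restricted, local access is not.
    print(local_access_still_open(ADMIN_ONLY, [], SERVER_ADDRS))
    # Excluding only the server address still leaves 127.0.0.1 open (answer 4-3).
    print(local_access_still_open(ADMIN_ONLY, ["192.0.2.10"], SERVER_ADDRS))
    # Both local addresses in Exclude: local access is denied (answer 4-5).
    print(local_access_still_open(ADMIN_ONLY, ["127.0.0.1", "192.0.2.10"], SERVER_ADDRS))
```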

5- Sign In Problems

5-1. Q:

After signing onto the Windows operating system on a ProLiant or Integrity server running HP SMH Version 2.1.3 (or later), the ROTATELOGS.EXE command prompt appears on the screen if SMH is configured to allow interaction with the desktop. When this occurs, one or two smaller command prompt windows appear with messages similar to the following:

(drive):\hp\hpsmh\bin\rotatelogs.exe

A:

The command prompt window messages do not affect the performance or functionality of the server or of SMH and can be ignored.

Any ProLiant or Integrity server configured with Windows 2000 Server or Windows Server 2003 (any edition) and HP SMH Version 2.1.3 (or later) when SMH is allowed to interact with the desktop can be affected.

To prevent HP SMH from interacting with the server desktop, perform the following:

  1. Click Start → Programs → Administrative Tools → Services.

  2. Click HP System Management Homepage Properties.

  3. Click the Log On tab.

  4. Deselect Allow service to interact with desktop.

  5. Click Apply and then click [OK].

  6. Restart the HP System Management Homepage service.

5-2. Q:

I gave a user group defined by Windows, such as Backup Operators, Administrator, Operator and User, privileges through the HP SMH User Groups settings page. However, users in that group cannot sign in or do not have the correct privileges in HP SMH.

A:

HP SMH only recognizes four user groups defined by Windows: Administrators, Users, Guests and Power Users. Other groups defined by Windows, such as Backup Operators, are not recognized.

On Linux, the group must be previously created using system tools such as groupadd.

5-3. Q:

When trying to sign in to HP SMH on a Windows system using an administrative account defined in the Backup Operators group, the sign in fails.

A:

On Windows systems in the defined user groups, only Administrators, Users, Guests and Power Users are recognized. Other groups defined by Windows, such as Backup Operators, are not recognized. Create a new group and use it for providing access to HP SMH.

5-4. Q:

I cannot sign in to HP SMH on my server running the Windows operating system.

A:

Complete the following:

  1. Verify that a valid Windows operating system account is set up and that the signin is included in the Administrators group or in an HP SMH operating system group.

  2. Sign in to the operating system, and change the password if prompted.

    If this password prompt appears, the operating system Administrator has set up the user account with the user must change the password at next sign in option selected.

    Any signin created in the future can be added by the operating system group Administrator without selecting the user must change the password at next sign on option. In addition, if this option is selected, you can change the password through the operating system before signing in to HP SMH.

5-5. Q:

I cannot sign in to HP SMH on my Windows XP operating system.

A:

Go to Programs → Administrative Tools → Local Security Settings and change the policy Network Access: Sharing and security model for local accounts from Guest Only to Classic Only.

5-6. Q:

Why doesn't my password work after I upgrade my web-managed Products?

A:

HP SMH v2.0 and later use operating system accounts, but previous versions use static accounts (administrator, operator, and user). Any operating system account belonging to the administrators group (root group in Linux) has administrative access to HP SMH. With this access, you can assign accounts in other operating system account groups to different levels of access for HP SMH. The HP SMH online help describes this process in detail. See Security - User Groups.

This does not apply to HP-UX.

5-7. Q:

I created new Windows accounts, using default settings, for use with HP SMH but I cannot use them to sign in.

A:

By default, new accounts created in Windows operating systems are set to user must change the password at next sign in. Deselect this option so the account can be used to sign in to HP SMH.

5-8. Q:

When I use Internet Explorer 6.0 in Windows and browse through the management server to a system that was discovered by IP address, I cannot sign in to HP SMH. If anonymous access is enabled, I get through anonymously but the user name is incorrect.

or

When I use Internet Explorer 6.0 in Windows and browse through the management server to a device that was discovered by IP address, the detailed certificate information does not appear in the text box of the Automatic Import Certificate screen.

A:

These issues can be resolved in the following ways by adjusting the Internet Explorer settings:

  • Configure the Internet Explorer Privacy settings from Medium to Low. (HP does not recommend using this option.)

    To change the settings:

    1. In Internet Explorer, click Tools → Internet Options.

    2. Click Privacy.

    3. Click and drag the slide bar to Low.

    4. Click [Apply].

    5. Click [OK].

      The changes are saved.

  • Add the IP address of the target HP SMH to the Local Intranet's zone.

    To change the settings:

    1. In Internet Explorer, click Tools → Internet Options.

    2. Click Security.

    3. Select Local Intranet.

    4. Click [Sites] → [Advanced].

    5. In Add this website to the zone, enter the IP address of the HP SMH system. For example, enter https://ipaddress.

    6. Click [Add].

    7. Click [OK].

    8. Click [OK] again.

    9. Click [OK].

      The changes are saved.

5-9. Q:

When I browse to my system using the server name http://my-server-name:2301 with Internet Explorer, I cannot sign in using my valid Windows administrator account username and password. However, I can sign in if I browse to my system using my IP address, http://my-ip-address:2301.

A:

Verify whether there is an underscore "_" defined in your server's computer name. If there is, remove it or use "-" (dash) instead of "_" (underscore). You should be able to log in using the system name.

You might need to change the Microsoft Internet Information Server (IIS) configuration after you rename a system.

This is a security feature added by Microsoft security patch MS01-055 for Internet Explorer 5.5 or 6.0 that prevents systems with improper name syntax from setting cookie names. Domains that use cookies must use only alphanumeric characters (- or .) in the domain name and the system name. Internet Explorer blocks cookies from a system if the system name contains other characters, such as an underscore character (_).

6- Security Problems

6-1. Q:

After updating my Windows XP system with Service Pack 2, I cannot access HP SIM or HP Version Control Repository Manager. What happened?

A:

Windows XP Service Pack 2 implements a software firewall that prevents browsers from accessing the ports required for HP SIM and Version Control Repository Manager access. To resolve this issue, configure the firewall with exceptions to allow browsers to access the ports used by HP SIM and Version Control Repository Manager.

HP recommends the following actions:

  1. Select Start → Settings → Control Panel.

  2. Double-click Windows Firewall to configure the firewall settings.

  3. Select Exceptions.

  4. Click [Add Port].

  5. Enter the product name and the port number.

    Add the following exceptions to the firewall protection:

    Table 1 Firewall protection exceptions

    Product                 Port Number
    HP SMH Insecure Port    2301
    HP SMH Secure Port      2381
    HP SIM Insecure Port    280
    HP SIM Secure Port      50000

  6. Click [OK] to save your settings and close the Add a Port dialog box.

  7. Click [OK] to save your settings and close the Windows Firewall dialog box.

This configuration leaves the default SP2 security enhancements intact, but allows traffic over the ports previously indicated. These ports are required for HP SIM and Version Control Repository Manager to run. Ports 2301 and 2381 are required for the Version Control Repository Manager and ports 280 and 50000 are required by HP SIM. The secure and insecure ports must be added for each product to enable communication with the applications.

6-2. Q:

Why can't I import X.509 certificates directly into HP SMH?

A:

HP SMH generates a certificate request in Base64-encoded PKCS #10 format. This certificate request should be supplied to the certificate authority. Most CAs return Base64-encoded PKCS #7 certificate data that you can import directly into HP SMH by selecting Settings → HP System Management Homepage → Security → Local Server Certificate.

If the CA returns the certificate data in X.509 format, rename the X.509 certificate file as cert.pem and place it into the \hp\sslshare directory. When HP SMH is restarted, this certificate is used.

6-3. Q:

Why is my PKCS #7 cert data not accepted?

A:

When using a Mozilla browser, there can be problems when cutting and pasting cert request and reply data using Notepad or other editors. To avoid these problems, use Mozilla to open certificate reply files from your CA. Use the Select All, Cut, and Paste operations supplied by Mozilla when working with certificates.

6-4. Q:

Why is my private key file not protected by the file system?

A:

If you are using Windows operating systems, you must have the system drive in NTFS format for the private key file to be protected by the file system.

6-5. Q:

Why do I get errors when I paste my customer-generated certificate PKCS #7 data into the HP SIM Certificate Data field in Settings → SMH → Security → Trusted Management Servers?

A:

The customer-generated certificate PKCS #7 data is not relevant to the data given in the Trusted Management Servers field. The PKCS #7 data should be imported into the Customer Generated Certificates Import PKCS #7 Data field under Settings → SMH → Security → Local Server Certificate. The HP Systems Insight Manager Certificate Data field is used to trust HP SIM servers with HP SMH. For more information, see Security - Trusted Management Servers.

6-6. Q:

Why can't I use a Windows 2003 CA to grant my third-party certificate into HP SMH?

A:

To use a Windows 2003 CA to create a certificate for HP SMH:

  1. Create the PKCS #10 data packet on the Settings → SMH → Security → Local Server Certificate page.

  2. Press the Ctrl+C keys to copy the data into a buffer.

  3. Navigate to http://W2003CA/certsrv where W2003CA is the name of your Windows 2003 certificate authority system and complete the following:

    1. Select Request a certificate.

    2. Select Advanced certificate request.

    3. Select Submit a certificate request by using a base.

    4. Press the Ctrl+V keys to paste the PKCS #10 data into the field.

  4. From your Windows 2003 certificate authority system complete the following:

    1. Click Start → All Programs → Administrative Tools → Certification Authority.

    2. Click CA (Local) → W2003CA/certsrv, where W2003CA is the name of your Windows 2003 certificate authority system.

    3. Issue the pending request certificate.

  5. Navigate to http://W2003CA/certsrv, where W2003CA is the name of your Windows 2003 certificate authority system and complete the following:

    1. Select View the status of a pending certificate request.

    2. Select Base64-encoded and Download certificate (not certificate chain).

    3. The file download is certnew.cer.

    4. Rename certnew.cer to cert.pem.

6-7. Q:

What are the security options when using Bastille?

A:

Bastille is a system hardening program that enhances the security of an HP-UX host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and tools such as rcp(1) and rlogin(1), and can help limit the vulnerability of common Internet services such as Web servers and DNS.

At this time, HP System Management Homepage does not support Partition Manager.

One facility that Bastille uses to lock down a system is IP filtering. Refer to the Partition Manager Online Help for requirements when using IP filtering with Partition Manager. If Bastille's interactive user interface is used, be aware of these issues when answering the questions asked by Bastille. Bastille also has three install-time security options that are represented by the following files in /etc/opt/sec-mgmt/bastille.

  • HOST.config. Host-based lockdown, without IPFilter configuration. Using this configuration has no impact on Partition Manager.

  • MANDMZ.config. A fairly tight lockdown, but leaves select network ports open that are used by common management protocols and tools. For example, WBEM still functions when this configuration is used. Launching Partition Manager under this configuration requires the use of SSH or changes to enable ports 2301 and 2381. To enable launching Partition Manager on a system where ports 2301 and 2381 are disabled, adjust the IP filtering by adding entries such as:

    pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags

    pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags

    to /etc/opt/sec-mgmt/bastille/ipf.customrules prior to running Bastille.

    For more information, see ipf(5).

  • DMZ.config. A tight lockdown. Launching Partition Manager under this configuration requires the use of SSH.

    Bastille also impacts Partition Manager when remotely managing a system where Bastille is enabled. After the normal transfer of certificates, Partition Manager works as described above if the HOST.config or MANDMZ.config configurations are used. However, the DMZ.config configuration blocks WBEM traffic and prevents Partition Manager from remotely managing the system.

    For more information about Bastille, see bastille(1M) and the Bastille User Guide, installed at /opt/sec-mgmt-bastille/docs/user-guide.txt.

7- Other Problems

7-1. Q:

I am having problems downgrading HP SMH from 3.x to 2.x.

A:

To successfully downgrade HP SMH from 3.x to 2.x, stop the HP SMH service and then execute the downgrade by completing the following steps:

  1. $ /etc/init.d/hpsmhd stop

  2. $ rpm -U --oldpackage hpsmh-<old version>.rpm

7-2. Q:

Why can't I install HP SMH on my system?

A:

The HP SMH install action requires a Java version that requires at least 256 colors to load.

This applies to Windows only.

7-3. Q:

Why do I get an error indicating the page cannot be displayed when I click the Management Processor link?

A:

The administrator for the management processor has configured the Web server on the management processor to use a port other than port 80. HP SMH does not have access to that parameter and assumes the management processor is on port 80.

7-4. Q:

Why can't I install HP SMH on HP-UX or Linux when I am not root?

A:

You must be logged in as root for HP SMH to have the proper access rights.

7-5. Q:

In the ServiceGuard Manager plugin, selecting [Display Consolidated Syslog] might require you to reauthenticate or cause a page not found error.

A:

If the page not found error appears, press the [Refresh] button in the browser to allow the page to be shown. Subsequently, you need to reauthenticate.

7-6. Q:

The value presented in the Total Swap Space Size field of the Memory Utilization property page includes the swap space that exists in the system as a device or file system and the size of the pseudo-swap, which does not exist as a memory resource. The actual device and file system swap space is not presented in the page.

A:

Currently, it is not possible to obtain the actual size of the device and file system swap space through HP SMH property pages. You can obtain this information from the HP-UX command line, using the swapinfo command.