VMware Cloud Community
acnsys
Enthusiast

HP SIM and vmm SSH issue

Hi Fellows,

I try to import/register ESX hosts inside HP SIM 8.0

I have the VMM Agent installed, and I have followed a wiki from astroarch:

Identifying ESX Servers

It is best that the HP Proliant Essentials tools for VMware be installed for your specific hardware, as of this writing v7.9.1 is required for VI3.5. This includes the system management home page which gives a single pane of glass for the view of the hardware for the ESX server. This is sometimes critical, but how do you get it to work?

1. Install the tools per normal

You will want to make sure that the HPSIM server and any other server can access the System Management Homepage as necessary.

2. Enable port 2301 incoming (this is a temporary change)

esxcfg-firewall -o 2301,tcp,in,HPSIM

3. Identify the ESX Server within HPSIM (Options -> Identify Systems...)

4. Disable port 2301 incoming

esxcfg-firewall -c 2301,tcp,in

Now HPSIM will see your System Management Homepage and declare one does not exist. You do not want port 2301 to be open past this stage as it is an insecure connection to your server data but for the brief time it is open, you should be fine.

Installing the Virtual Machine Management Pack Agents

In a normal install of VI3, there is no SSH access to root; this implies that anything HPSIM does via SSH will not work with ESX unless you enable this access. Enabling this access will degrade your ESX security stance. Instead you should have an administrative account on the ESX server that is a jump point for running the necessary commands.

1. Transfer from the HPSIM server the following files to your administrative account:

C:\Program Files\HP\Virtual Machine Management Pack\Agents\Linux\hpvmmagent.tar

C:\Program Files\HP\Virtual Machine Management Pack\lib\cms.cer

C:\Program Files\HP\Virtual Machine Management Pack\bin\importcert.sh

2. Now as your administrative user on the service console:

1. tar -xf hpvmmagent.tar

2. chmod +x hpvmmagent.sh

3. sudo ./hpvmmagent.sh

4. sudo cp cms.cer /root

5. sudo ./importcert.sh

3. Back in HPSIM you can then register the ESX server using Configure->Virtual Machine Host Registration->Register VM Host->Linux Host... Note that some parts of this will fail, but you have already done them from the SC in a secure manner.

Now when I run the import I receive an error:

Running tool Enable Secure Communication with Linux Host with job id 678.

Task Name :defRunNowTaskId_1213365793153_31

Job ID :678

Tool Name :Enable Secure Communication with Linux Host

Job State :Complete

User Name :AU\atc

Execute As User :Administrator

Start Time :Friday, June 13, 2008 4:03:13 PM CEST

End Time :Friday, June 13, 2008 4:03:21 PM CEST

Elapsed Time :8 seconds 641 milliseconds

Node :amsterdam-sm08.eu.corp.com

Status :Complete

Exit Code :0

STDOUT :

Enable Secure Communication with Linux Host amsterdam-vm02.eu.corp.com

Preparing the Agent keystore on the CMS

createServerCert()

Host = amsterdam-vm02.eu.corp.com

createServerCert()

Done - securing keystore

updateCertExpDate

loadKeyStore

updateCertExpDate

Exiting createServerCert()

updateCertExpDate

loadKeyStore

updateCertExpDate

Running tool Copy KeyStore From CMS to Linux Host with job id 679.

Task Name :defRunNowTaskId_1213365796199_32

Job ID :679

Tool Name :Copy KeyStore From CMS to Linux Host

Job State :Failed

User Name :AU\atc

Execute As User :root

Start Time :Friday, June 13, 2008 4:03:16 PM CEST

End Time :Friday, June 13, 2008 4:03:16 PM CEST

Elapsed Time : 141 milliseconds

Node :amsterdam-vm02.eu.corp.com

Status :Failed

Exit Code :-1

Files copied :0/1

Source :amsterdam-sm08.eu.corp.com:C:\Program Files\HP\Virtual Machine Management Pack\lib\amsterdam-vm02.eu.corp.com_vmmagent.ks

Destination :amsterdam-vm02.eu.corp.com:./vmmagent.ks

STDOUT :

<No output>

STDERR :

SSH public key authentication failed.

Target system amsterdam-vm02.eu.corp.com might not be configured.

Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.

EXCEPTION CLASS :

com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException

EXCEPTION :

SSH public key authentication failed.Target system amsterdam-vm02.eu.corp.com might not be configured.Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.

Running tool Copy TrustStore From CMS to Linux Host with job id 680.

Task Name :defRunNowTaskId_1213365798184_33

Job ID :680

Tool Name :Copy TrustStore From CMS to Linux Host

Job State :Failed

User Name :AU\atc

Execute As User :root

Start Time :Friday, June 13, 2008 4:03:18 PM CEST

End Time :Friday, June 13, 2008 4:03:18 PM CEST

Elapsed Time : 141 milliseconds

Node :amsterdam-vm02.eu.corp.com

Status :Failed

Exit Code :-1

Files copied :0/1

Source :amsterdam-sm08.eu.corp.com:C:\Program Files\HP\Virtual Machine Management Pack\lib\amsterdam-vm02.eu.corp.com_vmtoolstrust.ks

Destination :amsterdam-vm02.eu.corp.com:./vmtoolstrust.ks

STDOUT :

<No output>

STDERR :

SSH public key authentication failed.

Target system amsterdam-vm02.eu.corp.com might not be configured.

Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.

EXCEPTION CLASS :

com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException

EXCEPTION :

SSH public key authentication failed.Target system amsterdam-vm02.eu.corp.com might not be configured.Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.

Running tool Copy Keystore Files Linux with job id 681.

Task Name :defRunNowTaskId_1213365800184_34

Job ID :681

Tool Name :Copy Keystore Files Linux

Job State :Failed

User Name :AU\atc

Execute As User :root

Start Time :Friday, June 13, 2008 4:03:20 PM CEST

End Time :Friday, June 13, 2008 4:03:20 PM CEST

Elapsed Time : 125 milliseconds

Node :amsterdam-vm02.eu.corp.com

Status :Failed

Exit Code :-1

Files copied :0/1

Source :amsterdam-sm08.eu.corp.com:C:\Program Files\HP\Virtual Machine Management Pack\bin\importcert.sh

Destination :amsterdam-vm02.eu.corp.com:./importcert.sh

STDOUT :

<No output>

STDERR :

SSH public key authentication failed.

Target system amsterdam-vm02.eu.corp.com might not be configured.

Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.

EXCEPTION CLASS :

com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException

EXCEPTION :

SSH public key authentication failed.Target system amsterdam-vm02.eu.corp.com might not be configured.Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.

STDERR :

Loaded library disp

Any ideas what goes wrong? OpenSSH is installed on the SIM server and configured as: The central management server will accept an SSH connection with any host key, even if not in the list below.

Thanks in advance.

0 Kudos
14 Replies
Texiwill
Leadership

Hello,

Review my write up on HPSIM AND ESX. It should get things working for you.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
GPinson
Contributor

> Hi Fellows,

> I try to import/register ESX hosts inside HP SIM 8.0

Just curious, isn't the latest release of HP SIM only version 5.2 Update 1?

Gene

0 Kudos
acnsys
Enthusiast

Ed,

I did follow your wiki in the first place but still the error message shows an error with ssh keys.

PS: HP SIM version 8 is for the client; SIM is indeed version 5.2 U1.

0 Kudos
acnsys
Enthusiast

I fixed it, as the error message was quite explicit.

I went to Configure --> Repair Agent and then only chose to repair the SSH settings; now the host registers successfully.

0 Kudos
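The report in the original post has one successful job run as Administrator on the CMS and three failed copies run as root on the ESX host, all with the same SSH exception, which is what repairing the SSH settings addressed. A small triage filter for reports in this format, as an added example that is not part of the thread (the function names are assumptions of this example; the sample input is constructed and abridged from the post):

```shell
#!/bin/sh
# Added example, not part of the thread: triage an HP SIM task report.
# Output, one line per failed job: job_id|tool|execute_as|node|reason
triage_sim_jobs() {
    awk '
    function field(label,   i) {   # text after "label :" anywhere on the line
        i = index($0, label " :")
        return i ? substr($0, i + length(label) + 2) : ""
    }
    function emit() {
        if (id != "" && state == "Failed")
            printf "%s|%s|%s|%s|%s\n", id, tool, user, node, (ssh ? "ssh-pubkey-auth" : "other")
        id = tool = user = node = state = ""; ssh = 0
    }
    { sub(/[ \t\r]+$/, "") }       # pasted reports may carry CRs or spaces
    /^Running tool .* with job id [0-9]+\.$/ { emit(); id = $NF; sub(/\.$/, "", id); next }
    /Tool Name :/       { tool  = field("Tool Name") }
    /Job State :/       { state = field("Job State") }
    /Execute As User :/ { user  = field("Execute As User") }  # also when fused
    /^Node :/           { node  = field("Node") }
    /MxSshAuthenticationFailedException/ { ssh = 1 }
    END { emit() }'
}

# Accounts the CMS could not reach with its SSH key, as user@node.
ssh_rejected_accounts() {
    triage_sim_jobs | awk -F"|" '$5 == "ssh-pubkey-auth" { print $3 "@" $4 }' | sort -u
}

# Constructed sample, abridged from the report format in the original post.
sample_report() {
    cat <<'EOF'
Running tool Enable Secure Communication with Linux Host with job id 678.
Job State :Complete
Execute As User :Administrator
Running tool Copy KeyStore From CMS to Linux Host with job id 679.
Tool Name :Copy KeyStore From CMS to Linux Host
Job State :Failed
Execute As User :root
Node :amsterdam-vm02.eu.corp.com
com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException
Running tool Copy Keystore Files Linux with job id 681.
Tool Name :Copy Keystore Files Linux
Job State :Failed
User Name :AU\atcExecute As User :root
Node :amsterdam-vm02.eu.corp.com
com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException
EOF
}
```

Running `sample_report | ssh_rejected_accounts` reduces the report to the single account the CMS key was rejected for, here root on the ESX host.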
Texiwill
Leadership

Hello,

Interesting, as I never had to do that. Could you post any differences between the steps you took and those listed in the Wiki article I referenced?

Also, just so you know the HP Management Agents are called HPASM. HPSIM is the name of the server.


0 Kudos
vmproteau
Enthusiast

Texiwill,

Thanks for the "HPSIM and ESX" guide. The "Identifying ESX Server" section is what solved my problem which was (after 8.0a install) SMH access from the "Health Status" link in Insight Manager broke. Access over always worked fine.

I'm curious about your concerns over 2301.

  • Is there something specific about that port that is inherently insecure or are you just very security conscious?

  • Also, on HP's forum (a link to your guide is posted in a thread there as well :)) someone was concerned about a re-identification automated process failing now that we have closed the port. Can you comment on that?

0 Kudos
zeppoliner
Contributor

@ Texiwill: thanks for your great how-to. I followed your guide but can't get it to work.

We are running HP SIM 5.3 which is installed on a Win 2k3 Server. I added a new user (adminvm) to my ESX server which I used when following your guide.

Here's what I did. I copied those files from our SIM server to a flash stick. Logged on to the ESX server and mounted the stick. Finished step 1 & 2 but when I got to step # 3 (sudo hpvmmagent.sh) I was prompted for a password and then received a 'Broken pipe' error.

Do I have to add 'adminvm' to a certain group (maybe root-group) before I run those commands? What am I missing?

0 Kudos
Texiwill
Leadership

Hello,

> I'm curious about your concerns over 2301.
>
>   • Is there something specific about that port that is inherently insecure or are you just very security conscious?

It is not SSL protected; yes, just security conscious.

>   • Also, on HP's forum (a link to your guide is posted in a thread there as well :)) someone was concerned about a re-identification automated process failing now that we have closed the port. Can you comment on that?

Never had that problem, once you set it up the first time it does everything fine.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

0 Kudos
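The open, identify, close sequence from the guide quoted in the first post leaves 2301, which is not SSL protected, open until someone remembers the last step. A wrapper that bounds the window and closes the port on every exit path, as an added example that is not part of the guide or the thread (the `FW` override, the function names and the script name are assumptions of this example; only the `-o` and `-c` arguments come from the guide):

```shell
#!/bin/sh
# Added example (not from the guide): keep the port 2301 window bounded and
# close it on every exit path, including Ctrl-C.
# FW is overridable so the logic can be exercised off-host; on an ESX 3.x
# service console it is the esxcfg-firewall command used in the thread.
FW="${FW:-esxcfg-firewall}"
OPEN_SPEC="2301,tcp,in,HPSIM"   # argument to -o, as given in the guide
CLOSE_SPEC="2301,tcp,in"        # argument to -c, as given in the guide
WINDOW_OPEN=0

close_port() {
    # Idempotent: the trap and the normal path may both call this.
    [ "$WINDOW_OPEN" = 1 ] || return 0
    WINDOW_OPEN=0
    $FW -c "$CLOSE_SPEC"
}

# with_port_window CMD [ARGS...]
# Opens 2301, runs CMD while the port is open, then closes the port.
# Returns CMD's exit status; returns 1 without running CMD if the open fails.
with_port_window() {
    rc=0
    $FW -o "$OPEN_SPEC" || return 1
    WINDOW_OPEN=1
    trap close_port EXIT
    trap 'close_port; exit 130' INT TERM HUP
    "$@" || rc=$?
    close_port || rc=$?
    trap - EXIT INT TERM HUP
    return "$rc"
}

# Typical use on the service console, as root or via sudo
# (port-window.sh is a hypothetical name for this file):
#   sh port-window.sh 300     # port open for at most 300 seconds
# Run "Identify Systems..." in HPSIM during that time.
if [ -n "${1:-}" ]; then
    with_port_window sleep "$1"
fi
```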
Texiwill
Leadership

Hello,

> Here's what I did. I copied those files from our SIM server to a flash stick. Logged on to the ESX server and mounted the stick. Finished step 1 & 2 but when I got to step # 3 (sudo hpvmmagent.sh) I was prompted for a password and then received a 'Broken pipe' error.

You need to use the password of the adminvm account. Then there should not be any issues going forward.

I have not tried the latest agents but plan on doing that very shortly.


0 Kudos
zeppoliner
Contributor

Hum...guess I have to add 'adminvm' to a certain group on my ESX right? So far it's a read-only account and I can't even do step # 1 without entering su credentials. In your guide you mentioned to use an administrative account, so I guess this must not be a standard user? How can I make 'adminvm' an administrative account?

Thanks

0 Kudos
Texiwill
Leadership

Hello,

Create an account on your ESX host not within vCenter. You can use the VIC connected to the ESX host to do this or useradd from the command line. That would be an account to which you can now do administration without having to compromise your root account settings on the host.


0 Kudos
zeppoliner
Contributor

Hi,

I used 'useradd -m .... passwd ...' on the SC on my ESX to create the account. Evidently this just lets me create a 'standard' user as it keeps asking me for root credentials. Any ideas?

Thanks

Btw we are using ESX 3.5 U3 (if that makes any difference)


0 Kudos
Texiwill
Leadership

Hello,

You transfer the files by hand to the adminuser on the ESX host, then using 'su' or sudo run the commands specified within http://www.astroarch.com/wiki/index.php/HPSIM_and_ESX

The problem is you need to first get the files there, then run the commands as root. You can only get the files there by default using a non-root account. You can not use HPSIM to do this.


0 Kudos
zeppoliner
Contributor

That worked. Thanks a lot!

0 Kudos