Hi Fellows,
I am trying to import/register ESX hosts inside HP SIM 8.0.
I have the VMM Agent installed, and I have followed a wiki from astroarch:
Identifying ESX Servers
It is best that the HP Proliant Essentials tools for VMware be installed for your specific hardware, as of this writing v7.9.1 is required for VI3.5. This includes the system management home page which gives a single pane of glass for the view of the hardware for the ESX server. This is sometimes critical, but how do you get it to work?
1. Install the tools per normal
You will want to make sure that the HPSIM server and any other server can access the System Management Homepage as necessary.
2. Enable port 2301 incoming (this is a temporary change)
esxcfg-firewall -o 2301,tcp,in,HPSIM
3. Identify the ESX Server within HPSIM (Options -> Identify Systems...)
4. Disable port 2301 incoming
esxcfg-firewall -c 2301,tcp,in
Now HPSIM will see your System Management Homepage and declare one does not exist. You do not want port 2301 to be open past this stage as it is an insecure connection to your server data but for the brief time it is open, you should be fine.
Installing the Virtual Machine Management Pack Agents
In a normal install of VI3, there is no SSH access to root, this implies that anything HPSIM does via SSH, will not work with ESX unless you enable this access. Enabling this access will degrade your ESX security stance. Instead you should have an administrative account on the ESX server that is a jump point for running the necessary commands.
1. Transfer from the HPSIM server the following files to your administrative account:
C:\Program Files\HP\Virtual Machine Management Pack\Agents\Linux\hpvmmagent.tar
C:\Program Files\HP\Virtual Machine Management Pack\lib\cms.cer
C:\Program Files\HP\Virtual Machine Management Pack\bin\importcert.sh
2. Now as your administrative user on the service console:
1. tar -xf hpvmmagent.tar
2. chmod +x hpvmmagent.sh
3. sudo ./hpvmmagent.sh
4. sudo cp cms.cer /root
5. sudo ./importcert.sh
3. Back in HPSIM you can then register the ESX server using Configure->Virtual Machine Host Registration->Register VM Host->Linux Host... Note that some parts of this will fail, but you have already done them from the SC in a secure manner.
Now when i run the import i receive an error:
Running tool Enable Secure Communication with Linux Host with job id 678.
Task Name :defRunNowTaskId_1213365793153_31
Job ID :678
Tool Name :Enable Secure Communication with Linux Host
Job State :Complete
User Name :AU\atc
Execute As User :Administrator
Start Time :Friday, June 13, 2008 4:03:13 PM CEST
End Time :Friday, June 13, 2008 4:03:21 PM CEST
Elapsed Time :8 seconds 641 milliseconds
Node :amsterdam-sm08.eu.corp.com
Status :Complete
Exit Code :0
STDOUT :
Enable Secure Communication with Linux Host amsterdam-vm02.eu.corp.com
Preparing the Agent keystore on the CMS
createServerCert()
Host = amsterdam-vm02.eu.corp.com
createServerCert()
Done - securing keystore
updateCertExpDate
loadKeyStore
updateCertExpDate
Exiting createServerCert()
updateCertExpDate
loadKeyStore
updateCertExpDate
Running tool Copy KeyStore From CMS to Linux Host with job id 679.
Task Name :defRunNowTaskId_1213365796199_32
Job ID :679
Tool Name :Copy KeyStore From CMS to Linux Host
Job State :Failed
User Name :AU\atc
Execute As User :root
Start Time :Friday, June 13, 2008 4:03:16 PM CEST
End Time :Friday, June 13, 2008 4:03:16 PM CEST
Elapsed Time : 141 milliseconds
Node :amsterdam-vm02.eu.corp.com
Status :Failed
Exit Code :-1
Files copied :0/1
Source :amsterdam-sm08.eu.corp.com:C:\Program Files\HP\Virtual Machine Management Pack\lib\amsterdam-vm02.eu.corp.com_vmmagent.ks
Destination :amsterdam-vm02.eu.corp.com:./vmmagent.ks
STDOUT :
<No output>
STDERR :
SSH public key authentication failed.
Target system amsterdam-vm02.eu.corp.com might not be configured.
Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.
EXCEPTION CLASS :
com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException
EXCEPTION :
SSH public key authentication failed.Target system amsterdam-vm02.eu.corp.com might not be configured.Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.
Running tool Copy TrustStore From CMS to Linux Host with job id 680.
Task Name :defRunNowTaskId_1213365798184_33
Job ID :680
Tool Name :Copy TrustStore From CMS to Linux Host
Job State :Failed
User Name :AU\atc
Execute As User :root
Start Time :Friday, June 13, 2008 4:03:18 PM CEST
End Time :Friday, June 13, 2008 4:03:18 PM CEST
Elapsed Time : 141 milliseconds
Node :amsterdam-vm02.eu.corp.com
Status :Failed
Exit Code :-1
Files copied :0/1
Source :amsterdam-sm08.eu.corp.com:C:\Program Files\HP\Virtual Machine Management Pack\lib\amsterdam-vm02.eu.corp.com_vmtoolstrust.ks
Destination :amsterdam-vm02.eu.corp.com:./vmtoolstrust.ks
STDOUT :
<No output>
STDERR :
SSH public key authentication failed.
Target system amsterdam-vm02.eu.corp.com might not be configured.
Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.
EXCEPTION CLASS :
com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException
EXCEPTION :
SSH public key authentication failed.Target system amsterdam-vm02.eu.corp.com might not be configured.Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.
Running tool Copy Keystore Files Linux with job id 681.
Task Name :defRunNowTaskId_1213365800184_34
Job ID :681
Tool Name :Copy Keystore Files Linux
Job State :Failed
User Name :AU\atc
Execute As User :root
Start Time :Friday, June 13, 2008 4:03:20 PM CEST
End Time :Friday, June 13, 2008 4:03:20 PM CEST
Elapsed Time : 125 milliseconds
Node :amsterdam-vm02.eu.corp.com
Status :Failed
Exit Code :-1
Files copied :0/1
Source :amsterdam-sm08.eu.corp.com:C:\Program Files\HP\Virtual Machine Management Pack\bin\importcert.sh
Destination :amsterdam-vm02.eu.corp.com:./importcert.sh
STDOUT :
<No output>
STDERR :
SSH public key authentication failed.
Target system amsterdam-vm02.eu.corp.com might not be configured.
Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.
EXCEPTION CLASS :
com.hp.mx.dtf.sshClient.MxSshAuthenticationFailedException
EXCEPTION :
SSH public key authentication failed.Target system amsterdam-vm02.eu.corp.com might not be configured.Please run mxagentconfig -a from command line window or Configure->Configure or Repair Agents from graphical user interface to configure the target system.
STDERR :
Loaded library disp
Any ideas what is going wrong? OpenSSH is installed on the SIM server and configured as: The central management server will accept an SSH connection with any host key, even if not in the list below.
Thanks in advance.
Hello,
Review my write up on HPSIM AND ESX. It should get things working for you.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
> Hi Fellows,
> I try to import/register ESX hosts inside HP SIM 8.0
Just curious, isn't the latest release of HP SIM only version 5.2 Update 1?
Gene
Ed,
I did follow your wiki in the first place but still the error message shows an error with ssh keys.
PS: HP SIM version 8 is for the client; SIM is indeed version 5.2 U1.
I fixed it, as the error message was quite explicit.
I went to configure --> repair agent and then chose to repair only the SSH settings; now the host registers successfully.
Hello,
Interesting as I never had to do that. Could you post any differences between the steps you took and listed on the Wiki article I referenced?
Also, just so you know the HP Management Agents are called HPASM. HPSIM is the name of the server.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
Texiwill,
Thanks for the "HPSIM and ESX" guide. The "Identifying ESX Server" section is what solved my problem which was (after 8.0a install) SMH access from the "Health Status" link in Insight Manager broke. Access over always worked fine.
I'm curious about your concerns over 2301.
Is there something specific about that port that is inherently insecure, or are you just very security conscious?
Also, on HP's forum (a link to your guide is posted in a thread there as well), someone was concerned about a re-identification automated process failing now that we have closed the port. Can you comment on that?
@ Texiwill: thanks for your great how-to. I followed your guide but can't get it to work.
We are running HP SIM 5.3 which is installed on a Win 2k3 Server. I added a new user (adminvm) to my ESX server which I used when following your guide.
Here's what I did. I copied those files from our SIM server to a flash stick. Logged on to the ESX server and mounted the stick. Finished step 1 & 2 but when I got to step # 3 (sudo hpvmmagent.sh) I was prompted for a password and then received a 'Broken pipe' error.
Do I have to add 'adminvm' to a certain group (maybe root-group) before I run those commands? What am I missing?
Hello,
> I'm curious about your concerns over 2301.
> Is there something specific about that port that is inherently insecure, or are you just very security conscious?
It is not SSL protected; yes, just security conscious.
> Also, on HP's forum (a link to your guide is posted in a thread there as well), someone was concerned about a re-identification automated process failing now that we have closed the port. Can you comment on that?
Never had that problem; once you set it up the first time it does everything fine.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
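As an added example (not part of the guide or of any post in this thread), one way to make sure the temporary opening of port 2301 from the quoted guide is always reverted, even if the session is interrupted. The `esxcfg-firewall` arguments are the ones quoted in the first post; the `FW_CMD` override, the function names and the `sleep`-based time window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep the unencrypted SMH port 2301 open only for a bounded window.
# FW_CMD is an assumption made so the logic can be tried without an ESX host;
# on the service console it defaults to the esxcfg-firewall command from the guide.
FW_CMD="${FW_CMD:-esxcfg-firewall}"
PORT_SPEC="2301,tcp,in"

close_port() {
    "$FW_CMD" -c "$PORT_SPEC"
}

# with_port_2301 CMD [ARGS...]
# Opens 2301 inbound, runs CMD, closes the port again however CMD ends,
# and returns CMD's exit status.
with_port_2301() {
    if [ $# -eq 0 ]; then
        echo "usage: with_port_2301 CMD [ARGS...]" >&2
        return 2
    fi
    (
        trap 'close_port' EXIT          # runs on normal exit and after a signal
        trap 'exit 130' INT TERM HUP    # Ctrl-C or a dropped session still closes
        "$FW_CMD" -o "$PORT_SPEC,HPSIM" || exit 1
        "$@"
        rc=$?
        exit "$rc"
    )
}

# Stand-alone use: sh hpsim-window.sh 300
# keeps the port open for at most 300 seconds while HP SIM identifies the host.
if [ $# -gt 0 ]; then
    with_port_2301 sleep "$1"
fi
```

Run the identification step in HP SIM while the script is waiting; the port is closed when the timer expires or the script is interrupted, whichever comes first.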
Hello,
> Here's what I did. I copied those files from our SIM server to a flash stick. Logged on to the ESX server and mounted the stick. Finished step 1 & 2 but when I got to step # 3 (sudo hpvmmagent.sh) I was prompted for a password and then received a 'Broken pipe' error.
You need to use the password of the adminvm account. Then there should not be any issues going forward.
I have not tried the latest agents but plan on doing that very shortly.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
Hum...guess I have to add 'adminvm' to a certain group on my ESX right? So far it's a read-only account and I can't even do step # 1 without entering su credentials. In your guide you mentioned to use an administrative account, so I guess this must not be a standard user? How can I make 'adminvm' an administrative account?
Thanks
Hello,
Create an account on your ESX host not within vCenter. You can use the VIC connected to the ESX host to do this or useradd from the command line. That would be an account to which you can now do administration without having to compromise your root account settings on the host.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
Hi,
I used 'useradd -m .... passwd ...' on the SC on my ESX to create the account. Evidently this just lets me create a 'standard' user as it keeps asking me for root credentials. Any ideas?
Thanks
Btw we are using ESX 3.5 U3 (if that makes any difference)
Message was edited by: zeppoliner
Hello,
You transfer by hand the files to the adminuser on the ESX host then using 'su' or sudo run the commands specified within http://www.astroarch.com/wiki/index.php/HPSIM_and_ESX
The problem is you need to first get the files there, then run the commands as root. You can only get the files there by default using a non-root account. You can not use HPSIM to do this.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
That worked. Thanks a lot!