12 Replies Latest reply on May 24, 2012 10:18 AM by Vinnie Lima

    UCS Manager on BBSA Application server or DB server

    Iain Taylor

      Does anyone know if you can use the BBSA Application server or the BBSA Database server to be the UCS Manager? I appreciate it is not best practice and I have advised against it, but the customer that I am on site with does not have an existing server that they are willing to use and wants to know if it is possible before provisioning another server.

       

      The BMC BladeLogic UCS Manager server must be running one of the following

      operating systems:

      —Windows Server 2003 Standard Edition (x86/x64)

      —Windows Server 2008 Standard Edition (x86/x64)

       

      Can Windows Server 2008 Enterprise Edition (x86/x64) be used?

        • 2. UCS Manager on BBSA Application server or DB server
          Iain Taylor

          Thank you Bill, I have added that now, but now I am getting another error in the RSCD log when I try to add a UCS Instance.

           

           

          Error in VirtualizationCommonPluginImpl::Invalid CACert or CACert is not present at 'D:/BMC_Software/Bladelogic/8.1/RSCD/UCS/Certificate/MFUCSDOM01.crt'

           

          I have only just found out that they are using https, so what I did was export the certificate for each server into the /RSCD/UCS/Certificate folder and name them by hostname.

           

          The only thing that I can see is that if I browse to the UCS Managers by webpage it comes up with a certificate error.

           

          "Certificate Invalid"

           

          The security certificate presented by this website has errors

           

          this problem might indicate an attempt to fool you or intercept any data you send to the server.

           

          But once I click continue to this website I can get onto the UCS Managers without any issues.

          • 3. Re: UCS Manager on BBSA Application server or DB server
            Bill Robinson

            If the cert is self signed or the cert store doesn’t have the CA cert for whatever generated this cert, you’ll get that message.

            • 4. UCS Manager on BBSA Application server or DB server

              Hi Bill,

              Are you saying that if you are using a self signed certificate this will not work and I will not be able to add a UCS manager into the BBSA console?

               

              We're doing this in a test environment before we go into Live; the error I'm getting is below:

               

              Invalid CACert or CACert is not present at 'C: \Program Files\BMC Software\Bladelogic\8.1\RSCD\UCS\Certificate\0.0.0.0.crt' : on host *hostname*

               

              Cheers Ben

                 

              • 5. Re: UCS Manager on BBSA Application server or DB server
                Vinnie Lima

                I am having the same issue with BSA 8.1 SP2.  I noticed that the SSL certificate that comes out of the box with UCS Manager 2.1 (1w) expired in 2011.

                 

                So I went ahead and disabled the HTTP to HTTPS redirection. I am now having a different issue:

                 

                05/22/12 15:24:15.612 ERROR    rscd -  192.168.22.143 6020 BladeLogicRSCD@<BSA APP SERVER>->Administrator@<BSA APP SERVER>:PrivilegeMapped (BLAdmins:BLAdmin): CM: Error returned from plug-in ; Plug-in: /CaliforniaManager_win64 ; Plug-in function: blAsset_PerformAction ; Plug-in asset: CaliforniaManager:<bsa app server>:CaliforniaManager ; Plug-in error code: 100 ; Plug-in error message: Error code : 551 : Failed to obtain cookie, Authentication failed

                 

                 

                I am sure that the user and password defined in the VIRTUALIZATION object for the <BSA APP SERVER>'s attributes "CONNECTION_USER" and "CONNECTION_PASSWORD" are valid (attempted re-entering them various times, double checking that I can access UCS Manager).

                 

                Any suggestion why or how to log the connection?

                • 6. Re: UCS Manager on BBSA Application server or DB server
                  Bill Robinson

                  I had to re-generate the cert on the ucs device and then I was able to get the commands in the doc about saving the cert to work.

                  • 7. Re: UCS Manager on BBSA Application server or DB server
                    Bill Robinson

                    Also – the CO version on the UCS ‘manager’ system matches what you have on the appserver?

                    • 8. Re: UCS Manager on BBSA Application server or DB server
                      Vinnie Lima

                      CO version 81020262.

                       

                      Where do I see the CO version of UCS manager?  All I can find is 2.0 (1w).

                      • 9. Re: UCS Manager on BBSA Application server or DB server
                        Vinnie Lima

                        I read about that in confluence about regenerating the  Cert, but going into the UCS6120 console this translates to generating a new "Key Ring"?  I could not find the option to re-generate the existing, default, Keyring.

                        • 10. Re: UCS Manager on BBSA Application server or DB server
                          Bill Robinson

                          UCS and SSL

                          Renewing the SSL Certificate

                          The simplest way to renew the ssl certificate for UCS systems is to regenerate the default ssl certificate

                          1. Login into UCS system
                          2. Scope security
                          3. Scope keyring default
                          4. Set regenerate yes
                          5. Commit-buffer
                          6. Show detail - to view the certificate details.
                          If your UCS system is on firmware 1.3 or you don't want to use the default certificate then you need to do the following
                          1. Create a trustpoint
                          2. Create a new keyring
                          3. Create a new cert req for keyring
                          4. Set trustpoint for keyring
                          5. Set cert for keyring
                          6. Set https keyring
                          7. Commit-buffer at each stage

                          How to setup a trustpoint for UCS

                          Follow the steps in UCS CLI guide for it. As of UCS version 1.3 it is
                          1. Login into UCS system
                          2. Scope security
                          3. Create trustpoint <name>
                          4. Commit-buffer
                          5. Scope trustpoint <name>
                          6. Show detail - to view details

                          Example

                            Trustpoint CA:

                              Trustpoint Name: tucs
                              Trustpoint certificate chain:

                          We now need to create a root certificate for this trustpoint. Use openssl available on a linux system to generate it

                          This link provides the details. http://www.debian-administration.org/articles/284

                          # mkdir CA
                          # cd CA
                          # mkdir newcerts private
                          # echo '01' >serial
                          # touch index.txt
                          # (IMPORTANT: Install and edit the configuration file shown below.)
                          # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
                              -out cacert.pem -days 365 -config ./openssl.cnf

                          Alternatively you can refer to ucs_ca.zip for the certificate and private key (cacert.pem and private/cakey.pem)

                          1. enter scope of trustpoint
                          2. set certchain
                          3. paste the certificate details
                          4. add ENDOFBUF
                          5. commit-buffer
                          The trustpoint is ready - show detail - should look like

                          nimbus4-A /security/trustpoint # show detail

                          Trustpoint CA:
                              Trustpoint Name: tucs
                              Trustpoint certificate chain:


                          How to generate keyring

                          scope security
                          create keyring <name>
                          commit-buffer
                          scope keyring <name>
                          set trustpoint <name>
                          commit-buffer
                          create certreq
                          commit-buffer
                          show certreq

                          --paste the contents to a file (say server.csr)

                          Do the following steps (on the linux system with openssl and openssl.cnf configured)

                          openssl ca -out server.pem -config ./openssl.cnf -infiles server.csr

                          This should sign your certificate

                          set cert
                          paste the contents of server.pem
                          commit-buffer

                          Troubleshooting

                          Refer to following link for info on error messages: http://www.openssl.org/docs/apps/verify.html
                          curl - which is used by the agent for making https requests: http://curl.haxx.se/docs/sslcerts.html

                          <usage>
                          curl --cacert curl-ca-bundle.crt -d "<aaaLogin inName='admin' inPassword='Qwer4321' />" https://10.20.38.19/nuova

                          • The issuer certificate needs to be appended into curl-ca-bundle.crt (you need to download this file from the url specified)
                          • The issuer certificate is the same one as the trust authority (cacert.pem in zip) - ucs_ca.zip

                          How to renew the SSL certificate for a UCS certificate

                          The simplest way to renew the ssl certificate for UCS systems is to regenerate the default ssl certificate
                          1. Login into UCS system
                          2. scope security
                          3. scope keyring default
                          4. set regenerate yes
                          5. commit-buffer
                          6. show detail - to view the certificate details.
                          If your UCS system is on firmware 1.3 or you don't want to use the default certificate then you need to do the following

                          • Create a trustpoint
                          • Create a new keyring
                          • Create a new cert req for keyring
                          • Set trustpoint for keyring
                          • Set cert for keyring
                          • Set https keyring
                          • Commit-buffer at each stage
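Added example (not part of the post above or of BMC's documentation): the curl check as a small Python probe that separates the two failures seen in this thread, a server certificate the CA file does not vouch for and a login rejected with error 551. The `aaaLogin` request and the `/nuova` path are the ones in the curl line; the function names and sample replies are constructed, and the `outCookie`, `errorCode`, `errorDescr` and `aaaLogout` names are taken from Cisco's UCS XML API rather than from this page.

```python
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

def classify(body):
    """Map an aaaLogin reply to (status, detail, cookie); cookie is None unless login worked."""
    root = ET.fromstring(body)
    if root.get("errorCode"):  # e.g. 551 "Authentication failed"
        return "auth-failed", f"{root.get('errorCode')}: {root.get('errorDescr', '')}", None
    if root.get("outCookie"):
        return "ok", "session cookie issued", root.get("outCookie")
    return "unexpected", f"<{root.tag}> reply without cookie or error", None

def _post(url, xml, ctx, timeout):
    req = urllib.request.Request(url, data=xml.encode("utf-8"))
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()

def probe(host, user, password, ca_file, timeout=10):
    """Log in over HTTPS trusting only ca_file; return (status, detail)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store is not loaded
    url = f"https://{host}/nuova"
    login = f"<aaaLogin inName={quoteattr(user)} inPassword={quoteattr(password)} />"
    try:
        status, detail, cookie = classify(_post(url, login, ctx, timeout))
        if cookie:  # release the session this probe opened
            _post(url, f"<aaaLogout inCookie={quoteattr(cookie)} />", ctx, timeout)
        return status, detail
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "tls-untrusted", exc.reason.verify_message
        return "transport-error", str(exc.reason)

# Constructed sample replies (attribute names follow the UCS XML API; values are made up).
SAMPLE_OK = '<aaaLogin cookie="" response="yes" outCookie="constructed-cookie" outRefreshPeriod="600" />'
SAMPLE_551 = ('<aaaLogin cookie="" response="yes" errorCode="551" '
              'invocationResult="unidentified-fail" errorDescr="Authentication failed" />')

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_551):
        print(classify(sample)[:2])
```

Python also matches the host name against the certificate's subjectAltName, so a certificate that names the host only in its CN is reported as `tls-untrusted` even when the CA file is correct.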
                          • 11. UCS Manager on BBSA Application server or DB server

                            I've had the UCS manager regenerate a valid certificate, which has been placed in 'C: \Program Files\BMC Software\Bladelogic\8.1\RSCD\UCS\Certificate\'.

                            One thing I did notice was the default certificate export still produced the same error, but when I used Base-64 encoded x.509 (cer) format it worked. Is this expected behaviour?

                            The error is now resolved anyway; however, I then received a new error, 'Verify that UCS port value is correct according to SSL configuration'. This was because I was using the default port 80; I changed this to 443 (which port 80 should be translated to anyway by UCS) and it works. I've been able to add the UCS into BBSA and can live browse. Provisioning next!?!?

                             

                            thanks for the help

                             

                            cheers Ben
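Added example (not from any poster or from BMC): a pre-flight check for a certificate file before it is placed in the RSCD/UCS/Certificate folder, covering the two problems reported in this thread, an expired certificate and an export that was not Base-64 encoded. It assumes the "default certificate export" mentioned above was the binary DER form; the function names and the sample bytes are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone
HEAD, FOOT = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first

def to_der(data):
    """Return (der_bytes, encoding) for the raw bytes of a certificate file."""
    text = data.decode("latin-1")
    if HEAD in text:  # Base-64 (PEM) export; keep only the first certificate
        start = text.index(HEAD)
        return ssl.PEM_cert_to_DER_cert(text[start:text.index(FOOT, start) + len(FOOT)]), "PEM"
    if data[:1] == b"\x30":  # binary DER export begins with a SEQUENCE tag
        return data, "DER"
    raise ValueError("not an X.509 certificate in PEM or DER form")

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = _tlv(der, 0)        # Certificate
    _, pos, _ = _tlv(der, pos)      # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version field
        pos = end
    for _field in range(3):         # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)      # validity
    _, _, pos = _tlv(der, pos)      # skip notBefore
    tag, start, end = _tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def preflight(data, now=None):
    """Report encoding and expiry, plus the PEM text to save as <hostname>.crt."""
    der, encoding = to_der(data)
    expires, now = not_after(der), now or datetime.now(timezone.utc)
    return {"encoding": encoding, "not_after": expires,
            "expired": expires <= now, "pem": ssl.DER_cert_to_PEM_cert(der)}

_T = lambda tag, body: bytes([tag, len(body)]) + body  # tiny DER encoder for the sample only
# Constructed sample: certificate-shaped DER skeleton (no key, no signature), notAfter end of 2011.
_VALID = _T(0x30, _T(0x17, b"100101000000Z") + _T(0x17, b"111231235959Z"))
_TBS = _T(0xA0, _T(0x02, b"\x02")) + _T(0x02, b"\x01") + _T(0x30, b"") * 2 + _VALID
SAMPLE_DER = _T(0x30, _T(0x30, _TBS))
```

Call `preflight(open(path, "rb").read())` on the exported file; a result with `encoding` of `DER` means the `pem` value, not the original file, is what should be saved under the host name.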

                            • 12. Re: UCS Manager on BBSA Application server or DB server
                              Vinnie Lima

                              Ok figured this out.  The UCS White Paper I was using for BBSA 8.1 is incorrect and out of date. 

                               

                              The correct documentation to follow for 8.1 SP2 is: 

                               

                              https://docs.bmc.com/docs/display/NP/BladeLogic+Server+Automation+Unified+Computing+System+Installation#BladeLogicServerAutomationUnifiedComputingSystemInstallation

                               

                               

                              Meaning, you don't configure the CONNECTION_USER and CONNECTION_PASSWORD attributes for the VIRTUALIZATION extended object.  You create a new object within the VIRTUAL_ENTITY_CONNECTION attribute:

                               

                              To set BMC Server Automation UCS Manager server properties

                              1 From the BMC Server Automation Console, select the BMC Server Automation UCS Manager server from the Servers workspace.
                              2 On the Properties tab, locate the VIRTUALIZATION* extended server property.
                              3 Click the button to configure the property.
                              4 On the Select value for complex type panel, click the New property set instance button to create a new instance of the property.
                                The New Instance of Virtualization panel displays.
                              5 On the General panel, enter UCS in the Name field and optionally provide a description.
                              6 Select the VIRTUAL_ENTITY_CONNECTION property.
                              7 Click the Select a value button in the Value column.
                              8 On the Choose Property Class Instance panel, click the edit icon in the upper right corner.
                              9 On the New Instance of Connection (General) panel, provide a valid name and description to the property set instance. For example, UCS Connection.
                              10 Set the following properties for the newly added instance:

                                 Property               Value
                                 CONNECTION_USER        The username to access each UCS system.
                                 CONNECTION_PASSWORD    The password to access each UCS system.

                              11 Click Next to display the New Instance of Connection (Permissions) panel.
                              12 Select any additional permissions required for the instance and click Finish.

                               

                               

                              Once I got that sorted out, connected to UCS manager fine.