RonC1 Contributor.

HPOV 8 - Can't add new monitored nodes - (OpC40-2130)3) SSL certificate verification error

I'm not sure when this problem started. We haven't tried to add new monitored servers for a long time. Recently, after granting the cert request, the following problem occurs. It has happened on multiple attempts across different wintel nodes. The management server is running Solaris.


query ->opcragt servwd300

response:
Node servwd300.eicsprd: 

Cannot get status information from node servcwd300.eicsprd.  (OpC40-428)
Network communication problems occurred. (OpC40-427)
-------------------------------------------------------------------------------
CTRL - CommunicationException:
-------------------------------------------------------------------------------
(ctrl-21) Communication error when executing 'Status' method.
(OpC40-2130)3) SSL certificate verification error (The presented peer certificate has expired.).
Failed.

Running HPOV8 (A.08.35.020) 

ovcert -check seems to show everything ok and expiry on certs valid to 04/30/29 15:54:18 
OvCoreId set                       : OK
Private key installed              : OK
Certificate installed              : OK
Certificate valid                  : OK
Trusted certificates installed     : OK
Trusted certificates valid         : OK

Has anyone seen this and have a workaround or fix?

Thanks... Ron - ron.currie@cgi.com


Accepted Solutions
Micro Focus Expert

Re: HPOV 8 - Can't add new monitored nodes - (OpC40-2130)3) SSL certificate verification error

Hello Ron,

You are probably running into issue QCCR8D100844. 32-bit applications with older OpenSSL max out in January 2038 (the maximum time that can be represented as a 32-bit integer). OMU on HP-UX and Solaris is a 32-bit application, and thus newly created certificates with a validity of 20 years are invalid because the expiration time would be past that date.

If you by chance also have an OM Linux server, you can create certificates there (OM on Linux is 64 bit).

Another option would be to temporarily change the time back before 2018 to create certificates.

Finally, there is a hotfix available for QCCR8D100844 through Micro Focus Support.


Best regards,
Tobias
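
The arithmetic behind that answer, as an added example that is not part of the original post or of OM's code. It assumes a 20-year validity of 7300 days and models the failure as truncation to a signed 32-bit `time_t`; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* Expiry computed with enough bits: issue time plus validity period. */
int64_t not_after_64(int64_t issued, int64_t validity_days) {
    return issued + validity_days * SECS_PER_DAY;
}

/* Assumed failure model: the value is stored in a signed 32-bit time_t,
   so anything above INT32_MAX (2038-01-19 03:14:07 UTC) wraps negative. */
int32_t as_time32(int64_t t) {
    uint32_t low = (uint32_t)t;               /* keep the low 32 bits */
    if (low <= (uint32_t)INT32_MAX) return (int32_t)low;
    return (int32_t)((int64_t)low - 4294967296LL);
}

/* 1 if a verifier comparing 32-bit values would call the cert expired. */
int looks_expired_32(int64_t issued, int64_t validity_days, int64_t now) {
    return as_time32(not_after_64(issued, validity_days)) < as_time32(now);
}

/* Latest issue time whose expiry still fits in 32 bits. */
int64_t latest_safe_issue(int64_t validity_days) {
    return (int64_t)INT32_MAX - validity_days * SECS_PER_DAY;
}

int main(void) {
    const int64_t days = 7300;                /* assumption: 20 x 365 days */
    const int64_t issued_2009 = 1241452458LL; /* 2009-05-04 15:54:18 GMT, from the thread */
    const int64_t issued_2019 = 1546300800LL; /* 2019-01-01 00:00:00 UTC, constructed */
    const int64_t now = issued_2019;

    printf("2009 cert: not_after=%lld expired32=%d\n",
           (long long)not_after_64(issued_2009, days),
           looks_expired_32(issued_2009, days, now));
    printf("2019 cert: not_after=%lld as32=%d expired32=%d\n",
           (long long)not_after_64(issued_2019, days),
           (int)as_time32(not_after_64(issued_2019, days)),
           looks_expired_32(issued_2019, days, now));
    printf("latest safe issue time: %lld\n",
           (long long)latest_safe_issue(days));
    return 0;
}
```

With these assumptions the cut-off for issuing a certificate falls in January 2018, which is why an existing certificate valid to 2029 verifies while one granted later is reported as expired.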

5 Replies
Gediminas Daniu, Outstanding Contributor

Re: HPOV 8 - Can't add new monitored nodes - (OpC40-2130)3) SSL certificate verification error

Hi, Ron

I have seen a similar issue before. Please check the OM server and managed node system time. Is it current?

Also, please look at the certificates' validity timestamps. List the certificates with ovcert -list

and then run

ovcert -certinfo <certificate ID> | grep Valid

 

my 2 cents

Gedas

RonC1 Contributor.

Re: HPOV 8 - Can't add new monitored nodes - (OpC40-2130)3) SSL certificate verification error

Hi Gedas,

Thanks for the suggestions. The management server and managed nodes have been confirmed to have the correct date/time. The certs look like they are within the active timeframe, assuming 29 is being interpreted as 2029.

10:36:13>  ovcert -certinfo 44895e40-36cc-753a-18a8-d18be1ab709c | grep Valid
Valid from : 05/04/09 15:54:18 GMT
Valid to : 04/30/29 15:54:18 GMT
10:37:38> ovcert -certinfo CA_44895e40-36cc-753a-18a8-d18be1ab709c | grep Valid
Valid from : 04/30/09 18:44:42 GMT
Valid to : 04/26/29 18:44:42 GMT

I don't know if there is some special meaning to the (*) at the end of the certs

Keystore Content
Certificates:
44895e40-36cc-753a-18a8-d18be1ab709c (*)
Trusted Certificates:
CA_44895e40-36cc-753a-18a8-d18be1ab709c

Keystore Content (OVRG: server)
Certificates:
44895e40-36cc-753a-18a8-d18be1ab709c (*)
Trusted Certificates:
CA_44895e40-36cc-753a-18a8-d18be1ab709c (*)


...Ron

RonC1 Contributor.

Re: HPOV 8 - Can't add new monitored nodes - (OpC40-2130)3) SSL certificate verification error

One further observation. We used to sudo - root and do everything as root. Some time ago, this access was removed, so now every command has to be done through sudo.

e.g. 

sudo opccsa -map_node acwtc301.acdi=acwtc301.acdi
sudo opccsa -grant acwtc301.acdi

Could this possibly be getting in the way?

RonC1 Contributor.

Re: HPOV 8 - Can't add new monitored nodes - (OpC40-2130)3) SSL certificate verification error

Thanks Tobias,

Based on the supporting evidence that the key file is indeed 32 bits, I think you're correct about the problem. We'll see if we can obtain the hotfix.

file libOvSecCm.so
libOvSecCm.so: ELF 32-bit MSB dynamic lib SPARC32PLUS Version 1, V8+ Required, dynamically linked, not stripped

 

We'll see if we can obtain the hotfix. 

...Ron
