Select from the following information:
Accessing HP Insight Management Agents from a Browser for Linux
Accessing HP Insight Management Agents from a Browser for Other Operating Systems
Management HTTP Server First-Time Initialization on Linux Operating Systems
Logging in to Servers Running Linux Operating Systems
Device Home Page on Linux Operating Systems
Options Page for Linux Operating Systems
Configuring Options for Linux Operating Systems
Customer Generated Certificates
How to Replicate Passwords and Configuration Data across Multiple Devices
Viewing Subsystem and Status Information
The HP Insight Management Agents for Servers allow you to view subsystem and status information from a Web browser, either locally or remotely.
To view data locally on Linux operating systems, use the URL:
http://127.0.0.1:2381/
or
http://localhost:2381/
To view data remotely on Linux operating systems, use the URL:
http://machine:2381/
where the machine is the IP address or the computer name under DNS.
Note: Notice that the URL is followed by :2381. This is the port or socket number that the HP Insight Management Agents use to communicate with the browser. If this number is not specified, your browser might attempt to connect to another Web page if the managed server is running a Web server.
After you enter the URL, there will be a certificate challenge (see the section on Management HTTP Server First-Time Initialization) followed by a login page (see the section on Logging In for servers running Linux operating systems).
To view data locally on operating systems other than those from Linux, use the URL:
http://127.0.0.1:2301/
or
http://localhost:2301/
To view data remotely on operating systems other than those from Linux use the URL:
http://machine:2301/
Where machine is the IP address or the computer name under DNS.
NOTE: Notice that the URL is followed by :2301. This is the port or socket number that the HP Insight Management Agents use to communicate with the browser. If this number is not specified, your browser might attempt to connect to another Web page if the managed server is running a Web Server.
After you enter the URL, the Device Home Page displays for servers running operating systems other than Linux. See Device Home Page.
For a Linux operating system product that has been installed and configured on a Management HTTP Server, the following occurs the first time the HTTP Server is run.
Upon initialization, the HTTP Server will create a private key and a corresponding self signed X.509 Certificate.
NOTE: This does not occur every time that the HTTP Server is started, just the first time that it ever runs.
This certificate is a base64 encoded PEM file. The certificate is stored on the file system as:
/var/spool/compaq/wbem/cert.pem.
The /var/spool/compaq/wbem subdirectory also contains the private key and in order to protect the key, this subdirectory will only be accessible to administrators if the file system allows it. For private key security reasons, it is highly recommended that the Management HTTP Server be run on NTFS systems.
NOTE: For Linux, the /var/spool/compaq/wbem directory must exist in order for this to occur.
If for any future reason, it is felt that the private key has been compromised and a new private key and certificate should be generated, an administrator can delete the /var/spool/compaq/wbem/cert.pem file and then restart the server. This will cause the Management HTTP server to generate a new certificate and private key.
The Login page allows you to access any of the available web agents. You can access the desired agent by following these steps.
1. Navigate to https://devicename:2381. The first time you navigate to this link, the Security Alert dialog box will display as shown in Figure 1-1 asking you to indicate if you trust the server or not.
NOTE: The Security Alert dialog box shown below is specific to Internet Explorer, however Netscape 4.0 and later is supported as well.
NOTE: You are not required to accept certificates in order to login, however no other servers will be trusted.
NOTE: If you want to implement your own PKI or install your own generated certificates into each managed device, you can install a Certificate Authority Root Certificate into each browser to be used for management. If this is implemented, the Security Alert dialog box displayed below will never be displayed. You can refer to the online help in your browser for more information about installing the Certificate Authority Root Certificate.
2. Click the Yes button. The Login page will display.
3. Select the appropriate account from the User drop-down list. The choices include administrator, operator, or user.
4. Enter the correct password in the Password field.
5. Click the OK button. The Device Home page will display.
NOTE: In reference to the Version Control Repository Manager, the Anonymous login, if enabled, and the User login both allow you to access all pages, but you cannot configure a repository, delete/copy/create Support Paqs, install components, or clear the log. The Anonymous login is disabled by default.
The Device Home Page is the first page displayed when you access the device at port 2381 or 2301 after logging in. This page displays available Web-enabled services. Anonymous access to information is available without logging in when the Device Home Page is launched for the first time. To log in as a different user, select the user name link (which will be Administrator, Operator, User, or Anonymous). The login screen displays. See the Security section below for more information about user accounts.
The following options are available on the Device Home Page:
HP Insight Management Agents - Select this link to view Subsystem and Status Information about a device that is running HP Insight Management Agents.
The Survey Utility - Select this link to view Configuration Audit reports for a device that is running the Survey Utility. Refer to the Survey Utility User Guide for more information.
Refresh - Select this link to reload the Device Home Page.
Options - Select this link to set attributes for the device.
Logout - Select this link to log out from the Device Home Page.
Credits - This link displays information regarding licensing and credit information.
Troubleshooting Tips - This link displays information about known issues that the user may encounter and tips to solve them.
HP on the Internet - Select this link to view web-based support links.
The HP Insight Management Device Home page permits you to:
Configure options relating to all HP Insight Agents.
Access the available web agents, to include the Version Control Agent and Version Control Repository Manager if installed.
Refresh the device information displayed on the Device Home page.
Display the Device Home page with its list of related servers along with the following information:
Adapter Address
Logout of the Web-Based Management device.
Change Login account
Access HP on the Internet
Consult the Troubleshooting Tips
The Options page allows you to change various HP Insight Management settings. The Options page is accessed from the Management Device Home page by clicking the Options hyperlink. The Page Sections divides the available options into three groups as shown in the Figure below:
Configuration Options
Trusted Certificates
Customer Generated Certificates
The Configuring Options section allows you to select the appropriate settings to include:
Anonymous Access - Anonymous Access is disabled by default. Enabling Anonymous Access allows a user to access HP Insight Agents without logging in.
To enable Anonymous Access:
Select the Anonymous Access checkbox on the Configuration Options page.
Click the Save Configuration button in the Configuration Options section to save your settings. The Configuration Options page will refresh.
Local Access - Set up the Management HTTP Server to automatically configure local IP addresses as part of the selected group. This means that any user with access to the local console will be granted full access if Administrator is selected, or access limited to unsecured pages if Anonymous is selected, without being challenged for a user name and password.
Auto Delete Users - Select the checkbox to automatically delete user directories that have not been accessed for a given time frame. This allows you to retain information on active users, and delete old information on inactive users.
To set the Auto Delete Users:
a. Select the Auto Delete Users checkbox.
b. Specify the number of days you want to keep information before deleting cached data for an unused login in the field provided.
NOTE: The cached data referred to in step b is not needed and will re-generate automatically if it is ever needed in the future.
c. Click the Save Configuration button in the Configuration Options section to save your settings. You can click on the Default Configuration button to return all options back to their original settings.
Logging - Logging allows you to specify the types of log entries you want to record, and whether or not you want to write to the log at all.
To set the Logging options:
Select the Logging checkbox to record information in the log file.
Select the types of logs to be recorded.
Click the Save Configuration button in the Configuration Options section to save your settings.
IP Restricted Logins - The HTTP Server can restrict login access based on the IP address of the machine from which the login is attempted. These restrictions apply only to direct login attempts and not to logins attempted as part of a trusted Insight Manager 7 server's Single Login or Secure Task Execution features.
IP addresses can be explicitly excluded or explicitly included for each type of user. If an IP address is explicitly excluded it will be excluded even if it is also explicitly included. If there are any IP addresses in the inclusion list, then only those IP addresses will be allowed login access. If there are no IP addresses in the inclusion list, then login access will be allowed to any IP addresses not in the exclusion list.
IP address ranges should be listed with the lower end of the range followed by a hyphen followed by the upper end of the range. All ranges are inclusive in that the upper and lower bounds are considered part of the range. IP address ranges and single addresses are separated by semi-colons.
IP address ranges should be entered in the following format:
122.23.44.1-122.23.44.255;172.84.100.35;127.0.0.0-127.0.0.255
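The inclusion and exclusion rules above can be checked before they are entered on the Options page. The following is an added example, not HP's code: the function names are hypothetical, it handles IPv4 only, and how the Management HTTP Server itself treats malformed entries is not stated on this page.

```python
import ipaddress


def parse_ip_list(spec):
    """Parse a list such as '122.23.44.1-122.23.44.255;172.84.100.35'.

    Returns a list of (low, high) IPv4Address pairs. A single address is
    stored as a range whose two bounds are equal.
    """
    ranges = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate an empty list or a trailing semi-colon
        low_text, sep, high_text = item.partition("-")
        low = ipaddress.IPv4Address(low_text.strip())
        high = ipaddress.IPv4Address(high_text.strip()) if sep else low
        if low > high:
            raise ValueError(f"lower bound exceeds upper bound: {item!r}")
        ranges.append((low, high))
    return ranges


def _contains(ranges, addr):
    # Ranges are inclusive: both bounds are part of the range.
    return any(low <= addr <= high for low, high in ranges)


def login_allowed(client_ip, include_spec="", exclude_spec=""):
    """Apply the documented precedence for one user type.

    1. An excluded address is refused even if it is also included.
    2. If the inclusion list is non-empty, only listed addresses pass.
    3. If the inclusion list is empty, every non-excluded address passes.
    """
    addr = ipaddress.IPv4Address(client_ip)
    if _contains(parse_ip_list(exclude_spec), addr):
        return False
    included = parse_ip_list(include_spec)
    if included:
        return _contains(included, addr)
    return True


if __name__ == "__main__":
    # The inclusion list is the format example from this page; the exclusion
    # entry and the client addresses are constructed for the demonstration.
    include = "122.23.44.1-122.23.44.255;172.84.100.35;127.0.0.0-127.0.0.255"
    exclude = "122.23.44.7"
    for ip in ("122.23.44.1", "122.23.44.7", "172.84.100.36", "127.0.0.1"):
        print(ip, "allowed" if login_allowed(ip, include, exclude) else "refused")
```

An empty inclusion list with a short exclusion list admits every other address, so a console reachable from untrusted networks is only narrowed by filling in the inclusion list.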
Trust Mode - The Trust Mode options allow you to select the security required by your system. There are some situations that require a higher level of security than others, so you are given the options as shown in Figure 1-4.
NOTE: Click the Default Configuration button located in the Configuration Options section to return all options back to their original settings.
Trust All - The Trust All mode will set up the Management HTTP Server to accept certain requests from any server. An example of why you may want to use Trust All would be if you have a secure network, and everyone in the network is trusted.
NOTE: Trust All mode leaves your system vulnerable to security attacks.
Trust By Name - The Trust By Name mode will set up the HTTP Server to only accept certain requests from servers with the Insight Manager 7 names designated in the Trust By Name field. The Trust By Name option is easy to configure, and will prevent non-malicious access. An example of why you may want to use Trust By Name would be if you have a secure network but your network has two groups of administrators in two separate divisions; it would prevent one group from installing software to the wrong system. This option will not verify anything other than the Insight Manager 7 server name submitted.
To use the Trust by Name option:
a. Select the Trust By Name option.
b. Enter the name of the server you want to allow access. If you want to trust more than one Insight Manager 7 server, separate the server names with a semi-colon.
NOTE: Although Trust By Name mode is a slightly stronger method of security than the Trust All mode, it still leaves your system vulnerable to security attacks.
The Trust By Certificate mode will set up the Management HTTP Server to only accept certain requests from Insight Manager 7 servers with Trusted Certificates as shown in the figure below. This mode will require the submitted server to provide authentication by means of certificates. This mode is the strongest method of security, since it requires certificate data before allowing access.
To use the Trust by Certificate option:
a. In the Insight Manager 7 Server Name field, enter the name of the server you wish to receive a certificate from.
b. Click the Get Cert button. The certificate data will display.
c. Click the Options hyperlink. The bottom of the page should display the Insight Manager 7 servers you currently trust. To view certificate information related to that server, click the View Certificate hyperlink associated with that Insight Manager 7 server.
NOTE: If Insight Manager 7 is reinstalled or has re-generated a new certificate, you must remove the trusted servers and start again with step "a".
The Customer Generated Certificates option allows you to use certificates that are not generated by HP. If this option is selected, the self-signed certificate that was originally generated by the Management HTTP Server will be replaced with one that was issued by a Certificate Authority. The first step of the process is to cause the Management HTTP Server to create a Certificate Request (PKCS #10). This request utilizes the original private key that was associated with the self-signed certificate and generates the appropriate data for certificate request.
NOTE: The private key never leaves the server during any of this process
Once the PKCS #10 data has been created, the user needs to send that data to a Certificate Authority. Once the Certificate Authority has returned PKCS #7 data, the user imports this into the Management HTTP Server. Once the PKCS #7 data has been successfully imported, the original /var/spool/compaq/wbem/cert.pem certificate file will be overwritten with the device's certificate from that PKCS #7 envelope. The same private key is used for the new imported certificate as for the previous self-signed certificate.
To use the Customer Generated Certificates option:
a. Click the Create PKCS #10 Data button. A screen will display indicating that the PKCS #10 Certificate Request data has been successfully generated.
b. Copy the certificate data.
c. Send PKCS #10 certificate request data to a Certificate Authority and ask them to send you the certificate request reply data in the form of PKCS #7 format. Request the reply data be in base64 encoded format. If your organization has its own PKI/Certificate Server implemented, send the PKCS #10 data to the Certificate Authority manager and request the PKCS #7 reply data.
NOTE: The selected certificate signer generally charges a fee.
d. When the certificate signer sends the PKCS #7 certificate request reply data to you, copy the data from the PKCS #7 certificate request and paste the copied data in the PKCS #7 Data field.
e. Click the Import PKCS #7 Data button. A message will display indicating whether or not the "customer generated certificate" was successfully imported.
f. Reboot the device.
g. Browse to the managed device that contains the imported certificate.
h. Choose to view the certificate when prompted by the browser. Verify the signer is listed as the signer you used, and NOT listed as Compaq/HP, before importing the certificate into your browser. Alternatively, you can import the root CA certificate into all the browsers on your network to avoid being prompted.
NOTE: If the certificate issuer's organizational unit (OU) is still listed as Management HTTP Server, you will need to start over with step "a".
NOTE: If the certificate signer of your choice sends you the certificate data in X.509 form instead of PKCS #7 data, you must copy the X.509 file to the filename /var/spool/compaq/wbem/cert.pem and reboot the machine.
NOTE: Click the Default Configuration button to revert to default settings. This will not remove imported Trusted Insight Manager 7 certificates or imported Customer Generated certificates.
NOTE: Once you have successfully imported the PKCS #7 certificate, you may see the dialogue box. In order to eliminate this box, you will need to import the Certificate Authority's certificate into your browser as a Trusted Root Certification Authority. Your Certificate Authority can provide you with their certificate and you can import it into your browser via the normal process (refer to the help files that came with your browser for details on how to import a certificate).
The minimum browser requirements include support for tables, frames, Java, JavaScript.
Additional browsers, or the browsers mentioned, used with different operating systems, may or may not work correctly, depending upon their specific implementations of the required browser technologies.
The requirements are TCP/IP and one of the following browsers:
To View Systems Running | Browser Requirements
Novell NetWare 4.x, 5.x, and 6.x. |
Tru64 UNIX V4.0F and later |
Tru64 UNIX V3.2C and later |
SCO UnixWare 7 v7.1.1 Caldera Open UNIX 8.0.0 and later |
Red Hat Linux Advanced Server 2.1 |
Red Hat Linux 7.3 Professional |
Red Hat Linux 8.0 Professional |
SuSE Linux Enterprise Server 7 | Windows: Netscape Communicator v4.77 on SuSE Linux Enterprise Server 7
IMPORTANT: You must turn on the following options for the Management Agents to work properly:
Enable Java
Enable JavaScript
Accept all cookies
For the Tru64 UNIX Server agents, the Netscape option "Accept cookies originating from the same server as the page being viewed" can be used instead of "Accept all cookies".
Update your version of Netscape Communicator by downloading the software from http://home.netscape.com/download
The HP Insight Management Agent allows SNMP sets for some system parameters. This capability requires security that includes the three predefined users. For agents running on Microsoft and Linux operating systems there are no default passwords. On a fresh install the administrator password, the operator password and user passwords will be configured during installation. For agents running on other operating systems there are default passwords defined in the following table.
Account | User Name | Password
anonymous | |
user | user | public
operator | operator | operator
administrator | administrator | administrator
NOTE: These are the only user accounts available in this release, and they cannot be changed except for the password. Under Tru64 UNIX, the Account Names, User Names, and Passwords are lowercase characters.
Anonymous access to information is available without logging in when the Device Home Page is launched for the first time on operating systems other than those from Microsoft and Linux.
On Microsoft Operating Systems, anonymous access is disabled by default but can be turned back on by the user through the Options link on the System Management Home Page.
There are three types of data:
Default (read only),
Sets (read/write)
Reboot (read/write)
The WEBAGENT.INI file located in the system_root\cpqmgmt\webagent directory as well as UnixWare 7 webagent.ini in the /opt/compaq/webagent.
Under Tru64 UNIX, the location of the WEBAGENT.INI file depends on whether the Management Agents for Tru64 UNIX were installed as part of the base operating system or as an upgrade. You can determine the location of the WEBAGENT.INI file by issuing the following command:
# ps -ef | grep -i cpqthresh_mib | grep -v grep
The command output will resemble one of the following lines:
root 12278 1 0.0 ... /usr/sbin/cpqthresh_mib
root 12278 1 0.0 ... /var/opt/CPQIM100/bin/cpqthresh_mib
Use the path name displayed in the output of the ps command to locate the WEBAGENT.INI file on your system as follows:
The WEBAGENT.INI file is located in the directory /var/im/webagent if the pathname is /usr/sbin/cpqthresh_mib.
The WEBAGENT.INI file is located in the directory /var/opt/CPQIMddd/web/im/webagent if the pathname is /var/opt/CPQIMddd/bin/cpqthresh_mib.
The value ddd indicates the version of the Management Agents installed on the system.
The Web Agent service must be stopped and restarted for any changes to take effect for Tru64 UNIX operating systems.
The configuration settings for the Management HTTP Server are stored in three files. The passwords for the Management HTTP Server are stored in:
/var/spool/compaq/wbem/CPQHMMD.ACL
The configuration settings for the Management HTTP Server that existed up through version 3.x are stored in the following location:
/var/spool/compaq/wbem/homepage/cpqhmmd.ini
The configuration settings for the Management HTTP Server that were introduced in version 4.x and later are stored in the following location:
/var/spool/compaq/wbem/homepage/cpqhmmdx.ini
In order to deploy the Management HTTP Server configuration to other servers, copy the corresponding ACL file and INI file(s) listed above.
Anonymous access to information is available without logging in when the Device Homepage is launched for the first time.
There are three types of data: Default (read only), Sets (read/write), and Reboot (read/write). The *.INI files located in /opt/compaq/webagent are the configuration files used by the Web-enabled HP Insight Management Agents.
In NetWare, the WEBAGENT.INI file, located in the sys:\system\cpqmgmt\webagent directory, specifies the level of user that has access to data. The "read=" and "write=" entries in the file set the user accounts required for access, where: 0 = No access, 1 = Anonymous, 2 = User, 3 = Operator, and 4 = Administrator. Changing these entries changes the security.
NOTE: The Web Agent service must be stopped and restarted for any changes to take effect for NetWare.
For NetWare do not modify anything except the read/write levels to change the security.
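A review of the "read=" and "write=" levels can be scripted against a copy of the file. This is an added example, not part of the HP documentation: the sample text is constructed (its section names are invented and the real file layout may differ), the function name is hypothetical, and the policy floors (User to read, Operator to write) are assumptions to adjust.

```python
import re

# Level meanings as listed in this document.
LEVELS = {0: "No access", 1: "Anonymous", 2: "User",
          3: "Operator", 4: "Administrator"}

# Matches lines consisting only of a read= or write= entry.
ENTRY = re.compile(r"^\s*(read|write)\s*=\s*(\d+)\s*$", re.IGNORECASE)


def audit_levels(text, min_read=2, min_write=3):
    """Return (line number, entry kind, level, reason) for risky entries.

    Level 0 is never flagged: numerically it is the lowest value, but it
    means nobody has access, which is the most restrictive setting.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = ENTRY.match(line)
        if not match:
            continue  # anything that is not a read=/write= entry is skipped
        kind, level = match.group(1).lower(), int(match.group(2))
        if level not in LEVELS:
            findings.append((lineno, kind, level, "unknown level"))
            continue
        if level == 0:
            continue
        floor = min_read if kind == "read" else min_write
        if level < floor:
            reason = (f"{LEVELS[level]} can {kind}; "
                      f"policy requires {LEVELS[floor]} or higher")
            findings.append((lineno, kind, level, reason))
    return findings


# Constructed sample, not taken from a real WEBAGENT.INI.
SAMPLE = """\
[constructed-section-a]
read=1
write=4
[constructed-section-b]
read=2
write=1
[constructed-section-c]
read=0
write=0
write=7
"""

if __name__ == "__main__":
    for lineno, kind, level, reason in audit_levels(SAMPLE):
        print(f"line {lineno}: {kind}={level}: {reason}")
```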
If your enterprise has numerous devices and you wish to share common passwords, configuration information, and certificates of trusted CIM 7's, this can be accomplished by copying certain files from the desired device to other devices.
To replicate the user passwords, replicate the following file:
/var/spool/compaq/wbem/cpqhmmd.acl
To replicate the Management HTTP Server configuration information, replicate the following files:
/var/spool/compaq/wbem/cpqhmmd.ini
/compaq/wbem/homepage/cpqhmmdx.ini
To replicate the certificates of the trusted CIM 7's, replicate all files that exist in the following subdirectory:
/compaq/wbem/certs
After the desired file(s) have been replicated to a given device, the Management HTTP Server will need to be restarted before the changes will take effect.
Select HP Insight Management Agents from the Device Home Page to view subsystem and status information for the device. This section describes how to navigate through the management information.
The date and time displayed at the top of the page shows the local time the page was last received by your Web browser. To refresh this frame, select the refresh link at the top of the page.
The Title Frame, located in the upper-left corner of the browser window, displays the following links.
Help - Use this link to navigate to this help page.
Summary - Use this link to quickly navigate back to the list of degraded or failed components on the Summary Page.
Device Home - Use this link to return to the Device Home Page.
Options - Use this link to go to the Options Page and set options for Display Mode (frames or no frames), Help icons, and Auto Refresh intervals.
The first summary page displays the device name, type, contact information, location, and IP address, as well as a list of failed or degraded items. To view detailed information about a failed or degraded item, click on that item.
The colored ball and square icons next to the individual items indicate the status of each item.
Device status is unknown.
Device status is ok.
Device status is degraded.
Device status is failed.
NOTE: In the no-frames version of this software, the Summary page fills the entire browser window. Each page has the equivalent of the contents of the Title Frame at the top with links to Help, Summary, Device Home, and Options. The Summary page in the no-frames version displays all categories of devices, and items within each category are sorted by status. To view detailed information about an item, click on that item.
The Navigation Frame, located below the Title Frame on the left side of the browser window, lists all of the subsystems with components that are available for this device.
The colored ball next to the various items in the list indicates the status of that item. A legend for the colored balls is displayed at the bottom of the frame. Select a component in the left frame to display detailed information about it in the right frame.
Information about the following subsystems is available:
Configuration Subsystem
Mass Storage Subsystem
NIC Subsystem
Utilization Subsystem
Recovery Subsystem
Windows NT Operating System
Novell NetWare Operating System
The SNMP Configuration under the Configuration Subsystem can be used to configure Server SNMP Service and HP Insight Management Agents for servers that are running Linux Operating Systems.
The Data Frame comprises the remainder of the browser window and displays detailed information about the selected items. This window also displays the Summary Page when the Summary option is selected from the Title Frame.
NOTE: Some items may split the Data Frame into sub-frames that follow the same organizational structure as the main frame with navigation data in a sub-frame on the left and detailed information in a sub-frame on the right.