Accessing HP Insight Management Agents

Select from the following information:

Accessing HP Insight Management Agents from a Browser for Linux

Accessing HP Insight Management Agents from a Browser for Other Operating Systems

Management HTTP Server First-Time Initialization on Linux Operating Systems

Logging in to Servers Running Linux Operating Systems

Device Home Page

Device Home Page on Linux Operating Systems

Options Page for Linux Operating Systems

Configuring Options for Linux Operating Systems

Trust By Certificate

Customer Generated Certificates

Browser Requirements

Security

How to Replicate Passwords and Configuration Data across Multiple Devices

Viewing Subsystem and Status Information

Accessing HP Insight Management Agents from a Browser for Linux Operating Systems

The HP Insight Management Agents for Servers allow you to view subsystem and status information from a Web browser, either locally or remotely.

To view data locally on Linux operating systems, use the URL:

or

To view data remotely on Linux operating systems, use the URL:

 where the machine is the IP address or the computer name under DNS.

Note:  Notice that the URL is followed by :2381. This is the port or socket number that the HP Insight Management Agents use to communicate with the browser. If this number is not specified, your browser might attempt to connect to another Web page if the managed server is running a Web server.

After you enter the URL, there will be a certificate challenge (see the section on Management HTTP Server First-Time Initialization) followed by a login page (see the section on Logging In for servers running Linux operating systems).

Accessing HP Insight Management Agents from a Browser for Other Operating Systems

To view data locally on operating systems other than Linux, use the URL:

or

To view data remotely on operating systems other than Linux, use the URL:

Where machine is the IP address or the computer name under DNS.

NOTE:  Notice that the URL is followed by :2301. This is the port or socket number that the HP Insight  Management Agents use to communicate with the browser. If this number is not specified, your browser might attempt to connect to another Web page if the managed server is running a Web Server.

After you enter the URL, the Device Home Page displays for servers running operating systems other than Linux. See Device Home Page.

Management HTTP Server First-Time Initialization on Linux Operating Systems

For a Linux operating system product that has been installed and configured on a Management HTTP Server, the following occurs the first time the HTTP Server is run.

Upon initialization, the HTTP Server will create a private key and a corresponding self-signed X.509 certificate.

NOTE:  This does not occur every time that the HTTP Server is started, just the first time that it ever runs.

This certificate is a base64 encoded PEM file. The certificate is stored on the file system as:

/var/spool/compaq/wbem/cert.pem.

The /var/spool/compaq/wbem subdirectory also contains the private key. To protect the key, this subdirectory will only be accessible to administrators if the file system allows it. For private key security reasons, it is highly recommended that the Management HTTP Server be run on NTFS systems.

NOTE:  For Linux, the /var/spool/compaq/wbem directory must exist in order for this to occur.

If the private key is ever believed to be compromised and a new private key and certificate should be generated, an administrator can delete the /var/spool/compaq/wbem/cert.pem file and then restart the server. This will cause the Management HTTP Server to generate a new certificate and private key.
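The following is an added example, not part of the original HP documentation: a small audit that checks whether the directory holding cert.pem and the private key is reachable only by its owner. It assumes a POSIX file system and an administrator uid of 0; the function name and the finding strings are hypothetical.

```python
import os
import stat
import sys

# Directory named on this page as holding cert.pem and the private key.
DEFAULT_DIR = "/var/spool/compaq/wbem"


def audit_key_dir(path=DEFAULT_DIR, expected_uid=0):
    """Return a list of (path, octal mode string, problem) findings.

    Flags anything under `path` that group or other can access, that is
    not owned by `expected_uid` (assumed administrator uid), or that is a
    symbolic link.
    """
    if not os.path.isdir(path):
        raise FileNotFoundError(f"not a directory: {path}")
    findings = []
    for root, dirs, files in os.walk(path):
        # os.walk does not descend into symlinked directories; report them.
        links = [d for d in dirs if os.path.islink(os.path.join(root, d))]
        entries = [root] + [os.path.join(root, n) for n in files + links]
        for entry in entries:
            st = os.lstat(entry)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                findings.append((entry, oct(mode), "symbolic link"))
                continue
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((entry, oct(mode), "accessible to group or other"))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((entry, oct(mode), "unexpected owner"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    for entry, mode, problem in audit_key_dir(target):
        print(f"{mode:>7}  {entry}: {problem}")
```

An empty result means every directory and file under the path is owner-only; any finding is a reason to tighten permissions and consider regenerating the key as described above.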

Logging in to Servers Running Linux Operating Systems

The Login page allows you to access any of the available web agents. You can access the desired agent by following these steps.

1. Navigate to https://devicename:2381. The first time you navigate to this link, the Security Alert dialog box will display as shown in Figure 1-1 asking you to indicate if you trust the server or not.

NOTE:  The Security Alert dialog box shown below is specific to Internet Explorer; however, Netscape 4.0 and later is supported as well.

NOTE: You are not required to accept certificates in order to log in; however, no other servers will be trusted.

NOTE:  If you want to implement your own PKI or install your own generated certificates into each managed device, you can install a Certificate Authority Root Certificate into each browser to be used for management.  If this is implemented, the Security Alert dialog box displayed below will never be displayed. You can refer to the online help in your browser for more information about installing the Certificate Authority Root Certificate.

2. Click the Yes button. The Login page will display.

3. Select the appropriate account from the User drop-down list. The choices include administrator, operator, or user.

4. Enter the correct password in the Password field.

5. Click the OK button. The Device Home page will display.

NOTE:  In reference to the Version Control Repository Manager, the Anonymous login, if enabled, and the User login both allow you to access all pages, but you cannot configure a repository, delete/copy/create Support Paqs, install components, or clear the log. The Anonymous login is disabled by default.

Device Home Page

The Device Home Page is the first page displayed when you access the device at port 2381 or 2301 after logging in. This page displays available  Web-enabled services. Anonymous access to information is available without logging in when the Device Home Page is launched for the first time. To log in as a different user, select the user name link (which will be Administrator, Operator, User, or Anonymous). The login screen displays.  See the Security section below for more information about user accounts.

The following options are available on the Device Home Page:

Device Home Page on Linux Operating Systems

The HP Insight Management Device Home page permits you to:

Options Page for Linux Operating Systems

The Options page allows you to change various HP Insight Management settings. The Options page is accessed from the Management Device Home page by clicking the Options hyperlink. The Page Sections divides the available options into three groups as shown in the Figure below:

 

Configuring Options for Linux Operating Systems

The Configuring Options section allows you to select the appropriate settings to include:

To enable Anonymous Access:

  1. Select the Anonymous Access checkbox on the Configuration Options page.

  2. Click the Save Configuration button in the Configuration Options section to save your settings. The Configuration Options page will refresh.

To set the Auto Delete Users:

  1. Select the Auto Delete Users checkbox.

  2. Specify the number of days you want to keep information before deleting cached data for an unused login in the field provided.

NOTE:  The cached data referred to in step 2 is not needed and will re-generate automatically if it is ever needed in the future.

  3. Click the Save Configuration button in the Configuration Options section to save your settings. You can click on the Default Configuration button to return all options back to their original settings.

To set the Logging options:

  1. Select the Logging checkbox to record information in the log file.

  2. Select the types of logs to be recorded.

  3. Click the Save Configuration button in the Configuration Options section to save your settings.

IP addresses can be explicitly excluded or explicitly included for each type of user. If an IP address is explicitly excluded it will be excluded even if it is also explicitly included. If there are any IP addresses in the inclusion list, then only those IP addresses will be allowed login access. If there are no IP addresses in the inclusion list, then login access will be allowed to any IP addresses not in the exclusion list.

IP address ranges should be listed with the lower end of the range followed by a hyphen followed by the upper end of the range. All ranges are inclusive in that the upper and lower bounds are considered part of the range. IP address ranges and single addresses are separated by semi-colons.

IP address ranges should be entered in the following format:

122.23.44.1-122.23.44.255;172.84.100.35;127.0.0.0-127.0.0.255
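The inclusion and exclusion rules above can be expressed as a short evaluator. This is an added example, not HP code: it parses the semicolon-separated list format shown above and applies the stated precedence (exclusion wins, a non-empty inclusion list is exclusive, an empty one allows everything not excluded). Function names and the per-user policy values are constructed for illustration.

```python
import ipaddress


def parse_ip_list(text):
    """Parse 'low-high;single;low-high' into (low, high) IPv4Address pairs."""
    ranges = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        low_s, sep, high_s = item.partition("-")
        low = ipaddress.IPv4Address(low_s.strip())
        # A single address is treated as a range of one.
        high = ipaddress.IPv4Address(high_s.strip()) if sep else low
        if low > high:
            raise ValueError(f"lower bound exceeds upper bound: {item!r}")
        ranges.append((low, high))
    return ranges


def in_ranges(addr, ranges):
    """True if addr falls inside any range; both bounds are inclusive."""
    return any(low <= addr <= high for low, high in ranges)


def login_allowed(client_ip, include="", exclude=""):
    """Apply the page's rules to one client address."""
    addr = ipaddress.IPv4Address(client_ip)
    if in_ranges(addr, parse_ip_list(exclude)):
        return False            # excluded even if also included
    included = parse_ip_list(include)
    if included:
        return in_ranges(addr, included)   # inclusion list is exclusive
    return True                 # no inclusion list: allow anything not excluded


# Constructed sample policy: one inclusion/exclusion pair per user type.
SAMPLE_POLICY = {
    "administrator": {
        "include": "122.23.44.1-122.23.44.255;172.84.100.35",
        "exclude": "122.23.44.200-122.23.44.255",
    },
    "user": {"include": "", "exclude": "127.0.0.0-127.0.0.255"},
}


def check(policy, user_type, client_ip):
    """Look up the lists for a user type and evaluate one address."""
    rules = policy[user_type]
    return login_allowed(client_ip, rules["include"], rules["exclude"])


if __name__ == "__main__":
    for user_type, ip in [("administrator", "122.23.44.10"),
                          ("administrator", "122.23.44.200"),
                          ("user", "10.1.2.3"),
                          ("user", "127.0.0.1")]:
        verdict = "allow" if check(SAMPLE_POLICY, user_type, ip) else "deny"
        print(f"{user_type:13} {ip:15} {verdict}")
```

Running the evaluator over a proposed list before saving it in the Options page shows whether an overlapping exclusion range would lock out an address that was meant to be allowed.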

 NOTE:  Click  the Default Configuration button located in the Configuration Options section to return all options back to their original settings.

NOTE:  Trust All mode leaves your system vulnerable to security attacks.

To use the Trust by Name option:

  1. Select the Trust By Name option.

  2. Enter the name of the server you want to allow access. If you want to trust more than one Insight Manager 7 server, you can separate the server names with a semi-colon.

NOTE:  Although Trust By Name mode is a slightly stronger method of security than the Trust All mode, it still leaves your system vulnerable to security attacks.

Trust By Certificate

The Trust by Certificate mode will set up the Management HTTP Server to only accept certain requests from Insight Manager 7 servers with trusted certificates, as shown in the figure below. This mode will require the submitted server to provide authentication by means of certificates. This mode is the strongest method of security, since it requires certificate data before allowing access.

 

To use the Trust by Certificate option:

  1. In the Insight Manager 7 Server Name field, enter the name of the server you wish to receive a certificate from.

  2. Click the Get Cert button. The certificate data will display.

  3. Click the Options hyperlink. The bottom of the page should display the Insight Manager 7 servers you currently trust. To view certificate information related to that server, click the View Certificate hyperlink associated with that Insight Manager 7 server.

NOTE:  If Insight Manager 7 is reinstalled or has re-generated a new certificate, you must remove the trusted servers and start again with step 1.

Customer Generated Certificates

The Customer Generated Certificates option allows you to use certificates that are not generated by HP. If this option is selected, the self-signed certificate that was originally generated by the Management HTTP Server will be replaced with one that was issued by a Certificate Authority. The first step of the process is to cause the Management HTTP Server to create a Certificate Request (PKCS #10). This request utilizes the original private key that was associated with the self-signed certificate and generates the appropriate data for the certificate request.

NOTE:  The private key never leaves the server during any of this process.

Once the PKCS #10 data has been created, the user needs to send that data off to a Certificate Authority. Once the Certificate Authority has returned PKCS #7 data, the user imports this into the Management HTTP Server. Once the PKCS #7 data has been successfully imported, the original /var/spool/compaq/wbem/cert.pem certificate file will be overwritten with the device's certificate from that PKCS #7 envelope. The same private key is used for the new imported certificate as was used with the previous self-signed certificate.

 To use the Customer Generated Certificates option:

  1. Click the Create PKCS #10 Data button. A screen will display indicating that the PKCS #10 Certificate Request data has been successfully generated.

  2. Copy the certificate data.

  3. Send PKCS #10 certificate request data to a Certificate Authority and ask them to send you the certificate request reply data in the form of PKCS #7 format. Request the reply data be in base64 encoded format. If your organization has its own PKI/Certificate Server implemented, send the PKCS#10 data to the Certificate Authority manager and request the PKCS#7 reply data.

NOTE:   The selected certificate signer generally charges a fee.

  4. When the certificate signer sends the PKCS#7 certificate request reply data to you, copy the data from the PKCS#7 certificate request and paste the copied data in the PKCS #7 Data field.

  5. Click the Import PKCS #7 Data button. A message will display indicating whether or not the "customer generated certificate" was successfully imported.

  6. Reboot the device.

  7. Browse to the managed device that contains the imported certificate.

  8. Choose to view the certificate when prompted by the browser. Verify the signer is listed as the signer you used, and NOT listed as Compaq/HP, before importing the certificate into your browser. Alternatively, you can import the root CA certificate into all the browsers on your network to avoid being prompted.

NOTE:  If the certificate issuer's organizational unit (OU) is still listed as Management HTTP Server, you will need to start over with step 1.

NOTE:  If the certificate signer of your choice sends you the certificate data in X.509 form instead of PKCS #7 data, you must copy the X.509 file to the filename /var/spool/compaq/wbem/cert.pem and reboot the machine.

NOTE:  Click the Default Configuration button to revert to default settings. This will not remove imported Trusted Insight Manager 7 certificates or imported Customer Generated certificates.

NOTE:  Once you have successfully imported the PKCS#7 certificate, you may see the dialogue box. In order to eliminate this box, you will need to import the Certificate Authority's certificate into your browser as a Trusted Root Certification Authority. Your Certificate Authority can provide you with their certificate and you can import it into your browser via the normal process (refer to the help files that came with your browser for details on how to import a certificate).

Browser Requirements

The minimum browser requirements include support for tables, frames, Java, and JavaScript.

Additional browsers, or the browsers mentioned, used with different operating systems, may or may not work correctly, depending upon their specific implementations of the required browser technologies.

The requirements are TCP/IP and one of the following browsers:

 

To View Systems Running / Browser Requirements

Novell NetWare 4.x, 5.x, and 6.x

  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0
  • Netscape Navigator 4.73 and 6

Windows NT 4.0, with Service Pack 6 or greater; Windows 2000 with Service Pack; Windows .NET Server 2003, Standard Edition; Windows .NET Server 2003, Enterprise Edition

  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0
  • Netscape Navigator 4.73 and 6

    In order to view the SNMP configuration web pages, you have to use Microsoft Internet Explorer 5.0 or later. Netscape Navigator is not supported.

Tru64 UNIX V4.0F and later

  • Netscape Communicator 4.5 or later.

Tru64 UNIX V3.2C and later

  • Netscape Communicator 4.06 or later.

SCO UnixWare 7 v7.1.1; Caldera Open UNIX 8.0.0 and later

  • Microsoft Internet Explorer 5.5 and later and Netscape Communicator 4.70 on Windows 98, Windows NT 4.0, Windows 2000 and Windows XP
  • Netscape Communicator v4.61 on UnixWare 7.1.0 and 7.1.1.
  • Caldera Open UNIX 8.0.0 ships with Netscape Communicator v4.61.
  • NOTE: UnixWare 7.1.0 Netscape Communicator 4.08 should be presently installed. Remove Netscape 4.08, then upgrade with Netscape Communicator 4.61, which is present in UnixWare 7.1.1 CD.

Red Hat Linux Advanced Server 2.1

  • Windows: Netscape Communicator 4.51 or later
  • Microsoft Internet Explorer 5.5 and 6.0
  • Netscape Communicator v 4.78

Red Hat Linux 7.3 Professional

  • Windows: Netscape Communicator 4.51 or later
  • Microsoft Internet Explorer 5.5 and 6.0
  • Netscape Communicator v 4.78

Red Hat Linux 8.0 Professional

  • Windows: Netscape Communicator 4.51 or later
  • Microsoft Internet Explorer 5.5 and 6.0
  • Netscape Communicator v 4.78

SuSE Linux Enterprise Server 7

  • Windows: Netscape Communicator v4.77 on SuSE Linux Enterprise Server 7


IMPORTANT: You must turn on the following options for the Management Agents to work properly:

For the Tru64 UNIX Server agents, the Netscape option "Accept cookies originating from the same server as the page being viewed" can be used instead of "Accept all cookies".


Updating Netscape Communicator for Tru64 UNIX Workstations

Update your version of Netscape Communicator by downloading the software from http://home.netscape.com/download

Security

The HP Insight Management Agent allows SNMP sets for some system parameters. This capability requires security that includes the three predefined users. For agents running on Microsoft and Linux operating systems there are no default passwords.  On a fresh install the administrator password, the operator  password and user passwords will be configured during installation.  For agents running on other operating systems there are default passwords defined in the following table.

Account          User Name        Password
anonymous
user             user             public
operator         operator         operator
administrator    administrator    administrator

NOTE: These are the only user accounts available in this release, and they cannot be changed except for the password. Under Tru64 UNIX, the Account Names, User Names, and Passwords are lowercase characters.

Anonymous access to information is available without logging in when the Device Home Page is launched for the first time on operating systems other than those from Microsoft and Linux.

Deploying the Configurations to Servers Running  Microsoft  Windows

On Microsoft Operating Systems, anonymous access is disabled by default but can be turned back on by the user through the Options link on the System Management Home Page.

There are three types of data:

The WEBAGENT.INI file located in the system_root\cpqmgmt\webagent directory as well as UnixWare 7 webagent.ini in the /opt/compaq/webagent.

Deploying the Configurations to Servers Running Tru64 UNIX

Under Tru64 UNIX, the location of the WEBAGENT.INI file depends on whether the Management Agents for Tru64 UNIX were installed as part of the base operating system or as an upgrade. You can determine the location of the WEBAGENT.INI file by issuing the following command:

# ps -ef | grep -i cpqthresh_mib | grep -v grep

The command output will resemble one of the following lines:

root 12278 1 0.0 ... /usr/sbin/cpqthresh_mib

root 12278 1 0.0 ... /var/opt/CPQIM100/bin/cpqthresh_mib

Use the path name displayed in the output of the ps command to locate the WEBAGENT.INI file on your system as follows:

The WEBAGENT.INI file is located in the directory /var/im/webagent if the pathname is /usr/sbin/cpqthresh_mib.

The WEBAGENT.INI file is located in the directory /var/opt/CPQIMddd/web/im/webagent if the pathname is /var/opt/CPQIMddd/bin/cpqthresh_mib.

The value ddd indicates the version of the Management Agents installed on the system.

The Web Agent service must be stopped and restarted for any changes to take effect for Tru64 UNIX operating systems.

Deploying the Configurations to Servers Running Linux

The configuration settings for the Management HTTP Server are stored in three files. The passwords for the Management HTTP Server are stored in:

/var/spool/compaq/wbem/CPQHMMD.ACL

The configuration settings for the Management HTTP Server that existed up through version 3.x are stored in the following location:

/var/spool/compaq/wbem/homepage/cpqhmmd.ini

The configuration settings for the Management HTTP Server that were introduced in version 4.x and later are stored in the following location:

/var/spool/compaq/wbem/homepage/cpqhmmdx.ini

In order to deploy the Management HTTP Server configuration to other servers, copy the corresponding ACL file and INI file(s) listed above.

Anonymous access to information is available without logging in when the Device Homepage is launched for the first time.

There are three types of data: Default (read only), Sets (read/write), and Reboot (read/write). The *.INI files located in /opt/compaq/webagent are the configuration files used by the Web-enabled HP Insight Management Agents.

Deploying the Configurations to Servers Running NetWare

In NetWare, the WEBAGENT.INI file, located in the sys:\system\cpqmgmt\webagent directory, specifies the level of user that has access to data. The "read=" and "write=" entries in the file set the user accounts required for access, where: 0 = No access, 1 = Anonymous, 2 = User, 3 = Operator, and 4 = Administrator. Changing these entries changes the security.

NOTE: The Web Agent service must be stopped and restarted for any changes to take effect for NetWare.

For NetWare do not modify anything except the read/write levels to change the security.

How to Replicate Passwords and Configuration Data across Multiple Devices

If your enterprise has numerous devices and you wish to share common passwords, configuration information, and certificates of trusted CIM 7's, this can be accomplished by copying certain files from the desired device to other devices.  

To replicate the user passwords, replicate the following file:

/var/spool/compaq/wbem/cpqhmmd.acl

To replicate the Management HTTP Server configuration information, replicate the following files:

/var/spool/compaq/wbem/cpqhmmd.ini

/compaq/wbem/homepage/cpqhmmdx.ini  

To replicate the certificates of the trusted CIM 7's, replicate all files that exist in the following subdirectory:

/compaq/wbem/certs

After the desired file(s) have been replicated to a given device, the Management HTTP Server will need to be restarted before the changes will take effect.

Viewing Subsystem and Status Information

Select HP Insight Management Agents from the Device Home Page to view subsystem and status information for the device. This section describes how to navigate through the management information.

The date and time displayed at the top of the page shows the local time the page was last received by your Web browser. To refresh this frame, select the refresh link at the top of the page.

Title Frame

The Title Frame, located in the upper-left corner of the browser window, displays the following links.

Summary Page

The first summary page displays the device name, type, contact information, location, and IP address, as well as a list of failed or degraded items. To view detailed information about a failed or degraded item, click on that item.

Device Status

The colored ball and square icons next to the individual items indicate the status of each item.

[unknown icon] Device status is unknown.

[normal icon] Device status is ok.

[minor icon] Device status is degraded.

[major icon] Device status is failed.

NOTE: In the no-frames version of this software, the Summary page fills the entire browser window. Each page has the equivalent of the contents of the Title Frame at the top with links to Help, Summary, Device Home, and Options. The Summary page in the no-frames version displays all categories of devices, and items within each category are sorted by status. To view detailed information about an item, click on that item.

Navigation Frame

The Navigation Frame, located below the Title Frame on the left side of the browser window, lists all of the subsystems with components that are available for this device.

The colored ball next to the various items in the list indicates the status of that item. A legend for the colored balls is displayed at the bottom of the frame. Select a component in the left frame to display detailed information about it in the right frame.

Information about the following subsystems is available:

The SNMP Configuration under the Configuration Subsystem can be used to configure Server SNMP Service and HP Insight Management Agents for servers that are running Linux Operating Systems.

Data Frame

The Data Frame comprises the remainder of the browser window and displays detailed information about the selected items. This window also displays the Summary Page when the Summary option is selected from the Title Frame.

NOTE: Some items may split the Data Frame into sub-frames that follow the same organizational structure as the main frame with navigation data in a sub-frame on the left and detailed information in a sub-frame on the right.

Related Topic:

Troubleshooting HP Insight Management Agents