STEPS TO REPRODUCE and FIX Private Key Installed: FAILED and Certificate Installed: FAILED on BSM/OMi server and Data collectors

  • KM00815429
  • 24-Mar-2014
  • 26-Mar-2014

Summary

Error: When you try to activate a policy for BSM Connector, the Policy Activation component reports the following error: The keystore reported problems. Signing failed. Please check if certificates are installed. (conf-45) Could not sign the policy file 'C:\\ProgramData\\HP\\HP BTO Software\\tmp\\e35b83ab-5e16-48fe-99c7-3b49bbac1b0e_header.xml'. The security key store for this node generated errors. (sec.core-25) No certificate for alias '17affa42-16c6-756e-00a9-e5576f3b521b' is installed.

Question

The Policy Activation component reported the following error:
The keystore reported problems. Signing failed. Please check if certificates are installed.

(conf-45) Could not sign the policy file 'C:\\ProgramData\\HP\\HP BTO Software\\tmp\\e35b83ab-5e16-48fe-99c7-3b49bbac1b0e_header.xml'. The security key store for this node generated errors.
(sec.core-25) No certificate for alias '17affa42-16c6-756e-00a9-e5576f3b521b' is installed.

Answer


A. If BSM/OMi is a single server, or to fix the issue on the Data Processing Server (DPS)

a. Run %OvDataDir%\ovcoreid and make sure that the ID is different from 549e9822-2fb7-7565-1ff6-8e9b49f35a8e (that is the core ID of the server keystore, and it must be different from the agent keystore core ID).
b. If the value returned in step a is the same as the server keystore core ID, generate a new core ID by running the command %OvDataDir%\ovcoreid -create -force.
This creates a new core ID.
c. Run the command %OvDataDir%\ovconfget sec.cm.client and confirm that the value of the setting CERTIFICATE_SERVER is the IP address of the DPS server. If it is different, change it by running the command %OvDataDir%\ovconfchg -edit and making the changes.
If it is the same, no change is needed.
d. Request a new certificate for the agent keystore by running the command %OvDataDir%\ovcert -certreq, and then grant it on the DPS server by running the command %OvDataDir%\ovcm -grant <request ID>. You can get the request ID by first running
%OvDataDir%\ovcm -listpending -l
e. Check the certificates once again by running %OvDataDir%\ovcert -check
f. Run %OvDataDir%\ovc -kill on the DPS and then %OvDataDir%\ovc -start. Then try to grant the certificate once again.
g. If that continues to fail, we can generate a new certificate manually by running the command
%OvDataDir%\ovcm -issue -file agent.cert -name <fqdn> -coreid <New core ID previously created in A.b>
h. Import the certificate manually by running %OvDataDir%\ovcert -importcert -file agent.cert
It worked
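
The decisions in steps A.a to A.e can be collected into one triage function. This is an added example, not part of the original article or of the product: the function name Get-OvTriage, the sample addresses and the assumed line formats of the ovcert -check and ovconfget output are constructed for illustration.

```powershell
# Added example. Sample text is constructed; the output formats are assumptions.
function Get-OvTriage {
    param(
        [string[]]$CertCheck,     # lines from: ovcert -check
        [string]$AgentCoreId,     # output of:  ovcoreid
        [string]$ServerCoreId,    # core ID of the server keystore
        [string[]]$CmClientConf,  # lines from: ovconfget sec.cm.client
        [string]$DpsAddress       # IP address of the DPS server
    )
    $actions = @()

    # Steps A.a/A.b: the agent keystore must not share the server keystore core ID.
    if ($AgentCoreId.Trim() -eq $ServerCoreId.Trim()) {
        $actions += 'A.b: core IDs are identical, run ovcoreid -create -force'
    }

    # Step A.c: CERTIFICATE_SERVER must be the DPS address.
    $line = $CmClientConf | Where-Object { $_ -match '^\s*CERTIFICATE_SERVER\s*=' } |
        Select-Object -First 1
    $certServer = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    if ($certServer -ne $DpsAddress) {
        $actions += "A.c: CERTIFICATE_SERVER is '$certServer', expected '$DpsAddress'"
    }

    # Steps A.d/A.e: collect every check that reports FAILED.
    $failed = @($CertCheck | Where-Object { $_ -match ':\s*FAILED\s*$' } |
        ForEach-Object { ($_ -split ':', 2)[0].Trim() })
    if ($failed.Count -gt 0) {
        $actions += "A.d: request and grant a certificate (failed: $($failed -join ', '))"
    }
    return $actions
}

# Constructed inputs; on a live node pass the real command output instead.
$check = @(
    'Private Key Installed : FAILED',
    'Certificate Installed : FAILED',
    'Trusted Certificates Installed : OK'
)
$conf = @('[sec.cm.client]', 'CERTIFICATE_SERVER=192.0.2.10')
$id = '549e9822-2fb7-7565-1ff6-8e9b49f35a8e'   # server keystore core ID quoted on this page
Get-OvTriage -CertCheck $check -AgentCoreId $id -ServerCoreId $id `
    -CmClientConf $conf -DpsAddress '192.0.2.20'
```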


B: For the gateway and other data collectors such as BSM Connector or SiteScope
For the gateway server and other collectors, you can run the %OvDataDir%\ovcert -certreq command, which should send the request to the DPS. If the automated request does not work, you can run the %OvDataDir%\ovcm command on the DPS, but replace the values for the name and coreid with the corresponding values of the GW or collector you need to generate a new certificate for.
For Gateway
a. Go to the gateway server and check the core ID by running %OvDataDir%\ovcoreid
b. Copy the core ID.
c. %OvDataDir%\ovcm -issue -file gateway.cert -name <fqdn> -coreid <New core ID previously created in A.b>
d. Copy gateway.cert to the gateway server.
e. Run
%OvDataDir%\ovcert -importcert -file gateway.cert
For SiteScope
a. Go to the SiteScope server and check the core ID by running %OvDataDir%\ovcoreid
b. Copy the core ID.
c. %OvDataDir%\ovcm -issue -file SiteScope.cert -name <fqdn> -coreid <New core ID previously created in A.b>
d. Copy SiteScope.cert to the SiteScope server.
e. Run
%OvDataDir%\ovcert -importcert -file SiteScope.cert

For BSM Connector
a. Go to the BSM Connector server and check the core ID by running %OvDataDir%\ovcoreid
b. Copy the core ID.
c. %OvDataDir%\ovcm -issue -file bsmc.cert -name <fqdn> -coreid <New core ID previously created in A.b>
d. Copy bsmc.cert to the BSM Connector server.
e. Run
%OvDataDir%\ovcert -importcert -file bsmc.cert

C: If bbcutil -ping fails from the server
a. On a BSM Processing Server, execute the following command:
%OvDataDir%\ovcert -exporttrusted -file DPS.cer
b. On the external machine, execute the following command:
%OvDataDir%\ovcert -exporttrusted -file other.cer
c. Copy other.cer from the external machine to a BSM Processing Server.
d. Copy DPS.cer from the BSM Processing Server to the external server.
e. On the BSM Processing Server, execute the following commands:
%OvDataDir%\ovcert -importtrusted -file other.cer
and
%OvDataDir%\ovcert -importtrusted -file other.cer -ovrg server
f. On the external server, execute the following commands:
%OvDataDir%\ovcert -importtrusted -file DPS.cer
and
%OvDataDir%\ovcert -importtrusted -file DPS.cer -ovrg server
Additionally, the customer opened ticket 4647693384 with the OMi team for the other issue mentioned: "BSM gateway server can not process incoming events from external collectors".