NNMi 10 patch 2: Pre-requisite for NNMi integrations during SSL configurations

  • KM01831323
  • 07-Sep-2015
  • 16-Oct-2015

Summary

This document describes the steps to apply before installing NNMi 10.01 patch 2, which fixes QCCR1B133040 (CVE-2012-6153 and CVE-2014-3577). It addresses the situation where HP Network Node Manager i-series (NNMi) integrates with other products over Secure Sockets Layer (SSL). After the steps in this document have been followed, the SSL certificates will contain the host's FQDN.

Question

Installing NNMi 10 patch 2 may cause a problem with Secure Sockets Layer (SSL) communication, which affects NNMi integrations with other products over SSL.

For example, when HP NNMi integrates with HP Network Automation (NA), the certificate imported from the NA server does not have a proper Common Name (CN); it contains only "localhost".

The following error appears in the log file nnm-trace.log (in this instance for an integration with Network Automation (NA)):

 
javax.net.ssl.SSLException: hostname in certificate didn't match: <NA-FQDN> != </localhost>
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(Unknown Source)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(Unknown Source)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(Unknown Source)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(Unknown Source)
        at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
 
and this is seen in the nnm.log:

2015-07-14 03:17:14.254 INFO  [org.apache.axis2.transport.http.HTTPSender] Unable to sendViaPost to url[https://<NA-FQDN>:443/soap]: javax.net.ssl.SSLException: hostname in certificate didn't match: <NA-FQDN> != </localhost>
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(Unknown Source)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(Unknown Source)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(Unknown Source)
        at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(Unknown Source)
        at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(Unknown Source)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
        at org.apache.commons.httpclient.HttpClient.executeMethod(Unknown Source)
        at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:621)
        at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:193)
        at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
        at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:404)
        at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:231)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:443)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
        at com.hp.nas._10.g.NetworkManagementApiStub.login(NetworkManagementApiStub.java)
        at com.hp.ov.nnm.na.im.Na10gWsClient.login(Na10gWsClient.java:425)
        at com.hp.ov.nnm.na.im.NaBeanImpl.login(NaBeanImpl.java:46)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Answer

Systems running NNMi 10 or NNMi 10 patch 1 must have SSL certificates that contain a Fully Qualified Domain Name (FQDN) rather than a Domain Name System (DNS) short name or the name "localhost". It may therefore be necessary to re-generate the certificate(s) for any host involved in an integration with NNMi (NA, in this instance) with its FQDN as the Common Name (CN) in the certificate, and then to import this host's new certificate into NNMi.

For details about this step refer to the manual:

HP Network Node Manager i Software - Deployment Guide.


which can be located here:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM00838327


The ovjboss process must then be stopped and restarted, using the commands:

ovstop -c ovjboss

followed by:

ovstart -c ovjboss

 
At this point NNMi 10 patch 2 can be installed.
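The following program is an added example (not part of this HP document and not NNMi or NA tooling) showing the check that fails in the log excerpt above and what a re-generated certificate has to satisfy before the patch is installed. It builds three throw-away self-signed certificates (CN=localhost as in the failing case, CN=FQDN without a Subject Alternative Name, and CN=FQDN with a matching SAN) and runs Go's standard hostname verification against them. The host name na.example.com is a placeholder standing in for the <NA-FQDN> in the log. One caveat the example makes visible: Go (since 1.15) and other current verifiers consult only the SAN extension, whereas the Apache Commons HttpClient in the trace still compared the CN, so a certificate re-generated for the integration should carry the FQDN in the SAN as well as in the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a throw-away self-signed certificate with the given
// Common Name and Subject Alternative Names. It is constructed only for this
// demonstration; a real NA certificate comes from the product's own keystore.
func newSelfSignedCert(commonName string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckIntegrationCert applies the same hostname check a TLS client performs
// before trusting the peer. It returns nil when the certificate names the
// integration partner's FQDN, and otherwise an error phrased like the
// nnm-trace.log message so the two are easy to correlate.
func CheckIntegrationCert(cert *x509.Certificate, fqdn string) error {
	if err := cert.VerifyHostname(fqdn); err != nil {
		return fmt.Errorf("hostname in certificate didn't match: %s != %s (CN=%q, SAN=%v)",
			fqdn, cert.Subject.CommonName, cert.Subject.CommonName, cert.DNSNames)
	}
	return nil
}

func main() {
	// Placeholder for the real NA server name (the <NA-FQDN> in the log excerpt).
	const naFQDN = "na.example.com"

	localhostCert, err := newSelfSignedCert("localhost", nil)
	if err != nil {
		panic(err)
	}
	cnOnlyCert, err := newSelfSignedCert(naFQDN, nil)
	if err != nil {
		panic(err)
	}
	fqdnCert, err := newSelfSignedCert(naFQDN, []string{naFQDN})
	if err != nil {
		panic(err)
	}

	for _, c := range []struct {
		label string
		cert  *x509.Certificate
	}{
		{"CN=localhost, no SAN (the failing case from the log)", localhostCert},
		{"CN=FQDN, no SAN (accepted only by legacy CN-checking clients)", cnOnlyCert},
		{"CN=FQDN with matching SAN (what the re-generated certificate should carry)", fqdnCert},
	} {
		if err := CheckIntegrationCert(c.cert, naFQDN); err != nil {
			fmt.Printf("FAIL  %-75s %v\n", c.label, err)
		} else {
			fmt.Printf("OK    %-75s valid for %s\n", c.label, naFQDN)
		}
	}
}
```

Running it prints FAIL for the first two certificates and OK for the third. To apply the same check to a real integration partner, export its certificate from the product keystore and load the DER bytes with x509.ParseCertificate in place of newSelfSignedCert; the verification logic does not change.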