NOTICE: Branded Content
NOTICE: Certain versions of content (“Material”) accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.
Systems Management (OpenView-OP Mgmt) User Discussions
cancel

Cannot create an OvCore ID

SOLVED
Go to solution
Bruce Atherton Absent Member.
Absent Member.

Cannot create an OvCore ID

I am having a problem starting OVOU on a Solaris box that I recently restored from a flar. The trouble is that there appears to be no OvCore ID, and it refuses to allow itself to be set to anything.

Here is what I get after a fresh reboot, after ovstart has run:

# ovc -status
Error getting OvCore ID.
# ovcoreid
NOTE: No OvCoreId is set.
# ovcoreid -create
NOTE: OvCoreId was set to '8b29f182-abc4-7524-0dd0-994660294927'.
# ovcoreid
NOTE: No OvCoreId is set.
# ovcoreid -set '8b29f182-abc4-7524-0dd0-994660294927'
NOTE: OvCoreId was set to '8b29f182-abc4-7524-0dd0-994660294927'.
# ovcoreid
NOTE: No OvCoreId is set.
# ovcoreid -set '8b29f182-abc4-7524-0dd0-994660294927' -force
NOTE: OvCoreId was set to '8b29f182-abc4-7524-0dd0-994660294927'.
# ovcoreid
NOTE: No OvCoreId is set.

Does anyone have any suggestions about what to try to get this working, or where to look for information that might help debug the problem?

Thanks for any help.

1 ACCEPTED SOLUTION

Accepted Solutions
Tony Cicone Absent Member.
Absent Member.
Solution

Re: Cannot create an OvCore ID

Try setting everything manually.

ovconfchg -ns sec.cm.certificates -set CERTIFICATE_SERVER

ovconfchg -ns sec.core -set CORE_ID

ovconfchg -ns sec.core.auth -set MANAGER

ovconfchg -ns sec.core.auth -set MANAGER_ID

I suppose if this all fails, you should remove the management server as a managed node and then re-add it.

opcnode -del_node node_name= net_type=NETWORK_IP

opcnode -add_node node_name= node_label=
17 REPLIES
Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Make sure you do not have any certificates.

#ovcert -list

Remove them if you do.

#ovcert -remove

Force the coreid change.

#ovcoreid -force -create
#ovcoreid -list

Request a new certificate from the managment server, and grant it.

You need to change the coreid for the node to the new one you have created.

(mgmtsv)#opcnode -chg_id id= node_name=
Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Thank you for the answer. Unfortunately, I made a mess of things, even though your instructions were fairly clear.

I had previously had problems with the certificates, and had run through the instructions located at the end of this thread: http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=738468&admit=-682735245+1180716138022+28353475

Sine you were suggesting doing the same sort of thing, I decided to go through the whole process again. I removed the main certificate, the CA_ certificate, and the -ovrg server certificate. Unfortunately, I then removed the CA_ -ovrg server certificate, which I believe was the one certificate I wanted to keep.

Have I hosed myself? Is there any way to get the certificate back? I still have the id of the certificate. Failing that, is there any way to regenerate the trusted CA certificate?

Sorry for the additional bother.
Martin Johnson Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Try using the Certificate Cookbook. I have had some success with it.



HTH
Marty
Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

When you say you removed the -ovrg certificate, does that mean you removed the certificate on the management server? If you mean you just removed the trusted certificates from the node, that's fine. You will get these back when you request a new certificate from the management server.
Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

No, I removed all 4 certificates that were listed on the management server machine, two for the node and two for the management server. I only intended to remove 3, but got distracted.

In any case, I restored a backup so that I could get around my blunder. But trying to follow your instructions, I still am unable to set the OvCoreId, and I can't generate a certificate for the management server either:

bash-3.00# ovcoreid -ovrg server
2d74b084-d188-7523-136d-ebd893db25e3
bash-3.00# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_2d74b084-d188-7523-136d-ebd893db25e3 |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_2d74b084-d188-7523-136d-ebd893db25e3 (*) |
+---------------------------------------------------------+

bash-3.00# ovcoreid -create -force
NOTE: OvCoreId was set to '6ded91f0-d11c-7524-1bdd-8e3a528d0d48'.
bash-3.00# ovcoreid
NOTE: No OvCoreId is set.
bash-3.00# ovcm -issue -file /tmp/certif -name sylvester -pass hidden -coreid 2d74b084-d188-7523-136d-ebd893db25e3
ERROR: (sec.cm.server-35) System has no OvCoreId set.





Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Sorry, I didn't know this was being performed on your management server. Try the following and see if it works.

Here's what I have normally.

(mgmtserver)# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
| 8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8cd6375c-5dee-7520-019d-b719ac90feff |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
| 8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+

Then I remove all my certificates, except for the trusted server one.

(mgmtserver)# ovcert -remove 8cd6375c-5dee-7520-019d-b719ac90feff
* Do you really want to remove the certificate with alias
'8cd6375c-5dee-7520-019d-b719ac90feff' (yes(y)/no(n))? yes
INFO: Certificate has been successfully removed.
(mgmtserver)# ovcert -remove CA_8cd6375c-5dee-7520-019d-b719ac90feff
* Do you really want to remove the certificate with alias
'CA_8cd6375c-5dee-7520-019d-b719ac90feff' (yes(y)/no(n))? y
INFO: Certificate has been successfully removed.
(mgmtserver)# ovcert -remove 8cd6375c-5dee-7520-019d-b719ac90feff -ovrg server
* Do you really want to remove the certificate with alias
'8cd6375c-5dee-7520-019d-b719ac90feff' (yes(y)/no(n))? yes
INFO: Certificate has been successfully removed.

Now I do not have any certificates, which is where you are now.

(mgmtserver)# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+

I changed my ovcoreid's so they are not the same for the node and management server.

(mgmtserver)# ovcoreid
3ea1f116-d158-7524-1c81-f2a0b99b7da3
(mgmtserver)# ovcoreid -ovrg server
8cd6375c-5dee-7520-019d-b719ac90feff

Now force a change of the coreid to the same as your -ovrg server coreid.

(mgmtserver)# ovcoreid -set 8cd6375c-5dee-7520-019d-b719ac90feff -force
NOTE: OvCoreId was changed from '3ea1f116-d158-7524-1c81-f2a0b99b7da3' to
'8cd6375c-5dee-7520-019d-b719ac90feff'.

Now they match.

(mgmtserver)# ovcoreid
8cd6375c-5dee-7520-019d-b719ac90feff
(mgmtserver)# ovcoreid -ovrg server
8cd6375c-5dee-7520-019d-b719ac90feff

Dump the certificate to a file for importing.

(mgmtserver)# ovcm -issue -file /tmp/mgmt.cert -name mgmtserver -pass ovo -coreid 8cd6375c-5dee-7520-019d-b719ac90feff
INFO: Issued certificate was written to file '/tmp/mgmt.cert'.

(mgmtserver)# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
| 8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+

Import the certificate for the node.

(mgmtserver)# ovcert -importcert -file /tmp/mgmt.cert -ovrg server
* Enter password:
INFO: Import operation was successful.

Import the certificate for the managment server.

(mgmtserver)# ovcert -importcert -file /tmp/mgmt.cert
* Enter password:
INFO: Import operation was successful.

Now we have certificates.

(mgmtserver)# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
| 8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8cd6375c-5dee-7520-019d-b719ac90feff |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
| 8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_8cd6375c-5dee-7520-019d-b719ac90feff (*) |
+---------------------------------------------------------+

Update the trusted certificates, and you should be good.

(mgmtserver)# ovcert -updatetrusted
INFO: Trusted certificate update was successful.
(mgmtserver)#
Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

But setting the ovcoreid is exactly what I cannot do, not even to match my management server:

bash-3.00# ovcert -list
+---------------------------------------------------------+
| Keystore Content |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
+---------------------------------------------------------+

+---------------------------------------------------------+
| Keystore Content (OVRG: server) |
+---------------------------------------------------------+
| Certificates: |
+---------------------------------------------------------+
| Trusted Certificates: |
| CA_2d74b084-d188-7523-136d-ebd893db25e3 (*) |
+---------------------------------------------------------+

bash-3.00# ovcoreid
NOTE: No OvCoreId is set.
bash-3.00# ovcoreid -ovrg server
2d74b084-d188-7523-136d-ebd893db25e3
bash-3.00# ovcoreid -set 2d74b084-d188-7523-136d-ebd893db25e3 -force
NOTE: OvCoreId was set to '2d74b084-d188-7523-136d-ebd893db25e3'.
bash-3.00# ovcoreid
NOTE: No OvCoreId is set.

Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Try this step.

(mgmtserver)# opcnode -chg_id id= node_name=
Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

What do these return?

(mgmtserver)# ovconfget sec.core

(mgmtsever)# ovconfget sec.core.auth
Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Still no joy:

bash-3.00# opcnode -chg_id id=2d74b084-d188-7523-136d-ebd893db25e3 node_name=sylvester
Operation successfully completed.
bash-3.00# ovcoreid
NOTE: No OvCoreId is set.
bash-3.00# ovcoreid -ovrg server
2d74b084-d188-7523-136d-ebd893db25e3
bash-3.00# ovcoreid -set 2d74b084-d188-7523-136d-ebd893db25e3 -force
NOTE: OvCoreId was set to '2d74b084-d188-7523-136d-ebd893db25e3'.
bash-3.00# ovcoreid
NOTE: No OvCoreId is set.

Thanks a lot for the effort you are going to in order to solve my problem. Have you any other ideas?
Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Sorry, didn't see the later message at first. I get nothing back from those two commands:

bash-3.00# ovconfget sec.core
bash-3.00# ovconfget sec.core.auth
bash-3.00#
Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

What does this return?

#ovconfget sec.cm.client

Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Again, nothing:

bash-3.00# ovconfget sec.cm.client
bash-3.00#
Tony Cicone Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

It doesn't seem like the node was completely installed. Try this.

(mgmtsrv)# /opt/OV/bin/OpC/install/opc_inst -srv -cert_srv

Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

I feel like I am in a Catch-22 situation. Everything I need to do to fix the ovcoreid requires that the ovcoreid be set. :-)

Here is the output from running the installation command:

bash-3.00# /opt/OV/bin/OpC/install/opc_inst -srv sylvester.alarmpoint.com -cert_srv sylvester.alarmpoint.com
OVO Maintenance script starts Mon Jun 4 11:52:49 PDT 2007.
A backup copy of OVO settings found in
/var/opt/OV/log/OVO_settings_backup.log. To restore it,
copy it back to /var/opt/OV/conf/xpl/config/local_settings.ini
No packages were found in currect directory.
WARNING: OVO Maintenance script ends Mon Jun 4 11:54:34 PDT 2007 with error
in activation phase.
Check /var/opt/OV/log/opc_inst.log for more details.

Checking the log file revealed this:

ERROR: OV Comm.Broker on server is not reachable
Executing 'ovbbccb -ping sylvester.alarmpoint.com' failed.
Check if ovbbccb on sylvester.alarmpoint.com is running,
start it manually 'ovc -start ovbbccb',

Trying to run the given command gives me this:

bash-3.00# ovc -start ovbbccb
Error getting OvCore ID.
bash-3.00#

"You are in a maze of twisty little passages, all alike"
Tony Cicone Absent Member.
Absent Member.
Solution

Re: Cannot create an OvCore ID

Try setting everything manually.

ovconfchg -ns sec.cm.certificates -set CERTIFICATE_SERVER

ovconfchg -ns sec.core -set CORE_ID

ovconfchg -ns sec.core.auth -set MANAGER

ovconfchg -ns sec.core.auth -set MANAGER_ID

I suppose if this all fails, you should remove the management server as a managed node and then re-add it.

opcnode -del_node node_name= net_type=NETWORK_IP

opcnode -add_node node_name= node_label=
Bruce Atherton Absent Member.
Absent Member.

Re: Cannot create an OvCore ID

Bingo. That helped me find the problem.

I tried running the first command and got this:

bash-3.00# ovconfchg -ns sec.cm.certificates -set CERTIFICATE_SERVER sylvester.alarmpoint.com
(xpl-273) Error occurred when loading configuration file '/var/opt/OV/conf/xpl/config/local_settings.ini'.
(xpl-272) Syntax error in line 1.
(xpl-271) Missing first namespace section.
(xpl-278) Processing update jobs skipped.
(xpl-273) Error occurred when loading configuration file '/var/opt/OV/conf/xpl/config/local_settings.ini'.
(xpl-272) Syntax error in line 1.
(xpl-271) Missing first namespace section.

Looking at local_settings.ini, it looked like a fragment of an Apache configuration file rather than an INI file. Not knowing what else to do, I deleted the node. Then I got lucky. I received a copy of a working local_settings.ini file from another installation and tweaked it to match my environment. Now I when I set the ovcoreid and it stayed on.

So I've re-added the node now and regenerated and installed all of my certificates. I'll play around and see if everything works after all this.

Thanks a lot for all your help, you were a real trooper in following up. How the file became corrupted I can only guess. My suspicion is that there was a drive disconnected in some way without a sync, but I don't really know. It makes me nervous about the rest of the installation, though.