HP JetAdvantage Security Manager Troubleshooting Manual

Technical white paper

HP JetAdvantage Security Manager

Troubleshooting Issues

Table of Contents

Overview ............................................................................................................................................. 1

Log Files and Enabling Debugging ..................................................................................................... 1

Security Manager Log Files Locations ......................................................................................................... 1

Enabling HP JetAdvantage Security Manager debugging (service int eractions) ....................................... 4

Enabling HP JetAdvantage Security Manager debugging (device communication issues) ....................... 5

Enabling HP JetAdvantage Security Manager debugging (Certificate Management) ............................... 7

Enabling HP JetAdvantage Security Manager debugging (SCEP issues) ................................................... 8

Enabling HP JetAdvantage Security Manager debugging (EST issues) ...................................................... 8

Enabling HP Print License Service debugging ............................................................................................. 8

Enabling logging for Qualys Policy Compliance .......................................................................................... 9

Audit log files ................................................................................................................................................ 9

Installation Issues ............................................................................................................................ 10

Common SQL issues ................................................................................................................................. 10

Database Upgrade Failure

Using SQL script to repair/upgrade/install the database ........................................................................ 14

Problems Launching Security Manager Web Interface .................................................................. 17

Issues when running HPSM Application Pool: web page not displayed ................................................. 17

Bindings/firewall problem .................................................................................................................................. 17

Browser settings causing issues........................................................................................................................ 19

Issues when running HPSM Application Pool as network service (sql exception) ................................. 19

32-Bit Applications not enabled for hpsm application pool ........................................................................... 20

........................................................................................................................ 13

Issues when running HPSM Application Pool as non-admin user or service account (error 503) ........ 21

Access Denied when trying to logon to HPSM ......................................................................................... 23

Licensing Issues ................................................................................................................................ 23

Licensing Issues in multi-homed environment: Failed to connect to licensing server .......................... 23

Other Licensing Issues .............................................................................................................................. 24

Required Network Ports .................................................................................................................. 26

Ports Diagram................................................................................................................................... 31

Changing Firewall Settings and Testing Open Ports ........................................................................ 32

Proxy for Network Service Blocking Communication ...................................................................... 34

Device Status Errors and Credential Failures .................................................................................. 35

Credential Management ............................................................................................................................ 33

SNMP ..................................................................................................................................................................... 34

Admin (EWS) Password ...................................................................................................................................... 35

Check Credentials Example ............................................................................................................................... 35

Device Communication Log Files .............................................................................................................. 37

Hanging tasks ................................................................................................................................... 38

Hung Tasks vs. Slow Tasks ....................................................................................................................... 38

Credential Failed or Network Connection Error Impacting Performance ..................................................... 38

Performance Impact of Instant On Remediations ........................................................................................... 39

Growing Database and Nightly Maintenance failing ....................................................................... 41

Certificates Installation Failures ...................................................................................................... 43

Using Network Traces for Troubleshooting .................................................................................... 43

Using Event Viewer for Troubleshooting ......................................................................................... 43

Appendix A Following a task in HPSM_service.log .......................................................................... 44

Overview

HP JetAdvantage Security Manager is a security compliance software used to assess and remediate a fleet of devices against a desired security policy. This document provides troubleshooting techniques to use if issues arise when either installing or running Security Manager. As with any software, challenges can be presented by servers, operating systems, networks, devices, etc. Security Manager relies upon Microsoft IIS and SQL Server, both of which can present challenges as well. While this document discusses known issues, new issues are always going to be encountered. Successful troubleshooting always involves removing variables to determine root cause. Google is also an excellent troubleshooting tool as most errors are generic Microsoft errors and are likely encountered by users of other software.

Log Files and Enabling Debugging

Log files are always an excellent place to start looking for clues as to why an issue occurred. There are three areas where logs reside: Security Manager, licensing, installation. Debug logging can also be enabled to produce more verbose logging if needed.

Security Manager Log Files Locations

Log files created by HP JetAdvantage Security Manager service:

The service HP JSM creates log files in two different directories:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log

C:\Program Files (x86)\HP JetAdvantage Security Manager\WebApp\log

Log file created by HP Print License Service:

C:\ProgramData\HP\HP Print License Service Files\HPPLS.log

Log file created when interacting with SCEP server:

C:\Program Files (x86)\HP JetAdvantage Security Manager\PkiProviders\log

Log file created by FlexeraLicensingService:

C:\ProgramData\HP\HP Print License Service Files\Flexera.log

Log file created by the security manager installer:

C:\Users\”username”\AppData\Local\Temp

Note: This file will begin with “MSI” and end with “.log” but will contain random characters in the middle as this is produced by the Microsoft Windows installer.

Enabling debug logging is sometimes crucial for finding clues on issues such as hanging or slow tasks.

There are two places debug can be enabled. One is in the services area where the HPSM_service.log is filled with debug statements. The other one is in what is called the DAT layer responsible for

communications to and from devices. Two log files in particular named EapNetworkLIb.log and EapDevice.log capture all data to and from devices, and debug statements can be added to these files to

see if devices are responsible for hangs.

HPSM 3.4 and older is using the UTC timestamp for the EAP*.log files and localtime for all other log files. In order to get the same timestamps in all log files, do the following:

1. Open the file EapLogConfig.XML in the directory C:\Program Files (x86)\HP JetAdvantage Security

Manager

2. Replace %utcdate entries with %date

3. After making the changes, restart the HP Jetadvantage Service

In Security Manager 3.0 and later versions, both areas of debug can be enabled by configuring settings in two configuration files and restarting the Security Manager service.

For Security Manager 2.1.5 and earlier, only the service debug can be enabled and a special build of Security Manager has to be produced to turn on DAT debugging.

Enabling HP JetAdvantage Security Manager debugging (service interactions)

To enable debugging for non-device specific issues (like problems starting a task, problems starting the service, edit the following lines in the HPSM_service.exe.config file. Make changes highlighted below in yellow and restart the HP JetAdvantage Security Manager service:

<appender-ref ref="ServerAppender" /> </logger> <logger name="NHibernate.Loader.Loader">

<appender-ref ref="ServerAppender" /> </logger> <logger name="Assessment">

<appender-ref ref="ServerAppender" /> </logger> <logger name="Common">

<appender-ref ref="ServerAppender" /> </logger> <logger name="Data">

<appender-ref ref="ServerAppender" /> </logger> <logger name="Task">

<appender-ref ref="ServerAppender" /> </logger> <logger name="Service">

<appender-ref ref="ServerAppender" /> </logger> <logger name="WCF">

<appender-ref ref="ServerAppender" /> </logger>

The Data logger (highlighted in green) refers to the interactions between the HPSM service and the SQL database. Thus INFO level for the Data logger is fine for troubleshooting non-database related issues.

HPSM 3.4 introduced auto group policies. In order to see in the debug logs the order in which tasks are executed the enableTaskSequencingLogging must be set to true.

Note: These additional log settings will only be available if the logger value for the logger name

Service is set to DEBUG.

By default the logs will roll over when they reach 100 MB in size, and each log will only roll over once before they start to become deleted in each subsequent rollover. These values can also be configured in each of the configuration files mentioned above by changing the following entries:

Enabling HP JetAdvantage Security Manager debugging (device communication issues)

To enable debugging for issues related to device communication, edit the following lines in the EapLogConfig.xml file. Make changes highlighted below in yellow and restart the HP JetAdvantage Security Manager service:

<!--

**LOGGER DEFINITIONS FOLLOW**

Logging levels represented in order of increasing priority (e.g.

ALL includes everything below it, but excludes INFO):

To turn all logging off use:

-->

<logger name="EapDeviceLibrary">

</logger>

</logger>

</logger>

</logger>

<!-- ERRORs shown in this log file are expected, therefore it's off

by default -->

</logger>

</logger>

</logger>

</logger>

Brief explanation of the different log files:

• EapDeviceLibrary: This log shows general information like DAT version, the values returned from

device, which methods will be used, etc.

• Pipeline: This log shows the methods (pipelines) to perform different operations. This helps to

identify errors/exceptions in pipeline steps.

• Results: This gives the names of the config items which are processed.

• EapNetworkLib: This log shows the device communications. This helps to identify the retries,

timeouts, etc.

• McoTranslation: This log file shows methods (pipelines) for custom processes. This helps to

identify errors/exceptions in custom processes.

• Bindings: This log shows which interface of the device has been selected. Normally not needed to

enable debug mode for this, only in cases with errors like McoNotFound, McoNotSupported is listed in other log files.

Enabling HP JetAdvantage Security Manager debugging (Certificate Management)

When HPSM is interacting with a Microsoft (Standalone or Enterprise CA), OpenTrust CA or Symantec CA, it’s

using the Certificate Management log files (HPCM.log). These log files are located in three locations:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log C:\Program Files (x86)\HP JetAdvantage Security Manager\PkiProviders\log C:\Program Files (x86)\HP JetAdvantage Security Manager\WebApp\log

Debug logging for ID Certificate requests can be enabled in two files:

C:\Program Files (x86)\HP JetAdvantage Security Manager\HPSM_Service.exe.config C:\Program Files (x86)\HP JetAdvantage Security Manager\WebApp\Web.config

Make the following changes highlighted:

<appender-ref ref="HPCMAppender"/>

</logger>

The changes in the HPSM_Service.config file require a restart of the service HP JetAdvantage Security Manager and will enable the debug logging for the HPCM.log file in the following directories:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log C:\Program Files (x86)\HP JetAdvantage Security Manager\PkiProviders\log

The last file will contain information about the interaction with the CA server. The changes in the Web.config file require a restart of IIS (or recycle the application pool hpsm) and will enable the debug logging for the HPCM.log file in the directory:

C:\Program Files (x86)\HP JetAdvantage Security Manager\WebApp\log

Enabling HP JetAdvantage Security Manager debugging (SCEP issues)

SCEP debugging can be enabled in the HPSM_Service.exe.config file. Make changes highlighted below in yellow.

</logger>

The changes in the HPSM_Service.config file require a restart of the service HP Jetadvantage Security Manager and will enable the debug logging for the SCEP.log file in the following directories:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log C:\Program Files (x86)\HP JetAdvantage Security Manager\PkiProviders\log

The last file will contain information about the interaction with the SCEP server.

Enabling HP JetAdvantage Security Manager debugging (EST issues)

EST debugging can be enabled in the HPSM_Service.exe.config file. Make changes highlighted below in yellow.

</logger>

The changes in the HPSM_Service.config file require a restart of the service HP Jetadvantage Security Manager and will enable the debug logging for the Est.log file in the following directories:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log C:\Program Files (x86)\HP JetAdvantage Security Manager\PkiProviders\log

Note: The EST plug-in is available from HPSM 3.5 onwards.

Enabling HP Print License Service debugging

To enable debugging for the HP Print License Service, edit the following lines in the HP.Print.License.Host.WindowsService.exe.config file in the following directory:

C:\Program Files (x86)\HP JetAdvantage Security Manager\HP Print

License Service

Make changes highlighted below in yellow, then stop the service HP JetAdvantage Security Manager and then stop the HP Print License Service. Restart first the HP Print License Service and after that restart the service HP JetAdvantage Security Manager.

<appender name="FileAppender"

type="log4net.Appender.RollingFileAppender">

<param name="File" value="C:\ProgramData\HP\HP Print License

Service\HPPLS.log" />

<param name="ConversionPattern" value="%d [%t] %-2p %c - %m%n"

</layout> </appender> <root>

<!--Possible value for level

1.ALL

2.DEBUG

3.INFO

4.WARN

5.ERROR

6.FATAL

7.OFF

-->

<appender-ref ref="FileAppender" />

</root>

</log4net>

Enabling logging for Qualys Policy Compliance

HPSM 3.5 offers service integration with Qualys. In Qualys debugging can be enabled in the HPSM_Service.exe.config file. When enabled log entries will be created when printer assessment results are sent to Qualys. Password are not transmitted to Qualys, only the password assessment result itself. To enable debugging for the Qualys policy integration, make changes highlighted below in yellow.

The changes in the HPSM_Service.config file require a restart of the service HP Jetadvantage Security Manager and will enable the debug logging for the Qualys.log file in the following directories:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log

Audit log files

Besides the debugging log files, Security Manager logs events for who did what and when in two different Audit logs:

• C:\Program Files (x86)\HP JetAdvantage Security Manager\

WebApp\log\HPSM_WebAudit.log

This file will have events that are triggered from the user.

• C:\Program Files (x86)\HP JetAdvantage Security Manager\log\

HPSM_ServiceApp.log

This file contains events about stopping/starting service and license limitations.

This file will have events that are triggered from HPSM service. An explanation of entries in those log files, can be found in the whitepaper Reporting, Email Alert Subscriptions & Remediation Summary, Auditing &

Syslog Functionality under the section HPSM User Activity Logging (Auditing)

Installation Issues

Security Manager uses the Microsoft installer for installing and upgrading the software. If anything goes wrong during installation, the logs file for the installation attempt may provide some clues.

For proper Security Manager installation and operation, specific Microsoft software must be present. The requirements are listed below:

•

Microsoft SQL Server Systems CLR Types [x86] - (part of installation script)

•

Microsoft SQL Server Systems CLR Types [x64] - (part of installation script)

•

Microsoft Primary Interop Assembly - (part of installation script)

•

Microsoft Report Viewer 2012 Runtime - (part of installation script)

•

Microsoft .NET Framework 4.6.1 or greater - (install prior to installation script)

•

Microsoft .NET Framework 3.5 or greater - (install prior to installation script)

•

Microsoft SQL Server Database - (see supported databases above)

•

Microsoft Internet Information Services (IIS) - (part of installation script)

If these are not present on the system, the installation process installs some of the required software. If errors occur when launching Security Manager related to the Microsoft Primary Interop Assembly or Report Viewer, there is a chance that the installer saw them installed thus did not attempt to install them. However, they may be bad versions that had been installed from some other application. It may be required to download and install newer versions from Microsoft.

The installer checks for the presence of IIS and attempts to enable it and necessary configuration elements if not present. The installer also provides an option to install SQL Express if desired or to use an existing SQL server location. It launches a series of SQL scripts to ensure the database is at the current schema version to match the software version. Proper permissions need to be present for the user running the upgrade on the SQL database in order for the installer to upgrade the database.

Recommended .NET versions are .NET 3.5 and 4.6.2. Earlier versions of .NET can be used such as 4.6.1, but some issues were seen in testing on Windows 10 and Windows Server 2016 operating systems using these older versions.

Common SQL issues

By far the most common reason an installation goes awry is related to SQL issues. Whether using local or remote SQL Server, Express or Full, the rules are essentially the same. In every case, Security Manager needs access to a SQL server instance. It can either create a new database, upgrade an existing database, or attach to an existing database, depending upon the situation and the user rights. If Security Manager is instructed to install SQL Express on the local machine, a SQL instance and database for Security Manager will be created by the Security Manager installer. If Security Manager is pointed to an existing local or remote SQL server and instance during installation, proper rights must be present for the user running the installation to be able to create or update a SQL database wherever SQL server may reside. Proper rights

must also exist on the database itself for the user which the Security Manager service runs under to be able to read from and write to the database.

KEY POINT: Just to reiterate, for installing and upgrading Security Manager, the user who is logged into

the machine and running the installer executable must have proper rights on the SQL server to either create a database or update an existing database. All the installer does is run SQL scripts to create or alter a database, and naturally any user running those commands needs to have proper SQL rights. In this case it is the Windows user who is running the installer.

Creating a database requires Create database rights on the SQL instance. Upgrading an existing database requires DBO rights on the database. For normal operation of Security Manager after installation, the user running the Security Manager service (default as Network Service) needs to have permissions to at least read and write to the database, DBO rights preferred.

Each Security Manager installation must point to its own unique database, multiple installations cannot share a database. The instance can be named or default, and the instance can have as many databases it desires including a Web Jetadmin database, but there will be only one HPSM database. Several techniques are available to allow Security Manager to install/use a SQL database in any location.

There are three scenarios where Security Manager will interact with Microsoft SQL:

• Creating a database during installation of Security Manager

• Upgrading a database during upgrading of Security Manager from one version to another

• Running Security Manager to manage security features on a fleet of devices

Each scenario requires a different set of SQL rights for potentially different users.

• Create Database – Windows user running the installer executable needs at minimum Create

Database rights on the SQL instance. SA rights would certainly work.

• Upgrade Database – Windows user running the installer executable to upgrade versions needs

DBO rights on the database to perform potential commands on the database such as insert, update, alter, create table.

• Run Security Manager – the Windows account that runs the Security Manager service (default of

Network Service) needs DBO rights on the database to perform operations such as reading and writing. NOTE: The “HP JetAdvantage Security - Using SQL Server” whitepaper explains how to run with less rights or a different account if desired.

The first sign of trouble if something goes wrong might be an error when launching Security Manager that indicates the SQL database cannot be opened.

Clues can be found in the following log file:

C:\Program Files (x86)\HP JetAdvantage Security Manager\log\HPSM_Service.log

A successful login attempt will display the server\instance, database name, database version and Security manager version

2018-01-11 11:31:29,338 INFO Service [4] - TaskSupervisor.Init - HPSM Starting

2018-01-11 11:31:41,427 INFO Service [4] - Successfully started DSSessionVariables() - hibernate session

2018-01-11 11:31:41,430 INFO Service [4] - ScheduleTaskManager.RetryDBConnection Testing DB connection to: Server=(local)\EXP2014;initial catalog=HPIPSC;Integrated Security=SSPI;

2018-01-11 11:31:41,437 INFO Service [4] - - Done TestDBConnection

2018-01-11 11:31:41,437 INFO Service [4] - ScheduleTaskManager.RetryDBConnection Testing DB connection successfull to: Server=(local)\EXP2014;initial catalog=HPIPSC;Integrated Security=SSPI;

2018-01-11 11:31:41,593 INFO Service [4] - Service Starting up - Init()

2018-01-11 11:31:42,571 INFO Service [4] - Service Version: 3.1.0.65238

2018-01-11 11:31:42,594 INFO Service [4] - Shrinking the DB log file

In the error above, the message indicates that Windows Authentication is attempting to login the user the Security Manager runs under (Network Service in this case) into the correct remote server\instance name but is being rejected. This would happen if Network Service did not have DBO rights to use the database. Use SQL Management Studio to confirm the user running the Security Manager service has DBO rights.

Also, make sure the Security Manager service was restarted after making the changes to the database rights.

Ensure the HPSM_Service.exe.config file contains the correct entries:

• The server or instance name is not correct. Double-check the spelling of each.

It is possible network related issues are preventing the connection to the remote instance. Common troubleshooting steps include:

• Fully qualify the remote SQL server name in the configuration file if name resolution issues are

present or use the IP address instead of the hostname.

• TCP/IP must be enabled on the remote SQL server instance. Use SQL Server Configuration

Manager to confirm.

• Check firewall settings to ensure the port that is used for the remote connection is open. The

default port is 1433.

• SQL Server may default to using a dynamic port. Either configure to use a fixed port or start the

SQL Browser service to allow for remote connections.

• Use SQL Management Studio and/or Windows ODBC to connect to the remote SQL server/instance

from the same machine as Security Manager to at least prove a Windows user account can access the server/instance from the Security Manager machine.

• If the HPSM_Service.log indicates table columns are missing, the database may not have been

upgraded due to insufficient rights by the user running the upgrade. This scenario is described earlier in this document with steps on how to uninstall/reinstall to rectify.

• The database tables should always begin with dbo as the schema i.e. dbo.DeviceTable. If some of

the tables begin with a Windows username as the schema, it is very likely that the user who upgraded or created the database was a member of a Windows group when assigned SQL rights. The default schema for a user can be defined by using the DEFAULT_SCHEMA option of CREATE USER or ALTER USER. If no default schema is defined for a user account, SQL Server will assume dbo is the default schema. It is important note that if the user is authenticated by SQL Server as a member of a group in the Windows operating system, no default schema will be associated with the user. If the user creates an object, a new schema will be created and named the same as the user, and the object will be associated with that user schema. The fix to this scenario is to either rename the schema in the affected tables to indicate dbo, or better yet, assign a default schema of dbo to the Windows group to which the user belongs.

Database Upgrade Failure

A very common scenario involves the installer completing the installation, but improper rights were present on the account running the installer to upgrade the SQL database tables. When this happens, you have a new Security Manager version trying to use older SQL tables. The log files are filled with statements indication tables and/or columns are missing the database.

Two options exist in the case:

• Roll back to the previous version

• Attempt to repair the database to match the Security manager version

To roll back to the previous version, uninstall Security Manager under Programs and Features, but when

asked if you would like to delete the database, select No.

Finish the uninstall, keeping the license files intact when asked. Install the previous version, pointing to the remote server\instance where the database still resides. Since the database was never upgraded when Security Manager was upgraded earlier, it should still match the previous Security manager version and work fine with it. Now ensure proper rights are in place before attempting the upgrade again.

Using SQL script to repair/upgrade/install the database

SQL scripts are also available that can repair the database and upgrade it to match the Security manager version to update the database. This is certainly a much faster resolution to the problem. The scripts are installed with HPSM (InstallSqlScripts.zip in the directory C:\Program Files (x86)\HP Jetadvantage Security Manager) and can be run by someone such as the DBA who has proper rights to upgrade the database. The SQL scripts are run manually from a command prompt. They essentially mimic the SQL files the installer runs when “install a new or update an existing database” is selected. The script is launched by executing a batch file named InstallDBRMT.bat from a command prompt.

When you run the SQL scripts from a command line, you must use the proper syntax It won’t tell you if your syntax is bad, but the log files that are created in the folder where you ran the scripts will be full of errors, if the syntax is bad.

Proper syntax for SQL server instance on same machine where you are running scripts:

installdbrmt .\instance

installdbrmt server\instance

The “.\” just means same server, you can just as easily specify the server even though it is the same machine you are on.

Proper syntax for SQL server instance on remote machine where you are running scripts:

installdbrmt server\instance

If a default instance is used, you should be able to just enter the server name, SQL knows if no instance is specified then use the default instance.

BAD SYNTAXES:

installdbrmt \server\instance

installdbrmt instance

If you use bad syntaxes, the command line will appear as if it is creating tables. It isn’t. Log files are created in the same folder containing the scripts. The logs will be filled with errors if permissions are not correct or improper syntax was used.

The script first looks to see if the database is present. If not present, the script will create the database as long as the user running the script has Create Database rights on the SQL instance. If an existing database is present, the script walks through a routine to see what schema is present and updates to the latest schema, as long as the user running the scripts has DBO rights on the database After the script completes, restart the HP Security Manager service. All should be well as the software and database now match schema versions. See the whitepaper titled “HP JetAdvantage Security Manager – Using Microsoft SQL Server” for more information on running the SQL scripts.

If Security Manager still generates errors while attempting to launch or just hangs indefinitely, the database is probably still not upgraded. If you have a new Security Manager trying to use an old database, statements appear over and over in the service log indicating required tables aren’t present:

2018-01-04 14:33:53,731 ERROR NHibernate.Util.ADOExceptionReporter [4] - Invalid object name 'ScheduledReportsTable'.

In this example, ScheduledReportsTable is a new table only available in the 3.1 version of Security Manager, and it is complaining it can’t find the table. That is very typical of new version using an old database.

Here is a screen shot generated by viewing the database using SQL Management Server showing the table that provides the database schema version. It should be version 7 for Security Manager 3.1. The HPSM_Service.log file also indicates the schema version. Notice too how there is a dbo.ScheduledReportsTable. That is another quick method to see if the database is upgraded or not.

Reasons why this can happen include:

• The account running the Security Manager installer doesn’t have DBO rights on the database

during an upgrade.

• The user chooses “connect to and existing database” instead of “install or upgrade an existing

database” during an upgrade attempt but the database was never upgraded manually using the

SQL scripts.

• The SQL scripts are run to manually upgrade the database but the account running the scripts

does not have DBO permissions on the database to upgrade it.

• The SQL scripts may be the broken ones included in the Security Manager folder of version 3.1.

• The SQL scripts are run using the wrong syntax on the command line

Problems Launching Security Manager Web Interface

Issues when running HPSM Application Pool: web page not displayed

Bindings/firewall problem

The Security Manager browser-based interface requires Internet Information Services (IIS) in order to operate. The installer will verify that IIS is enabled with the proper settings enabled and will offer to enable the proper settings if desired. The Installation Guide specifies the proper IIS setting to be enabled if it is desired to perform manually. If the installer fails to set some of the IIS settings, it may be necessary to configure them manually. Since the installer is attempting to enable IIS, it may prompt for a machine restart. You can use IIS Manager under Administrative Tools to determine if the HPSM application pool and HPSM web site are present and configured properly.

An easy test to determine if IIS is functioning properly is to see if you can browse to the default IIS web

page: http://localhost:80. If you can’t browse to the default page, it is likely you won’t be able to

browse to the Security Manager page either.

When you still cannot access the web page, you might get the following error message in your browser when Security Manager is launched in a browser :

If the application pool is still running after attempting to reach the page, then there is a binding problem of firewall problem .

If it is desired to change this port, or if the port is being blocked, it can be changed by configuring the bindings for the HPSM web site under IIS Manager. Expand Sites in the left pane, click on hpsm and click on Bindings.

Make sure that Type is set to https, Port to 7637 and that as an SSL certificate the HP Security Manager Self signed self-certificate or a server certificate is selected. Change it to a different port if it’s blocked by the firewall or open the port in the firewall.

The self-signed certificate allows the data to be encrypted between client and server, while an existing server certificate not only encrypts data but also provides trust that the server is who it says it is. IIS will always search and bind for the server certificate in the personal store of computer account. An identity certificate needs to be of the type “Server Authentication” in order to provide trust.

Issues have been seen in cases where there are multiple certificates to choose from with the same name

+ 44 hidden pages