on 10-30-2012 11:38 AM
Hi All,
I'm in the midst of preparing for the installation of BCM 7.0 SP3. I have some doubts around HAC node setups and the certs required for Connection Server, Internal Server and the .p7b cert from the CA server.
We plan to install all BCM components on one single server as part of a demo; we don't have an HA/Virtual Unit setup.
So no HA setup, and we also don't need to generate the cert related to this..? I should be able to log in to IA without the cert, can I? I could see there's an option to specify the Connection Server cert in the "Connection" dialog pop-up.
I could totally skip the "Certificates" part of the installation guide, as it's not relevant...?
Appreciate your help,
Thanks,
Hello Ramesh,
You can login into IA without a certificate, but for everything else you need a certificate, so it is really a must in SAP BCM7.
Please refer to the how-to video on certificate creation for step-by-step instructions: http://scn.sap.com/docs/DOC-30223
Kind Regards,
Tomi
Background: I followed the instructions, but when I submit the .req from the BCM server, I don't see any pending request in the CA server, nor is one available from http://<CASERVERHOSTNAME>/certsrv/
Any idea..?
Attached doc with screenshot: http://www.scribd.com/doc/111774777/BCM-Generating-Connection-Server-Cert
1. Followed the example found in Examples and Templates on the installation media.
2. COS.INF
[NewRequest]
Subject = "CN=COS.DOMAINAME.COM,O=DOMAIN,OU=SAP,L=EASTEND,S=ENGLAND,C=GB"
Exportable = TRUE
KeySpec = 1
KeyLength = 2048
MachineKeySet = TRUE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
Note: there wasn’t any extra space after the OID .1 as above.
3. In BCM Server, logged in as <sid>adm, open up cmd as administrator,
locate COS.INF and run the command below, which created the cos.req file:
certreq -new cos.inf cos.req
4. In BCM Server performed the steps below: open up the link http://<CASERVERHOSTNAME>/certsrv/
Click on Request a certificate
5. Click on Advanced certificate request
6. Click on Submit a certificate request by using a base-64-encoded CMC......
7. Copy and paste the cos.req encrypted key into the saved request box. Ensure there wasn't any extra space after the ----
Hit submit when you're done.
8. As per the instruction, I hit Home.
9. I asked my IT admin to log in to the CA directly and check if there is any pending request. As per the screenshot below, taken from the CA server, there wasn't any pending request though.
Below instruction, taken from BMC_7_Example_SP3.pdf
Well, I don't see anything on the CA server though. Why is this so?
But when I go back to the BCM server and access http://<CASERVERHOSTNAME>/certsrv/
then View the status of a pending certificate.....
I don't see any pending request, so where has the cert request gone...? Why is this not working when I followed the instructions exactly...?
Well, I managed to solve the .cer certificate generation by doing a good clean-up, as in the steps below, but I still can't bring up the IA. I'm not sure the errors are related to the cert, but it does look like it, as though BCM is trying to connect to the CA server to verify the authentication and it fails, probably because the user is just a <sidadm> in the BCM server and requires Admin access in the CA server? Will try to perform this as Admin of the CA server to generate the .cer? Next trial and error session...
Error
ERR> Peer/00D28540 [BCM00]: Connection server SSL open failed to [this.bcm.server.ip.address:21012] IssuedTo: COS.DOMAIN.COM IssuedBy: <sidadm> Store: HKLM/My
ERR> PeerManager/00D27F98: Error occurred while peer is going online: protocol error: TLS server open failed
ALW> Using working directory <C:\SAP\BCM\VU\BCM00\bin\>
WRN> Failed to initialize statistics : Error = [-4]
I perform this in BCM
1. delete 2 old COS/BCM .cer in mmc > Certificate > Personal > Certificate
2. delete .p7b cert in mmc > Certificate > Trusted Root Certification Authority > Certificate
3. reboot server
4. upload .p7b cert in mmc > Certificate > Trusted Root Certification Authority > Certificate
5. start submitting the .req for COS/BCM via http://CAHOSTNAME/certsrv
6. The last time around, when I submitted I didn't see it under "pending request via IE" nor in the CA server; also I didn't see the private key symbol, which is required. So this time around, once submitted, download directly as Base 64. Still I don't see the private key symbol though. Follow step 6 below.
7. Open up cmd as administrator and run certreq -accept cos.cer; then you will be able to see cos.cer automatically installed in mmc > Certificate > Personal > Certificate > cos.cer, and you will see the private key symbol.
8. Hope this is correct.
I perform this in BCM IA
Infra Admin (IA)
9. added HAC node, named as BCM00, entered this BCM server ip address, ok, then set as local HAC Node click ok on home dir.
10. select base installation, ok, contain complete media file.
11. expand the block Deployment Variables for High Availability Controller.
Edit the properties:
HAC Administration Users DOMAIN\<sid>adm
Internal Server Certificate Common Name BCM.DOMAIN.COM
Internal Server Certificate Issuer <sid>adm
Client Certificate Common Name COS.DOMAIN.COM
Client Certificate Issuer <sid>adm
HAC Service Logon User Account DOMAIN\<sid>adm
Password for HAC Service Logon User Account ********
12. save, apply all the changes and saved Model.wim at C:\SAP\BCM\VU\BCM00\etc
13. SAP BCM services created, and the log-on user is domain\<sidadm>; service started fine, no issue.
14. connection > connect to
Username DOMAIN\<sid>adm auto populated, Certname: COS.DOMAIN.COM auto populated, entered password and ok.
15. Well, within 20 sec it goes down, to health status failed.
Alarm.log
<ALARM NAME="INIT" SEVERITY="NOTIFY" TIME="2012-11-02 08:51:50">
<PROCESS>HAC</PROCESS>
<INSTANCE>BCM00</INSTANCE>
<HOST>DOMAIN</HOST>
<REASON>INIT OK</REASON>
</ALARM>
<ALARM NAME="PROCESS" SEVERITY="NOTIFY" TIME="2012-11-02 08:51:50">
<PROCESS>HAC</PROCESS>
<INSTANCE>BCM00</INSTANCE>
<HOST>DOMAIN</HOST>
<REASON>PROCESS OK</REASON>
<DESC>Main thread restarted</DESC>
</ALARM>
<ALARM NAME="ELEMENT0" SEVERITY="MINOR" TIME="2012-11-02 08:52:11">
<PROCESS>HAC</PROCESS>
<INSTANCE>BCM00</INSTANCE>
<HOST>DOMAIN</HOST>
<RELATES>Admin node [Remote IA]</RELATES>
<REASON>element failed</REASON>
<DESC>A system model element has failed due to reason in additional data</DESC>
<DATA>No connection to node within silent loss time</DATA>
</ALARM>
HAC_DOMAIN_BCM00.log
08:51:50.161 (03028/ServiceMain) INF> *** Service main thread started <SAP BCM HAC BCM00> ***
08:51:50.161 (03028/ServiceMain) INF> Set service status [2=START PENDING]: ExitCode=[0], WaitHint=[3000]
08:51:50.162 (03028/ServiceMain) INF> Service initialization started
08:51:50.162 (03028/ServiceMain) ALW> Start HAC Service <SAP BCM HAC BCM00>
08:51:50.162 (03028/ServiceMain) ALW> HAC version: 7.0.3.100
08:51:50.162 (03028/ServiceMain) ALW> Using working directory <C:\SAP\BCM\VU\BCM00\bin\>
08:51:50.163 (03028/ServiceMain) WRN> Failed to initialize statistics : Error = [-4]
08:51:50.163 (03028/ServiceMain) INF> Instance parameters read from registry.
08:51:50.163 (03028/ServiceMain) INF> Using the system configuration data from file <C:\SAP\BCM\VU\BCM00\etc\hacmodel_BCM00.xml>.
08:51:50.163 (03028/ServiceMain) INF> ELEMENT [New system] ID [1]: Role set to [ACTIVE]
08:51:50.164 (03028/ServiceMain) INF> ELEMENT [BCM00] ID [3]: Role set to [ACTIVE]
08:51:50.164 (03028/ServiceMain) INF> ELEMENT [BCM00] ID [3]: Status set to [INACTIVE] due to Detected power off
08:51:50.164 (03028/ServiceMain) INF> ELEMENT [BCM00] ID [3]: Status set to [UNKNOWN] due to went offline
08:51:50.164 (03028/ServiceMain) INF> Admin node [Remote IA]: Role set to [ACTIVE]
08:51:50.164 (03028/ServiceMain) INF> Admin node [Remote IA]: Status set to [INACTIVE] due to Detected power off
08:51:50.164 (03028/ServiceMain) INF> Admin node [Remote IA]: Status set to [UNKNOWN] due to went offline
08:51:50.164 (03028/ServiceMain) INF> System model created and ready.
08:51:50.164 (03028/ServiceMain) INF> Successfully copied the system configuration data to registry.
08:51:50.164 (03028/ServiceMain) ALW> Running as node [BCM00] of system [New system] version 15
08:51:50.171 (03028/ServiceMain) INF> Service initialization completed
08:51:50.171 (03028/ServiceMain) INF> Set service status [4=RUNNING]: ExitCode=[0], WaitHint=[0]
08:51:50.172 (03396/SystemManager) ALW> HAC System Management Process started
08:51:50.176 (00972/PeerManager ) ERR> Peer/00D28540 [BCM00]: Connection server SSL open failed to [this.bcm.server.ip.address:21012] IssuedTo: COS.DOMAIN.COM IssuedBy: <sidadm> Store: HKLM/My
08:51:50.177 (00972/PeerManager ) ERR> PeerManager/00D27F98: Error occurred while peer is going online: protocol error: TLS server open failed
08:51:50.178 (03396/SystemManager) INF> ELEMENT [New system] ID [1]: Status set to [ACTIVE]
08:51:50.179 (03396/SystemManager) INF> ELEMENT [New system] ID [1]: Health set to [NORMAL]
08:51:50.179 (03396/SystemManager) INF> ELEMENT [New system] ID [1]: Reached the desired status [ACTIVE]
08:51:50.179 (03396/SystemManager) INF> ELEMENT [BCM00] ID [3]: Status set to [ACTIVE] due to Detected power on
08:51:50.179 (03396/SystemManager) INF> ELEMENT [BCM00] ID [3]: Health set to [NORMAL] due to Default health
08:51:50.179 (03396/SystemManager) INF> ELEMENT [BCM00] ID [3]: Reached the desired status [ACTIVE]
08:51:50.182 (03396/SystemManager) INF> Admin node [Remote IA]: Status set to [INACTIVE] due to Detected power off
08:52:11.112 (03396/SystemManager) INF> Admin node [Remote IA]: Health set to [FAILED] due to No connection to node within silent loss time
08:52:11.112 (03396/SystemManager) INF> Admin node [Remote IA]: Reached the desired status [INACTIVE]
Hi Ramesh,
If you are now able to log into the IA then that is good.
If the local HAC node is failing within 20 seconds with a big RED X, this is more likely due to the account that is running the BCM HAC service on the server.
The first thing you should check is to make sure in your services your SAP BCM HAC service has actually started and is running:
Next you need to make sure the service is running using the EXACT SAME ACCOUNT as the account you are using to log into your IA with. If this account is not the same, or if you are having trouble, reset the user logon properties on the SAP BCM HAC node to be the same, apply and restart the service.
If all this is correct and you are still seeing a red X through the HAC node, see if the bottom status bar of your IA says (view only). If the bottom status bar says (view only) and in the activity log you have several red messages, then your certificate is not playing nice with the IA.
If that is the case, when you log into the IA untick the box that says "Authenticate User Locally before going online".
If none of those options work then you still have a certificate problem. Make sure the CA is in your trusted roots of the local computer, and that the server certificate you generated is in the local computer account for personal certificates.
Thanks,
Marcus McCutchen
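The store checks listed in the reply above (CA in the local computer's trusted roots, server certificate with its private key in the local computer's Personal store) can be run from an elevated PowerShell prompt. This is an added example, not code from the thread or from SAP; the function name is hypothetical and COS.DOMAIN.COM is the thread's placeholder CN.

```powershell
# Added example. 'COS.DOMAIN.COM' is the thread's placeholder CN; replace it.
function Test-BcmServerCertificate {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $CommonName,
        [string] $ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID from COS.INF
    )
    # Local computer Personal store: the "HKLM/My" store named in the HAC log.
    $found = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CommonName }
    if (-not $found) {
        Write-Warning "No certificate with CN '$CommonName' in LocalMachine\My"
        return
    }
    foreach ($cert in $found) {
        # Collect the EKU OIDs carried by the certificate (empty if no EKU extension).
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        # Build the chain in machine context; revocation is skipped so the
        # check also works when the CA's CRL is unreachable from this host.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            IssuedTo         = $cert.GetNameInfo('SimpleName', $false)
            IssuedBy         = $cert.GetNameInfo('SimpleName', $true)
            HasPrivateKey    = $cert.HasPrivateKey      # the "key symbol" in mmc
            ValidNow         = ((Get-Date) -ge $cert.NotBefore) -and ((Get-Date) -le $cert.NotAfter)
            ServerAuthEku    = $ekuOids -contains $ServerAuthOid
            ChainBuilds      = $chainOk
            ChainErrors      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            TopInTrustedRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        }
    }
}

Test-BcmServerCertificate -CommonName 'COS.DOMAIN.COM' | Format-List
```

The IssuedTo and IssuedBy values in the output can be compared with the IssuedTo/IssuedBy pair printed in the HAC log's "SSL open failed" line.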
Hi Deepak,
I passed this issue. The problem was in the certificate. I issued a new Internal certificate (no connection certificate is required to communicate with the HAC node).
I left the certificate name blank in connect...
My issue now is that when I added the database virtual unit, edited some variables as per the installation example document and then added instance BCM00 as per the snapshot below, the databases haven't been created in SQL Server Management Console.
Kindly find the logs below.
12:29:03.493 (02312/IpcWorker ) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50152]: Connection lost
12:29:03.493 (02312/IpcWorker ) INF> ELEMENT [BCM00] ID [3]: Failed to receive new system model data as requested from node [192.168.1.226:50152]
12:47:11.367 (00684/IpcWorker ) INF> Admin node [192.168.1.226:50158]: Role set to [ACTIVE]
12:47:11.368 (00684/IpcWorker ) INF> ELEMENT [BCM00] ID [3]: User [BCM\BCM Admin] logged in from node [192.168.1.226:50158] with admin rights
12:47:11.368 (00684/IpcWorker ) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50158]: Connection established
12:47:11.368 (00684/IpcWorker ) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50158]: Status set to [ACTIVE] due to Detected power on
12:47:11.368 (00684/IpcWorker ) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50158]: Health set to [NORMAL] due to All problems cleared
12:47:11.368 (00684/IpcWorker ) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50158]: Reached the desired status [ACTIVE]
12:47:11.368 (00684/IpcWorker ) INF> ELEMENT [BCM00] ID [3]: Requesting new HAC model data from node [192.168.1.226:50158]
12:47:11.390 (03844/SystemManager) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50158]: Raised minor problem [25]: [Mismatching system model versions]
12:47:11.390 (03844/SystemManager) INF> Admin user [BCM\BCM Admin] from [192.168.1.226:50158]: Health set to [NEAR_FAILURE] due to Mismatching system model versions
12:48:12.039 (03844/SystemManager) INF> ELEMENT [BCM00] ID [3]: Failed to receive new system model data as requested from node [192.168.1.226:50158]
12:48:12.039 (03844/SystemManager) INF> ELEMENT [BCM00] ID [3]: Requesting new HAC model data from node [192.168.1.226:50158]
12:49:13.027 (03844/SystemManager) INF> ELEMENT [BCM00] ID [3]: Failed to receive new system model data as requested from node [192.168.1.226:50158]
12:49:13.027 (03844/SystemManager) INF> ELEMENT [BCM00] ID [3]: Requesting new HAC model data from node [192.168.1.226:50158]
12:50:14.171 (03844/SystemManager) INF> ELEMENT [BCM00] ID [3]: Failed to receive new system model data as requested from node [192.168.1.226:50158]