Forum Discussion

gbunting
May 01, 2009

Discovery failure: invalid certificate when trying to update the Big3d

I was able to run the f5mpgui.exe -DD command from a command prompt opened with the run as administrator. The pathing was correct. I should have left a space between management and pack.

Any idea why I'm able to run the command locally but not through SCOM?

Also, I noticed that when I ran the discovery wizard, the checkbox to authorize Big3d Update was not visible until I clicked on show powershell script.

Unfortunately I'm now getting an error about an invalid certificate when I run the discovery and it is trying to update the Big3d.

Failed to discover device at address: 192.168.165.18

Network-related failure has occurred: The request failed with HTTP status 401: F5 Authorization Required.

The account I'm using has full access to the console and web interface of the F5.

So I guess I have 2 questions.

1. Why can I not run the discovery from the SCOM interface?

2. Why am I getting that certificate error and what do I need to do to correctly discover the F5 devices so they can be monitored from SCOM?

Thanks,

Glen

16 Replies

  • Joel,

    I checked /config/big3d and client.crt is there. It is rw by root only. Since I was logging in to do the discovery as admin, does admin have root privileges?

    Glen
  •
    joel_hendrickso
    Historic F5 Account
    Glen, those permissions are fine.

    Another thing to look at would be whether the same certificate in F50.cer is in client.crt. You would need to open both of them in a text editor to find out. The client.crt on Big-IP will most likely contain multiple certificates, and the Management Pack certificate should be at or near the top of the list:

    ===== BEGIN CERTIFICATE =====
    (20 or so lines of text)
    ===== END CERTIFICATE ======

    ===== BEGIN CERTIFICATE =====
    (20 or so lines of text)
    ===== END CERTIFICATE ======

    I've added a double-check for this in the upcoming release.

    Thanks, Joel
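
Added example, not part of the original posts or of the F5 Management Pack: the F50.cer versus client.crt comparison from the reply above, done by SHA-256 fingerprint of the decoded certificate bytes so that line wrapping and CRLF differences between the two files do not matter. The function names are hypothetical, standard PEM markers are assumed, and the sample "certificates" are constructed placeholder bytes.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]


def load_cer(data):
    """A .cer export may be Base-64 (PEM) or binary DER; return DER bytes."""
    try:
        found = pem_certs(data.decode("ascii"))
    except UnicodeDecodeError:
        return data  # not text, so treat it as binary DER
    return found[0] if found else data


def position_in_bundle(cer_bytes, bundle_text):
    """1-based position of the certificate in the bundle, or None if absent."""
    wanted = hashlib.sha256(load_cer(cer_bytes)).digest()
    for i, der in enumerate(pem_certs(bundle_text), start=1):
        if hashlib.sha256(der).digest() == wanted:
            return i
    return None


def to_pem(der):
    """Helper used only to build the constructed sample bundle."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins for certificate bytes (not real certificates).
MP_DER = b"\x30\x82" + b"constructed management pack cert" * 4
OTHER_DER = b"\x30\x82" + b"constructed unrelated cert" * 4
SAMPLE_BUNDLE = to_pem(MP_DER) + to_pem(OTHER_DER)

if __name__ == "__main__":
    print(position_in_bundle(MP_DER, SAMPLE_BUNDLE))
    print(position_in_bundle(OTHER_DER, to_pem(MP_DER)))
```

With real files, pass the bytes of F50.cer and the text of a copy of client.crt to `position_in_bundle`; a result of `None` means the certificate is not in the bundle.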

  • Joel,

    It looks like the F50.cer is included in the client.crt on the F5.

    Glen
  •
    joel_hendrickso
    Historic F5 Account
    Glen, one more place to check -- you should have a /shared/em/ssl.crt directory on the big-ip containing a file named with the IP address of the management server. If that file is missing, it would cause the problem you saw (and may cause it again in the future).

    Thanks, Joel
  • Joel,

    I have a 192.168.165.160.crt file in the /shared/em/ssl.crt dir. That is the IP of the management server.

    Glen
  •
    joel_hendrickso
    Historic F5 Account
    Glen, the newest build on DevCentral may resolve your problem if you are still having issues (v1.2.0.579).

    One last cause that I thought of: If the clock time on your management server / RMS changes, it may invalidate the certificate. Could that have happened?

    Thanks, Joel