I would like to know what will happen if I skip the host registration and just copy the contents of SmHost.conf file from some other server. I hope it won't work but ..
If you have any further questions, shoot me.
I think the thread that Ujwol mentioned answered most of your questions except the following:
Why do we need host registration?
R: Policy server needs to trust the client while the client tries to connect to the policy server. In short, the purpose of host registration is to establish trust between PS and WA so the connection can be established.
Hi Ujwol and Karmeng,
Thanks for your quick replies!
That thread is very useful. But unfortunately, I still have a few queries.
1) You have mentioned that a hard-coded value along with the host ID is used to decrypt the shared secret in case of Linux. I would like to know more about this hard-coded value.
2) May I know how decryption of the shared secret will happen in case of a Windows environment?
3) What is the significance of "-sh" while registering the host by command line? Will it change the shared secret value?
Thanks and awaiting return!!
Policy Server generates the SharedSecret during the time of host registration and sends it to the WebAgent. The Shared Secret is already encrypted, but Unix/Linux Agents further encrypt this value with the hostid value of Unix/Linux and save it in the SmHost.conf.
During the agent initialization, the webagent decrypts the value of the shared secret in the SmHost.conf file using the hostid value and then sends it to the policy server for the handshake. If the hostid value has changed then the decrypted value will not be correct and the webagent will not be able to do a proper handshake with the policy server.
Hostid value does not change when the hostname or IP address of the system changes. Some hardware changes may cause the value of hostid to change. If the mount point is changed then also hostid value is changed. There may be other reasons too.
In Windows, the webagent does not further encrypt the value of the shared secret sent to it by the policy server.
During initialization webagent sends the same value of shared secret as stored in SmHost.conf file to the Policy Server and handshake works.
Thanks for your detailed and clear explanation.
May I get a response from any expert for my above questions?
Thanks and awaiting returns!
Ujwol => Not much info here. This is how the SSO architect designed.
Ujwol => You can but you should not. If something goes wrong with that trusted host, then all your agents are impacted.
Ujwol => If you don't specify -sh this is how shared secret is created :
Now, when you specify the -sh option, all you are doing is specifying this "seed" string.
If your hostId changes, the shared secret will still be invalid.
Hope this clarifies.
Thanks for your response. I just have few doubts regarding your above feedback.
Yep, I can confirm.
Here is the full list of various keys used in SSO:
If you have any follow up question please create a new thread, this has been stretched far too far :)
Thanks for your response. But, still I have a query regarding your above feedback. I have created a new thread (https://communities.ca.com/thread/241750145) for the same.
Have a nice day!
You said - "Hostid value does not change when the hostname or IP address of the system changes"
This is NOT true.
Please refer to the thread I have referred above for explanation.
You can check with your sustaining engineering as what I said is true.
Also my organization is going through IP and host name changes and I have first-hand experience of whether it works or not. And we did not re-register the host. We are using R12 SP3 CR09. hostid does not change by changing IP or hostname.
What OS are we talking about here?
There is no /etc/hostid file in our system.
Do you have /etc/hostid file?
I don't want to get into any troubleshooting or discussion here. I know this for sure and even when I was in CA I have advised customers not to re-register webagent for any IP or hostname changes. And as I have said we have hundreds of Linux servers undergoing IP and hostname changes and there was no need for re-registration so far.
Let's look at Linux Man page:
"In the glibc implementation, the hostid is stored in the file /etc/hostid. (In glibc versions before 2.2, the file /var/adm/hostid was used.)
In the glibc implementation, if gethostid() cannot open the file containing the host ID, then it obtains the hostname using gethostname(2), passes that hostname to gethostbyname_r(3) in order to obtain the host's IPv4 address, and returns a value obtained by bit-twiddling the IPv4 address. (This value may not be unique.)"
So going by this, unless you have defined a static hostid by creating the /etc/hostid file, if your IPv4 address changes, it will almost certainly result in a different hostid.
I have also verified this in my setup.
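As an added example (not code from this thread or from the SiteMinder product), here is a small C check an administrator can run on a Linux web-agent host before an IP change to see whether its hostid is static or IP-derived, following the glibc man-page behaviour quoted above. It assumes glibc's fallback is the 16-bit rotation of the raw IPv4 s_addr that the man page calls "bit-twiddling"; the three return codes of classify_hostid are my own labels.

```c
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pure reimplementation (assumption: matches glibc) of the fallback
   gethostid() uses when /etc/hostid is absent: rotate s_addr by 16 bits. */
uint32_t hostid_from_s_addr(uint32_t s_addr)
{
    return (s_addr << 16) | (s_addr >> 16);
}

/* Same lookup path the man page describes: gethostname -> gethostbyname.
   Returns 1 and fills *s_addr_out on success, 0 on failure. */
int resolve_own_ipv4(uint32_t *s_addr_out)
{
    char name[256];
    if (gethostname(name, sizeof name) != 0 || name[0] == '\0')
        return 0;
    struct hostent *hp = gethostbyname(name);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL)
        return 0;
    struct in_addr in;
    memcpy(&in, hp->h_addr_list[0], sizeof in);
    *s_addr_out = in.s_addr;
    return 1;
}

/* 1 = static /etc/hostid present (IP changes leave hostid alone)
   2 = gethostid() equals the IPv4-derived value (an IP change alters it,
       so the SmHost.conf shared secret would stop decrypting)
   0 = could not determine (no readable /etc/hostid and no match) */
int classify_hostid(void)
{
    if (access("/etc/hostid", R_OK) == 0)
        return 1;
    uint32_t s_addr;
    if (!resolve_own_ipv4(&s_addr))
        return 0;
    return (uint32_t) gethostid() == hostid_from_s_addr(s_addr) ? 2 : 0;
}

int main(void)
{
    static const char *label[] = { "undetermined", "static /etc/hostid",
                                   "derived from IPv4 address" };
    printf("gethostid() = 0x%08lx (%s)\n", (unsigned long) gethostid(),
           label[classify_hostid()]);
    return 0;
}
```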