
HP SAFE SC Troubleshooting

Table of Contents
1. Connecting to the HP SAFE SC appliance
   1.1. METHOD-1 The console using a keyboard and monitor
   1.2. METHOD-2 Using the ssh (Secure Shell) utility
   1.3. METHOD-3 Using a WEB Browser.
2. Console boot up techniques
3. Log files
4. Remote connections to HP SAFE SC appliance
   4.1. No ICMP echo-request
   4.2. Unable to connect to HP SAFE SC at all
5. SAFE SC Configuration Manager
   5.1. Postmaster Setting Does Not Work
   5.2. Difference between Standalone and Gateway firewall
   5.3. Email Standalone and Email Gateway
6. Web-based Admin GUI
   6.1. Can’t find server
   6.2. Can’t login to web-based admin GUI
7. PrivacyPost Troubleshooting
   7.1. Cannot login at http://<machine>/myprivacy/
   7.2. mysql issues
   7.3. Sendmail Configuration Issues
8. Miscellaneous
   8.1. Performance monitoring

1. Connecting to the HP SAFE SC appliance
There are three (3) prescribed methods to connect to your HP SAFE SC appliance. The first two provide the user with a command line interface. They are as follows.

1.1. METHOD-1 The console using a keyboard and monitor
By connecting a standard keyboard and monitor to the back of your HP SAFE SC appliance, you are able to access the command line interface and console menus. The console allows you to log in directly as user root.

1.2. METHOD-2 Using the ssh (Secure Shell) utility
The ssh utility provides a convenient way to access your HP SAFE SC appliance securely from remote locations. Establishing this type of connection requires an ssh client program on the remote system you are connecting from. (Note: The HP SAFE SC appliance has the ssh server daemon running by default, and no setup is required on the appliance.) Once the ssh session is established, log in as user root. An open-source ssh client program called putty can be obtained from the URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/

1.3. METHOD-3 Using a WEB Browser.
To communicate with the HP SAFE SC appliance Admin GUI, you must connect to the appliance using SSL (Secure Socket Layer) communications. Simply enter the URL https://<machine>:8888/ where <machine> is the hostname or IP address of the appliance you specified in the configuration. You will be asked whether to accept the certificate that is being handed down to you. Accept the certificate to proceed with the login screen.

2. Console boot up techniques
When using a directly connected keyboard/monitor on your HP SAFE SC appliance, there are two key sequences that provide additional capabilities:
a. Holding down the Shift/Page-Up keys will allow you to scroll backwards.
b. Holding down the Alt key and pressing one of the F1/2/3/4/5/6/7/8 keys will ‘switch’ you to an additional session on your HP SAFE SC appliance. (This can be useful if you want to monitor a log file while issuing a command in another session.)

3. Log files
System log files often assist when troubleshooting system configuration and network problems. On the HP SAFE SC appliance, the messages log file located in the /var/log directory often contains valuable troubleshooting information. Some of the ways to view the information in this file are as follows:
a. Connect to the HP SAFE SC appliance using command line mode (see sections 1.1 & 1.2) and issue one of the following commands:
   # more /var/log/messages      (to view the entire file)
   # tail -f /var/log/messages   (to view new messages that appear in the file)
b. Use the Web Admin GUI and select “System Logs” under the “System Administration” menu item on the left-hand side of the screen.
c. Some of the other log files that may be useful when troubleshooting installation problems are:
   - /var/log/secure (ssh login issues)
   - /var/log/hpsafe.log (system setup and configuration problems)
   - /var/log/boot.log (system/network boot up issues)

For troubleshooting at a client site where there may be no online connection to the HP SAFE SC appliance for browsing such log files, a convenient script is provided that gathers these log files into a compressed tarball. Through the command line interface (console or ssh), once logged in as root, the user can execute the command:
   # sscexpl
A file named <hostname>-<date>-log.tgz will be created in the /tmp directory, where <hostname> is the hostname of the HP SAFE SC appliance and <date> is the date when the sscexpl script is run. We can request the client to send the compressed tarball by email so that we can inspect it offline before suggesting a solution to their issue.

4. Remote connections to HP SAFE SC appliance
This section covers troubleshooting the inability to make connections to a remote HP SAFE SC appliance. Remote connections include TCP traffic such as ssh, smtp, http, https, imap, imaps, pop and 8888 (Admin GUI); these are the allowed services on the appliance.

4.1. No ICMP echo-request
The default firewall (iptables) policy blocks ICMP echo-request. This means that when you ping the HP SAFE SC, you will get a “Request timed out” message, but you are still able to connect to the HP SAFE SC using the allowed services such as ssh, smtp etc.

4.2. Unable to connect to HP SAFE SC at all
If the allowed services are not accessible, for example an ssh client such as putty encounters a “Network error: Connection timed out”, it is likely that the IDS on the HP SAFE SC has detected an attack alert and proactively blocked all remote access from the client machine.
SOLUTION:
a. Check whether the IDS PortSentry has blocked the client machine:
   # cd /etc/portsentry
   # cat portsentry.blocked.atcp
   and
   # cat portsentry.blocked.audp
If you see log messages such as:
   1099849291 - 11/08/2004 01:41:31 Host: lime2.essware.com/10.2.8.33 Port: 993 TCP Blocked

This means PortSentry has blocked the client machine and stopped all remote connections from it. This could be due to a false alarm, or because the client machine has performed port scanning or similar activity. To reset this:
   Restart the firewall:
   # /etc/init.d/iptables restart
   Restart PortSentry to reset the log state:
   # /etc/init.d/portsentry restart
b. At times, you may want to completely stop the firewall and perform a ping test to verify whether there is a network problem:
   # /etc/init.d/iptables stop
Then do a ping test from the client machine to see whether there is any response from the HP SAFE SC.
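
An added example, not part of the original HP document: a shell function that looks up one client address in the PortSentry blocked files from step a and shows which port and protocol triggered each block, which helps judge whether the block was a false alarm before resetting it. It assumes the line format of the sample entry above; the function name and the second sample line are constructed for illustration.

```sh
# Added example (not HP's code). Assumed line format, from the entry above:
#   <epoch> - MM/DD/YYYY HH:MM:SS Host: <name>/<ip> Port: <port> <proto> Blocked

# portsentry_blocks IP FILE...
# Prints "<date> <time> <proto>/<port> <hostname>" for each matching entry.
# Returns 0 if the IP has at least one entry, 1 if none, 2 on usage error.
portsentry_blocks() {
    [ "$#" -ge 2 ] || { echo "usage: portsentry_blocks IP FILE..." >&2; return 2; }
    ip=$1
    shift
    # Skip files that do not exist (e.g. no UDP blocks recorded yet).
    for f in "$@"; do
        if [ -r "$f" ]; then cat -- "$f"; fi
    done | awk -v ip="$ip" '
        $5 == "Host:" && $NF == "Blocked" {
            # Field 6 is "<name>/<ip>"; compare the address exactly so that
            # 10.2.8.3 does not match an entry for 10.2.8.33.
            n = split($6, h, "/")
            if (h[n] == ip) {
                printf "%s %s %s/%s %s\n", $3, $4, $9, $8, h[1]
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on sample data: the first line is the entry quoted above, the second
# is constructed (192.0.2.0/24 is a documentation address range).
demo_dir=$(mktemp -d)
cat > "$demo_dir/portsentry.blocked.atcp" <<'EOF'
1099849291 - 11/08/2004 01:41:31 Host: lime2.essware.com/10.2.8.33 Port: 993 TCP Blocked
1099849500 - 11/08/2004 01:45:00 Host: scanner.example/192.0.2.7 Port: 111 TCP Blocked
EOF
portsentry_blocks 10.2.8.33 "$demo_dir/portsentry.blocked.atcp" \
    "$demo_dir/portsentry.blocked.audp"
rm -rf "$demo_dir"
```

On the appliance the files to pass are /etc/portsentry/portsentry.blocked.atcp and /etc/portsentry/portsentry.blocked.audp.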

5. SAFE SC Configuration Manager
This section covers troubleshooting the SAFE SC Configuration Manager. Note: The SAFE SC Configuration Manager is used to change important system settings such as firewall deployment, email deployment and the Postmaster alias.

5.1. Postmaster Setting Does Not Work
The HP SAFE SC Intrusion Detection System (IDS) monitors the system log files on a regular basis and emails important logs and security violations to the Postmaster alias. Postmaster is an email alias that refers to the actual email account for receiving system emails. Postmaster configuration is performed during the first boot up and is subsequently available for modification through the “safemenu” Configuration Manager. If the email account referred to by Postmaster does not receive the IDS periodic report, the most likely reason is that you have changed the Postmaster setting through the web-based Admin GUI at “Intrusion Detection System” -> “Logcheck Configuration”, in the “Email reports to” field. Please refrain from changing it from the “postmaster” alias; it should always be “postmaster”. Only change the Postmaster configuration in the “safemenu” Configuration Manager.

5.2. Difference between Standalone and Gateway firewall
A standalone server firewall will not forward packets, whereas a gateway server firewall will. The firewall implementations in these two configurations are different. A gateway server requires at least two network interface cards, whereas a standalone server only needs one. For the same reason, trying to configure a server with only one NIC as a gateway will not work, and the system will automatically revert to standalone server.

5.3. Email Standalone and Email Gateway
An email standalone will serve as a server for virus protection and spam filtering. An email gateway server will deal with all incoming emails and forward only the legitimate ones to an existing email server.

6. Web-based Admin GUI
This section covers troubleshooting the web-based admin GUI. Note: This web interface is used to manage common server settings. To change server deployment scenarios, use the SAFE SC Configuration Manager instead. Note: The web-based admin GUI is based on the open-source Webmin but with substantial customizations. Simply updating it with the latest Webmin RPM package will result in loss of configurations and failure of the web-based admin GUI.

6.1. Can’t find server
The default port for the web-based admin GUI is 8888, not 10000. Also make sure the protocol used is secure https, not http. If these settings are all correct, check whether your IP address has been blocked by the IDS of the HP SAFE SC server. The correct display in your browser address bar should be https://<machine>:8888 where <machine> is the hostname or IP address of the HP SAFE SC server.

6.2. Can’t login to web-based admin GUI
The default user for web-based administration is “hpsafe”. Users cannot log in as “root” or other accounts.

6.3. ClamAV database updates fail
In the Admin GUI, choose “HPSSC Pro” -> “Clam Antivirus”, then “Database updates”. Under the “Manual update” section, when you click the “Update now” button, the web interface takes a while to respond and then shows error messages:
   ERROR: Can't query current.cvd.clamav.net
   ERROR: Can't get information about db.local.clamav.net host.
   ERROR: Connection with db.local.clamav.net failed.

SOLUTION: This is likely because your DNS server setting is incorrect. In the Admin GUI, navigate to “Networking” -> “Network Configuration”, choose “DNS Client”, check the “DNS servers” setting in the “DNS Client” form, correct it and manually update the ClamAV database again.

7. PrivacyPost Troubleshooting
Possible troubleshooting issues are as follows.

7.1. Cannot login at http://<machine>/myprivacy/
a. If you try to log in as PrivacyPost administrator, the default administrator account is “admin” (without the double quotes). If you have changed the “Email:” of this account in the “System User Edit – admin” form (available in the PrivacyPost Admin GUI at “System Area” -> “System User List”, by choosing the “admin” account), you will need to use the new “Email” id for subsequent logins.
b. For a normal user to access the PrivacyPost Admin GUI, you need to register at the PrivacyPost login screen by clicking the “Sign up here” link under the “Login now” button.

7.2. mysql issues
a. When trying to log in to PrivacyPost as “admin” through the URL http://<machine>/myprivacy/, if you encounter a message similar to the following, it is likely due to more than one admin record being inserted into the internal database.
   Privacy Network myPrivacy Error
   We apologize for the inconvenience, but an internal system error has occured. Although you are authorized to use the Privacy Network's myPrivacy, we could not find your contact information in our database. Our system administrators have been notified, and we will try to resolve this problem as soon as possible. Please try to login again sometime soon.

SOLUTION: Log in to the SAFE SC as root at the console or through ssh remote access. Issue the following commands:
   $ mysql -u root pn_db
   mysql> select * from user;
Manually verify whether there is more than one row (record) in which the 10th field (email) contains “admin” (without the double quotes). If so, taking the 1st field as the user_id field, run:
   mysql> delete from user where user_id=<id>;
for every id except user_id 1. This ensures there is only one record in the user table for the admin account.
b. The following error means that mysql is not installed. Double check by running rpm -q on all the needed packages as shown below. Also read the section above (See Configuration):
Fatal error: Call to undefined function: mysql_pconnect() in /usr/local/pn/website/privacy_php/db_mysql.inc on line 73

SOLUTION: Check that mysql, php, and php-mysql are installed. If a package is installed, rpm will return the package version; otherwise it will return “package <package name> is not installed”.
   $ rpm -q mysql
   mysql-3.23.54a-11
   $ rpm -q php-mysql
   php-mysql-4.2.2-17
   $ rpm -q mysql-server
   mysql-server-3.23.54a-11
   $ rpm -q php
   php-4.2.2-17
An example of what happens when a package is not installed:
   $ rpm -q php-mysql
   package php-mysql is not installed

NOTE: Make sure to restart the httpd after installing and configuring all the packages. Also check the http://<machine>/myprivacy/phpinfo.php for a section that contains mysql. This lets you know that mysql is installed. For security reasons the phpinfo.php file is shipped with no read permissions. Change the permissions on the phpinfo.php file to 755 so you can use it for debugging. Remember to change it back when done.

   mysql
   MySQL Support             Enabled
   Active Persistent Links   0
   Active Links              0
   Client API version        3.23.54
   MYSQL_MODULE_TYPE         External
   MYSQL_SOCKET              /var/lib/mysql/mysql.sock
   MYSQL_INCLUDE             -I/usr/include/mysql
   MYSQL_LIBS                -L/usr/lib/mysql -lmysqlclient

Error: If mysql is not installed:
   # chkconfig --list mysqld
   error reading information on service mysqld: No such file or directory
   # chkconfig --list mysqld
   mysqld 0:off 1:off 2:off 3:on 4:on 5:on 6:off
SOLUTION:
- Install mysql
c. The following error means mysql is installed but not running:
   Warning: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /usr/local/pn/website/privacy_php/db_mysql.inc on line 73
   Database error: pconnect(localhost, root, $Password) failed.
   MySQL Error: ()
   Session halted.

SOLUTION: Start mysql:
   $ /etc/init.d/mysqld start
d. Error: If the Privacy NETworks databases are not installed:
   Database error: cannot use database pn_db
   MySQL Error: 1049 (Unknown database 'pn_db')
   Session halted.

SOLUTION:
- Refer to section 1, log in as root, run the “safemenu” (without the double quotes) command, navigate to and select “PrivacyPost Configuration”, and reconfigure PrivacyPost either as “Email-Standalone” or “Email-Gateway”. This will invoke the script to reconfigure PrivacyPost.
- Make sure that /var/lib/mysql is the install directory for the mysql database.
e. ERROR: Unable to make connection to mysql too many connections.
When a server is under very heavy email load, the PrivacyPost system may attempt to make too many connections to the mysql server.
SOLUTION: You may need to increase the maximum connections allowed. HP SAFE SC comes with mysql 4.3.x and you can change this setting as follows. In the "[mysqld]" section of /etc/my.cnf add this line:
   set-variable = max_connections=500
This changes the limit from the default of 100 to 500. For mysql versions 5.0 and above, this may need to be set in an alternate way. See www.mysql.com for information.
f. ERROR: Trying to get the list of email messages in the graybox or trash can, and messages are not showing up.
SOLUTION: Check to see if /usr/local/pn/pn.cfg exists.
g. PROBLEM: Unable to log in to the myprivacy area. Every time you type in a username and password, it just returns to the prompt.
SOLUTION:
1) Check /etc/php.ini and make sure register_globals is set to On.
2) If it is still failing, it is likely that the php being used by the httpd is using a different php.ini.
3) Check for the presence of the file /usr/local/pn/website/main/phpinfo.php. If it is there, change its permission to readable for everyone:
   # chmod 444 phpinfo.php
If it is not there, create the file. The contents of the file are:
   <?php phpinfo(); ?>
4) Now get the php info from http://<servername>/myprivacy/phpinfo.php

5) It will return the information on the location of the php.ini
Configuration File (php.ini) Path /usr/local/lib/php.ini

6) If the php.ini is not located at /etc/php.ini, then set register_globals to On in the php.ini file reported by the configuration file information. Otherwise set register_globals to On in /etc/php.ini.
7) Restart the httpd server to pick up the change:
   # /etc/init.d/httpd restart
8) Now log in.
h. PROBLEM: When connecting to http://<servername>/myprivacy the following message comes up on the screen.
   Warning: mysql_pconnect(): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) in /usr/local/pn/website/privacy_php/db_mysql.inc on line 73
   Database error: pconnect(localhost, root, $Password) failed.
   MySQL Error: ()
   Session halted.

SOLUTION: This is because the running mysqld is using a differently named socket than the php module loaded by httpd.
1) The mysqld configuration file is located at /etc/my.cnf:
   [root@mail mysql]# more /etc/my.cnf
   [mysqld]
   datadir=/var/lib/mysql
   socket=/var/lib/mysql/mysql.sock

   [mysql.server]
   user=mysql
   basedir=/var/lib

   [safe_mysqld]
   err-log=/var/log/mysqld.log
   pid-file=/var/run/mysqld/mysqld.pid
2) The socket=/var/lib/mysql/mysql.sock is different from /tmp/mysql.sock. The httpd server php module is trying to communicate via /tmp/mysql.sock, while mysqld is using /var/lib/mysql/mysql.sock. So we have to get these processes to agree on a communication socket.
3) The easiest way is to change the php.ini to point to /var/lib/mysql/mysql.sock.
4) We need to make sure that the php.ini is the right php.ini.
5) Create the following file: /usr/local/pn/website/main/phpinfo.php
The contents of the file are:
   <?php phpinfo(); ?>
6) Now get the php info from http://<servername>/myprivacy/phpinfo.php
7) It will return the information on the location of the php.ini
Configuration File (php.ini) Path /usr/local/lib/php.ini

8) If the php.ini is not located at /etc/php.ini, then edit the php.ini specified by the phpinfo.php; otherwise edit /etc/php.ini. Change the mysql.default_socket as shown:
   mysql.default_socket = /var/lib/mysql/mysql.sock
9) Restart the httpd server to pick up the change:
   # /etc/init.d/httpd restart
i. PROBLEM: The email connection does not seem to be getting any email.

SYMPTOMS: 1) In /var/log/maillog the following message shows up
Jun 9 22:11:20 mail pn_asd[13681]: exiting - Relaying denied testuser@andarch.com

2) Telnetting to the smtp port gets the following error when entering a message:
   [todd@localhost ~]$ telnet 68.167.229.58 25
   Trying 68.167.229.58...
   Connected to h-68-167-229-58.dnvtco56.covad.net (68.167.229.58).
   Escape character is '^]'.
   220 localhost pn_asd Ready.
   helo a.com
   250 localhost Hello 0-2pool83-33.nas35.thornton1.co.us.da.qwest.net [67.4.83.33], pleased to meet you.
   mail from: a@b.com
   250 a@b.com... Sender Ok, domain (null) Ok.
   rcpt to: testuser@andarch.com
   550 testuser@andarch.com... Relaying denied
SOLUTION:
1) The problem is that the machine does not have the domain name configured. You can configure pn_asd to specify valid domains by adding the domains to /usr/local/pn/pn.domains. Each domain must be on a single line of its own, such as:
   # more /usr/local/pn/bin/pn.domains
   andarch.com
   mydomain.com
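
For the socket mismatch in item h of this section, an added example that is not part of the original HP document: a shell check that reads the socket path from the [mysqld] section of my.cnf and mysql.default_socket from php.ini and reports whether they agree. The function names are hypothetical and the php.ini fragment in the demo is constructed; on the appliance, pass /etc/my.cnf and the php.ini path reported by phpinfo.php.

```sh
# Added example, not HP's code: verify that mysqld and the PHP mysql module
# agree on the Unix socket path (item h). Function names are hypothetical.

# ini_value FILE SECTION KEY: print KEY's value inside [SECTION]
# (SECTION "" matches anywhere). Lines starting with ; or # are comments.
ini_value() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        (want == "" || sec == want) {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)   # trim blanks and quotes
            print v
            exit
        }
    ' "$1"
}

# socket_check MY_CNF PHP_INI: 0 = same socket, 1 = mismatch, 2 = a value is
# missing (an empty mysql.default_socket makes PHP use its built-in default,
# which phpinfo.php reports as MYSQL_SOCKET).
socket_check() {
    my_sock=$(ini_value "$1" mysqld socket)
    php_sock=$(ini_value "$2" "" mysql.default_socket)
    echo "mysqld socket:        ${my_sock:-<not set>}"
    echo "mysql.default_socket: ${php_sock:-<not set>}"
    if [ -z "$my_sock" ] || [ -z "$php_sock" ]; then
        echo "UNKNOWN: compare with MYSQL_SOCKET in the phpinfo.php output"
        return 2
    fi
    if [ "$my_sock" != "$php_sock" ]; then
        echo "MISMATCH: php.ini should use mysql.default_socket = $my_sock"
        return 1
    fi
    echo "OK: both sides use $my_sock"
}

# Demo: my.cnf [mysqld] section as shown in item h, plus a constructed
# php.ini fragment that reproduces the /tmp/mysql.sock mismatch.
demo_dir=$(mktemp -d)
cat > "$demo_dir/my.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
EOF
cat > "$demo_dir/php.ini" <<'EOF'
[MySQL]
; constructed sample, not a complete php.ini
mysql.default_socket = /tmp/mysql.sock
EOF
socket_check "$demo_dir/my.cnf" "$demo_dir/php.ini" || true
rm -rf "$demo_dir"
```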

7.3. Sendmail Configuration Issues
a. ISSUE: Forwarding of email from the myprivacy area is not working.
SOLUTION: Check the permissions of /usr/local/pn/website/main/bin/archiver. The permissions should be -rwsr-sr-t (7755) and the owner should be root.

8. Miscellaneous
8.1. Performance monitoring
A powerful utility that can be used when you are connected via the command line interface is called top, and can be started with the command:
   # top
This command displays real-time system CPU and memory utilization to help track down what might be causing system performance issues. Please refer to the online man pages for this utility by issuing the command:
   # man top


				