Cloud Service Automation

Software Version: 4.92

For Windows and Linux operating systems

Troubleshooting guide

Document Release Date: February 2017

Software Release Date: February 2017

Legal notices

Warranty

The only warranties for Seattle SpinCo, Inc. and its subsidiaries ("Seattle") products and services are set

forth in the express warranty statements accompanying such products and services. Nothing herein should

be construed as constituting an additional warranty. Seattle shall not be liable for technical or editorial errors

or omissions contained herein. The information contained herein is subject to change without notice.

Restricted rights legend

Confidential computer software. Except as specifically indicated, valid license from Seattle required for

possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,

Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S.

Government under vendor's standard commercial license.

Trademark notices

Adobe™ is a trademark of Adobe Systems Incorporated.

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark of The Open Group.

Documentation updates

The title page of this document contains the following identifying information:

l Software Version number, which indicates the software version.

l Document Release Date, which changes each time the document is updated.

l Software Release Date, which indicates the release date of this version of the software.

To verify you are using the most recent edition of a document, go to

https://softwaresupport.softwaregrp.com/manuals.

To verify you are using the most recent edition of a document, go to

https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result?doctype=online help.

To check for new versions of software, go to https://www.hpe.com/software/entitlements. To check for recent

software patches, go to https://softwaresupport.softwaregrp.com/patches.

These sites require you sign in with a Software Passport. You can register for a Passport through a link on

each site.

You will also receive updated or new editions if you subscribe to the appropriate product support service.

Contact your Micro Focus sales representative for details.

For information and details about the products, services, and support that Micro Focus offers, contact your

Client Director.

Support

Visit the Micro Focus Software Support Online website at https://softwaresupport.softwaregrp.com.

This website provides contact information and details about the products, services, and support that Micro

Focus offers.

Support and Compatibility Matrix

Cloud Service Automation (4.92)

Micro Focus online support provides customer self-solve capabilities. It provides a fast and efficient way to

access interactive technical support tools needed to manage your business. As a valued support customer,

you can benefit by using the support website to:

l Search for knowledge documents of interest

l Submit and track support cases and enhancement requests

l Access the Software Licenses and Downloads portal

l Download software patches

l Access product documentation

l Manage support contracts

l Look up Micro Focus support contacts

l Review information about available services

l Enter into discussions with other software customers

l Research and register for software training

Most of the support areas require you to register as a Passport user and sign in. Many also require a support

contract.

You can register for a Software Passport through a link on the Software Support Online site.

To find more information about access levels, go to

https://softwaresupport.softwaregrp.com/web/softwaresupport/access-levels.

To check for recent updates or to verify that you are using the most recent edition of a document, contact

your Client Director.

Support and Compatibility Matrix

Cloud Service Automation (4.92)

© 2011-2018 Copyright EntIT Software LLC, a Micro Focus company
1
 Cloud Service Automation Troubleshooting  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
1   HPE Cloud Service Automation  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
1.1   Support Tool for CSA - Information and Instruction Page  . . . . . . . . . . . . . . . . . . . . . . .  6
1.2   Installation and Initial Configuration  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
1.2.1   Cancelling a subscription does not prompt the user for an approver  . . . . . . . . . .  7
1.2.2   Content upload not successful during HPE CSA Installation  . . . . . . . . . . . . . . . . .  7
1.2.3   CSA 4.6 - 4.7 - Enable HTTPs traffic logging  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
1.2.4   CSA 4.6 - 4.7 - Multiple JDBC drivers for Oracle in provided directory  . . . . . . . . .  10
1.2.5   CSA 4.6 - 4.7 - The installation hangs with no error state info  . . . . . . . . . . . . . . .  10
1.2.6   CSA 4.6 - 4.7 - Upgrade Failure - HPE OO upgrade fails on unable to delete file   11
1.2.7   CSA 4.7 - HPE CSA on Linux  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11
1.2.8   CSA 4.7 - Initial installation and configuration tips  . . . . . . . . . . . . . . . . . . . . . . . . .  12
1.2.9   CSA 4.7 - Uninstallation did not finish successfully  . . . . . . . . . . . . . . . . . . . . . . . .  13
1.2.10   CSA 4.7 - Upgrade Failure - The specified service has been marked for deletion  . .  
13
1.2.11   CSA 4.x - Installation fails. Cannot execute bzip2 command.  . . . . . . . . . . . . . . .  14
1.2.12   Multi-tier sequential designs failing with OO 10.20  . . . . . . . . . . . . . . . . . . . . . . .  14
1.2.13   Performance issue importing large archives  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15
1.3   Miscellaneous Information and Issues  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15
1.3.1 CSA 4.5 & 4.6 - globalsearch is not working as required configuration is missing in
 elasticsearch  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15
1.3.2   CSA 4.6 - How to handle split brain situation of elasticsearch with cluster  . . . . . .  16
1.3.3 CSA 4.7 - How to move Global Search data from one CSA instance to another CSA
 instance  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  17
1.3.4   CSA 4.7 - In a High Availability environment, some subscriptions may fail  . . . . . .  18
1.3.5   CSA fails with JDBC rollback error  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  19
1.3.6   Error occurs when publishing a topology design  . . . . . . . . . . . . . . . . . . . . . . . . . .  20
1.3.7   Error updating sequential service design  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  20
1.3.8   HPE CSA REST API - Cannot create property names  . . . . . . . . . . . . . . . . . . . . .  21
1.3.9 OO flows are not executing when name, description, or service end dates are
 modified  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  21
1.3.10 Subscriptions stopped getting processed by CSA back ground services after network
 or database failure  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  22
1.3.11 User authorization fails if base DN of an organization is modified during user session
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  24
1.3.12 Vcenter_ADM_SIS_UCMDB_320 service subscription goes into Pause state after
 HPE OO flows are successful  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  25
1.3.13   Windows command-line commands do not run  . . . . . . . . . . . . . . . . . . . . . . . . . .  25
1.4   Cloud Service Management Console  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  26
1.4.1   A JBoss service error message appears in server.log during CSA service startup  . . .  
26
1.4.2   Cannot delete a provider associated with failed subscriptions  . . . . . . . . . . . . . . .  27
1.4.3   CSA 4.7 - Cannot view Russian currency symbol  . . . . . . . . . . . . . . . . . . . . . . . . .  27
1.4.4   CSA 4.7 - Chrome reloads SWF on every navigation to a page that uses Flash Player
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  28
1.4.5 CSA 4.7 - Communication error in Firefox when Use system proxy settings is
 configured  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  28
1.4.6 CSA 4.7 Import of topology designs does not automatically add missing component
 relationship definitions  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  28
1.4.7   CSA 4.7 - Internet Explorer ESC interferes with Management Console  . . . . . . . .  29

© 2011-2018 Copyright EntIT Software LLC, a Micro Focus company
2
1.1.4.8   Error while listing properties in 'Designer' tab  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  30
1.1.4.9   Executive Scorecard integration does not work properly for the Showback Report  . .  
30
1.1.4.10   Failure to add LDAP user to a named approver policy  . . . . . . . . . . . . . . . . . . . .  31
1.1.4.11   No dashboard pages display when tiles under the Cloud Analytics tile are clicked  .  
32
1.1.4.12   Trying to add a valid approver fails with error message  . . . . . . . . . . . . . . . . . . .  32
1.1.4.13 Unable to log in to the Cloud Service Management Console after installation when
 Single Sign-on Is Configured  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  33
1.1.4.14 Various problems when logging into the Cloud Service Management Console in
 multiple browser tabs  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  34
1.1.4.15   Web Browser Remembers Password Credentials  . . . . . . . . . . . . . . . . . . . . . . . .  34
1.1.5   Localization  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  35
1.1.5.1   Non-English characters are not being properly stored by Oracle  . . . . . . . . . . . . .  35
1.1.6   Provider tool can fail to save keystone configuration  . . . . . . . . . . . . . . . . . . . . . . . . . .  35
1.1.7   Upgrade  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  37
1.1.7.1   Icons for some service designs are missing after upgrading to 4.8  . . . . . . . . . . . .  37
1.1.7.2 In 4.7 upgrade setup, the Provider organization log in with LDAP does not work when
 SAML is enabled  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  38
1.1.7.3   SAML configuration is lost after upgrade from CSA 4.7 to CSA 4.8  . . . . . . . . . . .  38
1.1.7.4 Unable to import a design from an upgraded 4.8 instance to a fresh 4.8 instance that
 contains VCENTER_SERVER component  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  39
1.1.7.5   Upgrade fails from earlier supported versions of CSA to 4.8  . . . . . . . . . . . . . . . . .  39
1.1.8   "Resubmit Modify" does not re-apply the values from component.  . . . . . . . . . . . . . . . . . . .  
1.1.9 Problems with running DBPurgeTool, CodarCLI, HealthTool and ProviderTool if they have
 legacy mode of encrypted passwords.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  40
1.1.10   PasswordMigrationTool and IdmInstaller Tool  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  41
1.1.10.1   Authentication failure while running PasswordMigrationTool (PMT) via cmd prompt   
41
1.1.10.2 Certificate issue during PMT authentication (passphrase change) when CSA is in HA
 mode (either Apache or F5 load balancer)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  42
1.1.10.3   Could not open Hibernate Session for transaction error while running PMT tool   45
1.1.10.4   Existing Organizations are not working in case of 4.82 to 4.92 upgrade.  . . . . . .  46
1.1.10.5   java.lang.UnsatisfiedLinkError: Cannot load library error while running PMT tool  . . .  
47
1.1.10.6 Not all passwords from CSA and IDM side configuration files are in strong encryption
 mode.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  48
1.2   Integrations  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  50
1.2.1   Amazon Web Services (AWS)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  50
1.2.1.1   AWS subscriptions fail with ...Error code_ AuthFailure error  . . . . . . . . . . . . . . . . .  51
1.2.1.2   AWS subscriptions fail with Failed to open HTTP connection error  . . . . . . . . . . .  51
1.2.1.3   Failure to attach the network interface to the server  . . . . . . . . . . . . . . . . . . . . . . .  52
1.2.1.4   Public IP for AWS server instances not visible  . . . . . . . . . . . . . . . . . . . . . . . . . . .  52
1.2.1.5   Unable to access the AWS instance using the public IP  . . . . . . . . . . . . . . . . . . . .  52
1.2.1.6 Unable to provision the server due to difference between access point and zone
 specified in the design  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  53
1.2.1.7 When more than one Network Interface is connected to a single AWS server in the
 design, subscription fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  53
1.2.2 CAC: SMC is configured in CAC mode:user in certificate is not present in LDAP, no error
 message  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  54
1.2.3 CAC: When LDAP is not configured and try to access SMC portal, no error message is
 shown in the server.log file.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  55

© 2011-2018 Copyright EntIT Software LLC, a Micro Focus company
3
2.4   Date parsing exception  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  55
2.5   HPE ArcSight Logger  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  56
2.5.1   Artifact ID is not included in log files  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  56
2.5.2   Device entries are grayed out under HPE ArcSight Logger summary tab.  . . . . . .  56
2.5.3   Integration with HPE ArcSight fails after HPE CSA upgrade  . . . . . . . . . . . . . . . . .  56
2.5.4   Provider's IP address not added to HPE ArcSight Logger portal  . . . . . . . . . . . . .  57
2.6   HPE Helion OpenStack®  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  58
2.6.1 Add Server to Server Group public action executed for HPE Helion OpenStack based
 subscription fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  58
2.6.2   HPE Helion OpenStack based subscription fails with HTTP 500 Internal Server Error   
59
2.6.3 Remove server public action executed for HPE Helion OpenStack based subscription
 fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  59
2.7   HPE Matrix Operating Environment (MOE)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  60
2.7.1   HPE MOE Add Disk action fails with SOAP v3 endpoint  . . . . . . . . . . . . . . . . . . . .  60
2.7.2   HPE MOE Add Server action fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  61
2.7.3   MOE_COMPUTE_SOAPV4_3.20 subscriber actions fail  . . . . . . . . . . . . . . . . . . .  61
2.7.4   MOE Simple compute fails with error that user does not have impersonate privilege  .  
62
2.7.5 No resource provider selected when subscribing to
 MOE_COMPUTE_CUSTOM_PROVIDER_SELECTION_v3.20  . . . . . . . . . . . . . . . . . . . .  62
2.7.6   Service Design MOE_COMPUTE_3.20 does not have new MOE SOAP v4 actions  .  
63
2.7.7   Subscriptions using service design MOE_COMPUTE_MT_3.20 fail with error  . . .  63
2.8   HPE Network Automation  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  64
2.8.1   Subscription fails while using service designs based on HPE Network Automation  . .  
64
2.9   HPE Operations Orchestration (OO)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  65
2.9.1   All workflows in the HPE Operations Orchestration public repository are invalid  .  65
2.9.2   HPE CSA Operations Orchestration content not reflected in HPE OO  . . . . . . . . .  65
2.9.3   javax.net.ssl.SSLHandshakeException  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  66
2.9.4 PDT fails in a CSA 4.2 with Embedded OO v.10.20 installation on a system where OO
 v.10.10 Standalone server is running  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  67
2.9.5   Read timed out error when provisioning parallel servers for OOTB Sequence Designs
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  68
2.9.6   Resources are not cleaned up after a subscription times out and fails  . . . . . . . . .  70
2.9.7   Some workflows under CSA folder are invalid  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  71
2.9.8 Subscription fails because Get User Identifier step in an HPE Operations
 Orchestration (OO) flow failed  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  71
2.9.9   Trust store setup failure causes login lockouts  . . . . . . . . . . . . . . . . . . . . . . . . . . .  72
2.10   HPE Server Automation with HPE Application Deployment Manager  . . . . . . . . . . . . .  72
2.10.1 HPE ADM-based service subscription is paused in HPE CSA even after all the HPE
 OO flows are successful  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  72
2.10.2   HPE MOE ADM deployment fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  73
2.10.3   SA – ADM flows failure in OO 10.10 central  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  73
2.11   HPE Server Automation with HPE Database and Middleware Automation  . . . . . . . . .  77
2.11.1   DMA Application deployment fails with WestHttpClientException  . . . . . . . . . . . .  77
2.11.2   Subscription using HPE DMA JBoss application deployment fails  . . . . . . . . . . .  77
2.12   HPE Server Automation with Software Policies  . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  78
2.12.1   A request for a test run remains in Deploying state  . . . . . . . . . . . . . . . . . . . . . . .  78
2.12.2   CSA 4.6 - Failed to load SA Policies  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  78
2.12.3   Subscription fails while using service designs based on HPE SA software policies  .  

© 2011-2018 Copyright EntIT Software LLC, a Micro Focus company
4
79
2.13   HPE Service Manager (HPE SM)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  79
2.13.1 HPE CSA subscription request not triggered upon HPE Service Manager change
 request ticket approval  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  79
2.13.2   Service Manager Initiate Request Approval workflow execution fails  . . . . . . . . .  80
2.13.3   SOAPException during HPE Service Manager change request ticket approval  .  81
2.14   HPE SiteScope  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  81
2.14.1 HPE SiteScope CSA template does not appear on HPE SiteScope server after
 import  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  81
2.14.2   HPE SiteScope monitor deployment fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  82
2.14.3   SiteScope create server monitor fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  83
2.15   HPE Universal CMDB  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  84
2.15.1   CI type components not created in uCMDB from CSA/MPP  . . . . . . . . . . . . . . . .  84
2.15.2   Running Software CI not created in the uCMDB from CSA  . . . . . . . . . . . . . . . . .  84
2.15.3   uCMDB Create fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  85
2.16   OpenStack - HPE Cloud Services (HPE CS)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  85
2.16.1   OpenStack - HPE Cloud Services deployment failure  . . . . . . . . . . . . . . . . . . . . .  85
2.16.2   OpenStack - HPE Cloud Services fails to create instance  . . . . . . . . . . . . . . . . .  86
2.16.3   OpenStack - HPE Cloud Services subscription fails  . . . . . . . . . . . . . . . . . . . . . .  87
2.17   VMware vCenter  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  87
2.17.1 Lifecycle Engine does not allow another lifecycle transition to begin if the vCenter
 Add Server fails with timeout  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  87
2.17.2 Modifying active subscription fails when modifying a subscription of vCenter
 Compute Modify  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  88
2.17.3   Subscription fails while using the vCenter Custom Pool Selection service design  . .  
89
2.17.4 Valid Provider selection fails for Resource Offering when subscribing to vCenter
 Compute Modify  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  89
2.17.5   vCenter compute subscriptions fail with Null pointer exception  . . . . . . . . . . . . . .  90
2.17.6   vCenter Customization Template Missing  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  90
2.17.7 vCenter provision server fails when a cloned template specified is not present in the
 given Datacenter  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  91
2.17.8   vCenter subscription goes online without any servers created  . . . . . . . . . . . . . .  91
2.18   CSA 4.7 - OpenStack Provider, Design, and IDM Configuration  . . . . . . . . . . . . . . . . .  92
2.19   Puppet  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  96
2.19.1 CSA 4.7 - OO shows a successful run even if Puppet component is not present on
 the server  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  96
2.20   Cloud Optimizer  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  96
2.20.1   Generated alerts from producer are not getting received by CSA  . . . . . . . . . . . .  96
2.20.2 Graph lines are not displaying properly in MPP service details and topology view
 which is an inconsistent issue.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  97
2.20.3   Health status column is showing ‘Not Monitored’ in Ops Console  . . . . . . . . . . . .  97
2.20.4   Not able to view the Subscription Health status column in the Ops Console  . . .  98
2.20.5   On the CO we see alerts but is not seen in CSA for server components  . . . . . .  99
2.20.6 User sees SSL Connectivity error while refreshing the health status from the Ops
 Console  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  100
2.20.7   VM's in the CSA are displaying Unknown Health status.  . . . . . . . . . . . . . . . . . .  100
2.21   Docker Universal Control Plane - DOCKER UCP DATA CENTER (CSA)  . . . . . . . . .  101
3   HPE CSA on Linux Platform  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  102
3.1   ArcSight Logger integration fails after upgrade on Ubuntu  . . . . . . . . . . . . . . . . . . . . . .  102
3.2   Cannot stop the CSA service  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  102
3.3   HPE CSA service startup fails  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  103

© 2011-2018 Copyright EntIT Software LLC, a Micro Focus company
5
1.3.4 Installation on Linux completes for wrong user input in the install options for database
 component  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  103
1.4   Marketplace Portal  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  104
1.4.1 After enabling High color contrast, MPP screen in IE has a black background, for Chrome a
 High Contrast plugin is needed to be added  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  105
1.4.2 CSA 3.2 - CSA 4.7 - Subscription modification fails for subscription based on the
 VCENTER_COMPUTE_MODIFY_3.20 sequenced design  . . . . . . . . . . . . . . . . . . . . . . . . . .  107
1.4.3 CSA 4.7 - System time differences between CSA system and MPP browser system may
 prevent login  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  108
1.4.4 Failed to Process Subscription screen in Marketplace Portal if referenced sequence
 designs have no root node  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  108
1.4.5 For HPE CSA on a Windows environment, users might not be able to access the
 Marketplace Portal  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  109
1.4.6 Fresh Install - MPP Service Unavailable message displayed when connecting to MPP login
 page  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  109
1.4.7   Marketplace Portal Power ON-OFF service actions comes back with Failed Services  .  110
1.4.8 MPP Service Unavailable message displayed when connecting to Marketplace Portal login
 page after upgrade  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  110
1.4.9   Remote Console Service  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  111
1.4.9.1   Feature Usage  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  111
1.4.9.2   Installation  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  118
1.4.10   Web Browser Remembers Login Password  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  120
1.4.11 When a public action on an active subscription fails, user has no way of knowing the
 details of failure  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  120
1.5   Topology Designs  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  121
1.5.1 Chef integration does not work when Chef server tries to access the provisioned VMs
 using SSH shell  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  121
1.5.2   CSA 4.6 - CSA 4.7 Import of topology component of custom provider type does not work   
122
1.5.3   CSA 4.7 - Amazon Server component fails to provision  . . . . . . . . . . . . . . . . . . . . . . . .  122
1.5.4   CSA 4.7 - Cannot execute a test run of a topology design  . . . . . . . . . . . . . . . . . . . . . .  123
1.5.5   CSA 4.7 - vCenter Server component fails to provision  . . . . . . . . . . . . . . . . . . . . . . . .  124
1.6   Licensing for CSA  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  124
1.6.1   Relevant message not displayed to user when expired emergency license is re-installed  .  
125
1.6.2   User unable to install license on cluster mode  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  125
1.6.3   HPE Helion Codar Licensing UI issue  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  125
1.7 CSA 4.6 - Windows signature checking reports that the key is not certified with a trusted
 signature  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  126
1.8   MPP/SMC login page shows error instead of login prompt when SAML is configured  . . . . .  128
1.9   Featured Category Drop list is empty for newly created organization  . . . . . . . . . . . . . . . . . .  128
1.10   Installer related issues  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  129
1.10.1 CipherTextNotValidException at ExportContentBkServiceImpl step in csa.log file during
 fresh install or upgrade time for 2nd node (non primary node) of HA  . . . . . . . . . . . . . . . . . . .  129
1.10.2   Installation of CSA 4.92 will fail for Oracle Database if prerequisites are missed  . . . .  129

Cloud Service Automation Troubleshooting

Note that the Troubleshooting Guide is a customer-facing publication. Create new troubleshooting entries

on this page only for issues that are appropriate for customers.

To create a new child page:

Navigate to the troubleshooting page for your product.

Go to the section where you want to create a troubleshooting entry.

Click the button that is above and to the left.Create

Select , and then click .Troubleshooting page Next

Error rendering macro 'recently-updated-dashboard' : null

Recently updated topics with "csa460" label.

Error rendering macro 'recently-updated-dashboard' : null

HPE Cloud Service Automation

This section contains the following topics:

Support Tool for CSA - Information and Instruction Page

Installation and Initial Configuration

Miscellaneous Information and Issues

Cloud Service Management Console

Localization

Provider tool can fail to save keystone configuration

Upgrade

"Resubmit Modify" does not re-apply the values from component.

Problems with running DBPurgeTool, CodarCLI, HealthTool and ProviderTool if they have legacy

mode of encrypted passwords.

PasswordMigrationTool and IdmInstaller Tool

Support Tool for CSA - Information and Instruction Page

Support Tool for CSA is a command line tool that collects important log and configuration files from

different places in the CSA installation directory and packs them in a ZIP archive. The ZIP archive can

then be attached to any service request or defect submission to provide the maximum amount of detailed

information about your actual environment and the current state of the product. The Support Tool can be

used anytime, and is especially useful when investigating and troubleshooting technical issues.

The Support Tool is located in CSA installation folder under the subfolder. It is executed just likeTools

any other tool in HPE CSA. By default, no arguments are needed.

Usage:

java -jar support-tool.jar

Use to see usage hints.–-help

There are two optional parameters:

Options Description

--home <arg>

Use this optional argument to specify the HPE

CSA Home folder location. By default, the tool

detects the HPE CSA home folder.

--output <arg>

Use this optional argument to specify a name to

the output archive file. By default, the archive file

name format is

.logs-and-configs_<yy-MM-dd>.zip

Examples:

java -jar support-tool.jar --home /path/to/csa/home

java -jar support-tool.jar --output myarchive.zip

Installation and Initial Configuration

Cancelling a subscription does not prompt the user for an approver

Problem: Cancelling a subscription does not prompt the user for an approver

Symptoms Cancelling a subscription does not prompt the user

for an approver.

Primary software component HPE CSA

Failure message None

Probable cause By default, cancelling a subscription does not

prompt the user for an approver.

Solution

Prompting the user for an approver when a subscription is cancelled should be configured when the

offering is published.

Navigate to CSA offering > Create offering > Publish > Select catalog > Select approval Policy > select

Manage action approvals and click Cancel.

Content upload not successful during HPE CSA Installation

Problem: When HPE CSA is installed with embedded HPE Operations Orchestration (HPE OO), component tool content packs are

not being automatically exported.

Symptoms When HPE CSA is installed with embedded HPE

OO, the component tool content packs are not

exported and one of the messages listed under

"Failure message" below is noted.

Primary software component HPE CSA

Failure message OO Content upload was not successful. Cannot

Upload Contents. Please follow configuration guide

to upload contents manually.

OO Content upload was not successful. Cannot

create OO user. Please follow configuration guide

to upload contents manually.

Probable cause The first time the embedded HPE OO service

starts during installation, it creates a database

schema, and internal user, and uploads the

content. If these operations do not occur before the

content uploading timeout value is reached due to,

for example, server or database performance

issues, a failure will occur.

Solution

Create the HPE OO user and manually deploy the content packs, as is necessary. Procedures that

explain these operations are contained in the HPE CSA Installation Guide in the section entitled

"Configure HPE Operations Orchestration."

CSA 4.6 - 4.7 - Enable HTTPs traffic logging

Problem: HTTPs logging can be switched on to troubleshoot related issues

Symptoms Need more information about HTTPs traffic going

between CSA server and client endpoints.

Primary software component JBoss

Failure message N/A

Probable cause N/A

Solution

In case you need to have more information about HTTPs traffic when troubleshooting an issue, HTTPs

logging can be switched on in the JBoss configuration file. The configuration file exists on path

%CSA_HOME%\jboss-as\standalone\configuration\standalone.xml

In case of HA setup, the correct path is

%CSA_HOME%\jboss-as\standalone\configuration\standalone-full-ha.xml

Look for the section below and uncomment the last line to enable the logging.

<!--

Uncomment the following line to enable the access log. Please note that

once you activate

the access log you may record and expose personal identifiable information

of your users.

It may violate their privacy. Hewlett Packard Enterprise software respect

people privacy

therefore we recommend:

1. Make sure to delete internal or confident information before

exposing the log.

2. Delete it immediately once you finish debugging.

-->

When the logging is enabled and the server is restarted, a new log file is created that contains information

about the traffic.

%CSA_HOME%\jboss-as\standalone\log\access_log.log

127.0.0.1 18/Nov/2015:17:18:41 +0100 HTTP/1.1 8444 GET /csa/api/ping - 401 - -

127.0.0.1 18/Nov/2015:17:18:43 +0100 HTTP/1.1 8444 GET

/csa/j_spring_security_logout - 302 - -

127.0.0.1 18/Nov/2015:17:18:44 +0100 HTTP/1.1 8444 GET /csa/logout.jsp - 302

v6t5EYIsaAmLrnXP4_jjgixC -

127.0.0.1 18/Nov/2015:17:18:45 +0100 HTTP/1.1 8444 GET /csa/login - 200

v6t5EYIsaAmLrnXP4_jjgixC -

127.0.0.1 18/Nov/2015:17:18:45 +0100 HTTP/1.1 8444 GET

/csa/static/lib/react-intl/react-intl.min.js - 200 v6t5EYIsaAmLrnXP4_jjgixC -

127.0.0.1 18/Nov/2015:17:18:46 +0100 HTTP/1.1 8444 GET

/csa/static/img/hpe_logo.png - 200 v6t5EYIsaAmLrnXP4_jjgixC -

127.0.0.1 18/Nov/2015:17:18:52 +0100 HTTP/1.1 8444 GET

/consumption/rest/organization/accessPoint ?orgName=CSA-Provider 404 - -

127.0.0.1 18/Nov/2015:17:18:52 +0100 HTTP/1.1 8444 POST

/idm-service/v2.0/tokens - 200 zi7NNApDe0q3sWH3NGZBA75N -

127.0.0.1 18/Nov/2015:17:18:52 +0100 HTTP/1.1 8444 POST

/csa/j_spring_security_check - 302 X79hB4pWVLxJilKAF11KP4G4 -

127.0.0.1 18/Nov/2015:17:18:52 +0100 HTTP/1.1 8444 POST /csa/rest/audit/ - 200

- -

127.0.0.1 18/Nov/2015:17:18:54 +0100 HTTP/1.1 8444 GET

/csa/dashboard/index.jsp - 200 X79hB4pWVLxJilKAF11KP4G4 -

127.0.0.1 18/Nov/2015:17:18:54 +0100 HTTP/1.1 8444 GET

/csa/html-lib/js/3rdparty/require/require.js - 200 X79hB4pWVLxJilKAF11KP4G4 -

CSA 4.6 - 4.7 - Multiple JDBC drivers for Oracle in provided directory

Problem: Installation may not finish successfully if the provided directory with JDBC drivers for Oracle contains multiple drivers

(for example, if multiple drivers have the same "ojdbc(6|7)" prefix). Installer will select one at random.

Symptoms Installation may not finish successfully if the

provided directory with JDBC drivers for Oracle

contains multiple drivers (for example, if multiple

drivers have the same "ojdbc(6|7)" prefix). The

installer will select one driver at random, and it may

select the wrong one. Please make sure that the

provided directory contains only relevant JDBC

drivers.

Primary software component Installer

Failure message [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject]

(JCA PoolFiller) IJ000610: Unable to fill pool:

javax.resource.ResourceException: Could not

create connection (in server.log)

Caused by: java.lang.NoClassDefFoundError:

oracle/dms/console/DMSConsole

Probable cause User is prompted to enter the path to a directory

with JDBC drivers for Oracle. If the directory

contains jars that are not JDBC drivers with

the prefix "ojdbc(6|7)," the installation may finish

with an error.

Solution

Stop CSA.

Change the driver at this path:

<CSA_INSTALL_DIR>\boss-as\modules\system\layers\base\com\oracle\ojdbc(6|7)\main\<driver>.jar

<CSA_INSTALL_DIR>\boss-as\modules\system\layers\base\com\oracle\ojdbc(6|7)\main\module.xml

to point to the correct file name.

Start CSA.

CSA 4.6 - 4.7 - The installation hangs with no error state info

Problem: The installation hangs with no error. The process appears to be running with no issues.

Symptoms The installation gets stuck with no error indication.

Installer log files are empty or do not exist.

Primary software component Installer

Failure message N/A

Probable cause The installer fails in the pre-install phase when log

pro pre-install logs in temporary directory, not to

installer log files.

Solution

Go to c:\Users\user\AppData\Local\Temp\ (Windows) or /tmp (Linux) and check the pre-install log file for

errors. The file name format is similar to:

csa-preinstall-2015-12-08-14-34.log

If this log contains any errors, fix the problem, and run the installation.

CSA 4.6 - 4.7 - Upgrade Failure - HPE OO upgrade fails on unable to delete file

Problem: HPE CSA upgrade fails with the message: HPE OO upgrade failed. HPE OO upgrade log contains: Unable to delete file.

Symptoms HPE CSA upgrade fails with the message: HPE

OO upgrade failed. OO upgrade log contains:

Unable to delete file.

Primary software component HPE OO

Failure message Unable to delete the file:

{OO_install_dir}/central/tomcat/work/Catalina/localhost/oo/org/apache/jsp/WEB_002dINF/jsp/login_jsp.class

Probable cause HPE OO central was started by a user other than

the CSA user, and some files have insufficient

permissions for the CSA user.

Solution

When upgrade fails, perform these steps:

Go to {OO_install_dir}/upgrade/10.50/backup.

Copy the central folder back to {OO_install_dir} (Note: Running rollback in

{OO_install_dir}/upgrade/10.50/bin will not work).

Add execute permission for all files in {OO_install_dir}/central/bin.

Remove or change permissions for all files with the wrong permissions in the central/tomcat/work

directory.

Run CSA to resume upgrade, or upgrade OO manually by running './apply-upgrade -f' in

{OO_install_dir}/upgrade/10.50/bin.

CSA 4.7 - HPE CSA on Linux

HPE CSA service fails to start or stop with unrecognized service error on Linux

Problem: Cannot start or stop HPE CSA service.

Symptoms HPE CSA service start/stop command fails.

Primary software component Linux

Failure message csa: unrecognized service

Probable cause The user does not have permission to execute the

HPE CSA service.

Solution

Follow the steps at the end of the section entitled "Install HPE Cloud Service Automation" in the HPE

to create the service and provide proper permissions.Cloud Service Automation Installation Guide

HPE CSA service stop command results in java not found error on Linux

Problem: Cannot stop HPE CSA service.

Symptoms CSA service stop command fails with java not

found error.

Primary software component Linux

Failure message 'eval: java: not found'

Probable cause JAVA_HOME environment variable is not set.

Solution

For HPE CSA:

Run the following command:

export JAVA_HOME=$CSA_HOME/jre

Stop the CSA service by executing the following command:

$CSA_HOME/scripts/csa stop

CSA 4.7 - Initial installation and configuration tips

Following are troubleshooting tips to verify configuration information for specific scenarios and for checking the application log

files.

Symptom LDAP user is unable to log in to the Cloud Service

Management Console.

Solution

Verify that the LDAP server is accessible.

Verify that the LDAP configuration in the Cloud

Service Management Console is correct.

CSA 4.7 - Uninstallation did not finish successfully

Problem: CSA 4.7 - Uninstallation did not finish successfully

Symptoms When the user runs uninstall of CSA, the following

message is displayed at the end of uninstallation:

"The uninstallation could not complete due to an

error."

Primary software component Installer

Failure message "The uninstallation could not complete due to an

error."

Probable cause Unexpected error when executing all uninstall

related tasks.

Solution

Please follow these steps:

If CSA_HOME foder was not removed, search for the uninstallation log file here:

<CSA_HOME>/_CSA_4_70_0_installation/Logs/uninstallLog.txt

If the uninstallLog.txt exists, please search for the root cause of an uninstallation failure in it.

Remove the impediment found the in the uninstallation log file.

Delete the whole CSA install directory.

Remove all corresponding CSA entries from <CSAUSER_HOME>/.com.zerog.registry.xml file.

CSA 4.7 - Upgrade Failure - The specified service has been marked for deletion

Problem: CSA upgrade fails with message: Failed installing CSA. The specified service has been marked for deletion.

Symptoms CSA upgrade fails with message: Failed installing

CSA. The specified service has been marked for

deletion.

Primary software component HPE CSA

Failure message The specified service has been marked for

deletion.

Probable cause The service that is being upgraded is locked by the

operating system.

Solution

CSA upgrade deletes a Windows service during the upgrade, so it can install a new version of the service.

The service can be locked by the operating system. That can happen, for example, if a Terminal or

Services window is open. In this case, the service is not deleted immediately, it is just marked for deletion.

Subsequent attempts to re-create the service fails.

To avoid this error prior to upgrade:

Close all programs other than the CSA installer when upgrading.

If this error has already occurred during upgrade:

Reboot the computer on which CSA was upgraded.

Access the %CSA_HOME%\jboss-as\bin directory in a command window.

Run the command 'service install CSA'.

CSA 4.x - Installation fails. Cannot execute bzip2 command.

Problem: Install on Linux OS is looking for bzip2.

Symptoms HPE CSA installation fails with the missing file

error during CSA upgrade.

Primary software component CSA Linux Install/Upgrade

Failure message tar (grandchild): bzip2: Cannot exec: No such file

or directory.

Probable cause HPE CSA installation requires bzip2 installed on

Linux system.

Solution

NOTE: Before installing CSA on Linux, ensure that data compressor is installed in the Linuxbzip2

machine.

After installing to Linux OS, run HPE CSA installation again.bzip2

Multi-tier sequential designs failing with OO 10.20

Problem: Multi-tier sequential designs failing with OO 10.20

Symptoms Multi-tier sequential designs fails only with

embedded OO 10.20

Primary software component Marketplace Portal, Cloud Service Management

Console

Failure message java.lang.RuntimeException: java.io.IOException:

Server returned HTTP response code: 500 in CSA.

Solution

MS SQL schema used by the OO 10.20 should be configured by the following settings before the

installation:

AllowSnapshotIsolation=True

IsReadCommittedSnapshotOn=True

Performance issue importing large archives

Problem: Import of large archives (>1.5 MB) is slow

Symptoms Operation spins for a long time.

Primary software component HPE CSA

Failure message "Out of memory" error in server.log during import

Probable cause The default Heap size (1 GB) configured in HPE

CSA is not sufficient for the import process.

Solution

Increase the Heap size configured for HPE CSA and perform the import. For additional details, refer to the

"Import Large Archives" section of the .HPE Cloud Service Automation Configuration Guide

Miscellaneous Information and Issues

CSA 4.5 & 4.6 - globalsearch is not working as required configuration is missing in elasticsearch

Symptom

CSA is installed; however, elasticsearch configuration is not created, and thus globalsearch is not

working.

Resolution

Right after CSA installation, if you notice that elasticsearch configuration (i.e, index names to store

indexed documents and security rules for access permissions) is not created, then run

%CSA_HOME%\csa-search-service\bin\create-index.js script manually. The purpose of this script is to

create required elasticsearch configuration for CSA and globalsearch.

If the %CSA_HOME%\csa-search-service\bin\create-index.js script is not able to communicate with

elasticsearch, try restarting elasticsearch with "searchguard.allow_all_from_loopback: true" and then run

create-index.js script. Once elasticsearch configuration is created, you can revert the change for

"searchguard.allow_all_from_loopback" and restart elasticsearch. The configuration parameter

"searchguard.allow_all_from_loopback" is defined in the

%CSA_HOME%\elasticsearch-1.5.2\config\elasticsearch.yml file.

If the %CSA_HOME%\csa-search-service\bin\create-index.js script fails with security, change

rejectUnauthorized to false in %CSA_HOME%\csa-search-service\app.json. and then run

the create-index.js script.

CSA 4.6 - How to handle split brain situation of elasticsearch with cluster

Problem

During elasticsearch cluster setup, sometimes the elasticsearch cluster goes into an inconsistent state

because of a split-brain problem in which you observe that all the nodes are not part of cluster.

What is split-brain?

Let’s take as an example a simple situation of an elasticsearch cluster with two nodes. The cluster holds a

single index with one shard and one replica. Node 1 was elected as master at cluster start-up and holds

the primary shard (marked as in the schema below), while Node 2 holds the replica shard ( ).0P 0R

What would happen if communication between the two nodes fails? This could happen because of

network failures or simply because one of the nodes becomes unresponsive (such as in a case of a

stop-the-world garbage collection).

Both nodes believe that the other has failed. Node 1 will do nothing, because it is already elected as

master. But Node 2 will automatically elect itself as master, because it believes it is part of a cluster that

does not have a master anymore. In an elasticsearch cluster, it is the responsibility of the master node to

allocate the shards equally among the nodes. Node 2 holds a replica shard, but it believes that the

primary shard is no longer available. Because of this, Node 2 automatically promotes the replica shard to

primary.

Our cluster is now in an inconsistent state. Indexing requests that will reach Node 1 will index data in its

copy of the primary shard, while the requests that go to Node 2 will fill the second copy of the shard. In

this situation, the two copies of the shard have diverged and it would be difficult to realign them without a

full reindexing. Even worse, for a non-cluster aware indexing client (e.g., one using the REST interface)

this problem will be totally transparent – indexing requests will be completed successfully every time,

regardless of which node is called. The problem would be only slightly noticeable when searching for

data: depending on the node the search request checks, results will differ.

Solution

The elasticsearch configuration has excellent defaults. However, the elasticsearch team cannot know in

advance all the details of your particular situation. That is why some configuration parameters should be

changed to suit your specific needs. All the parameters mentioned in this post can be changed in the

elasticsearch.yml file, found in the config folder of your elasticsearch installation.

For avoiding the split-brain situation, the first parameter to view is discovery.zen.minimum_master_nodes.

This parameter determines how many nodes need to be in communication in order to elect a master. Its

default value is 1. The rule of thumb is that this should be set to N/2 + 1, where N is the number of nodes

in the cluster. For example, in the case of a 3-node cluster, the minimum_master_nodes should be set to

3/2 + 1 = 2 (rounding down to the nearest integer).

Imagine what would have happened in the case described above if we would had set the

discovery.zen.minimum_master_nodes to 2 (2/2 + 1). When the communication between the two nodes

was lost, Node 1 would lose its master status, and Node 2 would have never been elected as master.

None of the nodes would accept indexing or search requests, making the problem immediately evident for

all clients. Moreover, none of the shards would be in an inconsistent state.

Another parameter you could tweak is the discovery.zen.ping.timeout. Its default value is 3 seconds, and

it determines how much time a node will wait for a response from other nodes in the cluster before

assuming that the node has failed. Increasing the default value slightly is a good idea in the case of a

slower network. This parameter not only caters to higher network latency but also helps in the case of a

node that is slower to respond because it is overloaded.

The split-brain problem is difficult to solve permanently. elasticsearch’s issue tracker has an open issue

about this problem, describing a case where even with a correct value of the minimum_master_nodes

parameter, the split-brain still occurred. The elasticsearch team is working on a better implementation of

the master election algorithm, but if you are already running an elasticsearch cluster, it is important to be

aware of this potential problem.

It is also very important to identify this problem as soon as possible. An easy way to detect that something

is wrong is to schedule a check for the response of the endpoint for each node. This endpoint/_nodes

returns a short status report of all the nodes in the cluster. If two nodes are reporting a different

composition of the cluster, it is a telltale sign that a split-brain situation has occurred.

Ref: http://blog.trifork.com/2013/10/24/how-to-avoid-the-split-brain-problem-in-elasticsearch/

CSA 4.7 - How to move Global Search data from one CSA instance to another CSA instance

Problem

In an upgraded or migrated CSA environment, Global Search service results appear for new offerings and

subscriptions when elasticsearch is configured, but the results do not appear for offerings and

subscriptions that already exist.

Solution

If global search is enabled, it should find existing subscriptions. If global search is not working, you need

to reenable global search when you restart CSA services, which allows you to see all

offerings/subscriptions.

If an existing CSA database is to be attached to a new node (for example, to recover from a node crash or

because of machine migration), perform the following steps to repopulate existing information to the global

search in the new node.

It is assumed that we have a CSA instance (source server) that has elasticsearch indices used for global

search. If elasticsearch was never enabled in this instance, these indices will be empty, and this migration

step is not needed. If it is enabled currently or was enabled previously, the indices exist, and you need to

perform this migration.

Stop all services in <target instance>, and rename the existing folder "elasticsearch" to say

"elasticsearch_old." This folder can be deleted once the migration is completed.

Copy the elasticsearch folder from instance <source instance> to instance <target instance>.

Restart all services.

instances created in <source instance> are searchable. If any are created in the <target instance>,

they are not searchable.

Any offerings, subscriptions, and service instances created from now on will be globally searchable,

because they will be indexed into elasticsearch as they are created.

CSA 4.7 - How to move Global Search data from one CSA instance to another CSA instance

Validating creation of indexes in elasticsearch

CSA 4.7 - In a High Availability environment, some subscriptions may fail

Problem: In a High Availability environment, some subscriptions may fail with following exception in csa.log.

"nested exception is org.springframework.oxm.MarshallingFailureException: JAXB marshalling exception;

nested exception is javax.xml.bind.MarshalException - with linked exception:[java.io.IOException: An

established connection was aborted by the software in your host machine] "

Symptoms Subscription failure in CSA clustered environment.

Primary software component Load balancer

Failure message "nested exception is

org.springframework.oxm.MarshallingFailureException:

JAXB marshalling exception; nested exception is

javax.xml.bind.MarshalException - with linked

exception:[java.io.IOException: An established

connection was aborted by the software in your

host machine] "

Probable cause Some of the REST call to CSA may take longer to

complete, and this period can surpass the default

proxy timeout of the load balancer. In this scenario,

load balancer terminates the connection, so the

REST call fails to complete.

Solution

The proxy timeout value for load balancer should be set to a higher value than the default. The default

value for proxy timeout is vendor-specific. Please refer vendor-specific guides for further information.

CSA fails with JDBC rollback error

Problem: HPE CSA fails to connect with the database, and a JDBC rollback exception occurs in the log

Symptoms HPE CSA fails to connect with the database, and a

JDBC rollback exception occurs in the log.

Primary software component HPE CSA Provider Console

Failure message HPE CSA functionality fails; JDBC rollback error

appears.

Probable cause The database connection might be broken

because of network issues, or the database

service is unresponsive.

Solution

Add configuration information as indicated in the following procedures.

For Standalone Setup:

Stop the HPE Cloud Service Automation service.

Navigate to <CSA_HOME>\jboss-as\standalone\configuration.

Open the standalone.xml file for editing.

Find the "dataSource" tag used for HPE CSA database configuration.

Add the following after the line that ends with </security>

<validation> <check-valid-connection-sql>select 1</check-valid-connection-sql>

<validate-on-match>false</validate-on-match> </validation>

Start the HPE Cloud Service Automation service.

If your HPE CSA instance uses the Oracle database, use the SQL query "select 1 from DUAL" instead of

"select 1" in the above validation connection sql tag.

For Cluster Setup:

Make sure the HPE CSA service is stopped.

Navigate to <CSA_HOME>\jboss-as\domain\configuration.

Open the domain.xml file for editing.

Find the "dataSource" tag used for HPE CSA database configuration.

Add the following after the line that ends with </security>

<validation> <check-valid-connection-sql>select 1</check-valid-connection-sql>

<validate-on-match>false</validate-on-match> </validation>

If your HPE CSA instance uses the Oracle database, use the SQL query "select 1 from DUAL" instead of

"select 1" in the above validation connection sql tag.

Start the HPE CSA Service in cluster mode.

Error occurs when publishing a topology design

Problem: A topology design is created and saved without error, but an "unable to find the target resource" error occurs when an

attempt is made to publish it

Symptoms An "unable to find the target resource" error occurs

when an attempt is made to publish a given

topology design.

Primary software component HPE OO

Failure message Example failure messages for situations as stated:

-Design Consisting of AWS Network Component

Topology to Execution Plan conversion failed -

Unable to find the target resource of

AmazonNetworkInterfaceTypeToAmazonServerType

for instanceId

-Design Consisting of AWS Volume Component

Topology to Execution Plan conversion failed -

Unable to find the target resource of

AmazonVolumeTypeToAmazonServerType for

instanceId

Probable cause Some component types are defined with input

properties that must be obtained via output

properties of certain other component types. If

such component types are used in a topology

design without the proper companion component

type that is the source of the required input

property, or if a proper relation is not defined

between the components, the publish operation will

fail.

Solution

Ensure that components that require input from certain other component types are properly paired in the

topology design, and that a relationship is defined between them.

Error updating sequential service design

Problem: An error occurs while updating an upgraded sequential service design

Symptoms A generic error occurs while saving an upgraded

sequential service design that has multiple

properties from a single option target bound to the

same service component.

Primary software component Service Design

Failure message Error updating service design

Probable cause Multiple properties from a single option are target

bound to the same service component.

Solution

Ensure that the service design does not have options such as multiple properties from any single option

being target bound to the same property on a service component.

HPE CSA REST API - Cannot create property names

Problem: Cannot create property names using the REST API

Symptoms HPE CSA REST API cannot create property

names.

Primary software component HPE CSA REST API

Failure message Object cannot be found.

Probable cause The property name uses special characters.

Solution

If property names, such as URLs, use special characters, the special characters must be encoded.

OO flows are not executing when name, description, or service end dates are modified

Problem: OO flows attached during the modifying phase are not executing when name, description, or service end dates are

modified

Symptoms OO flows attached during the modifying phase of a

subscription are not executing when name,

description, or service end date are modified.

Primary software component CSA service subscription

Failure message None

Probable cause Modifying the properties of the subscription does

not invoke any modification subscription actions.

The only resource offerings that are processed

during the modifying state are those associated

with service components that are processed during

the modifying state.

Solution

To ensure that the desired service components are processed during the modifying state, set these

service components to have a subscriber option property that gets its value directly from a target binding

or have a property mapping that gets its value indirectly from such a target binding.

The only resource offerings that are processed during the modifying state are those associated with

service components that are processed during the modifying state.

Subscriptions stopped getting processed by CSA back ground services after network or database failure

Problem: Subscriptions stopped getting processed by CSA back ground services after network or database failure

Symptoms In the event of network failure CSA background

services stops processing new subscriptions. CSA

logs will report network or database connection

failure.

Primary software component CSA background services

Failure message Error stack trace like "exception:

net.sourceforge.jtds.jdbc.JtdsConnection@45b58627:

java.sql.SQLException: I/O Error: Connection reset

in the CSA logs.by peer: socket write error"

Probable cause In the event of network failure sometime JDBC

driver get stuck indefinitely in database operation.

The probable cause is the absence of socket time

out configuration in CSA jdbc connection url.

By default CSA DB connection url doesn’t set any

explicit SocketTimeout properties for JDBC.

(Default value is zero, which means wait time is

infinity.)

Socket timeout value for JDBC driver is necessary

when the db connection is terminated abruptly or a

network failure has occurred. Due to this reason

CSA background services get blocked indefinitely.

Solution

In order to unblock the background services, the db operation needs to be terminated. In that situation it

would be terminated automatically only if a timeout is configured for the socket. Socket timeout can be

configured via JDBC driver.

To prevent the infinite waiting situation when there is a network error and shorten the failure time, set the

socket timeout in <CSA_HOME>/jboss-as/standalone/configuration/standalone.xml for both csaDS and

idmDS connection-url as below

DB Type connectTimeout Default Unit Connection URL

Oracle oracle.net.CONNECT_TIMEOUT0 millisecond Needs to set as

property

Example:

<datasource

jndi-name="java:jboss/datasources/csaDS"

pool-name="OracleDS">

<connection-url>jdbc:oracle:thin:@//

<DB_HOST>

:1521/csa.cdl.local</connection-url>

<driver>oracleDriver</driver>

....

<connection-property

name="oracle.net.CONNECT_TIMEOUT">

300000

</connection-property>

<connection-property

name="oracle.jdbc.ReadTimeout">

300000

</connection-property>

</datasource>

oracle.jdbc.ReadTimeout0 millisecond

MS SQL loginTimeout 0 second Needs to specify in

the jdbc connection

url.

Example:

<connection-url>

jdbc:jtds:sqlserver://

<DB_HOST>:1433/csa;ssl=request;loginTimeout=300;socketTimeout=300</connection-url>

socketTimeout 0 second

Postgresql connectTimeout 0 second Needs to set as

property

Example:

<datasource

jta="true"

jndi-name="

java:jboss/datasources/csaDS

pool-name="csaPostgresDS"

enabled="true"

use-java-context="true"

use-ccm="true">

<connection-url>

jdbc:postgresql://

<DB_HOST>:5431/csadb</connection-url>

<driver>pgsqlDriver</driver>

....

<connection-property

name="loginTimeout">300</connection-property>

<connection-property

name="socketTimeout">300</connection-property>

<connection-property

name="connectionTimeout">300</connection-property>

</datasource>

socketTimeout 0 second

MySQL connectTimeout 0 millisecond Needs to specify in

the jdbc connection

url.

Example:

<connection-url>

jdbc:mysql://

<DB_HOST>:3306/csadb?connectTimeout=300000&socketTimeout=300000</connection-url>

socketTimeout 0 millisecond

Note: Here in the example socket time is configured 5 mins. Please determine socket time out value

based on your environment.

User authorization fails if base DN of an organization is modified during user session

Problem: User authorization fails if the base DN of an organization is modified during user session

Symptoms If the admin user modifies the base DN in the

LDAP settings of an organization while a user is

logged in, the user authorization fails and

navigation is disabled.

Primary software component Marketplace Portal/CSA Management Console

Failure message Authorization exceptions

Probable cause A user is logged into an organization when the

admin user changes the base DN in the LDAP

settings of that organization.

Solution

Once the user cache is cleared after the configured timeout that is set in the csa.properties file, the user

can log in again and the user groups will be refreshed.

Vcenter_ADM_SIS_UCMDB_320 service subscription goes into Pause state after HPE OO flows are successful

Problem: The Vcenter_ADM_SIS_UCMDB_320 service subscription goes into the Pause state in HPE CSA even after all the HPE

Operations Orchestration (HP OO) flows are successful and the return code from HPE OO indicates a success.

Symptoms The Vcenter_ADM_SIS_UCMDB_320 service

subscription goes into the Pause state in HPE CSA

even after all the HPE Operations Orchestration

(HPE OO) flows are successful and the return

code from HPE OO indicates a success.

Primary software component HPE CSA, HPE OO

Failure message None.

Probable cause The HPE CSA timeout that is set to wait for the

HPE OO flow action to complete is shorter than the

actual time taken by the action to complete the

deployment of the application using HPE ADM.

Solution

Increase the default timeout value for the Deploy Application action in the SA_ADM_3.20 Resource

Offering.

Windows command-line commands do not run

Problem: Windows® command-line commands do not run

Symptoms Scripts or commands typed into the Windows

command prompt fail.

Primary software component Windows command prompt

Failure message <partial_path_name is not recognized as an>

internal or external command, operable program or

batch file.

For example, 'C:\Program' is not recognized as an

internal or external command, operable program or

batch file.

Probable cause If a variable is used in the command, the variable

might contain a space in the directory path name.

Solution

If a command uses a variable, enclose the command in quotation marks.

For example,

"%CSA_HOME%\jre\bin\java" -jar process-defn_tool.jar -d db.properties -i

HPOOInfoInput.xml

"%ICONCLUDE_HOME%\jre1.6\bin\java" -jar CSA-3_10-ContentInstaller.jar

-centralPassword mypassword

Cloud Service Management Console

A JBoss service error message appears in server.log during CSA service startup

Problem: A JBoss service error message appears in server.log when CSA service is starting up

Symptoms During CSA service start up a JBoss service error

message appears in server.log.

Primary software component Cloud Service Management Console

Failure message JBAS014775: New missing/unsatisfied

dependencies:

service jboss.binding.http (missing)

dependents: [service jboss.web.connector.http]

ERROR [org.jboss.as] (Controller Boot Thread)

JBAS015875: JBoss AS 7.1.3.Final "Arges" started

(with errors) in 98633ms - Started 647 of 733

services (1 services failed or missing

dependencies, 83 services are passive or

on-demand)

Probable cause HTTP socket binding is disabled in standalone.xml.

But HTTP to HTTPS redirection configuration still

exists in standalone.xml

Solution

This is a harmless error message. There is no functional impact due to this error.

Cannot delete a provider associated with failed subscriptions

Problem: Cannot delete a provider associated with failed subscriptions.

Symptoms During service subscription, a resource provider

associated with a resource offering or resource

environment might be bound to a service

component of a service instance. Once a resource

provider is bound, it cannot be deleted from HPE

CSA.

Primary software component HPE Cloud Service Management Console

Probable cause This is by design. Removing a bound resource

provider leaves the service instance in an

inconsistent state.

Solution

If you are deleting a resource provider because of a typographical error while configuring the Service

Access Point information (such as the URL, user name, or password), use the edit button to modify the

resource provider information in the HPE Cloud Service Management Console.

CSA 4.7 - Cannot view Russian currency symbol

Problem: Cannot view Russian currency symbol.

Symptoms Cannot view Russian currency symbol.

Primary software component SMC user interface, MPP user interface.

Failure message No failure message. Instead of seeing the currency

symbol in the SMC or MPP, an empty box is

displayed.

Probable cause User does not have Unicode 7 font installed.

Solution

On Windows, Unicode 7 may be installed by following a link in the following Microsoft KB Article (

).https://support.microsoft.com/en-us/kb/2970228

Here are quick links to the Windows Updates:

x86: https://www.microsoft.com/en-us/download/details.aspx?id=44057

x64: https://www.microsoft.com/en-us/download/details.aspx?id=44052

Background: http://en.wikipedia.org/wiki/Russian_ruble

CSA 4.7 - Chrome reloads SWF on every navigation to a page that uses Flash Player

Problem: Chrome reloads SWF on every navigation to a page that uses Flash Player.

Symptoms When accessing the Cloud Service Management

Console in Chrome, areas that involve a SWF file

(the Organizations area) reload on every user

navigation to the area.

Primary software component Cloud Service Management Console

Failure message N/A

Probable cause Chrome will reload an SWF from an HTTPS web

site if the SSL certificate configured for that site is

not trusted by the browser.

Solution

Configure a CA-signed certificate for use with HPE CSA, as described in the HPE Cloud Service

.Automation Configuration Guide

CSA 4.7 - Communication error in Firefox when Use system proxy settings is configured

Problem: Communication error in Firefox when 'Use system proxy settings' is configured.

Symptoms A communication error is received in Firefox

immediately after you log in to the Cloud Service

Management Console.

Primary software component Cloud Service Management Console

Failure message Communication error

Probable cause In certain network environments, Firefox is unable

to communicate with the Cloud Service Automation

service when Use system proxy settings is

configured.

Solution

Configure Firefox network settings to use a method other than Use system proxy settings. For example,

configure Firefox to use either a manual or automatic proxy configuration. In Firefox 47, these settings are

configured in Options / Advanced / Network / Settings.

CSA 4.7 Import of topology designs does not automatically add missing component relationship definitions

Problem: Import of topology designs does not automatically add missing component relationship definitions.

Symptoms Import of a topology design fails with an error.

Information in the detailed report indicates a

needed relation is missing.

Primary software component Cloud Service Management Console

Failure message After clicking View Detailed Report, you'll see

either

relation.<relation_name>_<component_id> -

Missing in repository component type OR

relation.<relation_name>_<component_id> -

Exist different (review needed)

Probable cause The definition of the topology component on the

system in which the import is occurring lacks

relationship definitions that are needed by the

design being imported.

Solution

The missing relationships must first be added to the component in the Components area prior to

performing import. Alternatively, the associated component may be deleted (if not otherwise used on the

HPE CSA system) and the import will re-create the component, with the needed relationships, when the

design is imported.

To add the missing relationship(s), follow these steps:

By clicking View Detailed Report, either after a Preview operation or after the actual Import, the

details of any missing or misconfigured relationships will be displayed.

If the missing relationship was a required relationship, a message of the following form will be

displayed:

relation.<relation_name>_<component_id> - Missing in repository component

type

If the missing relationship was not a required relationship, a message of the following form will be

displayed:

relation.<relation_name>_<component_id> - Exist different (review needed)

These messages will be displayed in the context of a particular topology component that is missing

the needed relationship.

To allow the design import to succeed, navigate to the Designs / Topology / Components area of

the Cloud Service Management Console, select the relevant component with the specified

<component_id>, and create the needed relationship, using the precise <relation_name> value that

was specified in the detailed report.

The design can then be imported normally.

CSA 4.7 - Internet Explorer ESC interferes with Management Console

Problem: Internet Explorer ESC interferes with Management Console.

Symptoms When viewing the Cloud Service Management

Console in Internet Explorer on a system in which

IE Enhanced Security Configuration is enabled, the

Management Console may not display properly.

You may be presented with a blank screen when

accessing the Management Console.

Primary software component Cloud Service Management Console

Failure message N/A

Probable cause IE Enhanced Security Configuration interferes with

proper display of the Cloud Service Management

Console.

Solution

To access the Cloud Service Management Console using IE on a system in which IE Enhanced Security

Configuration is enabled, select from one of the following options:

Option 1: Add HPE CSA as a Trusted site (in IE, select Internet Options / Security / Trusted sites /

Sites, and add https://<csa_hostname>).

Option 2: Add HPE CSA as a site in the Local intranet zone (in IE, select Internet Options / Security

/ Local intranet / Sites / Advanced, and add https://<csa_hostname>).

Option 3: Disable IE ESC (in Server Manager on Windows®, disable IE ESC).

Error while listing properties in 'Designer' tab

Problem: An error occurs when listing properties in 'Designer' tab.

Symptoms An error occurs while listing component properties

in 'Designer' tab.

Failure message Unexpected error while listing properties: null

Probable cause This error occurs when the component is

dependent on a property of the provider which is

not created.

Solution

Verify whether the component has any property attached to the provider, and whether the provider is

created. If not, create the provider.

Executive Scorecard integration does not work properly for the Showback Report

Problem: Executive Scorecard integration does not work properly for the Showback Report

Symptoms The Showback Report, accessible via the Cloud

Analytics tile of the Cloud Service Management

Console, does not display properly.

Primary software component HPE Cloud Service Management Console,

Executive Scorecard

Failure message Page was not found.

Probable cause CAP files need to be imported into Executive

Scorecard.

Solution

.https://hpln.hpe.com/contentoffering/executive-scorecard-cap-content-acceleration-pack

Click the button to download the "CSA CAP" .zip file .Download

Upload the CAP files to the Executive Scorecard application. For details, see the procedure entitled

"Upload a CAP to the Executive Scorecard application" in the Guide to XS Content Acceleration

for Executive Scorecard.Packs

Failure to add LDAP user to a named approver policy

Problem: After a failed attempt to add an invalid approver, the next attempt to add a valid approver will fail, but the second attempt

will succeed.

Symptoms When attempting to add an LDAP user who does

not have access to an organization to a NAMED

APPROVER POLICY, the user will receive the

message "Error Adding User. Person not assigned

any roles for this organization." The next attempt to

add a valid approver who does have organization

access will fail with the message "User does not

have the permission ORGANIZATION_READ to

perform the operation;" however, the second

attempt to add a valid approver is successful.

Primary software component Approval Policies

Failure message After the first attempt (user does not have access

to an organization) - "Error Adding User. Person

not assigned any roles for this organization."

After next attempt (user is a valid approver who

has organization access) - "User does not have the

permission ORGANIZATION_READ to perform the

operation."

Probable cause User does not have the permission

ORGANIZATION_READ to perform the operation.

Solution

After the first attempt to add a valid approver, add the valid LDAP user to the Named Approver policy

again without exiting the pop-up UI.

No dashboard pages display when tiles under the Cloud Analytics tile are clicked

Problem: No dashboard pages open when the tiles under the Resource Analytics, Service Analytics, or Showback Report tiles

under the Cloud Analytics tile are clicked.

Symptoms When the Resource Analytics, Service Analytics,

or Showback Report tiles that are under the Cloud

Analytics tile are clicked, the relevant embedded

dashboard page may not display, and an error

might appear indicating the page could not be

loaded.

Primary software component HPE Cloud Service Management Console

Failure message Possible message indicating that the relevant page

could not be loaded.

Probable cause The Cloud Analytics dashboard pages are

provided by HPE IT Executive Scorecard and are

embedded in HTML iframes (inline frames)

communicating over HTTPS in the HPE CSA

interface. Iframe integration over HTTPS requires

that the sites being connected must use trusted

certificates.

Solution

Follow these steps:

Locate the URLs in the dashboard configuration file for the Resource Analytics, Service Analytics,

and Showback Report.

The dashboard configuration file "config.json" is in the <CSA Installation

directory>\jboss-as\standalone\deployments\ csa.war\dashboard\ directory.

Open each of the URLs in the browser in use, export their certificates, add the certificates to the

Windows trusted root CA, and then close the browser.

Reopen the browser and click on the tiles. The embedded dashboard pages should now appear.

Trying to add a valid approver fails with error message

Problem: Trying to add a valid approver after a failed attempt to add an invalid approver who does not have access to the

organization fails with an error message.

Symptoms

When trying to add a valid approver after a

failed attempt to add an invalid approver, the

following message displays: User does not

have the permission ORGANIZATION_READ

to perform the operation.

After clicking , an attempt is made to addOK

the same valid user to the policy again without

exiting the popup UI, and the add operation is

successful.

Primary software component Cloud Service Management Console

Failure message User does not have the permission

ORGANIZATION_READ to perform the operation.

Solution

Click when the message "User does not have the permission ORGANIZATION_READ to perform theOK

operation" displays. Then add the same user to the policy again. The user is successfully added in the

second attempt without exiting the popup UI.

Unable to log in to the Cloud Service Management Console after installation when Single Sign-on Is Configured

Problem: Unable to log in to the Cloud Service Management Console after installation when Single Sign-on Is Configured.

Symptoms The user is unable to log in to Cloud Service

Management Console.

Primary software component HPE Cloud Service Management Console

Failure message No message is displayed to the user attempting to

continually taken back to the login screen. In the

csa.log file, an error message will be logged

containing the text "setSSOToken cannot be

performed, configured creationDomains does not

contain received request domain."

Probable cause The domain for Single Sign-on is not properly

specified.

Solution

If you install HPE CSA on a system with a fully qualified domain name of the format , and ifname.a.b.com

you enable Single Sign-on during installation, you must specify a domain name of on the installa.b.com

screen where the domain name is requested.

If you specify , you will be unable to log in to the Cloud Service Management Console after theb.com

installation. The HPE Single Sign-on functionality requires a domain name of to be specified ina.b.com

this scenario.

If you have already installed HPE CSA, you can edit the

CSA_HOME/jboss-as/standalone/deployments/csa.war/WEB-INF/hpssoConfiguration.xml file to set the

domain property correctly, and then restart the CSA service.

Various problems when logging into the Cloud Service Management Console in multiple browser tabs

Problem: Various problems can occur when a user logs in with different user credentials to the Cloud Service Management

Console in multiple browser tabs.

Symptoms If you log in as different HPE CSA users in multiple

tabs, the last user logged in determines the access

rights of all currently open browser tabs. This can

result in error messages being displayed when a

user attempts to perform an action that the last

logged in user does not have rights to perform.

Primary software component Cloud Service Management Console

Probable cause Improper handling of multiple tabs.

Solution

Use only one browser tab at a time to log in to the Cloud Service Management Console. If multiple tabs

are used, ensure that the same user is logged in to each tab.

To switch which user is logged in, first log out and then log back in as the different user.

Web Browser Remembers Password Credentials

Problem: Internet Explorer, Chrome, and Firefox offer the ability to remember login credentials to the Cloud Service Management

Console.

Symptoms When logging in to the Cloud Service Management

Console, your browser may prompt you to save the

credentials in other Cloud Service Management

Console web forms as well.

Primary software component Cloud Service Management Console

Probable cause Some major browsers have been designed to

ignore the autocomplete=off attribute in web forms,

offering users the ability to save passwords even

when web developers want to explicitly prohibit

that ability.

Solution

If you do not want to have your login credentials saved by the browser, indicate when prompted that you

do not wish to have your login or password information saved (or remembered). You can often instruct the

browser to not to prompt you in the future for the web site.

It is often also possible to configure a given browser to not prompt you to remember passwords at all. This

can often be configured either in the browser itself or via corporate IT policy. Refer to your browser

documentation or contact your system administrator for more details.

Localization

Non-English characters are not being properly stored by Oracle

Problem: Non-English characters are corrupt after being stored in Oracle.

Symptoms Non-English characters are not correct after being

stored in the Oracle database.

Primary software component Oracle database

Probable cause Oracle database localization parameters were not

set before installing HPE CSA.

Solution

To support localization, the Oracle database must be configured to support non-English characters. This

configuration must be completed before HPE Cloud Service Automation is installed.

If the necessary parameters are not set to the required values, and you have already installed and started

using HPE CSA, you must create another database configured for localization and then migrate the data

to the new database instance that will support non-English characters. See the "Configure Oracle for

Localization" section of the .HPE Cloud Service Automation Installation Guide

Provider tool can fail to save keystone configuration

Problem: Tracing levels for the provider-tool allows keystone configuration errors to happen silently.

Symptoms When you create a new provider with the provider

tool the following messages are displayed:

Loading Application Context

.....................

Finished Loading Application Context

Tool Action: create

Creating resource provider(s)

Created provider '<providerName>'.

Finished running the provider tool ....

Depending on the SSL configuration, the

idm-service configuration, or the database settings

being incorrect, it is possible that the provider was

not created successfully.

Currently, the provider-tool.log as configured

through log4j2.xml does not output the error

messages to alert if errors occur with idm keystone

configuration.

Primary software component provider-tool.jar

Failure message None

Probable cause logging does not output errors appropriately

Solution

After creating a provider via the provider-tool, verify that the " " property haskeystoneConfigurationID

been set to a value by querying the provider. For example, java -jar provider-tool.jar -a

.read -t OPENSTACK

If the property is not present in the "provider_out.xml",

1) Use the UI to delete and recreate the provider

2) Delete the provider through the UI or provider tool, and then turn up the logging for the provider-tool

before recreating the provider.

The following is a sample log4j2.xml file which can be used to enable logging for the provider tool:

<?xml version="1.0" encoding="UTF-8"?>

</Console>

<RollingFile name="fileappender" filename="provider-tool.log"

filePattern="provider-tool-%i.log"

append="true">

</Policies>

</RollingFile>

</Appenders>

</Root>

</Logger>

</Logger>

</Logger>

</Logger>

</Logger>

</Logger>

</Logger>

</Logger>

</Logger>

</Loggers>

</Configuration>

When you run the provider-tool specify: java -Dlog4j.configurationFile=log4j2.xml -jar

provider-tool.jar -a create -p newprovider.xml

Any exceptions during configuration should be visible on the console.

Upgrade

Icons for some service designs are missing after upgrading to 4.8

Problem: Icons for some service designs are missing after upgrading to 4.8

Symptoms Service designs that use the icon with name

'Service_Design.png' will not display the icon.

These icons are used by the following service

designs that are available out-of-the-box with CSA.

Amazon EC2 Compute in VPC

Amazon EC2 Compute in ELB

Provision VLAN using Network Automation

SA Audit Compliance on Vcenter Compute

SA Patching Compliance on Vcenter Compute

Primary software component CSA Designer in Provider Portal

Failure message File not found

Probable cause The icon is renamed to 'service_design.png'

Solution

The image Service_Design.png is renamed to service_design.png due to which the image loading fails

for designs that used the older name. Identify all designs that use the older name, and edit them to

re-select the same image. Re-publish the designs after saving them.

In 4.7 upgrade setup, the Provider organization log in with LDAP does not work when SAML is enabled

Problem: In 4.7 upgrade setup, the Provider organization log in with LDAP does not work when SAML is enabled

Symptoms In 4.7 upgrade setup, the Provider organization log

in with LDAP does not work when SAML is

enabled.

Primary software component HPE Cloud Service Management Console

Failure message Log in to Provider organization will fail

Probable cause When SAML is configured, LDAP representation

with abolute DN is expected for successful login

but, relative DN is available in upgrade setup.

Solution:

Update the existing DN in access control of provider organization.

SAML configuration is lost after upgrade from CSA 4.7 to CSA 4.8

Problem: SAML configuration is lost after upgrade to CSA 4.8

Symptoms SAML configuration is lost after upgrade from CSA

4.7 to CSA 4.8

Primary software component CSA Upgrade Installer

Failure message All SAML configurations will be lost after upgrade.

Probable cause All SAML configuration changes need to be

handled in CSA upgrade installer.

Solution

If SAML is configured in CSA 4.7 and you have upgraded to CSA 4.8, you need to configure SAML again

from scratch by referring to the SAML configuration guide.

Unable to import a design from an upgraded 4.8 instance to a fresh 4.8 instance that contains VCENTER_SERVER

component

Problem: Unable to import a design from an upgraded 4.8 instance to a fresh 4.8 instance that contains VCENTER_SERVER

component

Symptoms Import fails with an error message that

VCENTER_SERVER component is not found in

the CSA instance.

Primary software component CSA Designer in Provider Portal

Failure message Error importing service design archive. Service

Component Type 'VCENTER_SERVER' does not

exist in the system

Probable cause vCenter Palette is not available in CSA 4.8

Solution

Export the vCenter Palette and its associated OO content from the upgraded CSA 4.8 instance and import

into the fresh CSA 4.8 instance. Then import the service design into the fresh CSA 4.8 instance. If

Import-Preview displays the error message Unable to find a constraint between "Server Group" and

"vCenter Server" or similar, then ignore the error message and import the design.

Upgrade fails from earlier supported versions of CSA to 4.8

Problem: CSA upgrade fails from earlier versions to 4.8

Symptoms Upgrade fails when CSA upgraded from earlier

versions of CSA 4.6 or 4.7 to 4.8

Primary software component CSA Upgrade Installer

Failure message Caused by: java.lang.RuntimeException:

org.springframework.beans.factory.BeanCreationException:

Error creating bean with name

'seededDataMigrator' defined in ServletContext

resource

Probable cause For Microsoft SQL Server, snapshot isolation is not

IdM database before upgrade to 4.8enabled for

Solution

For Microsoft SQL Server, it is mandatory to enable the snapshot isolation for Identity management

database which can be achieved through following database statements:

ALTER DATABASE idmdbName SET ALLOW_SNAPSHOT_ISOLATION ON;

ALTER DATABASE idmdbName SET READ_COMMITTED_SNAPSHOT ON;

"Resubmit Modify" does not re-apply the values from component.

Problem:

Modify subscription fails as one of the modify actions fail and 'Resubmit Modify' doesn't re-apply the

values or doesn't run again.

The detail steps to see this scenario is as below-

Create a design/offering in which the action on modify for a component always fails.

Initiate a modify action on subscription.

The action fails and the subscription now has "Resubmit Modify" .

Make changes to the values of the affected component.

"Resubmit Modify" does not re-apply the values from component.

Solution:

Resubmit modification does push the values if it sees the component property has changed. In the first

modification, the properties are pushed and the action fails after that. When a resubmit modify is

submitted, the old properties that was pushed when it failed is not changed and so the resubmit modify

doesn't come into affect. When this happens, one has to bring back the property values of the

and when modification is resubmitted, the values get pushed againcomponent before the modification

on the component.

Problems with running DBPurgeTool, CodarCLI, HealthTool and ProviderTool if they have legacy mode

of encrypted passwords.

Problem: Some of the tools will fail to run for the first time in CSA 4.92 fresh or upgrade setup due to old legacy mode of

passwords.

Symptoms DBPurgeTool, CodarCLI, HealthTool and

ProviderTool's will fail to run with authentication

errors due to wrong encrypted passwords.

Primary software component CLI Tools

Failure message Authentication error

Probable cause config.properties of DBPurgeTool, CodarCLI,

HealthTool and ProviderTool's were not updated

with Strong encrypted passwords during fresh or

upgrade time due to the presence of escape

character in earlier legacy password.

PasswordMigrationTool fails to re-encrypt legacy

passwords to strong passwords due to the

presence of escape character leading to

authentication failures when tools are run in cli

mode.

Solution

Recommended to change passwords to plain text in the tools property file before running the tool for the

very first time for 4.92. Once run the first time the passwords provided in plain text will be re-encrypted by

the tool automatically by using the new encryption key and passphrase profile.

PasswordMigrationTool and IdmInstaller Tool

Authentication failure while running PasswordMigrationTool (PMT) via cmd prompt

Problem: Authentication failure while running PasswordMigrationTool (PMT) via cmd prompt

Symptoms PMT tool fails to run with Authentication failure.

Primary software component Tools - PasswordMigrationTool

Failure message ERROR: The username or password provided is

not correct. Please provide a valid username

and/or password.

Probable cause

PMT tool config.property file

(<CSA_HOME>/CSA\Tools\PasswordMigrationTool/config.properties)

file having old legacy encrypted passwords.

PMT tool config.property file having wrong

plain texts or strong encrypted passwords, set

against securityAdminPassword,

securityIdmTransportUserPassword or

securityTransportPassword.

CSA service might be down.

In case of HA mode, PMT tool, config.property

file, csa.Url and idmConfig.Url points to local url

and not load balancer url.

Solution

In case of standalone mode, please do the following:

a. Check if CSA service is up and running. If not, please start the service and ensure that the

authentication is working fine.

b. Check if securityAdminPassword, securityIdmTransportUserPassword or

securityTransportPassword are having correct passwords.

Passwords can be mentioned in plain text format or in strong encrypted mode (encrypted using

4.92 CSA PasswordUtil tool).

c. Check if csa.Url and idmConfig.Url are pointing to correct CSA url along with port number.

Note: This should be FQDN name. Example:

csa.Url=https://shiwinsql-csa2.csacloud.local:8444

idmConfig.Url=https://shiwinsql-csa2.csacloud.local:8444

In case of HA mode, please do the following:

a. Check if CSA service is up and running via load balancer URL. If not, please start the service and

ensure authentication is working fine.

b. Check if securityAdminPassword, securityIdmTransportUserPassword

or securityTransportPassword are having correct passwords.

Passwords can be mentioned in plain text format or in strong encrypted mode (encrypted using

4.92 CSA PasswordUtil tool).

c. Check if csa.Url and idmConfig.Url are pointing to Load Balancer CSA url and port and not

individual node FQDN.

Certificate issue during PMT authentication (passphrase change) when CSA is in HA mode (either Apache or F5 load

balancer)

Problem: Certificate issue during PMT authentication for Apache or F5 load balancer

Symptoms Certificate issue when you run PMT tool from cmd.

for Apache or F5 load balance setup.

Primary software component Tools - PMT

Failure message Caused by:

sun.security.validator.ValidatorException: PKIX

path building failed:

sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested

target

sun.security.validator.PKIXValidator.doBuild(PKIXValidator.

) ~[?:?]java:387

sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.

) ~[?:?]java:292

sun.security.validator.Validator.validate(Validator.

) ~[?:?]java:260

sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.

) ~[?:?]java:324

sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.

) ~[?:?]java:229

sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.

) ~[?:?]java:124

sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.

) ~[?:?]java:1488

... 143 more

Caused by:

sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested

target

sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.

) ~[?:?]java:146

sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.

) ~[?:?]java:131

java.security.cert.CertPathBuilder.build(CertPathBuilder.

) ~[?:1.8.0_60]java:280

sun.security.validator.PKIXValidator.doBuild(PKIXValidator.

) ~[?:?]java:382

sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.

) ~[?:?]java:292

sun.security.validator.Validator.validate(Validator.

) ~[?:?]java:260

sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.

) ~[?:?]java:324

sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.

) ~[?:?]java:229

sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.

) ~[?:?]java:124

sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.

) ~[?:?]java:1488

Probable cause F5 loadbalancer certificate is not imported into

cacerts of openjre.

Solution

Export the certificate of F5 loadbalancer.

Import the certificate into cacerts of CSA openjre using below command:

keytool -import -trustcacerts -noprompt -keystore cacerts -storepass <password for

keystore> -alias <Alias for cert> -file <full path for cert>

Could not open Hibernate Session for transaction error while running PMT tool

Problem: Could not open Hibernate Session for transaction error while running PMT tool

Symptoms PMT tool fails to run with "ERROR: Could not open

Hibernate Session for transaction; nested

exception is

org.hibernate.exception.GenericJDBCException:

Could not open connection" error message.

Primary software component Tools - PasswordMigrationTool

Failure message "ERROR: Could not open Hibernate Session for

transaction; nested exception is

org.hibernate.exception.GenericJDBCException:

Could not open connection" error while running

PMT via cmd prompt.

Probable cause Wrong JDBC credentials and connection

parameters.

Solution

PasswordMigrationTool needs database connection to re-encrypt all confidential data from old encryption

profile to new encryption profile(or while changing passphrase). Please ensure to provide correct

database connection details in config.properties file of PMT tool as shown below:

jdbc.dialect=org.hibernate.dialect.PostgreSQLDialect

jdbc.driverClassName=org.postgresql.Driver

jdbc.databaseUrl=jdbc:postgresql://<DB machine IP/name>:<DB port>/csadb

jdbc.username=postgres

jdbc.password=password (password can be either in plain text mode or in encrypted mode)

Note: While running PMT tool via cmd prompt for the first time in CSA 4.92 fresh or upgrade setup, please

specify password in plain text mode. PMT tool re-encrypts the password with strong mode during first run.

No need to change this password in subsequent runs.

Existing Organizations are not working in case of 4.82 to 4.92 upgrade.

Problem: <Description>

Symptoms Existing Organizations are not working in case of

4.82 to 4.92 upgrade. There are no issues with

new organizations created after upgrade to 4.92.

Primary software component Organization module.

Failure message Failure to login or edit old organization which were

created prior to upgrade.

Probable cause Failure to IdmInstaller tool to re-encrypt IDM

Database passwords.

Solution

During upgrade, IdmInstaller tool might have failed to re-encrypt database passwords from legacy to

strong due to JDBC connection issues.

Notice for any errors while running IdmInstaller tool from Install.log:

======================================

Start to upgrade the idm installation crypto data

Replaced 2 of 2 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\consumer-users.properties.

Replaced 1 of 1 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\integrationusers.properties.

Replaced 6 of 6 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\provider-users.properties.

Succeed to upgrade the idm database crypto data

Start to upgrade the idm database crypto data

Established the connection to IdM Database

Start to update the table ldap_configuration, columns=[password,transport_password]

Succeed to update the table ldap_configuration, columns=[password,transport_password],

totalRow=0, passedRow=0

Start to update the table keystoneconfiguration, columns=[transport_password]

Succeed to update the table keystoneconfiguration, columns=[transport_password], totalRow=0,

passedRow=0

Start to update the table system_resource_config, columns=[value]

crypto

06 Feb 2018 14:26:46,261 INFO : Exit executing Ant target: idmPwdMigration

======================================

Solution would be to:

Run IdmInstaller tool manually post upgrade if there are issues with JDBC connection

Provide modified new encrypted passwords via PasswordUtil Tool.

Run IdmInstaller tool manually post upgrade if there are issues with JDBC connection

Follow below steps to run Idm:

Go to <CSA-HOME>\idm-encryption\idm-installer\conf directory and open idmMigrate.properties file

in text editor.

Provide required JDBC connection parameters and passwords (can be in plain text format).

Ensure idm.service.war is pointing to correct location.

Example: idm.service.war=C:/Program Files/Micro

Focus/CSA/jboss-as/standalone/deployments/idm-service.war

Ensure idm.crypto.keyConfiguration is pointing to IDM security folder.

Example: idm.crypto.keyConfiguration=C:/Program Files/Micro

Focus/CSA/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/security

If the database is oracle, please ensure to copy the required JDBC jar to

<CSA_HOME>\idm-encryption\idm-installer\lib location.

Ensure to keep From profile as legacy and To profile as local as shown below:

idm.crypto.enckeytype.from=legacy

idm.crypto.enckeytype.to=local

On cmd go to <CSA-HOME>\idm-encryption\idm-installer

Run the following command (for unix, use .sh file) to migrate all legacy passwords from IDM

configration files and database passwords to strong encryption mode.

<CSA-HOME>\idm-encryption\idm-installer>idm.bat crypto migrate

Provide modified new encrypted passwords via PasswordUtil Tool.

Other approach is to directly edit old password with new password (created via new PasswordUtil

Tool) in configuration file or database in its respective location. But this is not a recommended

approach, as there are chances of altering other content in the database by mistake.

java.lang.UnsatisfiedLinkError: Cannot load library error while running PMT tool

Problem: java.lang.UnsatisfiedLinkError: Cannot load library error while running PMT tool

Symptoms PMT tool fails with UnsatisfiedLinkError during

passphrase change in DPAPI or profile change to

DPAPI.

Primary software component Tools - PMT

Failure message java.lang.UnsatisfiedLinkError: Can't load library

error while running PMT tool

Probable cause Missing dll folder from either "from.key.path" or

"to.key.path" location.

Solution

If PMT is run while changing passphrase for DPAPI, please make sure DLL folder (from

<CSA_HOME>/CSA/encryption location) exists in both "from.key.path" and "to.key.path" locations.

For example:

If "from.key.path" in <CSA_HOME>\CSA\Tools\PasswordMigrationTool\config.properties is mentioned as

"from.key.path= " then make sure to copy "dll" folderC\:/Program Files/Micro Focus/CSA/encryption/old

from <CSA_HOME>/CSA/encryption folder to "<CSA_HOME>/CSA\encryption\old" directory.

Similarly,

If "to.key.path" in <CSA_HOME>\CSA\Tools\PasswordMigrationTool\config.properties is mentioned as

"from.key.path= then make sure to copy "dll" folderC\:/Program Files/Micro Focus/CSA/encryption"

from <CSA_HOME>/CSA/encryption folder to "<CSA_HOME>/CSA\encryption" directory.

Not all passwords from CSA and IDM side configuration files are in strong encryption mode.

Problem: After 4.92 fresh or upgrade installation, some of the tools config.properties and csa.properties are still having legacy

mode of passwords.

Symptoms After 4.92 fresh or upgrade installation, some of

the tools config.properties are still having legacy

mode of passwords.

Primary software component CLI Tools, database components, LDAP, SAML or

audit related features which involve password

authentication.

Failure message Authentication errors, Tools failure to run via cli

mode. LDAP, SAML, Audit features not working as

expected.

Probable cause Some of the passwords from config files and

database tables are still having legacy mode of

encryption (4.82 style of encryption). This is due to

the presence of some special characters within

these passwords due to which

PasswordMigrationTool or IdmInstallerTool fails to

re-encrypt the passwords.

Solution

Passwords which get failed to re-encrypt, can be found from installation log files (install.log).

Search for below section from install.log file where PasswordMigrationTool tries to re-encrypt legacy

mode of passwords to strong passwords. PasswordMigrationTool prints a list of configuration files which it

scans through and tries to re-encrypt the passwords. Each file prints successful re-encrypted passwords

count. For example, "Replaced 1 of 4 ENC(...) occurrences in C:\Program Files\Micro

" line mentions 3 out of 4 legacy passwords got failedFocus\CSA\Tools\HealthTool\config.properties.

to re-encrypt from HealthTool\config.properties file. Probable cause might be due to having escape

characters in legacy mode of passwords.

========= Password Migration Tool ==========

Initializing application

.............................

Successfully initialized application

Validating inputs...

Generating key config file for re-encryption...

Re-encrypting input files...

reading configuration: migrate

Replaced 1 of 1 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\SchemaInstallationTool\db.properties.

reading configuration: migrate

Replaced 0 of 1 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\ProviderTool\config.properties.

reading configuration: migrate

Replaced 1 of 1 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\OrgMigrationTool\config.properties.

reading configuration: migrate

Replaced 1 of 4 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\HealthTool\config.properties.

reading configuration: migrate

Replaced 1 of 4 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\DBPurgeTool\config.properties.

reading configuration: migrate

Replaced 1 of 1 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\ComponentTool\config.properties.

reading configuration: migrate

Replaced 1 of 1 ENC(...) occurrences in C:\Program Files\Micro

Focus\CSA\Tools\ContentArchiveTool\config.properties.

reading configuration: migrate

Replaced 16 of 16 ENC(...) occurrences in C:\Program Files\Micro

© 2011-2018 Copyright EntIT Software LLC, a Micro Focus company
50
Focus\CSA\jboss-as\standalone\deployments\csa.war\WEB-INF\classes\csa.properties.
Re-encryption completed for files.
Re-encrypting Database content...
Re-encryption completed for database.
Re-encrypting config file passwords...
reading configuration: migrate
Replaced 1 of 4 ENC(...) occurrences in config.properties.
Re-encryption completed for files.
=================== Password Migration End =====================
Fix would be to either mention plain text passwords in tools config.properties file or
encrypt the plain text password via PasswordUtil tool and update the config.properties
file with new encrypted passwords.
 
Integrations
This section contains the following topics:
Amazon Web Services (AWS)
CAC: SMC is configured in CAC mode:user in certificate is not present in LDAP, no error message
CAC: When LDAP is not configured and try to access SMC portal, no error message is shown in
the server.log file.
Date parsing exception
HPE ArcSight Logger
HPE Helion OpenStack®
HPE Matrix Operating Environment (MOE)
HPE Network Automation
HPE Operations Orchestration (OO)
HPE Server Automation with HPE Application Deployment Manager
HPE Server Automation with HPE Database and Middleware Automation
HPE Server Automation with Software Policies
HPE Service Manager (HPE SM)
HPE SiteScope
HPE Universal CMDB
OpenStack - HPE Cloud Services (HPE CS)
VMware vCenter
CSA 4.7 - OpenStack Provider, Design, and IDM Configuration
Puppet
Cloud Optimizer
Docker Universal Control Plane - DOCKER UCP DATA CENTER (CSA)

Amazon Web Services (AWS)

AWS subscriptions fail with ...Error code_ AuthFailure error

Problem: AWS subscriptions fail with the error: AWS was not able to validate the provided access credentials. Error code:

AuthFailure

Symptoms All AWS subscriptions fail with the message stated

below.

Primary software component Amazon Web Services

Failure message

"AWS was not able to validate the provided

access credentials. Error code: AuthFailure"

message appears on the HPE Operations

Orchestration (HPE OO) flow.

Probable cause Invalid credentials.

Solution

Set the credentials correctly and try the operation again.

AWS subscriptions fail with Failed to open HTTP connection error

Problem: All AWS subscriptions fail with the error "Failed to open HTTP connection."

Symptoms All AWS subscriptions fail with the message stated

below.

Primary software component Amazon Web Services

Failure message "Failed to open HTTP connection" error message

on the HPE Operations Orchestration (HPE OO)

flow.

Probable cause The HPE OO flow operation is not able to access

the Internet.

Solution

Check that an Internet connection is available on the HPE OO machine, and fix the issue if

necessary.

If an Internet connection is available on the HPE OO machine, check if HTTP proxy configuration is

required to access the Internet. If it is, make sure that the HTTP proxy values for

"CSA_Proxy_Host" and "CSA_Proxy_Port" are set on HPE OO under "Content Management" ->

"Configuration Items" -> "System Properties."

If HTTP proxy configuration is not required or is configured correctly, check if the AWS provider's

"Service Access Point" parameter is configured correctly.

4. If the "Service Access Point" parameter is configured correctly, contact your HPE support

representative.

Failure to attach the network interface to the server

Problem: Failure to attach the network interface to the server.

Symptoms In a topology design that has server and network

interfaces connected to it, both the server and

network Interface components get provisioned in

AWS, but attaching of the network interface to the

server fails.

Primary software component Amazon Web Services

Failure message "You may not attach a network interface to an

instance if they are not in the same availability

zone. Error code: InvalidParameterCombination"

Probable cause The subnet ID of the server and network interface

are in different zones.

Solution

Make sure the subnet id ID the server and network interface are in the same availability zone.

Public IP for AWS server instances not visible

Problem: The public IP address for AWS server instances is not visible.

Symptoms The public IP address property value of an AWS

server, which had been present, has since

disappeared.

Primary software component Amazon Web Services

Failure message None.

Probable cause The server might have been stopped and

restarted.

Solution

This is normal behavior for Amazon Web Services when the server is stopped and restarted. For more

information, see the Amazon user documentation.

Unable to access the AWS instance using the public IP

This is applicable only for topology content.

Problem: An AWS instance cannot be reached using its public IP address.

Symptoms An AWS instance is provisioned with a public IP

address; however, it cannot be accessed via that

address.

Primary software component Amazon Web Services

Failure message None.

Probable cause Either the AWS server property "securityGroupIds"

is not set, or the securityGroupIds that is set does

not have a rule set up properly to allow network

traffic to the server instance.

Solution

Ensure that the correct security group ids are set in the AWS server in the design to enable access to the

instance. For more information, see the Amazon documentation.

Unable to provision the server due to difference between access point and zone specified in the design

Problem: You are unable to provision a server due to a difference between your access point and the zone specified in the design.

Symptoms You are sometimes able to provision a given AWS

server and sometimes the provisioning operation

fails.

Primary software component Amazon Web Services

Failure message "An internal error has occurred. Error code:

InternalError" message on the HPE Operations

Orchestration (HPE OO) flow.

Probable cause The AWS provider selected for deploying the

design might have a mismatch between its zone

and the design. For example, the provider might be

configured for the "west" zone while the design has

an availability zone set to "east."

Solution

If multiple AWS providers are configured in HPE CSA, then make sure the correct provider instance is

chosen for subscribing to a given subscription.

You can create different "Environments" for different AWS provider zones. Group the offerings based on

the zone values configured in the design and add them to different catalogs, and add the catalogs to the

appropriate environments.

When more than one Network Interface is connected to a single AWS server in the design, subscription fails

This is applicable only for topology content.

Problem: When more than one Network Interface or Volume is connected to a single AWS server in a design, the subscription fails.

Symptoms You are able to attach only one network interface

or volume to a server. A failure occurs if you attach

a second network interface or volume to the

server.

Primary software component Amazon Web Services

Failure message Instance <id_of_network_interface_or_volume>

already has an interface attached at device index

'1.

Probable cause If the object causing the failure is a Network

Interface, the "deviceIndex" property value is not

set.

If the object causing the failure is a Volume, the "

deviceName " property value is not set.

Solution

In designs where more than one network interface or volume is to be connected to a single AWS server,

different values must be given to the property 'deviceIndex' for the network interfaces or 'deviceName' for

the volumes.

CAC: SMC is configured in CAC mode:user in certificate is not present in LDAP, no error message

Problem: When SMC is configured in CAC mode and user in certificate is not present in LDAP, there is

no error message in idm log file saying "Could not find the user."

Symptoms When SMC is configured in CAC mode and user in

certificate is not present in LDAP, there is no error

message in IdM log file saying "Could not find the

user."

Primary software component SMC in CAC mode.

Failure message When SMC is configured in CAC mode and user in

certificate is not present in LDAP, there should be

an error message in IdM log file saying "Could not

".find the user

When login to MPP fails for same reason, there is

an error message in IdM log file saying "

UsernameNotFoundException: Could not find

".the user

This is applicable only for topology content.

Solution

Configure SMC/MPP in CAC mode. Use a certificate to login to SMC for which the user is not present in

LDAP; the login will fail. Then check the IdM log file; you will not see any error message which indicates

that user is not found in LDAP.

Do the same for MPP and you will see the error ".UsernameNotFoundException: Could not find the user".

CAC: When LDAP is not configured and try to access SMC portal, no error message is shown in the

server.log file.

Problem: When LDAP is not configured and try to access SMC portal, no error message is shown in

the server.log file.

Symptoms When LDAP is not configured and try to access

SMC portal, an error message is displayed.

Primary software component

Failure message "Access Point for an Organization cannot be null

(OrgId=BFA0DB53DA404B90E04059106D1A24B5)"

Probable cause

Solution

Configure SMC/MPP in CAC mode.

Do not configure LDAP for provider or consumer.

Try to access SMC using a certificate.

Check the server.log. You will not see any error message.

Try accessing MPP portal using a certificate.

Check the server.log file. You will see an error "Access Point for an Organization cannot be null

(OrgId=BFA0DB53DA404B90E04059106D1A24B5)".

Date parsing exception

Problem: HPE CSA subscription or public actions Add Server fails due to Date Parsing Exception.

Symptoms HPE CSA subscription or public actions Add

Server fails due to Date Parsing Exception.

Primary software component HPE CSA

Failure message Similar to the following:

Date Parsing Exception : JavaException:

java.text.ParseException: Unparseable date:

"2014-03-28T02:17:39+05:30"

Probable cause Unknown.

Solution

Re-create a new subscription for the same offering.

HPE ArcSight Logger

Artifact ID is not included in log files

Problem: csa.log or HPE ArcSight Logger does not include information on the artifactId.

Symptom artifactId details (for example, artifactName) for a

subscription are not available in the log files.

Possible Cause loggerEnabled is not set to true in csa.properties

under

%CSA_HOME%\jboss-as\standalone\deployments

\csa.war\WEB-INF\classes.

Solution

Set the loggerEnabled property to true in csa.properties.

Restart the HPE CSA service.

Device entries are grayed out under HPE ArcSight Logger summary tab.

Problem: Device entries are grayed out under HPE ArcSight Logger summary tab.

Symptoms Device entries are grayed out under HPE ArcSight

Logger tab.Summary

Primary software component HPE ArcSight Logger

Failure message None

Probable cause HPE ArcSight Logger is missing hyperlinks for

device entries.

Solution

Restart HPE ArcSight Logger to get the hyperlinks for device entries in the tab.Summary

Integration with HPE ArcSight fails after HPE CSA upgrade

Problem: Integration with HPE ArcSight fails after HPE CSA upgrade.

Symptoms Integration with HPE ArcSight fails after HPE CSA

upgrade

Primary software component HPE ArcSight Logger

Failure message CSA Server log:

Tue, 27 Nov 2012 15:18:03,373 ERROR [stderr]

(MSC service thread 1-3) log4j:ERROR Exception

on host name [192.x.x.x]: [192.x.x.x Tue, 27 Nov

2012 15:18:12,700 ERROR [stderr] (MSC service

thread 1-3) log4j:ERROR Exception on host name

[192.x.x.x]: [192.x.x.x

Probable cause During the upgrade, HPE ArcSight properties get

appended to the existing log4j.properties file.

Solution

After the upgrade, verify the

file%CSA_HOME%\jboss-as\standalone\deployments\csa.war\WEB-INF\classes\log4j.properties

does not contain any duplicate entries. If you find duplicate entries, comment them out.

For example:

#log4j.appender.cef1=com.hp.esp.arcsight.cef.appender.Log4jAppender

#log4j.appender.cef1.deviceVendor=HP

#log4j.appender.cef1.deviceProduct=HP Cloud Service Automation

#log4j.appender.cef1.deviceVersion=3.2

#log4j.appender.cef1.transportType=SYSLOG

#log4j.appender.cef1.hostName=192.x.x.x

#log4j.appender.cef1.port=515

#log4j.appender.cef1.layout=org.apache.log4j.PatternLayout

#log4j.appender.cef1.layout.ConversionPattern="%d{DATE}[%t] %-5p %x %C{1}: %m%n"

#log4j.appender.cef1.appender.threshold=off

Provider's IP address not added to HPE ArcSight Logger portal

Problem: When integrating HPE ArcSight Logger with HPE CSA, the IP address of the provider is not added to the HPE ArcSight

Logger portal.

Symptoms When integrating HPE ArcSight Logger with HPE

CSA, the IP address of the provider is not added to

the HPE ArcSight Logger portal.

Primary software component HPE ArcSight Logger

Failure message IP address (device entry) of the provider is not

seen in HPE ArcSight Logger portal.

Probable causes

log4j.appender.cef1.hostName file does not

have the correct IP address of the HPE

ArcSight Logger server.

log4j.properties file is saved as

log4j.properties.txt.

User might not have restarted the provider

service after replacing the log4j.properties.

No error log was generated in csa.log, and

since default log level is ERROR in the

log4j.properties, no log message was sent to

HPE ArcSight Logger for the device to be

detected.

Solution

Add the IP address of the HPE ArcSight server to thelog4j.appender.cef1.hostName file.

Verify that UDP port configured in HPE ArcSight is correct. > > ArcSightLogger Event input UDP

should be the same as CSA log4j.appender.cef1.port=<udp port> in log4j.properties.receiver port

Save the file as log4j.properties. Note: do not save the file with the .txt extension.

Restart the provider services - HPE CSA, HPE MOE, HP SiteScope, UCMDB, and HPE OO.

HPE Helion OpenStack®

Add Server to Server Group public action executed for HPE Helion OpenStack based subscription fails

Problem: Cannot add more servers to the existing topology-based subscription when max limit for the number of servers in server

group is exceeded

Symptoms "Add Server to Server Group" public action

execution fails when user tries to add new server

to the HPE Helion OpenStack based subscription.

Primary software component HPE CSA, HPE Helion OpenStack

Failure message Cannot add more servers because the

maximum server is configured to be x. Cannot add

more servers because the designer of the binding

has configure a maximum limit for the number of

servers in server group.

Here "Maximum Instances" property value ofNote:

Server Group component is set to 5.

Probable cause In HPE Helion OpenStack based topology service

designer, the "Maximum Instances" property value

of Server Group component is set to 5. When

consumer tries to add the sixth server to the HPE

Helion OpenStack-based subscription, the above

stated failure message is observed.

Solution

In HPE CSA, make the following changes:

In the Cloud Service Management console, increase the value of property "Maximum Instances" of

the Server Group component in the HPE Helion OpenStack-based topology service designer

(example : Set "Maximum Instances" property value to 10).

In the HPE Marketplace Portal, browse the Catalog and request a new subscription using the

published HPE Helion OpenStack based service offering.

The add new server public action will now be successful until it reaches the set value of "Maximum

Instances."

HPE Helion OpenStack based subscription fails with HTTP 500 Internal Server Error

Problem: HPE Helion OpenStack based subscription or public action for a subscription fails for the HPE Helion OpenStack

Provider.

Symptoms HPE Helion OpenStack based subscription or

public action for a subscription fails for the HPE

Helion OpenStack Provider.

Primary software component HPE CSA, HPE Helion OpenStack

Failure message 10 Jan 2014 11:36:19,054 [pool-19-thread-2]

ERROR PublicAction : Failed to get the connection

from Helion OpenStack:Server returned HTTP

response code: 500

Probable cause There was a failure on HPE Helion OpenStack.

Solution

Check the HPE Helion OpenStack logs for further analysis.

Remove server public action executed for HPE Helion OpenStack based subscription fails

Problem: Cannot remove servers from the existing topology based subscription when min limit for the number of servers in server

group is exceeded.

Symptoms "Remove server" public action execution fails when

user tries to remove a server from the HPE Helion

OpenStack based subscription.

Primary software component HPE CSA, HPE Helion OpenStack.

Failure message Cannot remove servers because the minimum

server is configured to be 1. Cannot remove

servers because the designer of the binding has

configured a minimum limit for the number of

servers in server group.

Probable cause In HPE Helion OpenStack based topology service

designer, the value of property "Minimum

Instances" of the Server Group component is set to

1. When the user tries to remove the last server

from the HPE Helion OpenStack based

subscription, the above stated failure message is

observed.

Solution

This is the expected behavior in HPE Helion OpenStack based subscriptions. The HPE Helion OpenStack

based subscription retains the number of servers equal to "Minimum Instances."

HPE Matrix Operating Environment (MOE)

HPE MOE Add Disk action fails with SOAP v3 endpoint

Problem: Add Disk action executed for the HPE MOE-based subscription fails.

Symptoms

Add subscriber action executed on the HPEDisk

Matrix Operating Environment (MOE)

SOAPv3-based subscription fails.

Primary software component HPE Matrix Operating Environment

Probable cause HPE MOE templates are not designed to support

operation.Add Disk

Solution

Verify whether the HPE MOE template is designed to support operation. To verify the template:Add Disk

Open the HPE MOE template used for provisioning in the HPE MOE designer portal.

The server group on which the operation is performed should have a non-boot diskAdd Disk

attached to it.

If the disk is not attached, add a data disk to the server group.

Save the HPE MOE template.

Create a new HPE CSA subscription.

"Minimum Instances" value should be set to 1 or more.

Request from the Server Group of the newly created subscription.Add Disk

HPE MOE Add Server action fails

Problem: Add Server action executed for the MOE-based subscription fails.

Symptoms

Add subscriber action executed on theServer

HPE MOE-based subscription fails.

Primary software component HPE Matrix Operating Environment

Probable cause HPE MOE templates are not designed to support

.Add Server

Solution

Verify whether the MOE template is designed to support the operation. To verify theAdd Server

template:

Open the HPE MOE template used for provisioning in the HPE MOE designer portal.

Open the configurations for the server group on which action is to be performed.Add Server

In the configuration window, on the tab, verify that the maximum number of servers isConfig

greater than the initial number of servers.

Modify the maximum number of servers if it does not meet this requirement, and save the HPE

MOE template.

Create a new subscription using this template.

Request from the Server Group of the newly created subscription.Add Server

MOE_COMPUTE_SOAPV4_3.20 subscriber actions fail

Problem: MOE_COMPUTE_SOAPV4_3.20 subscriber actions fails to execute the request.

Symptoms Subscriber action for

MOE_COMPUTE_SOAPV4_3.20 service design

fails to execute.

Primary software component HPE Matrix Operating Environment

Failure message soap:Client</faultcode><faultstring>Message part

http://v3.soap.io.hp.com/</faultstring>

Probable cause HPE MOE provider should be configured with

SOAPv4 endpoint.

Solution

Matrix Operating Environment provider should have a SOAP v4 endpoint, which will be in the following

format:

https://<moehostname>:51443/hpio/controller/soap/v4

MOE Simple compute fails with error that user does not have impersonate privilege

Problem: MOE Simple compute fails with error that user does not have impersonate privilege.

Symptoms MOE Simple compute fails with error that user

does not have impersonate privilege.

Primary software component HPE Matrix Operating Environment

Failure message User does not have impersonate privilege.

Probable cause The Administrator user for MOE does not have

impersonation privileges for the CSA consumer

user used to create MOE simple compute

subscriptions.

Solution

The MOE provider user configured in HPE CSA should have impersonate privileges.

No resource provider selected when subscribing to MOE_COMPUTE_CUSTOM_PROVIDER_SELECTION_v3.20

Problem: No resource provider selected when subscribing to MOE_COMPUTE_CUSTOM_PROVIDER_SELECTION_v3.20.

Symptoms No resource provider is selected when a

subscription is requested for a service offering that

uses the

MOE_COMPUTE_CUSTOM_PROVIDER_SELECTION_3.20

service design.

Primary software component HPE Matrix Operating Environment

Failure message ERROR SelectProviderAction: Could not select a

provider as valid providers list is empty for

Resource Binding:

8f5afbff39b5329c0139bbd285240747

Probable cause The providers associated with the

MOE_COMPUTE_3.20 resource offering do not

contain an ORGANIZATIONS property, or none of

the provider ORGANIZATIONS contain the user

organization name as a value.

Solution

Verify whether the providers associated with the MOE_COMPUTE_3.20 resource offering have a

correctly defined ORGANIZATIONS property.

ORGANIZATIONS property value should be populated with the name of the HPE MOE

configured in HPE MOE.Organizations

At least one of the provider organizations should contain the user organization name as a value.

See the guide for more information.HPE Cloud Service Automation Integration Pack

Service Design MOE_COMPUTE_3.20 does not have new MOE SOAP v4 actions

Problem: MOE_COMPUTE_3.20 does not have new MOE SOAPv4 actions.

Symptoms When MOE_COMPUTE_3.20 service design is

used with MOE SOAP v4 endpoint, no new SOAP

v4 actions are visible in the consumer portal.

Primary software component HPE Matrix Operating Environment

Failure message None

Probable cause New SOAP v4 actions are not supported with

MOE_COMPUTE_3.20 service design.

Solution

Actions in the service design MOE_COMPUTE_3.20 are limited to MOE SOAPv3 endpoint, irrespective of

the MOE SOAP endpoint configured on the provider.

To get new actions of MOE SOAPv4, use MOE_COMPUTE_SOAPV4_3.20 service design following the

below steps.

Import the HPE CSA content archive CSA_BP_MOE_COMPUTE_SOAPV4_v3.20.00.

The HPE Matrix Operating Environment provider associated with the

MOE_COMPUTE_SOAPV4_3.20 offering must have the endpoint SOAPv4.

Create an HPE CSA service offering using the MOE_COMPUTE_SOAPV4_3.20 service design.

Publish the new offering and subscribe to it.

See the guide for more information.HPE Cloud Service Automation Integration Pack

Subscriptions using service design MOE_COMPUTE_MT_3.20 fail with error

Problem: Subscriptions using service design MOE_COMPUTE_MT_3.20 fail with error "Impersonated user is not recognized."

Symptoms Subscription using MOE_COMPUTE_MT_3.20

service design fails with error in HP OO reports.

Primary software component HPE MOE 7.0 and later versions

This is applicable only for legacy OOTB content.

Failure message

Impersonated user '<username>' is not

recognized

Example 1 : Impersonated user 'cirrus\finance1' is

not recognized

Example 2 : Impersonated user 'csatest2' is not

recognized

Probable cause

HPE MOE is not configured to support

multi-tenancy.

HPE MOE user-organization configuration is

incorrect.

The domain name used by HPE CSA (in

conjunction with the user name) to login to

HPE MOE is incorrect.

Solution

Verify the following configurations:

For HPE MOE multitenancy-based subscriptions, the domain name for the requesting user is

retrieved from the user configured with the resource provider in HPE CSA. This domain name and

the requesting user's name are combined to create the login name that is used to log in to HPE

MOE during service creation. The login name uses the following format:

<Provider_User's_Domain_Name> \ <Requesting_User's_Name>

In HPE MOE, verify that the active directory is configured to support multi-tenancy

In HPE MOE, verify that the user is correctly mapped to the HPE MOE organization.

See the guide, and the HPE MOE documentation onHPE Cloud Service Automation Integration Pack

Multi-tenancy and Active Directory Integration for more information.

HPE Network Automation

Subscription fails while using service designs based on HPE Network Automation

Problem: Subscription fails to get networking switch configuration details.

Symptoms VLAN provisioning with networking switch using

HPE Network Automation fails with an error in HPE

OO reports (shown in failure message below).

Primary software component HPE Network Automation

Failure message Failed to execute Get Configurations By IP

operation.

This is applicable only for legacy OOTB content.

Probable cause Get Switch Configuration by IP operation of Get

VLAN Details workflow cannot communicate with

HPE Network Automation because:

Connection time out happened for: Get Switch

Configuration by IP operation of Get VLAN

Details workflow

Wrong Provider SAP is provided in HPE ECSA

for HPE NA.

Solution

Ensure that the correct provider SAP is provided for HPE NA.

In HPE Network Automation server, restart the following services:

TrueControl FTP Server

TrueControl Management Engine

TrueControl SWIM Server

TrueControl Syslog Server

TrueControl TFTP Server

HPE Operations Orchestration (OO)

All workflows in the HPE Operations Orchestration public repository are invalid

Problem: All workflows in the HPE OO public repository are invalid.

Symptoms The names of all workflows in the HPE OO public

repository are in red font.

Primary software component HPE Operations Orchestration

Failure message None

Probable cause RAS Operator Path configured incorrectly

Solution

in the HPE OO public repository.Operator Path

Verify that the RAS operator path is configured correctly with a valid IP address or fully qualified

domain name and port number.

HPE CSA Operations Orchestration content not reflected in HPE OO

Problem: HPE CSA Operations Orchestration content is not reflected on HPE OO.

Symptoms After installing the HPE CSA OO content installer

(CSA-3_20-ContentInstaller.jar), the CSA flows are

not reflected in HPE OO Studio.

Primary software component HPE Operations Orchestration

Solution

Follow these steps in the given order:

Clean up the HPE OO repository.

Reinstall HPE OO-SA content.

Reinstall HPE OO Content Pack.

Reinstall the HPE CSA-OO content, CSA-3_20-ContentInstaller.jar.

javax.net.ssl.SSLHandshakeException

Problem: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed.

Symptoms javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX

path building failed.

Primary software component HPE CSA and HPE Operations Orchestration

(HPE OO)

Failure message Caught exception:

javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX

path building failed:

sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested

target.

Probable cause The HPE OO certificate is not imported into the

HPE CSA Installed JRE security cacerts path.

Solution

Make sure the $PATH variable has $JRE_HOME\bin set per the HPE CSA installation JRE

selected during the HPE CSA installation (for example, either openjre or Oracle JRE).

Verify that the OO10.x certificate is imported properly to the HPE CSA installed JRE cacerts path,

using commands below:

If Oracle JRE is selected during HPE CSA installation, then import the OO 10.x certificate

using a command like the following:

keytool.exe -importcert -alias tomcat -file

"C:\Temp\oo10-certificate.cer" –keystore "C:\Program

Files\Java\jre7\lib\security\cacerts"

If openjre is selected during HPE CSA installation, then the OO10.x certificate has to be

imported to the path "C:\Program Files\Hewlett-Packard\CSA\openjre\lib\security" using a

command like the following:

keytool.exe -importcert -alias tomcat -file

"C:\Temp\oo10-certificate.cer" -keystore "C:\Program

Files\Hewlett-Packard\CSA\openjre\lib\security\cacerts" password:

changeit

After the certificate has been imported, restart the CSA service.

For more information, see the Configure HPE Operations Orchestration section of the HPE CSA

.Installation Guide

PDT fails in a CSA 4.2 with Embedded OO v.10.20 installation on a system where OO v.10.10 Standalone server is

running

Problem: PDT fails when Run with CSA 4.2 installed with Embedded OO 10.20 on port 8445 on a system where OO 10.10

Standalone server is already running on port 8443.

Symptoms Process Definition Tool (PDT) fails when it runs in

an environment with CSA 4.2 installed with

Embedded OO 10.20 on port 8445 with OO

central credential ooadmin/ooadmin, and where

OO 10.10 Standalone server is already running on

port 8443 with OO 10.10 central credential

admin/admin.

When both services of OO 10.20 (installed with

CSA 4.2 embedded OO 10.20 on port 8445) and

Standalone OO 10.10 service are running on the

on port 8443, running PDT integratedsame system

with OO10.20 in CSA 4.2 Embedded OO on port

8445 will produce an error:

Failure: User was not authenticated. Please see

log file for details. at

org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222).

When the service of OO 10.10 central running on

port 8443 is stopped and you run,

PDT integrated with OO 10.20 in CSA 4.2

Embedded OO on port 8445, you may get an error:

faultCode:

{http://schemas.xmlsoap.org/soap/envelope/}Server.userException

faultSubCode:

faultString: java.lang.NullPointerException

Primary software component HPE Operations Orchestration (OO)

Failure message Possible error messages:

Failure: User was not authenticated. Please

see log file for details. at

org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222).

faultCode:

{http://schemas.xmlsoap.org/soap/envelope/}Server.userException

faultSubcode: faultString:

java.lang.NullPointerException

Probable cause Standalone OO 10.10 central is already running as

a separate service on port 8443 on default OO

path ''C:\Program Files\Hewlett-Packard\HPE

Operations Orchestration' ' with central credential

admin/admin.

On the same system, installing a fresh CSA 4.20

build with an embedded OO 10.20 option, and with

Embedded OO 10.20 with non-path as

'c:\OOEmbedded1020' will complete a successful

installation.

However, after running PDT integrated with CSA

4.20, the embedded OO 10.20 on port 8445 will

give the user this Error:

Failure: User was not authenticated. Please see

log file for details. at

org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222).

When both OO 10.10 service on port 8443 and OO

10.20 service on port 8445 are running, and PDT

runs integrated with OO10.20 on port 8445, the

user may get the following error:

faultCode:

{http://schemas.xmlsoap.org/soap/envelope/}Server.userException

faultSubcode:

faultString: java.lang.NullPointerException

Solution

Uninstall the existing unused OO 10.10 server that is running on port 8443 in default OO installation path

'C:\Program Files\Hewlett-Packard\HP Operations Orchestration'. Then restart embedded OO 10.20

service and run PDT again with CSA 4.2- Integrated with Embedded OO 10.20 running on port 8445.

Read timed out error when provisioning parallel servers for OOTB Sequence Designs

Problem: java.lang.RuntimeException: java.net.SocketTimeoutException: Read timed out when provisioning parallel servers for

OOTB Sequence Designs.

Symptoms One or both of the following messages appear

(depending on the environment) in the cloud

services management console and HPE OO log

when a request is submitted to provision parallel

servers for an OOTB sequenced design.

Primary software component HPE CSA

Failure message In cloud services management console:

java.lang.RuntimeException:

java.net.SocketTimeoutException: Read timed out

In HP OO logs:

WorkerExecutionThread-17_149417227-PluginAdapterImpl.java:317

ERROR - java.lang.RuntimeException: Couldn't

connect to VIM service

OO 10.10 ==>

localhost_access_log.2014-07-03.txt

10.1.12.107 - - [03/Jul/2014:15:46:24 -0700]

"POST

/PAS/services/rest/run_async/35d34b4b-b544-4531-8667-3c26619ffe63?

CSA_CONTEXT_ID=8a818ceb46f958850146fe668f5a468a&CSA_PROCESS_ID=8a818ceb46f958850146fe68068e47ed&

RSC_PROVIDER_ID=8a818ceb46f913060146f91363460001&RSC_POOL_ID=%5BTOKEN%3ARSC_POOL_ID%5D&RSC_SUBSCRIPTION_ID=8a818ceb46f958850146fe668f5a468a&

SVC_INSTANCE_ID=8a818ceb46f958850146fe66024f43f6&SVC_COMPONENT_ID=8a818ceb46f958850146fe665b964567&

SVC_COMPONENT_TYPE=SERVER&SVC_SUBSCRIPTION_ID=8a818ceb46f958850146fe65f5ae43d5&SVC_SUBSCRIPTION_EMAIL=donna.j.molinari%40hp.com

&PRN_COMPONENT_ID=8a818ceb46f958850146fe6602c944a0&REQ_ORG_ID=BFA0DB53DA404B90E04059106D1A24B5&

REQ_USER_ID=8a818ceb46f958850146f95f2b1d0004&USR_ORG_ID=BFA0DB53DA404B90E04059106D1A24B5&

RSC_BINDING_ID=8a818ceb46f958850146fe665b99456b&

HTTP/1.1" 500 –

Probable cause Communication between HPE OO and HPE CSA

is not stable.

Solution

Verify that the DNS settings and IP Gateway are configured correctly for the vCenter provider. If the

vCenter provider contains two NIC cards, the address might not resolve correctly when using a FQDN

name as the vCenter provider's Access Point. In such a case, do either of the following:

Add a line like the following example line to the HOSTS file of the HPE CSA machine. The line

should contain the access point IP address of the vCenter provider along with its FQDN:

10.1.0.24 sct-cloud.acme.local sct-cloud # VCENTER 5.10 (CSA)

Specify the IP address for the Service Access Point when setting up the vCenter provider, like the

following example:

Resources are not cleaned up after a subscription times out and fails

Problem: Resources are not cleaned up after a subscription times out and fails.

Symptoms An attempt to fulfill a subscription fails as the result

of a time out, and some resources that were

provisioned during the operation are not cleaned

up. Normally, when a subscription fails, such

resources should get cleaned up.

Primary software component HPE CSA, HPE Operations Orchestration

Failure message None

Probable cause The subscription fulfillment operation times out

before HPE CSA receives reference identifiers for

certain resources being provisioned as a result of

the operation, and without such references, HPE

CSA cannot clean up the resources when the

operation fails.

Solution

The HPE CSA administrator will have to manually clean up any resources that were created as a result of

the failed subscription fulfillment operation but not cleaned up.

Some workflows under CSA folder are invalid

Problem: Some workflows under CSA folder are invalid.

Symptoms The names of some workflows under /Library/CSA

in the HPE OO public repository are in red font.

Primary software component HPE Operations Orchestration

Failure message Moving the mouse over an invalid workflow will

display messages similar to the following:

The operation this step links to has problems

Transition source step has no operation linked

to it

Operation cannot be found

Probable cause Required HPE OO content may not have been

installed.

Solution

Verify that all the required HPE OO content has been installed as described in the "HPE Operations

Orchestration Support Requirements" section in the HPE Cloud Service Automation Solution and

.Software Support Matrix

Subscription fails because Get User Identifier step in an HPE Operations Orchestration (OO) flow failed

Problem: A subscription fails because the Get User Identifier step in an HPE Operations Orchestration (OO) flow failed.

Symptoms A subscription fails because the Get User Identifier

step in an HPE Operations Orchestration (OO) flow

failed with status "Failed to Execute".

Primary software component HPE Operations Orchestration

Failure message Status of Get User Identifier step in the HPE OO

flow is: Failed to Execute.

Probable cause HPE CSA user credentials or the URI setting in

HPE OO are not configured correctly.

Solution

In HPE OO Studio, verify that the settings for CSA_REST_CREDENTIALS and CSA_REST_URI are

configured correctly. HPE recommends the following values:

Configuration > > : https://<csa_hostname>:8444/csa/restSystem Properties CSA_REST_URI

Configuration > > : user name: ooInboundUser,System Accounts CSA_REST_CREDENTIALS

password: cloud

For more information, see the Configure HPE Operations Orchestration section in the HPE Cloud Service

.Automation Installation Guide

Trust store setup failure causes login lockouts

Problem: Trust store setup failure causes login lockouts.

Symptoms After installation and setup of HPE CSA and

configuration of the HPE CSA trust store to enable

access to HPE OO, it is not possible to login to

either HPE CSA or HPE OO.

Primary software component HPE CSA, HP OO, Java keytool, certificate files,

McAfee trust authentication services

Failure message Browser errors. No login page is presented for

either HPE CSA or HPE OO. Indication that the

web services are inaccessible or non-existent.

Probable cause Misstep or typographical error occurred when

running the keytool export/import process, followed

by manipulation and/or replacement of the

monitored certificate files, triggering the McAfee

trust authentication security software to intercept

and prevent access to either the HPE CSA or HPE

OO web services.

Solution

Do modify the trust store certificates file in its source directory. Modify a copy of this file and verify thatnot

all steps, passwords, and entry changes are correct before replacing it.

HPE Server Automation with HPE Application Deployment Manager

HPE ADM-based service subscription is paused in HPE CSA even after all the HPE OO flows are successful

Problem: HPE ADM-based service subscription is paused in HPE CSA even after all the HPE OO flows are successful.

Symptoms HPE ADM-based service subscription moves into a

Pause state in HPE CSA even after all the HPE

OO flows are successful and the return code from

HPE OO is successful.

Primary software component HPE Server Automation, HPE Operations

Orchestration, HPE MOE

Failure message Unknown macro: {Result=-1;returnResult=Timeout!

The job having the id} in the OO Report.

Probable cause The timeout in HPE CSA for HPE ADM

deployment actions is less than the time taken to

deploy applications using HPE ADM flows.

Solution

Increase the timeout value on the Timeout field set for the actions on the HPE ADM resource offerings.

HPE MOE ADM deployment fails

Problem: HPE MOE ADM deployment fails after provisioning the server instances.

Symptoms HPE OO flow MOE ADM Simple Compute Linux -

Deploy fails.

Primary software component HPE Server Automation

Failure message The HPE OO Central report indicates failure at

step validate MOE - ADM.

Probable cause Server Group Node names from the HPE MOE

templates does not match the property

MOEGROUPNAME on the associated DB Group

or Web Group_ Server Group components.

Solution

Update MOEGROUPNAME property on the service design with associated HPE MOE Server Group

Node name from the HPE MOE template.

SA – ADM flows failure in OO 10.10 central

Problem: Failure at SA – ADM flows in HPE OO 10.10 central in the flow; Deploy Application Service -->ADM Make Target --> create

Target.

Symptoms Failure at SA – ADM flows in HPE OO 10.10

central in the flow; Deploy Application Service

-->ADM Make Target --> create Target.

Primary software component HPE Server Automation with Application

Deployment

ManagerOO10.10,OO10.02,oo10-sa-cp-1.0.2.jar

Failure message Error messages in OO Execution Log similar to the

following:

2014-04-05 08:26:44,086

[WorkerExecutionThread-6_140531362]

(PluginAdapterImpl.java:298) ERROR -

org.apache.wink.client.ClientRuntimeException:

java.lang.RuntimeException:

javax.net.ssl.SSLPeerUnverifiedException: peer

not authenticated

org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:228)

org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:178)

org.apache.wink.client.internal.ResourceImpl.get(ResourceImpl.java:289)

com.opsware.content.actions.sas.da.ADMServiceWrapper.getEnvironments

(ADMServiceWrapper.java:874)

com.opsware.content.actions.sas.da.ADMServiceWrapper.getEnvironmentByName

(ADMServiceWrapper.java:889)

com.opsware.content.actions.sas.da.ADMServiceWrapper.createTarget

(ADMServiceWrapper.java:382)

com.opsware.content.actions.sas.da.CreateTarget.execute(CreateTarget.java:38)

sun.reflect.NativeMethodAccessorImpl.invoke0(Native

Method)

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.

java:43)

java.lang.reflect.Method.invoke(Method.java:606)

com.hp.oo.sdk.plugins.abstracts.BaseActionPlugin.execute

(BaseActionPlugin.java:53)

sun.reflect.NativeMethodAccessorImpl.invoke0(Native

Method)

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.

java:57)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod

AccessorImpl.java:43)

java.lang.reflect.Method.invoke(Method.java:606)

com.hp.oo.maven.PluginAdapterImpl.executePlugin(PluginAdapterImpl.java:295)

com.hp.oo.maven.PluginAdapterImpl.execute(PluginAdapterImpl.java:227)

com.hp.oo.execution.control.actions.contentexecution.ContentExecutionActions.

executeContentAction(ContentExecutionActions.java:85)

sun.reflect.GeneratedMethodAccessor514.invoke(Unknown

Source)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.

java:43)

java.lang.reflect.Method.invoke(Method.java:606)

com.hp.oo.execution.reflection.ReflectionAdapterImpl.executeControlAction

(ReflectionAdapterImpl.java:48)

com.hp.oo.execution.services.ExecutionServiceImpl.executeStep

(ExecutionServiceImpl.java:531)

com.hp.oo.execution.services.ExecutionServiceImpl.execute

(ExecutionServiceImpl.java:101)

com.hp.oo.execution.services.SimpleExecutionRunnable.doRun

(SimpleExecutionRunnable.java:128)

com.hp.oo.execution.services.SimpleExecutionRunnable.run

(SimpleExecutionRunnable.java:88)

java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)

java.util.concurrent.FutureTask.run(FutureTask.java:262)

java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

com.hp.oo.execution.services.WorkerThreadFactory$1.run(WorkerThreadFactory.

java:23)

at java.lang.Thread.run(Thread.java:744)

Caused by: java.lang.RuntimeException:

javax.net.ssl.SSLPeerUnverifiedException: peer

not authenticated

Probable cause The HPE SA certificate needs to be imported on

HPE OO Central to use ADM functionality.

Certificate is required only with oo10-sa-cp-1.0.2 if

OO version >= 10.02.

Solution

Note: Refer also to the oo10-sa-cp-1.0.2 CP Release notes.

Import the HPE SA core certificate to the OO10.10 central client truststore. To import the HPE SA

certificate in HO OO Central:

Run the following command:

<OO_HOME>\java\bin\keytool.exe -import -alias opsware -file <SA_certificate_path>

-keystore <OO_HOME>\central\var\security\client.truststore

where <OO_HOME> is the path to the installation folder of HPE OO 10.10, and

<SA_certificate_path> is the path to where the HPE SA certificate was downloaded from the

core.

For example, C:\Program Files\Hewlett-Packard\HP Operations

Orchestration\java\bin\keytool.exe -import -alias opsware -file c:\opsware.cer -keystore

"C:\Program Files\Hewlett-Packard\HP Operations

Orchestration\central\var\security\client.truststore"

Restart the Central service.

HPE Server Automation with HPE Database and Middleware Automation

DMA Application deployment fails with WestHttpClientException

Problem: HPE DMA Application deployment fails with WestHttpClientException.

Symptoms HPE DMA Application deployment fails with

WestHttpClientException.

Primary software component HPE DMA

Failure message Exception in WestHttpClient: dma1010: Name or

service not known 2013-06-18 09:52:24 - Error

occurred during WEST execution in the DMA

Console job history Connect Errors

Probable cause Target VMs are not able to reach the HPE DMA

server with the hostname or FQDN.

Solution

Add the host-name or FQDN of the HPE DMA server to the \etc\hosts in VM-template and sanitize it.

Subscription using HPE DMA JBoss application deployment fails

Problem: Subscription using HPE DMA JBoss application deployment fails.

Symptoms HPE DMA workflow deployment on the server fails.

Primary software component HPE Server Automation

Failure message None

Probable causes

The consumer user organization has not been

created on HPE DMA.

DMA resource offering properties are not

populated appropriately.

The software packages required by the HPE

DMA workflow are not imported on the HPE SA

core.

The web user configured for the property

JBoss Validate Stand Alone Parameters.Web

Service User does not have sufficient privileges

to run the HPE DMA workflows.

Solution

Verify the properties of the DMA resource offering. dmaWorkflowName property should be

populated with the name of the HPE DMA workflow. Other properties on the DMA resource

offerings (dmaParam[1...n]) should have the values as per the parameters defined in DMA

workflow.

Verify that the software packages required by the HPE DMA workflow are available on the HPE SA

core.

Verify that the consumer user organization has been created in HPE DMA. If not, create an

organization with the same name as the organization.

Verify the Web Service User configured has sufficient privileges to run the DMA workflows.

HPE Server Automation with Software Policies

A request for a test run remains in Deploying state

Problem: A request for a test run remains in Deploying state.

Symptoms A request for a test run remains in Deploying state

for a long time before changing to Failed.

Primary software component VMware vCenter

Failure message During server provisioning, the HPE OO workflow

Update SA Server ID on CSA fails repeatedly at

Poll For Server VO step.

Probable cause The VM template was not sanitized with an HPE

SA agent.

Solution

Follow the steps to sanitize a VM template with an HPE SA agent as described in the "Prepare a VMware

Template to Self-Register with HPE Serve Automation" section in the HPE Cloud Service Automation

.Installation Guide

CSA 4.6 - Failed to load SA Policies

Problem: Failed to load SA policies.

Symptoms When attempting to import topology components

using the HPE Server Automation import source in

the Designs / Topology / Components area of the

Cloud Service Management Console, the import

may fail on Red Hat Enterprise Linux installations

of HPE CSA.

Primary software component SA Server Policy

Failure message A message such as the following may appear in

csa.log:

SaClient : Json file created for policy list not

found./tmp/policyTmp_1609896274.json

Probable cause -

Solution

Restart the HPE CSA service, and try importing again.

Subscription fails while using service designs based on HPE SA software policies

Problem: Subscription fails while using service designs based on HPE SA software policies.

Symptoms Subscription failure occurs while using service

designs based on HPE SA software policies.

Primary software component HPE Server Automation

Failure message Open the HPE OO Central report for workflow

Deploy Using Software Policies and scroll to the

step where subflow Apply or Remove Software

Policies to Server is invoked. This subflow will

indicate a failure at the step Attach Software Policy

with the following message: No software policy

with name 'PHP' was found

Probable cause The software policy is missing in HPE SA, or does

not have the name as expected by the service

design.

Solution

Verify that the software policy is in HPE SA, and that the name of the software component defined in the

service design and the name of the HPE SA software policy are the same. Correct as needed.

HPE Service Manager (HPE SM)

HPE CSA subscription request not triggered upon HPE Service Manager change request ticket approval

Problem: HPE CSA subscription request not triggered upon HPE Service Manager (HPE SM) change request ticket approval.

Symptoms HPE CSA subscription request is not triggered

even after an HPE SM change request ticket

approval using HPE Service Manager, with an

error message in the debug_log file (shown in

failure message below).

Primary software component HPE Service Manager

Failure message ns1:Authentication Failure: User was not

authenticated. Please see log file for details.

Invalid username or password.

Probable cause In the HPE SM server, the script OO_CSA has

invalid credentials or URL for the HPE Operations

Orchestration Central server.

Solution

In the HPE Service Manager server, verify the correct HPE OO central credentials by completing the

following steps:

Log on to the HPE Service Manager Windows client using the falcon account or another account

with administrator privileges.

Navigate in the System Navigator to > > .Connection Tailoring Script Library

Type OO_CSA in the Name field and click Search. Now you should be able to view and edit the

script.

Edit OO_CSA and verify that the script has valid credentials for the HPE Operations Orchestration

Central server.

If the credentials are not valid, then modify the centralUser and centralPassword script variables

with the correct credentials and click .Save

Update the URL for the HPE Operations Orchestration Central server. View the OO_CSA script

and update the value for centralURL.

Replace localhost with the hostname of the HPE Operations Orchestration Central server, and click

.Save

Service Manager Initiate Request Approval workflow execution fails

Problem: Subscription fails to get the correct HP Service Manager (HP SM) version or valid Initiator.

Symptoms SM Initiate Request Approval workflow execution

using HP Service Manager fails with an error in the

HP OO (9.x) reports (shown in failure message

below).

Primary software component HP Service Manager

Failure message

Incorrect smversion.

Please provide a valid Initiator.

Probable cause

HP Service Manager Content Pack 7 is not

installed in HP OO server.

HP CSA Consumer user is not created in HP

SM.

Solution

For failure message 1 In HP OO 9.x server:

Download and install OO_SM_Content_Pack_7_Installer.zip (HP Service Manager Content Pack

7).

For failure message 2 In HP Service Manager:

Create a new power user with the same name created for the HP CSA Consumer user in Active

Directory (consumer) by cloning an administrator account such as falcon. See the HP Service

Manager documentation for instructions on how to create a new contact and its corresponding

operator.

SOAPException during HPE Service Manager change request ticket approval

Problem: HPE Service Manager (HPE SM) change request approval fails with a SOAPException.

Symptoms HPE SM change request ticket approval using

HPE Service Manager Windows client fails with an

exception in the HPE SM client window (shown in

failure message below).

Primary software component HPE Service Manager

Failure message Error calling method: doSoapRequest in

class:com/hp/ov/sm/server/utility/SoapClient

Exception

(com.sun.xml.messaging.saaj.SOAPExceptionImpl:

java.security.PrivilegedActionException:

com.sun.xml.messaging.saaj.SOAPExceptionImpl:

Message send failed)

Probable cause HPE Operations Orchestration (HPE OO) server IP

address entry is missing in hosts file (located at

C:\Windows\system32\drivers\etc) of the HPE

Service Manager Server.

Solution

In the HPE Service Manager server, you must map opsware.com to the DNS name where the HPE

Operations Orchestration 9.x Central server is installed by following these steps:

Browse to C:\Windows\system32\drivers\etc\ and open the hosts file.

Add the following line to the file:

<IP address of HPE OO Central server> opsware.com

For example: 192.168.50.50 opsware.com

where, 192.168.50.50 is the IP address of the HPE Operations Orchestration 9.x Central server.

Save and close the file.

HPE SiteScope

HPE SiteScope CSA template does not appear on HPE SiteScope server after import

Problem: Auto import of SiteScope template fails.

Symptoms HPE SiteScope CSA template does not appear on

HPE SiteScope server after import.

Primary software component HPE SiteScope

Failure message None

Probable cause Auto import of HPE SiteScope template CSA

templates autoimport.tmpl fails intermittently.

Because of the import failure, credential

preferences are not created.

Solution

Follow these steps to manually import the HPE SiteScope template and create the credential preferences

with the login details for the target serve

Log on to the HPE SiteScope server using administrator credentials using url

http://<ServerIP>:8080/.

In the left page, select the Templates tab.

If there is no group with both Windows and Linux templates:CSA templates

Right click the template container name (e.g., SiteScope) and select .import

Browse and select the file " " and complete the import.CSA templates.tmpl

Manual import does not create credential preferences. To create the credential preferences for

Windows and Linux targets manually, do the following:

Select the tab in the HP SiteScope browser left-most panel.Preferences

Choose .Credential Preferences

Create a LINUX credential with the name LINUX-CSA-TARGETS.

Set the username and password for LINUX target server.

Create a WINDOWS credential with the name .WINDOWS-CSA-TARGETS

Set the username and password for WINDOWS target server.

HPE SiteScope monitor deployment fails

Problem: Remote connection from the HPE SiteScope server to the target server fails.

Symptoms HPE SiteScope monitor deployment fails with an

error in HPE OO reporting as shown in failure

message below.

Primary software component HPE SiteScope

Failure message Property remote name remote:19 probably remote

connection failed. Please check if remote:19

defined in SiteScope configuration or in domain.

Probable cause The credential preferences are not updated with

the target server login credentials.

Solution

Follow these steps to update the credential profiles with the login details for the target server:

The credential profiles are found in the HPE SiteScope server under > Preferences Credential

. Default HPE CSA credential profiles are WINDOWS-CSA-TARGETS for WindowsPreferences

systems and LINUX-CSA-TARGETS for Linux target systems.

Select the credential profile to edit.

Enter the login and password values for the target servers.

Click OK to save the details.

SiteScope create server monitor fails

Problem: HP SiteScope create server monitor fails.

Symptoms HP SiteScope template name mismatch.

Primary software component VMware vCenter and MOE

Failure message Error Code: 55636. Error Description: could not

find Template name LINUX in the

configuration.;returnResult=com.mercury.sitescope.api.configuration.

exception.ExternalServiceAPIException: Error

Code: 55636. Error Description: could not find

Template name LINUX in the

configuration.;returnCode=-1;sessionId=iconclude-5039678751334013037;

exception=com.mercury.sitescope.api.configuration.exception.ExternalServiceAPIException:

Error Code: 55636. Error Description: could not

find Template name LINUX in the configuration in

the OO Report.

Probable cause

HP SiteScope monitor creation fails since the

template is not imported on the SiteScope

server.

Template name does not match the designer

property.

Solution

If the template is not imported on the SiteScope server, import the template from the CSAKit folder.

For more information, see the .HP Cloud Service Automation Installation Guide

2. Verify the template name on the designer matches the name on the SiteScope server, including

spaces and capitalization.

HPE Universal CMDB

CI type components not created in uCMDB from CSA/MPP

Problem: CI type components not created in uCMDB from CSA/MPP

Symptoms CI type components were not created in uCMDB

after deployment of CI type Sequence design from

CSA or when MPP subscription state is active for

CI type based sequence design.

Primary software component CSA and uCMDB

Failure message User does not see any error message.

Probable cause

uCMDB provider not configured in CSA.

uCMDB certificate not imported in CSA server.

After importing the uCMDB certificate into

CSA, if CSA service is not restarted then this

problem may occur.

Solution

Check the CSA 4.8 configuration guide to configure uCMDB provider and uCMDB certificate

import/export.

Running Software CI not created in the uCMDB from CSA

Problem: Running Software CI not created in the uCMDB from CSA

Symptoms After deployment of CI type sequence design from

CSA, server group and server CI get created but

running software CI's are not created in the

uCMDB.

Primary software component CSA and uCMDB

Failure message No failure messages

Probable cause Product type ENUM is not configured or not

matching the one in uCMDB.

Solution

Check the CI type sequence design for running software component. TheProduct type ENUM in the

product type field should not be empty and it should match the product type in uCMDB.

For example: <product_type> <oracle_database>

uCMDB Create fails

Problem: uCMDB Create fails.

Symptoms uCMDB Create object fails.

Primary software component VMware Vcenter and MOE

Failure message Unknown macro: {ucmdbId=Class

"application_service" is not defined in the uCMDB

class

model;FailureMessage=;TimedOut=;Result=;}

Probable cause Topology is not imported on the uCMDB server.

Solution

If the topology is not imported on the uCMDB server, import the uCMDB topology from the CSAKit folder.

For more information, see the guide.HP CSA Integration Help

Test

Problem:

Symptoms

Primary software component

Failure message

Probable cause

Solution

OpenStack - HPE Cloud Services (HPE CS)

OpenStack - HPE Cloud Services deployment failure

Problem: OpenStack - HPE Cloud Service fails to deploy server instance.

Symptoms Create server instance fails in HPE Cloud Services

environment.

Primary software component OpenStack - HPE Cloud Services

Failure message HPE Operations Orchestration (HP OO) Central

Report shows failure for the flow Get Auth Token

with exception:

java.net.SocketException: Connection reset at

java.net.SocketInputStream.read(Unknown

Source) at

org.apache.http.impl.io.AbstractSessionInputBuffer.

fillBuffer (AbstractSessionInputBuffer.java:149)

Probable cause The HPE Cloud Services environment is not

reachable from HPE OO server.

Solution

In order to access the HPE Cloud Services environment, port 35357 must be opened on the HPE OO

server.

OpenStack - HPE Cloud Services fails to create instance

Problem: OpenStack - HPE Cloud Services fails to create instance when subscribing using OpenStack_HPCS_Compute_v3.20.00

Symptoms OpenStack - HPE Cloud Operations Orchestration

(HPE OO) flow "HPCS OpenStack Create

Instance" fails to execute for subscription using

Openstack_HPCS_Compute_v3.20.00.

Primary software component OpenStack - HPE Cloud Services

Failure message HPE OO flow "HPCS Openstack Create Instance"

fails to execute and in the flow there is a message

"No match found for XPath query;returnResult=No

match found for XPath

query;returnCode=0;sessionId=iconclude-4316373317873968843"

Probable cause

OpenStack - HPE Cloud Services provider is

configured with invalid access point URL.

OpenStack - HPE Cloud Services provider

properties are case sensitive.

tenantId value is incorrect.

Solution

The Provider Access point URL for OpenStack - HPE Cloud Services should start with "https."

Properties defined for OpenStack - HPE Cloud Services provider are case sensitive. Define

property names as "tenantId," "proxyPort," and "proxyServer" instead of defining all property names

in capital letters.

Verify correct tenantId value is entered in the tenantId property.

OpenStack - HPE Cloud Services subscription fails

Problem: OpenStack - HPE Cloud Services subscription fails.

Symptoms OpenStack - HPE Cloud Services subscription fails

when invalid region, geography, or zone are

selected on subscriber options.

Primary software component OpenStack - HPE Cloud Services

Failure message The HPE Operations Orchestration (HPE OO)

Central report will have the following exception at

step Get Auth Token:

com.iconclude.dharma.runengine.RunException:

Result expression 'serverId' produced null value. at

com.iconclude.dharma.runengine.impl.RunImpl.cycle

(RunImpl.java:751) at

com.iconclude.dharma.runengine.impl.RunImpl.

access$600(RunImpl.java:86) at

com.iconclude.dharma.runengine.impl.RunImpl$Cycle

Task$1.call(RunImpl.java:598) at

com.iconclude.dharma.runengine.impl.RunImpl$CycleTask$1.

call(RunImpl.java:596) at

java.util.concurrent.FutureTask$Sync.innerRun(Unknown

Source) at

java.util.concurrent.FutureTask.run(Unknown

Source) at

java.util.concurrent.ThreadPoolExecutor$Worker.runTask

(Unknown Source) at

java.util.concurrent.ThreadPoolExecutor$Worker.run

(Unknown Source) at

java.lang.Thread.run(Unknown Source)

Probable cause Invalid subscriber option Region, Zone, or

Geography selected for the subscription.

Solution

Verify that the HPE Cloud Services user has permission to create a server instance with region, zone or

geography subscriber option.

For more information, see the "Configuring HPE Cloud Services and Openstack" section in the HPE

guide.Cloud Service Integration Pack

VMware vCenter

Lifecycle Engine does not allow another lifecycle transition to begin if the vCenter Add Server fails with timeout

Problem: When vCenter Add Server fails with timeout, Lifecycle Engine does not allow another lifecycle transition to begin.

Symptoms When vCenter Add Server fails with timeout,

Lifecycle Engine does not allow another lifecycle

transition to begin.

Primary software component VMware vCenter

Failure message Lifecycle Engine is already executing.

Probable cause Add Server action has failed, but it is still trying to

clean up the resources from the failed action.

Solution

Follow one of these workarounds:

Wait for a few minutes before submitting the next request for modification.

Increase the timeout for the vCenter flex-in Server/vCenter flex-out Server flows in the content pack

"VMware vCenter Compute". The following steps explain how to make this change:

Open the HPE Operations Orchestration studio.

Open the "vCenter Flex-in Server" subflow found under "/Library/CSA Content

Pack/CSA3.2/Providers/Infrastructure/vCenter/vCenter Flex Server Count/Subflows/".

Right click on the "Poll LCE" step and click on properties.

Change the value of the "waitCounter" input to 120 (double the timeout minutes of the undeploy

flow).

Save the flow changes.

Follow the same steps for the "vCenter Flex-out Server" subflow found under "/Library/CSA Content

Pack/CSA3.2/Providers/Infrastructure/vCenter/vCenter Flex Server Count/Subflows/" and change the

value of the "waitCounter" input to 120 (double the timeout minutes of the deploy flow).

Modifying active subscription fails when modifying a subscription of vCenter Compute Modify

Problem: Modifying active subscription fails when modifying a subscription of "vCenter Compute Modify"

Symptoms Modifying online active subscription fails with error

"usedByCsa value cannot be greater than

availableToCsa" when modifying a subscription of

"vCenter Compute Modify".

Primary software component VMware vCenter

Failure message OO flow in OO central 'vcenter simple

compute-server group modify CPU and Memory'

will fail in step 'validate and update resource pool'

with error "usedByCsa value cannot be greater

than availableToCsa."

Probable cause Resource Type CPU and Memory Capacities

available to HPE CSA in the resource pool for the

vCenter Provider is less than the capacities

requested by the user.

Solution

Increase the resource type CPU and memory capacities available to HPE CSA in the resource pool of the

vCenter provider.

Subscription fails while using the vCenter Custom Pool Selection service design

Problem: Subscription fails while using "vCenter Custom Pool Selection" service design.

Symptoms Provider Pool selection fails.

Provision fails to allocate appropriate disk size for

the instance (should match template).

Primary software component VMware vCenter

Failure message ERROR BuildProviderPoolListAction :

Errorjava.util.MissingResourceException: Can't find

resource for bundle

java.util.PropertyResourceBundle, key

exception.buildProviderPoolList.missingResourcePools

Probable cause Valid Resource Pool is not created and enabled.

The free space on the data store for the resource

enabled does not match the size of the template.

Solution

Verify the Resource Pool is created and enabled with resource type storage.

Verify that one of the pools created has enough space on the data store based on the disk size

provided in the subscriber options.

Verify the pool is created with the same name as the data store name in the vCenter.

Valid Provider selection fails for Resource Offering when subscribing to vCenter Compute Modify

Problem: Valid Provider selection fails for resource offering when subscribing to "vCenter Compute Modify."

Symptoms Cannot select a provider because the valid

provider list is empty for resource binding when

subscribing to "vCenter Compute Modify."

Primary software component VMware vCenter

Failure message ERROR SelectPoolAndProviderAction : Could not

select a provider as valid providers list is empty for

Resource Binding:

8f5afb083ea87821013ec5bdd66a6636 in csa.log

file.

Probable cause

Resource type CPU and memory are not

defined in the resource pool of the vCenter

provider.

Resource pool is disabled for the vCenter

provider.

Resource yype CPU and memory available

capacity is less than the capacities requested

in the initial Subscription for "vCenter Compute

Modify."

Solution

Define resource type CPU and memory capacities in the resource pool of the vCenter provider.

Enable the resource pool for vCenter provider.

Increase the resource type available capacities for CPU and memory in the resource pool of the

vCenter provider.

vCenter compute subscriptions fail with Null pointer exception

Problem: vCenter compute subscriptions fail with Null pointer exception

Symptoms "vCenter Compute" service design based

subscriptions fail with Null pointer exceptions in

csa.log.

Primary software component VMware vCenter

Failure message Input values are required. Null pointer exception.

Probable cause The process definition for vCenter flows is not

updated with the new flow inputs.

Solution

Verify the following to resolve the issue:

Check the HPE Operations Orchestration flow inputs with the Resource offering action inputs. If the

inputs are different, then regenerate the HPOOInput.xml file from the process definition tool.

Rerun the process definition tool to add or update the existing definitions, with Update = true.

vCenter Customization Template Missing

Problem: vCenter customization template is missing on the vCenter server.

Symptoms Simple Compute Linux server deployment fails due

to the missing customization template on the

vCenter server.

Primary software component VMware vCenter

Probable cause vCenter server does not contain the specified

customization template.

Solution

Verify the vCenter server configured on the HPE Cloud Service Management Console contains the

specified customization template name in the service design.

If the template does not exist, create a customization template with the name on vCenter server.

Request for new subscription.

vCenter provision server fails when a cloned template specified is not present in the given Datacenter

Problem: vCenter provision server fails when cloned template specified is not present in the given Datacenter.

Symptoms vCenter Provision server fails because the cloned

template specified is not present in the given

Datacenter.

Primary software component VMware vCenter

Failure message exception=java.lang.IllegalArgumentException: VM

specified as "NAME:Rhel53x64_SA913:CSAQAB"

not found.

Probable cause Cloned template is missing in the given Datacenter

of the vCenter provider.

Solution

Make cloned template available in the Datacenter of the vCenter provider.

vCenter subscription goes online without any servers created

Problem: vCenter Subscription goes online and active without creating any server components

Symptoms vCenter subscription goes online and active

without creating any servers.

Primary software component VMware vCenter

Failure message None.

Probable cause When a vCenter subscription is created with

serverCount as 0, the subscription goes online

without creating a server component.

Solution

This behavior is expected if the serverCount is 0. ServerCount property defines the number of servers

required in the subscription. Modify the Service design property for the number of servers required, and

re-request the subscription.

CSA 4.7 - OpenStack Provider, Design, and IDM Configuration

Problem: OpenStack resource providers and service designs, as well as IDM integration with

Keystone, need to be appropriately configured to allow OpenStack based designs to be successfully

provisioned.

Solution

OpenStack Keystone Configuration:

The user you configure for your provider must have permissions inside of KeyStone to list users

and roles. This means that they must possess the and identity:list_projects

roles inside of keystone.identity:list_users

For OpenStack systems, this might require modifications to the keystone policy.json file followed by

a restart of the server.

Configure horizon to use v3 APIs to handle multiple domains and permissions.

CSA only uses the v3 APIs for user trust establishment.

V3 and v2 APIs can and do exist side by side.

Issue: Horizon does not support v3 administration of domains and permission in HOS 1.1.

All operations must be performed manually through the OpenStack interface when Horizon is

configured for v3 operation, because the 'admin' tab is not present.

OpenStack Resource Provider, CSA Organization/Catalog, and IDM Keystone Configuration:

Differences between Keystone v2 and v3 and impact on resource provider, and IDM configuration

Keystone v2.0 does not include Trust extension (OS-TRUST) OpenStack Identity service APIs. It is

only available from keystone v3. OS-TRUST APIs are needed by IDM to perform secondary

authentication for Keystone users logging into CSA and MPP.

Service Access Point for OpenStack Resource Providers should be defined using Keystone version

3. For example: http:<OpenStack-IP>:<port for identity service>/v3

Differences between domain-scoped and project-scoped tokens:

Between HOS 1.0 and HOS 1.1, keystone configuration in policy.json was modified to limit access

to certain REST interfaces. Previously project-scoped tokens had the right to list users and

projects; with the change, it is expected that a domain level token be acquired to list users and

perform many of the standard operations on the system. In general, older unmodified policy.json

files for HOS and OpenStack systems allow project scoped tokens to list users. More recent

OpenStack and HOS releases limit this access to users authenticated against the domain.

When the tenant property needs to be set on an OpenStack provider?

The tenant property for the OpenStack resource provider should be set in two cases:

If the OpenStack offerings need to executed in the context of subscriber (enableUserContext

component properties set as true) but the keystone transport user configured in the provider

does not necessarily have domain admin specific privileges, then during secondary

authentication process, project scoped authentication token will be used for the project

specified in the tenant property of OpenStack Provider.

If you are planning to execute the OpenStack offerings in the context of keystone transport

user configured in the provider (enableUserContext component properties set as false), then

tenant property will be used during provisioning to get project scoped token.

Setup Organization in CSA with a directory service endpoint: OpenLDAP or Microsoft Active

Directory that is also configured in the OpenStack Keystone instance.

Mapping CSA organizations LDAP to LDAP of OpenStack Keystone instance and identity

management secondary authentication with Keystone ensure that all subscription requests from

organization users are fulfilled in the context of user and the selected project.

Environments must be associated to the Resource Provider and Catalog in order for project

selection to be exposed to subscribers.

CSA provides additional Provider Selection Option Set for choosing providers for service offerings

that are based on Topology designs. To get a list of providers, you must associate the provider with

an appropriate resource environment. The service catalog that has the OpenStack Offering

published in also should be associated with same resource environment.

For a keystone user, the list will show a combination of OpenStack provider and the projects that

the user has access to.

For a seeded user or a non-keystone user, the list will show OpenStack resource providers

configured in CSA.

OpenStack Topology Design/Offering:

Configuration Requirements:

OpenStack Providers must be created in CSA.

Each Provider must be associated with Environments.

All the Catalogs that include OpenStack offerings must also be associated with Environments.

The service offerings associated with OpenStack Topology components can be executed in two modes:

User Impersonation Mode - In this mode, all the subscriptions are fulfilled in the context of the

subscriber who is also a keystone user.

Requirements: Keystone must be enabled in IDM.

To enable the keystone, set in the idm.keystone.enabled = true C:\Program

Files\Hewlett-Packard\CSA\jboss-as\standalone\deployments\idm-service.war\WEB-INF\spring\applicationContext.properties

file.

To execute the service offerings associated with OpenStack Topology components in User

Impersonation Mode, follow these steps:

Select the OpenStack Offering from a specific Catalog.

For the OpenStack Offerings that meet all the requirements specified before, the user will

see a list of providers and OpenStack projects that the user has access to in the OpenStack

Environment and Provider Selection CSA seeded Option Set.

Once you select the specific provider:project where the service needs to be provisioned, set

to .enableUserContext true

All the Dynamic Lists will be populated at this point, with the values based on the context

selected (Provider, Project, and User).

Choose the value from each list and specify values for other non-list properties, such as

Server Name Prefix, Volume Name Prefix, and so on.

Click from the right panel.Checkout

Enter a name for the subscription, and select an end date.

Submit the request.

Admin Mode - In this mode, all the subscriptions are fulfilled by the user configured in the

OpenStack Resource Provider.

Keystone may or may not be enabled in IDM for this mode.

To execute the service offerings associated with OpenStack Topology components in Admin Mode,

follow these steps:

If "Any Environment" or "Any Provider in this Environment" is selected, any provider

and its associated project will be randomly selected. There is no way to ensure in this

method that all the JSPs select the same provider/project. This is not a

recommended choice for OpenStack dynamic options.

Select an OpenStack Offering from a specific Catalog.

If , the user will see a list of provider and OpenStack projects thatIDM Keystone is enabled

the user has access to in the in the OpenStack Environment and Provider Selection CSA

seeded Option Set.

If , the user will see a list of OpenStack providers only in inIDM Keystone is not enabled

the OpenStack Environment and Provider Selection CSA seeded Option Set.

Once you select the specific provider where the service needs to be provisioned, set the

enableUserContext to false.

All the Dynamic Lists will be populated at this point with the values based on the context

If "Any Environment" or "Any Provider in this Environment" is selected, any provider

and its associated project will be randomly selected. There is no way to ensure in this

method that all the JSPs select the same provider/project. This is not a

recommended choice for OpenStack dynamic options.

In Admin Mode, the project used will be always the one configured in the OpenStack

Resource Provider even if the IDM Keystone is enabled.

selected (Provider, Provider Project, and Provider User).

Choose the value from each list and specify values for other non-list properties such as

Server Name Prefix, Volume Name Prefix, etc.

Click from the right panel.Checkout

Enter a name for the subscription, and select an end date.

Submit the request.

Puppet

CSA 4.7 - OO shows a successful run even if Puppet component is not present on the server

Problem: Puppet component is not present on a server after a successful subscription (Puppet 3.7).

Symptoms You create a topology design with a vCenter server

and you want to install some Puppet component

(e.g. Java) on it. After ordering such a design from

MPP, the service is in active status, iand n OO the

run is successful as well. If you log to the

provisioned server and you want to verify if the

software was installed successfully, it will not be.

Primary software component server component + Puppet component

Failure message There is no error message. The server node is

attached to the "Puppet master" server, but no

software is installed on it.

Probable cause The server prefix name contains some uppercase

characters. Puppet master server then does not

assign the node to the right group, which contains

a class to be installed.

Solution

Make sure you only use lowercase characters for your server prefix name property (vmNamePrefix

property for the vCenter server component).

Cloud Optimizer

Generated alerts from producer are not getting received by CSA

Problem: Generated alerts from producer are not getting received by CSA.

Symptoms CSA health status in Ops Console or MPP is not

getting updated through alerts/notification.

Primary software component CSA and Cloud Optimizer

Failure message There is no error message.

Probable cause This issue occurs when the user has missed

configuration mapping in the host file /etc/hosts in

Cloud Optimizer.

Solution

Syntax: <CO ipaddress>space<localhost>space<127.0.0.1>space<localhost>

For example: 10.2.14.104 localhost 127.0.0.1 localhost

Graph lines are not displaying properly in MPP service details and topology view which is an inconsistent issue.

Problem: Graph lines are not displaying properly in MPP service details and topology view which is an inconsistent issue.

Symptoms Graph lines are not displaying properly in MPP

service details and topology view which is an

inconsistent issue.

Primary software component CSA and MPP

Failure message NA

Probable cause The Library (angular NVD3) used has inconsistent

issue with respect to display of line graph and it

occurs rarely.

Solution

Refresh the chart either by clicking view health link or do page refresh.

Health status column is showing ‘Not Monitored’ in Ops Console

Problem: Health status column is showing ‘Not Monitored’ in Ops Console.

Symptoms User is not able to see the Health status column in

the Subscriptions view from Ops Console tile.

Primary software component CSA and Cloud Optimizer

Failure message User does not see any error message.

Probable cause

The Subscription is being deployed

The subscription is created on a supported

provider, but multiple vCenter/OpenStack

providers are configured.

The subscription is created on an unsupported

providers, such as a provider other than

vCenter/OpenStack.

The subscription may contain a custom server

component, and the configuration to enable

monitoring custom component is missing in the

csa.properties file.

Solution

Check if the subscription is being deployed

Wait until the subscription is deployed completely

Check if the subscription is provisioned on one of the supported providers such as vCenter/Helion

OpenStack and if it is

Ensure if the Cloud Optimizer provider is correctly configured

Ensure on the vCenter/Helion OpenStack provider, a property with the name 'COURL' is created and

it value is set to the correct Cloud Optimizer providers access point URL

For more details refer to CSA configuration guidelines

Check if the subscription is provisioned on an unsupported providers, then this is expected behavior as

the servers are not monitored for health status.

Check if the subscription has custom server components, then

Ensure that the customer server name is configured in the csa.properties file where the property

name is 'custom.server.component.type'

For more details refer to CSA configuration guide to enable monitoring.

Not able to view the Subscription Health status column in the Ops Console

Problem: Not able to view the Subscription Health status column in the Ops Console.

Symptoms No health status column is shown in the

Subscription view under Ops Console tile.

Primary software component CSA and Cloud Optimizer

Failure message There is no error message.

Probable cause This issue is seen when:

The Cloud Optimizer provider is not configured.

The Cloud Optimizer provider is configured, but

the COURL property is not configured in the

vCenter/OpenStack provider.

An unsupported version of the Cloud Optimizer

provider is configured. The currently supported

version is 3.01.

Solution

Check that the Cloud Optimizer version is 3.01 or higher. CSA does not support older versions of Cloud

Optimizer, as the integration APIs are provided in 3.01 version and later.

Make sure the Cloud Optimizer provider is configured per configuration guidelines.

Check that the COURL property is created in the vCenter/OpenStack provider and the value is set to the

Service Access point value of the Cloud Optimizer provider that monitors the

respective vCenter/OpenStack provider.

On the CO we see alerts but is not seen in CSA for server components

Problem: On the CO we see alerts but is not seen in CSA for server components.

Symptoms Health alerts are not seen in CSA for server

components, even though all certificates have

been exported and imported successfully in both

CSA and Cloud Optimizer.

Primary software component CSA and Cloud Optimizer

Failure message There is no error message.

Probable cause The iptable service may be blocking the Kafka

broker port to accept the connections from CSA

The broker is configured to listen on a non

localhost IP address and the notification producer

is sending the message to the broker on localhost

Solution:

Check on the CO system, if the firewall is not enable to accept the connections from CSA to listen for the

health status notifications

By default the Kafka broker runs on the default port 9092. User need to enable this port to accept

TCP connections by running the following command

iptables -I INPUT -s 0/0 -p tcp --dport <nondefault-port> -j ACCEPT

100

Note: This fix applies to default port 9092 also. It must be enabled to accept the connections if is not

already done.

Check the localhost is mapped to the actual IP address the Kafka broker is running on

Syntax: <CO ipaddress>space<localhost>space<127.0.0.1>space<localhost>

For example: 10.2.14.104 localhost 127.0.0.1 localhost

With these above changes, user should be able to receive new serer health status notifications from

Cloud Optimizer. If still user is not able to view the new health status notifications then

Go to the CSA Provider's tile and select the Cloud Optimizer provider and click edit

Disable and Save and enable it again and save the provider.

This action will reset the notification consumer.

User sees SSL Connectivity error while refreshing the health status from the Ops Console

Problem: User sees the SSL Connectivity error while refreshing the health status from the Ops Console.

Symptoms User sees the SSL Connectivity error message

while trying to refresh the health status for a

subscription/deployment.

Primary software component CSA and Cloud Optimizer

Failure message Unable to communicate with the monitoring

provider. Verify SSL connectivity requirements to

the server, which could be the likely cause.

Probable cause The SSL certificaute is not imported into CSA, and

if imported, then the CSA service may not have

been restarted.

Solution

Import the SSL certificate from the Cloud Optimizer server, import into CSA, and restart the CSA service.

Follow the instructions specified in the CSA for export and import of theConfiguration Guide

SSL certificate from Cloud Optimizer to CSA.

VM's in the CSA are displaying Unknown Health status.

Problem: VM's in the CSA are displaying Unknown Health status.

Symptoms Provisioned VM's in the CSA are displaying

Unknown Health status even after couple of hours.

Primary software component CSA and Cloud Optimizer (CO)

101

Failure message User does not see any error message.

Probable cause Disruption in data collection due to network or any

other failure between CO and vCenter.

Solution

Manually restart data collection from CO UI.

1) Login into the CO.

2) Restart the data collection by refreshing on the data source and wait until data collection is completed

successfully.

3) Go to CSA and do the refresh on the VM to see the updated health status.

Docker Universal Control Plane - DOCKER UCP DATA CENTER (CSA)

Problem: Docker UCP component won't get deployed due to missing "Undeploy" flow

Symptoms After importing the images as components from

Docker trusted registry, when the Docker UCP

components are added to the design and deployed

the design will not get deployed.

Primary software component Provider Type : DOCKER UCP DATA CENTER

Solution

Follow these steps in the given order:

credentials.

Download the content pack

https://hpln.hpe.com/rest/contentofferings/dockerucp/contentpackages/10928/contentfiles/26444

and it will download a file named " " .Docker UCP V1.0.0.zip

Delete the existing content with the name "Docker Universal Control Pane Content" or "UCP"

Extract the downloaded zip file "Docker UCP V1.0.0.zip" to a folder

Extract the zip file docker-ucp-data-center.zip which will be inside the previously extracted folder

from above step 4

Deploy the content pack docker-ucp-data-center-1.0.0-SNAPSHOT.jar in to HPE Operations

Orchestration

Import the component and this component should have "Deploy and Undeploy" flows

Add it to the design and deploy it. Please follow the Docker Universal Control Pane content guide

for more information. (

)https://hpln.hpe.com/rest/contentofferings/dockerucp/contentpackages/10928/contentfiles/26447

102

HPE CSA on Linux Platform

This section contains the following topics:

ArcSight Logger integration fails after upgrade on Ubuntu

Cannot stop the CSA service

HPE CSA service startup fails

Installation on Linux completes for wrong user input in the install options for database component

ArcSight Logger integration fails after upgrade on Ubuntu

Problem: ArcSight Logger integration fails after upgrade on Ubuntu platform.

Symptoms HPE CSA logs are not updated on ArcSight after

an HPE CSA upgrade from 3.20 to 4.0 on the

Ubuntu platform.

Primary software component HPE Cloud Service Automation

Failure message ArcSight integration fails. HPE CSA logs are not

updated on ArcSight Logger.

Probable cause Log4j.properties related to ArcSight are overwritten

during the upgrade.

Solution

Go to the $CSA_HOME/_CSA_4_0_installation/backup/standalone/csa.war/WEB-INF/classes

directory.

Open the log4j.properties file.

Copy the ArcSight properties.

Paste them into the $CSA_HOME/jboss-as/standalone/csa.war/WEB-INF/classes/log4j.properties

file.

Cannot stop the CSA service

Problem: Cannot stop CSA Service using the CSA service script.

Symptoms CSA Service script completes successfully but the

JBoss process is still running.

Primary software component HPE Cloud Service Automation

Failure message No failure message. JBoss process is running.

103

Probable cause JAVA HOME should be excluded for env reset in

sudoers.

Solution

Add the following to /etc/sudoers:

Defaults env_keep+="JAVA_HOME CSA_HOME"

HPE CSA service startup fails

Problem: csauser fails to start the HPE CSA service.

Symptoms User fails to access the Cloud Service

Management Console.

Primary software component HPE Cloud Service Automation

Failure message No error message displayed, but after HPE CSA

startup, verify the csa running status by executing

the command "service csa status" and you will see

a message "CSA Service is not running."

Probable cause Sudo permission is not granted to csauser.

Solution

In the HPE CSA server:

service script (which starts, stops, restarts, and reports the status of HPE CSA) and preserve the

JAVA_HOME and CSA_HOME variables for the sudo session.

Add the following entries to /etc/sudoers:

csauser ALL=(ALL) NOPASSWD: /etc/init.d/csa,/bin/sh env_keep+="JAVA_HOME

CSA_HOME"

Installation on Linux completes for wrong user input in the install options for database component

Problem: HPE CSA installation on Linux completes successfully for the wrong user input when

configuring the database component install options.

104

Symptoms During the database component installation portion

of the HPE CSA installation procedure, if the user

wants to install the database components but

provides any input other than yes (such as 'y' or

some other input such as 'abc'), the database

tables will not be created on the remote database

server. The installer will show the installation

completed successfully anyway, however. The

installer will create the database tables only if yes

is specified during the installation.

Primary software component HPE CSA Installer

Failure message None.

Probable cause When any input other than yes is provided as

input, the installer assumes that the option

provided is no.

Solution

During HPE CSA installation on a Linux platform, enter "yes" to install the database components and

create the database schema. Enter "no" to skip the install of database components.

Marketplace Portal

This section contains the following topics:

After enabling High color contrast, MPP screen in IE has a black background, for Chrome a High

Contrast plugin is needed to be added

CSA 3.2 - CSA 4.7 - Subscription modification fails for subscription based on the

VCENTER_COMPUTE_MODIFY_3.20 sequenced design

CSA 4.7 - System time differences between CSA system and MPP browser system may prevent

Failed to Process Subscription screen in Marketplace Portal if referenced sequence designs have

no root node

For HPE CSA on a Windows environment, users might not be able to access the Marketplace

Portal

Fresh Install - MPP Service Unavailable message displayed when connecting to MPP login page

Marketplace Portal Power ON-OFF service actions comes back with Failed Services

MPP Service Unavailable message displayed when connecting to Marketplace Portal login page

after upgrade

Remote Console Service

Web Browser Remembers Login Password

Do not provide any other input other than or . For all other inputs, installer skips the installyes no

of database components.

105

When a public action on an active subscription fails, user has no way of knowing the details of

failure

After enabling High color contrast, MPP screen in IE has a black background, for Chrome a High

Contrast plugin is needed to be added

Problem: <Description>

Symptoms After enabling High color contrast, the color of the

SMC and MPP screens does not have a black

background.

Primary software component SMC and Market Place

Failure message None

Probable cause IE supports High Contrast Mode(Windows

command) where as, Chrome does not support

High contrast by default but require high contrast

plugin.

Solution

How to Put Chrome in High Contrast Mode

If you have trouble in high-contrast mode, to see clearly, you can use an extension in Chrome. High

Contrast, an extension made by Google, "inverts" colors so that white text shows up on black

backgrounds.

Here's how to install and use High Contrast:

1. on the in the Chrome Web Store.Click "Add to Chrome" High Contrast extension

106

2. in the resulting pop-up.Click "Add extension"

3. in the top right-hand corner of the browser. You will be able to pick a variety ofClick on the new icon

options, including setting the color scheme to invert, grayscale, yellow on black or simply disabling the

extension.

107

Pages will appear in the new color scheme (with the exception of photos). Click on the icon again at any

time to change your settings, or use the keyboard shortcuts listed in the extension to make changes.

CSA 3.2 - CSA 4.7 - Subscription modification fails for subscription based on the

VCENTER_COMPUTE_MODIFY_3.20 sequenced design

Problem: Subscription modification fails for subscription based on the

VCENTER_COMPUTE_MODIFY_3.20 sequenced design.

Symptoms If a subscription modification fails for a subscription

that is based on the

VCENTER_COMPUTE_MODIFY_3.20 sequenced

design, a subsequent modification initiated by the

Resubmit Last Modification button in the

Marketplace Portal may succeed but will not honor

the selections made during the initial failed

subscription modification.

Primary software component Marketplace Portal

Failure message No failure message.

Probable cause Defect in the handling of modification failures by

this design and the associated HPE Operations

Orchestration flows.

108

Solution

After correcting the source of the subscription modification failure, multiple subscription modification

requests must be initiated. First, Resubmit Last Modification must be performed to result in a successful

modification.

After that completes successfully, Modify Subscription can be performed to select the new desired values.

CSA 4.7 - System time differences between CSA system and MPP browser system may prevent login

Problem

A user trying to log in to the Marketplace Portal may be repeatedly taken back to the Log In page with no

explanation of why the login was not allowed.

Solution

This situation can occur when the configured time on the CSA system is significantly different than the

time on the system that is running the browser used to access the Marketplace Portal. To resolve the

problem, update the time of each system to be accurate. Note that the system's need not be all

configured for the same time zone, but the configured time should be accurate for each system.

Failed to Process Subscription screen in Marketplace Portal if referenced sequence designs have no

root node

Problem: Failed to Process Subscription screen in Marketplace Portal if referenced sequenced design

has no root node.

Symptoms In the Marketplace Portal, a large blue Failed to

Process Subscription screen is shown when

attempting to order a subscription.

Primary software component Marketplace Portal, Cloud Service Management

Console

Failure message Failed to Process Subscription

Probable cause Sequenced designs require a root component in

order for a service offering to be created from

them. However, after the offering is created, the

source design can be modified in any manner that

doesn't impact the target bindings configured in the

Subscriber Options tab for the design. If the design

contains no target bindings and is modified to have

no root node (i.e. no nodes at all), this Failed to

Process Subscription message will be seen in the

Marketplace Portal when ordering the service

offering.

109

Solution

If there is a need for widespread changes in the source design, create a new sequenced

design. Superficial changes, such as changing display names or descriptions of components or

properties, are appropriate.

For HPE CSA on a Windows environment, users might not be able to access the Marketplace Portal

Problem: After installing HPE CSA in a Windows environment, users might not be able to access the

Marketplace Portal.

Symptoms After installing HPE CSA in a Windows

environment, users might not be able to access the

Marketplace Portal. A blank page is displayed

when accessing the Marketplace Portal at

https://<Host>:<Marketplace Portal Port>/mpp.

Primary software component Marketplace Portal

Failure message A blank page is displayed when accessing the

Marketplace Portal at https://<Host>:<Marketplace

Portal Port>/mpp.

Probable cause This issue happens intermittently. The script used

for starting the Marketplace Portal service via the

installer fails to start the Marketplace Portal

service. As a result, the Marketplace Portal is not

accessible.

Solution

Installing HPE CSA in a Windows environment creates an HPE Marketplace Portal service. If the

Marketplace Portal is not accessible after installing HPE CSA, users can verify if the HPE Marketplace

Portal service is running by navigating to > > .Control Panel Administrative Tools Services

If the HPE Marketplace Portal service is not running, start the service.

If the HPE Marketplace Portal service is running, restart the service.

Fresh Install - MPP Service Unavailable message displayed when connecting to MPP login page

Problem: Fresh Install - MPP Service Unavailable message displayed when connecting to MPP login

page.

Symptoms The MPP service is not able to connect to the CSA

service after an upgrade.

Primary software component Marketplace Portal

Failure message MPP service unavailable.

110

Probable cause The MPP service is not able to communicate with

HPE CSA due to the unresolved FQDN of the HPE

CSA machine.

Solution

To verify this issue, ping the FQDN from the MPP machine and check the response.

If the FQDN is not reachable, add the FQDN entry in the hosts file of the Windows or Linux system and

restart the MPP service.

Marketplace Portal Power ON-OFF service actions comes back with Failed Services

Problem: Marketplace Portal - Power ON-OFF service actions comes back with Failed Services.

Symptoms: Marketplace Portal - Power ON-OFF service

actions comes back with Failed Services.

Primary software component: HPE CSA and HPE MOE

Failure message: Failed Services is seen for the MPP offering under

my service details. HPE CSA-operations page

shows ."Under HPServer Flow execution failed

Operations Orchestration, reports errorMsg=Could

not sign in. Please verify user name and password.

Probable cause: HPE MOE provider credentials changed under

MOE CSA providers or HPE MOE itself.

Solution

To fix this issue:

Click the resources box.

Select the MOE provider, enable edit to change to the new password, and then check save.

Redo the power ON/OFF service actions to the online instance on the Marketplace Portal.

Verify the new changed state.

MPP Service Unavailable message displayed when connecting to Marketplace Portal login page after

upgrade

Problem: MPP Service Unavailable message displayed when connecting to Marketplace Portal login

page after upgrade.

Symptoms Marketplace Portal service is not able to connect to

the HPE CSA service after an upgrade.

111

Primary software component MPP

Failure message MPP service unavailable. Also, see "MPP Log File

Message" below.

Probable cause MPP service is not able to communicate with HPE

CSA due to an expired SSL certificate.

MPP Log File Message

After an HPE CSA upgrade, CSA service continues to use existing SSL certificate which was configured

for the previous version. This certificate has expired and can no longer be used.

Following message appears in the mpp log file (<CSA_HOME>\portal\logs\mpp.log):

{"level":"error","message":"Could not communicate with IDM server: Error: SSL Error:

CERT_HAS_EXPIRED\n at Request.onResponse (C:Program

Files\\Hewlett-Packard\\CSA\\portal\\node_modules\\mpp-server\\node_modules\\request\\index.js:665:24)\n

at ClientRequest.g (events.js:175:14)\n at ClientRequest.EventEmitter.emit (events.js:95:17)\n at

HTTPParser.parserOnIncomingClient [as onIncoming] (http.js:1689:21)\n at

HTTPParser.parserOnHeadersComplete [as onHeadersComplete] (http.js:120:23)\n at

CleartextStream.socketOnData [as ondata] (http.js:1584:20)\n at CleartextStream.read [as _read]

(tls.js:508:12)\n at CleartextStream.Readable.read (_stream_readable.js:320:10)\n at

EncryptedStream.write [as _write] (tls.js:366:25)\n at doWrite

(_stream_writable.js:221:10)","timestamp":"2013-11-26T00:56:30.039Z"}

Solution

In this case, the user is responsible for replacing the old expired certificate with the new valid certificate.

To resolve this issue, the user needs to follow the procedure entitled "Configure HPE CSA to Use a

Certificate Authority-Signed or Subordinate Certificate Authority-Signed Certificate" in the HPE CSA

.Configuration Guide

Remote Console Service

Feature Usage

Error "Invalid Parameters Passed to the host" shown when Remote console is accessed

Problem 1 : Remote console configured incorrectly.

Symptoms

Remote console does not open on click of Open

button from MPPConsole

Primary software component Remote console service

Failure message

"Invalid Parameters Passed to the host."

112

Probable cause

The property must be presentrcs.sharedKey

in both the following files:

HPE\CSA\jboss-as\standalone\deployments\

csa.war\WEB-INF\classes\csa.properties

and

/home/hpegwuser/.guacamole/guacamole.properties

The value for rcs.sharedKey should be same in

both the files.

The property inguacd-url

/home/hpegwuser/.guacamole/guacamole.properties

can be FQDN or IPAddress, any other value

(Ex: localhost) may cause this error.

Problem 2 : When Guacd deamon is down

Symptoms Trouble in loading Remote Desktop in browser

Primary software component Remote Console Service

Failure message

"Invalid Parameters passed to host"

Probable cause Guacd deamon is down

Solution 1 :

Copy the property and value from file and paste it in rcs.sharedKey guacamole.properties

file.csa.properties

Provide RCS server's FQDN or IP address for the property in guacamole.properties.guacd-url

Solution 2 :

If you are getting above mentioned failure message, check whether guacd deamon is running by

executing below command on the remote console server.

sudo service guacd status

In case the guacd service is down, start the service by executing the below command.

sudo service guacd start

Open Console button shows the error - The remote console service is not configured

113

Problem: Open Console button shows error page

Symptoms When the user clicks on OpenConsole button in

the subscription details page, the below given

exception is thrown.

Primary software component Marketplace Portal

Failure message

"The remote console service is not configured,

please contact your system administrator."

Probable cause

This error is thrown if the value for url property

(url property under remoteconsoleservice section)

in the is not provided. The url propertympp.json

should contain the remote console service

hostname and port.

Solution

Configure the gateway url for property under in url remoteconsoleservice

.CSA_HOME\portal\conf\mpp.json

Example: >>https://<<remoteConsoleServer>>:<<8443

Remote Console Service not configured but we can see OpenConsole button for all the server

components.How to disable it?

Problem: How to disable Remote Console Service for not showing OpenConsole button?

Symptoms Users seeing the OpenConsole button even the

Remote Console Service is not configured

Primary software component Marketplace Portal

Failure message NA

Probable cause The cause for this behavior would be setting the

property to under enabled false

in remoteconsoleservice mpp.json

Solution

To solve this set the property to under in enabled false remoteconsoleservice

.CSA_HOME\portal\conf\mpp.json

Unable to alter the console screen size in Remote Console

114

Problem: The screen size of target VM console can not be changed when the browser size is altered.

Symptoms On altering the size of the browser, users

experience no change in the screen resolution of

remote console of target VM

Primary software component Remote Console Service

Failure message NA

Probable cause This is a limitation. The initial screen size of the

remote console can not be changed.

Solution

This is a limitation of Remote Console service in 4.8 release

Unable to connect to target VM through remote console

Problem 1 : Unable to communicate with the host

Symptoms Unable to load Remote Console in browser

Primary software component Marketplace Portal

Failure message

" "Unable to communicate with the host

Probable cause

The property must be present inrcs.sharedKey

both the following files:

HPE\CSA\jboss-as\standalone\deployments

\csa.war\WEB-INF\classes\csa.properties

and

/home/hpegwuser/.guacamole/guacamole.properties

The value for should be same in rcs.sharedKey

both the files.

Problem 2 : Unable to communicate with the host

Symptoms Unable to load Remote Desktop in browser

Primary software component Marketplace Portal

Failure message

"Unable to communicate with the host"

115

Probable cause server.hostname and server.ipAddress properties

HPE\CSA\jboss-as\standalone\deployments

\csa.war\WEB-INF\classes\csa.properties

should contain names of the hostname/ipAddress

properties that are defined in the service design.

Ex: server.hostname=host, hostname1

server.ipAddress=ip1, primary_ip_address

In the above example, host, hostname1, ip1 and

primary_ip_address are custom properties defined

on a server component in the service design.

The probable cause for the above mentioned error

is missing entries in server.hostname or

server.ipAddress for custom hostname/ipAddress

properties.

Problem 3 : Error occurred when connecting to the host

Symptoms Remote RDP system does not open when you

click on Connect RDP button.

Primary software component Remote Console Service

Failure message

"Error occurred when connecting to the host."

Probable cause Network Level Authentication (remote settings) is

enabled on the target windows server.

Problem 4 : Guac-client might be down after establishing connection with Remote Server

Symptoms Trouble in loading Remote Desktop in browser

Primary software component Remote Console Service

Failure message

"Error creating remote console tunnel. The

gateway might be down"

Probable cause HPERCS server is down

Problem 5 : While clicking Open Console, if connection is not established with Target VM.

Symptoms Unable to load Remote Desktop in browser

Primary software component Remote Console Service

116

Failure message

"Unable to communicate with the host"

Probable cause Target VM is down or not within the network

Problem 6 : Unable to communicate with the host

Symptoms None of the protocol(s) are not listed when you

click on the button from MPP.Open Console

Primary software component Remote Console Service

Failure message

"Unable to communicate with the host."

Probable cause Expected protocol(s) are not running on the default

port as provided in file.guacamole.properties

Problem 7 : Gateway is not reachable.

Symptoms Hpercs service is running, but the gateway is not

reachable

Primary software component Hpercs service

Failure message 404 error page

Probable cause When keystore path is configured incorrectly in the

remote console service, the above error is thrown.

Solution 1 :

The property rcs.sharedKey must be present in both

HPE\CSA\jboss-as\standalone\deployments\csa.war\WEB-INF\classes\csa.properties

and /home/hpegwuser/.guacamole/guacamole.properties files. The value for rcs.sharedKey should be

same in both the files.

Solution 2 :

Check whether ipaddress/hostname property names is configured in csa.properties. OR

Check whether ipaddress/hostname property names are matching the server component properties. OR

Check whether ipaddress/hostname values of server component is null or empty.

Solution 3 :

117

To connect to an RDP system from remote console you need to:

1. Click Window's button.Start

2. Right-click icon and select .This PC/Computer Properties

3. Select , the window opens.Advanced system settings System Properties

4. Go to tab.Remote

5. Un-check Allow connections only from computers running Remote Desktop with Network Level

.Authentication (recommended)

6. Click .OK

Note: Remote console service will not work with IPv6 addresses for RDP connections.

Group Policy setting:

Go to Computer Configuration > Policies > Windows Components > Remote Desktop Services > Remote

Desktop Session Host > Connections > Allow users to connect remotely using Remote Desktop Services

and set the option to Enabled

Solution 4 :

If you are getting above mentioned Failure message, check whether hpercs server is running by executing

the following command in guacamole installed CentOS server.

sudo service hpercs status

If it is not showing any service is running, execute the following command to start it.

sudo service hpercs start

Solution 5 :

Check whether Target VM is up and running. If it is up, check whether it is within network. To ensure it is

in network, try ping to target VM.

Solution 6 :

On the target VM, make sure port number(s) for SSH/RDP/VNC protocols are not blocked and are

specified correctly in the /home/hpegwuser/.guacamole/guacamole.properties file.

Solution 7:

On Remote console server, in the catalina log file /opt/hpercs/logs/catalina.out, the following error

message will be thrown:

"SEVERE [main] org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore

Failed to load keystore type JKS with path /home/hpegwuser/.keystore due to

/home/hpegwuser/.keystore (No such file or directory)

118

java.io.FileNotFoundException:

/home/hpegwuser/.keystore (No such file or directory)"

To resolve this issue, the user has to add the correct path of generated keystore file.

Edit the tomcat configuration, i.e /opt/hpercs/conf/server.xml

and make sure the keystoreFile attribute in Connector element has the correct path to the generated

keystore file.

Unable to see OpenConsole button for accessing the remote connection for any server component in

subscription details page

Problem: Unable to see OpenConsole button for accessing the remote connection for any server component in subscription

details page

Symptoms The user is unable to see the Open Console button

for any of the server components in the

subscription details page.

Primary software component Marketplace Portal

Failure message NA

Probable cause The cause for this behavior is not setting the

property to under enabled true

in remoteconsoleservice mpp.json

Solution

To solve this, set the property to under in enabled true remoteconsoleservice

CSA_HOME\portal\conf\mpp.json.

Installation

Incorrect proxy configurations

Problem: Proxy environment variable are not defined correctly.

Symptoms install.sh script execution aborted with error

message

Primary software component Remote Console Service

119

Failure message Checking internet connectivity... Attempting test

connection to https://www.hpe.com

Connectivity test failed, please confirm your proxy

settings are set properly if a proxy is required. No

HTTPS proxy server configuration was found.

Probable cause Proxy related environment variables are not set

properly.

Solution

Set proper proxy url to http_proxy, https_proxy, ftp_proxy OR HTTP_PROXY, HTTPS_PROXY,

FTP_PROXY.

Other solution is to add above proxy based environment variable to /etc/environment file with proper proxy

url.

While running the install.sh script user does not choose jdk1.8

Problem: When user chooses wrong jdk version during remote console service installation.

Symptoms If the user selects any other jdk version apart from

jdk1.8 and proceeds with the script execution, the

installer fails with the error mentioned below.

Primary software component Remote console service

Failure message Exception in thread "main"

java.lang.UnsupportedClassVersionError:

com/hp/csa/security/util/AESHelperWithMarkersStatic

: Unsupported major.minor version 52.0

Probable cause Password encryption fails as it expects jdk1.8

Solution

User needs to re-execute install.sh script and enter y when prompted for JDK 1.8 version download. Once

the dependencies are installed, user needs to enter the selection pointing to

/usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java

yum update command fails during remote console installation

Problem: yum update failed due to proxy issue.

120

Symptoms sudo yum update fails with

1.Time out error.

2.Network unreachable error.

Primary software component Remote console service

Failure message Timeout error similar as below

Downloading Packages:

http://centos-hcm.viettelidc.com.vn/6.8/updates/x86_64/Packages/ORBit2-2.14.17-6.el6_8.x86_64.rpm

: [Errno 12] Timeout on

http://centos-hcm.viettelidc.com.vn/6.8/updates/x86_64/Packages/ORBit2-2.14.17-6.el6_8.x86_64.rpm

: (28, 'connect() timed out!') Trying other mirror.

Network unreachable error as below.

[Errno 14] PYCURL ERROR 7 - "Failed to connect

to 2405:7600:0:6::69: Network is unreachable"

Probable cause unable to reach proxy.

yum expects proxy details in /etc/yum.conf

Solution

Add proxy to /etc/yum.conf file.

Web Browser Remembers Login Password

Problem: Internet Explorer, Chrome, and Firefox offer the ability to remember login credentials to the

Marketplace Portal.

Symptoms When logging in to the Marketplace Portal, your

browser might prompt you to save the login

credentials.

Primary software component Marketplace Portal

Probable cause Some major browsers have been designed to

ignore the autocomplete=off attribute in web forms,

offering users the ability to save passwords even

when web developers wish to explicitly prohibit that

ability.

Solution

If you do not wish to save the login credentials in the web browser or do not want the browser to prompt

you to remember passwords at all, configure the browser or use a corporate IT policy. For more

information, see the browser documentation or contact your system administrator.

121

When a public action on an active subscription fails, user has no way of knowing the details of failure

Problem: When a public action on an active subscription fails, the user has no way of knowing the

details of the failure.

Symptoms When HPE CSA is in unlicensed mode, the OSI

count is 25, and an Add Server request is

submitted on an active subscription, the Add

Server request will be rejected.

Primary software component HPE CSA

Failure message None

Probable cause The request may have been rejected due to the

OSI limitation of HPE CSA in unlicensed mode.

Solution

The license limitation is an expected behavior.

Topology Designs

This section contains the following topics:

Chef integration does not work when Chef server tries to access the provisioned VMs using SSH

shell

CSA 4.6 - CSA 4.7 Import of topology component of custom provider type does not work

CSA 4.7 - Amazon Server component fails to provision

CSA 4.7 - Cannot execute a test run of a topology design

CSA 4.7 - vCenter Server component fails to provision

Chef integration does not work when Chef server tries to access the provisioned VMs using SSH shell

Problem: Chef integration does not work when Chef server tries to access the provisioned VMs using

SSH shell, which are not trusted by Chef Server.

Symptoms Chef-based design provisioning fails with

connection refused error.

Primary software component Chef-based design provisioning, Topology Design

component.

Failure message Following error message received in Chef HPE

OO:

Deploy flow, " " stepCheck Node

Connection refused:connect

122

Probable cause During Chef-based design realization, the Chef

server connects to provisioned VMs using SSH

shell to execute Chef operations. If the provisioned

VMs are not trusted by the Chef server, the

operation fails.

Solution

Add the following lines in the SSH config file of Chef server for the user as defined in Chef Provider

configuration property ( " "):chefClient

Host *

StrictHostKeyChecking no

UserKnownHostsFile /dev/null

For example, for a chefClient user of developer, the SSH config file location would be

./home/developer/.ssh/config

CSA 4.6 - CSA 4.7 Import of topology component of custom provider type does not work

Problem: Import of topology component of custom provider type does not work.

Symptoms In the Cloud Service Management Console, in the

Designs / Topology / Components area, when

importing a new topology component, you will not

be able to find OO flows for standard components

in the Import Topology Component dialog.

Primary software component Import Topology Component dialog in the Cloud

Service Management Console

Failure message No failure message is provided, but the associated

flows cannot be found.

Probable cause Import of a new component that has flows in a

directory that conforms to the standard component

structure does not work for custom provider types.

Solution

Instead of importing a new topology component, use the Create Component dialog to create a new

component of the appropriate provider type. Then, on the Operations tab for the newly created

component, select Import to manually import the appropriate flows for the component.

CSA 4.7 - Amazon Server component fails to provision

Problem: Provision fails with Amazon Server component.

123

Symptoms A topology design containing an Amazon Server

component fails to provision.

Primary software component Topology Design

Failure message The service instance status of the design is shown

as "Failed."

Probable cause Incorrect configuration of the Amazon provider

and/or the Amazon Server component in your

design.

Solution

From the HPE CSA Cloud Service Management Console, click the tile and check theProviders

configuration of the Amazon AWS resource provider.

When saving the provider, any validation warnings that are displayed that may indicate a problem

connecting to the provider and may require additional proxy configuration. To configure a proxy in

CSA, see the Configure a Proxy for Resource Providers Outside the Internal Network section

of the .Configuration Guide

Check the values of the properties of the Amazon Server component in your design. Important

properties to consider are "keyName", "amiId", and "availabilityZone".

Descriptions of these properties can be found by selecting the Amazon Server component in the

Designs / Topology / Components area of the Cloud Service Management Console.

CSA 4.7 - Cannot execute a test run of a topology design

Problem: Cannot execute a test run of a topology design.

Attribute Description

Symptoms A topology design cannot be published.

Primary software component Topology Design

Failure message

"Parameter serviceUrl cannot be null or empty.

Must provide a valid service URL."

A message informing the user about a missing

certificate.

Probable cause

HPE CSA is not configured with HPE OO

server information (most likely a result of not

having selected an embedded OO during CSA

install).

The HPE OO certificate is missing.

Solution 1

124

For HPE CSA:

On your HPE CSA server, find the file that is located at "csa.properties

", and checkCSA_HOME\jboss-as\standalone\deployments\csa.war\WEB-INF\classes

if it contains the following properties:

OOS_URL=

OOS_USERNAME=

OOS_PASSWORD=

Specify correct values for the properties according to the HPE OO server present in your

environment.

Solution 2

Import the HPE OO server certificate to the Java keystore used for HPE CSA by following the Configure

section of the .a Secure Connection between CSA and Operations Orchestration Configuration Guide

CSA 4.7 - vCenter Server component fails to provision

Problem: Cannot provision vCenter Server component.

Symptoms A topology design containing a vCenter Server

component fails to provision.

Primary software component Topology Design component

Failure message The service instance status of the design is shown

as "Failed."

Probable cause Incorrect configuration of the VMware vCenter

provider and/or the vCenter Server component in

your design.

Solution

From the HPE CSA Cloud Service Management Console, click the tile and check theProviders

configuration of the VMware vCenter resource provider.

When saving the provider, if any validation warnings are displayed that may indicate a problem

connecting to the provider.

Confirm that the DATACENTERNAME property of the provider is properly configured.

Check the values of the properties of the vCenter Server component in your design. Important

properties to check include "vmTemplateReference" and "customizationSpec."

Licensing for CSA

This section contains the following topics:

Relevant message not displayed to user when expired emergency license is re-installed

125

User unable to install license on cluster mode

HPE Helion Codar Licensing UI issue

Relevant message not displayed to user when expired emergency license is re-installed

Problem: Relevant message is not displayed to the user when an expired emergency license is

re-installed.

Symptoms Relevant message is not displayed to the user

when an expired emergency license is re-installed.

Primary software component Licensing

Failure message An error has occurred; Licensing error.

Probable cause This error will occur when an emergency license is

re-installed after the expiry period of 15 days.

Solution

An emergency license has a validity of 15 days only. If you need an emergency license after the expiry

period, get a new license.

User unable to install license on cluster mode

Problem: User is not able to install a license in cluster mode

Symptoms Adding a license fails with "Licensing error" in

cluster mode.

Primary software component Licensing

Failure message An error has occurred ; Licensing error.

Probable cause The csa.provider.ip attribute is missing a valid IP in

csa.properties, or a generated license does not

match the IP in the attribute.

Solution

Check the cluster IP address that is set for the csa.provider.ip attribute in the csa.properties file.

Add the valid cluster IP details to the csa.provider.ip attribute and get the license key from HPE for

the specified IP.

HPE Helion Codar Licensing UI issue

If the attribute is not set, licensing will fall back to "Unlicensing mode."

126

Problem: HPE Helion Codar Licensing UI Issue with Chrome.

Symptoms While on organization tab, open licensing UI.

Primary software component Licensing

Failure message License window overlap with Organization window.

Probable cause Chrome Browser Version

Solution

Upgrade to the latest version of Chrome. Chrome Version 31 and above are supported.

CSA 4.6 - Windows signature checking reports that the key is not certified with a trusted

signature

Problem: Performing a signature check on the downloaded installer bits on Windows is not well documented and can

result in multiple problems.

Symptoms The gpg2 tool used to validate the .sig file is not a

standard Windows application.

Primary software component gpg2.exe used during the download validation

process.

Failure message C:\> gpg2.exe

'gpg2.exe' is not recognized as an internal or

external command, operable program, or batch file.

Probable cause https://www.gpg4win.org/download.html

To validate a signature, the binary for gpg2 needs

to be downloaded and verified from a well-known

source.

Symptoms When checking the signature, the validation tool

fails to verify the signature with the downloaded

bits.

Primary software component gpg2.exe, setup.zip, setup.zip.sig

Failure message C:\Users\Administrator\Downloads>\Gnu\GnuPG\gpg2.exe

--verify setup.zip.sig setup.zip

gpg: Signature made 01/11/16 09:27:51 Mountain

Standard Time using RSA key ID B564A643

gpg: Can't check signature: No public key

127

Probable cause The user has not installed the public keys needed

for signature validation. The codesigning keys

need to be downloaded from:

https://ftp.hp.com/pub/keys/HP-GPG-Public-Keys.tar.gz

Unpack the file into a temporary directory

Imported the file into gpg2: gpg2.exe --import

HP-GPG-Public-Keys/*.pub

Symptoms The gpg2 tool indicates that the key is not certified

with a trusted provider.

Primary software component gpg2.exe, setup.zip, setup.zip.sig

Failure message C:\Users\Administrator\Downloads>\Gnu\GnuPG\gpg2.exe

--verify setup.zip.sig setup.zip

gpg: Signature made 01/11/16 09:27:51 Mountain

Standard Time using RSA key ID B564A643

gpg: Good signature from "Hewlett-Packard

Company RSA (HP Codesigning Service) - 2"

[unknown]

gpg: WARNING: This key is not certified with a

trusted signature!

gpg: There is no indication that the signature

belongs to the owner.

Primary key fingerprint: F8CD CA0C BFEB E7A9

EFD8 540C D527 0404 B564 A643

Probable cause The CA certificate used by HPE is not a trusted CA

certificate.

Solution

Get the gpg2 tool from a known binary for Windows.

Install the most recent public keys for HPE signing by importing them into gpg2.

Be aware that when you execute the signature check command on Windows, you will see a

warning that indicates the HPE Codesigning key is not a trusted key with an known CA backing it.

You need to:

Validate the signature of the zip using gpg2 (the message returned did not change regardless of

the system time).

Install the product.

Run the product.

128

Validate the signatures on the few jars we sign.

To do this on Windows, perform the following steps:

Download gpg4win from:

https://www.gpg4win.org/download.html

(Suggested) Use the following document to help finish the task:

https://h30670.www3.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning2

Download:

https://ftp.hp.com/pub/keys/HP-GPG-Public-Keys.tar.gz

Imported the unpacked keys using:

gpg2 –import *.pub

Run the following:

C:\>\gpg2.exe --verify setup.zip.sig setup.zip

gpg: Signature made 01/11/16 09:27:51 Mountain Standard Time using RSA key ID B564A643

gpg: Good signature from "Hewlett-Packard Company RSA (HP Codesigning Service) - 2"

[unknown]

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to the owner.

Primary key fingerprint: F8CD CA0C BFEB E7A9 EFD8 540C D527 0404 B564 A643

MPP/SMC login page shows error instead of login prompt when SAML is configured

Problem: MPP/SMC login page shows error instead of login prompt when SAML is configured.

Symptoms MPP/SMC login page shows error instead of login

prompt when SAML is configured

Primary software component CSA

Failure message IDP login page will show error message instead of

the login screen

Probable cause Time is not synchronised between IDP and

IDM(CSA)

Solution

Synchronise the time between IDP and IDM server

Featured Category Drop list is empty for newly created organization

Problem: Featured Category Drop list is empty for newly created organization

Symptoms Featured category drop list is empty for newly

created organization

129

Primary software component HPE Cloud Service Management Console

Failure message No error message, the drop down list will be empty

Probable cause The organization synchronization is not complete

after a new organization is created in IDM tables.

Once the synchronization is completed, the

catalogs and featured category list will appear.

Solution

The Drop down list will list out the entries after 30 seconds.

Installer related issues

CipherTextNotValidException at ExportContentBkServiceImpl step in csa.log file during fresh install or

upgrade time for 2nd node (non primary node) of HA

Problem: CipherTextNotValidException at ExportContentBkServiceImpl step in csa.log file for 2nd node (non primary node) of HA

Symptoms csa.log file shows

com.hp.shared.dataprotection.CipherTextNotValidException

related exceptions for ExportContentBkServiceImpl

step in non primary nodes (2nd, 3rd ... nodes)

Primary software component csa.log file

Failure message [pool-21-thread-9] ERROR []

ExportContentBkServiceImpl : ======== Export of

content Event ======= Error ======

com.hp.shared.dataprotection.CipherTextNotValidException

Probable cause Fresh install or upgrade of CSA from 4.8 patch1 to

4.92 will convert confidential data from CSA

filesystem and DB in strong 128 bit encryption

mode. But during install/upgrade service start time

on 2nd node, jboss service tries to update Elastic

Search Cache before migrating from legacy (56 bit

DES key) to Strong (128 bit AES) encryption.

Since 2nd node filesystem is in legacy mode and

DB content is in strong mode, CSA will not be able

to decrypt DB passwords causing

CipherTextNotValidException in csa.log file.

Solution

This error can be ignored. Installer will convert CSA filesystem to strong encryption mode at later stage of

installation and restart jboss once again. Hence Elastic Search cache will get updated properly during

second time service restart and we dont see this exception hence forth.

130

Installation of CSA 4.92 will fail for Oracle Database if prerequisites are missed

Problem: Installation of CSA 4.92 will fail for Oracle Database if prerequisites are missed

Symptoms Installation will fail with permission error

Primary software component hpcloud-idm-service.log

Failure message permission related error messages will be be seen

in the install log

Probable cause Fresh and upgrade installation with Oracle DB will

need additional permission to be set for the

idmuser.

grant create any procedure to idmuser;

grant execute any procedure to idmuser;

If you miss to give the above permission,

installation will fail and will create an entry in the

IDM table "schema_version" setting the "success"

value to 0. We will have to delete this entry from

the table, without which all subsequent installation

attempts will fail

Solution

1) Execute the below query on the IDM database.

DELETE FROM “schema_version” where “success”=0

2) Ensure that idmuser is having create and execute permission and invoke the installer.

grant create any procedure to idmuser;

grant execute any procedure to idmuser;