Visitor
RobinT
Posts: 5
Registered: ‎02-05-2009
0
Accepted Solution

NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hello,

 

I just got a new NSM appliance and upgraded it from 2007.3r1 to 2008.2r1 and have it talking to the Windows UI piece.  However, the Windows UI reports the Device Server as down while the server reports it as up (/etc/init.d/devSvr status returns all OK).   I've done a lot of reading about deleting the RSA keys from devSvr.cfg or using the .xdbViewEdit.sh script to fix mismatched keys.  However, in our case, in the /var/netscreen/DevSvr/errorLog/device.Daemon.0 file I have line after line of:

 

[Error] [1123680-soCfgFile.c:142]  "ourRsaPrivateKey" is missing in /use/netscreen/DevSvr/var/devSvr.cfg!

 

I've got no keys to delete anywhere.  Most of the things I've read imply that deleting the keys causes new keys to be generated, but that doesn't seem to work.  I've put in a blank value with the ourRsaPrivateKey line in the cfg file, restarted the devSvr, rebooted the box, etc., etc. and it won't generate keys.

 

Any ideas would be greatly appreciated.  Thanks. 
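
As an added example (not part of the original post and not Juniper tooling): a small shell helper that collapses the "line after line" of repeated errors into one row per missing key and config file, which also shows which path the daemon itself reports. The line layout is assumed from the single error line quoted above; the function names and the sample log are constructed.

```shell
#!/bin/sh
# Added example, not NSM tooling. Assumed log layout, taken from the one
# error line quoted in the post:
#   [Error] [<id>-<src>:<line>]  "<key>" is missing in <path>!

# missing_cfg_keys LOGFILE
# Prints one "count key path" row per distinct (key, config file) pair.
# Lines that do not match the assumed layout are ignored.
missing_cfg_keys() {
    sed -n 's/^\[Error\] \[[^]]*\] *"\([^"]*\)" is missing in \(.*\)![[:space:]]*$/\1 \2/p' "$1" |
        sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# sample_log: constructed input. The error line is the one from the post,
# repeated; the [Info] line is made up to show that other lines are skipped.
sample_log() {
    cat <<'EOF'
[Error] [1123680-soCfgFile.c:142]  "ourRsaPrivateKey" is missing in /use/netscreen/DevSvr/var/devSvr.cfg!
[Info] constructed unrelated line
[Error] [1123680-soCfgFile.c:142]  "ourRsaPrivateKey" is missing in /use/netscreen/DevSvr/var/devSvr.cfg!
[Error] [1123680-soCfgFile.c:142]  "ourRsaPrivateKey" is missing in /use/netscreen/DevSvr/var/devSvr.cfg!
EOF
}

# Stand-alone demo on the constructed sample.
log=$(mktemp) && sample_log > "$log" && missing_cfg_keys "$log"
rm -f "$log"
```

On a real system, pass the daemon log path instead of the sample file and compare the reported config path with the file you have been editing.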

Recognized Expert
CB
Posts: 159
Registered: ‎05-09-2008
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hi Robin,

 

If you remove your empty entries and restart the devSvr service (/etc/init.d/devSvr restart), it should generate and repopulate them in the devSvr.cfg file.

 

Kind regards

 

Colin

If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
Visitor
RobinT
Posts: 5
Registered: ‎02-05-2009
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hi Colin,

 

I've removed the empty entry from the devSvr.cfg file, but where else should I look?   I've used xdbViewEdit to check for keys via Option 7 and then looking in 0.server.0 and 0.server.1 and there are no RSA key fields to remove.   I've checked that the one-time passwords match and everything else I could think of.   Should I just delete the entire server record for the devSvr?

 

Robin 

Recognized Expert
CB
Posts: 159
Registered: ‎05-09-2008
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hi Robin,

 

Yip, from .xdbViewEdit.sh option 7 (in read-write mode; the guiSvr will have to be stopped),

then 0.shadow_server.1, and you will see the old RSA keys listed there also. Just remove (using dd) the entire RSA key lines, then write and quit.

Delete the devSvr RSA keys from the devSvr.cfg file also (/var/netscreen/DevSvr/devSvr.cfg) and restart the services.

 

Kind regards

 

Colin

Visitor
RobinT
Posts: 5
Registered: ‎02-05-2009
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hi Colin,

 

No can do...  There are no RSA keys in the 0.shadow_server.1 entry, just like there never were any in the devSvr.cfg file.  My entire 0.shadow_server.1 file consists of:

 

(server_1

    :type (devSvr)

    :clientOneTimePassword (dk2003ns)

 

I think I may need a re-install.   The only other thing that I've noticed is that I hunted down a file based on a release note.  It mentions deleting keys from shadow_server__table.nml, but I have a file called shadow_server_table_STANDALONE.nml.      I'm beginning to suspect I messed up my upgrade.

 

Robin 

Recognized Expert
CB
Posts: 159
Registered: ‎05-09-2008
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hey Robin,

 

Well, if you are going to reinstall, check the folder /var/netscreen/installerBackup

 

this should contain backups of the dev and gui server.

 

Also you could tar up the /var/netscreen/GuiSvr/xdb so that you can restore the config database after reinstalling.

 

Either way, I would recommend that you make a backup of your current /var/netscreen folders or move them elsewhere on the filesystem so that you can recover the databases after reinstall.

 

Kind regards

 

Colin

Recognized Expert
CN
Posts: 316
Registered: ‎10-28-2008
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Robin,

 

There are a few more checks that can be performed.

 

1. Make sure that the one-time password in the /usr/netscreen/DevSvr/var/devSvr.cfg is the same as what is there in your GUI Server. In your case, it is dk2003ns on the Device Server.

 

To verify that on the GUI Server, you can start xdbViewEdit.sh in read-only mode, select 7 and select 0.shadow_server.1

 

2. In the devSvr.cfg, make sure that the IP address of the GUI Server is defined correctly.

 

3. I am assuming that this is an install with the GUI Server and Device Server being installed on 2 different systems. In such a case, if the Dev Server is started before it is added on the GUI server, we have seen this happen. Unfortunately, in such a situation, you will need to reinstall the Device Server and not start it up until it is added through the GUI on the GUI server.

 

Hope this helps.

 

Thanks,
Chandra

Visitor
RobinT
Posts: 5
Registered: ‎02-05-2009
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hi Chandra,

 

1.  I've checked the passwords and they are the same.

 

2.  In /var/netscreen/DevSvr/devSvr.cfg the IP address of the GUI server is correct because...

 

3.  The GUI server and the Dev server are on the same box.  It's a Juniper NSMXpress appliance.

 

I'm going to try re-installing the Dev server and see if that helps, otherwise I'm not sure what to do.

 

Thanks,

Robin

Visitor
RobinT
Posts: 5
Registered: ‎02-05-2009
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys


Fixed it.  For anybody interested I reinstalled the servers with:

 

# cd /var/install

# sh ./nsm2008.2r1_servers_linux_x86.sh

 

answered all the questions, explicitly entered "dk2003ns" for GUI server one-time pass and chose NO for "Start servers at end of install".  Then:

 

# /etc/init.d/guiSvr start

 

Waited for that to initialize and then connected to the NSM server using the 'super' user from my Windows box.  Confirmed that the Gui server was up and the Dev server down.  Then back to the NSM box and

 

# /etc/init.d/devSvr start

 

and...  success.   It came up and changed status in the Windows UI and looks good so far.    The /var/netscreen/DevSvr/devSvr.cfg file has the RSA keys in it now.

 

Thanks to Colin and Chandra for their suggestions.  

Robin

Message Edited by RobinT on 02-05-2009 07:15 PM
Message Edited by RobinT on 02-05-2009 07:16 PM
Recognized Expert
CN
Posts: 316
Registered: ‎10-28-2008
0

Re: NSMXpress 2008.2r1 No devSVR.cfg RSA keys

Hi Robin,

 

It's interesting that, with all these values being correct, the problem still exists. One thought that I had was probably to look at the permissions of the files, just to make sure they are owned by NSM (guiSvr.cfg & devSvr.cfg).

 

Since it's a new install, you can restore the NSMXpress back to factory defaults. This can be done by using the details in the link

 

KB10372 

 

Thanks,

Chandra 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.