Host Intrusion Detection System Administrator's Guide Release 3.0

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

251

252

253

254

255

256

257

258

259

260

Troubleshooting

Appendix G

245

Enter command>>ping

Wed Nov 24 20:53:23 2004: libcomm: pid=14582

thread_id=1:open_connection: Handshake error (ssl_err=1,ret=0) as client

1:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad

certificate:s3_pkt.c:1052:SSL alert number 42 Wed Nov 24 20:53:23 2004:

libcomm: pid=14582 thread_id=1: write_msg: error opening connection to

remote host, errno=607:Error during SSL handshake.

Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1: write_msg:

Returning failure, errno=607:Error during SSL handshake Wed Nov 24

20:53:23 2004: libcomm: pid=14582 thread_id=1:

comm_write_msg: Error writing message, errno==607:Error during SSL

handshake

Use IDS_checkAgentCert to get the validity duration of the agent certiﬁcate, and

compare it with the system time of the agent host. If the certiﬁcate is not yet valid on the

agent host, either adjust the system time of the agent host, or wait until the certiﬁcate

becomes valid.

IDS_checkInstall fails with a kmtune error

IDS_checkInstall reports that a kmtune ﬁle write operation fails and the idds driver is

not conﬁgured:

# /opt/ids/bin/IDS_checkInstall

kmtune: Cannot write file -- /stand/.kmsystune_lock

WARNING: The idds driver is not configured into the kernel.

❏ If patch PHCO_24112 is installed on your system, you need to apply patch

PHCO_25342 for HP-UX 11.0 and PHCO_25429 for HP-UX 11i.

❏ If patch PHCO_24112 is not installed on your system, please contact HP Support.

IDS_genAdminKeys or IDS_genAgentCerts does not complete

successfully

❏ The normal completion is shown in the steps in “Setting Up the HP-UX HIDS Secure

Communications” on page 20.

❏ Check the messages in the error log ﬁle /var/opt/ids/certs.log for correctable

errors.

❏ Contact HP Support.

IDS_genAdminKeys or idsgui quits early

On occasion, apparently due to a swlist timeout, the IDS_genAdminKeys and idsgui

commands may quit early. (The swlist command is used to verify that the correct

version of Java is available.)

❏ The IDS_genAdminKeys command may quit before it ﬁnishes making the keys. The

symptom is that the ﬁnal banner is not displayed. The banner is shown in Chapter 2,

“Conﬁguration,” on page 17.

❏ The idsgui command may quit before it launches the System Manager. The

symptom is that the prompt returns and the following message is not displayed.