HOW to fix a HMAC error:
An HMAC error is the result of multiple Tivoli endpoints sharing the same IP address in the
Endpoint Manager database.
You will see in the SD4 Tivoli log the error:
Operation unsuccessful.
decrypt_data: HMAC does not match encrypted data!
If you do a wadminep <endpointlabel> view_version you will see:
decrypt_data: HMAC does not match encrypted data!
To Fix:
First, verify that the Endpoint Manager has the current IP address for the hostname that is
giving you an HMAC error.
Ping the hostname and get its IP address.
Reply from 171.184.104.36: bytes=32 time<1ms TTL=128
Next, ping the IP address with the -a switch to resolve the fully qualified DNS name.
Example:
C:>ping -a 171.184.104.36
Fully qualified DNS name Pinging B00028A30BAC6.nc.bankofamerica.com [171.184.104.36] with 32 bytes of
data:
Reply from 171.184.104.36: bytes=32 time<1ms TTL=128
Reply from 171.184.104.36: bytes=32 time<1ms TTL=128
Reply from 171.184.104.36: bytes=32 time<1ms TTL=128
Reply from 171.184.104.36: bytes=32 time<1ms TTL=128
Verify that the fully qualified DNS name matches the endpoint that you pinged
earlier.
Now open a telnet session to the HUB or the regional TMR in which the EP lives.
Wep the endpoint label and note the IP address:
{rtxtmr03:cdi}/tmp> wep B00028A30BAC6
object 1027514829.74851.517+#TMF_Endpoint::Endpoint#
label B00028A30BAC6
version 106
id 99X401896T965690001818419200
gateway 1027514829.27863.21
pref_gateway 1027514829.27863.21
netload 131072
interp w32-ix86
login_mode desktop, variable
protocol TCPIP
Here is the IP Address that EP MGR shows-> address 171.184.104.36+9495
mac address (WOL) 00:07:40:79:7a:10
subnet mask (WOL) 255.255.255.0
policy 1027514829.1.10367
httpd tivoli:3>}svKuU
alias OBJECT_NIL
crypt_mode NONE
upgrade_mode enable
last_login_time 2004/03/17-19:38:34
last_migration_time 2004/03/17-15:19:11
last_method_time 2004/03/17-21:27:50
{rtxtmr03:cdi}/tmp>
Verify that the IP address that Endpoint Manager has corresponds with what you received
in the ping.
If the IP address in EP MGR does NOT match the address you receive from a ping, stop
and start the endpoint of the host that is giving you an HMAC. This should refresh the
EP manager data. If this does not fix it, please escalate to a SWAT team member.
If the IP address in EP manager and the IP address from the ping are the same, then as far
as Tivoli knows there is another machine out there with the same IP address.
You will need to find out which devices share the IP address in the Endpoint Manager DB.
There are two ways to do this; I would do both.
Process 1 for finding machines that share an IP address in EP manager DB:
Telnet to the Hub and run: epschk -n -e <hostname>
B0010A482311E
--------------
Matching label B0010A482311E#rvad09.reg.pr found for B0010A482311E
B0010A482311E#rvad09.reg.pr oid is 1197421919.19127.517
B0010A482311E#rvad09.reg.pr version is 106
B0010A482311E#rvad09.reg.pr is currently on gateway crpatltwg03
B0010A482311E#rvad09.reg.pr has a preferred gateway crpatltwg03
B0010A482311E#rvad09.reg.pr is currently managed from rvatmr09
B0010A482311E#rvad09.reg.pr is currently reporting an IP of 171.133.228.107 and a port of 9495
Ping replies received from 171.133.228.107
B0010A482311E#rvad09.reg.pr is currently failing a view version with : HMAC
B0010A482311E#rvad09.reg.pr is not really at 171.133.228.107 but B00D059CA87C0 with a matching
hostname is. Not a true HMAC.
B0010A482311E#rvad09.reg.pr had a last login time of 2004/02/09-16:08:11
Notice that the view version fails with: HMAC
The next line tells you the device that shares that IP address in Endpoint manager.
Process 2 for finding machines that share an IP address in EP manager DB
Telnet to the regional TMR that the HMAC endpoint lives on.
Run:
cat /nb_tools/node1/tivoli/Current/Custom/scripts/data/epinfo_full.dat |grep <IPaddress>
Example:
{rvatmr06:cdi}/tmp> cat /nb_tools/node1/tivoli/Current/Custom/scripts/data/epinfo_full.dat |grep 171.184.104.35
The output of this command will tell you all devices that have attempted to log in with the
IP address given.
Now that we have discovered the machines that share an IP address in Tivoli, it is time to
resolve the problem.
To resolve this problem, ping both devices to verify that they are on.
Look at the output of the ping commands and note which one is wrong in the EP MGR DB.
Connect to that device and stop and start the service.
If stopping and starting the service does not resolve the problem, you may need to
delete the endpoint that has the incorrect IP in EP MGR and bring it back into magi. For
documentation on how to do this, see the Delete_refresh_Endpoint.doc.
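
Added example (not part of the original procedure or of any Tivoli tooling): a shell sketch of the two checks above, run over saved wep output instead of by eye. It assumes each saved record contains "label <name>" and "address <ip>+<port>" lines as in the wep listing above; the function names and the sample records (labels EP-AAA etc., 192.0.2.x addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: works on saved `wep <label>` output, not on a live TMR.
# Assumes "label <name>" and "address <ip>+<port>" lines per record.

# Print "<ip> <label> <label> ..." for every IP held by more than one label.
find_shared_ips() {
    awk '
        $1 == "label"   { label = $2 }
        $1 == "address" {
            ip = $2
            sub(/\+.*/, "", ip)          # drop the "+<port>" suffix
            if (label != "") {
                owners[ip] = owners[ip] " " label
                count[ip]++
            }
            label = ""
        }
        END { for (ip in count) if (count[ip] > 1) print ip owners[ip] }
    ' | sort
}

# Return 0 if the first record on stdin holds the expected IP (the one
# obtained from ping), 1 otherwise.
ep_ip_matches() {
    expected=$1
    recorded=$(awk '$1 == "address" { ip = $2; sub(/\+.*/, "", ip); print ip; exit }')
    [ "$recorded" = "$expected" ]
}

# Constructed sample: three endpoint records, two sharing 192.0.2.36.
sample_records() {
    cat <<'EOF'
label EP-AAA
protocol TCPIP
address 192.0.2.36+9495
mac address (WOL) 00:00:5e:00:53:01
label EP-BBB
protocol TCPIP
address 192.0.2.36+9495
label EP-CCC
protocol TCPIP
address 192.0.2.40+9495
EOF
}

sample_records | find_shared_ips
```

The "mac address (WOL)" line is skipped because only lines whose first field is "address" are read.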
