Quick Post – Check Linux Certificate Issued by SCOM

I assume you have already deployed SCOM and you are monitoring Linux or another kind of UNIX derivate. If you are new to cross platform monitoring I recommend my older blog posts in the Xplat category .

SCOM uses certificates to communicate with the Linux/UNIX agent. These certificates are signed by a randomly chosen management servers in the Resource Pool which you are using to deploy an agent to the Linux/UNIX server. Because ANY of the management servers in the same Resource Pool will be picked to sign the certificate you need to export / import the certificate from each management server in a mesh order. For example you have three management server MS01, MS02 and MS03. You need to export the certificate from MS01 and import it into MS02 and MS03. The same you need to do for the certificate from MS02 which you will need to export and import into MS01 and MS03 and repeat this procedure for the last certificate from MS03 in a similar way. How you can do that check this post here using scxcertconfig.exe.

The following steps occur after you ran the Linux/UNIX discovery wizard in SCOM and right after you click Manage on the last page of the wizard…

Deployment
The Discovery Wizard copies the agent package to the UNIX-based or Linux-based computer and then starts the installation process.

Certificate Signing
Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

Discovery
The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.

Cool, but wouldn’t it be great we could check the certificate on the Linux/UNIX server to see which management server signed (issued) the certificate and what the subject name is e.g. for troubleshooting purposes?

Well, for that case use the very powerful openssl command which is installed on most Linux/UNIX platforms….

Linux
openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer –dates

Solaris
/usr/sfw/bin/openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates

If you run the command for example on SUSE Linux you will see this output…

image

This tells you that the subject name on the certificate is Linux02.bigfirm.com and the issuer / management server who signed the certificate is MS02. You also notice the certificate date when it will expire.

Note: The command uses the scx.pem which is actually a “link” to the physical certificate on the machine. Because of that we can run the command on any machine without changing the its syntax…

image

Have fun :)…

1 Comment

  1. Would it be possible to use a universal domain certificate (*.domain.com) and overwrite the certificate on the linux machine ?
    After that, running the discovery to sign the universal certificate by the MS. And using this certificate on all linux machine.

    It would be more simple than exporting/importing each certificate of each linux machine on the differents MS.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s