SHIFT

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


Sidebar

Recently Changed Pages:

View All Pages


View All Tags


LinkedIn




WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.


Pages with comments

View All Comments

solrhscomagentinstall

SCOM Agent Installation on Red Hat and Solaris

Even though the SCOM installation can be done automatically from the SCOM management consoles we experienced a few issue which I wanted to address. We got a few errors and I got some commands I want to share.

Usefull Commands

Solaris SCOM Commands

If you want to reinstall the SCOM agent use these commands:

solhost:~# pkginfo | grep scx
system      MSFTscx                          Microsoft System Center 2012 Operations Manager for UNIX/Linux agent

solhost:~# pkgrm MSFTscx

The following package is currently installed:
   MSFTscx  Microsoft System Center 2012 Operations Manager for UNIX/Linux agent
            (x86) 1.4.1-292

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <MSFTscx>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <MSFTscx> dependencies in global zone
## Processing package information.
## Executing preremove script.
/var/sadm/pkg/MSFTscx/install/preremove: /etc/opt/microsoft/scx/conf/sudodir: does not exist
## Removing pathnames in class <config>
........
/etc/opt/microsoft/scx/ssl <non-empty directory not removed>
/etc/opt/microsoft/scx/conf/installinfo.txt
/etc/opt/microsoft/scx/conf <non-empty directory not removed>
/etc/opt/microsoft/scx <non-empty directory not removed>
/etc/opt/microsoft <non-empty directory not removed>
## Executing postremove script.
## Updating system information.

Now you need to remove the old certificates in the /etc/opt/microsoft/scx/ssl directory. You can remove everything under {{{/etc/opt/microsoft:

solhost:/etc/opt# rm -rf microsoft/

After the installation you can check if the service is running like this:

solhost:/$ svcs scx-cimd
STATE          STIME    FMRI
online         Apr_16   svc:/application/management/scx-cimd:default

If it is not running you can start it with:

solhost:/$ sudo svcadm restart scx-cimd

Red Hat SCOM Commands

On Red Hat you can use the normal rpm or yum commands to uninstall the software. The rpm command is:

rpm –e scx

Fix: Certificate Error

On Solaris we had this error for quite a while, the installation failed on verifying the certificates:

Certificate Errors/Certificate Signing Errors
 Signed certificate verification operation was not successful
Error Description
Agent verification failed. Error detail: The server certificate on the destination computer (lx1.contoso.com:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.    
It is possible that:
   1. The destination certificate is signed by another certificate authority not trusted by the management server.
   2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: lx1.contoso.com.
   3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.
Possible Causes

 * The agent certificate’s CN value does not match the provided or resolved Fully-Qualified Domain name

Resolutions
 
 * For certificate CN failures, confirm that that agent host’s hostname and domain name match the Fully-Qualified Domain Name resolved through DNS.  More information can be found here. 

It finally came down to the host name. The certificate had the FQDN hostname in it, while the actual hostname was the short version. The fix is easy, during the installation of the SCOM agent temporarily change the host name to the FQDN name, and change it back afterwards. We did this in production without donwtime or problems:

Changing the hostname is done using the hostname command:

hostname

hostname solarisbox.getshifting.com

hostname solarisbox
  • Hostname
    • Will show you the current hostname
  • hostname solarisbox.getshifting.com
    • Will change the hostname to the fully qualified domain name
  • hostname solarisbox
    • Will change the hostname back to the short name

Checking the Certificate

You can check the certificate by converting the certificate by using the openssl command openssl x509 -in certificate.crt -text -noout. However, this command is not always available. I printed out the certificate using cat:

sjoerd@solarisbox:/etc/opt/microsoft/scx/ssl$ cat scx-host-solarisbox.getshifting.com.pem
"
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXX==
-----END CERTIFICATE-----

"

And enter the information that is between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- on this website and it will display the hostname information.

Note that I've seen the mentioned to not work with Internet Explorer. If you experience any issue please use Firefox.
You could leave a comment if you were logged in.
solrhscomagentinstall.txt · Last modified: 2021/09/24 00:25 (external edit)