SHIFT

--- Sjoerd Hooft's InFormation Technology ---

solrhscomagentinstall
Differences

This shows you the differences between two versions of the page.

solrhscomagentinstall [2014/04/23 16:20] (current)
sjoerd created
Line 1: Line 1:
 += SCOM Agent Installation on Red Hat and Solaris =
 +Even though the SCOM installation can be done automatically from the SCOM management consoles we experienced a few issue which I wanted to address. We got a few errors and I got some commands I want to share. ​
  
 += Usefull Commands =
 +
 +== Solaris SCOM Commands ==
 +If you want to reinstall the SCOM agent use these commands:
 +
 +<​code>​
 +solhost:~# pkginfo | grep scx
 +system ​     MSFTscx ​                         Microsoft System Center 2012 Operations Manager for UNIX/Linux agent
 +
 +solhost:~# pkgrm MSFTscx
 +
 +The following package is currently installed:
 +   ​MSFTscx ​ Microsoft System Center 2012 Operations Manager for UNIX/Linux agent
 +            (x86) 1.4.1-292
 +
 +Do you want to remove this package? [y,n,?,q] y
 +
 +## Removing installed package instance <​MSFTscx>​
 +
 +This package contains scripts which will be executed with super-user
 +permission during the process of removing this package.
 +
 +Do you want to continue with the removal of this package [y,n,?,q] y
 +## Verifying package <​MSFTscx>​ dependencies in global zone
 +## Processing package information.
 +## Executing preremove script.
 +/​var/​sadm/​pkg/​MSFTscx/​install/​preremove:​ /​etc/​opt/​microsoft/​scx/​conf/​sudodir:​ does not exist
 +## Removing pathnames in class <​config>​
 +........
 +/​etc/​opt/​microsoft/​scx/​ssl <​non-empty directory not removed>
 +/​etc/​opt/​microsoft/​scx/​conf/​installinfo.txt
 +/​etc/​opt/​microsoft/​scx/​conf <​non-empty directory not removed>
 +/​etc/​opt/​microsoft/​scx <​non-empty directory not removed>
 +/​etc/​opt/​microsoft <​non-empty directory not removed>
 +## Executing postremove script.
 +## Updating system information.
 +</​code>​
 +
 +Now you need to remove the old certificates in the {{{/​etc/​opt/​microsoft/​scx/​ssl}}} directory. You can remove everything under {{{{{{/​etc/​opt/​microsoft}}}:​
 +<​code>​
 +solhost:/​etc/​opt#​ rm -rf microsoft/
 +</​code>​
 +
 +After the installation you can check if the service is running like this:
 +<​code>​
 +solhost:/$ svcs scx-cimd
 +STATE          STIME    FMRI
 +online ​        ​Apr_16 ​  ​svc:/​application/​management/​scx-cimd:​default
 +</​code>​
 +
 +If it is not running you can start it with:
 +<​code>​
 +solhost:/$ sudo svcadm restart scx-cimd
 +</​code>​
 +
 +== Red Hat SCOM Commands ==
 +On Red Hat you can use the normal rpm or [[redhatsoftware|yum]] commands to uninstall the software. The rpm command is:
 +<​code>​
 +rpm –e scx
 +</​code>​
 +
 += Fix: Certificate Error =
 +On Solaris we had this error for quite a while, the installation failed on verifying the certificates:​
 +<​code>​
 +Certificate Errors/​Certificate Signing Errors
 + ​Signed certificate verification operation was not successful
 +Error Description
 +Agent verification failed. Error detail: The server certificate on the destination computer (lx1.contoso.com:​1270) has the following errors:
 +The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable. ​   ​
 +The SSL certificate contains a common name (CN) that does not match the hostname. ​   ​
 +It is possible that:
 +   1. The destination certificate is signed by another certificate authority not trusted by the management server.
 +   2. The destination has an invalid certificate,​ e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection. ​ The FQDN used for the connection is: lx1.contoso.com.
 +   3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.
 +Possible Causes
 +
 + * The agent certificate’s CN value does not match the provided or resolved Fully-Qualified Domain name
 +
 +Resolutions
 + 
 + * For certificate CN failures, confirm that that agent host’s hostname and domain name match the Fully-Qualified Domain Name resolved through DNS.  More information can be found here. 
 +</​code>​
 +
 +It finally came down to the host name. The certificate had the FQDN hostname in it, while the actual hostname was the short version. The fix is easy, during the installation of the SCOM agent temporarily change the host name to the FQDN name, and change it back afterwards. We did this in production without donwtime or problems:
 +
 +Changing the hostname is done using the hostname command:
 +<​code>​
 +hostname
 +
 +hostname solarisbox.getshifting.com
 +
 +hostname solarisbox
 +</​code>​
 +
 +* Hostname
 +** Will show you the current hostname
 +* hostname solarisbox.getshifting.com
 +** Will change the hostname to the fully qualified domain name
 +* hostname solarisbox
 +** Will change the hostname back to the short name
 +
 +== Checking the Certificate ==
 +You can check the certificate by converting the certificate by using the openssl command {{{openssl x509 -in certificate.crt -text -noout}}}. However, this command is not always available. I printed out the certificate using cat:
 +<​code>​
 +sjoerd@solarisbox:/​etc/​opt/​microsoft/​scx/​ssl$ cat scx-host-solarisbox.getshifting.com.pem
 +"
 +-----BEGIN CERTIFICATE-----
 +XXXXXXXXXXXXXXXXXX==
 +-----END CERTIFICATE-----
 +
 +"
 +</​code>​
 +And enter the information that is between {{{-----BEGIN CERTIFICATE-----}}} and {{{-----END CERTIFICATE-----}}} on [[https://​www.sslshopper.com/​certificate-decoder.html|this website]] and it will display the hostname information. ​
 +
 +> Note that I've seen the mentioned to not work with Internet Explorer. If you experience any issue please use Firefox. ​
 +
 +
 +{{tag>​redhat linux solaris}}
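
Review bot: The Red Hat uninstall command is written as `rpm –e scx` with an en dash instead of an ASCII hyphen, so rpm will not read it as the erase option when it is copied from the page; it should be `rpm -e scx`. In the Solaris section, `rm -rf microsoft/` only matches the text if the shell is in /etc/opt, and it removes everything under /etc/opt/microsoft rather than just the old certificates in /etc/opt/microsoft/scx/ssl that the preceding sentence names; an absolute path limited to the scx directory would be safer to copy. That same sentence opens its second path with a doubled `{{{{{{`, which will break the monospace markup, and "Usefull", "a few issue" and "donwtime" are typos. For the certificate check, it would help to say that the `openssl x509 -in certificate.crt -text -noout` command can be run on another machine against a copy of the .pem file, so the host name can be read without pasting the certificate into a third-party website.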
solrhscomagentinstall.txt · Last modified: 2014/04/23 16:20 by sjoerd