OpsMgr : Certificate for this system is not valid when installing Linux agent

Today I ran into some Linux agent deployment issues. I needed to monitor about 20 Redhat Machines . In such an environment environment, Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX-based or Linux-based computers.

First if you have some Cross-platform agent deployment issues please have a look at the following blog posts:

• http://wmug.co.uk/blogs/aquilaweb/archive/2009/07/21/opsmgr-r2-xplat-agent-deployment-field-notes.aspx
• http://wmug.co.uk/blogs/aquilaweb/archive/2009/09/02/more-opsmgr-x-plat-notes.aspx
• http://wmug.co.uk/blogs/aquilaweb/archive/2009/07/22/enable-opsmgr-module-logging.aspx
• http://blog.xplatxperts.com/xplat-xperts/2009/08/opsmgr-cross-platform-discovery-errors.html

 

Ok, let’s start!

So after making sure I had all the pre-requisites needed to deploy an Linux agent I launched the discovery wizard

But my agent installation failed because the certificate could not be signed.

The certificate signing process does the following:

Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

For an unknow reason my certifcate was not signed and trusted.

 I also got the following error in my event log:

Unexpected ScxCertLibException: Unable to open root store
; input data is: —–BEGIN CERTIFICATE—–
MIIDHjCCAgYCAQEwDQYJKoZIhvcNAQEFBQAwZjEYMBYGA1UEAxMPU0NYLUNlcnRp
ZmljYXRlMTAwLgYDVQQMEydTQ1g2MzMzNzZEMi1FM0UyLTRmMzEtODQ2MS1EMDky

 

To solve this problem you need to sign the certificate on your OpsMgr server following this procedure:

 Download and install Winscp on your OpsMgr server.

 Start Winscp and connect to your Linux machine

Click yes

Browse to /etc/opt/microsoft/scx/ssl

Copy the key scx-host-.pem  to your opsmgr server.

Open the command prompt on your OpsMgr server and change directories to the location where you copied the certificate. Type the command

“scxcertconfig -sign scx-host-.pem scx_new.pem”

and then press ENTER. This command will self-sign your certificate (scx-host-.pem) and then save the new certificate.

Rename your scx_new.pem file with scx-host-.ad.pem and replace the original file on your linux server with this file.

Connect to your Linux server with putty

and type scxadmin –restart

This step is very important! If you don’t restart the scxadmin the discovery wizard will still complain about the certificate not being signed!!

 

Now close your discovery wizard and re launch it.

The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.Almost immediately you will get a message saying the agent is successfully signed and installed:

 

Hope this helps,

Alexandre Verkinderen