Fixing SSL Certificate error for UNIX/Linux devices

Posted on Sep 19, 2016 in SCOM 2012

Last week I came across a scenario in which the team was not able to discover and monitor Linux devices that had the same hostname but different IP addresses. They told me that their Voice Team had given them around thirty Linux devices and that, out of those, ten devices had the same hostname.

When asked why the devices had the same hostname, the answer was that it is an old deployment in which the team kept the default hostnames they got while installing the devices, and these can't be changed now.

I asked them to create alias DNS entries with different names for their devices and to manually generate the certificate for each server with its alias name.

Later they reported that discovery was successful with the alias hostname; however, after a few minutes the discovered device grayed out with the alerts below:

1: SSL Certificate error: The SSL Certificate used by the Agent has a configuration error.

2: Heartbeat failed: The System is not responding to heartbeats.

It’s not a big deal.

We mostly get “The SSL Certificate used by the Agent has a configuration error.” when another management server in the resource pool tries to communicate with the UNIX/Linux machine and that management server does not trust the first management server, the one that signed the certificate, as a certificate authority.

Therefore, when the UNIX/Linux machine communicates with that management server, the management server reports that the machine is using an untrusted certificate.

To resolve this issue, we need to copy the certificate from the management server that signed the agent certificate (for the UNIX/Linux machine in this case) to all other management servers in the resource pool.

Below is the process to copy the certificate between Management Servers:

1: Log on to the first management server and open Command Prompt as Administrator.

2: At the command prompt, change the directory to:

 %ProgramFiles%\Microsoft System Center 2012 R2\Operations Manager\Server

3: Run the following command, specifying a file name of your choice such as MS1.cert:

scxcertconfig.exe -export <filename>

The exported certificate can be found in the following location:

%ProgramFiles%\Microsoft System Center 2012 R2\Operations Manager\Server

4: Copy the exported certificate file to another management server, into the same location:

%ProgramFiles%\Microsoft System Center 2012 R2\Operations Manager\Server

Alternatively, you can copy the exported certificate file to a shared directory that is accessible by all the management servers in the resource pool.

5: Repeat the previous four steps until the other servers / shared directory contain all the exported certificate files from each management server in the resource pool.

6: Log on to another management server to start the certificate import process.

7: Open Command Prompt as Administrator.

8: At the command prompt, change the directory to:

 %ProgramFiles%\Microsoft System Center 2012 R2\Operations Manager\Server

9: Run the following command for each exported certificate file (except for the file that was exported by the current management server):

scxcertconfig.exe -import <filename>

The import is now done on the second management server.

10: Repeat these steps until all the certificate files have been imported to the applicable management servers in the resource pool.

Uninstall the grayed-out device from the SCOM server and run the discovery again. This time the device should appear in the console in a healthy state.

Note: If you attempt to import the certificate file that was exported by that same management server, the process will fail with an error message that the object or property already exists.

Delete the certificate files from the server location / shared directory. Although each file contains only the public key of the certificate, you should still treat it as a security-sensitive file.

Perform this procedure whenever you add a new management server to the resource pool so that high availability is maintained.
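
The export, import and cleanup steps above as a single PowerShell script, added here as an example; it is not part of the original post or of Operations Manager. The share path `\\fileserver\scxcerts` and the `<COMPUTERNAME>.cert` file naming are assumptions; only `scxcertconfig.exe -export` / `-import` and the install path come from the steps above.

```powershell
# Added example: automates the export / import / cleanup steps above.
# Assumptions (not from the original post): the share path and the
# <COMPUTERNAME>.cert naming. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import', 'Cleanup')]
    [string]$Mode,
    [string]$Share = '\\fileserver\scxcerts'   # hypothetical shared directory
)

$serverDir = Join-Path $env:ProgramFiles 'Microsoft System Center 2012 R2\Operations Manager\Server'
$ownFile   = "$env:COMPUTERNAME.cert"
Set-Location -Path $serverDir

switch ($Mode) {
    'Export' {
        # Steps 1-5: export this server's certificate and publish it to the share.
        & .\scxcertconfig.exe -export $ownFile
        if (-not (Test-Path $ownFile)) { throw "Export did not produce $ownFile" }
        Copy-Item -Path $ownFile -Destination $Share -Force
        Remove-Item -Path $ownFile   # do not leave a copy in the install folder
    }
    'Import' {
        # Steps 6-10: import every other server's certificate. The server's own
        # file is skipped because importing it fails with "already exists".
        $others = @(Get-ChildItem -Path $Share -Filter '*.cert' |
            Where-Object { $_.Name -ne $ownFile })
        foreach ($cert in $others) {
            Copy-Item -Path $cert.FullName -Destination $serverDir -Force
            & .\scxcertconfig.exe -import $cert.Name
            # Assumption: the tool returns a non-zero exit code on failure.
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Import of $($cert.Name) exited with $LASTEXITCODE"
            }
            Remove-Item -Path (Join-Path $serverDir $cert.Name)
        }
        Write-Output "Processed $($others.Count) certificate file(s)."
    }
    'Cleanup' {
        # Run once, after every server in the pool has finished importing.
        Get-ChildItem -Path $Share -Filter '*.cert' | Remove-Item
    }
}
```

Run it with `-Mode Export` on every management server first, then `-Mode Import` on every management server, and `-Mode Cleanup` once at the end so no exported certificate files remain on the share.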

You can refer to the article below for more information:

https://technet.microsoft.com/en-us/library/hh287152.aspx
