Install SCOM agent on Red Hat Linux
The steps below describe how to install the SCOM agent on Red Hat Linux 5 x64. We don’t like to enroll the agent by using the SCOM Discovery wizard, as you need to enter the super-user (root)credentials and we’re not sure where the application stores those credentials and it’s used for. So we’re still searching for the minimal permissions for the agent to be installed.
It is possile to install the agent, copy the unsigned client-side generated certificate to the SCOM server, sign the certificate on the SCOM server and copy the signed certificate back to the client. Once you have restarted the scx daemon you can use the discovery wizard on the SCOM server to add the server without using super-user credentials in SCOM.
Once you have installed the Cross Platform Cumulative Update 2 for System Center Operations Manager 2007 R2, a newer version of the agent becomes available on the SCOM server in Program Files\System Center Operations Manager 2007\AgentManagement\UnixAgents.
# rpm -ivh scx-1.0.4-258.rhel.5.x64.rpm Preparing... ########################################### [100%] 1:scx ########################################### [100%] Generating certificate with hostname="host001", domainname="example.local" WARNING! Could not read 256 bytes of random data from /dev/random. Will revert to less secure /dev/urandom. See the security guide for how to regenerate certificates at a later time when more random data might be available. /var/tmp/rpm-tmp.63356: line 163: /usr/lib/lsb/install_initd: No such file or directory Starting Microsoft SCX CIM Server: [ OK ] #
To fix the above problem you can use the following work-around.
rm /dev/random rm: remove character special file `/dev/random'? y # mknod -m 644 /dev/random c 1 9 # chown root:root /dev/random # cd # rpm -ivh scx-1.0.4-258.rhel.5.x64.rpm Preparing... ########################################### [100%] 1:scx ########################################### [100%] Generating certificate with hostname="host001", domainname="example.local" /var/tmp/rpm-tmp.10879: line 163: /usr/lib/lsb/install_initd: No such file or directory Starting Microsoft SCX CIM Server: [ OK ] # rm /dev/random # mknod -m 644 /dev/random c 1 8 # chown root:root /dev/random
Sorry — this article is misleading and incomplete. On Linux systems, /dev/random and /dev/urandom are world-readable devices with world-writable permissions and different minor numbers (8 vs. 9). /dev/random is blocking — meaning that the entropy you need for /dev/random to output data is seeded by system activity (disk reads, network scans, etc.). Few systems are busy enough to keep /dev/random’s entropy “buffer” full. /dev/urandom is non-blocking, meaning less entropy and more “fudged” random data. It’s less secure but few people care.
Furthermore the RPM install just generates a warning that it’s falling back to /dev/urandom because it couldn’t get enough data from /dev/random. All you’re doing is “tricking” the RPM installer into using /dev/urandom in the first place by creating — incorrectly — a /dev/random special file that actually uses the urandom driver. To make matters worse, you are recreating the /dev/random special file with 0644 permissions, not 0666. You have just broken your system.
The incomplete part is:
“It is possile to install the agent, copy the unsigned client-side generated certificate to the SCOM server, sign the certificate on the SCOM server and copy the signed certificate back to the client.”
It would be nice to know what you mean by this statement. Where is this certificate kept?
To answer my own question….the certificates are kept in /etc/opt/microsoft/scx/ssl.
@Greg
I tried the workaround and then read your reply on it. I want to make sure I have a correct /dev/random file on the concerning system (centos 5). I think I have set things the way they were but I want to make sure.
I remove the /dev/random file and created it back again by:
# rm /dev/random
# mknod -m 666 /dev/random c 1 9
# chown root:root /dev/random
Is that correct?
Thanx in advance.
Regards,
Chris
Correction:
I did the following:
# rm /dev/random
# mknod -m 666 /dev/random c 1 8
# chown root:root /dev/random