Rootless SCOM agent setup
The setup of a SCOM agent without having to enter the root password in the SCOM management console is actually very simple. At first I thought it would be necessary to export the key by which the client certificates are signed to do the signing on the system used to roll out new Linux systems.
I have described the the process below in a few steps.
1. Install the agent.
You can find the manual installation instructions on this site.
2. Create a new user on the Linux client, in my case ‘scom’.
This user and password must match the action account credentials you have entered somewhere in the SCOM administration section.
# useradd scom # passwd scom
3. Change ownership and permissions on /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem
# chown scom: /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem # chmod 644 /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem
4. Start the discovery wizard, add your host and uncheck ‘Enable SSH based discovery’.
Under the host information enter the scom user and the corresponding password. Check the ‘This is a superuser account’ check box.
Make sure the SCOM server can communicate on port 1270/tcp, otherwise discovery will fail.
5. Discovery will report the current (self-signed) certificate is invalid and will suggest to sign the certificate with the SCOM CA key.
Once this step is finished it will report no results, but the certificate is signed. You can verify this with OpenSSL.
6. Restart the scx daemon on the Linux system.
# /opt/microsoft/scx/bin/tools/scxadmin -restart
This will initialize the modified certificate.
7. Re-issue a discovery of the same host (press the previous button two times).
In this final step the host is discovered successfully without having entered the root password.
I have created a Puppet recipe for the above to automate the roll-out of SCOM on Linux:
class scom {
package { scx:
ensure => installed
}
service { scx-cimd:
ensure => true,
enable => true,
hasrestart => true,
hasstatus => true,
subscribe => [ File["/etc/init.d/scx-cimd"], Package[scx] ]
}
file { "/etc/init.d/scx-cimd":
owner => root,
group => root,
mode => 744,
require => Package["scx"],
}
file { "/etc/opt/microsoft/scx/ssl/scx-host-$hostname.pem":
owner => scom,
group => scom,
mode => 644,
checksum => md5,
notify => service[scx-cimd],
require => [ Package["scx"], User["scom"] ]
}
user { "scom":
ensure => present,
name => "scom",
uid => "6004",
comment => "SCOM monitoring agent",
shell => "/bin/bash",
home => "/var/opt/microsoft/scx",
managehome => "true",
password => '$1$vS1boUVQ$vMmabY1rt4FQokoweKvXw/',
require => [ Class["users"], Package["scx"] ]
}
}
Hi I managed to successfully use your document to add an agent with no ssh, port 22 communication between the ms server and the client scom agent. (Meaning the part with the manual certificate signing)
The question I have is you labled this document “Rootless SCOM agent setup” but I cannot add the agent if I am not root or if I do not have an equivilant user with uid and gid of 0 at the time of adding the agent to the scom console. After that we have managed to get the agent working properly with the default core OS management pack for RHEL 4 and only using a regular user… no priviledged account was defined in the priviledged profile.
I read your doc 2 times but I cannot determine anything that I overlooked.
You actually added the agent with no root credentials of anykind defined anywhere? If yes can you please let me know what I am overlooking?
please disregard my last post I got it working now…. your document is correct
Thank you for taking the time to document this.