Linux | Dirk-Jan's blog

Rootless SCOM agent setup

May 17th, 2010 2 comments

The setup of a SCOM agent without having to enter the root password in the SCOM management console is actually very simple. At first I thought it would be necessary to export the key by which the client certificates are signed to do the signing on the system used to roll out new Linux systems.

I have described the the process below in a few steps.

1. Install the agent.
You can find the manual installation instructions on this site.

2. Create a new user on the Linux client, in my case ’scom’.
This user and password must match the action account credentials you have entered somewhere in the SCOM administration section.

# useradd scom

# passwd scom

3. Change ownership and permissions on /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

# chown scom: /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

# chmod 644 /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

4. Start the discovery wizard, add your host and uncheck ‘Enable SSH based discovery’.
Under the host information enter the scom user and the corresponding password. Check the ‘This is a superuser account’ check box.
Make sure the SCOM server can communicate on port 1270/tcp, otherwise discovery will fail.

5. Discovery will report the current (self-signed) certificate is invalid and will suggest to sign the certificate with the SCOM CA key.
Once this step is finished it will report no results, but the certificate is signed. You can verify this with OpenSSL.

6. Restart the scx daemon on the Linux system.

# /opt/microsoft/scx/bin/tools/scxadmin -restart

This will initialize the modified certificate.

7. Re-issue a discovery of the same host (press the previous button two times).
In this final step the host is discovered successfully without having entered the root password.

I have created a Puppet recipe for the above to automate the roll-out of SCOM on Linux:

class scom {
        package { scx:

                ensure => installed

        }
        service { scx-cimd:

                ensure => true,

                enable => true,

                hasrestart => true,

                subscribe => [ File["/etc/init.d/scx-cimd"], Package[scx] ]

        }
        file { "/etc/init.d/scx-cimd":

                owner => root,

                group => root,

                mode => 744,

                require => Package["scx"],

        }
        file { "/etc/opt/microsoft/scx/ssl/scx-host-$hostname.pem":

                owner => scom,

                group => scom,

                mode => 644,

                checksum => md5,

                notify => service[scx-cimd],

                require => [ Package["scx"], User["scom"] ]

        }
        user { "scom":

                ensure => present,

                name => "scom",

                uid => "6004",

                comment => "SCOM monitoring agent",

                shell => "/bin/bash",

                home => "/var/opt/microsoft/scx",

                managehome => "true",

                password => ‘$1$vS1boUVQ$vMmabY1rt4FQokoweKvXw/’,

                require => [ Class["users"], Package["scx"] ]

        }

}

Categories: Linux Tags: Linux, SCOM

Manual SCOM agent certificate signing

April 22nd, 2010 No comments

The SCOM Linux agent (scx) uses a SSL certificate to trust communication between the SCOM server and Linux agents. The SCOM server communicates with the agent running on port 1270/tcp.

Normally you will deploy the agent by using the discovery wizard. The SCOM server initially makes a SSH connection to the agent and tries to detect which Linux distribution and version it’s dealing with. Then it will push (sftp) and install the scx package. At the end of the installation it will create a certificate. This certificate needs to be signed by the SCOM server, so the server will fetch the certificate, signs it and delivers it back to the client. At the end the agent will restart to initialize the newly created certificate and agent communication over port 1270/tcp is trusted. The above described actions are executed using the privileged account.

It is also possible to manually sign the certificate created during manual installation of the scx package. This process is described below.

1. Copy the output of the following command including ‘—–BEGIN CERTIFICATE—–’ and ‘—–END CERTIFICATE—–’ to your paste buffer.

$ cat /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

By using the following command you can view the contents of the certificate:

$ openssl x509 -noout -text \

-in /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

2. Create a new file on the SCOM server ’scx-host-[hostname].pem’, paste the certificate data into it and save this file.

3. Open a windows console and execute the following:

scxcertconfig -sign scx-host-[hostname].pem scx_signed.pem

This command will sign your certificate (scx-host-[hostname].pem) and save it to a new file.

4. Copy the contents of the signed certificate to the paste buffer.

5. Open the ‘/etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem’ on the Linux server, delete it’s contents and paste the newly created certificate data from the paste buffer.

6. Restart the agent by running the following command.

# /opt/microsoft/scx/bin/tools/scxadmin -restart

This will initialize the new certificate.

The last step is open the SCOM management console and walk through the discovery wizard to register the agent. A super-user account is probably not required anymore.

After the installation of the scx package you need to create a action account user. The SCOM agent will be run under this user.

Related article: install-scom-agent-on-red-hat-linux

Categories: Linux Tags: Linux, SCOM, SSL

Install SCOM agent on Red Hat Linux

March 23rd, 2010 2 comments

The steps below describe how to install the SCOM agent on Red Hat Linux 5 x64. We don’t like to enroll the agent by using the SCOM Discovery wizard, as you need to enter the super-user (root)credentials and we’re not sure where the application stores those credentials and it’s used for. So we’re still searching for the minimal permissions for the agent to be installed.

It is possile to install the agent, copy the unsigned client-side generated certificate to the SCOM server, sign the certificate on the SCOM server and copy the signed certificate back to the client. Once you have restarted the scx daemon you can use the discovery wizard on the SCOM server to add the server without using super-user credentials in SCOM.

Once you have installed the Cross Platform Cumulative Update 2 for System Center Operations Manager 2007 R2, a newer version of the agent becomes available on the SCOM server in Program Files\System Center Operations Manager 2007\AgentManagement\UnixAgents.

# rpm -ivh scx-1.0.4-258.rhel.5.x64.rpm

Preparing…                ########################################### [100%]

   1:scx                    ########################################### [100%]

Generating certificate with hostname="host001", domainname="example.local"
WARNING!

Could not read 256 bytes of random data from /dev/random. Will revert to less secure /dev/urandom.

See the security guide for how to regenerate certificates at a later time when more random data might be available.
/var/tmp/rpm-tmp.63356: line 163: /usr/lib/lsb/install_initd: No such file or directory

Starting Microsoft SCX CIM Server: [  OK  ]

#

To fix the above problem you can use the following work-around.

rm /dev/random

rm: remove character special file `/dev/random’? y

# mknod -m 644 /dev/random c 1 9

# chown root:root /dev/random

# cd

# rpm -ivh scx-1.0.4-258.rhel.5.x64.rpm 

Preparing…                ########################################### [100%]

   1:scx                    ########################################### [100%]

Generating certificate with hostname="host001", domainname="example.local"

/var/tmp/rpm-tmp.10879: line 163: /usr/lib/lsb/install_initd: No such file or directory

Starting Microsoft SCX CIM Server: [  OK  ]

# rm /dev/random

# mknod -m 644 /dev/random c 1 8

# chown root:root /dev/random

Categories: Linux Tags: Linux, Red Hat, SCOM

Moving into the cloud

January 17th, 2010 No comments

Last week I setup a server in a cloud based on Xen virtualization technology. After some hours research I decided to go for the Rackspace cloud. I chose the minimal setup to start with, which is a 256MB memory configuration that comes with 10GB disk space. As stated in the specs, the 256MB plan will get you 1/64 of the CPU allocation. Which is fine to start with for a standard LAMP setup.

For now they only offer a large variety of Linux distributions. I chose Debian 5.0 Lenny, because it makes migration easier as the site is running on Debian 5.0 already. The registration process and setup of the minimal Debian install went very smoothly. In under two hours I had successfully migrated a website. So for the setup part I am totally satisfied, let’s see how the availability part will develop.

Categories: Linux Tags: Cloud computing, Debian, Linux

Jmeter JSF client state

January 15th, 2010 2 comments

In order to know what kind of resources a new application needed I figured out to do a load test. The load testing software I used for this test is Apache Jmeter. The application to test is a Java based application deployed in Tomcat 6.

I used the Jmeter HTTP Proxy Recorder to simulate a normal user session to create a realistic test plan. Once I executed the test plan against the web application it returned Internal Server Error (Response code: 500). By using the “View Results Tree” Listener I was able to locate the problem as the Listener displays basic HTML and XML representations of the response.

javax.faces.application.ViewExpiredException: viewId:/presentation/task.jsf - View /presentation/task.jsf could not be restored.

It appeared that the HTTP Proxy Recorder had recorded the server and client state. The javax.faces.ViewState field is written for both server and client side state saving. So removing this attribute from the sampler data makes Jmeter process the pages without error.

It took me a couple of hours to resolve this issue, hope this helps someone stumbling across the same.

Categories: Linux Tags: Jmeter, Tomcat

Search and replace MySQL content

January 6th, 2010 No comments

Today I switched from the Code Markup to the Code Snippet WordPress plugin. Therefore I had to change the way the code block is activated. This is a time consuming job if you have to do this by hand, so I figured out there should be a smarter way of doing this. Check out the MySQL replace function below:

update [table_name] set [field_name] = replace([field_name],’[string_to_find]‘,’[string_to_replace]‘);

And so the above translated to the lines I needed:

mysql> update wp_vleeuwen_posts set post_content = replace(post_content, ‘<pre><code>’, ‘[code lang="text"]‘);

Query OK, 35 rows affected (0.06 sec)

Rows matched: 72  Changed: 35  Warnings: 0
mysql> update wp_vleeuwen_posts set post_content = replace(post_content, ‘</code></pre>’, ‘[/ code]‘);

Query OK, 35 rows affected (0.01 sec)

Rows matched: 72  Changed: 35  Warnings: 0
mysql>

Notice the little typo I had to make in order to let the above code snippet work ([/ code]).

Categories: Linux Tags: MySQL, WordPress

Backup Lenny using TSM

January 2nd, 2010 No comments

The few steps below describe in short how to install Tivoli Storage Manager (TSM) on Debian 5.0.3 (Lenny) x64.

1. Download the latest 5.x TSM client

# wget ftp://ftp.wu-wien.ac.at/mirrors/tsm/maintenance/client/v5r5/Linux/LinuxX86/v552/5.5.2.0-TIV-TSMBAC-LinuxX86.tar

2. Install alien and dependencies

# apt-get install alien gawk libstdc++5

3. untar the TSM client software

# tar -xvf 5.5.2.0-TIV-TSMBAC-LinuxX86.tar 

NOTICES.TXT

README_enu.htm

README_api_enu.htm

README_hsm_enu.htm

TIVsm-API.i386.rpm

TIVsm-API64.rpm

TIVsm-BA.i386.rpm

TIVsm-HSM.i386.rpm

4. Convert the RPM packages using alien

# alien -g TIVsm-API.i386.rpm

Warning: Skipping conversion of scripts in package TIVsm-API: postinst prerm

Warning: Use the –scripts parameter to include the scripts.

Directories TIVsm-API-5.5.2 and TIVsm-API-5.5.2.orig prepared.

# alien -g TIVsm-BA.i386.rpm

Warning: Skipping conversion of scripts in package TIVsm-BA: postinst prerm

Warning: Use the –scripts parameter to include the scripts.

Directories TIVsm-BA-5.5.2 and TIVsm-BA-5.5.2.orig prepared.

5. Adjust the control files

# mv TIVsm-API-5.5.2/debian TIVsm-API-5.5.2/DEBIAN

# mv TIVsm-BA-5.5.2/debian TIVsm-BA-5.5.2/DEBIAN

# vi TIVsm-API-5.5.2/DEBIAN/control 

# vi TIVsm-BA-5.5.2/DEBIAN/control

The control file should like the following:

Source: tivsm-api

Section: non-free

Priority: extra

Maintainer: root <root@localhost>

Package: tivsm-api

Architecture: all

Depends: ${shlibs:Depends}

Description: IBM Tivoli Storage Manager API

6. Build the packages

# dpkg -b TIVsm-API-5.5.2

dpkg-deb: building package `tivsm-api’ in `TIVsm-API-5.5.2.deb’.

# dpkg -b TIVsm-BA-5.5.2

dpkg-deb: building package `tivsm-ba’ in `TIVsm-BA-5.5.2.deb’.

7. Install the packages

# dpkg -i TIVsm-API-5.5.2.deb

Selecting previously deselected package tivsm-api.

(Reading database … 146642 files and directories currently installed.)

Unpacking tivsm-api (from TIVsm-API-5.5.2.deb) …

Setting up tivsm-api (5.5.2) …

# dpkg -i TIVsm-BA-5.5.2.deb

Selecting previously deselected package tivsm-ba.

(Reading database … 146716 files and directories currently installed.)

Unpacking tivsm-ba (from TIVsm-BA-5.5.2.deb) …

Setting up tivsm-ba (5.5.2) …

#

8. Post install issues

# echo "/opt/tivoli/tsm/client/ba/bin" >> /etc/ld.so.conf

# ldconfig

# ln -s /opt/tivoli/tsm/client/lang/en_US /opt/tivoli/tsm/client/ba/bin/

And you’re done installing TSM. You’re now ready to proceed to the configuration. The TSM configuration files are located in /opt/tivoli/tsm/client/ba/bin. You can start by copying the sample files.

# cd /opt/tivoli/tsm/client/ba/bin
# cp dsm.opt.smp dsm.opt
# cp dsm.sys.smp dsm.sys

Have a look at the IBM docs for the configuration options.

Categories: Linux Tags: Debian, Linux, TSM

Switched to RoundCube

December 30th, 2009 No comments

Since I first started using a webmail client Squirrelmail was my number one. But lately I missed some functions like viewing HTML formatted mail, auto address completion and LDAP address book functionality. So I started to look for a webmail client that comes with this functionality build-in and came up with this nice AJAX based webmail solution for IMAP servers, called RoundCube.

The fact that RC will be in the next Debian stable release (squeeze) was the final straw. Using the Lenny backports repo you can install RC on Lenny (current stable). See the following steps below:

1. Create to following file if it not exists:

# vi /etc/apt/preferences

2. Add the following lines:

Package: *

Pin: release a=stable

Pin-Priority: 600
Package: roundcube roundcube-core roundcube-mysql

Pin: release a=lenny-backports

Pin-Priority: 999

There is also a postgresql and sqlite database meta-package available.

3. Edit /etc/apt/sources.list and add the following lines:

# Testing (squeeze) for gallery2

deb http://ftp.us.debian.org/debian/ squeeze main contrib non-free

deb-src http://ftp.us.debian.org/debian/ squeeze main contrib non-free

4. Update the apt database and upgrade the gallery2 package:

# apt-get update

# apt-get install roundcube

Next thing is to walk through the main.inc.php config file located in ‘/etc/roundcube’ and the Apache configuration.

Restart apache and navigate to your RoundCube url and off you go.

I have been test driving RoundCube for about a month and can conclude that RoundCube is here to stay!

Categories: Linux Tags: RoundCube, Webmail

Older Entries

Dirk-Jan’s blog

Archive