Dirk-Jan's blog

Rootless SCOM agent setup

Dirk-Jan — Mon, 17 May 2010 21:08:00 +0000

The setup of a SCOM agent without having to enter the root password in the SCOM management console is actually very simple. At first I thought it would be necessary to export the key by which the client certificates are signed to do the signing on the system used to roll out new Linux systems.

I have described the the process below in a few steps.

1. Install the agent.
You can find the manual installation instructions on this site.

2. Create a new user on the Linux client, in my case ’scom’.
This user and password must match the action account credentials you have entered somewhere in the SCOM administration section.

# useradd scom

# passwd scom

3. Change ownership and permissions on /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

# chown scom: /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

# chmod 644 /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

4. Start the discovery wizard, add your host and uncheck ‘Enable SSH based discovery’.
Under the host information enter the scom user and the corresponding password. Check the ‘This is a superuser account’ check box.
Make sure the SCOM server can communicate on port 1270/tcp, otherwise discovery will fail.

5. Discovery will report the current (self-signed) certificate is invalid and will suggest to sign the certificate with the SCOM CA key.
Once this step is finished it will report no results, but the certificate is signed. You can verify this with OpenSSL.

6. Restart the scx daemon on the Linux system.

# /opt/microsoft/scx/bin/tools/scxadmin -restart

This will initialize the modified certificate.

7. Re-issue a discovery of the same host (press the previous button two times).
In this final step the host is discovered successfully without having entered the root password.

I have created a Puppet recipe for the above to automate the roll-out of SCOM on Linux:

class scom {
        package { scx:

                ensure => installed

        }
        service { scx-cimd:

                ensure => true,

                enable => true,

                hasrestart => true,

                subscribe => [ File["/etc/init.d/scx-cimd"], Package[scx] ]

        }
        file { "/etc/init.d/scx-cimd":

                owner => root,

                group => root,

                mode => 744,

                require => Package["scx"],

        }
        file { "/etc/opt/microsoft/scx/ssl/scx-host-$hostname.pem":

                owner => scom,

                group => scom,

                mode => 644,

                checksum => md5,

                notify => service[scx-cimd],

                require => [ Package["scx"], User["scom"] ]

        }
        user { "scom":

                ensure => present,

                name => "scom",

                uid => "6004",

                comment => "SCOM monitoring agent",

                shell => "/bin/bash",

                home => "/var/opt/microsoft/scx",

                managehome => "true",

                password => ‘$1$vS1boUVQ$vMmabY1rt4FQokoweKvXw/’,

                require => [ Class["users"], Package["scx"] ]

        }

}

Manual SCOM agent certificate signing

Dirk-Jan — Thu, 22 Apr 2010 17:30:47 +0000

The SCOM Linux agent (scx) uses a SSL certificate to trust communication between the SCOM server and Linux agents. The SCOM server communicates with the agent running on port 1270/tcp.

Normally you will deploy the agent by using the discovery wizard. The SCOM server initially makes a SSH connection to the agent and tries to detect which Linux distribution and version it’s dealing with. Then it will push (sftp) and install the scx package. At the end of the installation it will create a certificate. This certificate needs to be signed by the SCOM server, so the server will fetch the certificate, signs it and delivers it back to the client. At the end the agent will restart to initialize the newly created certificate and agent communication over port 1270/tcp is trusted. The above described actions are executed using the privileged account.

It is also possible to manually sign the certificate created during manual installation of the scx package. This process is described below.

1. Copy the output of the following command including ‘—–BEGIN CERTIFICATE—–’ and ‘—–END CERTIFICATE—–’ to your paste buffer.

$ cat /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

By using the following command you can view the contents of the certificate:

$ openssl x509 -noout -text \

-in /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

2. Create a new file on the SCOM server ’scx-host-[hostname].pem’, paste the certificate data into it and save this file.

3. Open a windows console and execute the following:

scxcertconfig -sign scx-host-[hostname].pem scx_signed.pem

This command will sign your certificate (scx-host-[hostname].pem) and save it to a new file.

4. Copy the contents of the signed certificate to the paste buffer.

5. Open the ‘/etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem’ on the Linux server, delete it’s contents and paste the newly created certificate data from the paste buffer.

6. Restart the agent by running the following command.

# /opt/microsoft/scx/bin/tools/scxadmin -restart

This will initialize the new certificate.

The last step is open the SCOM management console and walk through the discovery wizard to register the agent. A super-user account is probably not required anymore.

After the installation of the scx package you need to create a action account user. The SCOM agent will be run under this user.

Related article: install-scom-agent-on-red-hat-linux

Install SCOM agent on Red Hat Linux

Dirk-Jan — Tue, 23 Mar 2010 21:18:28 +0000

The steps below describe how to install the SCOM agent on Red Hat Linux 5 x64. We don’t like to enroll the agent by using the SCOM Discovery wizard, as you need to enter the super-user (root)credentials and we’re not sure where the application stores those credentials and it’s used for. So we’re still searching for the minimal permissions for the agent to be installed.

It is possile to install the agent, copy the unsigned client-side generated certificate to the SCOM server, sign the certificate on the SCOM server and copy the signed certificate back to the client. Once you have restarted the scx daemon you can use the discovery wizard on the SCOM server to add the server without using super-user credentials in SCOM.

Once you have installed the Cross Platform Cumulative Update 2 for System Center Operations Manager 2007 R2, a newer version of the agent becomes available on the SCOM server in Program Files\System Center Operations Manager 2007\AgentManagement\UnixAgents.

# rpm -ivh scx-1.0.4-258.rhel.5.x64.rpm

Preparing…                ########################################### [100%]

   1:scx                    ########################################### [100%]

Generating certificate with hostname="host001", domainname="example.local"
WARNING!

Could not read 256 bytes of random data from /dev/random. Will revert to less secure /dev/urandom.

See the security guide for how to regenerate certificates at a later time when more random data might be available.
/var/tmp/rpm-tmp.63356: line 163: /usr/lib/lsb/install_initd: No such file or directory

Starting Microsoft SCX CIM Server: [  OK  ]

#

To fix the above problem you can use the following work-around.

rm /dev/random

rm: remove character special file `/dev/random’? y

# mknod -m 644 /dev/random c 1 9

# chown root:root /dev/random

# cd

# rpm -ivh scx-1.0.4-258.rhel.5.x64.rpm 

Preparing…                ########################################### [100%]

   1:scx                    ########################################### [100%]

Generating certificate with hostname="host001", domainname="example.local"

/var/tmp/rpm-tmp.10879: line 163: /usr/lib/lsb/install_initd: No such file or directory

Starting Microsoft SCX CIM Server: [  OK  ]

# rm /dev/random

# mknod -m 644 /dev/random c 1 8

# chown root:root /dev/random

Moving into the cloud

Dirk-Jan — Sun, 17 Jan 2010 20:25:32 +0000

Last week I setup a server in a cloud based on Xen virtualization technology. After some hours research I decided to go for the Rackspace cloud. I chose the minimal setup to start with, which is a 256MB memory configuration that comes with 10GB disk space. As stated in the specs, the 256MB plan will get you 1/64 of the CPU allocation. Which is fine to start with for a standard LAMP setup.

For now they only offer a large variety of Linux distributions. I chose Debian 5.0 Lenny, because it makes migration easier as the site is running on Debian 5.0 already. The registration process and setup of the minimal Debian install went very smoothly. In under two hours I had successfully migrated a website. So for the setup part I am totally satisfied, let’s see how the availability part will develop.

Jmeter JSF client state

Dirk-Jan — Fri, 15 Jan 2010 20:35:28 +0000

In order to know what kind of resources a new application needed I figured out to do a load test. The load testing software I used for this test is Apache Jmeter. The application to test is a Java based application deployed in Tomcat 6.

I used the Jmeter HTTP Proxy Recorder to simulate a normal user session to create a realistic test plan. Once I executed the test plan against the web application it returned Internal Server Error (Response code: 500). By using the “View Results Tree” Listener I was able to locate the problem as the Listener displays basic HTML and XML representations of the response.

javax.faces.application.ViewExpiredException: viewId:/presentation/task.jsf - View /presentation/task.jsf could not be restored.

It appeared that the HTTP Proxy Recorder had recorded the server and client state. The javax.faces.ViewState field is written for both server and client side state saving. So removing this attribute from the sampler data makes Jmeter process the pages without error.

It took me a couple of hours to resolve this issue, hope this helps someone stumbling across the same.

Search and replace MySQL content

Dirk-Jan — Wed, 06 Jan 2010 20:27:02 +0000

Today I switched from the Code Markup to the Code Snippet WordPress plugin. Therefore I had to change the way the code block is activated. This is a time consuming job if you have to do this by hand, so I figured out there should be a smarter way of doing this. Check out the MySQL replace function below:

update [table_name] set [field_name] = replace([field_name],’[string_to_find]‘,’[string_to_replace]‘);

And so the above translated to the lines I needed:

mysql> update wp_vleeuwen_posts set post_content = replace(post_content, ‘

’, ‘[code lang="text"]‘);

Query OK, 35 rows affected (0.06 sec)

Rows matched: 72  Changed: 35  Warnings: 0
mysql> update wp_vleeuwen_posts set post_content = replace(post_content, ‘

’, ‘[/ code]‘);
Query OK, 35 rows affected (0.01 sec)
Rows matched: 72 Changed: 35 Warnings: 0

mysql>

Notice the little typo I had to make in order to let the above code snippet work ([/ code]).

Backup Lenny using TSM

Dirk-Jan — Sat, 02 Jan 2010 11:19:14 +0000

The few steps below describe in short how to install Tivoli Storage Manager (TSM) on Debian 5.0.3 (Lenny) x64.

1. Download the latest 5.x TSM client

# wget ftp://ftp.wu-wien.ac.at/mirrors/tsm/maintenance/client/v5r5/Linux/LinuxX86/v552/5.5.2.0-TIV-TSMBAC-LinuxX86.tar

2. Install alien and dependencies

# apt-get install alien gawk libstdc++5

3. untar the TSM client software

# tar -xvf 5.5.2.0-TIV-TSMBAC-LinuxX86.tar 

NOTICES.TXT

README_enu.htm

README_api_enu.htm

README_hsm_enu.htm

TIVsm-API.i386.rpm

TIVsm-API64.rpm

TIVsm-BA.i386.rpm

TIVsm-HSM.i386.rpm

4. Convert the RPM packages using alien

# alien -g TIVsm-API.i386.rpm

Warning: Skipping conversion of scripts in package TIVsm-API: postinst prerm

Warning: Use the –scripts parameter to include the scripts.

Directories TIVsm-API-5.5.2 and TIVsm-API-5.5.2.orig prepared.

# alien -g TIVsm-BA.i386.rpm

Warning: Skipping conversion of scripts in package TIVsm-BA: postinst prerm

Warning: Use the –scripts parameter to include the scripts.

Directories TIVsm-BA-5.5.2 and TIVsm-BA-5.5.2.orig prepared.

5. Adjust the control files

# mv TIVsm-API-5.5.2/debian TIVsm-API-5.5.2/DEBIAN

# mv TIVsm-BA-5.5.2/debian TIVsm-BA-5.5.2/DEBIAN

# vi TIVsm-API-5.5.2/DEBIAN/control 

# vi TIVsm-BA-5.5.2/DEBIAN/control

The control file should like the following:

Source: tivsm-api

Section: non-free

Priority: extra

Maintainer: root 

Package: tivsm-api

Architecture: all

Depends: ${shlibs:Depends}

Description: IBM Tivoli Storage Manager API

6. Build the packages

# dpkg -b TIVsm-API-5.5.2

dpkg-deb: building package `tivsm-api’ in `TIVsm-API-5.5.2.deb’.

# dpkg -b TIVsm-BA-5.5.2

dpkg-deb: building package `tivsm-ba’ in `TIVsm-BA-5.5.2.deb’.

7. Install the packages

# dpkg -i TIVsm-API-5.5.2.deb

Selecting previously deselected package tivsm-api.

(Reading database … 146642 files and directories currently installed.)

Unpacking tivsm-api (from TIVsm-API-5.5.2.deb) …

Setting up tivsm-api (5.5.2) …

# dpkg -i TIVsm-BA-5.5.2.deb

Selecting previously deselected package tivsm-ba.

(Reading database … 146716 files and directories currently installed.)

Unpacking tivsm-ba (from TIVsm-BA-5.5.2.deb) …

Setting up tivsm-ba (5.5.2) …

#

8. Post install issues

# echo "/opt/tivoli/tsm/client/ba/bin" >> /etc/ld.so.conf

# ldconfig

# ln -s /opt/tivoli/tsm/client/lang/en_US /opt/tivoli/tsm/client/ba/bin/

And you’re done installing TSM. You’re now ready to proceed to the configuration. The TSM configuration files are located in /opt/tivoli/tsm/client/ba/bin. You can start by copying the sample files.

# cd /opt/tivoli/tsm/client/ba/bin
# cp dsm.opt.smp dsm.opt
# cp dsm.sys.smp dsm.sys

Have a look at the IBM docs for the configuration options.

Switched to RoundCube

Dirk-Jan — Wed, 30 Dec 2009 22:14:22 +0000

Since I first started using a webmail client Squirrelmail was my number one. But lately I missed some functions like viewing HTML formatted mail, auto address completion and LDAP address book functionality. So I started to look for a webmail client that comes with this functionality build-in and came up with this nice AJAX based webmail solution for IMAP servers, called RoundCube.

The fact that RC will be in the next Debian stable release (squeeze) was the final straw. Using the Lenny backports repo you can install RC on Lenny (current stable). See the following steps below:

1. Create to following file if it not exists:

# vi /etc/apt/preferences

2. Add the following lines:

Package: *

Pin: release a=stable

Pin-Priority: 600
Package: roundcube roundcube-core roundcube-mysql

Pin: release a=lenny-backports

Pin-Priority: 999

There is also a postgresql and sqlite database meta-package available.

3. Edit /etc/apt/sources.list and add the following lines:

# Testing (squeeze) for gallery2

deb http://ftp.us.debian.org/debian/ squeeze main contrib non-free

deb-src http://ftp.us.debian.org/debian/ squeeze main contrib non-free

4. Update the apt database and upgrade the gallery2 package:

# apt-get update

# apt-get install roundcube

Next thing is to walk through the main.inc.php config file located in ‘/etc/roundcube’ and the Apache configuration.

Restart apache and navigate to your RoundCube url and off you go.

I have been test driving RoundCube for about a month and can conclude that RoundCube is here to stay!

Windows wireless driver for Amilo Li 2727

Dirk-Jan — Fri, 11 Dec 2009 17:52:23 +0000

It took me some time to figure out how to get the wireless device of my Amilo Li 2727 working with Windows 7. For the ones who stumble across the same problem I have describe how to solve it.

Download the Windows XP Drivers For Amilo Li 2727 here
Extract the contents of the compressed file
Open ‘Control Panel’, click on ‘System’ and choose ‘Device Manager’
Open the ‘Action’ menu item and click on ‘Add legacy hardware’
Next -> Next -> Next and pick ‘Network Adapters’
Choose ‘Have disk’ and Navigate into the ‘04 WLAN’ directory
Select ‘Atheros AR5007EG Wireless Network Adapter’
Install the FSC Launchmanager from the ‘05 FSC_LaunchManager’ directory by executing the setup.exe
Reboot

Once you have rebooted you should have a working wireless device. To active the wireless device, you need to press the Fn+F1 button combination and choose WLAN. I can confirm this driver works on Windows 7.

Good luck!

vsftpd and SSL

Dirk-Jan — Sat, 28 Nov 2009 16:10:36 +0000

This howto describes how to configure vsftpd to enable SSL using so called intermediate/ chaining certificates.

Edit vsftpd.conf so that SSL is enabled:

ssl_enable=YES

rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem

force_local_data_ssl=NO

force_local_logins_ssl=NO

It is very important to construct the certificate file /usr/share/ssl/certs/vsftpd.pem with the correct certificate order. The fist Your certificate file has to be a .pem file. If you also received an Intermediate Certificate then you have to concatenate this with the Domain Certificate and your Private Key file into one single .pem file. Make sure all the information is included, without any spaces or blanks, see below.

—–BEGIN CERTIFICATE—–

 (your_domain_name.crt)

—–END CERTIFICATE KEY—–

—–BEGIN CERTIFICATE—–

 (chaining certificate 3)

—–END CERTIFICATE KEY—–

—–BEGIN CERTIFICATE—–

 (chaining certificate 2)

—–END CERTIFICATE KEY—–

—–BEGIN CERTIFICATE—–

 (chaining certificate 1)

—–END CERTIFICATE KEY—–

—–BEGIN RSA PRIVATE KEY—–

 (your_domain_name.key)

 —–END RSA PRIVATE KEY—–

This is how to check a SSL enabled FTP service (FTP Secure). See the result below:

$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"

Password: 

—- Connecting to ftp.student.vu.nl (130.37.129.243) port 21

<— 220 Welcome to the Storage FTP service.

—> FEAT

<— 211-Features:

<—  AUTH SSL

<—  AUTH TLS

<—  EPRT

<—  EPSV

<—  MDTM

<—  PASV

<—  PBSZ

<—  PROT

<—  REST STREAM

<—  SIZE

<—  TVFS

<—  UTF8

<— 211 End

—> AUTH TLS

<— 234 Proceed with negotiation.

—> OPTS UTF8 ON

Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl

 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA

 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA

  Trusted

Certificate: C=NL,O=TERENA,CN=TERENA SSL CA

 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

  Trusted

Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

<— 200 Always in UTF8 mode.

—> USER xxx330

<— 331 Please specify the password.

—> PASS XXXX

<— 230 Login successful.       

—> PWD

<— 257 "/"

—> PBSZ 0

<— 200 PBSZ set to 0.

—> PROT P

<— 200 PROT now Private.

—> PROT P

<— 200 PROT now Private.

—> PASV

<— 227 Entering Passive Mode (130,37,129,243,196,139).

—- Connecting data socket to (130.37.129.243) port 50315

—- Data connection established

—> LIST

<— 150 Here comes the directory listing.

Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl

 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA

 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA

  Trusted

Certificate: C=NL,O=TERENA,CN=TERENA SSL CA

 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

  Trusted

Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

—- Got EOF on data connection 

—- Closing data socket

drwxrwsr-x    3 72745    513          4096 Oct 23 14:28 public_html

<— 226 Directory send OK.

—> QUIT

—- Closing control socket

$