Manual SCOM agent certificate signing

The SCOM Linux agent (scx) uses a SSL certificate to trust communication between the SCOM server and Linux agents. The SCOM server communicates with the agent running on port 1270/tcp.

Normally you will deploy the agent by using the discovery wizard. The SCOM server initially makes a SSH connection to the agent and tries to detect which Linux distribution and version it’s dealing with. Then it will push (sftp) and install the scx package. At the end of the installation it will create a certificate. This certificate needs to be signed by the SCOM server, so the server will fetch the certificate, signs it and delivers it back to the client. At the end the agent will restart to initialize the newly created certificate and agent communication over port 1270/tcp is trusted. The above described actions are executed using the privileged account.

It is also possible to manually sign the certificate created during manual installation of the scx package. This process is described below.

1. Copy the output of the following command including ‘—–BEGIN CERTIFICATE—–‘ and ‘—–END CERTIFICATE—–‘ to your paste buffer.

$ cat /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

By using the following command you can view the contents of the certificate:

$ openssl x509 -noout -text \
-in /etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem

2. Create a new file on the SCOM server ‘scx-host-[hostname].pem’, paste the certificate data into it and save this file.

3. Open a windows console and execute the following:

scxcertconfig -sign scx-host-[hostname].pem scx_signed.pem

This command will sign your certificate (scx-host-[hostname].pem) and save it to a new file.

4. Copy the contents of the signed certificate to the paste buffer.

5. Open the ‘/etc/opt/microsoft/scx/ssl/scx-host-[hostname].pem’ on the Linux server, delete it’s contents and paste the newly created certificate data from the paste buffer.

6. Restart the agent by running the following command.

# /opt/microsoft/scx/bin/tools/scxadmin -restart

This will initialize the new certificate.

The last step is open the SCOM management console and walk through the discovery wizard to register the agent. A super-user account is probably not required anymore.

After the installation of the scx package you need to create a action account user. The SCOM agent will be run under this user.

Related article: install-scom-agent-on-red-hat-linux
[ad name=”Google Adsense Banner”]

vsftpd and SSL

This howto describes how to configure vsftpd to enable SSL using so called intermediate/ chaining certificates.

Edit vsftpd.conf so that SSL is enabled:

ssl_enable=YES
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
force_local_data_ssl=NO
force_local_logins_ssl=NO

It is very important to construct the certificate file /usr/share/ssl/certs/vsftpd.pem with the correct certificate order. The fist Your certificate file has to be a .pem file. If you also received an Intermediate Certificate then you have to concatenate this with the Domain Certificate and your Private Key file into one single .pem file. Make sure all the information is included, without any spaces or blanks, see below.

-----BEGIN CERTIFICATE-----
 (your_domain_name.crt)
-----END CERTIFICATE KEY-----
-----BEGIN CERTIFICATE-----
 (chaining certificate 3)
-----END CERTIFICATE KEY-----
-----BEGIN CERTIFICATE-----
 (chaining certificate 2)
-----END CERTIFICATE KEY-----
-----BEGIN CERTIFICATE-----
 (chaining certificate 1)
-----END CERTIFICATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
 (your_domain_name.key)
 -----END RSA PRIVATE KEY-----

This is how to check a SSL enabled FTP service (FTP Secure). See the result below:

$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"
Password:
---- Connecting to ftp.student.vu.nl (130.37.129.243) port 21
<--- 220 Welcome to the Storage FTP service.
---> FEAT
<--- 211-Features:
<---  AUTH SSL
<---  AUTH TLS
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  PBSZ
<---  PROT
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA
 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
  Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
  Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
<--- 200 Always in UTF8 mode.
---> USER xxx330
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (130,37,129,243,196,139).
---- Connecting data socket to (130.37.129.243) port 50315
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA
 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
  Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
  Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
---- Got EOF on data connection
---- Closing data socket
drwxrwsr-x    3 72745    513          4096 Oct 23 14:28 public_html
<--- 226 Directory send OK.
---> QUIT
---- Closing control socket
$

eToken, Personal certificate and the Mozilla suite

Recently I have a personal certificate also known as a Digital ID on a smart card (Aladdin eToken) to access a secure web service. While installing the certificate I noticed it is also possible to use it to digitally sign and encrypt email with the same certificate, so I fired up Thunderbird and added the PCKS#11 security device to configure signing using S/MIME. See the steps below.

“PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards.” (Source: http://en.wikipedia.org/wiki/PKCS11)

I assume you already have installed the eToken software. In case you haven’t, take a look at this article I wrote earlier.

Open Thunderbird and go to Preferences -> Advanced -> Encryption -> Security Devices

Click on “Load” and enter a Module name or choose the default like I did, which is “New PKCS#11 Module” and browse for the ‘libeTPkcs11.so’ library. This file probably sits in ‘/usr/lib’ or ‘/usr/lib64’. Be sure to pick the right one, because you need the 64bit version if you’re using 64bit Firefox.

Open Account Settings -> Security

Select the certificate on your smart card you like to use.

Thunderbird and Firefox are not bundled with the needed CA’s to support GlobalSign PersonalSign Class 2 out-of-the-box. You have to Import the GlobalSign Primary Class 2 CA (http://secure.globalsign.net/cacert/PrimClass2.crt) and GlobalSign PersonalSign Class 2 CA (http://secure.globalsign.net/cacert/PersonalSignClass2.crt) to make it work in Thunderbird, otherwise you’ll notice you’re not able to send digitally signed email.