SCOM 2007: Certificate for This System Is Not Valid When Installing a Linux Agent

Certificates are used between the management server and the UNIX-based or Linux-based computers.

So after making sure I had all the pre-requisites needed to deploy an Linux agent I launched the discovery wizard

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_6BD648A3.png

But my agent installation failed because the certificate could not be signed.

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_2076A4DF.png

The certificate signing process does the following:

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_2DDCB7E5.png

For an unknown reason my certifcate was not signed and trusted.

 I also got the following error in my event log:

Unexpected ScxCertLibException: Unable to open root store 
; input data is: -----BEGIN CERTIFICATE----- 
MIIDHjCCAgYCAQEwDQYJKoZIhvcNAQEFBQAwZjEYMBYGA1UEAxMPU0NYLUNlcnRp 
ZmljYXRlMTAwLgYDVQQMEydTQ1g2MzMzNzZEMi1FM0UyLTRmMzEtODQ2MS1EMDky

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_37387D19.png

To solve this problem you need to sign the certificate on your OpsMgr server following this procedure:

 Download and install Winscp on your OpsMgr server.

 Start Winscp and connect to your Linux machine

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_4BBDCC97.png

Click yes

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_60431C15.png

Browse to /etc/opt/microsoft/scx/ssl

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_7F85C2E8.png

Copy the key scx-host-<hostname>.pem  to your opsmgr server.

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_3D81E458.png

Open the command prompt on your OpsMgr server and change directories to the location where you copied the certificate. Type the command

“scxcertconfig -sign scx-host-<hostname>.pem scx_new.pem”

and then press ENTER. This command will self-sign your certificate (scx-host-<hostname>.pem) and then save the new certificate.

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_4AE7F75E.png

Rename your scx_new.pem file with scx-host-<hostname>.ad.pem and replace the original file on your linux server with this file.

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_4A7BC469.png

Connect to your Linux server with putty

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_73F2965A.png

and type scxadmin –restart

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_7AA59FDD.png

This step is very important! If you don’t restart the scxadmin the discovery wizard will still complain about the certificate not being signed!!

Now close your discovery wizard and re launch it.

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_335049EB.png

The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.Almost immediately you will get a message saying the agent is successfully signed and installed:

http://scug.be/cfs-file.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/scom/image_5F00_thumb_5F00_47D59969.png

Hope this helps,
Courtesy: scug.be

-Chandan Bharti