Planning for Client Deployment for Linux and UNIX Servers

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

Use the information in the following sections to help you plan to deploy the Configuration Manager client for Linux and UNIX.

  • Prerequisites for Client Deployment to Linux and UNIX Servers
    • Dependencies External to Configuration Manager:
  • Planning for Communication across Forest Trusts for Linux and UNIX Servers
    • Service Location by the client for Linux and UNIX
  • Planning for Security and Certificates for Linux and UNIX Servers
    • About Certificates for use by Linux and UNIX Servers
    • Configuring Certificates for Linux and UNIX Servers
  • About Linux and UNIX Operating Systems That do not Support SHA-256

Planning for Client Deployment to Linux and UNIX Servers

Before you deploy the Configuration Manager client for Linux and UNIX, review the information in this section to help you plan for a successful deployment.

Prerequisites for Client Deployment to Linux and UNIX Servers

Use the following information to determine the prerequisites you must have in place to successfully install the client for Linux and UNIX.

Dependencies External to Configuration Manager:

The following tables describe the required UNIX and Linux operating systems and package dependencies.

Red Hat Enterprise Linux ES Release 4

| Required package | Description | Minimum version |
| --- | --- | --- |
| glibc | C Standard Libraries | 2.3.4-2 |
| Openssl | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.7a-43.1 |
| PAM | Pluggable Authentication Modules | 0.77-65.1 |

Red Hat Enterprise Linux Server release 5.1 (Tikanga)

| Required package | Description | Minimum version |
| --- | --- | --- |
| glibc | C Standard Libraries | 2.5-12 |
| Openssl | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.8b-8.3.el5 |
| PAM | Pluggable Authentication Modules | 0.99.6.2-3.14.el5 |

Red Hat Enterprise Linux Server release 6

| Required package | Description | Minimum version |
| --- | --- | --- |
| glibc | C Standard Libraries | 2.12-1.7 |
| Openssl | OpenSSL Libraries; Secure Network Communications Protocol | 1.0.0-4 |
| PAM | Pluggable Authentication Modules | 1.1.1-4 |

Solaris 9 SPARC

| Required package | Description | Minimum version |
| --- | --- | --- |
| Required operating system patch | PAM memory leak | 112960-48 |
| SUNWlibC | Sun Workshop Compilers Bundled libC (sparc) | 5.9,REV=2002.03.18 |
| SUNWlibms | Forte Developer Bundled Shared libm (sparc) | 5.9,REV=2001.12.10 |
| OpenSSL | SMCosslg (sparc). Sun does not provide a version of OpenSSL for Solaris 9 SPARC. There is a version available from Sunfreeware. | 0.9.7g |
| PAM | Pluggable Authentication Modules; SUNWcsl, Core Solaris, (Shared Libs) (sparc) | 11.9.0,REV=2002.04.06.15.27 |

Solaris 10 SPARC

| Required package | Description | Minimum version |
| --- | --- | --- |
| Required operating system patch | PAM memory leak | 117463-05 |
| SUNWlibC | Sun Workshop Compilers Bundled libC (sparc) | 5.10, REV=2004.12.22 |
| SUNWlibms | Math & Microtasking Libraries (Usr) (sparc) | 5.10, REV=2004.11.23 |
| SUNWlibmsr | Math & Microtasking Libraries (Root) (sparc) | 5.10, REV=2004.11.23 |
| SUNWcslr | Core Solaris Libraries (Root) (sparc) | 11.10.0, REV=2005.01.21.15.53 |
| SUNWcsl | Core Solaris Libraries (Root) (sparc) | 11.10.0, REV=2005.01.21.15.53 |
| OpenSSL | SUNWopenssl-libraries (Usr). Sun provides the OpenSSL libraries for Solaris 10 SPARC. They are bundled with the operating system. | 11.10.0,REV=2005.01.21.15.53 |
| PAM | Pluggable Authentication Modules; SUNWcsr, Core Solaris, (Root) (sparc) | 11.10.0, REV=2005.01.21.15.53 |

Solaris 10 x86

| Required package | Description | Minimum version |
| --- | --- | --- |
| Required operating system patch | PAM memory leak | 117464-04 |
| SUNWlibC | Sun Workshop Compilers Bundled libC (i386) | 5.10,REV=2004.12.20 |
| SUNWlibmsr | Math & Microtasking Libraries (Root) (i386) | 5.10, REV=2004.12.18 |
| SUNWcsl | Core Solaris, (Shared Libs) (i386) | 11.10.0,REV=2005.01.21.16.34 |
| SUNWcslr | Core Solaris Libraries (Root) (i386) | 11.10.0, REV=2005.01.21.16.34 |
| OpenSSL | SUNWopenssl-libraries; OpenSSL Libraries (Usr) (i386) | 11.10.0, REV=2005.01.21.16.34 |
| PAM | Pluggable Authentication Modules; SUNWcsr Core Solaris, (Root)(i386) | 11.10.0,REV=2005.01.21.16.34 |

Solaris 11 SPARC

| Required package | Description | Minimum version |
| --- | --- | --- |
| SUNWlibC | Sun Workshop Compilers Bundled libC | 5.11, REV=2011.04.11 |
| SUNWlibmsr | Math & Microtasking Libraries (Root) | 5.11, REV=2011.04.11 |
| SUNWcslr | Core Solaris Libraries (Root) | 11.11, REV=2009.11.11 |
| SUNWcsl | Core Solaris, (Shared Libs) | 11.11, REV=2009.11.11 |
| SUNWcsr | Core Solaris, (Root) | 11.11, REV=2009.11.11 |
| SUNWopenssl-libraries | OpenSSL Libraries (Usr) | 11.11.0,REV=2010.05.25.01.00 |

Solaris 11 x86

| Required package | Description | Minimum version |
| --- | --- | --- |
| SUNWlibC | Sun Workshop Compilers Bundled libC | 5.11, REV=2011.04.11 |
| SUNWlibmsr | Math & Microtasking Libraries (Root) | 5.11, REV=2011.04.11 |
| SUNWcslr | Core Solaris Libraries (Root) | 11.11, REV=2009.11.11 |
| SUNWcsl | Core Solaris, (Shared Libs) | 11.11, REV=2009.11.11 |
| SUNWcsr | Core Solaris, (Root) | 11.11, REV=2009.11.11 |
| SUNWopenssl-libraries | OpenSSL Libraries (Usr) | 11.11.0,REV=2010.05.25.01.00 |

SUSE Linux Enterprise Server 9 (i586)

| Required package | Description | Minimum version |
| --- | --- | --- |
| Service Pack 4 | SUSE Linux Enterprise Server 9 | |
| OS Patch lib gcc-41.rpm | Standard shared library | 41-4.1.2_20070115-0.6 |
| OS Patch lib stdc++-41.rpm | Standard shared library | 41-4.1.2_20070115-0.6 |
| Openssl | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.7d-15.35 |
| PAM | Pluggable Authentication Modules | 0.77-221-11 |

SUSE Linux Enterprise Server 10 SP1 (i586)

| Required package | Description | Minimum version |
| --- | --- | --- |
| glibc-2.4-31.30 | C Standard shared library | 2.4-31.30 |
| OpenSSL | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.8a-18.15 |
| PAM | Pluggable Authentication Modules | 0.99.6.3-28.8 |

SUSE Linux Enterprise Server 11 (i586)

| Required package | Description | Minimum version |
| --- | --- | --- |
| glibc-2.9-13.2 | C Standard shared library | 2.9-13.2 |
| PAM | Pluggable Authentication Modules | pam-1.0.2-20.1 |

Universal Linux (Debian package) Debian, Ubuntu Server

| Required package | Description | Minimum version |
| --- | --- | --- |
| libc6 | C Standard shared library | 2.3.6 |
| OpenSSL | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.8 or 1.0 |
| PAM | Pluggable Authentication Modules | 0.79-3 |

Universal Linux (RPM package) CentOS, Oracle Linux

| Required package | Description | Minimum version |
| --- | --- | --- |
| glibc | C Standard shared library | 2.5-12 |
| OpenSSL | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.8 or 1.0 |
| PAM | Pluggable Authentication Modules | 0.99.6.2-3.14 |

IBM AIX 5L 5.3

| Required package | Description | Minimum version |
| --- | --- | --- |
| OS version | Version of the operating system | AIX 5.3, Technology Level 6, Service Pack 5 |
| xlC.rte | XL C/C++ Runtime | 9.0.0.2 |
| openssl.base | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.8.4 |

IBM AIX 6.1

| Required package | Description | Minimum version |
| --- | --- | --- |
| OS version | Version of operating system | AIX 6.1, any Technology Level and Service Pack |
| xlC.rte | XL C/C++ Runtime | 9.0.0.5 |
| OpenSSL/openssl.base | OpenSSL Libraries; Secure Network Communications Protocol | 0.9.8.4 |

IBM AIX 7.1 (Power)

| Required package | Description | Minimum version |
| --- | --- | --- |
| OS version | Version of operating system | AIX 7.1, any Technology Level and Service Pack |
| xlC.rte | XL C/C++ Runtime | |
| OpenSSL/openssl.base | OpenSSL Libraries; Secure Network Communications Protocol | |

HP-UX 11i v2 IA 64

| Required package | Description | Minimum version |
| --- | --- | --- |
| HPUXBaseOS | Base OS | B.11.23 |
| HPUXBaseAux | HP-UX Base OS Auxiliary | B.11.23.0706 |
| HPUXBaseAux.openssl | OpenSSL Libraries; Secure Network Communications Protocol | A.00.09.07l.003 |
| PAM | Pluggable Authentication Modules | On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |

HP-UX 11i v2 PA-RISC

| Required package | Description | Minimum version |
| --- | --- | --- |
| HPUX11i-OE | HP-UX Foundation Operating Environment | B.11.23.0706 |
| OS-Core.MinimumRuntime.CORE-SHLIBS | Compatible development tools libraries | B.11.23 |
| HPUXBaseAux | HP-UX Base OS Auxiliary | B.11.23.0706 |
| HPUXBaseAux.openssl | OpenSSL Libraries; Secure Network Communications Protocol | A.00.09.071.003 |
| PAM | Pluggable Authentication Modules | On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |

HP-UX 11i v3 PA-RISC

| Required package | Description | Minimum version |
| --- | --- | --- |
| HPUX11i-OE | HP-UX Foundation Operating Environment | B.11.31.0709 |
| OS-Core.MinimumRuntime.CORE2-SHLIBS | Specific IA emulator libraries | B.11.31 |
| openssl/Openssl.openssl | OpenSSL Libraries; Secure Network Communications Protocol | A.00.09.08d.002 |
| PAM | Pluggable Authentication Modules | On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |

HP-UX 11i v3 IA64

| Required package | Description | Minimum version |
| --- | --- | --- |
| HPUX11i-OE | HP-UX Foundation Operating Environment | B.11.31.0709 |
| OS-Core.MinimumRuntime.CORE-SHLIBS | Specific IA development libraries | B.11.31 |
| SysMgmtMin | Minimum Software Deployment Tools | B.11.31.0709 |
| SysMgmtMin.openssl | OpenSSL Libraries; Secure Network Communications Protocol | A.00.09.08d.002 |
| PAM | Pluggable Authentication Modules | On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |

Configuration Manager Dependencies: The following table lists site system roles that support Linux and UNIX clients. For more information about these site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.

| Configuration Manager site system | More information |
| --- | --- |
| Management point | Although a management point is not required to install a Configuration Manager client for Linux and UNIX, you must have a management point to transfer information between client computers and Configuration Manager servers. Without a management point, you cannot manage client computers. |
| Distribution point | The distribution point is not required to install a Configuration Manager client for Linux and UNIX. However, the site system role is required if you deploy software to Linux and UNIX servers. Because the Configuration Manager client for Linux and UNIX does not support communications that use SMB, the distribution points you use with the client must support HTTP or HTTPS communication. |
| Fallback status point | Note: Beginning with cumulative update 1, the Configuration Manager client for Linux and UNIX supports the use of fallback status points. The fallback status point is not required to install a Configuration Manager client for Linux and UNIX. However, the fallback status point enables computers in the Configuration Manager site to send state messages when they cannot communicate with a management point. Clients can also send their installation status to the fallback status point. |

Firewall Requirements: Ensure that firewalls do not block communications across the ports you specify as client request ports. The client for Linux and UNIX communicates directly with management points, distribution points, and fallback status points.

For information about client communication and request ports, see the Configure Request Ports for the Client for Linux and UNIX section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic.

Planning for Communication across Forest Trusts for Linux and UNIX Servers

Linux and UNIX servers you manage with Configuration Manager operate as workgroup clients and require similar configurations as Windows-based clients that are in a workgroup. For information about communications from computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Service Location by the client for Linux and UNIX

The task of locating a site system server that provides service to clients is referred to as service location. Unlike a Windows-based client, the client for Linux and UNIX does not use Active Directory for service location. Additionally, the Configuration Manager client for Linux and UNIX does not support a client property that specifies the domain suffix of a management point. Instead, the client learns about additional site system servers that provide services to clients from a known management point you assign when you install the client software.

For more information about service location, see the Service Location and how clients determine their assigned management point section in the Planning for Communications in Configuration Manager topic.

Planning for Security and Certificates for Linux and UNIX Servers

For secure and authenticated communications with Configuration Manager sites, the Configuration Manager client for Linux and UNIX uses the same model for communication as the Configuration Manager client for Windows.

When you install the Linux and UNIX client, you can assign the client a PKI certificate that enables it to use HTTPS to communicate with Configuration Manager sites. If you do not assign a PKI certificate, the client creates a self-signed certificate and communicates only by HTTP.

Clients that are provided a PKI certificate when they install use HTTPS to communicate with management points. When a client is unable to locate a management point that supports HTTPS, it will fall back to use HTTP with the provided PKI certificate.

When a Linux or UNIX client uses a PKI certificate, you do not have to approve it. When a client uses a self-signed certificate, review the hierarchy settings for client approval in the Configuration Manager console. If the client approval method is not Automatically approve all computers (not recommended), you must manually approve the client.

For more information about how to manually approve the client, see the Managing Clients from the Devices Node section in the How to Manage Clients in Configuration Manager topic.

For information about how to use certificates in Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

About Certificates for use by Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX uses a self-signed certificate or an X.509 PKI certificate just like Windows-based clients. There are no changes to the PKI requirements for Configuration Manager site systems when you manage Linux and UNIX clients.

The certificates you use for Linux and UNIX clients that communicate to Configuration Manager site systems must be in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate.

The Configuration Manager client for Linux and UNIX supports a single PKI certificate, and does not support multiple certificates. Therefore, the certificate selection criteria you configure for a Configuration Manager site does not apply.

Configuring Certificates for Linux and UNIX Servers

To configure a Configuration Manager client for Linux and UNIX servers to use HTTPS communications, you must configure the client to use a PKI certificate at the time you install the client. You cannot provision a certificate prior to installation of the client software.

When you install a client that uses a PKI certificate, you use the command-line parameter -UsePKICert to specify the location and name of a PKCS#12 file that contains the PKI certificate. Additionally you must use the command line parameter -certpw to specify the password for the certificate.

If you do not specify -UsePKICert, the client generates a self-signed certificate and attempts to communicate to site system servers by using HTTP only.
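A pre-install check for the PKCS#12 file that will be passed to -UsePKICert, covering the requirements stated above: PKCS#12 format, a known password, and a single certificate. This is an added example, not part of the Configuration Manager client or of the original topic; the function name `check_pkcs12`, its return codes, the `P12_PASS` environment variable and the 30-day expiry threshold are assumptions of the example, and it relies on the `openssl` command-line tool being installed.

```shell
#!/bin/sh
# Pre-install check for the PKCS#12 file that will be passed to -UsePKICert.
# Added example: check_pkcs12, its return codes, P12_PASS and the 30-day
# threshold are assumptions of this example, not Configuration Manager names.
# The password is taken from the environment variable P12_PASS so that it is
# not placed on the openssl command lines run by this script.

check_pkcs12() {
    p12=$1
    min_days=${2:-30}

    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 7; }
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 3; }
    export P12_PASS

    # 1. The file must be PKCS#12 and must open with the known password.
    certs=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || {
        echo "not a PKCS#12 file, or wrong password" >&2; return 3; }

    # 2. The client supports a single PKI certificate: expect exactly one.
    n=$(printf '%s\n' "$certs" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 1 ] || { echo "expected 1 client certificate, found $n" >&2; return 4; }

    # 3. The private key must be in the file. It is re-encrypted on output
    #    (-passout), so it never crosses the pipe in the clear.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -passout env:P12_PASS 2>/dev/null |
        grep -q 'PRIVATE KEY' || { echo "no private key in $p12" >&2; return 5; }

    # 4. Reject a certificate that expires within min_days.
    printf '%s\n' "$certs" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 6; }

    # All checks passed: show what will be installed.
    printf '%s\n' "$certs" | openssl x509 -noout -subject -enddate
}
```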

About Linux and UNIX Operating Systems That do not Support SHA-256

The following Linux and UNIX operating systems that are supported as clients for Configuration Manager were released with versions of OpenSSL that do not support SHA-256:

  • Red Hat Enterprise Linux Version 4 (x86/x64)

  • Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86)

  • SUSE Linux Enterprise Server Version 9 (x86)

  • HP-UX Version 11iv2 (PA-RISC/IA64)

To manage these operating systems with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX with a command line switch that directs the client to skip validation of SHA-256. Configuration Manager clients that run on these operating system versions operate in a less secure mode than clients that support SHA-256. This less secure mode of operation has the following behavior:

  • Clients do not validate the site server signature associated with policy they request from a management point.

  • Clients do not validate the hash for packages that they download from a distribution point.

Security Note

The ignoreSHA256validation option allows you to run the client for Linux and UNIX computers in a less secure mode. This is intended for use on older platforms that did not include support for SHA-256. This is a security override and is not recommended by Microsoft, but is supported for use in a secure and trusted datacenter environment.

When the Configuration Manager client for Linux and UNIX installs, the install script checks the operating system version. By default, if the operating system version is identified as having released without a version of OpenSSL that supports SHA-256, the installation of the Configuration Manager client fails.

To install the Configuration Manager client on Linux and UNIX operating systems that did not release with a version of OpenSSL that supports SHA-256, you must use the install command line switch ignoreSHA256validation. When you use this command line option on an applicable Linux or UNIX operating system, the Configuration Manager client will skip SHA-256 validation and after installation, the client will not use SHA-256 to sign data it submits to site systems by using HTTP. For information about configuring Linux and UNIX clients to use certificates, see Planning for Security and Certificates for Linux and UNIX Servers in this topic. For information about requiring SHA-256, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic.

Note

The command line option ignoreSHA256validation is ignored on computers that run a version of Linux and UNIX that released with versions of OpenSSL that support SHA-256.