Continuing from Part 1, where I explained how to dual-home SCOM UNIX/LINUX agents (a method that is still NOT supported by Microsoft), it is time to blog about how to migrate the dual-homed SCOM UNIX/LINUX agents to the new Management Group.
Pre-Requisites:
My setup:
** The Management Group names do not matter in this process, so I am omitting them.
** I will refer to the SCOM 2012 R2 MG as the Old MG and the SCOM 2019 MG as the New MG.
Steps:
monuser ALL=(root) NOPASSWD: /bin/sh -c openssl x509 -noout -text -in /etc/opt/microsoft/scx/ssl/scx.pem | grep 'Signature Algorithm'
Option 1: From the SCOM console
Navigate to Monitoring -> Unix/Linux Computers -> Select an agent -> Run the task “UNIX/Linux Verify Certificate Signature Task”.
** You might not see the task if you do not have the latest UNIX/LINUX library MP.
Option 2: From the X-Plat agent
Run the below command on the X-Plat agent
openssl x509 -noout -text -in /etc/opt/microsoft/scx/ssl/scx.pem | grep 'Signature Algorithm'
Option 3: Using the below PowerShell script for bulk check
Before you can use the script, create an XML file on one of the MS and paste in these contents.
** This is the reason I left one MS in the RTM version to create a certificate with SHA1.
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
  <p:Command>openssl x509 -noout -text -in /etc/opt/microsoft/scx/ssl/scx.pem | grep 'Signature Algorithm'</p:Command>
  <p:timeout>10</p:timeout>
</p:ExecuteShellCommand_INPUT>
Now run the below script on the MS.
** Replace the Username and Password of the LINUX user.
** Replace the location where the xml file is saved. In my case it is C:\temp\SCXSignature.xml
#Import SCOM Module
$InstallDir=(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup').InstallDirectory
$OMPowerShellDir=$InstallDir.Replace('Server','PowerShell')
$Modulepath=$OMPowerShellDir + "OperationsManager\OperationsManager.psd1"
Import-Module $Modulepath

#Get all X-Plat agents
$SCXAgents=Get-SCXAgent

foreach($SCXAgent in $SCXAgents)
{
    #Run the command from the xml file on the agent over WS-Man (port 1270).
    #The -skipCAcheck, -skipCNcheck and -skiprevocationcheck switches turn off certificate validation for this call.
    $output=winrm invoke ExecuteShellCommand http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem?__cimnamespace=root/scx -remote:https://$($SCXAgent.Name):1270 -auth:basic -username:<replaceusername> -password:<replacepassword> -skipCAcheck -skipCNcheck -skiprevocationcheck -encoding:utf-8 -file:<replace the xml location>

    #Classify the certificate by its signature algorithm (case-sensitive match)
    if($Output -cmatch "sha256WithRSAEncryption")
    {
        $taskresultOutput="SHA256"
    }
    elseif($Output -cmatch "sha1WithRSAEncryption")
    {
        $taskresultOutput="SHA1"
    }
    else
    {
        $taskresultOutput="No SHA256 or SHA1"
    }

    [PSCustomObject]@{
        Agent = $SCXAgent.Name
        Output = $taskresultOutput
    }
}
Sample results:
Agent               Output
-----               ------
ubuntu1704.nfs.lab  SHA1
SLES12SP3.nfs.lab   SHA256
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
  <p:Command>openssl x509 -noout -text -in /etc/opt/microsoft/scx/ssl/scx.pem | grep Issuer</p:Command>
  <p:timeout>10</p:timeout>
</p:ExecuteShellCommand_INPUT>
Now run the below script on the MS.
** Replace the Username and Password of the LINUX user.
** Replace the location where the xml file is saved. In my case it is C:\temp\SCXCertsigningMS.xml
#Import SCOM Module
$InstallDir=(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup').InstallDirectory
$OMPowerShellDir=$InstallDir.Replace('Server','PowerShell')
$Modulepath=$OMPowerShellDir + "OperationsManager\OperationsManager.psd1"
Import-Module $Modulepath

#Get all X-Plat agents
$SCXAgents=Get-SCXAgent

foreach($SCXAgent in $SCXAgents)
{
    #Run the command from the xml file on the agent over WS-Man (port 1270).
    #The -skipCAcheck, -skipCNcheck and -skiprevocationcheck switches turn off certificate validation for this call.
    $output=winrm invoke ExecuteShellCommand http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem?__cimnamespace=root/scx -remote:https://$($SCXAgent.Name):1270 -auth:basic -username:<replace username> -password:<replace password> -skipCAcheck -skipCNcheck -skiprevocationcheck -encoding:utf-8 -file:<replace the xml file path>

    #The Issuer line is the 4th line of the output; keep the value of its second comma-separated field
    $issuer=$output[3]
    $issuer=$issuer.split(',')[1]
    $issuer=$issuer.Split('=')[1]

    [PSCustomObject]@{
        Agent = $SCXAgent.Name
        Issuer = $issuer
    }
}
Sample results:
Agent              Issuer
-----              ------
rhel7-8.nfs.lab    SCOM2019MS1
SLES12SP3.nfs.lab  SCOM2012R2MS
As we can see, the dual-homed agent SLES12SP3 is signed by the old MS. Let us sign it with the new MS.
To do this, navigate to Monitoring -> Unix/Linux Computers -> Select an agent -> Run the task “UNIX/LINUX Update Certificate Task”.
To do this in bulk a script is provided in this blog. Once the task completes successfully, run the script again to verify all the SCX Agents have the certificate signed from the new MS/GW in the new MG.
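An added example, not part of the original post: one way to fold both checks into a single record per agent and flag agents not yet signed by the new MG, finding the Issuer line by content rather than by fixed index so that an empty winrm result gives a blank Issuer instead of an indexing error. The function name, its parameters and the sample winrm output (including its shape and the issuer string) are assumptions constructed for illustration.

```powershell
# Added example; function name and parameters are hypothetical.
function ConvertFrom-ScxCertOutput {
    param(
        [string]   $Agent,
        [string[]] $SigOutput,     # winrm output for the 'Signature Algorithm' command
        [string[]] $IssuerOutput,  # winrm output for the 'Issuer' command
        [string[]] $NewSigners     # names of the MS/GW in the new MG
    )

    # Same case-sensitive classification as the bulk signature script.
    $sigText = $SigOutput -join "`n"
    if ($sigText -cmatch 'sha256WithRSAEncryption') {
        $algorithm = 'SHA256'
    } elseif ($sigText -cmatch 'sha1WithRSAEncryption') {
        $algorithm = 'SHA1'
    } else {
        $algorithm = 'No SHA256 or SHA1'
    }

    # Find the Issuer line by content, then apply the post's parsing:
    # second comma-separated field, value after '='.
    $issuer = $null
    $line = $IssuerOutput | Where-Object { $_ -match 'Issuer:' } | Select-Object -First 1
    if ($line) {
        $fields = ($line -replace '^.*Issuer:\s*', '').Split(',')
        if ($fields.Count -gt 1 -and $fields[1] -match '=') {
            $issuer = $fields[1].Split('=')[1].Trim()
        }
    }

    [PSCustomObject]@{
        Agent         = $Agent
        Signature     = $algorithm
        Issuer        = $issuer
        SignedByNewMG = ($null -ne $issuer) -and ($issuer -in $NewSigners)
    }
}

# Constructed sample output (assumed shape, placeholder issuer value).
$sampleSig    = @('ExecuteShellCommand_OUTPUT', '    ReturnCode = 0', '    ReturnValue = true',
                  '    StdOut = Signature Algorithm: sha256WithRSAEncryption')
$sampleIssuer = @('ExecuteShellCommand_OUTPUT', '    ReturnCode = 0', '    ReturnValue = true',
                  '    StdOut = Issuer: CN=SCX-Certificate/title=PLACEHOLDER, DC=SCOM2012R2MS')

# One agent still signed by the old MS, and one that returned nothing.
ConvertFrom-ScxCertOutput -Agent 'SLES12SP3.nfs.lab' -SigOutput $sampleSig -IssuerOutput $sampleIssuer -NewSigners 'SCOM2019MS1'
ConvertFrom-ScxCertOutput -Agent 'unreachable.nfs.lab' -SigOutput @() -IssuerOutput @() -NewSigners 'SCOM2019MS1'
```

Filtering the results on SignedByNewMG being false gives the list of agents that still need the Update Certificate task.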
When you are done with the entire migration, you can remove the SCX certificate of the old MS/GW from the new MS/GW. They are no longer required.
That’s all for now. Best of luck for your migration. If you are stuck anywhere you can reach out to me.
Hope that was helpful.
Thanks!
Explore, Learn, Share, Repeat!