One of the more annoying tasks when configuring monitoring for nix/xplat agents is exporting each management server's certificate and then importing those certificates on every other member of the designated cross-platform resource pool. When you deploy a nix agent, the agent automatically trusts only the management server that performed the certificate signing during the agent deployment task (described here). You must import that management server's cert on every other management server that may participate in managing the agent; otherwise only the signing server can manage/monitor it. Doing this ensures that any member of the resource pool can manage/monitor any of the nix agents. This certificate sharing procedure is usually done manually and is very tedious.
Behold, an easier way!
Most of you reading this are already familiar with Kevin's SCOM Management MP. That MP contains a useful task to execute PowerShell on any target computer. You can use this task to run the PowerShell command below on your Nix resource pool members.
Note: You must customize the shared folder path, and the folder must already exist. Using an admin share like the example below is easy. Keep in mind that the command imports every *.cert file it finds in that folder, so anyone who can write to the share can get a certificate trusted by all of your management servers. Limit write access to the folder to the account the task runs as (or to SCOM admins) and delete the folder when you are done.
$SharedFolder = '\\MS01.CONTOSO.COM\c$\SCOM_Mgmt_Certs';
Copy the command below.
Customize the path.
IT MUST BE ALL ON ONE SINGLE LINE IN ORDER FOR THE TASK TO WORK.
$SharedFolder = '\\MS01.CONTOSO.COM\c$\SCOM_Mgmt_Certs'; $thisComputer = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties(); $SCOMPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup" -Name InstallDirectory).InstallDirectory; $scxcertconfig = Join-Path $SCOMPath 'scxcertconfig.exe'; $myCert = "$($thisComputer.HostName).$($thisComputer.DomainName).cert"; Get-ChildItem (Join-Path $SharedFolder $myCert) -ErrorAction SilentlyContinue | ForEach-Object { Rename-Item -Path $_.FullName -NewName "$($_.Name).$(Get-Date -Format 'yyyyMMdd-HHmmss')" -Force }; & $scxcertconfig -export (Join-Path $SharedFolder $myCert); Start-Sleep -Seconds 15; Get-ChildItem $SharedFolder -Include "*.cert" -Exclude $myCert -Recurse | ForEach-Object { & $scxcertconfig -import $_.FullName }; & $scxcertconfig -list
Here's a breakdown of what each statement does…
# CUSTOMIZE THIS FOLDER PATH. THIS PATH MUST ALREADY EXIST!
$SharedFolder = '\\MS01.CONTOSO.COM\c$\SCOM_Mgmt_Certs';
# Stores the host name and DNS domain name of the local computer (used to build its FQDN)
$thisComputer = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties();
# Identify the path where SCOM was installed and build the path to scxcertconfig.exe
$SCOMPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup" -Name InstallDirectory).InstallDirectory;
$scxcertconfig = Join-Path $SCOMPath 'scxcertconfig.exe';
# File name of this server's cert in the shared folder: <FQDN>.cert
$myCert = "$($thisComputer.HostName).$($thisComputer.DomainName).cert";
# Rename any existing cert of this server in the folder (adds a timestamp suffix so it no longer matches *.cert)
Get-ChildItem (Join-Path $SharedFolder $myCert) -ErrorAction SilentlyContinue | ForEach-Object { Rename-Item -Path $_.FullName -NewName "$($_.Name).$(Get-Date -Format 'yyyyMMdd-HHmmss')" -Force };
# Export the SCOM cert of the local computer to the shared folder
& $scxcertconfig -export (Join-Path $SharedFolder $myCert);
# Wait for all other mgmt servers (running this same task) to complete their cert export
Start-Sleep -Seconds 15;
# Import the certs of all other mgmt servers (everything named *.cert except our own)
Get-ChildItem $SharedFolder -Include "*.cert" -Exclude $myCert -Recurse | ForEach-Object { & $scxcertconfig -import $_.FullName };
# List the certs this server now trusts so the task output shows the result
& $scxcertconfig -list
Where do I begin?
Identify the names of your Nix resource pool members…
This is whichever resource pool you have designated to be used for your unix/linux agent management.
Locate the server objects in the "SCOM Mgmt Servers" state view (from Kevin's MP), select all of the pool members, then run the task against them together as shown… The Start-Sleep in the command gives the other servers time to finish their export before the import loop runs. If you run the task one server at a time instead, run it a second time after the last server has exported, so that every server picks up every other server's cert.
Successful display of imported SCOM certs.
You can see that all other management server certificates are now imported on each management server.
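The one-liner above trusts every *.cert file it finds in the share. As an added example (not from the original post or from Kevin's MP), here is a version of the import step that only imports certs whose file name matches an actual member of the cross-platform resource pool, refuses files that do not parse as X.509 certificates, and checks scxcertconfig -list afterwards. It assumes the OperationsManager PowerShell module is present on the management server, that resource pool members returned by Get-SCOMResourcePool expose the server FQDN as DisplayName, that the pool name 'Unix/Linux Resource Pool' is a placeholder you replace with your own, and that the export step has already written <FQDN>.cert files as in the command above.

```powershell
# Added example, not part of the original post. Import only the certs of servers
# that are members of the designated nix resource pool, then verify the result.
Import-Module OperationsManager

$PoolName     = 'Unix/Linux Resource Pool'          # hypothetical: use your pool's display name
$SharedFolder = '\\MS01.CONTOSO.COM\c$\SCOM_Mgmt_Certs'

$ip    = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$me    = "$($ip.HostName).$($ip.DomainName)".ToLower()
$setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup' -Name InstallDirectory
$scxcertconfig = Join-Path $setup.InstallDirectory 'scxcertconfig.exe'

# Allowlist of expected cert file names: the FQDNs of the pool members.
# Assumption: member objects expose the management server FQDN as DisplayName.
$pool = Get-SCOMResourcePool -DisplayName $PoolName
if (-not $pool) { throw "Resource pool '$PoolName' not found" }
$members = @($pool.Members | ForEach-Object { $_.DisplayName.ToLower() })
if ($members.Count -eq 0) { throw "Resource pool '$PoolName' has no members" }
$peers = $members | Where-Object { $_ -ne $me }

$imported = @()
foreach ($peer in $peers) {
    $file = Join-Path $SharedFolder "$peer.cert"
    if (-not (Test-Path -Path $file)) {
        Write-Warning "No cert exported yet for $peer; run the export on that server first"
        continue
    }
    # Refuse anything that does not load as an X.509 certificate (DER and PEM both load here).
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    } catch {
        Write-Warning "$file is not a valid certificate, skipping"
        continue
    }
    Write-Host "Importing $peer (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
    & $scxcertconfig -import $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "scxcertconfig -import failed for $peer (exit code $LASTEXITCODE)"
        continue
    }
    $imported += $peer
}

# Anything else sitting in the share is unexpected: report it, never import it.
Get-ChildItem -Path $SharedFolder -Filter '*.cert' |
    Where-Object { $members -notcontains $_.BaseName.ToLower() } |
    ForEach-Object { Write-Warning "Unexpected cert in share, not imported: $($_.Name)" }

# Verification. Assumption: the -list output names the server whose cert was imported;
# if your output does not, compare it by hand against $imported instead.
$list = (& $scxcertconfig -list) -join "`n"
foreach ($peer in $peers) {
    if ($list -notmatch [regex]::Escape($peer)) {
        Write-Warning "$peer does not appear in scxcertconfig -list output"
    }
}
Write-Host "Imported $($imported.Count) of $($peers.Count) peer certificates"
```

Run it through the same "execute PowerShell" task on every pool member after the export step has completed on all of them; the allowlist means a stray or planted .cert in the share is reported rather than trusted.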
One Reply on “Easily Configure SCOM Cross-Platform Management Server Certificates”