SCOM 2019 Linux agent push fail when enable FIPS mode

Asoka Chang 46 Reputation points
2022-03-02T23:58:34.097+00:00

We have fix Redhat 8.5 same Ciphers and enable update-crypto-policies --set FIPS, and then to push Linux agent from SCOM 2019 MS.

Redhat Ciphers are:
sed -i '27a Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com' /etc/ssh/sshd_config
sed -i '28a KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org' /etc/ssh/sshd_config

and setup FIPS and enable it:
update-crypto-policies --set FIPS
fips-mode-setup --enable

when to push Linux agent, it is still to get error from push process:

Failed to install kit. Exit code: 1
Standard Output: Sudo path: /usr/bin/
Extracting...
Installing cross-platform agent ...
----- Installing package: omi (omi-1.6.8-1.ulinux.x64) -----
----- Installing package: scx (scx-1.6.8-1.universal.x64) -----
----- Removing package: scx -----
----- Removing package: omi -----
----- Installing package: omi (omi-1.6.8-1.ulinux.x64) -----
Install failed

Standard Error: package omi-1.6.8-1.x86_64 does not verify: no digest

Please hellp to solve this trouble, Thanks

Operations Manager
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,425 questions
0 comments No comments
{count} vote

3 answers

Sort by: Most helpful
  1. AlexZhu-MSFT 5,551 Reputation points Microsoft Vendor
    2022-03-03T02:20:27.53+00:00

    Hi,

    It seems this version of CentOS has already reached its end of life on 31 December 2021. And all the download links are broken now.

    http://isoredirect.centos.org/centos/8/isos/x86_64/

    For the current supported versions, we can download it and have a try with FIPS.

    http://isoredirect.centos.org/centos/7/isos/x86_64/
    http://isoredirect.centos.org/centos/8-stream/isos/x86_64/
    Note: the above links are from CentOS, not Microsoft.

    Regards
    Alex

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. AlexZhu-MSFT 5,551 Reputation points Microsoft Vendor
    2022-03-04T08:20:42.157+00:00

    Hi,

    Thank you for the patience. Here's some update.

    If we set system crypto policy to FIPS, it seems it will break the SSH connection. During my test, I encoutered similar problem. When FIPS is enabled, the Linux agent discovery is broken, after it is disabled, the discovery works the subsequent deploying, installing continues.

    I will do more research to check if the problem relates to specific distribution or something else and report back once there is any findings.

    179977-scom-rhel85-01.jpg

    discovery failed due to ssh error
    180027-scom-rhel85-05-ssh-error.png

    after disabling FIPS, discovery succeeds
    179979-scom-rhel85-07.png

    Regards
    Alex

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Jared 1 Reputation point
    2022-08-29T21:10:54.99+00:00

    I have the same issue when running 2022. I am unable to install and run the agent on RHEL 8 if FIPS is enabled. Has anyone found a work around other than disabling FIPS as that is also not an option for me?

    0 comments No comments