Planning for Client Deployment for Linux and UNIX Servers
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
Note
The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.
Use the information in the following sections to help you plan to deploy the Configuration Manager client for Linux and UNIX.
Prerequisites for Client Deployment to Linux and UNIX Servers
- Dependencies External to Configuration Manager:
Planning for Communication across Forest Trusts for Linux and UNIX Servers
- Service Location by the client for Linux and UNIX
Planning for Security and Certificates for Linux and UNIX Servers
About Certificates for use by Linux and UNIX Servers
Configuring Certificates for Linux and UNIX Servers
About Linux and UNIX Operating Systems That do not Support SHA-256
Planning for Client Deployment to Linux and UNIX Servers
Before you deploy the Configuration Manager client for Linux and UNIX, review the information in this section to help you plan for a successful deployment.
Prerequisites for Client Deployment to Linux and UNIX Servers
Use the following information to determine the prerequisites you must have in place to successfully install the client for Linux and UNIX.
Dependencies External to Configuration Manager:
The following tables describe the required UNIX and Linux operating systems and package dependencies.
Red Hat Enterprise Linux ES Release 4
Required package |
Description |
Minimum version |
|---|---|---|
glibc |
C Standard Libraries |
2.3.4-2 |
Openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.7a-43.1 |
PAM |
Pluggable Authentication Modules |
0.77-65.1 |
Red Hat Enterprise Linux Server release 5.1 (Tikanga)
Required package |
Description |
Minimum version |
|---|---|---|
glibc |
C Standard Libraries |
2.5-12 |
Openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.8b-8.3.el5 |
PAM |
Pluggable Authentication Modules |
0.99.6.2-3.14.el5 |
Red Hat Enterprise Linux Server release 6
Required package |
Description |
Minimum version |
|---|---|---|
glibc |
C Standard Libraries |
2.12-1.7 |
Openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
1.0.0-4 |
PAM |
Pluggable Authentication Modules |
1.1.1-4 |
Solaris 9 SPARC
Required package |
Description |
Minimum version |
|---|---|---|
Required operating system patch |
PAM memory leak |
112960-48 |
SUNWlibC |
Sun Workshop Compilers Bundled libC (sparc) |
5.9,REV=2002.03.18 |
SUNWlibms |
Forte Developer Bundled Shared libm (sparc) |
5.9,REV=2001.12.10 |
OpenSSL |
SMCosslg (sparc) Sun does not provide a version of OpenSSL for Solaris 9 SPARC. There is a version available from Sunfreeware. |
0.9.7g |
PAM |
Pluggable Authentication Modules SUNWcsl, Core Solaris, (Shared Libs) (sparc) |
11.9.0,REV=2002.04.06.15.27 |
Solaris 10 SPARC
Required package |
Description |
Minimum version |
|---|---|---|
Required operating system patch |
PAM memory leak |
117463-05 |
SUNWlibC |
Sun Workshop Compilers Bundled libC (sparc) |
5.10, REV=2004.12.22 |
SUNWlibms |
Math & Microtasking Libraries (Usr) (sparc) |
5.10, REV=2004.11.23 |
SUNWlibmsr |
Math & Microtasking Libraries (Root) (sparc) |
5.10, REV=2004.11.23 |
SUNWcslr |
Core Solaris Libraries (Root) (sparc) |
11.10.0, REV=2005.01.21.15.53 |
SUNWcsl |
Core Solaris Libraries (Root) (sparc) |
11.10.0, REV=2005.01.21.15.53 |
OpenSSL |
SUNopenssl-librararies (Usr) Sun provides the OpenSSL libraries for Solaris 10 SPARC. They are bundled with the operating system. |
11.10.0,REV=2005.01.21.15.53 |
PAM |
Pluggable Authentication Modules SUNWcsr, Core Solaris, (Root) (sparc) |
11.10.0, REV=2005.01.21.15.53 |
Solaris 10 x86
Required package |
Description |
Minimum version |
|---|---|---|
Required operating system patch |
PAM memory leak |
117464-04 |
SUNWlibC |
Sun Workshop Compilers Bundled libC (i386) |
5.10,REV=2004.12.20 |
SUNWlibmsr |
Math & Microtasking Libraries (Root) (i386) |
5.10, REV=2004.12.18 |
SUNWcsl |
Core Solaris, (Shared Libs) (i386) |
11.10.0,REV=2005.01.21.16.34 |
SUNWcslr |
Core Solaris Libraries (Root) (i386) |
11.10.0, REV=2005.01.21.16.34 |
OpenSSL |
SUNWopenssl-libraries; OpenSSL Libraries (Usr) (i386) |
11.10.0, REV=2005.01.21.16.34 |
PAM |
Pluggable Authentication Modules SUNWcsr Core Solaris, (Root)(i386) |
11.10.0,REV=2005.01.21.16.34 |
Solaris 11 SPARC
Required package |
Description |
Minimum version |
|---|---|---|
SUNWlibC |
Sun Workshop Compilers Bundled libC |
5.11, REV=2011.04.11 |
SUNWlibmsr |
Math & Microtasking Libraries (Root) |
5.11, REV=2011.04.11 |
SUNWcslr |
Core Solaris Libraries (Root) |
11.11, REV=2009.11.11 |
SUNWcsl |
Core Solaris, (Shared Libs) |
11.11, REV=2009.11.11 |
SUNWcsr |
Core Solaris, (Root) |
11.11, REV=2009.11.11 |
SUNWopenssl-libraries |
OpenSSL Libraries (Usr) |
11.11.0,REV=2010.05.25.01.00 |
Solaris 11 x86
Required package |
Description |
Minimum version |
SUNWlibC |
Sun Workshop Compilers Bundled libC |
5.11, REV=2011.04.11 |
SUNWlibmsr |
Math & Microtasking Libraries (Root) |
5.11, REV=2011.04.11 |
SUNWcslr |
Core Solaris Libraries (Root) |
11.11, REV=2009.11.11 |
SUNWcsl |
Core Solaris, (Shared Libs) |
11.11, REV=2009.11.11 |
SUNWcsr |
Core Solaris, (Root) |
11.11, REV=2009.11.11 |
SUNWopenssl-libraries |
OpenSSL Libraries (Usr) |
11.11.0,REV=2010.05.25.01.00 |
SUSE Linux Enterprise Server 9 (i586)
Required package |
Description |
Minimum version |
|---|---|---|
Service Pack 4 |
SUSE Linux Enterprise Server 9 |
|
OS Patch lib gcc-41.rpm |
Standard shared library |
41-4.1.2_20070115-0.6 |
OS Patch lib stdc++-41.rpm |
Standard shared library |
41-4.1.2_20070115-0.6 |
Openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.7d-15.35 |
PAM |
Pluggable Authentication Modules |
0.77-221-11 |
SUSE Linux Enterprise Server 10 SP1 (i586)
Required package |
Description |
Minimum version |
|---|---|---|
glibc-2.4-31.30 |
C Standard shared library |
2.4-31.30 |
OpenSSL |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.8a-18.15 |
PAM |
Pluggable Authentication Modules |
0.99.6.3-28.8 |
SUSE Linux Enterprise Server 11 (i586)
Required package |
Description |
Minimum version |
|---|---|---|
glibc-2.9-13.2 |
C Standard shared library |
2.9-13.2 |
PAM |
Pluggable Authentication Modules |
pam-1.0.2-20.1 |
Universal Linux (Debian package) Debian, Ubuntu Server
Required package |
Description |
Minimum version |
|---|---|---|
libc6 |
C Standard shared library |
2.3.6 |
OpenSSL |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.8 or 1.0 |
PAM |
Pluggable Authentication Modules |
0.79-3 |
Universal Linux (RPM package) CentOS, Oracle Linux
Required package |
Description |
Minimum version |
|---|---|---|
glibc |
C Standard shared library |
2.5-12 |
OpenSSL |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.8 or 1.0 |
PAM |
Pluggable Authentication Modules |
0.99.6.2-3.14 |
IBM AIX 5L 5.3
Required package |
Description |
Minimum version |
|---|---|---|
OS version |
Version of the operating system |
AIX 5.3, Technology Level 6, Service Pack 5 |
xlC.rte |
XL C/C++ Runtime |
9.0.0.2 |
openssl.base |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.8.4 |
IBM AIX 6.1
Required package |
Description |
Minimum version |
|---|---|---|
OS version |
Version of operating system |
AIX 6.1, any Technology Level and Service Pack |
xlC.rte |
XL C/C++ Runtime |
9.0.0.5 |
OpenSSL/openssl.base |
OpenSSL Libraries; Secure Network Communications Protocol |
0.9.8.4 |
IBM AIX 7.1 (Power)
Required package |
Description |
Minimum version |
|---|---|---|
OS version |
Version of operating system |
AIX 7.1, any Technology Level and Service Pack |
xlC.rte |
XL C/C++ Runtime |
|
OpenSSL/openssl.base |
OpenSSL Libraries; Secure Network Communications Protocol |
HP-UX 11i v2 IA 64
Required package |
Description |
Minimum version |
|---|---|---|
HPUXBaseOS |
Base OS |
B.11.23 |
HPUXBaseAux |
HP-UX Base OS Auxiliary |
B.11.23.0706 |
HPUXBaseAux.openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
A.00.09.07l.003 |
PAM |
Pluggable Authentication Modules |
On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |
HP-UX 11i v2 PA-RISC
Required package |
Description |
Minimum version |
|---|---|---|
HPUX11i-OE |
HP-UX Foundation Operating Environment |
B.11.23.0706 |
OS-Core.MinimumRuntime.CORE-SHLIBS |
Compatible development tools libraries |
B.11.23 |
HPUXBaseAux |
HP-UX Base OS Auxiliary |
B.11.23.0706 |
HPUXBaseAux.openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
A.00.09.071.003 |
PAM |
Pluggable Authentication Modules |
On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |
HP-UX 11i v3 PA-RISC
Required package |
Description |
Minimum version |
|---|---|---|
HPUX11i-OE |
HP-UX Foundation Operating Environment |
B.11.31.0709 |
OS-Core.MinimumRuntime.CORE2-SHLIBS |
Specific IA emulator libraries |
B.11.31 |
openssl/Openssl.openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
A.00.09.08d.002 |
PAM |
Pluggable Authentication Modules |
On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |
HP-UX 11i v3 IA64
Required package |
Description |
Minimum version |
|---|---|---|
HPUX11i-OE |
HP-UX Foundation Operating Environment |
B.11.31.0709 |
OS-Core.MinimumRuntime.CORE-SHLIBS |
Specific IA development libraries |
B.11.31 |
SysMgmtMin |
Minimum Software Deployment Tools |
B.11.31.0709 |
SysMgmtMin.openssl |
OpenSSL Libraries; Secure Network Communications Protocol |
A.00.09.08d.002 |
PAM |
Pluggable Authentication Modules |
On HP-UX, PAM is part of the core operating system components. There are no other dependencies. |
Configuration Manager Dependencies: The following table lists site system roles that support Linux and UNIX clients. For more information about these site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system |
More information |
|---|---|
Management point |
Although a management point is not required to install a Configuration Manager client for Linux and UNIX, you must have a management point to transfer information between client computers and Configuration Manager servers. Without a management point, you cannot manage client computers. |
Distribution point |
The distribution point is not required to install a Configuration Manager client for Linux and UNIX. However, the site system role is required if you deploy software to Linux and UNIX servers. Because the Configuration Manager client for Linux and UNIX does not support communications that use SMB, the distribution points you use with the client must support HTTP or HTTPS communication. |
Fallback status point |
Note Beginning with cumulative update 1, the Configuration Manager client for Linux and UNIX supports the use of fallback status points. The fallback status point is not required to install a Configuration Manager client for Linux and UNIX. However, The fallback status point enables computers in the Configuration Manager site to send state messages when they cannot communicate with a management point. Client can also send their installation status to the fallback status point. |
Firewall Requirements: Ensure that firewalls do not block communications across the ports you specify as client request ports. The client for Linux and UNIX communicates directly with management points, distribution points, and fallback status points.
For information about client communication and request ports, see the Configure Request Ports for the Client for Linux and UNIX section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic.
Planning for Communication across Forest Trusts for Linux and UNIX Servers
Linux and UNIX servers you manage with Configuration Manager operate as workgroup clients and require similar configurations as Windows-based clients that are in a workgroup. For information about communications from computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Service Location by the client for Linux and UNIX
The task of locating a site system server that provides service to clients is referred to as service location. Unlike a Windows-based client, the client for Linux and UNIX does not use Active Directory for service location. Additionally, the Configuration Manager client for Linux and UNIX does not support a client property that specifies the domain suffix of a management point. Instead, the client learns about additional site system servers that provide services to clients from a known management point you assign when you install the client software.
For more information about service location, see the Service Location and how clients determine their assigned management point section in the Planning for Communications in Configuration Manager topic.
Planning for Security and Certificates for Linux and UNIX Servers
For secure and authenticated communications with Configuration Manager sites, the Configuration Manager client for Linux and UNIX uses the same model for communication as the Configuration Manager client for Windows.
When you install the Linux and UNIX client, you can assign the client a PKI certificate that enables it to use HTTPS to communicate with Configuration Manager sites. If you do not assign a PKI certificate, the client creates a self-signed certificate and communicates only by HTTP.
Clients that are provided a PKI certificate when they install use HTTPS to communicate with management points. When a client is unable to locate a management point that supports HTTPS, it will fall back to use HTTP with the provided PKI certificate.
When a Linux or UNIX client uses a PKI certificate you do not have to approve them. When a client uses a self-signed certificate, review the hierarchy settings for client approval in the Configuration Manager console. If the client approval method is not Automatically approve all computers (not recommended), you must manually approve the client.
For more information about how to manually approve the client, see the Managing Clients from the Devices Node section in the How to Manage Clients in Configuration Manager topic.
For information about how to use certificates in Configuration Manager, see PKI Certificate Requirements for Configuration Manager.
About Certificates for use by Linux and UNIX Servers
The Configuration Manager client for Linux and UNIX uses a self-signed certificate or an X.509 PKI certificate just like Windows-based clients. There are no changes to the PKI requirements for Configuration Manager site systems when you manage Linux and UNIX clients.
The certificates you use for Linux and UNIX clients that communicate to Configuration Manager site systems must be in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate.
The Configuration Manager client for Linux and UNIX supports a single PKI certificate, and does not support multiple certificates. Therefore, the certificate selection criteria you configure for a Configuration Manager site does not apply.
Configuring Certificates for Linux and UNIX Servers
To configure a Configuration Manager client for Linux and UNIX servers to use HTTPS communications, you must configure the client to use a PKI certificate at the time you install the client. You cannot provision a certificate prior to installation of the client software.
When you install a client that uses a PKI certificate, you use the command-line parameter -UsePKICert to specify the location and name of a PKCS#12 file that contains the PKI certificate. Additionally you must use the command line parameter -certpw to specify the password for the certificate.
If you do not specify -UsePKICert, the client generates a self-signed certificate and attempts to communicate to site system servers by using HTTP only.
About Linux and UNIX Operating Systems That do not Support SHA-256
The following Linux and UNIX operating systems that are supported as clients for Configuration Manager were released with versions of OpenSSL that do not support SHA-256:
Red Hat Enterprise Linux Version 4 (x86/x64)
Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86)
SUSE Linux Enterprise Server Version 9 (x86)
HP-UX Version 11iv2 (PA-RISH/IA64)
To manage these operating systems with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX with a command line switch that directs the client to skip validation of SHA-256. Configuration Manager clients that run on these operating system versions operate in a less secure mode than clients that support SHA-256. This less secure mode of operation has the following behavior:
Clients do not validate the site server signature associated with policy they request from a management point.
Clients do not validate the hash for packages that they download from a distribution point.
.jpeg "System_CAPS_security") Security Note |
|---|
The ignoreSHA256validation option allows you to run the client for Linux and UNIX computers in a less secure mode. This is intended for use on older platforms that did not include support for SHA-256. This is a security override and is not recommended by Microsoft, but is supported for use in a secure and trusted datacenter environment. |
When the Configuration Manager client for Linux and UNIX installs, the install script checks the operating system version. By default, if the operating system version is identified as having released without a version of OpenSSL that supports SHA-256, the installation of the Configuration Manager client fails.
To install the Configuration Manager client on Linux and UNIX operating systems that did not release with a version of OpenSSL that supports SHA-256, you must use the install command line switch ignoreSHA256validation. When you use this command line option on an applicable Linux or UNIX operating system, the Configuration Manager client will skip SHA-256 validation and after installation, the client will not use SHA-256 to sign data it submits to site systems by using HTTP. For information about configuring Linux and UNIX clients to use certificates, see Planning for Security and Certificates for Linux and UNIX Servers in this topic. For information about requiring SHA-256, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic.
Note
The command line option ignoreSHA256validation is ignored on computers that run a version of Linux and UNIX that released with versions of OpenSSL that support SHA-256.