Managing certificates for UNIX and Linux computers


This version of Operations Manager has reached the end of support. We recommend you to upgrade to Operations Manager 2022.

With System Center Operations Manager, you can deploy agents to UNIX or Linux computers. Kerberos authentication isn't possible. Therefore, certificates are used between the management server and the UNIX or Linux computers. In this scenario, the management server acts as a standalone certificate authority. (Although it's possible to use third-party certificates, they aren't needed.)

Prior to Operations Manager 2016, the Linux Agent used to generate certificates and encrypt it with SHA1. From 2016, the Linux Agent generates a SHA1 certificate and then, as part of the discovery process, the certificate gets encrypted with SHA256.

With Operations Manager 2022, the certificate gets encrypted with SHA256.

There are two methods you can use to deploy agents. You can use the Discovery Wizard or you can manually install an agent. Of these two methods, manually installing an agent is the more secure option. When you use the Discovery Wizard to push agents to UNIX or Linux computers, you trust that the computer you're deploying to is really the computer that you think it is. When you use the Discovery Wizard to deploy agents, it involves a greater risk than when you deploy to computers on the public network or in a perimeter network.

When you use the Discovery Wizard to deploy an agent, the Discovery Wizard performs the following functions:

  • Deployment - The Discovery Wizard copies the agent package to the UNIX or Linux computer and then starts the installation process.

  • Certificate Signing - Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

  • Discovery - The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.

When you manually deploy an agent, you perform the first two steps that are typically handled by the Discovery Wizard: deployment and certificate signing. Then, you use the Discovery Wizard to add the computer to the Operations Manager database.

If there are existing certificates on the system, they're reused during agent installation. New certificates aren't created. Certificates aren't automatically deleted when you uninstall an agent. You must manually delete the certificates that are listed in the /etc/opt/microsoft/scx/ssl folder. To regenerate the certificates during installation, you must remove this folder before agent installation.

For instructions on how to manually deploy an agent, see Install Agent and Certificate on UNIX and Linux Computers Using the Command Line, and then use the following procedure to install the certificates.

UNIX and Linux firewall considerations

If you've a firewall on your UNIX or Linux computer, you must open port 1270 (inbound). This port number isn't configurable. If you're deploying agents in a low security environment and you use the Discovery Wizard to deploy and sign the certificates, you must open the SSH port. The SSH port number is configurable. By default, SSH uses inbound TCP port 22. For more information about firewall configuration for Operations Manager, see Configuring a Firewall for Operations Manager.

Next steps