Recently I came across a strange error while trying to discover a SCOM cross-platform agent on an IBM AIX Unix server.
When discovering the agent you will get the following error message:
“Signed certificate verification operation was not successful
The agent responded to the request but the WSMan connection failed due to: Access is Denied.”
For those of you who are not familiar with the discovery process for cross-platform agents, it goes something like this:
1. The SCOM server checks the server's OS, and whether it is 32-bit or 64-bit, via an SSH script.
2. SCOM will move the proper files to the server via SSH.
3. It will then try to run the installation file (RPM for Red Hat Linux, etc.) using the credentials you have entered.
4. During the installation process, SCOM will create a self-signed certificate on the Unix\Linux server.
5. The cert will be moved back to the SCOM server for signing on the SCOM side.
6. SCOM will move the new double-signed cert to the Unix\Linux server.
During stage 4, SCOM will try to authenticate the cert using the credentials you have entered.
Strangely, this check will not occur inside the cross-platform server BUT from the SCOM server itself via WinRM.
The message I received states that SCOM failed to authenticate the cert via WinRM using the credentials.
In order to double-check that this is in fact the problem we are facing, you can test the WinRM query using PowerShell.
Just log on to the SCOM server from which you are trying to run the discovery, open PowerShell or PowerShell ISE and run this command:
Test-WSMan -Port 1270 -ComputerName "ServerName" -Authentication Basic -Credential (Get-Credential) -UseSSL
*Remember to enter the proper server name.
If you have a WinRM problem, you will get an error.
Now that we know what the problem is, let's move on to the solution:
While installing cross-platform agents, SCOM will do one more thing on top of the stages I described above: updating the “/etc/pam.conf” file.
This file is a security/policy/authentication file which manages privileges on the server.
Normally, while installing the agent, the installation will write into this file and give the agent the privileges it needs.
Our problem occurs because the installation process failed to write the appropriate lines into the file.
After some investigation, I discovered the lines that were missing:
# The configuration of omi is generated by the scx installer.
omi auth sufficient pam_vas3.so create_homedir get_nonvas_pass store_creds try_first_pass
omi auth requisite pam_vas3.so echo_return
omi auth required /usr/lib/security/pam_aix use_new_state use_first_pass
omi account required /usr/lib/security/pam_seos.o
omi account sufficient pam_vas3.so
omi account requisite pam_vas3.so echo_return
omi account required /usr/lib/security/pam_aix
# End of section generated by the scx installer.
* CREATE A BACKUP BEFORE CHANGING THIS FILE!!!
* DO NOT LOG OFF FROM THE SSH SESSION BEFORE YOU DOUBLE CHECK EVERYTHING IS CONFIGURED PROPERLY.
After updating the file, re-run the discovery and wait for the success notification.
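To see which of the omi entries listed above are actually missing before you edit the file, the following sketch can be run on the Unix server. It is an added example, not part of the original post or of the scx installer; the function names and the script name are hypothetical, and the expected lines are the ones from this page, so adjust them if your PAM modules differ.

```shell
#!/bin/sh
# Added example (not part of the scx installer): report which omi entries
# from this page are absent from a pam.conf file. Read-only apart from the backup.

# Expected entries, copied from the page.
expected_omi_lines() {
cat <<'EOF'
omi auth sufficient pam_vas3.so create_homedir get_nonvas_pass store_creds try_first_pass
omi auth requisite pam_vas3.so echo_return
omi auth required /usr/lib/security/pam_aix use_new_state use_first_pass
omi account required /usr/lib/security/pam_seos.o
omi account sufficient pam_vas3.so
omi account requisite pam_vas3.so echo_return
omi account required /usr/lib/security/pam_aix
EOF
}

# Strip comments, collapse blanks and tabs to one space, drop empty lines.
normalise() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Print each expected line missing from FILE.
# Returns 0 = section complete, 1 = lines missing, 2 = file unreadable.
missing_omi_lines() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    have=$(normalise "$file")
    missing=0
    while IFS= read -r want; do
        if ! printf '%s\n' "$have" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            missing=1
        fi
    done <<EOF
$(expected_omi_lines)
EOF
    return $missing
}

# Copy FILE to FILE.bak.<timestamp>, keeping mode and owner, and print the backup path.
backup_pam_conf() {
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Usage (script name is an assumption): sh check_omi_pam.sh /etc/pam.conf
if [ $# -ge 1 ]; then
    backup_pam_conf "$1" && missing_omi_lines "$1"
fi
```

Any line it prints is one to add to the omi section; no output and exit status 0 mean the section is already complete and the WinRM failure has another cause.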