Deploying the System Center Operations Manager 2007 Linux Agent fails with “The certificate Common Name (CN) does not match”

December 24, 2011

I recently tried to automatically install the SCOM agent on a Red Hat 5 server.

I encountered the “The certificate Common Name (CN) does not match” error during the deployment. The other error was about the issuer of the certificate, which was not recognized by the Linux server.

During the installation of the agent, a certificate is generated with your RMS (Root Management Server) as the issuer for your server, so that the RMS can trust the messages sent by the SCOM agent.

To see the content of this certificate, run this command:

openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates

The output gives you two pieces of information: the subject (your server's hostname) and the issuer (the RMS).

Check your hostname with the hostname command. If you want to change it, for example to add the DNS suffix (in which case you can add an A record to your DNS zone), follow this procedure: http://www.xenocafe.com/tutorials/linux/redhat/change_hostname_without_reboot/index.php

Finally, to resolve the problem, go through the following steps:

  1. Verify that your Linux server is reachable from your RMS server. To do so, either add an entry to the hosts file or create a GlobalNames zone in your DNS (if you are running at least a 2008 forest). The problem with the GlobalNames solution is that your certificate will include the “.globalnames” suffix; in that case, you have to modify your hostname. The hosts file is the best solution when the IP addresses are static.
  2. You can correct the certificate content by running the following command: /opt/microsoft/scx/bin/tools/scxsslconfig -f -v. In my case, it could not be executed, so I simply removed the content (the certificates and the keys) of the /etc/opt/microsoft/scx/ssl/ directory and ran the agent installation process again.
  3. If you get the issuer error, check the DNS addresses configured on your Linux server and try to resolve the name of the issuer with nslookup or simply ping. If you have a DNS problem, just add the correct entry to the hosts file (/etc/hosts).
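
The checks above can be scripted. The following is an added example, not part of the original post or of the SCOM agent: it compares the CN values in the certificate subject with the output of hostname and tests whether the issuer name resolves. The function names and the sample subject line are constructed for illustration, and it assumes CN values are plain host names.

```shell
#!/bin/sh
# Added example: compare the agent certificate's CN values with the local
# hostname and check that the issuer name resolves.
# Assumption: CN values are host names (no "/" or "," inside them).

# Print each CN from an `openssl x509 -subject` or `-issuer` line, one per line.
# Handles both "subject= /DC=x/CN=y" and "subject=DC = x, CN = y" layouts.
extract_cns() {
    printf '%s\n' "$1" \
      | sed -e 's/^[[:space:]]*subject=[[:space:]]*//' \
            -e 's/^[[:space:]]*issuer=[[:space:]]*//' \
      | tr '/,' '\n\n' \
      | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Succeed when host name $2 equals one CN in line $1 (case-insensitive, exact).
cn_matches_host() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    extract_cns "$1" | tr '[:upper:]' '[:lower:]' | grep -Fqx -- "$want"
}

# Report CN and issuer problems for a certificate file; returns 0 when clean.
check_scx_cert() {
    cert=${1:-/etc/opt/microsoft/scx/ssl/scx.pem}
    subject=$(openssl x509 -noout -subject -in "$cert") || return 2
    issuer=$(openssl x509 -noout -issuer -in "$cert") || return 2
    host=$(hostname)
    rc=0
    if ! cn_matches_host "$subject" "$host"; then
        echo "CN mismatch: hostname '$host' is not among:" $(extract_cns "$subject")
        rc=1
    fi
    for name in $(extract_cns "$issuer"); do
        getent hosts "$name" >/dev/null || { echo "issuer '$name' does not resolve"; rc=1; }
    done
    return $rc
}

# Constructed sample line (not taken from a real agent).
SAMPLE='subject= /DC=local/DC=example/CN=web01/CN=web01.example.local'
cn_matches_host "$SAMPLE" "web01.globalnames" || echo "sample: web01.globalnames would be rejected"

# Check the real certificate only where the agent is installed.
if [ -r /etc/opt/microsoft/scx/ssl/scx.pem ] && command -v openssl >/dev/null 2>&1; then
    check_scx_cert || true
fi
```

Run it on the Linux server after changing the hostname or regenerating the certificate; a clean run prints nothing for the real certificate.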