AsokaChang-1495 asked BWO-5297 commented

SCOM 2019 Linux agent push fails when FIPS mode is enabled

We have fixed Red Hat 8.5 with the same ciphers and enabled update-crypto-policies --set FIPS, and then tried to push the Linux agent from the SCOM 2019 MS.

Redhat Ciphers are:
sed -i '27a Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com' /etc/ssh/sshd_config
sed -i '28a KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org' /etc/ssh/sshd_config

and setup FIPS and enable it:
update-crypto-policies --set FIPS
fips-mode-setup --enable

When pushing the Linux agent, we still get an error from the push process:

Failed to install kit. Exit code: 1
Standard Output: Sudo path: /usr/bin/
Extracting...
Installing cross-platform agent ...
----- Installing package: omi (omi-1.6.8-1.ulinux.x64) -----
----- Installing package: scx (scx-1.6.8-1.universal.x64) -----
----- Removing package: scx -----
----- Removing package: omi -----
----- Installing package: omi (omi-1.6.8-1.ulinux.x64) -----
Install failed

Standard Error: package omi-1.6.8-1.x86_64 does not verify: no digest

Please help to solve this trouble. Thanks.

msc-operations-manager
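
The Ciphers and KexAlgorithms lines from the question can be audited against an allowlist before the crypto policy is switched to FIPS. This is an added example, not part of the original post; the allowlist contents and the function names `non_approved` and `audit_sshd_algorithms` are assumptions made for illustration.

```shell
#!/bin/sh
# ASSUMPTION: illustrative allowlists (AES ciphers, NIST-curve ECDH and
# finite-field DH with SHA-2). The host's active policy is authoritative:
# on RHEL 8 see /etc/crypto-policies/back-ends/opensshserver.config.
ALLOWED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes256-cbc aes128-gcm@openssh.com aes256-gcm@openssh.com"
ALLOWED_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512"

# Read sshd_config-style text on stdin and print "<directive> <algorithm>"
# for every entry of the given directive that is missing from the allowlist.
non_approved() {
  directive="$1"
  allowed=" $2 "
  # Keyword matching is case-insensitive; commented-out lines do not match.
  grep -iE "^[[:space:]]*${directive}[[:space:]]" | {
    set -f  # no globbing while splitting the list (pipeline subshell only)
    while read -r key list; do
      for algo in $(printf '%s' "$list" | tr ',' ' '); do
        case "$allowed" in
          *" $algo "*) ;;                               # allowed
          *) printf '%s %s\n' "$directive" "$algo" ;;   # report it
        esac
      done
    done
  }
}

# Audit both directives of a config passed as a single string.
audit_sshd_algorithms() {
  printf '%s\n' "$1" | non_approved Ciphers "$ALLOWED_CIPHERS"
  printf '%s\n' "$1" | non_approved KexAlgorithms "$ALLOWED_KEX"
}

# Sample input: the two directives the question appends with sed.
SAMPLE_CONFIG='# sshd_config excerpt
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org'

audit_sshd_algorithms "$SAMPLE_CONFIG"
```

For the lines in the question this reports `chacha20-poly1305@openssh.com` and `curve25519-sha256@libssh.org`, neither of which is built on a FIPS-approved primitive.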

AlexZhu-MSFT answered AsokaChang-1495 commented

Hi,

It seems this version of CentOS has already reached its end of life on 31 December 2021. And all the download links are broken now.

http://isoredirect.centos.org/centos/8/isos/x86_64/

For the current supported versions, we can download it and have a try with FIPS.

http://isoredirect.centos.org/centos/7/isos/x86_64/
http://isoredirect.centos.org/centos/8-stream/isos/x86_64/
Note: the above links are from CentOS, not Microsoft.

Regards
Alex


Sorry, I don't understand what you mean. We only used Red Hat, not CentOS.

0 Votes 0 ·

Hi,

Sorry for the misreading. I only have an Ubuntu server on hand, and I will download RHEL 8.5 to see if the problem can be reproduced and report back later. Thanks for your kind understanding.

Regards
Alex

1 Vote 1 ·

Thanks a lot, waiting for your report. :)

0 Votes 0 ·
AlexZhu-MSFT answered BWO-5297 commented

Hi,

Thank you for your patience. Here's an update.

If we set the system crypto policy to FIPS, it seems it will break the SSH connection. During my test, I encountered a similar problem. When FIPS is enabled, the Linux agent discovery is broken; after it is disabled, the discovery works and the subsequent deploying and installing continue.

I will do more research to check if the problem relates to a specific distribution or something else and report back once there are any findings.

[Screenshot: 179977-scom-rhel85-01.jpg]

[Screenshot: discovery failed due to ssh error (180027-scom-rhel85-05-ssh-error.png)]

[Screenshot: after disabling FIPS, discovery succeeds (179979-scom-rhel85-07.png)]


Regards
Alex


Yes, I have already disabled FIPS on my test site, and the agent push succeeds.
But the production Linux is currently set to FIPS-enabled mode, so... I can't solve this case.
May I get your help to find documentation for the SCOM and FIPS issue?
Thanks for your help.

0 Votes 0 ·

Hi,

Thank you very much for the reply.

For the FIPS issue, unfortunately, it seems there is no existing documentation we can find at present. I've tried to ask in the internal discussion group; it is said "This should be supported in SCOM 2019 UR4 and 2022 UR1."

Regards
Alex


0 Votes 0 ·

Any news on this? We are on 2022 and urgently need FIPS support on RHEL 8! According to the doc (https://docs.microsoft.com/en-us/system-center/scom/plan-supported-crossplat-os?view=sc-om-2022) this should work but doesn't. Please help!

0 Votes 0 ·