Authentication and Data Encryption for UNIX and Linux Operating Systems

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

With Operations Manager 2007 R2, you can deploy agents to UNIX-based or Linux-based computers. In such an environment, Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX-based or Linux-based computers. In this scenario, the certificates are self-signed by the management server. (Although it is possible to use third-party certificates, they are not needed.)

There are two methods you can use to deploy agents: you can use the Discovery Wizard, or you can manually install an agent. Of these two methods, manually installing an agent is the more secure option. When you use the Discovery Wizard to push agents to UNIX-based or Linux-based computers, you trust that the computer you are deploying to is really the computer you think it is. Using the Discovery Wizard to deploy agents therefore involves greater risk when you deploy to computers on a public network or in a DMZ. In this section of the Security Guide, we discuss how to manually deploy an agent to a UNIX-based or Linux-based computer.

When you use the Discovery Wizard to deploy an agent, the Discovery Wizard performs the following functions:

Deployment

The Discovery Wizard copies the agent package to the UNIX-based or Linux-based computer and then starts the installation process.

Certificate Signing

Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

Discovery

The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.

When you manually deploy an agent, you perform the first two steps that are typically handled by the Discovery Wizard, deployment and certificate signing. Then, you use the Discovery Wizard to add the computer to the Operations Manager database.

If there are existing certificates on the system, they are reused during agent installation. New certificates are not created. Certificates are not automatically deleted when you uninstall an agent. You must manually delete the certificates that are listed in the /etc/opt/microsoft/scx/ssl folder. To regenerate the certificates at install, you must remove this folder before agent installation.

Hash values for the agent binaries are available in Appendix B - List of Hash Values for UNIX and Linux Agents in this guide.
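A pre-installation check for a manual deployment, added here as an example and not part of the original guide: it verifies the agent package hash against the value you take from Appendix B and reports any certificates already present in /etc/opt/microsoft/scx/ssl that the installer would reuse rather than regenerate. It assumes SHA-256 (use whichever algorithm Appendix B lists for the package you downloaded) and that the existing certificates are stored as .pem files in that folder.

```shell
#!/bin/sh
# Pre-installation check for a manually deployed Operations Manager UNIX/Linux agent.
# Added example, not from the guide. Assumptions: the expected hash comes from Appendix B,
# the algorithm is SHA-256, and existing certificates are .pem files in the ssl folder.

SCX_SSL_DIR="${SCX_SSL_DIR:-/etc/opt/microsoft/scx/ssl}"

# Return 0 if the package's SHA-256 matches the expected value, 1 otherwise.
# Refuse to continue on a mismatch: the package is not the one the guide lists.
verify_agent_package() {
    pkg="$1"; expected="$2"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    actual=$(sha256sum "$pkg" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "hash OK: $pkg"
        return 0
    fi
    echo "hash MISMATCH for $pkg: expected $expected, got $actual" >&2
    return 1
}

# Return 0 if certificates already exist in the SCX ssl folder, 1 if none are present.
# The installer reuses existing certificates, so a 0 here means: remove the folder
# first if you want fresh certificates generated at install time.
existing_certs_present() {
    dir="${1:-$SCX_SSL_DIR}"
    [ -d "$dir" ] || { echo "no existing certificate folder: $dir"; return 1; }
    found=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        found=1
        echo "existing certificate will be reused: $f"
        # Show subject, issuer and validity so you can decide whether to keep it.
        if command -v openssl >/dev/null 2>&1; then
            openssl x509 -in "$f" -noout -subject -issuer -dates 2>/dev/null \
                || echo "  (could not parse $f as an X.509 certificate)"
        fi
    done
    [ "$found" -eq 1 ]
}
```

Run `verify_agent_package <package> <hash-from-appendix-b>` and `existing_certs_present` before starting the installation described in the Operations Guide.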

For instructions on how to manually deploy an agent, see the “Manually Installing Cross-platform Agents” topic in the Operations Manager 2007 R2 Operations Guide (https://go.microsoft.com/fwlink/?LinkID=146211), and then use the following procedure to install the certificates.

UNIX and Linux Firewall Considerations

If you have a firewall on your UNIX-based or Linux-based computer, you must open port 1270 (inbound). This port number is not configurable. If you are deploying agents in a low security environment and you use the Discovery Wizard to deploy and sign the certificates, you must open the SSH port. The SSH port number is configurable. By default, SSH uses inbound TCP port 22.