Managing certificates for UNIX and Linux computers

Important

This version of Operations Manager has reached the end of support. We recommend that you upgrade to Operations Manager 2019.

With System Center Operations Manager, you can deploy agents to UNIX or Linux computers. Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX or Linux computers. In this scenario, the certificates are self-signed by the management server. (Although it is possible to use third-party certificates, they are not needed.)

There are two methods you can use to deploy agents. You can use the Discovery Wizard or you can manually install an agent. Of these two methods, manually installing an agent is the more secure option. When you use the Discovery Wizard to push agents to UNIX or Linux computers, you trust that the computer that you are deploying to is really the computer that you think it is. When you use the Discovery Wizard to deploy agents, it involves greater risk than when you deploy to computers on the public network or in a perimeter network.

When you use the Discovery Wizard to deploy an agent, the Discovery Wizard performs the following functions:

  • Deployment - The Discovery Wizard copies the agent package to the UNIX or Linux computer and then starts the installation process.

  • Certificate Signing - Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

  • Discovery - The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.

When you manually deploy an agent, you perform the first two steps that are typically handled by the Discovery Wizard: deployment and certificate signing. Then, you use the Discovery Wizard to add the computer to the Operations Manager database.

If there are existing certificates on the system, they are reused during agent installation. New certificates are not created. Certificates are not automatically deleted when you uninstall an agent. You must manually delete the certificates that are listed in the /etc/opt/microsoft/scx/ssl folder. To regenerate the certificates during installation, you must remove this folder before agent installation.
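Because leftover certificates are silently reused, it helps to inspect the folder before reinstalling an agent. The following is an added example, not code from Microsoft or Operations Manager: the function name `audit_scx_certs`, the `*.pem` glob, the availability of `openssl` on the agent host, and the reading of "issuer equals subject" as "not yet signed by the management server" are all assumptions.

```bash
# Added example (not Microsoft's code). Default path is the folder named above;
# the *.pem glob and the use of openssl are assumptions of this sketch.
# Exit status: 0 = nothing to reuse, 1 = certificates present and will be reused.
audit_scx_certs() {
    local dir="${1:-/etc/opt/microsoft/scx/ssl}"
    local found=0 f subject issuer enddate status

    if [ ! -d "$dir" ]; then
        echo "NO_DIR $dir: the installer will generate a new certificate"
        return 0
    fi

    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        # Skip PEM files that hold no certificate (for example a private key).
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
        found=1
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')

        # Assumption: issuer == subject means the agent's certificate has not
        # yet been signed by the management server.
        if [ "$subject" = "$issuer" ]; then
            status="SELF_SIGNED"
        else
            status="SIGNED"
        fi
        # -checkend 0 fails when the certificate has already expired.
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status="$status,EXPIRED"
        fi
        echo "$status $f subject=[$subject] issuer=[$issuer] notAfter=[$enddate]"
    done

    if [ "$found" -eq 0 ]; then
        echo "EMPTY $dir: no certificates to reuse"
        return 0
    fi
    return 1
}
```

Call `audit_scx_certs` with no argument on the agent host (reading the folder typically requires root); a status of 1 means the next installation will reuse what is listed unless the folder is removed first.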

For instructions on how to manually deploy an agent, see Install Agent and Certificate on UNIX and Linux Computers Using the Command Line, and then use the following procedure to install the certificates.

UNIX and Linux firewall considerations

If you have a firewall on your UNIX or Linux computer, you must open port 1270 (inbound). This port number is not configurable. If you are deploying agents in a low security environment and you use the Discovery Wizard to deploy and sign the certificates, you must open the SSH port. The SSH port number is configurable. By default, SSH uses inbound TCP port 22. For more information about firewall configuration for Operations Manager, see Configuring a Firewall for Operations Manager.

Next steps