Deprecating SHA1 Certificates in System Center Operations Manager for UNIX/Linux Monitoring

Communication between the System Center Operations Manager Management Server and the UNIX/Linux agents is secured with TLS/SSL. The UNIX and Linux agents use Server Authentication certificates (the “agent certificates”) for the TLS/SSL channel, and these certificates are signed by an Operations Manager Management Server’s “signing certificate.” As of System Center 2016 RTM, both agent certificates and signing certificates are generated with the sha1WithRSAEncryption signature algorithm. With System Center 2012 R2 Operations Manager UR12 and System Center 2016 Operations Manager UR2, the use of SHA-1 certificates is deprecated and SHA-256 certificates are preferred by default. Customers can now update and re-sign the certificates on currently deployed agents by following the procedure below.

  1. Install SCOM 2012 R2 UR12 – https://support.microsoft.com/en-us/help/3209587/system-center-2012-r2-om-ur12 (or) SCOM 2016 UR2 – https://support.microsoft.com/en-us/help/3209591/update-rollup-2-for-system-center-2016-operations-manager
  2. Import the UNIX/Linux Management Packs for SCOM 2012 R2 / SCOM 2016 UR2 – https://www.microsoft.com/en-in/download/details.aspx?id=29696
  3. Update the certificates from SHA-1 to SHA-256 in one of the following ways:

Option 1:

Use the PowerShell script UpdateXplatCertificates.ps1. When run without any parameters, it updates the certificate for all agents.

.\UpdateXplatCertificates.ps1

This script can be downloaded from here.

Option 2:

To update the certificate for specific agents, use the command below:

.\UpdateXplatCertificates.ps1 -AgentsDisplayName "<Agent1>","<Agent2>"

Option 3:

The certificate can be updated through the SCOM Console:

Console –> Monitoring –> UNIX/Linux Computers –> select the server.

In the Tasks pane on the right, under UNIX/Linux Computer Tasks, there are two tasks that can be performed.

  1. Verify Certificate Signature – This task verifies the signature algorithm of the agent’s signed certificate. It is helpful for identifying SHA-1 certificates that require an update. Clicking Verify Certificate Signature runs the task and shows the result in the task status window.

  2. UNIX/Linux Update Certificate Task – This task updates the certificate from SHA-1 to SHA-256. Select the server whose certificate you wish to update and click UNIX/Linux Update Certificate Task in the task pane.

Please note:

The already existing certificate will not be invalidated or deleted. Once the customer has updated the certificate on all monitored servers, the old certificates should be deleted manually.

Once SCOM 2012 R2 UR12 or SCOM 2016 UR2 is installed, SHA-256 certificates are used by default for newly discovered servers.

The certificate must be updated in the same way for high availability configurations too.
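A scripted way to do across the whole estate what the Verify Certificate Signature task does for one server, as an added example that is not part of the original post or of the UpdateXplatCertificates.ps1 script: run from the management server, it connects to each agent's TLS endpoint, reads the certificate the agent presents, and reports the ones still signed with SHA-1 so they can be scheduled for the Update Certificate task. It assumes the OperationsManager PowerShell module is loaded so that Get-SCXAgent lists the agents with a Name property, and that agents listen on TCP port 1270 (the SCX default, exposed here as a parameter).

```powershell
# Added example: audit the TLS certificate presented by each UNIX/Linux agent
# and flag certificates still signed with SHA-1. Assumptions: agents listen on
# TCP 1270 (SCX default), and Get-SCXAgent (OperationsManager module) is available.
function Get-ScxAgentCertificateInfo {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 1270
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        # Accept whatever certificate the agent presents: this is an inventory,
        # not a trust decision, so chain or name errors must not abort the handshake.
        $acceptAll = { param($sender, $cert, $chain, $errors) return $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        # Wrap the X509Certificate in X509Certificate2 to get SignatureAlgorithm.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            ComputerName       = $ComputerName
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA / sha256RSA
            NotAfter           = $cert.NotAfter
            NeedsUpdate        = ($cert.SignatureAlgorithm.FriendlyName -like 'sha1*')
            Error              = $null
        }
    }
    catch {
        # Unreachable host, closed port or failed handshake: report it rather than skip it.
        [pscustomobject]@{
            ComputerName = $ComputerName; Subject = $null; Issuer = $null
            SignatureAlgorithm = $null; NotAfter = $null; NeedsUpdate = $null
            Error = $_.Exception.Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Run against every monitored UNIX/Linux agent and list the ones that still need
# the Update Certificate task (or could not be checked). Drop the Where-Object
# filter to see the full inventory, including agents already on SHA-256.
$report = Get-SCXAgent | ForEach-Object { Get-ScxAgentCertificateInfo -ComputerName $_.Name }
$report | Where-Object { $_.NeedsUpdate -or $_.Error } |
    Format-Table ComputerName, SignatureAlgorithm, NotAfter, Error -AutoSize
```

Re-running the report after the Update Certificate task (and again after the old certificates are deleted) confirms that no agent still presents a sha1RSA certificate.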