- Operations Manager 2007 R2
- System Center 2012 – Operations Manager
Operations Manager uses the WS-Management protocol over SSL/TLS to communicate with UNIX and Linux agents. A certificate used for SSL/TLS is generated on each UNIX and Linux computer during agent installation and signed by a Management Server during agent discovery. For all cases except for HP-UX PA-RISC computers, the certificate is generated with a 2048 bit key. By default, HP-UX PA-RISC computers use a 512 bit key to generate this certificate, due to increased CPU utilization that has been observed on HP-UX PA-RISC computers when establishing SSL/TLS connections with a larger key size.
A Windows update expected to release on August 14, 2012 will block the use of RSA keys less than 1024 bits in length for any Windows computer where the update is installed. More information about this Windows update can be found in the More Information section below. When this update is installed on Operations Manager Management Servers or Gateways that are managing HP-UX PA-RISC computers, the HP-UX computers will generate heartbeat and SSL certificate alerts, and all monitoring of the computers will be interrupted until remediation is performed.
Only HP-UX PA-RISC computers monitored by Operations Manager are affected by this Windows update. HP-UX Itanium and all other UNIX and Linux operating systems and architectures are not affected.
SymptomsFollowing installation of the Windows server update that requires certificates associated with keys greater than 1023 bits on Operations Manager Management Servers and Gateways, the following symptoms will occur:
· HP-UX PA-RISC computers (11iv2 and 11iv3) will generate heartbeat alerts and all Operations Manager monitoring of the computers will fail. An “SSL Certificate Error” will also be generated with the description: The SSL Certificate used by the Agent has a configuration error.
· Operations Manager will fail to discover new HP-UX PA-RISC computers due to a “signed certificate verification” error.
ResolutionThere are two options to restore monitoring communication between Operations Manager and HP-UX PA-RISC computers:
1. Allow RSA keys less than 1024 bits on each Management Server and Gateway that manages HP-UX PA-RISC computers
2. Creating and signing a new certificate with a 1024 bit key on HP-UX PA-RISC computers
Both of these options restore communication between Operations Manager and HP-UX PA-RISC computers. Allowing RSA keys less than 1024 bits on the Operations Manager server effectively disables the changes made by the Windows update. Creating and signing a new certificate with a 1024 bit key on HP-UX PA-RISC computers allows the changes made by the Windows update to stay in effect on Operations Manager servers, but may have some performance impact on HP-UX computers. We recommend that you try option #2 in a pilot environment to ensure that the additional CPU overhead on the HP-UX PA-RISC computer does not impact your production workloads.
Allowing RSA keys less than 1024 bits on Operations Manager serversOn each Operations Manager Management Server or Gateway that manages HP-UX PA-RISC computers, perform the following steps:
1. Launch a command prompt as administrator
2. In the command prompt, run the following command:
Certutil -setreg chain\minRSAPubKeyBitLength 512
Creating and signing a new certificate with a 1024 bit key on HP-UX PA-RISC computersFor each HP-UX PA-RISC computer monitored by Operations Manager, perform the following steps:
1. Establish a console session with the HP-UX computer, locally or via Secure Shell (ssh), as the root user
2. Change to the Operations Manager agent tools directory: cd /opt/microsoft/scx/bin/tools
3. Run the scxsslconfig utility to force certificate generation with a 1024 bit key:
./scxsslconfig –v –f –b 1024
where:
-v = verbose
-f = force overwrite of existing certificate
-b = number of key bits
The output of this command will display the Host Name , Domain Name , and Cert Length used in certificate generation. Confirm that the Cert Length value is 1024. Confirm that the Host Name and Domain Name are appropriate for the FQDN used by Operations Manager to reach the computer. These values can be explicitly specified when running the scxsslconfig command with –h and –d switches.
4. The new certificate must now be signed by the Operations Manager server. Using a secure file transfer protocol such as sftp or scp, copy the file: /etc/opt/microsoft/scx/ssl/scx-host-<hostname>.pem (where <hostname> is the hostname of the HP-UX computer) to the Operations Manager server that manages the HP-UX computer.
5. On the Operations Manager server, launch a command prompt as administrator
6. In the command prompt, change directories to the program directory for Operations Manager.
Default paths are:
a. Operations Manager 2007 R2: C:\Program Files System Center Operations Manager 2007
b. System Center 2012 – Operations Manager: C:\Program Files\System Center 2012\Operations Manager\Server
7. Run the scxcertconfig.exe command:
scxcertconfig -sign <path to certificate .pem file> scx_new.pem
Where <path to certificate .pem file> is the full path to the certificate file copied from the HP-UX PA-RISC computer
8. Using a secure file transfer protocol such as sftp or scp, copy the scx_new.pem file to the directory: /etc/opt/microsoft/scx/ssl on the HP-UX computer. Rename the scx_new.pem file in the /etc/opt/microsoft/scx/ssl directory to overwrite the existing: /etc/opt/microsoft/scx/ssl/scx-host-<hostname>.pem file
9. Restart the Operations Manager agent with the following command (executed in a console or ssh session on the HP-UX computer):
/opt/microsoft/scx/bin/tools/scxadmin -restart
Bringing new HP-UX PA-RISC computers under OpsMgr managementIf the second resolution approach is taken (Creating and signing a new certificate with a 1024 bit key on HP-UX PA-RISC computers), newly discovered HP-UX PA-RISC computers that are brought under management by OpsMgr will experience the same symptoms because the automatically generated certificate will have a 512 bit key. The steps outlined above must be taken on each new HP-UX PA-RISC computer to create and sign a new certificate with a 1024 bit key.
In the future, Microsoft will release an update to the OpsMgr agent for HP-UX PA-RISC computers. For HP-UX PA-RISC computers that are newly brought under OpsMgr management with this updated agent, the automatically generated certificate will have a 1024 bit key, and no additional resolutions steps will be needed. But for already managed computers, installing this updated agent does not automatically a new certificate, and the above outlined resolution steps must still be followed.
More InformationWindows PKI Blog posts about the Windows update:
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2....
http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
.
J.C. Hornbeck | System Center & Security Knowledge Engineer
Get the latest System Center news on Facebook and Twitter :
App-V Team blog:
http://blogs.technet.com/appv/
ConfigMgr Support Team blog:
http://blogs.technet.com/configurationmgr/
DPM Team blog:
http://blogs.technet.com/dpm/
MED-V Team blog:
http://blogs.technet.com/medv/
Orchestrator Support Team blog:
http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog:
http://blogs.technet.com/momteam/
SCVMM Team blog:
http://blogs.technet.com/scvmm
Server App-V Team blog:
http://blogs.technet.com/b/serverappv
Service Manager Team blog:
http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog:
http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog:
http://blogs.technet.com/sus/
The Forefront Server Protection blog:
http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog :
http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog :
http://blogs.msdn.com/b/ms-identity- support/
The Forefront TMG blog:
http://blogs.technet.com/b/isablog/
The Forefront UAG blog:
http://blogs.technet.com/b/edgeaccessblog/