WS-Management Certificate Monitor
This monitor ensures that the SSL Certificate used by the WS-Management component of the Agent is valid. If the state is unknown, either monitoring has not begun for this object or there are no availability monitors defined.
An unhealthy state for this monitor indicates some problem with the certificate used for Agent communication that is installed on the Unix or Linux server.
Some of the problems that could affect the state of this monitor include:
The Certificate has Expired.
The Certificate common name (CN) does not match the hostname.
Check the "Alert Context" tab of the Alert Properties for more information.
View all current alerts from this object using this link:
Alerts
To verify that the SCX Agent on the remote system is running properly, try enumerating the SCX_Agent provider using the following command from the Operations Manager monitoring server:
winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -r:https://<hostname>.<domain>:1270 -u:<username> -p:<password> -auth:basic -encoding:utf-8
substituting <hostname>.<domain> for the fully-qualified domain name of the host and <username>/<password> for some valid username and password combination on the remote system.
To verify the certificate on the remote system, log into the remote system and issue the following command:
openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
To check if the certificate has expired, ensure that the current date falls between the notBefore and notAfter dates, and ensure that the date and time on the target server matches that of the Operations Manager Server.
If the Certificate common name does not match the hostname, you may change the name of your host system if necessary (check your operating system documentation for information on how to do that). Or, if the certificate is incorrect but your system's host hame is correct, regenerate the certificate by issuing the following commands from the 'root' account:
cd /etc/opt/Microsoft/scx/bin/tools
. setup.sh
scxsslconfig -f
scxadmin -restart cimom
After the above commands are issued, you'll need to re-sign the certificate via the Operations Manager Discovery Wizard.
Finally, be certain that the target computer's Fully Qualified Domain Name can be resolved from the Operations Manager Server.
Target | Microsoft.Unix.Computer | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | ConfigurationHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.Unix.WSMan.Certificate.MonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.Unix.WSMan.Certificate.Monitor" Enabled="true" Accessibility="Public" Target="Microsoft.Unix.Computer" TypeID="Microsoft.Unix.WSMan.Certificate.MonitorType" ParentMonitorID="SystemHealth!System.Health.ConfigurationState">
<Category>ConfigurationHealth</Category>
<AlertSettings AlertMessage="Microsoft.Unix.WSMan.Certificate.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState HealthState="Success" MonitorTypeStateID="Available" ID="Valid"/>
<OperationalState HealthState="Error" MonitorTypeStateID="NotAvailable" ID="NotValid"/>
</OperationalStates>
<Configuration>
<Interval>300</Interval>
</Configuration>
</UnitMonitor>