WS-Management Certificate Health

Microsoft.Unix.WSMan.Certificate.Monitor (UnitMonitor)

WS-Management Certificate Monitor

Knowledge Base article:

Summary

This monitor ensures that the SSL Certificate used by the WS-Management component of the Agent is valid. If the state is unknown, either monitoring has not begun for this object or there are no availability monitors defined.

Causes

An unhealthy state for this monitor indicates a problem with the certificate that is installed on the Unix or Linux server and used for Agent communication.

Some of the problems that could affect the state of this monitor include:

Check the "Alert Context" tab of the Alert Properties for more information.

View all current alerts from this object using this link:

Alerts

Resolutions

To verify that the SCX Agent on the remote system is running properly, try enumerating the SCX_Agent provider using the following command from the Operations Manager monitoring server:

winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -r:https://<hostname>.<domain>:1270 -u:<username> -p:<password> -auth:basic -encoding:utf-8

Replace <hostname>.<domain> with the fully qualified domain name of the host, and <username>/<password> with a valid username and password combination on the remote system.

To verify the certificate on the remote system, log into the remote system and issue the following command:

openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates

To check whether the certificate has expired, ensure that the current date falls between the notBefore and notAfter dates, and ensure that the date and time on the target server match those of the Operations Manager Server.

If the certificate common name does not match the hostname, you may change the name of your host system if necessary (check your operating system documentation for information on how to do that). Alternatively, if the certificate is incorrect but your system's host name is correct, regenerate the certificate by issuing the following commands from the 'root' account:

After the above commands are issued, you'll need to re-sign the certificate via the Operations Manager Discovery Wizard.

Finally, be certain that the target computer's Fully Qualified Domain Name can be resolved from the Operations Manager Server.
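
The validity-window and common-name checks described above can be scripted against the text that the openssl command prints. The following is an added example, not part of the original article or the management pack; the host names and dates in SAMPLE are constructed, and the function names are hypothetical.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -subject -issuer -dates` output
# (hypothetical host names and dates, not taken from a real system).
SAMPLE = """\
subject=DC = com, DC = example, CN = web01, CN = web01.example.com
issuer=CN = opsmgr01.example.com
notBefore=Mar  1 09:00:00 2023 GMT
notAfter=Feb 26 09:00:00 2034 GMT
"""

def parse_summary(text):
    """Return (common_names, not_before, not_after) from the openssl text."""
    fields = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    # Handles both "CN = host" (OpenSSL 1.1+) and "/CN=host" (older) layouts.
    names = [n.strip().lower()
             for n in re.findall(r"\bCN\s*=\s*([^,/]+)", fields["subject"])]

    def when(key):
        stamp = datetime.strptime(fields[key].strip(), "%b %d %H:%M:%S %Y GMT")
        return stamp.replace(tzinfo=timezone.utc)

    return names, when("notBefore"), when("notAfter")

def check_certificate(text, expected_fqdn, now=None):
    """Return a list of problem codes; an empty list means the checks pass."""
    now = now or datetime.now(timezone.utc)
    names, not_before, not_after = parse_summary(text)
    problems = []
    if now < not_before:
        problems.append("not_yet_valid")  # also compare the clocks on both servers
    if now > not_after:
        problems.append("expired")
    if expected_fqdn.lower() not in names:
        problems.append("name_mismatch")
    return problems

if __name__ == "__main__":
    # Usage: openssl x509 -noout -in <cert> -subject -issuer -dates | python3 check.py <fqdn>
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "web01.example.com"
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = check_certificate(text, fqdn)
    print("OK" if not result else "PROBLEMS: " + ", ".join(result))
    sys.exit(1 if result else 0)
```

A non-zero exit status means at least one check failed, so the script can be run from cron or a configuration-management job ahead of the monitor's own alert.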

Element properties:

Target: Microsoft.Unix.Computer
Parent Monitor: System.Health.ConfigurationState
Category: ConfigurationHealth
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Unix.WSMan.Certificate.MonitorType
Remotable: True
Accessibility: Public
Alert Message: SSL Certificate Error
    The SSL Certificate used by the Agent has a configuration error.
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.Unix.WSMan.Certificate.Monitor" Enabled="true" Accessibility="Public" Target="Microsoft.Unix.Computer" TypeID="Microsoft.Unix.WSMan.Certificate.MonitorType" ParentMonitorID="SystemHealth!System.Health.ConfigurationState">
  <Category>ConfigurationHealth</Category>
  <AlertSettings AlertMessage="Microsoft.Unix.WSMan.Certificate.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
  </AlertSettings>
  <OperationalStates>
    <OperationalState HealthState="Success" MonitorTypeStateID="Available" ID="Valid"/>
    <OperationalState HealthState="Error" MonitorTypeStateID="NotAvailable" ID="NotValid"/>
  </OperationalStates>
  <Configuration>
    <Interval>300</Interval>
  </Configuration>
</UnitMonitor>