
Jayachandran PK http://pkjayan.wordpress.com

Configuring Cross Platform Monitoring Using System Centre Operation Manager 2007 R2

One of the more desirable features introduced in System Center Operations Manager 2007 R2 is the ability to monitor non-Windows servers. This made System Center Operations Manager one of the strongest monitoring tools for any heterogeneous environment. The total cost of ownership of maintaining a centralized enterprise system monitoring solution became very low with the introduction of the cross platform monitoring feature. However, we have often noticed that many Microsoft solution experts have very little Unix/Linux experience, and therefore configuring the solution is always a nightmare. The objective of this post is to provide a step-by-step guide for configuring the cross platform monitoring solution.

The following is a high-level overview of the tasks (not in any particular order) involved in configuring agents in a cross platform environment.

Update SCOM with latest CU and Management pack for cross platform monitoring

Check communication port availability

DNS name resolution in both directions

SSH and sftp enabled

Certificate signing

Accounts with access rights on the cross platform system.

Define the required Run As Accounts and place them in the proper Run As Profiles

Prerequisite software available on the cross platform machines; update the OS if any patches are missing.

Make sure to use the right installers when manually deploying agents.

Updating the SCOM management server is very important to get the best features available in SCOM 2007 R2. A list of cumulative updates has been released for Operations Manager 2007 R2. There is no restriction on applying the cumulative updates; you can use the latest CU to update directly from RTM. The following link lists all the Cumulative Updates released for System Centre Operations Manager 2007 R2.

http://support.microsoft.com/kb/2453149

Once the Management server is updated, make sure that proper TCP/IP routing is configured between the SCOM Root Management Server (RMS Server) and the cross platform machine (Solaris box). The Solaris agent uses TCP ports 1270 and 22 to communicate with the RMS server. You may use telnet to check the port access between the RMS and the Solaris box.

Next, make sure you are able to resolve the host name to the server IP address. If necessary, use a hosts file entry for name resolution. Try pinging the FQDN of the RMS server from the Solaris box and vice versa.


Run As Profiles:

SCOM 2007 R2 requires two Run As accounts to be associated with their respective Run As profiles in order to install and monitor the agent on the cross platform server.

Unix Action Account: a non-privileged user account used to remotely monitor the cross platform servers.

Unix Privileged Account: a privileged account that must have root access; sudo (similar to Run as administrator in Windows) is not supported. SCOM uses this account to deploy the agent as well as to restart processes where privileged rights are required.

Creating a user in Solaris: we need to create a user on the Solaris box with password aging disabled. This user account will be added to the Unix Action Account profile in the SCOM management console.

1. Run the following command on the Solaris box with root privilege:

# useradd -u 2500 -g 10 -c "SCOM Monitor User" -d /export/home/scxmon -s /usr/bin/ksh -m scxmon
64 blocks

2. Set a password for the newly created user scxmon:

# passwd scxmon
New Password:
Re-enter new Password:
passwd: password successfully changed for scxmon

3. Check the password aging policy applied to the user account:

# passwd -s scxmon
scxmon PS 12/05/12 7 49 28

4. The figures above show the password expiration set by MAXWEEKS, MINWEEKS and WARNWEEKS. Run the following command to disable password aging for the scxmon user:

# passwd -x -1 scxmon
passwd: password information changed for scxmon

5. Confirm the password aging policy applied to the user account:

# passwd -s scxmon
scxmon PS
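A scripted form of the check in steps 3 to 5, as an added example that is not part of the original guide. It classifies `passwd -s` output lines, assuming the Solaris passwd(1) column order `name status lastchg min max warn` with the three figures in days; the function names and the `olduser` sample line are made up for illustration.

```shell
#!/bin/sh
# Added example: classify Solaris `passwd -s` output for a monitoring account.
# Assumed column order (passwd(1)): name status lastchg min max warn, in days.

# audit_passwd_status LINE
# Return codes:
#   0  passworded (PS) and aging disabled -> the state the guide wants for scxmon
#   1  passworded but aging still enabled -> the password will expire
#   2  locked (LK), no-login (NL) or no password (NP) -> not usable by SCOM
#   3  line not understood
audit_passwd_status() {
    # Split the line into fields; missing trailing fields come back empty.
    read -r name status lastchg min max warn <<EOF
$1
EOF
    if [ -z "$name" ] || [ -z "$status" ]; then
        echo "UNPARSED: '$1'"
        return 3
    fi
    case "$status" in
        PS) ;;
        LK|NL|NP)
            echo "$name: status $status, not a usable passworded account"
            return 2 ;;
        *)
            echo "$name: unknown status '$status'"
            return 3 ;;
    esac
    case "$max" in
        ''|-1)
            # No aging columns (or max = -1) is what `passwd -x -1` leaves behind.
            echo "$name: OK, password set and aging disabled"
            return 0 ;;
        *[!0-9]*)
            echo "$name: unexpected max-age field '$max'"
            return 3 ;;
        *)
            echo "$name: aging enabled, password expires after $max days (min $min, warn $warn)"
            return 1 ;;
    esac
}

# audit_stream: read `passwd -s` lines on stdin, print one verdict per line,
# and return 1 if any account is not in the expected state.
audit_stream() {
    failed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        audit_passwd_status "$line" || failed=1
    done
    return $failed
}

# Constructed sample input: the two scxmon lines are the outputs shown in
# steps 3 and 5 of the guide, the olduser line is invented.
SAMPLE='scxmon PS 12/05/12 7 49 28
scxmon PS
olduser LK'
printf '%s\n' "$SAMPLE" | audit_stream || echo "one or more accounts need attention"
```

On a live Solaris box the same function can be fed directly, for example `audit_passwd_status "$(passwd -s scxmon)"` run as root.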


Now that the account is created on the Solaris box, we need to define it as a Run As account in the SCOM management server console. To do this, log on to the SCOM RMS server and open the SCOM management console. Click the Administration view.

In the navigation pane under Run As Configuration, select Accounts.


Right-click in the results pane, and then select Create Run As Account from the context menu to start the Create Run As Account wizard.

When the Introduction page appears, click Next.

On the General page, select Basic Authentication from the Run As Account Type list. Notice that there are other options to choose from. The option selected depends on the type of account and authentication that is specified in the management pack guide.


In the Display Name box, enter a name to identify the UNIX Action Account and then click Next.

On the Credentials page, enter the appropriate values in the Account Name, Password, and Confirm Password boxes (here we need to provide the non-privileged account created earlier on the Solaris server) and then click Next.


On the Distribution Security page, leave the default option, More Secure, selected and click Create.

This creates the Step by Step Run As UNIX Action Account object and maps it to the actual UNIX account credentials that will be used for non-privileged interaction with the UNIX-based computers that you will be monitoring. Click Close to close the Create Run As Account wizard.


In the Accounts pane, double-click the account you just created.

In the Run As Account Properties dialog box, select the Distribution tab and choose the Distribute credentials to selected computers option. Click Add to open the Computer Search dialog box.


From the Option list, choose Show management servers, and then click Search.

In the Available items text box, choose the management server that these credentials will be distributed to, and then click Add.


Click OK to close the Computer Search dialog box.

Click Apply and OK to close the Run As Account Properties dialog box.

Now we need to repeat the same steps to create a Run As Account that associates the privileged account with the SCOM management server. Right-click in the results pane, and then select Create Run As Account from the context menu to start the Create Run As Account wizard.


When the Introduction page appears, click Next.

On the General page, select Basic Authentication from the Run As Account Type list. Notice that there are other options to choose from. The option selected depends on the type of account and authentication that is specified in the management pack guide. In the Display Name box, enter a name to identify the UNIX Privileged Account and then click Next.


On the Credentials page, enter the root account values in the Account Name, Password, and Confirm Password boxes and then click Next.

On the Distribution Security page, leave the default option, More Secure, selected and click Create.


This creates the Step by Step Run As UNIX Privileged Account object and maps it to the actual UNIX root account credentials that will be used for privileged interaction with the UNIX-based computers that you will be monitoring. Click Close to close the Create Run As Account wizard.

In the Accounts pane, double-click the Unix Privileged Account you just created.


In the Run As Account Properties dialog box, select the Distribution tab and choose the Distribute credentials to selected computers option. Click Add to open the Computer Search dialog box.

From the Option list, choose Show management servers, and then click Search.


In the Available items text box, choose the management server that these credentials will be distributed to, and then click Add.

Click OK to close the Computer Search dialog box.

Click Apply and OK to close the Run As Account Properties dialog box.


Now we need to associate the Run As Accounts with their respective Run As Profiles so that the SCOM management server can use these assigned accounts to perform privileged and non-privileged tasks on cross platform servers. To associate the Run As Accounts with their respective Run As Profiles, from the navigation pane under Run As Configuration, select Profiles. Type UNIX in the Look for box and click Find Now. This will list only the Unix-related profiles.

In the results pane, double-click the UNIX Action Account profile, and click Next on the Introduction page.


Click Next on the General Properties page.

Notice that there is no Run As Account associated with this profile.

Click Add to associate a Run As Account with this profile and, from the drop-down list, select the Unix Action Account.


After selecting the appropriate Action Account, select the radio button next to A Selected class, group or object and then click Select to choose your option. Select Class from the list.

In the Filter by box, type UNIX and click Search. Select UNIX computers from the available items listed. Click OK to select the item.


If you are planning to have a different Unix Action Account for each Solaris box, you need to create a separate Run As Account for each server and select the respective computer as the target (select Object instead of Class, look for UNIX Computer, and then select the respective Solaris server listed under available items). I have the same root password on all servers, so I will use the UNIX Computer Group as the target.

UNIX computers is now listed as the target class for the selected Run As Account. Click OK to close the window.

Verify the Account and class listed in the Unix Action Account profile and click Save to close the Wizard.


We need to associate the Unix Privileged Account with its profile. To do this, double-click the UNIX Privileged Account profile in the profile list and click Next on the Introduction page.


Click Next on the General Properties page.


Notice that there is no Run As Account associated with this profile.

Click Add to associate a Run As Account with this profile and, from the drop-down list, select the Unix Privileged Account.

After selecting the appropriate Action Account, select the radio button next to A Selected class, group or object and then click Select to choose your option.


Select Class from the list.

In the Filter by box, type UNIX and click Search. Select UNIX computers from the available items listed. Click OK to select the item.


UNIX computers is now listed as the target class for the selected Run As Account. Click OK to close the window.

Verify the Account and class listed in the Unix Action Account profile and click Save to close the Wizard.


If the root account passwords are different on each Solaris server, which will normally be the case for production servers, you need to create a separate Run As Account for each server and select the respective computer as the target (select Object instead of Class, look for UNIX Computer, and then select the respective Solaris server listed under available items). You will have to associate all the Unix privileged accounts created for the Solaris servers with the Unix Privileged Account profile. I have the same root password on all servers, so I will use the UNIX Computer Group as the target. The following two slides show selecting a separate Action account for each Solaris server.

Installing agents on Solaris servers using the Discovery Wizard

Before proceeding with the Discovery Wizard, make sure that the required Run As accounts are created and the latest cross platform monitoring management packs are imported into the SCOM Management server. To discover and deploy agents on a Solaris server, log on to the SCOM Management server and open the SCOM console (make sure the account is a member of the Operations Manager 2007 R2 Administrator profile). Select the Administration view.


Right-click the Administration root and then select Discovery Wizard.

The Discovery Wizard opens. On the Discovery Type page, select Unix/Linux computers and then click Next.


On the Discovery Method page, click Add to specify criteria for discovering Solaris-based systems on your network. On the Define discovery criteria page, type the IP address or DNS name (you can also specify an IP range), provide the credentials (root account of the target server) and the necessary information to locate the computer you want to discover, and then click OK.


On the Discovery Method page, click Add to add more computers to the Discovery Scope list. You can also click Edit or Remove to modify or delete computers from the Discovery Scope list. In the Discovery Scope column, select the computer that you want to find. In the Management Server list, select the management server that will monitor the agents. Select Enable SSH based discovery if you want to push the agent installation instead of having the discovered system pull the agent from the management server.


Click Discover to initiate system discovery. If there is an invalid certificate on the discovered system or systems, the Certificate status page appears. Select the systems that you want new certificates issued to, and then click Sign. On the Discovery results page, in the Select the systems you want to manage list, select the check box for the system or systems that you want to manage, or click Select All to include all discovered systems.


If any system listed under the Select the systems you want to manage list could not be discovered, you can click Details to find out why the discovery failed. Correct the problem and repeat the discovery step. Once you have selected the systems you want to manage, click Next to start the deployment and to close the Discovery results page.

On the Deployment is in progress page, the Computer and Device Management Wizard displays the agent deployment status under the Status menu.


The agent deployment status will cycle through Deploying, Validating, Signing and finally Successful. Once you see the Successful status, click Done to close the Computer and Device Management Wizard.

Congratulations! You have successfully discovered a Solaris computer to monitor through System Centre Operations Manager 2007 R2. To verify this, go to the Administration section of the SCOM console and expand Device Management. Then select Unix/Linux Server and you will see the newly discovered Solaris computer listed.

Hope this step by step installation guide was useful for someone who wanted to monitor Solaris (or any cross platform) computer through System Centre Operations Manager 2007 R2.