certificate errors UNIX/Solaris agent discovery
Hello all. I am getting certificate errors when I try to discover a Sun server in my environment. We had to perform the agent installation manually, but everything seems fine and the service is running on the Sun machine. When I try to discover it from the RMS we get SSH certificate errors and cannot sign the certificate remotely. So we followed the procedure here to sign the certificate file on the RMS and copy it back to the Sun server, but we still get the cert errors during discovery. I desperately need to get this working as a proof of concept for a host of Sun machines that we just inherited. Any and all help will be greatly appreciated!
Regards, Mike.
May 9th, 2011 7:34am
Hi Mike, have you checked inside the certificate to see what the name of the Sun box is according to the certificate? Make sure it is exactly the same name as the one you are discovering, otherwise you will get errors. Also, in some cases you might see the short name of the server in the certificate but not the FQDN, while you are perhaps discovering on the FQDN. If that is not reflected in the certificate, that might give a problem. It is possible to adjust the name in the certificate manually as well; I think I saw a Sun colleague do that not too long ago to get one of the Sun boxes into monitoring.
Also check
http://www.bictt.com/blogs/bictt.php/2010/07/26/scom-troubleshoot-cross-platform-agent-discovery-and-installation-part-1 for troubleshooting purposes (there are three parts in that series). My guess is that the first place where you run into trouble might be the name on the certificate.
Bob Cornelissen - BICTT (My BICTT Blog)
May 9th, 2011 8:01am
Bob, thank you for the information. I've checked to make sure the name is the same across the board, and it appears to be correct (we are using the FQDN). When I attempt the discovery, this is the exact error we get:
The server certificate on the destination computer (servername) has the following errors: The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.
So I wonder, does this indicate that the Sun box cannot reach a machine to check for revocation? And how do I find out what machine it is trying to check for revocation? In the certificate itself, the issuer is listed as my RMS, so does that mean the Sun machine cannot reach the RMS to check the revocation list? I am sorry in advance that I do not have much granular cert/CA knowledge, so I appreciate everyone bearing with me to work through this if possible.
May 9th, 2011 8:21am
Hi Mike,
In this case, try to generate the certificate again:
Log in to the Linux server and run this command as root:
/opt/microsoft/scx/bin/tools/scxsslconfig -v -f
I think this will also show the Sun box's server name; make sure it is correct and the same as what your RMS is using. Make sure it can resolve the name in both directions (so from the Sun box, resolve the FQDN of the RMS as well), and make sure the right ports are open.
Next, bring that .pem certificate to the management server again (or the RMS, if that's what you are using) and countersign it using the procedure in my blog post. Transfer the file back to the Sun box. Restart the agent with scxadmin. Try to discover again.
Never open these files with Notepad (and especially do not save them with Notepad or WordPad!). Be careful with moving files back and forth between machines, as even here a file can get corrupted.
Bob Cornelissen - BICTT (My BICTT Blog)
May 9th, 2011 8:46am
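The checks in the reply above (certificate name equals the discovery name, forward and reverse name resolution, ports open) can be scripted on the UNIX side before the certificate is sent off for countersigning. The script below is an added example, not code from this thread or from the SCX agent. It assumes, as defaults that are not stated on the page, that the agent certificate is at /etc/opt/microsoft/scx/ssl/scx.pem, that the agent listens on TCP 1270, that sshd is on TCP 22, and that openssl, getent and nc are available; all of these can be overridden with environment variables or arguments.

```shell
#!/bin/sh
# scx_precheck.sh: pre-flight checks for an SCX cross-platform agent host.
# Added example (not part of the original thread or of the SCX agent).
# Assumed defaults below are not from the page; override via env vars.
SCX_PEM=${SCX_PEM:-/etc/opt/microsoft/scx/ssl/scx.pem}   # assumed agent cert path
SCX_PORT=${SCX_PORT:-1270}                                # assumed agent WS-Man port
SSH_PORT=${SSH_PORT:-22}                                  # assumed sshd port

# Extract the CN from an "openssl x509 -noout -subject" line. Handles both the
# old "subject= /DC=x/CN=host" and the newer "subject=DC = x, CN = host" forms.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *//p' | sed 's/[,/].*//; s/[[:space:]]*$//'
}

# Normalise a host name for comparison: lower-case, no trailing dot.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Succeed only if both names are the same host name (short vs. FQDN fails).
names_match() {
    [ "$(norm_name "$1")" = "$(norm_name "$2")" ]
}

# Compare the CN in the agent certificate with the name the RMS discovers on.
check_cert_name() {
    pem=${1:-$SCX_PEM}
    expected=${2:-$(hostname)}
    subj=$(openssl x509 -in "$pem" -noout -subject) || { echo "FAIL: cannot read $pem"; return 2; }
    cn=$(cn_from_subject "$subj")
    if names_match "$cn" "$expected"; then
        echo "OK: certificate CN '$cn' matches '$expected'"
    else
        echo "FAIL: certificate CN '$cn' is not the discovery name '$expected'; regenerate with scxsslconfig -v -f"
        return 1
    fi
}

# Forward and reverse resolution of one name; run it for the agent and the RMS.
check_resolution() {
    name=$1
    ip=$(getent hosts "$name" | awk '{print $1; exit}')
    [ -n "$ip" ] || { echo "FAIL: $name does not resolve"; return 1; }
    back=$(getent hosts "$ip" | awk '{print $2; exit}')
    if names_match "$back" "$name"; then
        echo "OK: $name <-> $ip"
    else
        echo "FAIL: $ip reverse-resolves to '$back', not '$name'"
        return 1
    fi
}

# TCP reachability using nc (assumed installed; adjust for your platform).
check_port() {
    if nc -z -w 3 "$1" "$2" 2>/dev/null; then
        echo "OK: $1:$2 reachable"
    else
        echo "FAIL: $1:$2 not reachable"
        return 1
    fi
}

# Usage: sh scx_precheck.sh --run <agent FQDN> <RMS FQDN>
run_all_checks() {
    agent=$1; rms=$2; rc=0
    check_cert_name "$SCX_PEM" "$agent" || rc=1   # name in cert == discovery name
    check_resolution "$agent" || rc=1             # agent FQDN resolves both ways
    check_resolution "$rms" || rc=1               # RMS FQDN resolves both ways from here
    check_port localhost "$SCX_PORT" || rc=1      # agent is listening
    check_port localhost "$SSH_PORT" || rc=1      # sshd is up for remote signing
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_all_checks "$2" "$3"
fi
```

Run it on the Sun box as root with the FQDN the RMS uses for discovery and the RMS's own FQDN; any FAIL line is the place to look before retrying the countersign and discovery steps.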
Hi,
As Bob mentioned, regenerating the certificates on the client should help.
The following thread also discussed a similar issue; please check if the information in it helps:
http://social.technet.microsoft.com/Forums/en-US/crossplatformgeneral/thread/69e82c79-a8cd-4382-8e4b-9f58dc1f1db4/
May 10th, 2011 2:30am
Thanks for both responses. We've regenerated the certificate, verified that all machines involved are using the same FQDNs, and we still get an error. Until now, nothing was actually showing up in the Operations Manager event log, but something finally came through. The error we're getting is this:
Certificate signing module called with an empty certificate. Check that the remote host can be accessed over SSH.
So does this mean I'm not even opening an SSH session on the Sun box? Or does the "empty certificate" part mean something else? As usual, thanks in advance for your input.
May 10th, 2011 8:37am
Could still point to a few different things. So, in what stage of the process are you now? You created a new cert on the Sun box. You transferred the .pem file from the Sun box to the management server using WinSCP or whatever method, right? So are you now trying to sign the cert at the MS, or have you already done that and moved it back to the Sun box and restarted the agent there?
In the first case, your management server action account might not have enough rights on the management server.
In the second case, that would be strange. It could be that it is not able to get an SSH connection. Always try to make an SSH connection from the MS machine to the Sun box and check that you are using SSH.
Bob Cornelissen - BICTT (My BICTT Blog)
May 10th, 2011 1:24pm