Friday, August 23, 2013

Deploying SCOM 2012 SP1 in FIPS Enabled Environment (pt2)

Part 1 covered how to detect whether FIPS is enabled and how to fix the problem it causes for SSRS. This post covers the SCOM Management Servers and how to resolve the issue there.

Assuming that SSRS is now successfully fixed and you are able to browse the reports in the browser, you proceed to bring up the SCOM server. After a while, the SCOM server will show a Warning indicating that the XML for the configurations cannot be loaded due to a FIPS compliance issue.

You should be able to resolve the issue with the solutions posted in this article, and it should work nicely.

If you are installing the SCOM MS on Windows Server 2012, you might need to install the Windows SDK or the Visual Studio Command Prompt in order to run gacutil.exe. Another way to proceed without installing the additional software is to use remotegacutil, from http://remotegacutil.codeplex.com/, which lets you install the required DLL easily. The only requirement for this tool is that .NET 3.5 is installed.

Monday, August 12, 2013

Deploying SCOM 2012 SP1 in FIPS Enabled Environment (pt1)

In one of my earliest posts, the SCOM installation checklist, one of the items is to check whether the deployment environment has FIPS (Federal Information Processing Standards) enabled. (You can learn more about FIPS here.)

As time went by, I stumbled upon yet another SCOM deployment where FIPS is enabled as part of the client's security hardening. What I did was to first install SQL Server and Reporting Services and verify that the SSRS webpage was accessible before building my SCOM servers. What was least expected was that the report page was completely blank. Setting IE not to display friendly error messages did not show any error on the page either. I got stuck, and after some searching here and there, it seemed it might be due to FIPS being enabled in the environment.

To find out whether FIPS is enabled, launch the registry editor and locate the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy

If it is enabled, the value will be 1.
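
The same check from PowerShell, as an added example that is not part of the original post. It goes slightly beyond the text: it reads both the newer registry layout (a FipsAlgorithmPolicy subkey with an Enabled value) and the older one (a fipsalgorithmpolicy value directly under Lsa), and also asks .NET whether it is enforcing FIPS-only algorithms. The function name Get-FipsPolicyState is hypothetical.

```powershell
# Added example, not from the original post.
# Get-FipsPolicyState is a hypothetical helper name.
function Get-FipsPolicyState {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Windows Vista / Server 2008 and later: FipsAlgorithmPolicy is a subkey
    # holding a DWORD value named Enabled.
    $subkeyEnabled = $null
    $sub = Get-ItemProperty -Path "$lsaPath\FipsAlgorithmPolicy" -ErrorAction SilentlyContinue
    if ($sub -and $sub.PSObject.Properties['Enabled']) {
        $subkeyEnabled = [int]$sub.Enabled
    }

    # Windows XP / Server 2003: fipsalgorithmpolicy is a DWORD value stored
    # directly under the Lsa key.
    $legacyValue = $null
    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.PSObject.Properties['fipsalgorithmpolicy']) {
        $legacyValue = [int]$lsa.fipsalgorithmpolicy
    }

    # What the .NET Framework will enforce for managed code such as SSRS and SCOM.
    # The property is missing on very old framework versions, hence the try/catch.
    $dotNetFipsOnly = $null
    try {
        $dotNetFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    } catch { }

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        SubkeyEnabled  = $subkeyEnabled
        LegacyValue    = $legacyValue
        DotNetFipsOnly = $dotNetFipsOnly
        FipsEnabled    = (($subkeyEnabled -eq 1) -or ($legacyValue -eq 1))
    } | Select-Object ComputerName, SubkeyEnabled, LegacyValue, DotNetFipsOnly, FipsEnabled
}

Get-FipsPolicyState | Format-List
```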


First, to fix the SSRS blank page issue, browse to <driver>:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\LogFiles. Open the log files and search for FIPS. If it is a FIPS-related issue, you will see something similar to this.

image


When you see the error message above, do the following.

    1. In a text editor such as Notepad, open the Report Manager Web.config file which is located in the default path: <driver>:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportManager.
    2. In the Web.config file, locate the <system.web> section.
    3. Add the following <machineKey> section to the <system.web> section:
      <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
    4. Save the Web.config file.
    5. Once done, restart Reporting Services and try to access the Reports page again. By now, you should be able to access the page.
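
The log search and steps 1 to 4 as a script, as an added example that is not part of the original post. The function names Find-FipsLogEntry and Add-FipsMachineKey are hypothetical, and the script assumes the Report Manager Web.config has a plain `<configuration>` root element with no XML namespace.

```powershell
# Added example, not from the original post. Function names are hypothetical.

# Search the SSRS log files for FIPS-related entries (case-insensitive).
function Find-FipsLogEntry {
    param([Parameter(Mandatory = $true)][string]$LogDir)
    Get-ChildItem -Path $LogDir -Filter *.log |
        Select-String -Pattern 'FIPS' -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

# Add the <machineKey> element from step 3 to <system.web>, once only.
function Add-FipsMachineKey {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath)

    $path = (Resolve-Path $WebConfigPath).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    # Assumption: <configuration> carries no XML namespace.
    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) { throw "No <system.web> section found in $path" }
    if ($systemWeb.SelectSingleNode('machineKey')) {
        Write-Warning 'A <machineKey> element already exists; review it by hand.'
        return $false
    }

    # Keep a timestamped backup outside the web directory for rollback.
    $backup = Join-Path $env:TEMP ("ReportManager.Web.config.{0:yyyyMMddHHmmss}.bak" -f (Get-Date))
    Copy-Item -Path $path -Destination $backup

    $mk = $xml.CreateElement('machineKey')
    $mk.SetAttribute('validationKey', 'AutoGenerate,IsolateApps')
    $mk.SetAttribute('decryptionKey', 'AutoGenerate,IsolateApps')
    $mk.SetAttribute('validation', '3DES')
    $mk.SetAttribute('decryption', '3DES')
    [void]$systemWeb.AppendChild($mk)
    $xml.Save($path)
    return $true
}

# Usage (drive letter and instance path are assumptions; adjust to your install):
# $root = 'C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services'
# Find-FipsLogEntry -LogDir "$root\LogFiles"
# Add-FipsMachineKey -WebConfigPath "$root\ReportManager\Web.config"
```

Run it from an elevated prompt, then restart Reporting Services as in step 5.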


Wednesday, April 10, 2013

Exchange MP and PowerShell 2.0

Normally, after you import a Management Pack and all the discoveries have completed, you will see the health status begin to appear in the SCOM console, followed by SCOM periodically executing the scripts defined within the MP to capture performance data. This includes the Exchange MP.

In a particular assignment, after the Exchange 2007 MP had been imported, the servers with Exchange roles were successfully discovered but lacked certain information, one item being the number of mailboxes on each of the mailbox servers. At first I thought it might be because the MS was still collecting the data, but after some time (even days) the value still had not appeared.

With help from the SCOM guru, and after checking the mailbox servers, we found quite a number of errors in the OperationsManager event log, with the following message.

image

Checking further on the net, we deduced that the servers hosting the Exchange roles (which were running Windows Server 2003) needed PowerShell 2.0 installed. Fortunately there was a DR server on which we could try to prove our point. Once PowerShell 2.0 was installed, things just started to work as expected.

Monitoring Java EE Application Servers

We all know that SCOM is fantastic at monitoring Microsoft roles and services with the relevant Management Packs, but what about non-Windows platforms?

I recently deployed a SCOM agent to monitor an Ubuntu server (and the Ubuntu server is hosted pretty much well on a Windows 2012 host), and the server was installed with Apache Tomcat and MySQL.

We are able to monitor the service availability of the Tomcat server via a simple service monitor, but what if we are required to perform deeper monitoring of the availability of the hosted applications and the performance of Tomcat?

You can either purchase a third-party MP or download the Java EE MP from the Microsoft website to do the same.

The Java EE management packs can be downloaded from the official website http://www.microsoft.com/en-us/download/details.aspx?id=29270, and for first-time users it will be useful to go through the SC2012OM_JEE_Readme.txt included on the MP download page.

For a start, I am testing on an Apache Tomcat 6.0 web server. When the MP was imported, things were not automatically discovered, even after I had deployed BeanSpy.

Next, copy the following PowerShell scripts into a single folder and run NewJEEAppServer.ps1:

JEEAppServerLibrary.ps1
NewJEEAppServer.ps1
RemoveJEEAppServer.ps1 (optional, as I am not removing any server)

image

If everything goes smoothly, it should display the response shown above. When discovery is done, you should be able to see some of the views (state and performance).

image


SCOM Cross Platform monitoring

This is based on one of my SCOM assignments, which required Ubuntu to be monitored. We all know that with the previous SCOM 2012 this might not be possible (well, we can still use SNMP to monitor whether the server is up or down, but nothing further than that, I guess).

With the release of System Center SP1, in which monitoring of the versions and variants of cross-platform OS has been extended, I am quite eager to see how this is possible.

What I have in the lab is a virtual Ubuntu 12.04 server hosted on a Windows Server 2012 server, with Apache Tomcat and MySQL services installed. The first step is to install the SCOM agent, and to make things easier, I have been using the root account for the agent installation.

Some of the screens from the monitoring are shown below.

image


Stay tuned to my upcoming posts on monitoring Apache Tomcat Web Server via Microsoft JEE Application Server MP.

Thursday, February 7, 2013

Error in installing additional SCOM Management Server

I would not call myself an expert, even though I have been working with SCOM for quite some time, and the error below was the first of its kind I had encountered, during a recent engagement. It occurred when I tried to install a third SCOM management server, which was totally unexpected, since the installation of the first and second MS had completed successfully without much hiccup.

I tried to repeat the installation, but the failure rate was 100%. Checking the internet, it seems that this might have something to do with an SQL connection timeout while the installation was trying to connect to the SCOM DB server to register the new Management Server.

One thing you could try is to extend the duration before the connection times out. This requires updating the registry of the server before the installation is restarted. The following is the key that needs to be created.

image

Once created, reboot the server and try to install the SCOM Management Server again. It should work this time (well, at least it worked for me).

Note: before you reinstall the MS, you must remove that particular server from the management server list via the Operations Console. If not, you will not be able to select the OpsMgr database during the MS installation.