Unix/Linux Universal Agent and FIPS Compliance

    Question

  • I have a number of FIPS compliant Oracle Linux servers that I am unable to monitor due to this. It seems like the agent install quits as soon as it discovers the machine is FIPS:

    ```

    Line 7047 - clone() invoked PID 7601.

    Line 7070 - PID 7601 execve() /opt/microsoft/scx/bin/omiserver

    Line 7080 - PID 7601 open() /opt/microsoft/scx/lib/libssl.so.1.0.0

    Line 7087 - PID 7601 open() /opt/microsoft/scx/lib/libcrypto.so.1.0.0

    Line 7231 - PID 7601 open() /lib64/libselinux.so.1

    Line 7303 - PID 7601 open() /usr/lib64/libcrypto.so.1.0.1e

    Line 7309 - PID 7601 open() /proc/sys/crypto/fips_enabled

    Line 7310 - PID 7601 read() /proc/sys/crypto/fips_enabled (It's 1/enabled.)

    Line 7311 - PID 7601 close() /proc/sys/crypto/fips_enabled

    Line 7312 - PID 7601 write() the fips.c error to STDERR.

    ```

    The next four lines process a SIGABRT that PID 7601 sends itself. The STDOUT/STDERR of the start attempt were

    ```

    [root@???????x ~]# service scx-cimd start

    Starting Microsoft SCX CIM Server: fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

    /bin/bash: line 1: 17626 Aborted                 /opt/microsoft/scx/bin/omiserver -d

                                                               [FAILED]

    ```

    The error gets written as soon as the fips_enabled file gets read? Is this an automatic "can't do FIPS" failure, maybe? I don't see any indication that a read() of /usr/lib64/libssl.so.1.0.1e is even attempted. Are these libraries FIPS compliant? What's happening here?


    • Edited by HS Brown Wednesday, June 22, 2016 10:09 PM
    Wednesday, June 22, 2016 10:08 PM

Answers

  • Well, this took us far too long to resolve.  We chased our tail for quite a while, but ultimately discovered what the real problem is.  The really good news is that problem has an easy fix, and can be easily worked around before Microsoft releases a fix.

    The failure is due to the OMI executables being unable to locate some auxiliary files that go with libssl.so and libcrypto.so.  These auxiliary files are needed only when operating in FIPS mode, so that's why the problem only crops up when FIPS is enabled.  The solution is to create two additional symlinks so that the OMI executables can find these auxiliary files.

    For RHEL/CentOS/Oracle Linux version 6.x (64-bit version) running OpsMgr 2012 R2, the links for locating libssl.so and libcrypto.so are in /opt/microsoft/scx/lib.  To solve the problem, go to this directory as 'root', and run the following two shell command lines:

    # ln -s /usr/lib64/.libssl.so.10.hmac .libssl.so.1.0.0.hmac

    # ln -s /usr/lib64/.libcrypto.so.10.hmac .libcrypto.so.1.0.0.hmac

    These links will enable the OMI executable to find the hmac files that are needed in FIPS mode.  That's all there is to it, and OMI should now work in FIPS mode.

    If you are running a different Linux distro or version, or OpsMgr 2016, the symlinks might be slightly different or in a different location, but the issue is the same -- finding the hmac files. 

    Separately, we will work on updating the OpsMgr agent installer so that in a future Update Rollup, it will automatically create these symlinks in addition to the two main symlinks for libssl and libcrypto that it already creates.


    Michael Kelley, Lead Program Manager, Open Source Technology Center

    Friday, December 2, 2016 6:07 PM
    Moderator
  • My suggestion is to install our kit, and let the installation fail.  At this point, you should see something like:

    fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
    /var/tmp/rpm-tmp.kSP7C1: line 341: 24795 Aborted                /opt/microsoft/scx/bin/tools/scxsslconfig
    warning: %post(scx-1.5.1-184.x86_64) scriptlet failed, exit status 1

    At this point, two things have happened:

    1. We failed to generate a certificate because of the FIPS issue, and
    2. We failed to start the server.

    At this point, you should go to /opt/microsoft/scx/lib and set up the links. Here's a log of what I did:

    [root@os64-ora67-01 ~]# rpm --install scx-1.5.1-184.universalr.1.x64.rpm 
    Checking existence of /lib64/libssl.so.1.0.1e-fips and /lib64/libcrypto.so.1.0.1e-fips ...
    Checking existence of /lib64/libssl.so.1.0.1- and /lib64/libcrypto.so.1.0.1- ...
    Checking existence of /lib64/libssl.so.1.0.1e and /lib64/libcrypto.so.1.0.1e ...
    Checking existence of /lib64/libssl.so.1.0.1 and /lib64/libcrypto.so.1.0.1 ...
    Checking existence of /lib64/libssl.so.1.0.0 and /lib64/libcrypto.so.1.0.0 ...
    Checking existence of /usr/lib64/libssl.so.1.0.1e-fips and /usr/lib64/libcrypto.so.1.0.1e-fips ...
    Checking existence of /usr/lib64/libssl.so.1.0.1- and /usr/lib64/libcrypto.so.1.0.1- ...
    Checking existence of /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...
      Found /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...
    fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
    /var/tmp/rpm-tmp.SxPhxm: line 341:  2736 Aborted                 (core dumped) /opt/microsoft/scx/bin/tools/scxsslconfig
    warning: %post(scx-1.5.1-184.x86_64) scriptlet failed, exit status 1
    [root@os64-ora67-01 ~]# 
    [root@os64-ora67-01 ~]# pushd /opt/microsoft/scx/lib
    /opt/microsoft/scx/lib ~
    [root@os64-ora67-01 lib]# ln -s /usr/lib64/.libssl.so.10.hmac .libssl.so.1.0.0.hmac
    [root@os64-ora67-01 lib]# ln -s /usr/lib64/.libcrypto.so.10.hmac .libcrypto.so.1.0.0.hmac
    [root@os64-ora67-01 lib]# popd
    ~
    [root@os64-ora67-01 ~]# 
    [root@os64-ora67-01 ~]# /opt/microsoft/scx/bin/tools/scxsslconfig -f
    Generating certificate with hostname="os64-ora67-01", domainname="scx.com"
    [root@os64-ora67-01 ~]# /etc/init.d/scx-cimd start
    Starting Microsoft SCX CIM Server:                         [  OK  ]
    [root@os64-ora67-01 ~]# ps -ef | grep omi
    root     22421     1  0 15:15 ?        00:00:00 /opt/microsoft/scx/bin/omiserver -d
    root     22423  2348  0 15:15 pts/0    00:00:00 grep omi
    [root@os64-ora67-01 ~]# 

    Let me know if you have further questions, and I'll do my best to help you out.

    /Jeff

    Monday, December 12, 2016 11:18 PM
    Moderator
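
The check below is an added example, not part of the thread or of Microsoft's agent kit: a read-only shell audit of the condition the two answers above describe, namely that every libssl/libcrypto symlink in the agent's lib directory has a matching `.NAME.hmac` link beside it. The function names and status labels are made up for this example; the naming pattern is the one visible in the `ln -s` commands above.

```shell
#!/bin/sh
# Added example: read-only audit of the FIPS .hmac companion links.
# Assumption (pattern taken from the ln -s commands in the answers): a library
# reached as DIR/NAME needs DIR/.NAME.hmac, and the real checksum file sits
# beside the link target as TARGETDIR/.TARGETNAME.hmac.

# fips_enabled [FILE]: succeed when the kernel FIPS flag file contains 1.
fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]; then
        return 0
    fi
    return 1
}

# audit_hmac_links DIR: print one status line per libssl/libcrypto symlink
# found in DIR. The return status is the number of links whose .hmac
# companion is missing, dangling, or has no source file to point at.
audit_hmac_links() {
    lib_dir="$1"
    problems=0
    for lib in "$lib_dir"/libssl.so.* "$lib_dir"/libcrypto.so.*; do
        # Skips unmatched glob patterns and regular (non-symlink) files.
        if [ ! -L "$lib" ]; then
            continue
        fi
        target="$(readlink "$lib")"
        # A relative link target is resolved against the link's directory.
        case "$target" in
            /*) ;;
            *) target="$lib_dir/$target" ;;
        esac
        hmac_link="$lib_dir/.$(basename "$lib").hmac"
        hmac_src="$(dirname "$target")/.$(basename "$target").hmac"
        if [ -e "$hmac_link" ]; then
            echo "OK       $hmac_link"
        elif [ -L "$hmac_link" ]; then
            echo "DANGLING $hmac_link -> $(readlink "$hmac_link")"
            problems=$((problems + 1))
        elif [ -e "$hmac_src" ]; then
            echo "MISSING  $hmac_link (fix: ln -s $hmac_src $hmac_link)"
            problems=$((problems + 1))
        else
            echo "NO-HMAC  $hmac_src does not exist beside the link target"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Runs only when a directory is passed on the command line.
if [ "$#" -ge 1 ]; then
    if fips_enabled; then
        echo "FIPS mode: enabled"
    else
        echo "FIPS mode: not enabled"
    fi
    audit_hmac_links "$1"
fi
```

Saved under a name of your choice and run as `sh <script> /opt/microsoft/scx/lib`, it changes nothing on disk, and its exit status is the number of problem links.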

All replies

  • Looks like OpenSSL is what is barfing, which is what the agent depends on. What version of openssl is installed?

        openssl version

    What version of Oracle Linux is this?

    What version of the agent are you running [scxadmin -v]?

    What happens if you run the following as root?   

          /opt/microsoft/scx/bin/omiserver

    Regards,

    -Steve

    Wednesday, June 22, 2016 11:40 PM
    Moderator
  • Oracle Linux 6.x (This has occurred on 4 servers, and only 4 out of ~100, and only the four that are FIPS, configured per Red Hat doc here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html)

    OpenSSL = 1.0

    Our glibc is 2.12-1.192, so we’re well ahead of minimum there.
    Our pam is 1.1.1-20, so we’re well ahead of minimum there, too.

    Agent versions being deployed are 1.5.1-184 (Latest)

    We are successfully push installing all agents (save these) which don't want to install either via push or manually. They fail before the certificate generation/signing process, so it doesn't seem to be that.

    Thursday, June 23, 2016 12:01 AM
  • Trying to repro in our test environment. I'll reply soon.

    -Steve

    Thursday, June 23, 2016 12:06 PM
    Moderator
  • I can reproduce this in our lab and we do not currently support FIPS and there is no workaround without disabling FIPS on the system. If this is something you want supported with the SCOM UNIX/Linux agents, please open a ticket with Microsoft support and have them create a 'Design Change Request' [DCR] so that it gets escalated and pushed back to our team.

    I will also pass this post on to our management so they have reference but the DCR will be your quickest results.

    Regards,

    -Steve

    Friday, June 24, 2016 7:36 PM
    Moderator
  • Thanks, Steve, we're in the process of creating the DCR now. However, I do want to call out that if non-support for something isn't declared in the MP/Agent documentation, this qualifies as a bug. And I don't think that would mean there is a bug in the documentation, either. :D

    Hopefully we can get this resolved soon. This could reduce the MSFT footprint in the .gov space, and other orgs that need this kind of security. Cheers!

    Friday, June 24, 2016 8:38 PM
  • This is WONDERFUL news. We will hopefully be able to implement and test in production some time next week, and I will respond with results here (negative or positive).

    Thanks very much!

    Friday, December 2, 2016 6:15 PM
  • OK... We're still running into some issues here. We've conducted three tests, and I'll post the results here in order, with identifying information marked by [REDACTED]

    ###

    ### STRAIGHT INSTALLATION

    ###

    [root@[REDACTED] ~]# rpm -qa | grep scx

    scx-1.5.1-184.x86_64

    [root@[REDACTED] ~]# rpm -e scx-1.5.1-184.x86_64

    Shutting down Microsoft SCX CIM Server: [FAILED]

    rm: cannot remove `/opt/microsoft/scx/lib': Is a directory

    warning:    erase unlink of /var/opt/microsoft/scx/tmp failed: No such file or directory

    warning: /etc/opt/microsoft/scx/conf/scxrunas.conf saved as /etc/opt/microsoft/scx/conf/scxrunas.conf.rpmsave

    [root@[REDACTED] ~]# rpm -qa | grep scx || echo "Not found"

    Not found

    [root@[REDACTED] ~]# rm -rfv /etc/opt/microsoft/ /var/opt/microsoft /opt/microsoft/

    removed `/etc/opt/microsoft/scx/conf/scxrunas.conf.rpmsave'

    removed directory: `/etc/opt/microsoft/scx/conf'

    removed directory: `/etc/opt/microsoft/scx'

    removed directory: `/etc/opt/microsoft'

    removed `/opt/microsoft/scx/lib_openssl_1.0.0/libcrypto.so.1.0.0'

    removed `/opt/microsoft/scx/lib_openssl_1.0.0/libssl.so.1.0.0'

    removed directory: `/opt/microsoft/scx/lib_openssl_1.0.0'

    removed `/opt/microsoft/scx/lib/lib_openssl_1.0.0'

    removed `/opt/microsoft/scx/lib/.libcrypto.so.1.0.0.hmac'

    removed `/opt/microsoft/scx/lib/.libssl.so.1.0.0.hmac'

    removed directory: `/opt/microsoft/scx/lib'

    removed directory: `/opt/microsoft/scx'

    removed directory: `/opt/microsoft'

    [root@[REDACTED] ~]# rpm -i /var/www/html/yum/scom/scom/scx-1.5.1-184.universalr.1.x64.rpm

    Checking existence of /lib64/libssl.so.1.0.1e-fips and /lib64/libcrypto.so.1.0.1e-fips ...

    Checking existence of /lib64/libssl.so.1.0.1- and /lib64/libcrypto.so.1.0.1- ...

    Checking existence of /lib64/libssl.so.1.0.1e and /lib64/libcrypto.so.1.0.1e ...

    Checking existence of /lib64/libssl.so.1.0.1 and /lib64/libcrypto.so.1.0.1 ...

    Checking existence of /lib64/libssl.so.1.0.0 and /lib64/libcrypto.so.1.0.0 ...

    Checking existence of /usr/lib64/libssl.so.1.0.1e-fips and /usr/lib64/libcrypto.so.1.0.1e-fips ...

    Checking existence of /usr/lib64/libssl.so.1.0.1- and /usr/lib64/libcrypto.so.1.0.1- ...

    Checking existence of /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...

      Found /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...

    fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

    /var/tmp/rpm-tmp.i2H8Mk: line 341: 21314 Aborted                 /opt/microsoft/scx/bin/tools/scxsslconfig

    warning: %post(scx-1.5.1-184.x86_64) scriptlet failed, exit status 1

    [root@[REDACTED] ~]# cd /opt/microsoft/scx/lib

    [root@[REDACTED] lib]# ls -al

    total 6312

    drwxr-xr-x. 2 root root    4096 Dec  7 11:07 .

    drwxr-xr-x. 6 root root    4096 Dec  7 11:07 ..

    lrwxrwxrwx. 1 root root      26 Dec  7 11:07 libcrypto.so.1.0.0 -> /usr/lib64/libcrypto.so.10

    -rwxr-xr-x. 1 root root  869764 Jan 28  2016 libmicxx.so

    -rwxr-xr-x. 1 root root 1006044 Jan 28  2016 libomiclient.so

    -rwxr-xr-x. 1 root root  223347 Jan 28  2016 libomiidentify.so

    -rwxr-xr-x. 1 root root 4347721 Jan 28  2016 libSCXCoreProviderModule.so

    lrwxrwxrwx. 1 root root      23 Dec  7 11:07 libssl.so.1.0.0 -> /usr/lib64/libssl.so.10

    ###

    ### INSTALLATION AFTER CREATING LINKS

    ###

    [root@[REDACTED] ~]# rpm -qa | grep scx

    scx-1.5.1-184.x86_64

    [root@[REDACTED] ~]# rpm -e scx-1.5.1-184.x86_64

    Shutting down Microsoft SCX CIM Server: /etc/init.d/scx-cimd: line 78: 21148 Aborted                 $SCX_CIMD_BIN -s > /dev/null 2>&1

    [FAILED]

    warning:    erase unlink of /var/opt/microsoft/scx/tmp failed: No such file or directory

    warning: /etc/opt/microsoft/scx/conf/scxrunas.conf saved as /etc/opt/microsoft/scx/conf/scxrunas.conf.rpmsave

    [root@[REDACTED] ~]# rpm -qa | grep scx || echo "Not found"

    Not found

    [root@[REDACTED] ~]# rm -rfv /etc/opt/microsoft/ /var/opt/microsoft /opt/microsoft/

    removed `/etc/opt/microsoft/scx/ssl/.libssl.so.1.0.0.hmac'

    removed `/etc/opt/microsoft/scx/ssl/.libcrypto.so.1.0.0.hmac'

    removed directory: `/etc/opt/microsoft/scx/ssl'

    removed `/etc/opt/microsoft/scx/conf/scxrunas.conf.rpmsave'

    removed directory: `/etc/opt/microsoft/scx/conf'

    removed directory: `/etc/opt/microsoft/scx'

    removed directory: `/etc/opt/microsoft'

    removed `/opt/microsoft/scx/lib_openssl_1.0.0/libcrypto.so.1.0.0'

    removed `/opt/microsoft/scx/lib_openssl_1.0.0/libssl.so.1.0.0'

    removed directory: `/opt/microsoft/scx/lib_openssl_1.0.0'

    removed directory: `/opt/microsoft/scx'

    removed directory: `/opt/microsoft'

    [root@[REDACTED] ~]# mkdir -p /opt/microsoft/scx/lib

    [root@[REDACTED] ~]# cd /opt/microsoft/scx/lib/

    [root@[REDACTED] lib]# ln -s /usr/lib64/.libssl.so.10.hmac .libssl.so.1.0.0.hmac

    [root@[REDACTED] lib]# ln -s /usr/lib64/.libcrypto.so.10.hmac .libcrypto.so.1.0.0.hmac

    [root@[REDACTED] lib]# ls -al

    total 8

    drwx------. 2 root root 4096 Dec  7 11:03 .

    drwx------. 3 root root 4096 Dec  7 11:03 ..

    lrwxrwxrwx. 1 root root   32 Dec  7 11:03 .libcrypto.so.1.0.0.hmac -> /usr/lib64/.libcrypto.so.10.hmac

    lrwxrwxrwx. 1 root root   29 Dec  7 11:03 .libssl.so.1.0.0.hmac -> /usr/lib64/.libssl.so.10.hmac

    [root@[REDACTED] lib]# cd

    [root@[REDACTED] ~]# rpm -i /var/www/html/yum/scom/scom/scx-1.5.1-184.universalr.1.x64.rpm

    Checking existence of /lib64/libssl.so.1.0.1e-fips and /lib64/libcrypto.so.1.0.1e-fips ...

    Checking existence of /lib64/libssl.so.1.0.1- and /lib64/libcrypto.so.1.0.1- ...

    Checking existence of /lib64/libssl.so.1.0.1e and /lib64/libcrypto.so.1.0.1e ...

    Checking existence of /lib64/libssl.so.1.0.1 and /lib64/libcrypto.so.1.0.1 ...

    Checking existence of /lib64/libssl.so.1.0.0 and /lib64/libcrypto.so.1.0.0 ...

    Checking existence of /usr/lib64/libssl.so.1.0.1e-fips and /usr/lib64/libcrypto.so.1.0.1e-fips ...

    Checking existence of /usr/lib64/libssl.so.1.0.1- and /usr/lib64/libcrypto.so.1.0.1- ...

    Checking existence of /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...

      Found /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...

    /opt/microsoft/scx/bin/tools/.scxsslconfig: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory

    warning: %post(scx-1.5.1-184.x86_64) scriptlet failed, exit status 1

    [root@[REDACTED] ~]# cd /opt/microsoft/scx/lib/

    [root@[REDACTED] lib]# ls -al

    total 8

    drwx------. 2 root root 4096 Dec  7 11:04 .

    drwxr-xr-x. 7 root root 4096 Dec  7 11:04 ..

    lrwxrwxrwx. 1 root root   32 Dec  7 11:03 .libcrypto.so.1.0.0.hmac -> /usr/lib64/.libcrypto.so.10.hmac

    lrwxrwxrwx. 1 root root   17 Dec  7 11:04 lib_openssl_1.0.0 -> lib_openssl_1.0.0

    lrwxrwxrwx. 1 root root   29 Dec  7 11:03 .libssl.so.1.0.0.hmac -> /usr/lib64/.libssl.so.10.hmac

    ###

    ### INTERPRETATION

    ###

    Linking the HMAC files by hand seems to eliminate the fips.c ASSERT. However, it looks like the scripted process of linking libssl and libcrypto into /opt/microsoft/scx/lib fails when the directory and/or .hmac files already exist.

    Additionally, I noticed that the default installation created hmac files (links?) in /etc/opt/microsoft/scx/ssl/, where the suggestion for manual symbolic links recommended they go in /opt/microsoft/scx/lib.

    ###

    ### END

    ###

    And here's the third test. It still fails with the fips.c ASSERT. I think the failure in the tests with symlinks in /opt/microsoft/scx/lib happens before the script gets to the point of testing fips.c.

    ###

    ### ADD SYMBOLIC LINKS IN /etc/opt/microsoft/ssl

    ###

    [root@[REDACTED] ~]# rpm -qa | grep scx

    scx-1.5.1-184.x86_64

    [root@[REDACTED] ~]# rpm -e scx-1.5.1-184.x86_64

    Shutting down Microsoft SCX CIM Server: /etc/init.d/scx-cimd: line 78: 24714 Aborted                 $SCX_CIMD_BIN -s > /dev/null 2>&1

    [FAILED]

    warning:    erase unlink of /var/opt/microsoft/scx/tmp failed: No such file or directory

    warning: /etc/opt/microsoft/scx/conf/scxrunas.conf saved as /etc/opt/microsoft/scx/conf/scxrunas.conf.rpmsave

    [root@[REDACTED] lib]# rm -rfv /etc/opt/microsoft/ /var/opt/microsoft /opt/microsoft/

    removed `/etc/opt/microsoft/scx/conf/scxrunas.conf.rpmsave'

    removed directory: `/etc/opt/microsoft/scx/conf'

    removed directory: `/etc/opt/microsoft/scx'

    removed directory: `/etc/opt/microsoft'

    removed `/opt/microsoft/scx/lib_openssl_1.0.0/libcrypto.so.1.0.0'

    removed `/opt/microsoft/scx/lib_openssl_1.0.0/libssl.so.1.0.0'

    removed directory: `/opt/microsoft/scx/lib_openssl_1.0.0'

    removed directory: `/opt/microsoft/scx'

    removed directory: `/opt/microsoft'

    [root@[REDACTED] ~]# mkdir -p /etc/opt/microsoft/scx/ssl

    [root@[REDACTED] ~]# cd /etc/opt/microsoft/scx/ssl

    [root@[REDACTED] ssl]# ln -s /usr/lib64/.libssl.so.10.hmac .libssl.so.1.0.0.hmac

    [root@[REDACTED] ssl]# ln -s /usr/lib64/.libcrypto.so.10.hmac .libcrypto.so.1.0.0.hmac

    [root@[REDACTED] ssl]# ls -al

    total 8

    drwx------. 2 root root 4096 Dec  7 11:37 .

    drwx------. 3 root root 4096 Dec  7 11:36 ..

    lrwxrwxrwx. 1 root root   32 Dec  7 11:37 .libcrypto.so.1.0.0.hmac -> /usr/lib64/.libcrypto.so.10.hmac

    lrwxrwxrwx. 1 root root   29 Dec  7 11:37 .libssl.so.1.0.0.hmac -> /usr/lib64/.libssl.so.10.hmac

    [root@[REDACTED] ssl]# rpm -i /var/www/html/yum/scom/scom/scx-1.5.1-184.universalr.1.x64.rpm

    Checking existence of /lib64/libssl.so.1.0.1e-fips and /lib64/libcrypto.so.1.0.1e-fips ...

    Checking existence of /lib64/libssl.so.1.0.1- and /lib64/libcrypto.so.1.0.1- ...

    Checking existence of /lib64/libssl.so.1.0.1e and /lib64/libcrypto.so.1.0.1e ...

    Checking existence of /lib64/libssl.so.1.0.1 and /lib64/libcrypto.so.1.0.1 ...

    Checking existence of /lib64/libssl.so.1.0.0 and /lib64/libcrypto.so.1.0.0 ...

    Checking existence of /usr/lib64/libssl.so.1.0.1e-fips and /usr/lib64/libcrypto.so.1.0.1e-fips ...

    Checking existence of /usr/lib64/libssl.so.1.0.1- and /usr/lib64/libcrypto.so.1.0.1- ...

    Checking existence of /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...

      Found /usr/lib64/libssl.so.1.0.1e and /usr/lib64/libcrypto.so.1.0.1e ...

    fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

    /var/tmp/rpm-tmp.kSP7C1: line 341: 24795 Aborted                 /opt/microsoft/scx/bin/tools/scxsslconfig

    warning: %post(scx-1.5.1-184.x86_64) scriptlet failed, exit status 1

    --

    Wednesday, December 7, 2016 9:11 PM
  • Looks like we missed a step:

    [root@os64-ora67-01 ~]# /opt/microsoft/scx/bin/tools/scxsslconfig -f

    Once this step had been performed, agents are now green (so far) and everything is working, many thanks for the assistance!!

    Friday, December 16, 2016 6:40 PM