The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.
Use the information in the following sections to help you plan to deploy the Configuration Manager client for Linux and UNIX.
- Prerequisites for Client Deployment to Linux and UNIX Servers
- Planning for Communication across Forest Trusts for Linux and UNIX Servers
- Planning for Security and Certificates for Linux and UNIX Servers
- About Linux and UNIX Operating Systems That do not Support SHA-256
Planning for Client Deployment to Linux and UNIX Servers
Before you deploy the Configuration Manager client for Linux and UNIX, review the information in this section to help you plan for a successful deployment.
Prerequisites for Client Deployment to Linux and UNIX Servers
Use the following information to determine the prerequisites you must have in place to successfully install the client for Linux and UNIX.
Dependencies External to Configuration Manager:
Planning for Communication across Forest Trusts for Linux and UNIX Servers
Linux and UNIX servers that you manage with Configuration Manager operate as workgroup clients and require configurations similar to those of Windows-based clients that are in a workgroup. For information about communications from computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Service Location by the client for Linux and UNIX
Planning for Security and Certificates for Linux and UNIX Servers
For secure and authenticated communications with Configuration Manager sites, the Configuration Manager client for Linux and UNIX uses the same model for communication as the Configuration Manager client for Windows.
When you install the Linux and UNIX client, you can assign the client a PKI certificate that enables it to use HTTPS to communicate with Configuration Manager sites. If you do not assign a PKI certificate, the client creates a self-signed certificate and communicates only by HTTP.
Clients that are provided a PKI certificate when they install use HTTPS to communicate with management points. When a client is unable to locate a management point that supports HTTPS, it falls back to using HTTP with the provided PKI certificate.
When a Linux or UNIX client uses a PKI certificate, you do not have to approve it. When a client uses a self-signed certificate, review the hierarchy settings for client approval in the Configuration Manager console. If the client approval method is not Automatically approve all computers (not recommended), you must manually approve the client.
For information about how to use certificates in Configuration Manager, see PKI Certificate Requirements for Configuration Manager.
About Certificates for use by Linux and UNIX Servers
Configuring Certificates for Linux and UNIX Servers
About Linux and UNIX Operating Systems That do not Support SHA-256
The following Linux and UNIX operating systems that are supported as clients for Configuration Manager were released with versions of OpenSSL that do not support SHA-256:
- Red Hat Enterprise Linux Version 4
- Solaris Version 9 (SPARC) and Solaris Version
- SUSE Linux Enterprise Server Version 9
- HP-UX Version 11iv2 (PA-RISC/IA64)
To manage these operating systems with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX with a command line switch that directs the client to skip validation of SHA-256. Configuration Manager clients that run on these operating system versions operate in a less secure mode than clients that support SHA-256. This less secure mode of operation has the following behavior:
- Clients do not validate the site server signature associated with policy they request from a management
- Clients do not validate the hash for packages that they download from a distribution point.
The ignoreSHA256validation option allows you to run the client for Linux and UNIX computers in a less secure mode. This is intended for use on older platforms that did not include support for SHA-256. This is a security override and is not recommended by Microsoft, but is supported for use in a secure and trusted datacenter environment.
When the Configuration Manager client for Linux and UNIX installs, the install script checks the operating system version. By default, if the operating system version is identified as one that was released without a version of OpenSSL that supports SHA-256, the installation of the Configuration Manager client fails.
To install the Configuration Manager client on Linux and UNIX operating systems that were not released with a version of OpenSSL that supports SHA-256, you must use the install command line switch ignoreSHA256validation. When you use this command line option on an applicable Linux or UNIX operating system, the Configuration Manager client skips SHA-256 validation and, after installation, does not use SHA-256 to sign data that it submits to site systems by using HTTP. For information about configuring Linux and UNIX clients to use certificates, see Planning for Security and Certificates for Linux and UNIX Servers in this topic. For information about requiring SHA-256, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic.
The command line option ignoreSHA256validation is ignored on computers that run a version of Linux or UNIX that was released with a version of OpenSSL that supports SHA-256.
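When you inventory hosts before deciding whether the ignoreSHA256validation override is needed, a capability probe of the installed OpenSSL is more reliable than reading version strings. The following shell functions are an added example, not part of the Configuration Manager install script: they run a known-answer test (SHA-256 of "abc") against an openssl binary and report the result. The function names and the OPENSSL_BIN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: probe an OpenSSL binary for working SHA-256 support.
# Function names and OPENSSL_BIN are assumptions, not Configuration Manager names.

# Known-answer vector: SHA-256("abc") as published in FIPS 180.
SHA256_ABC="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Return 0 if the binary computes SHA-256 correctly, 1 if it cannot,
# 2 if the binary is not found at all.
openssl_supports_sha256() {
    bin="${1:-openssl}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # Builds without SHA-256 reject the -sha256 option and exit non-zero.
    out=$(printf 'abc' | "$bin" dgst -sha256 2>/dev/null) || return 1
    # Output is either the bare digest or "<label>= <digest>"; keep the last field.
    digest=${out##* }
    [ "$digest" = "$SHA256_ABC" ] || return 1
    return 0
}

# Print which situation the host is in. Always returns 0 so it can be
# called from inventory loops without aborting them.
sha256_install_mode() {
    openssl_supports_sha256 "${1:-openssl}" && rc=0 || rc=$?
    case $rc in
        0) echo "sha256-ok" ;;           # standard install, validation stays on
        2) echo "openssl-missing" ;;     # nothing to probe; investigate the host
        *) echo "sha256-unsupported" ;;  # client would run in the less secure mode
    esac
}

# Report the mode for the local host.
sha256_install_mode "${OPENSSL_BIN:-openssl}"
```

Hosts that report sha256-unsupported are the ones where policy signatures and package hashes will not be validated, so they are the ones to track for the trusted-datacenter placement described above.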