OpsMgr: UNIX/Linux Heartbeat Failures After Applying KB2585542
January 12, 2012 10 Comments
The OpsMgr UNIX/Linux monitoring team at Microsoft is currently investigating an issue that results in heartbeat failures on Operations Manager UNIX/Linux agents after the security update KB2585542 is applied to a Management Server or Gateway. This update fixes a vulnerability in SSL/TLS1.0, but appears to cause WS-Management connections to UNIX/Linux agents to fail.
The vulnerability is described in bulletin MS12-006, and more information can be found in the KB article. While we continue to investigate options for resolving this issue, there are two viable workarounds (which must be applied to all Mgmt Servers and Gateways that manage UNIX/Linux agents):
- Uninstall the update KB2585542
- Make a registry modification to disable the SecureChannel changes implemented in the update
Note: the registry modification described here and in the KB article effectively disables the security fix that the update implements, so the modified system is subject to the same vulnerability as an unpatched system.
Modifying the registry to disable the SecureChannel changes:
- A “FixIt” package is available in the KB article under the Known Issues section that can be used to disable the security update
- Alternatively, you can add the 32bit DWORD value:
SendExtraRecord = 2
These changes take effect immediately and do not require a reboot.