After the open source PowerShell Core 6 for Linux became available to download, I wrote an article on it: How to Install and Use Microsoft PowerShell on Linux. This is an addition to that guide. A few of my Linux servers had PowerShell Core installed, along with a few PS modules for management purposes, and I was looking for a way to reach those modules remotely from Windows PowerShell. This is a step-by-step guide to configuring PowerShell remoting on Linux. My Linux distribution is CentOS version 7, a plain vanilla deployment. All the required RPMs are downloaded from the 3 links below; I selected stable versions, and they should be installed in the order given.
1) https://github.com/powershell/powershell
From this link I downloaded powershell-x.x.x-rhel.x.x86_64.rpm, the main PowerShell Core RPM package for Linux.
2) https://github.com/Microsoft/omi/releases/tag/v1.6.0
Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. The homepage is https://github.com/Microsoft/omi. The filename format is omi-x.x.x-x.ssl_xxx.ulinux.x64.rpm. When selecting this package, run openssl version and choose the OMI package that matches your OpenSSL version.
3) https://github.com/PowerShell/psl-omi-provider
This is the last RPM package that must be installed: psrp-x.x.x-xx.universal.x64.rpm. PowerShell Remoting Protocol: PSRP communication is tunneled through the Open Management Infrastructure (OMI) using this OMI provider.
Part 1: Configure PowerShell remoting between Windows and Linux
Part 2: Getting started with Powershell Desired State Configuration (DSC) on Linux
All 3 RPM packages are uploaded to the Linux server with WinSCP, into the /root home folder.
Connect to the Linux system over SSH with PuTTY, then use the command below to change directory.
cd /root
Running ls shows all the uploaded rpm files. Their color must be red, which means they will not get installed as there is no execute permission.
Change the permissions of the rpm files to allow execute.
chmod 777 *.rpm
Running ls again shows the files are good to execute, and the color changes to green.
I need internet access to update the yum repository metadata, which lets yum automatically resolve and install any required dependencies from the internet while installing the RPMs. For this purpose I am configuring a proxy on Linux; this is a temporary proxy setting.
export http_proxy="http://server:port"
export https_proxy="http://server:port"
export ftp_proxy="http://server:port"
Run the command yum update to start the update. I just want the metadata to be updated and don't need the complete packages installed.
I will go ahead with installing the RPM files one by one. First I am installing the major software package, PowerShell Core.
yum install powershell-6.2.0-1.rhel.7.x86_64.rpm
Type y to proceed with the installation. It shows a Complete! message at the end.
The next package is OMI. Note down the certificate location shown during installation, which will be required later. Start the installation using the command below.
yum install omi-1.6.0-0.ssl_100.ulinux.x64.rpm
This is the last package; it should always be installed after the OMI package.
yum install psrp-1.4.1-28.universal.x64.rpm
By default, PSRemoting is enabled on the Linux server after the PowerShell Core installation. It uses HTTPS port 5986; there is no HTTP connection available. I can verify this from a Windows system using the command below.
Test-NetConnection -Computername 192.168.34.13 -Port 5986
On the first run you will see WARNING: TCP connection to server:port failed, with TcpTestSucceeded showing False. This is because the firewall on Linux is blocking the connection. Disable and stop the firewall on Linux with the commands below (this turns off firewalld for every port, not only 5986).
systemctl disable firewalld
systemctl stop firewalld
Run the connection test a second time; it should now show that port 5986 is open.
Use the 3 lines of code below to connect to the Linux server from the Windows system over a PSSession.
#Linux username and password (root)
$credential = Get-Credential root
#Powershell session options skip several checks ie: certificate authority, revocation and common name of certificate
$options = New-PSSessionOption -SkipCACheck -SkipRevocationCheck -SkipCNCheck
#Connect to Linux server using SSL with basic authentication.
Enter-PSSession -ComputerName 192.168.34.13 -Credential $credential -Authentication basic -UseSSL -SessionOption $options
This ends with the error below. To resolve it you will need to use your own SSL certificate; I suspect the certificate file generated during the OMI installation is an older version and doesn't work well. Follow the further steps to resolve it.
Enter-PSSession : Connecting to remote server 192.168.34.13 failed with the following error message : The server certificate on the destination computer (192.168.34.13:5986) has the following errors:
The SSL certificate is expired. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 192.168.34.13 -Credential $credential - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (192.168.34.13:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
I am using a self-signed certificate generated on Windows using OpenSSL; here is my configuration template: download ssl.cnf file here. For more on OpenSSL configuration on your Windows system, see one of my articles, Generate new self-signed certificates for ESXi using OpenSSL. Run the commands below to proceed with the self-signed cert.
openssl genrsa -out omikey.pem 2048
openssl req -new -key omikey.pem -out Request.csr -config ssl.cnf
openssl x509 -req -days 365 -signkey omikey.pem -in Request.csr -out omi.pem -extensions v3_req -extfile ssl.cnf
I have generated my new self-signed certificate PEM files. On Linux, the OMI PEM files are located under /etc/opt/omi/ssl. I will take a backup of the existing certificate files first.
mv /etc/opt/omi/ssl/omikey.pem /etc/opt/omi/ssl/omikey.pem.bak
mv /etc/opt/omi/ssl/omi.pem /etc/opt/omi/ssl/omi.pem.bak
mv /etc/opt/omi/ssl/ssl.cnf /etc/opt/omi/ssl/ssl.cnf.bak
Use WinSCP to upload the newly generated omi.pem, omikey.pem and ssl.cnf (created with OpenSSL on Windows) to the folder /etc/opt/omi/ssl on the Linux server.
Verify in PuTTY that the files were copied successfully, using ls /etc/opt/omi/ssl. The next step is to restart the omiserver and omiengine daemons (services); for your information, you can locate the processes using ps -A | grep omi. For the new SSL certificate to take effect, restart the services with sudo /opt/omi/bin/service_control restart
Running the command below again will this time succeed without any error.
Enter-PSSession -ComputerName 192.168.34.13 -Credential $credential -Authentication basic -UseSSL -SessionOption $options
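The expired-certificate error above can be caught on the Linux side before a client ever connects. The following is an added example, not part of the original article: shell functions that check the uploaded pair for expiry, a key that does not belong to the certificate, and a world-readable key file, then print the SHA-256 fingerprint. The function names are hypothetical, and the default paths are the ones used in this guide.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): checks for the certificate
# and key that OMI serves on port 5986. Function names are hypothetical.
# Usage on the server: source this file, then run check_omi_cert

# True if the certificate is still valid $2 seconds from now (default 30 days).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# True if the private key belongs to the certificate (same public key).
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True if the key file exists and is not readable by "other" users.
key_not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# SHA-256 fingerprint, for comparison with the certificate a client receives.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Runs every check; paths default to the locations used in this guide.
check_omi_cert() {
    local cert=${1:-/etc/opt/omi/ssl/omi.pem}
    local key=${2:-/etc/opt/omi/ssl/omikey.pem}
    local rc=0
    cert_valid_for "$cert" || { echo "FAIL: $cert expired or expires within 30 days"; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
    key_not_world_readable "$key" || { echo "FAIL: $key missing or world-readable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SHA-256 fingerprint $(cert_fingerprint "$cert")"
    return "$rc"
}
```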