Document sample shared on docstoc by Foxxy Brown, posted 2/18/2009 (English, 9 pages)
Certificates in SCOM 07

How to work with certificates in SC Operations Manager 2007

(Gateway server setup)





Published: 27.2.2007

Document revision: 1.0

Author:

Ondrej Vysek – Microsoft MVP – Windows Server System MOM

How to work with certificates in SC Operations Manager





Introduction............................................................................................................................................. 3

Standalone Root CA................................................................................................................................. 3

Configuring Standalone root CA to support Operations Manager 2007 certificates .......................... 3

Submitting certificate request to the CA............................................................................................. 3

Enterprise Root CA .................................................................................................................................. 4

Configuring Enterprise Root CA to support SCOM certificates ........................................................... 4

Submitting certificate request to the CA............................................................................................. 6

Move certificate from the “user private store” to the “computer private store” .................................. 7

Configure SC OpsMgr 2007 for using certificates.................................................................................... 7

Exporting certificate from the computer private store ................................................................... 7

Importing certificate using momcertimport tool ............................................................................ 7

Use Gateway approval tool on the RMS ......................................................................................... 8

Installing agents behind Gateway server ................................................................................................ 8

Additional resources................................................................................................................................ 8

Feedback ................................................................................................................................................. 8

Many thanks ............................................................................................................................................ 9









SCOM 2007 http://management.infinity.cz http://momresources.org Page 2

Introduction

An Operations Manager 2007 Gateway Server allows Operations Manager 2007 to discover target

computers across untrusted domains and provides communication between the target computer and

the Root Management Server or Management Server. Certificates are used to encrypt the data

between the Root Management Server or Management Server and the Gateway Server.

Mutual authentication between an agent and either a Gateway Server, Management Server, or Root

Management Server, or between a Gateway Server and either a Management Server or Root

Management Server can be achieved if certificates are installed on both sides of the connection.

For successful authentication between computers you need a certificate that supports both of these authentication types, identified by the following object identifiers (OIDs):

- Server Authentication (OID 1.3.6.1.5.5.7.3.1)

- Client Authentication (OID 1.3.6.1.5.5.7.3.2)



For an Operations Manager 2007 Gateway server or a standalone agent to function properly you need the following certificates:

- A certificate for the RMS, where the Name (CN) of the certificate must be the FQDN (fully qualified domain name) of the server

- A certificate for the Gateway server (or standalone agent), where the Name (CN) of the certificate must be the FQDN (fully qualified domain name) of the server

- The CA’s root certificate imported on both computers

CA configuration differs depending on which CA you have implemented in your environment. The following chapters describe how to configure and use a Standalone or an Enterprise Root CA.





Standalone Root CA



Configuring Standalone root CA to support Operations Manager 2007 certificates

You don’t need any special configuration of the CA.



Submitting certificate request to the CA

1. Click Start, click Run, and then type http:///certsrv.

2. Enter the Domain Admins account name and password if prompted.

3. On the Certificate Services Web page, under Select a task, click Request a certificate.

4. Click Advanced certificate request.

5. Click Create and submit a request to this CA.

6. In the “Type of certificate needed:” combo box select Other

7. In the Name field, type the FQDN of the RMS server (or Gateway server)

8. In the OID field, type “1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2” without the quotation marks

a. 1.3.6.1.5.5.7.3.1 means Server Authentication

b. 1.3.6.1.5.5.7.3.2 means Client Authentication

9. Select the “Mark key as exportable” check box (see fig. 1)

10. Click the Submit button to submit your request to the CA and follow the instructions on the screen

11. After submission you get a link to the certificate. Click the link, install the certificate and follow the instructions on the screen

12. You can verify the certificate by following these steps:




a. Click Start, click Run, type mmc, and then press ENTER.

b. On the File menu, click Add / Remove Snap-in.

c. Click Add.

d. Select “Certificates” snap-in and click Add.

e. Select “My user account” and click Finish.

f. Select “Local computer” and click Finish, click Close to close the snap-in list, and click OK to close the “Add/remove snap-in” window

g. Expand “Certificates – current user” > “Personal” > “Certificates” and select your server certificate

h. Double-click the certificate and select the “Details” tab

i. Scroll down, find and select “Enhanced key usage”; in the lower pane you must see

i. Client Authentication (1.3.6.1.5.5.7.3.2)

ii. Server Authentication (1.3.6.1.5.5.7.3.1)

Repeat all these steps to get certificates for both the RMS and the Gateway server; only the FQDN changes to the specific server name.

Fig 1 (screenshot referenced in step 9; image not reproduced)

Enterprise Root CA



Configuring Enterprise Root CA to support SCOM certificates

Configuring the Enterprise Root CA requires more steps before you can get certificates for SCOM:



1. Log on to the enterprise subordinate CA server with Domain Admins credentials.





2. Click Start, click Run, type mmc, and then press ENTER.

3. On the File menu, click Add / Remove Snap-in.

4. Click Add.

5. In Add Standalone Snap-in, click Certificate templates, and then click Add.

6. Click Certification Authority, and then click Add.

7. In Certification Authority, accept the default option: Local computer (the computer this console is

running on).

8. Click Finish.

9. Click Close and then click OK.

10. In the Certification Authority MMC, in the console pane, verify that the Certificate Templates and

Certification Authority snap-ins appear.

11. Click Certificate Templates.

12. In the details pane, right-click the Computer template and click Duplicate Template.

13. On the General tab, change the template name to a meaningful name for your organization (e.g. OpsMgr2007). In Validity period, verify that the validity period meets your organization’s requirements.

14. Click the Request Handling tab, and click Allow private key to be exported.

15. Click the Subject name tab, and then click Supply in the Request option.

16. Click the Security tab.

17. Grant Enroll and Auto enroll permissions for the following groups in all domains: Authenticated

users, Domain Admins, Domain Computers, and Enterprise Admins.

18. Click Apply, and then click OK.

19. To verify settings expand Certificate Templates.

20. In the details pane, right-click the template that you configured, click Properties, verify your

settings, and then click OK.

21. Expand Certification Authority (local), and expand your CA.

22. In the console tree, right-click Certificate Templates, point to New, and then click Certificate

Template to Issue.

23. Select the new template and then click OK.

24. Verify that the new template appears in the details pane and under Intended Purpose, verify that

Server Authentication, Client Authentication appears.

25. Close the MMC snap-in.

26. Click Start, click Run, and type gpupdate /force, and then press ENTER.

27. This forces an update of the Group Policy on the domain controller and replicates these

changes throughout the forest.



28. Click Start, click Run, and then type http:///certsrv.

29. Enter the Domain Admins account name and password if prompted.

30. On the Certificate Services Web page, under Select a task, click Request a certificate.

31. Click Advanced certificate request.

32. Click Create and submit a request to this CA.

33. Verify that your new certificate template appears in the Certificate template list.










Submitting certificate request to the CA

1. Click Start, click Run, and then type http:///certsrv.

2. Enter the Domain Admins account name and password if prompted.

3. On the Certificate Services Web page, under Select a task, click Request a certificate.

4. Click Advanced certificate request.

5. Click Create and submit a request to this CA.

6. In the “Certificate Template” combo box select the template name which you configured in the previous chapter

7. In the Name field, type the FQDN of the RMS server (or Gateway server)

8. Select the “Mark key as exportable” check box (see fig. 2)

Fig 2 (screenshot referenced in step 8; image not reproduced)


9. Click the Submit button to submit your request to the CA and follow the instructions on the screen

10. After submission you get a link to the certificate. Click the link, install the certificate and follow the instructions on the screen

11. You can verify the certificate by following these steps:

a. Click Start, click Run, type mmc, and then press ENTER.

b. On the File menu, click Add / Remove Snap-in.

c. Click Add.

d. Select “Certificates” snap-in and click Add.

e. Select “My user account” and click Finish.

f. Select “Local computer” and click Finish, click Close to close the snap-in list, and click OK to close the “Add/remove snap-in” window

g. Expand “Certificates – current user” > “Personal” > “Certificates” and select your server certificate

h. Double-click the certificate and select the “Details” tab



i. Scroll down, find and select “Enhanced key usage”; in the lower pane you must see

i. Client Authentication (1.3.6.1.5.5.7.3.2)

ii. Server Authentication (1.3.6.1.5.5.7.3.1)

Repeat all these steps to get certificates for both the RMS and the Gateway server; only the FQDN changes to the specific server name.
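The verification in step 11 (and the identical steps in the Standalone Root CA chapter) can also be done from PowerShell. This added script is not part of the original document; it assumes the certificate is still in the current user store (pass the computer store path after the move described in the next chapter) and that the host’s own FQDN is the name you typed into the request.

```powershell
# Added example, not part of the original document. It lists every certificate
# in the chosen store and checks the OpsMgr 2007 requirements described above:
# CN equal to the server FQDN, both EKU OIDs, a private key, and a chain that
# ends in a CA root certificate this computer trusts.
param(
    # Assumption: the certificate is still in the user store at this point;
    # pass 'Cert:\LocalMachine\My' once it has been moved to the computer store.
    [string]$StorePath = 'Cert:\CurrentUser\My',
    # Assumption: the FQDN of this host is the name typed into the request.
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$noRevocation = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$results = foreach ($cert in Get-ChildItem -Path $StorePath) {
    # Collect the OIDs shown under "Enhanced key usage" on the Details tab
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # Build the chain without revocation checking: this proves only that the
    # CA root certificate was imported into the trusted store, nothing more.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $noRevocation
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        CnIsFqdn      = ($cert.GetNameInfo($nameType, $false) -ieq $Fqdn)
        ServerAuth    = ($ekus -contains $serverAuthOid)
        ClientAuth    = ($ekus -contains $clientAuthOid)
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted  = $chain.Build($cert)
        NotAfter      = $cert.NotAfter
    }
}

$results | Format-Table Thumbprint, CnIsFqdn, ServerAuth, ClientAuth, HasPrivateKey, ChainTrusted, NotAfter -AutoSize
$usable = @($results | Where-Object {
    $_.CnIsFqdn -and $_.ServerAuth -and $_.ClientAuth -and $_.HasPrivateKey -and $_.ChainTrusted })
if ($usable.Count -gt 0) {
    "Certificate(s) meeting all OpsMgr requirements for ${Fqdn}: $($usable | ForEach-Object { $_.Thumbprint })"
} else {
    "No certificate in $StorePath meets all OpsMgr requirements for $Fqdn"
}
```

A certificate that shows ChainTrusted as False usually means the CA root certificate was not imported on this computer, which is the third prerequisite listed in the Introduction.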





Move certificate from the “user private store” to the “computer private store”

1. Click Start, click Run, type mmc, and then press ENTER.

2. On the File menu, click Add / Remove Snap-in.

3. Click Add.

4. Select “Certificates” snap-in and click Add.

5. Select “My user account” and click Finish.

6. Leave “Certificates” selected and click Add.

7. Select “Computer Account” and click Finish.

8. Select “Local computer” and click Finish, click Close to close the snap-in list, and click OK to close the “Add/remove snap-in” window

9. Expand “Certificates – current user” > “Personal” > “Certificates” and select your server certificate

10. Expand “Certificates (local computer)” > “Personal” > “Certificates” and use drag and drop to move the certificate from the user store to the computer store

11. To verify, expand “Certificates (local computer)” > “Personal”, select “Certificates” and you must see the certificate you moved.









Configure SC OpsMgr 2007 for using certificates

Exporting certificate from the computer private store

1. Click Start, click Run, type mmc, and then press ENTER.

2. On the File menu, click Add / Remove Snap-in.

3. Click Add.

4. Leave “Certificates” selected and click Add.

5. Select “Computer Account” and click Finish.

6. Select “Local computer” and click Finish, click Close to close the snap-in list, and click OK to close the “Add/remove snap-in” window.

7. Expand “Certificates (local computer)” > “Personal” > “Certificates” and select the proper certificate.

8. Right-click the certificate, select “All tasks” and then “Export”.

9. Click Next.

10. Select “Do not export private key” and click Next.

11. Select “DER encoded binary X.509 (.cer)” and click Next.

12. Type a filename (e.g. C:\RMS.cer) and click Next.

13. Click Finish.

14. Repeat all these steps for the RMS and the Gateway server.
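The same export can be done without the wizard. This added PowerShell script is not part of the original document; it assumes the certificate is already in the computer store with CN equal to this host’s FQDN and uses the output path from step 12.

```powershell
# Added example, not part of the original document. Exports the public part of
# the server certificate from the computer store as DER encoded X.509 (.cer),
# which is what steps 10 to 12 above produce through the MMC export wizard.
param(
    # Assumption: the certificate CN is this host's FQDN (see the request steps).
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    # Output path taken from step 12 of the procedure above.
    [string]$OutFile = 'C:\RMS.cer'
)
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.GetNameInfo($nameType, $false) -ieq $Fqdn } |
    Sort-Object NotAfter -Descending)
if ($candidates.Count -eq 0) {
    throw "No certificate with a private key for $Fqdn in LocalMachine\My"
}
$cert = $candidates[0]   # the newest one if the request was repeated

# X509ContentType.Cert exports only the certificate, never the private key,
# so the resulting file is safe to copy to the other side of the connection.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Read the file back and confirm it is the same certificate and carries no key
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($check.Thumbprint -ne $cert.Thumbprint -or $check.HasPrivateKey) {
    throw "Exported file does not match the selected certificate"
}
"Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $OutFile, $($der.Length) bytes, no private key"
```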



Importing certificate using momcertimport tool

The MOMCertImport tool is used to put the serial number of the specific certificate into the registry.



1. On the Windows desktop, click Start, and then click Run.



2. In the Run dialog box, type cmd and then click OK.

3. At the command prompt, type : (where is the drive where the

Operations Manager 2007 installation media is located) and then press ENTER.

4. Type cd\SupportTools\i386 and then press ENTER.

5. Type the following:

6. MOMCertImport

7. Press ENTER.

8. Restart the OpsMgr Health service.

9. Repeat all these steps for the RMS and the Gateway server.



Use Gateway approval tool on the RMS

1. Log on to the computer with an account that is a member of the Administrators group.

2. On the Windows desktop, click Start, and then click Run.

3. In the Run dialog box, type cmd and then click OK.

4. At the command prompt, type cd\ and then press ENTER.

5. Type the following:

Microsoft.EnterpriseManagement.GatewayApprovalTool

/ManagementServerName=FQDN_name /GatewayName=gateway_server_FQDN_name

6. Press ENTER.







Installing agents behind Gateway server

Installing agents that communicate with Operations Manager 2007 via a Gateway server is similar to the usual installation (MSI file installation only).

When installing the agent software from the MSI file, type the Gateway server FQDN as the management server. In the Operations Manager 2007 console you will see the Gateway server as the management server.

The Gateway role has a dependency on access to Active Directory, so stand-alone servers cannot function in the gateway role. The Operations Manager 2007 agent is the only component that can be installed without the AD dependency.

If the agent computer is not part of any domain, or if you have only a small number of computers in the untrusted domain, you can use certificates (mutual authentication) on the agent computers and the RMS to start monitoring without a Gateway server. In that case connect the computers directly to the RMS.





Additional resources

LCS 2005 Certificate Configuration :



http://office.microsoft.com/search/redir.aspx?AssetID=DC011586001033&CTT=5&Origin=HA011526621033



Operations Manager 2007 help file





Feedback

I hope you find this article helpful. Your feedback is always welcome and appreciated at Ovysek (at) infinity.cz





Many thanks

To Pete Zerger and Anders Bengtsson for reviews and notes








