Share via


How to Configure Certficates for ACS Collector and Forwarder

 

Updated: May 13, 2016

Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager

When the Audit Collection Service (ACS) Forwarder is located in a domain separate from the domain where the ACS Collector is located, and no two-way trust exists between the two domains, certificates must be used so that authentication can take place between the ACS Forwarder and the ACS Collector.

Before you configure certificates, ensure that the following actions have been completed:

The following is a high-level overview of the steps that need to be performed to use certificates with ACS.

Important

Certificates used on various components in Operations Manager (for example, ACS Collector, ACS Forwarder, agent, gateway server, or management server) must be issued by the same CA.

On the computer hosting the ACS Collector:

  • Run ADTServer -c.

  • Map the ACS Forwarder Certificate in Active Directory.

  • In the Operations console, enable ACS.

On the computer hosting the ACS Forwarder:

  • Export the certificate to a disk, USB flash drive, or network share.

  • Run ADTAgent -c.

To assign a certificate to the ACS Collector

  1. On the Windows desktop, click Start, and then click Run.

  2. In the Run dialog box, type cmd, and then click OK.

  3. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the operating system is installed), and then press ENTER.

  4. Type cd %systemroot%, and then press ENTER.

  5. Type cd system32\security\adtserver, and then press ENTER.

  6. Type net stop adtserver, and then press ENTER.

  7. Type adtserver -c, and then press ENTER.

  8. In the numbered list of certificates, find the certificate used for Operations Manager, type the number in the list (should be 1), and then press ENTER.

  9. Type net start adtserver and then press ENTER.

To configure named mapping to the certificate

  1. Log on to the computer hosting Active Directory.

  2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Expand the domain name, right-click Computers, point to New, and then click Computer.

  4. In the New Object - Computer dialog box, enter the NetBIOS name of the computer that is hosting the ACS Forwarder, and then click Next. Repeat this step for every computer that hosts an ACS Forwarder.

  5. In the Managed dialog box, ensure that This is a managed computer is not selected, and then click Next.

  6. In the New Object - Computer dialog box, click Finish.

  7. In Active Directory Computers and Users, in the right pane, right-click the computer (or computers) you added, and then click Name Mappings.

  8. In the Security Identity Mapping dialog box, click X.509 Certificates, and then click Add.

  9. In the Add Certificate dialog box, click the Look in menu, select the location where the exported certificate is located, and then click Open.

  10. In the Add Certificate dialog box, ensure that Use Subject for alternate security identity is selected, and then click OK.

  11. In the Security Identity Mapping dialog box, click OK.

  12. Repeat steps 4–11 for each computer you have added.

After you complete these procedures, you need to enable the ACS Forwarders. For more information, see How to Enable Audit Collection Services (ACS) Forwarders.

To export the certificate

  1. On the Windows desktop, click Start, and then click Run.

  2. In the Run dialog box, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  6. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, select Local computer (the computer this console is running on), and then click Finish.

  8. In the Add Standalone Snap-in dialog box, click Close.

  9. In the Add/Remove Snap-in dialog box, click OK.

  10. In the Console Root\Certificates (Local Computer) pane, expand Certificates (Local Computer), expand Personal, and then click Certificates.

  11. In the results pane, right-click the certificate you are using for Operations Manager, point to All Tasks, and then click Export.

  12. In the Certificate Export Wizard, on the Welcome page, click Next.

  13. On the Export Private Key page, select No, do note export the private key, and then click Next.

  14. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

  15. On the File to Export page, click Browse.

  16. On the Save As page, select a folder and file name for the certificate, ensure that the Save as type is set to DER Encoded Binary X.509 (*.cer), and then click Save.

    Note

    You will need to copy this certificate to the computer hosting the ACS Collector, so choose a location that the ACS Collector can read from, or consider saving the certificate to a disk, USB flash drive, or network share. In addition, it is recommended that you include the computer name in the file name if you are exporting certificates from more than one computer.

  17. On the File to Export page, ensure that the path and file name are correct, click Next, and then click Finish.

To run the adtagent command

  1. On the Windows desktop, click Start, and then click Run.

  2. In the Run dialog box, type cmd, and then click OK.

  3. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operating System is installed), and then press ENTER.

  4. Type cd %systemroot% and then press ENTER.

  5. Type cd system32 and then press ENTER.

  6. Type adtagent -c and then press ENTER.

  7. You will see a numbered list of certificates. Find the certificate used for Operations Manager, type the number in the list (should be 1), and then press ENTER.

  8. Type exit to close the command window.