Monitoring machines using Certificates with Operations Manager 2007 R2 - Part 2
In part 1 we discussed the scenarios in which SCOM needs certificates for agent-to-server communication, and we configured a certificate template for SCOM. In this part we request certificates for the management and gateway servers and deploy a gateway server. At the end we also cover the steps for monitoring machines in a WORKGROUP.
Download and Import trusted Root (CA) Certificate
Open a browser to https://<servername>/certsrv, where <servername> is the name of the server running Certificate Services. On the Welcome page click Download a CA certificate, certificate chain, or CRL.
Save the certificate. To import it, open MMC, select Add/Remove Snap-in from the File menu, add the Certificates snap-in and choose Computer account (not My user account, or the certificate lands in the wrong store).
Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates and use All Tasks > Import to import the trusted root (CA) certificate.
Configuring the certificate template for SCOM was already covered in part 1.
Request a certificate for SCOM/Gateway server
1) Open a browser to https://<servername>/certsrv again. On the Select a task page click Request a certificate.
2) On the Request a Certificate page, select advanced certificate request.
3) On the Advanced Certificate Request page, select Create and submit a request to this CA.
4) In Certificate Template, select from the drop-down the certificate template that we configured in part 1 of the series.
5) Give the FQDN of the SCOM server or gateway server as the Name (this becomes the certificate subject, which is what MOMCertImport matches on later), and enter the same FQDN in Friendly Name at the bottom of the page.
A certificate has to be requested and installed on both the management server and the gateway server, each with its own FQDN as subject.
Installation of Gateway server
On the gateway server, open the SCOM media and click Install Operations Manager 2007 R2 Gateway. Enter the management group name and the management server FQDN.
For the Gateway Action Account there are two options: Local System or a domain account.
Click Next and wait for the installation to complete.
Registering Gateway server with Management group using gateway approval tool
Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager 2007 installation directory on the root management server (the tool is run there, not on the gateway).
Open a Command Prompt window and navigate to the \Program Files\System Center Operations Manager 2007 directory.
The syntax of the command is Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
Importing Certificates with the MOMCertImport.exe Tool
The certificate has to be imported with this tool on both the management server and the gateway server, each against its own certificate.
At a command prompt navigate to \SupportTools\<platform> (i386 or ia64) on the media.
Run momcertimport.exe /SubjectName <certificate subject name>, where the subject name is the FQDN you put in the request.
With this I was able to monitor machines in a non-trusting domain using a gateway server and certificates. To confirm everything is good, there is one thing you can check.
Open the certificate you installed on the management/gateway server, click the Details tab and note the Serial Number.
Then navigate to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and look at the value ChannelCertificateSerialNumber. It is a binary value holding the same serial number with its bytes in reverse order, so the pairs of hex digits should read backwards compared with the Details tab.
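The registry check above done in PowerShell, as an added example that is not part of the original post. It finds the certificate for a given FQDN in the local computer's Personal store, checks that it has a private key and has not expired, and compares the byte-reversed serial number with ChannelCertificateSerialNumber. The only assumption is that the certificate subject is CN=<FQDN>; $fqdn defaults to this machine's FQDN.

```powershell
# Added example (not from the original post): verify that the certificate SCOM
# will use for its channel is the one MOMCertImport recorded in the registry.
# Assumption: the certificate subject is CN=<FQDN> and it was imported into
# the Local Computer's Personal store.
param([string]$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

# The certificate as shown in the Details tab; SerialNumber is the hex string in display order.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject CN=$fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate CN=$fqdn has no private key; SCOM cannot use it" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate CN=$fqdn expired on $($cert.NotAfter)" }

# ChannelCertificateSerialNumber is REG_BINARY and holds the serial with its byte order reversed.
$regBytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber
$regHex   = ($regBytes | ForEach-Object { $_.ToString('X2') }) -join ''

# Reverse the certificate serial byte-wise (pairs of hex digits), not character-wise.
$pairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
[array]::Reverse($pairs)
$expectedHex = ($pairs -join '').ToUpper()

if ($regHex -eq $expectedHex) {
    Write-Host "OK: registry serial $regHex is certificate serial $($cert.SerialNumber) reversed"
} else {
    Write-Warning "MISMATCH: registry has '$regHex', expected '$expectedHex'. Re-run momcertimport.exe /SubjectName $fqdn and restart the Health Service."
}
```

Run it on the management server and on each gateway. A mismatch usually means MOMCertImport was run against an older certificate with the same subject (the script deliberately picks the one with the latest NotAfter), or that the certificate was imported into the current user's store instead of the local computer's.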
Further, I can configure multiple gateway servers for agents to fail over between, and multiple management servers for the gateways to fail over to. This is done with PowerShell and is covered in the blog.
Monitoring Workgroup machines using certificates
Now we will discuss how to monitor machines that are in a workgroup. I have outlined this in a few steps:
Name resolution between the SCOM server and the workgroup server can be done with the hosts file located at C:\Windows\System32\drivers\etc (add an entry on the workgroup server for the management or gateway server, and vice versa if needed).
Make sure TCP port 5723 is open from the workgroup server to the management server. You can telnet to port 5723 to confirm.
Install the SCOM agent manually on the workgroup server and add the certificate afterwards. Copy the AGENT folder from the SCOM media, run the MSI matching the OS (32- or 64-bit), specify the management group and the SCOM server name, and complete the installation.
Follow Download and Import trusted Root (CA) Certificate at the beginning of this post to download and import the CA certificate on the workgroup server. The CA certificate must go into the Trusted Root Certification Authorities store of the local computer. This assumes the workgroup server can reach https://<servername>/certsrv in a browser.
The next step is to get a certificate for the workgroup server. Part 1 covered how to configure the certificate template for SCOM; follow Request a certificate for SCOM/Gateway server above, from the workgroup server's browser, to request the certificate. You need an account in the SCOM server's domain that is allowed to enroll for that template. While requesting the certificate, give the FQDN of the workgroup server as the name (subject) and in FRIENDLY NAME.
By default the certificate is installed in the Personal store of the current user. Open MMC, export the certificate (including its private key) from the current user store to a file, then import it into the Personal store of the Local Computer.
Importing Certificates with the MOMCertImport.exe Tool
Copy MOMCertImport.exe from the SCOM support tools to the workgroup server.
At a command prompt navigate to the copied \SupportTools\<platform> folder (i386 or ia64).
Run momcertimport.exe /SubjectName <certificate subject name>, using the FQDN of the workgroup server.
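The workgroup steps above (hosts entry, port check, moving the certificate from the user store to the computer store, MOMCertImport) scripted in PowerShell, as an added example that is not part of the original post. It is meant to run on the workgroup server after the agent MSI has been installed and the CA certificate has been imported. All values at the top are assumptions to replace with your own, and the certificate's private key must be exportable for the store move to work (if the template does not allow that, request the certificate from the Local Computer context instead).

```powershell
# Added example (not from the original post): prepare a workgroup server for
# certificate-based monitoring. Run as administrator after the agent is installed.
# Assumed values, replace with your own:
$mgmtServer   = 'scom01.corp.example'        # management or gateway server FQDN
$mgmtServerIp = '10.0.0.10'                  # its IP, since the workgroup box has no DNS for it
$fqdn         = 'wg-srv01.example'           # this server's FQDN = subject CN of the issued cert
$supportTools = 'C:\Temp\SupportTools\i386'  # MOMCertImport.exe copied from the media

# 1. Name resolution without DNS: add a hosts entry only if one is missing.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern "\b$([regex]::Escape($mgmtServer))\b" -Quiet)) {
    Add-Content -Path $hosts -Value "$mgmtServerIp`t$mgmtServer"
}

# 2. TCP 5723 must be reachable (same check as telnet, without needing the telnet client).
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($mgmtServer, 5723); Write-Host "TCP 5723 to $mgmtServer is open" }
catch   { throw "Cannot reach $mgmtServer on TCP 5723: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. Web enrollment put the certificate in CurrentUser\My; SCOM needs it in LocalMachine\My
#    with the private key persisted in the machine key set. Export to an in-memory PFX and re-import.
$src = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $src) { throw "No certificate with a private key for CN=$fqdn in CurrentUser\My" }

$pfxPwd = [Guid]::NewGuid().ToString()   # throwaway password; the PFX bytes never touch disk
$pfx = $src.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPwd)

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$dst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$dst.Import($pfx, $pfxPwd, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($dst)
$store.Close()
Write-Host "Imported CN=$fqdn (thumbprint $($dst.Thumbprint)) into LocalMachine\My"

# 4. Point the agent at the certificate, then restart the agent service so it picks it up.
& "$supportTools\MOMCertImport.exe" /SubjectName $fqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe failed with exit code $LASTEXITCODE" }
Restart-Service HealthService
```

Once the agent has restarted it shows up under Pending Management on the management server (next section). If you prefer to keep the original copy out of the user store entirely, delete it from Cert:\CurrentUser\My after the import so only the machine-bound private key remains.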
Process Manual Agent Installations in Operations Manager 2007
On your SCOM server configure the security setting for manually installed agents. Set it to Review new manual agent installations in pending management view, with or without Auto-approve new manually installed agents depending on your security policy; leaving auto-approve off lets you vet each manually installed agent before it is admitted to the management group. Refer to the article for more details.
Thanks for reading!!
Comments
Anonymous
January 01, 2003
Hi Rohit, thanks for the second part! Peter Forster, Microsoft MVP 2002-2011
Anonymous
August 29, 2014
How to renew the trusted Root (CA) certificate if it is going to expire?