Operations Manager - Certificates from Concept to Deployment
The following is a "mini-guide" I developed to help understand, obtain and troubleshoot OpsMgr communication using certificates. This information is based on my experience (+struggle!) and understanding of the use of certificates to authenticate and process data flow for OpsMgr 2007 and 2012. This guide contains information about:
- OpsMgr Certificates Overview and Concepts
- How to obtain an OpsMgr certificate from Win2008 Enterprise CA
- Gateway approval process to initiate communication from MS to Gateway (OpsMgr 2012 only)
- Sample screenshot of a valid OpsMgr certificate
-------------------------------------------------------------------------------------------------------------------
OpsMgr Communication Using Certificates
Overview
Communication between OpsMgr computers (MS, GTW, Agents) in untrusted domains is done through certificates, so each computer needs its own OpsMgr certificates. OpsMgr uses 2 certificates on each computer; only one must be provided by a trusted authority:
OpsMgr Certificate X.509 (generated by a trusted authority)
This certificate is located in the Local Computer / Personal / Certificates Container
OpsMgr Self-Signed Certificate (auto-generated by MOMCertImport or agent restart)
This certificate is located in the Local Computer / Operations Manager / Certificates Container
OpsMgr Certificate Requirements
All servers involved in certificate authentication must trust the certificate authority from which the certificate originates: they must have the CA root chain in their Trusted Root Certification Authorities store. (It does not have to be the same Root CA, but the Root CA must be trusted by both source and target.)
Each computer must have its own certificate loaded in the Local Computer Personal store. (See sample screenshot in Appendix)
Must include the Private Key
Subject Name must match the computer FQDN (CN=<ServerName>)
Must be trusted all the way to the root (Chain)
Certificate configuration options:
The hash algorithm does not need to be the same between source and target. (Ex. SHA1 on the MS and SHA256 on the GTW works)
Key size can be 2048 or 4096
Does not appear to validate against the CRL: even if the CRL distribution point is not available, the certificate loads successfully. (Also tried clearing the CRL certificate cache)
OpsMgr Self-Signed Certificate Requirements
If the OpsMgr Self-Signed Cert (MOMCertImport) is not present, data flow is not processed
OpsMgr Self-Signed certificate is not used for authentication.
MOMCertImport seems to be an optional task, as restarting the agent also generates the OpsMgr self-signed certificate
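The requirements above are easy to get subtly wrong (a certificate with a matching CN but no private key, or an EKU list missing Client Authentication, looks fine in the MMC at a glance). The following PowerShell function is an added example, not part of the original guide, that checks a certificate in Local Computer\Personal against each listed requirement and reports whether the Operations Manager store holds the self-signed certificate. The function name is mine; the EKU OIDs and store names come from the guide. It assumes PowerShell 3.0 or later on the server being checked and sets revocation checking to NoCheck, mirroring the observation that OpsMgr does not appear to validate the CRL.

```powershell
# Added example (not from the original guide): validate the OpsMgr certificate
# requirements on the local computer. Function name is hypothetical.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (from the .inf in the guide)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (from the .inf in the guide)

function Test-OpsMgrCertificate {
    param(
        # FQDN the Subject CN must match; defaults to this computer's FQDN
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    )

    $allOk = $true

    # Requirement: each computer has its own certificate in Local Computer\Personal
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" }
    if (-not $candidates) {
        Write-Warning "No certificate with CN=$Fqdn found in Local Computer\Personal"
        $allOk = $false
    }

    foreach ($cert in $candidates) {
        Write-Host "Checking $($cert.Thumbprint) ($($cert.Subject))"

        # Requirement: must include the private key
        if (-not $cert.HasPrivateKey) { Write-Warning '  Missing private key'; $allOk = $false }

        # Not listed in the guide, but a common cause of a sudden failure
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "  Expired on $($cert.NotAfter)"; $allOk = $false }

        # Requirement (from the template/.inf): EKU must contain Server and Client Authentication
        $ekus = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
            if ($ekus -notcontains $oid) { Write-Warning "  Missing EKU $oid"; $allOk = $false }
        }

        # Option noted in the guide: key size 2048 or 4096 (warn only)
        if ($cert.PublicKey.Key -and ($cert.PublicKey.Key.KeySize -notin 2048, 4096)) {
            Write-Warning "  Unexpected key size $($cert.PublicKey.Key.KeySize)"
        }

        # Requirement: trusted all the way to the root; CRL not checked, as the guide observes
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $chain.ChainStatus | ForEach-Object { Write-Warning "  Chain: $($_.StatusInformation.Trim())" }
            $allOk = $false
        }
        $chain.Reset()
    }

    # Requirement: the self-signed certificate created by MOMCertImport (or an agent restart)
    $omStore = Get-ChildItem 'Cert:\LocalMachine\Operations Manager' -ErrorAction SilentlyContinue
    if (-not $omStore) {
        Write-Warning 'Operations Manager store is empty: run MOMCertImport or restart the agent'
        $allOk = $false
    }

    return $allOk
}

# Usage: run on the MS, GTW or agent being checked
Test-OpsMgrCertificate
```

Run it on both ends of a failing MS/GTW link; a $false on one side together with the chain warnings usually points at the untrusted-root case described above.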
Obtaining a Certificate from Win2008 Enterprise CA
This section is based on the following TechNet article with some additional details to help simplify the process
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA
https://technet.microsoft.com/en-us/library/hh467900.aspx
Create an OpsMgr Certificate Template (Enterprise CA)
Download and Import Trusted Root (CA) Certificate (and Sub CA)
Request OpsMgr Certificate
Import OpsMgr Certificate
Create an OpsMgr Certificate Template (Enterprise CA)
Note: PKI Administrator privileges are required to perform the following steps.
To create a certificate template
On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.
In the Certificate Templates console, in the results pane, right-click IPsec (Offline request), and then click Duplicate Template.
In the Duplicate Template dialog box, select
- Windows Server 2008 Enterprise Edition
In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template; for example, <OpsMgrCert>.
On the Request Handling tab, select Allow private key to be exported.
Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.
In the Edit Application Policies Extension dialog box, click OK.
Click the Security tab and ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK.
Close the Certificate Templates console.
To add the template to the Certificate Templates folder
On the computer that is hosting your Enterprise CA, in the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
In the Enable Certificate Templates box, select the certificate template that you created
Ex: OpsMgrCert
Click OK.
Download and Import Trusted Root (CA) Certificate (and Sub CA)
To download the Trusted Root (CA) certificate
Log on to a host in the domain. (Any)
Start Internet Explorer, and connect to the computer hosting Certificate Services.
Ex.: https://<PKIServerName>/CertSrv
On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
In the File Download dialog box, click Save and save the certificate
Ex.: TrustedRootCert.p7b
When the download has finished, close Internet Explorer.
To import the Trusted Root (CA) certificate
Log on to the host into which you want to import the Root CA certificate.
Click Start, and then click Run.
In the Run dialog box, type mmc, and then click OK.
In the Console1 window, click File, and then click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
In the Certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
Right-click Certificates, select All Tasks, and then click Import.
In the Certificate Import Wizard, click Next.
On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example: TrustedRootCert.p7b, select the file, and then click Open.
On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
On the Completing the Certificate Import Wizard page, click Finish.
Note: Perform this import on each computer that needs a certificate.
Request OpsMgr Certificate
To create a setup information (.inf) file
Click Start, and then click Run.
In the Run dialog box, type Notepad, and then click OK.
Create a text file containing the following content (replace the Subject placeholder with the FQDN of the computer you are creating the certificate for, for example the gateway server or management server):
[NewRequest]
Subject="CN=<FQDN of the computer you are creating the certificate for>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
Save the file with an .inf file name extension. Ex.: OpsMgrTemplate.inf
Close Notepad.
To create a request file to use with an enterprise CA
Note: The CertReq command MUST BE PERFORMED on the computer the certificate needs to be installed on. (Each computer must have its own certificate: MS, GTW, Agent.)
On the host you need a certificate for, copy the .inf file created in the previous section and update the subject.
In a command window, type:
CertReq -New -f OpsMgrTemplate.inf Server1.req
To submit a request to an enterprise CA
Note: Request can be submitted manually or using the Web Interface, choose the one you prefer from any host in the domain.
Manually submitting a request:
CertReq -submit -attrib certificatetemplate:OpsMgrCert Server1.req
Submitting a request using the Web interface:
Log on to a host in the domain. (Any)
Start Internet Explorer, and connect to the computer hosting Certificate Services.
Ex.: https://<PKI>/CertSrv
On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
On the Request a Certificate page, click advanced certificate request.
On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the request file from the previous procedure. Ex.: Server1.req
In the Certificate Template select the certificate template that you created
Ex.: OpsMgrCert
Then click Submit.
On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
In the File Download – Security Warning dialog box, click Save, and save the certificate
Ex.: Server1.cer
Close Internet Explorer.
Note: Request a certificate for each MS, GTW and untrusted Agent server.
Import OpsMgr Certificate
To import the certificate into the certificate store
On the computer hosting the Operations Manager role for which you are configuring the certificate, click Start, and then click Run.
In the Run dialog box, type mmc, and then click OK.
In the Console1 window, click File, and then click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
In the Certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console1 window, expand Certificates (Local Computer), expand Personal, and then click Certificates.
Right-click Certificates, select All Tasks, and then click Import.
In the Certificate Import Wizard, click Next.
On the File to Import page, click Browse and select the location where you saved the issued certificate file, for example: Server1.cer, select the file, and then click Open.
On the File to Import page, select Place all certificates in the following store and ensure that Personal appears in the Certificate store box, and then click Next.
On the Completing the Certificate Import Wizard page, click Finish.
Create the self-signed certificate in the Operations Manager container using MOMCertImport
Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
Double-click on the MOMCertImport.exe tool
Select the Certificate imported earlier
Click OK.
Restart System Center Management Service.
Sample Validation of a Certificate on a Gateway server
Confirm that event 20053 exists in the Operations Manager event log; it states that the certificate was loaded successfully.
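The request, submit, import, MOMCertImport and validation steps above are all performed per computer, so they are worth scripting. The following PowerShell script is an added example, not from the original guide, that runs the whole sequence on the MS, GTW or agent that needs the certificate. It assumes the OpsMgrCert template from the previous section is published on the Enterprise CA, that certreq.exe is available (it ships with Windows), that MOMCertImport.exe has been copied from the OpsMgr media to the path given (a placeholder), and that MOMCertImport accepts a /SubjectName switch (confirm with MOMCertImport /? on your version). Where the guide imports the issued certificate through the MMC, the script uses certreq -accept, which installs the certificate into Local Computer\Personal and pairs it with the key generated by certreq -new.

```powershell
# Added example (not from the original guide): request, install and activate an
# OpsMgr certificate on this computer, then wait for event 20053.
param(
    [string]$TemplateName  = 'OpsMgrCert',                       # template created in the guide
    [string]$CAConfig      = '',                                 # optional "CAHostFQDN\CAName"; empty = let certreq pick the Enterprise CA
    [string]$WorkDir       = "$env:ProgramData\OpsMgrCert",      # where .inf/.req/.cer are written (my choice)
    [string]$MomCertImport = 'C:\Tools\MOMCertImport.exe'        # PLACEHOLDER path: copy the tool from the OpsMgr media
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Requirement from the guide: Subject CN must be this computer's FQDN
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$inf  = Join-Path $WorkDir "$fqdn.inf"
$req  = Join-Path $WorkDir "$fqdn.req"
$cer  = Join-Path $WorkDir "$fqdn.cer"

# 1. The .inf from the guide, with the Subject filled in
@"
[NewRequest]
Subject="CN=$fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Out-File -FilePath $inf -Encoding ascii

# 2. Create the request here: the key pair is generated on this machine, which is
#    why the guide insists certreq runs on the computer that gets the certificate
certreq -new -f $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit to the Enterprise CA, requesting the OpsMgr template
$submitArgs = @('-submit', '-attrib', "certificatetemplate:$TemplateName")
if ($CAConfig) { $submitArgs += @('-config', $CAConfig) }
certreq @submitArgs $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# 4. Install the issued certificate into Local Computer\Personal with its private key
#    (command-line equivalent of the MMC import in the guide)
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 5. Point OpsMgr at the certificate; this creates the self-signed certificate in the
#    Operations Manager store, as the guide describes for the GUI tool
& $MomCertImport /SubjectName $fqdn

# 6. Restart the health service (service name HealthService on OpsMgr 2007 and 2012)
#    and wait for event 20053, which the guide uses as the success check
$since = Get-Date
Restart-Service -Name HealthService
$loaded = $null
for ($i = 0; $i -lt 12 -and -not $loaded; $i++) {
    Start-Sleep -Seconds 5
    $loaded = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053; StartTime = $since } `
                  -ErrorAction SilentlyContinue | Select-Object -First 1
}
if ($loaded) { "Certificate loaded: $($loaded.Message)" }
else { Write-Warning 'Event 20053 not seen within 60 s; check the Operations Manager event log for 2000x errors' }
```

Run it elevated once per MS, GTW and untrusted agent; if more than one Enterprise CA is reachable, pass -CAConfig so certreq does not stop to prompt for a CA.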
Gateway Approval process to initiate communication from MS to Gateway Server
IMPORTANT: New in Operations Manager 2012, the Management Server can initiate communication to the Gateway server, so there is no need to open TCP port 5723 in the firewall from the GTW to the MS.
Follow the steps outlined in the section How to Deploy a Gateway Server on TechNet, except during the gateway approval process, where you follow the steps below.
To run the gateway approval tool
On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
Open a command prompt, and navigate to the Operations Manager installation directory or to the directory that you copied the Microsoft.EnterpriseManagement.gatewayApprovalTool.exe to.
At the command prompt, run:
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create /ManagementServerInitiatesConnection=True
If the approval is successful, you will see "The approval of server <GatewayFQDN> completed successfully."
If you need to remove the gateway server from the management group, run the same command, but substitute the /Action=Delete flag for the /Action=Create flag.
Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present.
Sample Screenshot of a valid Operations Manager Certificate
This posting is provided "AS IS" with no warranties and confers no rights.
Comments
- Anonymous
January 01, 2003
Thanks for sharing, Drougeau.
- Anonymous
January 01, 2003
Thank you very much.
- Anonymous
January 01, 2003
Thanks for sharing.
- Anonymous
January 13, 2015
Why do we use certificates?
- Anonymous
January 12, 2016
It appears that using the option /ManagementServerInitiatesConnection=True causes an issue when the network connection between the GW and MS is interrupted: the MS does not reinitiate the connection to the GW, and the GW remains grayed out unless the Health Service on the MS is restarted. This info should be tested and published.
- Anonymous
August 10, 2016
The comment from "LP" is really interesting. I'm facing this exact issue in an environment. I have a GW and 2 MS, and sometimes the GW (and the agents behind it) simply goes gray and there is no failover between MS or retries...
- Anonymous
February 22, 2016
Does SCOM 2007 R2 support SHA-256 certificates?
- Anonymous
September 07, 2016
Finally one that works. The only thing you may want to add is that the service on both the gateway and the other SCOM server needs to be restarted, gateway last. It wouldn't connect until I did that.
- Anonymous
April 13, 2018
I have been asked to update the certificate from SHA 1 to SHA 256 on SCOM Gateway Servers running on Windows OS. Could you please help with a detailed process to do it? Nothing I can find on the MS website or on blogs.