The “Monitoring Azure applications” series:
In this blog post I’m going to cover how to get the certificate pieces setup, which allow mutual authentication between Azure applications and your OpsMgr infrastructure. Since I primarily came from an OpsMgr background, I had very little experience with certificates and I definitely didn’t know what was involved in the Azure side.
The first thing that needs to be sorted out is authentication between your Azure application(s) and your OpsMgr manager infrastructure. Given that we’re talking about potentially sensitive data, which is being routed over the internet, it’s very important that this whole channel be as secure as possible. Since we can’t rely on a domain level-trust we have to use an approach not entirely unlike certificate based mutual authentication for agents, but since we’re working Azure, we’re going to be authenticating with the Windows Azure Service Management API instead of with one or more HealthServices. No need to worry though, all communication with the Service Management API is mutually authenticated over SSL.
Create a certificate to be used
As I mentioned, I’m not really a pro in this area, so I won’t run the risk of misinforming folks on how to get your hands on a certificate. Within Microsoft, we have a formalized process for requesting certificates from our central certificate authority, so that is what we did. Later, I found that Walter Myers gives some great instructions in his primer (starting about 1/3 of the way down) on how to create a certificate yourself with IIS, and that cleared up a lot of things for me. Following are the key (sorry, but I couldn’t resist) best practices we learned:
Add the public key (.CER) to your Azure subscriptions as a “Management Certificate”
Once we have the certificate we now need to configure the Azure subscriptions, so that they will accept communications signed with this certificate. We do this by uploading the public key portion of the certificate up to our subscription, as a managed certificate. Following are the steps involved:
Create the Run As Accounts required for certificate based authentication
Lastly, we need to create two RunAs accounts within Operations Manager, which contain the full certificate (binary authentication) and the password to access the full certificate (basic authentication) respectively. This too, is a relatively new concept, even for folks with an OpsMgr background, but fortunately you only have to set it up once.
Back at the Run As Account screen, we need to create a 2nd run as account. Right-Click on the right-hand pane, where the accounts are shown, and select Create Run As Account… to create the basic authentication run as account, which will hold the password that is used to access the private key within the certificate:
Note: The Run As Accounts and Run As Profiles topic gives an overview of the various types of accounts available, and how they relate to profiles. The Security Considerations section of the Azure MP guide, gives the specific details relevant to this MP.
So that’s it! Now we have the pieces in place between our Azure subscriptions and our monitoring infrastructure, to allow discovery and monitoring via the service management API.