How to configure AEM to use SSL in Operations Manager 2007 and 2012


~ R.B.Ganesh | Senior Support Escalation Engineer

Hello everyone, I couldn't find this documented anywhere already, so while we’re getting TechNet updated I thought I would go ahead and post this here now:

Agentless Exception Monitoring (AEM) is a component of the Client Monitoring feature in System Center Operations Manager 2007 (OpsMgr 2007) and System Center 2012 Operations Manager (OpsMgr 2012) that enables you to monitor operating systems and applications for errors within your organization. By default, when a Microsoft application encounters a severe error, it creates a report that can be sent to Microsoft to consolidate data that can lead to a reduction in errors. Using AEM, you can direct these reports to an Operations Manager management server which can then provide detailed views and reports on this consolidated error data. Using this data, you can determine how often an operating system or application experiences an error and the number of affected computers and users.

Please follow the steps in the article below to configure AEM using the Client Monitoring configuration wizard:
http://technet.microsoft.com/en-us/library/hh212833.aspx

For SSL to work with AEM we will need the following:

1. A certificate matching the name of the AEM server as seen in the Group Policy template created by the configuration wizard. The certificate should be intended for Server and Client Authentication and have a private key associated with it.

2. The Certificate authority that issued the AEM server’s certificate should be trusted by the AEM clients that will be sending the error reports to the AEM server.

3. Windows Authentication should not be enabled while running the Client Monitoring configuration wizard.

4. An HTTPS Listener should be created for the AEM TCP port 51906.

How to create HTTPS Listener on the AEM server:

Open a command prompt on the AEM server and run the following command:

netsh http add sslcert ipport=0.0.0.0:51906 certhash=<ThumbPrint of the AEM server certificate> appid={00000000-0000-0000-0000-000000000000}

In the command above we are associating the thumbprint of the certificate from requirement 1 above with TCP port 51906. The IP address 0.0.0.0 refers to all IP addresses on the AEM server. To retrieve the thumbprint of the certificate used by the AEM server, please use the steps below:

1. Open the Microsoft Management Console (MMC) snap-in for certificates.

2. In the Console Root window's left pane, click Certificates (Local Computer).

3. Click the Personal folder to expand it.

4. Click the Certificates folder to expand it.

5. In the list of certificates, note the Intended Purposes heading. Find a certificate that lists Client Authentication as an intended purpose.

6. Double-click the certificate.

7. In the Certificate dialog box, click the Details tab.

8. Scroll through the list of fields and click Thumbprint.

9. Copy the hexadecimal characters from the box. If this thumbprint is used in code for the X509FindType, remove the spaces between the hexadecimal numbers. For example, the thumbprint "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b" should be specified as "a909502dd82ae41433e6f83886b00d4277a32a7b" in code.

Once the Listener is created, please run this command using command prompt to confirm that the listener was created successfully:

netsh http show sslcert

A sample output for the listener is below:

SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:51906
Certificate Hash : 68130ce3743a95bf35b6a0a5d06b3d814b7df9fa
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

Once these configuration steps are completed the AEM server and client communication should work with SSL.
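The certificate requirements, thumbprint clean-up and listener binding described above can be combined into one PowerShell script run from an elevated prompt on the AEM server. This is an added example, not part of the original post; the `AemServerName` and `PastedThumbprint` parameters and the helper function names are assumptions.

```powershell
# Added example: parameter and function names are assumptions, not from the original post.
param(
    [Parameter(Mandatory=$true)] [string] $AemServerName,  # name shown in the AEM Group Policy template
    [string] $PastedThumbprint                             # optional: thumbprint copied from the MMC Details tab
)

$ServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$AemPort    = 51906

function ConvertTo-CleanThumbprint([string] $Text) {
    # Drop spaces and any invisible characters picked up when copying from the dialog.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-AemCertificate($Cert, [string] $Name) {
    # Collect the EKU OIDs listed on the certificate.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    # Primary DNS name of the certificate, compared case-insensitively.
    $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $Cert.HasPrivateKey -and
        ($Cert.NotAfter -gt (Get-Date)) -and
        ($dns -eq $Name) -and
        ($ekus -contains $ServerAuth) -and ($ekus -contains $ClientAuth)
}

# Certificates (Local Computer) > Personal > Certificates
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-AemCertificate $_ $AemServerName })
if ($PastedThumbprint) {
    $want = ConvertTo-CleanThumbprint $PastedThumbprint
    $candidates = @($candidates | Where-Object { $_.Thumbprint -eq $want })
}
if ($candidates.Count -ne 1) {
    throw "Expected exactly one usable certificate for $AemServerName, found $($candidates.Count)."
}
$thumb = $candidates[0].Thumbprint

# Quote the appid so PowerShell does not parse the braces as a script block.
& netsh http add sslcert "ipport=0.0.0.0:$AemPort" "certhash=$thumb" 'appid={00000000-0000-0000-0000-000000000000}'
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE." }

# Show only the binding for the AEM port to confirm the listener.
& netsh http show sslcert "ipport=0.0.0.0:$AemPort"
```

The script stops without touching the HTTP configuration when no certificate, or more than one, satisfies every check, so an expired or wrongly named certificate is caught before it is bound to the port.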

The article below has more information about the AEM feature in System Center Operations Manager:

http://technet.microsoft.com/en-us/library/hh230748.aspx

R.B.Ganesh | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division
