The System Center Operations Manager Support Team Blog

This is the OpsMgr 2007 blog for the Microsoft support team. If you were looking for the SCOM 2007 or MOM 2005 blog then you are in the right place.

Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server

System Center Operations Manager 2007 uses mutual authentication to communicate with the agents. First the agent will try to communicate with Kerberos, and when this is not possible, certificates will be used for the secure communication. If you have agents that lie outside of your domain, such as in a DMZ, you will want to use certificates for agent-to-server communication.

In order to configure certificates for this communication you will need to complete the steps below:

  1. Importing Trusted Root certificate - all servers
  2. Creating and installing Server (Client, Server) Certificates - OpsMgr servers
  3. Creating and installing Server (Client, Server) Certificates – Workgroup and/or DMZ servers
  4. Export the Server (Client, Server) Certificate
  5. Allow manual agent installation.
  6. Manual OpsMgr 2007 agent installation
  7. Running MOMcertimport on the servers - all servers
  8. Approve agent
  9. Create Run As Account
  10. Change default Action Account Run As profile

Additional steps:

  1. Issue new certificates from the Standalone Root CA

1. Importing Trusted Root certificate.

On all servers (RMS, Management server and all Workgroup servers):

  1. Logon to the Root Management Server with administrative privileges and navigate to the certificate server web site at http://standaloneCAroot/certsrv
  2. Click on “Download a CA certificate, certificate chain or CRL”
  3. Click on “Download Ca certificate chain”
  4. Save the “certnew.p7b” to the “c:\” (or some place you want)
  5. Click “Start => Run”, type “MMC”, and from the File menu select “Add/Remove Snap-in...”:
    1. Click “Add”
    2. Select “Certificates”
    3. Click “Add”
    4. Select “Computer account”
    5. Click “Next”
    6. Select “local computer”
    7. Click “Finish”
  6. Click “Close” and “Ok” to access the Certificates console.
  7. Navigate to the folder “Trusted Root Certification Authorities”
  8. Right-click the “Certificates” folder and select “All Tasks” and “Import”
    1. In the wizard click “Next”
    2. Click “Browse” and browse to the “certnew.p7b” on the “c:\” (or some place you put it)
    3. Click “Next”
    4. Select “Place all certificates in the following store”, make sure the certificate store is “Root Certification Authorities”, and click “Next”
    5. Click “Finish” to complete the import.
  9. Delete the “certnew.p7b”
  10. The import of the trusted root certificate is finished

2. Creating and installing Server (Client, Server) Certificates

For the root management server (RMS) and management server (MS):

  1. Logon to the Root Management Server with administrative privileges and navigate to the CA server web site at http://standaloneCAroot/certsrv
  2. Click “Request a certificate”
  3. Click “advanced certificate request”
  4. Click “Create and submit a request to this CA”
  5. Use the following for the certification request:
    1. Name: Managementserver.domain.com
    2. Type: Other
    3. OID: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    4. Select: Mark key as exportable
    5. Select: Store certificate in the local computer certificate store
    6. Friendly name: Managementserver.domain.com
    7. Click “Submit”
    8. Close Internet Explorer
  6. Let the certificate be issued on the Standalone Root CA (see how to: 1. Issue new certificates from the Standalone Root CA).
  7. Navigate to http://standaloneCAroot/certsrv
  8. Click “View status of a pending certificate request”
  9. Click the Issued certificate
  10. Install the issued certificate

3. Creating and installing Server (Client, Server) Certificates

For workgroup and/or DMZ server:

  1. Logon to the workgroup server with administrative privileges and navigate to the certificate CA server web site with http://servername/certsrv
  2. Click “Request a certificate”
  3. Click “advanced certificate request”
  4. Click “Create and submit a request to this CA”
  5. Use the following for the certification request:
    1. Name: Server name
    2. Type: Other
    3. OID: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
    4. Select: Mark key as exportable
    5. Select: Store certificate in the local computer certificate store
    6. Friendly name: Server name
  6. Let the certificate be issued on the Standalone Root CA (see how to issue a certificate from a standalone Root CA).
  7. Navigate to http://standaloneCAroot/certsrv
  8. Click “View status of a pending certificate request”
  9. Click the Issued certificate
  10. Install the issued certificate
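Before exporting the certificate in step 4, it is worth confirming that what landed in the local computer Personal store actually matches the request settings from steps 2 and 3. The following PowerShell check is an added example, not part of the original post or of the OpsMgr tools; it assumes PowerShell 3.0 or later on the server holding the certificate and that the certificate subject CN is that server's full computer name.

```powershell
# Added example (not from the original post): verify that a certificate in the
# local computer Personal store meets the OpsMgr 2007 requirements from steps 2/3:
# subject CN equal to the machine's full computer name, Server Authentication and
# Client Authentication EKUs, a private key present, and a chain that ends at a
# trusted root (the root imported in step 1).
function Test-OpsMgrCertificate {
    param(
        # Defaults to this machine's FQDN; the OpsMgr Connector rejects a
        # certificate whose subject does not match the local computer name.
        [string]$ExpectedSubject = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OIDs from the certificate request in steps 2 and 3
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'

    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ExpectedSubject" -or $_.Subject -like "CN=$ExpectedSubject,*" }
    if (-not $certs) {
        Write-Warning "No certificate with CN=$ExpectedSubject in Cert:\LocalMachine\My"
        return
    }

    foreach ($cert in $certs) {
        # Enhanced Key Usage extension (OID 2.5.29.37); absent means no EKUs at all
        $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Build the chain against the local machine trust stores
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = ($ekuOids -contains $serverAuthOid)
            ClientAuthEku = ($ekuOids -contains $clientAuthOid)
            ChainTrusted  = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
}

# Run on the RMS, management server or workgroup/DMZ server after installing the issued certificate
Test-OpsMgrCertificate | Format-List
```

Every boolean field should come back True and ChainStatus should be empty; a False in ServerAuthEku or ClientAuthEku means the request was submitted with the wrong type or OIDs, and ChainTrusted being False means the root from step 1 is missing on that server.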

4. Export the Server (Client, Server) Certificate

This must be done on all Workgroup/DMZ servers, the root management server (RMS) and the management servers (MS):

  1. Logon to the Server with administrative privileges
  2. Click “Start => Run”, type “MMC”, and from the File menu select “Add/Remove Snap-in...”:
    1. Click “Add”
    2. Select “Certificates”
    3. Click “Add”
    4. Select “Computer account”
    5. Click “Next”
    6. Select “local computer”
    7. Click “Finish”
  3. Click “Close” and “Ok” to access the Certificates console.
  4. Navigate to the folder “Certificates (Local Computer)\personal\Certificates”
  5. Select the newly installed Client, Server certificate, right-click it and select “All Tasks => Export”
    1. In the new wizard click “Next”
    2. Select “Yes, export the private key”
    3. Click “Next”
    4. Select “Personal Information Exchange – PKCS #12 Certificates (PFX)”
    5. Select “Enable Strong protection (requires IE5.0, NT4 SP4 or above)”
    6. Click “Next”
    7. Type a password for the certificate twice and click “Next”
    8. Click “Browse” and save the file as “c:\serverFQDN.pfx”
    9. Click “Next”
    10. Check the export information and if correct click “Finish”
    11. Click “OK” to finish the export
  6. Close the MMC

5. Allow manual agent installation.

Before the first manual agent installation, the global setting must be changed from rejecting manual installations to “Review new manual agent installation in pending management view” in the Operations console of OpsMgr 2007:

  1. Open an Operations Console with OpsMgr administrative privileges
  2. Navigate to “Administration => Settings => Server”
  3. In the right pane click “Security”
  4. On the “General” tab select “Review new manual agent installation in pending management view”
  5. Click “OK” to finish

6. Manual OpsMgr 2007 agent installation

On the workgroup and/or DMZ servers:

  1. Logon to the Server with administrative privileges
  2. On the Operations Manager 2007 installation media, double-click the SetupOM.exe file.
  3. On the Start page, select Install Operations Manager 2007 Agent.
  4. On the Welcome page, click “Next”.
  5. On the Destination Folder page leave the installation folder set to the default click “Next”.
  6. On the Management Group Configuration page leave the Specify Management Group information check box selected, and then click “Next”.
  7. On the Management Group Configuration page, do the following:
    1. Type the Management Group Name
    2. Type the Management Server name.
    3. Leave the default 5273.
    4. Click Next.
  8. When the Agent Action Account page displays leave it set to the default of Local System and then click Next.
  9. On the Ready to Install page, review the settings and then click Install to display the Installing System Center Operations Manager Agent page.
  10. When the Completing the System Center Operations Manager Agent Setup Wizard page displays, click Finish.

7. Running MOMcertimport.exe on the servers.

This must be done on all servers. Also make sure the MOMcertimport.exe you use matches the platform (there are separate executables for 32-bit and 64-bit) and comes from the same version of the SCOM server or agent media as is running on the system:

  1. On the start menu click “Start” and “Run”
  2. Type “cmd”
  3. Navigate to the tools folder: cd “program files\System Center Operations Manager 2007\Supportools\i386”
  4. Type MOMcertimport.exe “c:\servername.domain.com.pfx” or “c:\servername.pfx”
  5. Type the asked password for the certificate import and press “Enter”.
  6. The certificate is now imported in OpsMgr 2007.
  7. Restart the “OpsMgr Health Service” on the server.

8. Approve agent

After every manual agent installation, the new agent must be approved in the Operations Console of OpsMgr 2007:

  1. Open the Operations console as an OpsMgr Admin member.
  2. Navigate to “Administration => Pending Management”
  3. Right-click the new agent and select “Approve”
  4. Click “Approve”

To check if the agent is successfully approved look in the “Agent Managed” folder for the approved agent to see if the agent is there.

9. Create Run As Account

In the System Center Operations Manager Console:

  1. Open an Operations Console with OpsMgr administrative privileges
  2. Navigate to “Administration => Security => Run As Account”
  3. Right-click “Run As Account” and select “Create Run As Account”
  4. In the Create Run As Account Wizard click “Next”.
  5. Select “Action account” in the Run As Account type list
  6. Type a display name in the Display Name text box
  7. Click Next
  8. On the Account page, type:
    1. Server name\username
    2. Password
    3. The domain should be grayed out (Local machine account).
  9. Click Create to finish
  10. Change default Action Account Run As profile

10. Change default Action Account Run As profile

In the System Center Operations Manager Console:

  1. Open an Operations Console with OpsMgr administrative privileges
  2. Navigate to “Administration => Security => Run As Profiles”
  3. In the right pane double click the “Default Action Account”
  4. Click on the “Run As Account” tab
  5. In the “Run As Account:” dropdown menu select the workgroup server local account
  6. Click “OK” and click “OK”

That should be it, but in case you need more information please see Authentication and Data Encryption for Windows Computers in Operations Manager 2007.

Hope this helps,

Sudheesh Narayanaswamy | Operations Manager Support Engineer

Comments
  • I followed this to the letter (except the killing in point 1.8, 4.5 and 7.1...) and it finally enabled communication between my agents and server. I'm not sure where exactly I failed when doing this exact thing previously on my own, but the only things I know I did differently was not selecting "strong protection" on export and selecting the installed certificate from the momcertimport gui rather than specifying a pfx in command line...

  • Thanks for this!

    Why does step 7 have to be done all servers?  I just want 1-3 servers outside our domain for monitoring our hosted URLs, but I am not sure I follow why we have to touch all server within our network to do this.

  • What is meant here by all servers is the RMS\MS\Gateway and the clients... Not all servers on your network.

  • Step 2.5.e which asks you to select the local computer store is not available.  Is it because of the CA type?  I am using Server 2008 R2 SP1.

  • For the DMZ servers, sometimes it expects the server names to be in FQDN. You can find a similar event on your DMZ server:

    Event Type: Error
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 20052
    Date: 5/17/2012
    Time: 1:18:06 PM
    User: N/A
    Computer: SERVER1
    Description:
    The specified certificate could not be loaded because the Subject name on the certificate does not match the local computer name
    Certificate Subject Name : SERVER1
    Computer Name            : SERVER1.CONTOSO.COM

  • In section 1. Importing Trusted Root certificate.

    It says "Kill" where I believe it should say "Click". In a few places this is the case.

    Thanks,

    Christopher McLaughlin

  • Does this procedure also work in OpsMgr 2012?

  • Hi, I have this issue.

    I have issued the certificate for a non-domain server signed by my AD CA, placed in the local Personal folder. This cert has the private key included.

    When I start MOMCertImport /SubjectName server.domain.local, in the Local Operations Manager folder I receive a self-signed certificate server.domain.local.

    It is not signed with my AD CA :-(

  • The port in the step 6 is wrong, it should be 5723

  • Another bit. In the steps 3.a and 3.f, it should be "full computer name", as I've just spent hours playing with a Lync edge server which has a computer name: servername and a full computer name: servername.domain.com. You guess, creating a cert and entering only the computer name didn't work, so I had to recreate it with the full comp name (servername.domain.com), even though the server is in a workgroup, and reimport the cert, and then it worked.

  • The correct steps mentioned above are 3.5.a and 3.5.f.

  • How to renew the Trusted Root certificate when it is going to expire?
