Sealing Management Packs


As we’ve blogged about in the past, management packs can take dependencies on each other.  To do this, you need to add a Reference element in the Manifest section of the management pack.

When a management pack (MP ‘A’) references another management pack (MP ‘B’), you can then reference things in management pack ‘B’.  For example, you could create a new class in MP ‘A’ which derives from a class in MP ‘B’.

In order for an MP to be referenced (in the example above, MP ‘B’), the MP must be “sealed”.  There are two primary reasons why the concept of “sealing” an MP exists:

1)  Sealing a management pack turns an MP from an .xml file to a .mp file which is a binary representation of the management pack instead of a human readable XML file.  This is not for the purpose of protecting intellectual property!  It is solely to make it possible to digitally sign the file.  Only binary files can be signed.  Signing a binary assures the receiver that the file was signed by the provider of the file and that it hasn’t been modified since then.

2) Sealing a management pack also makes the management pack “read only”.  Again, the primary reason for this is to prevent the file from being maliciously modified by someone in between the time the file was originally produced and when it was received by the customer.  It also has the benefit of creating a certain file version with a specific set of contents in it which other MPs can depend on.

We will likely make this process of signing MPs part of the authoring console, but for now you can use this command line utility to seal management packs.  It’s pretty simple – you can run fastseal.exe /? to see usage.  Basically, you just point fastseal.exe to a .xml MP file and a .snk key file.  It will generate a .mp binary file.  The management pack import wizard in the administrator console or the cmdlet Import-SCSMManagementPack will accept a .mp, .mpb (management pack bundle), or .xml file.

Keep these rules in mind when dealing with MP references:

  • A sealed management pack can reference another sealed management pack
  • An unsealed management pack can reference a sealed management pack
  • An unsealed management pack cannot reference another unsealed management pack
  • A sealed management pack cannot reference an unsealed management pack

Or in other words… only sealed management packs can be referenced.
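
A pre-import check for the rules above, as an added example (not code from the original post or from FastSeal): it reads the Reference entries from an unsealed MP's Manifest and flags any whose target is unsealed, missing, or sealed with a different key. The MP IDs, versions, tokens and the `$available` inventory are constructed sample data, and `Test-MPReference` is a hypothetical helper name.

```powershell
# Constructed sample: unsealed MP 'A' with two Reference entries in its Manifest.
$mpA = [xml]@'
<ManagementPack>
  <Manifest>
    <Identity><ID>Contoso.MP.A</ID><Version>1.0.0.0</Version></Identity>
    <Name>Contoso MP A</Name>
    <References>
      <Reference Alias="System">
        <ID>System.Library</ID>
        <Version>7.0.5000.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
      <Reference Alias="B">
        <ID>Contoso.MP.B</ID>
        <Version>1.0.0.0</Version>
        <PublicKeyToken>0123456789abcdef</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
</ManagementPack>
'@

# Constructed inventory of MPs available for import (assumption: you maintain this list).
# Value = PublicKeyToken of the sealed .mp, or $null when only an unsealed .xml exists.
$available = @{
    'System.Library' = '31bf3856ad364e35'
    'Contoso.MP.B'   = $null   # MP 'B' was never sealed
}

function Test-MPReference {
    param([xml]$Mp, [hashtable]$Available)
    foreach ($ref in $Mp.ManagementPack.Manifest.References.Reference) {
        $id = $ref.ID
        # Only sealed MPs can be referenced, and the token pins the signing key.
        $status = if (-not $Available.ContainsKey($id)) { 'Missing' }
                  elseif (-not $Available[$id]) { 'TargetUnsealed' }
                  elseif ($Available[$id] -ne $ref.PublicKeyToken) { 'TokenMismatch' }
                  else { 'OK' }
        [pscustomobject]@{
            Alias  = $ref.Alias
            Id     = $id
            Token  = $ref.PublicKeyToken
            Status = $status
        }
    }
}

Test-MPReference -Mp $mpA -Available $available | Format-Table -AutoSize
```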

In closing… a few best practices regarding sealed/unsealed MPs…

1) If you are moving an MP from pre-production to production and you don’t want the configuration to be modified in production without going through a formal change request/test/release cycle, then you may want to seal the MPs before you put them in production.

2) If you are a partner building solutions that you are delivering to customers – you should seal most if not all of your management packs.  This ensures a cleaner upgrade and also is a good security measure given the ability to sign the MPs.

3) Generally speaking, anything involved with modeling, such as ClassTypes, RelationshipTypes, and TypeProjections, should be in a sealed MP so that they are not unexpectedly modified and so that they can be referenced by content in other MPs.

4) If you want to allow people to modify your MP after you have delivered it to them, then you should provide an unsealed version of the MP.  For example, all of the MPs that I provide on this site are unsealed so that they can be read and modified by you as needed.  Just keep in mind that if you put an unsealed MP out there you no longer have control over what is in that MP.

5) Management packs must be sealed in order to be synchronized from SCSM to the data warehouse.  More information on the MP sync workflow here: http://blogs.technet.com/servicemanager/archive/2009/03/28/data-warehouse-anatomy-of-management-pack-synchronization.aspx

Attachment: FastSeal.zip
  • Hello

    Is it possible to seal a management pack bundle? I want to seal a management pack with resource files.

    Thank you

  • @wima75

    First, seal the MP.  Then create an MP bundle from the .mp file just like you would from a .xml file.

  • Hi

    Once you have sealed a management pack can you unseal it again for later changes?

    Kind Regards

    Saffron

  • @Saffron

    When you seal a management pack it creates a *new* .mp file.  The original .xml (unsealed MP) file is still there for you to modify if needed.

  • Thanks - I did notice that I just wanted to be sure that there would be no issue.

    Kind Regards

  • Hi,

    Suppose you put some class extensions in a management pack to, for example, add some extra properties to the incident class.

    Next, you seal this mp so it can be referenced in other mps.

    Later, you want to modify your sealed mp.

    How do you get around these problems:

    1. You can not reimport a sealed mp without deleting it first. You often can't delete the mp because it's referenced in other mps.

    2. When you reimport your sealed mp, its guid and all of the class extension guids change. Therefore, any code or templates, etc that reference these no longer work.

    Thanks,

    Rob

  • And one thing I forgot to mention in my previous question, what happens to the data that was stored in your class extensions?

  • @Rob -

    Re: question #1 - you just need to increment the version number of the MP and then import it on top of the existing MP to "upgrade" it.

    Re: question #2 - the GUIDs will not change because they are a hash of the MP element ID attribute and the MP ID attribute and the MP PublicKeyToken value.  As long as those remain constant the GUIDs will not change.

    Re: question #3 - if you delete a management pack the objects of the classes in that management pack will be deleted.  Similarly, if you delete an MP that contains class property extensions the data stored in those properties will be deleted.

  • @Travis

    Thanks very much for answering my questions (especially in such an old post). Certain things that I had not understood regarding management packs have just clicked into place.

  • I used FastSeal to seal a custom Send Email MP that calls the sealed Send Email MP in SCSM. It seals fine, but I get an error when I try to import it into SCSM. Help! Whenever someone modifies this MP, my Send Email function stops working, so I need to make it Read Only!

  • @Audrey - what error message are you getting?

  • System.ArgumentException: The requested management pack is not valid. See inner exception for details.

    Parameter name: managementPack ---> : Verification failed with 1 errors:

    -------------------------------------------------------

    Error 1:

    : The Target attribute value is not valid. Element Category.32fb3f83167c441aaf5c3d0b2e9ab0ad references a Target element that cannot be found.

    -------------------------------------------------------

    The Target attribute value is not valid. Element Category.32fb3f83167c441aaf5c3d0b2e9ab0ad references a Target element that cannot be found.

      --- End of inner exception stack trace ---

      at Microsoft.EnterpriseManagement.ManagementPackManagement.ImportManagementPack(ManagementPack managementPack, IDictionary`2 resources)

      at Microsoft.EnterpriseManagement.ManagementPackManagement.ImportManagementPack(ManagementPack managementPack)

      at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.ManagementPackWriteAdapter.WriteSdkObject(EnterpriseManagementGroup managementGroup, ManagementPack sdkObject, IDictionary`2 parameters)

      at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.SdkWriteAdapter`1.WriteSdkObject(EnterpriseManagementGroup managementGroup, IList`1 sdkObjects, IDictionary`2 parameters)

      at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.SdkWriteAdapter`1.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)

      at Microsoft.EnterpriseManagement.UI.DataModel.QueryQueue.StartExecuteQuery(Object sender, ConsoleJobEventArgs e)

      at Microsoft.EnterpriseManagement.ServiceManager.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

  • @Aubrey -

    See the section of this blog post that talks about the PublicKeyToken:

    blogs.technet.com/.../tasks-part-2-custom-console-tasks-for-create-edit-delete.aspx

  • And when I go to the MP view in the console, I get this error...

    Date: 2/7/2012 1:04:22 PM

    Application: System Center Service Manager

    Application Version: 7.0.6555.128

    Severity: Error

    Message: The given key was not present in the dictionary.

    System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

      at System.ThrowHelper.ThrowKeyNotFoundException()

      at System.Collections.Generic.Dictionary`2.get_Item(TKey key)

      at Microsoft.EnterpriseManagement.UI.ViewFramework.ListSupportAdapter.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)

      at Microsoft.EnterpriseManagement.UI.DataModel.QueryQueue.StartExecuteQuery(Object sender, ConsoleJobEventArgs e)

      at Microsoft.EnterpriseManagement.ServiceManager.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

  • I meant to say - we did get it to seal and import - but now the email is not working and I get the above error in the console when switching to the MP view.