DefinIT

Requesting SCOM 2007 Gateway or Agent Certificates for Server 2008 from a Server 2003 Enterprise Certificate Authority

This is a pretty specific set of instructions for a specific environment:

  • If
  • you are using Microsoft System Center Operations Manager 2007
  • and
    • you have a Microsoft Certificate Services 2003 Certificate Authority on your domain
  • and
    • you have non-domain Windows Server 2008 servers you wish to monitor or set up as a gateway server.

     

    Getting a certificate for either a Gateway Server or remotely monitored Server can be a touch vexing. If you’re installing on the same domain as the SCOM management server the security settings take care of themselves, not so for non-domain servers, which require mutual certificate authentication. The Gateway must trust the Domain CA and identify itself as trusted to the Management Server. I have bashed my head against this several times now, so I thought I’d make a precise blog post to cover the steps required!

    In this scenario, we will have 2 servers CA01, the Windows 2003 Certificate Authority, and Gateway01, the SCOM 2007 gateway. The certificate template for Operations Manager has been created on CA01 as per the documentation and is called “OperationsManagerCert”. On Gateway01 I have copied the Gateway installer to c:\SCOM\Gateway and the SCOM Tools to c:\SCOM\Tools. SCOM01 is our SCOM collection server.

    CA01: Navigate to https://ca01/certsrv and download the CA Certificate.

    Gateway01: Copy the CA Certificate to the c:\SCOM folder by whatever means you have. Open mmc.exe and add the Certificates Snap-in for the local computer account. Right click the Trusted Root Certification Authorities store and Import the CA01 CA certificate.

    image

    Gateway01: Open notepad and create a new certificate request file with the contents below. Name the file Gateway01.inf and save in c:\SCOM

    [NewRequest]

    Subject="CN=<FQDN of Gateway01>"

    Exportable=TRUE

    KeyLength=2048

    KeySpec=1

    KeyUsage=0xf0

    MachineKeySet=TRUE

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1

    OID=1.3.6.1.5.5.7.3.2

    Gateway01: Open a command prompt as administrator and navigate to c:\SCOM, use certreq.exe to generate a certificate request:

    certreq –new –f Gateway01.inf Gateway01.req

    Gateway01: Open Gateway01.req in notepad and copy the contents to clipboard.

    CA01: Open https://ca01/certsrv and start a new advanced certificate request, create the certificate request using a base64 encoded CMC. Paste the data from Gateway01.req into the “Saved Request” box. Select your SCOM certificate template and click next. Save the response as a Base 64 encoded certificate.

    image

    Gateway01: Copy the certificate file over to c:\SCOM on Gateway01 by whatever method you have available. Open a command prompt with admin rights and approve the new certificate with certutil.

    certreq –accept Gateway01.cer

    Check that the certificate has been imported into the Computer/Personal store using mmc.exe.

    SCOM01: At this point you can either install your SCOM agent, or Gateway Server on Gateway01 if you are installing the Gateway Server like me, you need to first approve the Gateway using the Gateway Approval Tool. Open a command prompt as administrator and navigate to “c:\Program Files\System Center Operations Manager 2007” or wherever your SCOM install is. Copy the Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe from Support Tools into the parent folder (it requires .dlls in that folder).

    Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe ¬

    /ManagementServerName=SCOM01 /GatewayName=Gateway01

    Gateway01: Run the Gateway Server installer and enter the details of the Management Server and Management Group name. When that’s finished, you need to tell SCOM which certificate to use with the MOMCertImport.exe tool located in c:\SCOM\Tools

    MOMCertImport /SubjectName Gateway01.Domain.Lcl

    Give it a few minutes and you should be able to see the new gateway under Management Servers in the Administration console for SCOM. Remember to right-click, properties, security and allow the server to act as a proxy if it’s reporting for other servers.

    I use the same procedure to install Agents in my DMZ that don’t have access to the certificate services – likewise our production web servers isolated in their hosting environment.

    I hope this helps you, I know this is an article that I will be referring back to time and time again!