Introduction

System Center Operations Manager 2007 uses mutual authentication to communication with the agents. First the agent will try to communicate with Kerberos and when this is not possible certificates will be used for the secure communication.  If you happen to have agents that lie outside of your domain, such as in a DMZ, you’ll want to use certificates for agent to server communication

In order to configure certificates for this communication you will need to complete the steps below:

1. Importing Trusted Root certificate - all servers
2. Creating and installing Server (Client, Server) Certificates - OpsMgr servers
3. Creating and installing Server (Client, Server) Certificates – Workgroup and/or DMZ servers
4. Export the Server (Client, Server) Certificate
5. Allow manual agent installation.
6. Manual OpsMgr 2007 agent installation
7. Running MOMcertimport on the servers - all servers
8. Approve agent
9. Create Run As Account
10. Change default Action Account Run As profile

Additional steps:

1. Issue new certificates from the Standalone Root CA

On all servers (RMS, Management server and all Workgroup servers):

1. Logon to the Root Management Server with administrative privileges and navigate to the certificate server web site with http://standaloneCAroot/cersrv
2. Click on “Download a CA certificate, certificate chain or CRL”
3. Click on “Download Ca certificate chain”
4. Save the “certnew.p7b” to the “c:\” (or some place you want)
5. Click start run “MMC” and from the file menu “Add/remove Snap-in..” select
   1. Click “Add”
   2. Select “Certificates”
   3. Click “Add”
   4. Select “Computer account”
   5. Click “Next”
   6. Select “local computer”
   7. Click “Finish”
6. Click “Close” and “Ok” to access the Certificates console.
7. Navigate to the folder “Trusted Root Certification Authorities”
8. Right kill the “Certificates” folder and select “All Tasks” and “Import”
   1. In the wizard kill “Next”
   2. Click “Browse” and browse to the “certnew.p7b” on the “c:\” (or some place you put it)
   3. Click “Next”
   4. Select “Place all certificates in the following store” and make sure the Certificate store is “Root Certification Authorities” and kill “Next”
   5. Click “Finish” to complete the import.
9. Delete the “certnew.p7b”
10. The import of the trusted root certificate is finished

For the root management server(RMS) and management server(MS):

1. Logon to the Root Management Server with administrative privileges and navigate to the certificate CA server web site with http://standaloneCAroot/cersrv
2. Click “Request a certificate”
3. Click “advanced certificate request”
4. Click “Create and submit a request to this CA”
5. Use the following for the certification request:
   1. Name: Managementserver.domain.com
   2. Type: Other
   3. OID: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
   4. Select: Mark key as exportable
   5. Select: Store certificate in the local computer certificate store
   6. Friendly name: Managementserver.domain.com
   7. Click “Submit”
   8. Close Internet explorer
6. Let the certificate be issued on the Standalone Root CA (see how to: 1. Issue new certificates from the Standalone Root CA).
7. Navigate to http://standaloneCAroot/cersrv
8. Click “View status of a pending certificate request”
9. Click the Issued certificate
10. Install the issued certificate

3. Creating an installing Server (Client, Server) Certificates

For workgroup and/or DMZ server:

1. Logon to the workgroup server with administrative privileges and navigate to the certificate CA server web site with http://servername/certsrv
2. Click “Request a certificate”
3. Click “advanced certificate request”
4. Click “Create and submit a request to this CA”
5. Use the following for the certification request:
   1. Name: Server name
   2. Type: Other
   3. OID: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
   4. Select: Mark key as exportable
   5. Select: Store certificate in the local computer certificate store
   6. Friendly name: Server name
6. Let the certificate be issued on the Standalone Root CA (see how to issue a certificate from a standalone Root CA).
7. Navigate to http://standaloneCAroot/cersrv
8. Click “View status of a pending certificate request”
9. Click the Issued certificate
10. Install the issued certificate

This must be done on all Workgroup/DMZ servers, root management server(RMS) and management servers (MS):

1. Logon to the Server with administrative privileges
2. Click “Start => Run” “MMC” and from the file menu “Add/remove Snap-in..” select
   1. Click “Add”
   2. Select “Certificates”
   3. Click “Add”
   4. Select “Computer account”
   5. Click “Next”
   6. Select “local computer”
   7. Click “Finish”
3. Click “Close” and “Ok” to access the Certificates console.
4. Navigate to the folder “Certificates (Local Computer)\personal\Certificates”
5. Select the new installed Client, Server certificate and right kill “All tasks => Export”
   1. In the new wizard kill “Next”
   2. Select “Yes , Export the private key”
   3. Click “Next”
   4. Select “Personal Information Exchange – PKCS #12 Certificates (PFX)”
   5. Select “Enable Strong protection (requires IE5.0, NT4 SP4 or above)”
   6. Click “Next”
   7. Type a password for the certificate twice and kill “Next”
   8. Select “Browse” c:\serverFQDN.pfx”
   9. Click “Next”
   10. Check the export information and if correct kill “Finish”
   11. Click “OK” to finish the export
6. Close the MMC

Before the first manual agent installation, the global setting must be changed from reject to “Review new manual agent installation in pending management view” in the operations console of OpsMgr 2007:

1. Open a Operations Console with OpsMgr administrative privileges
2. Navigate to “Administration => Settings => Server”
3. In the right pane click “Security”
4. On the “General” tab select “Review new manual agent installation in pending management view”
5. Click “OK” to finish

6. Manual OpsMgr 2007 agent installation

On the workgroup and/or DMZ servers:

1. Logon to the Server with administrative privileges
2. On the Operations Manager 2007 installation media, double-click the SetupOM.exe file.
3. On the Start page, select Install Operations Manager 2007 Agent.
4. On the Welcome page, click “Next”.
5. On the Destination Folder page leave the installation folder set to the default click “Next”.
6. On the Management Group Configuration page leave the Specify Management Group information check box selected, and then click “Next”.
7. On the Management Group Configuration page, do the following:
   1. Type the Management Group Name
   2. Type the Management Server name.
   3. Leave the default 5273.
   4. Click Next.
8. When the Agent Action Account page displays leave it set to the default of Local System and then click Next.
9. On the Ready to Install page, review the settings and then click Install to display the Installing Systems Center Operations Manager Agent page.
10. When the Completing the Systems Center Operations Manager Agent Setup Wizard page displays, click Finish.

7. Running MOMcertimport.exe on the servers.

This must be done on all servers.  Also make sure the exe which you use is of the same version (for 32-bit and 64 bit we have separate exe’s) and also make sure the files from the same version dump of the SCOM server \ agent you are running on the system):

1. On the start menu kill “Start” and “Run”
2. Type “cmd”
3. Navigate to > cd “program files\System Center Operations Manager 2007\Supportools\i386”
4. Type >MOMcertimport.exe “c\:servername.domain.com.pfx” or “c:\servername.pfx”
5. Type the asked password for the certificate import and press “Enter”.
6. The certificate is now imported in OpsMgr 2007.
7. Restart the “OpsMgr Health Service” on the server.

In the System Center Operations Manager Console, after every manual agent installation the new agent must be approved in the operations Console of OpsMgr 2007:

1. Open the Operations console as an OpsMgr Admin member.
2. Navigate to “Administration => Pending Management”
3. Right-click “Approve”
4. Click “Approve”

To check if the agent is successfully approved look in the “Agent Managed” folder for the approved agent to see if the agent is there.

In the System Center Operations Manager Console:

1. Open a Operations Console with OpsMgr administrative privileges
2. Navigate to “Administration => Security => Run As Account”
3. Right-click “Run As Account” and select create run as account
4. In the Create Run As Account Wizard click “Next”.
5. Select “Action account” in the Run As Account type list
6. Type a display name in the Display Name text box
7. Click Next
8. On the Account page, type:
   1. Server name\username
   2. Password
   3. The domain should be grayed out (Local machine account).
9. Click Create to finish
10. Change default Action Account Run As profile

In the System Center Operations Manager Console:

1. Open a Operations Console with OpsMgr administrative privileges
2. Navigate to “Administration => Security => Run As Profiles”
3. In the right pane double click the “Default Action Account”
4. Click on the “Run As Account” tab
5. Select “Run As Account: “dropdown menu and select the workgroup server local account
6. Click “OK” and click “OK

That should be it, but in case you need more information please see Authentication and Data Encryption for Windows Computers in Operations Manager 2007.

Note: This information was originally contributed by Sudheesh Narayanaswamy, Operations Manager Support Engineer, on the Operations Manager Support Team blog:

http://blogs.technet.com/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx