Thursday, April 21, 2011

Using Public Certificates With SCOM Part 3

In Part 1 and Part 2 of this series, I have explained how to configure your SCOM servers to accept manual agent installations and also how to manually install these agents onto your untrusted servers and clients.

In this part of the series, I will demonstrate what is needed to create a custom Certificate Template that will be used to create the Certificate Request to the Public 3rd Party Certificate Authority (this Certificate Template could also be used for an Internal CA too) and I will also go through the process of bringing the newly issued certificate into SCOM.

Certificate Request Process for SCOM RMS / MS and Untrusted Servers / Clients

First up, logon to your SCOM server as an Administrator, open Notepad and copy the text below into a new page and save it onto the root of the C drive of the server as a .INF file named something similar to catemplate.inf

[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=YourFullComputerNameHere,OU=MyOU,O=MyOrg,L=MyCity,S=MyState,C=US"
KeySpec= 1
KeyLength = 2048
KeyUsage = 0xa0
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Exportable = TRUE
MachineKeySet = TRUE
UseExistingKeySet = FALSE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

Change my text in RED ITALICS to your actual computer name making sure that you specify the ‘Full Computer Name’ of your server or computer. This name could be simply a NETBIOS name or an FQDN.
(This is a crucial setting to note as it is going to be used again later on in determining the Certificate Subject Name.)

To get the exact full computer name of the server you are working on, follow this simple procedure:

Windows Server 2003
Click Start, Click Run, type ‘sysdm.cpl’ (without the quotations)
Go to the ‘Computer Name’ tab and take a note of the full computer name

Windows Server 2008
Click Start, Click on ‘Search Programs and Files’, type ‘sysdm.cpl’ (without the quotations)
From the ‘Computer Name’ tab, take a note of the full computer name

Now, open up a command prompt ensuring you select ‘Run As Administrator’ so you have the proper permissions to continue

Type cd\ and press ‘Enter’ to take you back to the root of the C drive


Type the following to create the certificate request using the catemplate.inf file that we created earlier:

certreq –new c:\catemplate.inf mycert.req




This will create a file on the root of your C drive called ‘mycert.req’. This file will now need to be sent to your external CA provider to create a new externally secured trusted certificate with the subject name of the certificate being the same as the ‘Full Computer Name’ of your server

Once you have the certificate back from the external CA, copy it to the root of the C drive so the certificate template, request file and issued certificate are all in the same location
(I have found that although this seems irrelevant, if these files are not in the same location, sometimes the next step doesn’t work!)

Open back up your command prompt ensuring again that you ‘Run As Administrator’

Type the following to install the certificate into the Local Computers Personal Certificate Store, substituting the certificate name below with the full name and extension of your newly issued certificate, then press ‘Enter’ to accept the certificate:

certreq -accept mynewlyissuedcertificate.cer


Now, you need to use the command prompt to browse to the ‘MOMCertImport.exe’ utility on the SCOM installation media (make sure you browse to the correct architecture folder i.e. AMD64 or i386) and using the /subjectname switch you need to specify the certificate name exactly as you see it (substituting my.fullcomputername.com in the example below) when you open up the ‘Certificates’ MMC snapin and select the ‘Local Computer’ option.

From the 'Local Computer Certificates' MMC, you need to browse to the ‘Personal\Certificates’ subfolder to see (and make a note of) the full name of the certificate that you would have imported using the certreq utility earlier.

Your command should look something similar to this:

MOMCertImport.exe /subjectname my.fullcomputername.com


Make sure that this process is repeated on all SCOM RMS/MS and untrusted server and clients.

Once the above commands have been carried out on all SCOM and untrusted servers and clients, it is a good idea to restart the Health Service on the untrusted clients first and then if needed, you will need to restart the Health Service on the SCOM RMS/MS servers too.

Restarting the Health Service will then kick-start the Agent discovery and authentication and if all is configured the way it should be, then you will see your untrusted server show up in the 'Pending Management' section of the 'Administration' tab within the SCOM Console Wunderbar.

From here and once you see your server listed, simply click on the 'Approve' option in the 'Actions' window on the right hand side to complete the final step to bring your untrusted server into your SCOM monitoring environment.


13 comments:

  1. Excellent post Kevin. Thanks for making this post easy to read for people who have not done this before.

    For the cert requests, just to make sure, I have to do the following;

    1a. Generate a cert req on all untrusted clients and on the SCOM MS (if this is the MS which will communicate with these untrusted clients).

    1b. Change each line in the catemplate.inf file;
    "CN=YourFullComputerNameHere,OU=MyOU,O=MyOrg,L=MyCity,S=MyState,C=US"
    to actually reflect each individual computer's name.
    I.e. "CN=comp01.acme.com,OU=servers,O=acme,L=Walawala,S=Washington,C=US"
    ...
    "CN=comp99,OU=servers,O=acme,L=Walawala,S=Washington,C=US"

    2. Send each of these cert reqs away to a 3rd party site and get the certs back from them.

    3. Install the certs to each of the requesting computers, i.e. certreqcomp01.req goes on comp01...certreqcomp99.req goes on comp99.

    4. Register them with MOMcertimport.exe using each comp FQDN;
    i.e. MOMCertImport.exe /subjectname my.fullcomputername.com comp01.acme.com

    5. Restart Health service and wait.

    I do not have to do any sort of cross importing of certificates to other machines involved as the certificate encrypts the communication from one comp to another using Kerberos and Public/Private key method.

    Thanks again!

    ReplyDelete
  2. Hi Phil,

    Apologies about the delay on getting back to you on your query - crazy busy at the moment!

    I will answer your queries just in case you didn't find the answer previously.

    Your Steps 1 - 5 are correct, just follow through the steps I have outlined in my posts and you won't go wrong.

    You do not have to do any cross importing of certificates to other machines involved as the scom management servers and the scom agent servers communicate directly with each other using the same two certs between them.

    A point to note though:

    As manual certificate creation is painful and time consuming, I would always recommend that if you have a large number of servers in an untrusted domain (or even 5+ servers), you are better off deploying a SCOM Gateway server in the untrusted domain and then you only have to modify the certificate on the gateway server and the scom management server once. All the other scom clients would report directly to the gateway server using standard agent deployment as in a normal installation.

    Hope this helps!

    ReplyDelete
  3. Hi Kevin,
    Thanks for this wonderful post. I have a challenge in configuring the monitoring of our TMG server. Checking the OpsMgr event, i see only one error which the certificates cannot mutually authenticate as they in the untrusted domain. I have 1 RMS and no gateway implemetation as there are only a couple of server in the DMZ. the tcp ports 5723 is already open from the TMG to the RMS, I know because I can telnet from it. My question is, from RMS to the TMG, what ports should be open? I cannot PING nor run, nbtstat the TMG from my RMS. Hope you could enlighten me.

    Thank you.

    Anon

    ReplyDelete
  4. HI there,thanks for the comments!

    I would say your problem lies with the name of either the certificate or the actual server name itself.

    If you are using an FQDN for the subjectname on the certificate and you have specified the FQDN of your SCOM management server when manually installing the agent on the TMG server, then double check that the TMG server is not using a NETBIOS name instead - i.e. if it's in a workgroup you wont have an FQDN, just a single NETBIOS name.

    Kevin

    ReplyDelete
  5. Hi Kevin,

    Nice blog! Although it is a very difficult thing to understand, you make it pretty clear, and understandable.
    There is only one thing I can't seem to understand.

    I have installed a gateway, requested a certificate at a third-party CA and managed to accept the certificate.pem file at the gateway.
    Also the MOMCertImport worked fine.

    Now, when I try to do exactly the same thing at the RMS, I get an error when trying to "certreq -accept".
    The erros is: Cannot find object or property.
    What I did, is copy the three "certificate-files" from the gateway to the RMS and tried to take the same steps as on the Gateway-server.

    What am I doing wrong? Any suggestions?

    Thanks in advance!

    Erik.

    ReplyDelete
  6. Hi Erik,

    Thanks for the comments!

    In relation to the RMS not accepting the certificate from the 3rd party CA, it is worth noting that the 'certreq- accept' option will only work if you have created an associated certificate request from the RMS that can then have a certificate generated by the CA and ultimately accepted again on the same server.

    Hope this helps!

    ReplyDelete
  7. Kevin, just stumbled across great post while trying to do this using an external authority. What I just want to confirm if possible.. Do you create an INF on both the MS AND the gateway and put the unique FDQN of that server in and therefore submit TWO (REQ) requests to the external authority or just one that contains the name of the MS?

    ReplyDelete
    Replies
    1. Hi Jarv,

      Just one that contains the name of the MS is all that's required. Treat the Gateway server as a single untrusted agent if you like. Same process.

      Kevin.

      Delete
    2. Thanks Kevin. Not being a certificate guru could you explain why if I am using an internal CA I have to create two certificates (one request from the MS and one from the gateway) that do contain the unique FDQN of the MS AND gateway in the request but only one when using an external CA?

      Delete
  8. Hi Kevin:

    If I need to renew the public-certificate, is there easy way of doing this without redoing the whole thing? Thx.

    ReplyDelete
    Replies
    1. Hi there,

      As the new certificate has a new thumbnail value associated with it, you must unfortunately go through these steps again each time. I'd recommend that if you're manually authenticating a large number of untrusted devices with certificates, then you should deploy a SCOM Gateway server to manage them all as this means you'll only have to carry out the update process once.

      HTH!

      Kevin.

      Delete
  9. Good day Guys,

    I have a 2 different domains with no trust.

    I have installed the Gateway on the other domain and I am trying to get it to authenticate to the main domain that has Ops-Mgr Infrastructure.

    Since the client dose not have the CA internally I created the cert request inf file and sent them the provider, which thy signed brought back.
    However when I try to run the accept command I get the following error.

    I accepted it on the same SCOM RMS Emulator where I had initially did my request.

    Cannot find object or property.

    Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628)"

    I have goggled this error and it mostly point to the request not having the export private key option enabled.

    Has any one came across this issue?
    On the inf file, is there more I can do to get the private key to be exportable?
    Is there a way to get the the Certificate Vendor - to allow this Export private key option to be opened.

    I ran this command: and could not get any results.

    dir cert:\currentuser\my | Where-Object { $_.hasPrivateKey }


    it then made me suspect that the problem is still with the private key being exportable , but I am not sure with this.

    Please assist me with this, been stuck for 3 weeks now.

    Thanks



    ReplyDelete
  10. Good day Guys,

    I have a 2 different domains with no trust.

    I have installed the Gateway on the other domain and I am trying to get it to authenticate to the main domain that has Ops-Mgr Infrastructure.

    Since the client dose not have the CA internally I created the cert request inf file and sent them the provider, which thy signed brought back.
    However when I try to run the accept command I get the following error.

    I accepted it on the same SCOM RMS Emulator where I had initially did my request.

    Cannot find object or property.

    Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628)"

    I have goggled this error and it mostly point to the request not having the export private key option enabled.

    Has any one came across this issue?
    On the inf file, is there more I can do to get the private key to be exportable?
    Is there a way to get the the Certificate Vendor - to allow this Export private key option to be opened.

    I ran this command: and could not get any results.

    dir cert:\currentuser\my | Where-Object { $_.hasPrivateKey }


    it then made me suspect that the problem is still with the private key being exportable , but I am not sure with this.

    Please assist me with this, been stuck for 3 weeks now.

    Thanks

    ReplyDelete