In order to monitor servers not in a trusted domain, System Center Operations Manager uses certificates to authenticate agent communication. Therefore, you'll need a certificate authority server to submit the certificate request and then download the certificate. You can use either a domain Certificate Authority (CA) server or a standalone CA if your environment already has that in place. I used a standalone.
Requirements
Certificate Authority Server
Port 5723 open from Server01 to the Management Server
- Create the request *.inf file.
- From the command prompt (server01) create the request file. *Must be done on the computer the certificate is for
certreq -new -f server01.inf server01.req
- Copy the request file to the CA server and submit the request file
certreq -submit -f server01.req
- Click OK to the dialogue box that pops up.
- Take note of the RequestId
- On the CA Server - launch the Certificate Authority MMC (certsrv.msc)
- Select Pending Requests, right-click the certificate request with the RequestId from the previous step, and select All Tasks - Issue
- Retrieve the certificate (CA Server). The 4 in the command below is the RequestId noted earlier
certreq -retrieve -f 4 server01.cer
- Click OK
- Copy the certificate file (server01.cer) to the server you are installing the agent on (server01)
- On Server01 - Install the certificate in the Local Computer - Personal Certificate store
- On Server01 - Export the certificate you just imported with the Private Key (server01-exported.pfx)
- Retrieve the CA certificate - This certificate will need to be installed in the Trusted Root Certification Authorities store on the Agent computer (server01)
- On the CA Server navigate to http://localhost/certsrv/
- Click on Download a CA certificate, certificate chain, or CRL
- Click on Download CA certificate
- Save this file (cacert.cer) and copy it over to the server the agent will be installed on (server01)
- On Server01 - Install the CA Certificate in the Trusted Root Certification Authorities
- Launch an MMC console and add the Certificates snap-in for the local computer
- Right-click the Certificates folder under Trusted Root Certification Authorities and select All Tasks -> Import
- Browse to the CA certificate saved from the previous step (cacert.cer)
- Click on Next, Next, and Finish
- Install the System Center Operations Manager Agent
- The files can be found in the AgentManagement folder:
C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\AgentManagement\
64 bit agent - amd64 folder
32 bit agent - x86 folder
- Run the MOMCertImport.exe to import the certificate from step 7
MOMCertImport.exe server01-exported.pfx
- Enter the password set from step 7
- If you're updating the certificate run the remove command first
MOMCertImport.exe /Remove
- Restart the Microsoft Monitoring Agent service
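
A check to run on server01 once the steps above are done, added here as an example and not part of the original post. It confirms that the agent certificate in the Local Computer Personal store has a private key, carries the Server Authentication and Client Authentication EKUs that Operations Manager requires, chains to the imported CA certificate, and that port 5723 is reachable. The management server name `ms01.example.com` and the variable names are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on server01.
# Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later.
$ManagementServer = 'ms01.example.com'                      # placeholder (assumption)
$AgentName = [System.Net.Dns]::GetHostEntry('').HostName    # name expected in the certificate subject

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Certificates in Local Computer\Personal whose subject CN matches this computer
$pattern = 'CN=' + [regex]::Escape($AgentName) + '(,|$)'
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })
if ($certs.Count -eq 0) { Write-Warning "No certificate with CN=$AgentName in LocalMachine\My" }

foreach ($cert in $certs) {
    # Collect the EKU OIDs from the certificate's extensions
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain against the local stores. Revocation checking is skipped because
    # the standalone CA's CRL location may not be reachable from this host (assumption).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $ekus -contains $serverAuth
        ClientAuthEku = $ekus -contains $clientAuth
        ChainsToRoot  = $trusted
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Port 5723 must be reachable from the agent to the management server
$tcp = Test-NetConnection -ComputerName $ManagementServer -Port 5723
"Port 5723 to ${ManagementServer}: $($tcp.TcpTestSucceeded)"
```

Every boolean column should read True for the certificate you imported. After MOMCertImport.exe has succeeded, delete server01-exported.pfx or move it to protected storage, since it contains the private key.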