You can do it the easy way by deploying a gateway server on the untrusted domain, but then again you can always spend hours trying to manage certificates between individual agent machines and your RMS. The following scenario is if you wish to deploy certificates using standalone CA, so that your AD schema is left untouched. So it can also be used if you wish to monitor your clients servers and donot have access to their AD.
Prereq:
1. You have a CA authority that can issue you a standalone CA. If you donot have one, please create one using the following link:
http://technet2.microsoft.com/windowsserver/en/library/36d03e33-c9e8-4eca-b948-addab1e22c531033.mspx?mfr=true
2. Gateway Server can telnet into RMS server on port 5723
3. Both servers can resolve each other names, if not place an entry in the hosts file.
1) Install root CA
i)From the RMS open the certificate authority (see prereq 1)http://certificateserver/certsrv
ii)Click the Download a CA certificate, certificate chain, or CRL link.
iii)Click the Download CA certificate chain link.
iv) Save certnew.p7b locally
v) open mmc
vi) Once the MMC console is opened, click Add/Remove Snap-In, click Add, and then click on Certificates located in available Standalone Snap-ins.
vii) Click Computer account-> next
viii) Click Finish->Close
ix) Navigate to Trusted Root Certificate Authorities->Certificates
x) Click Import and point to certnew.p7b from step iv)
Repeat the same steps for Gateway Server
2)Install Client and Server certificates
i) From the RMS open the certificate authority (see prereq 1)http://certificateserver/certsrv
ii) Click the Request a Certificate link.
iii) Click the advanced certificate request link.
iv) Click Create and Submit a request to this CA link.
v) In the Name field, enter the FQDN of RMS.
vi) In the Type of Certificate Needed field, select Other.
vii) In the OID field, enter the following: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
viii) Click the Mark keys as exportable check box.
ix) Click the Store certificate in the local computer certificate store check box.
x) Click Submit
xi) Since we are installing standalone CA certificates, log back to certificate server.
xii) in Certificate Authority, browse to Pending Request folder, and approve the requested certificate.
xiii) From the RMS open the certificate authority (see prereq 1)http://certificateserver/certsrv
xiv) Click view status of pending request. Click on the certificate and install it.
Repeat for gateway Server
3.Tell SCOM to use certif on RMS
i) open mmc
ii) Once the MMC console is opened, click Add/Remove Snap-In, click Add, and then click on Certificates located in available Standalone Snap-ins.
iii) Click Computer account-> next
iv) Click Finish->Close
v) In the Certificate Tree on the left hand side, click Personal and the click Certificates.
vi) Right click on the certificate and Export
vii) Export with "Yes, export the private key", and select "Personal Information Exchange – PKCS #12" format.
viii) Save it locally as cert.pfx (give it a password if it asks for one)
ix) open cmd
x) browse to the directory containing momcertimport.exe
xi) type the command momcertimport.exe "certpath", where certpath is where cert.pfx was stored in step
xii). type the password entered in the previous step
xiii) Restart the health service
4. Approve the Gateway Server
i) Open cmd
ii)Browse to folder containing the gateway approval tool GatewayApprovalTool.exe
iii) run the following command:
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=scomsvr02.fightclub.local /GatewayName=scomsvr01.untrusted.local /Action=Create
5.Install gateway Server
i) To start the install process for the Operations Manager 2007 Gateway Service, run MOMGateway.msi in the \Gateway\i386 folder of the OpsMgr2007 distribution on the gateway server.
ii) Enter the Management Group Name, Management Server, and Management Server Port.
iii) Enter the gateway Action Account, best to keep a local untrusted domain account especially for this purpose. This account should have local administration rights on the Gateway Server.
6.Import Certificate on the gateway Server
i) open mmc
ii) Once the MMC console is opened, click Add/Remove Snap-In, click Add, and then click on Certificates located in available Standalone Snap-ins.
iii) Click Computer account-> next
iv) Click Finish->Close
v) In the Certificate Tree on the left hand side, click Personal and the click Certificates.
vi) Right click on the certificate and Export
vii) Export with "Yes, export the private key", and select "Personal Information Exchange – PKCS #12" format.
viii) Save it locally as cert.pfx (give it a password if it asks for one)
ix) open cmd
x) browse to the directory containing momcertimport.exe
xi) type the command momcertimport.exe "certpath", where certpath is where cert.pfx was stored in step
xii). type the password entered in the previous step
xiii) Restart the health service
Thats it, all done. Check the health on the RMS console (it takes a while for it to show as healthy). If it does not check event log on Gateway Server and RMS Server
Unquoted – Combining vuln data with processes
10 months ago
No comments:
Post a Comment