Certificate-based agents are a no-brainer? Better think again

MOM, OpsMgr

UPDATED! 

The following are the steps we took today to implement certificate-based management of OpsMgr 2007 agents in a workgroup environment for a hosted datacenter customer: 

Start 4:20PM

  • Install MS-XML 6.0 on the target agent, as it is a requirement for the installation and may not be present on your intended agents. Also, on some systems we found that WMI was not installed, which later broke some of the discovery methods used by some management packs.

  • Update hosts file on the agent with the target management server address

  • Update the hosts file on the management server with the agent server name

  • Install the agent using the MSI file through a network share

  • Import the certificate (PFX) of the CA that will issue the agent certificate into the Trusted Root Certification Authorities node of the Certificates (Local Computer) MMC console on the agent.

  • Submit a certificate request to the stand-alone certificate authority (CA) from the target agent by connecting to http://<servername>/certsrv

  • From the Certification Authority MMC snap-in, issue the requested certificate for the target agent

  • Install the issued certificate on the target agent by reconnecting to the CA website and clicking the link to view the status of a pending certificate request. From there, select the pending certificate and choose the option to install the certificate.

  • From the target agent, export the agent certificate using the Certificates MMC snap-in

  • Import the agent certificate by running MOMCertImport.exe on the agent. This places the certificate in the Operations Manager container so the Health Service can use it.

  • Restart OpsMgr Health Service on the target agent

  • Verify OpsMgr recognizes the agent in the Operations Console
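As an added example (not part of the original post), the following PowerShell pre-flight check is meant to run on the agent between the MOMCertImport step and the Health Service restart. It confirms that the management server name resolves (the hosts-file step), that a certificate issued to the agent's FQDN with a private key and both the Server Authentication and Client Authentication EKUs is present in the Local Computer personal store, and that its chain builds to a trusted root. The management server name is a placeholder, and the store locations are assumptions about where the steps above leave the certificates.

```powershell
# Added pre-flight check for an OpsMgr 2007 workgroup agent (not the post's own script).
# Assumptions: agent cert in Cert:\LocalMachine\My with subject CN = agent FQDN,
# issuing CA's certificate in Cert:\LocalMachine\Root.
param(
    [string]$AgentFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ManagementServer = 'opsmgr-ms.example.local'   # placeholder, set per site
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$problems = @()

# Name resolution: the hosts-file entry for the management server must resolve
try { $null = [System.Net.Dns]::GetHostAddresses($ManagementServer) }
catch { $problems += "Management server '$ManagementServer' does not resolve; check the hosts file." }

# Candidate agent certificates: issued to this machine's FQDN and backed by a private key
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($AgentFqdn))(,|$)" -and $_.HasPrivateKey }

if (-not $candidates) {
    $problems += "No certificate with subject CN=$AgentFqdn and a private key in LocalMachine\My."
}

foreach ($cert in $candidates) {
    # Both EKUs are required for mutual authentication with the management server
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -notcontains $serverAuth -or $ekus -notcontains $clientAuth) {
        $problems += "$($cert.Thumbprint): needs both Server and Client Authentication EKUs."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "$($cert.Thumbprint): expires $($cert.NotAfter); renew before it lapses."
    }
    # Trust path only: the chain must end at a root in the local Trusted Root store.
    # Revocation is not checked here, since a workgroup host often cannot reach the CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += "$($cert.Thumbprint): chain does not build; import the CA certificate into Trusted Root."
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Agent certificate prerequisites look good for $AgentFqdn."
```

A non-zero exit means fix the reported item before restarting the Health Service, which saves a failed-handshake round trip per agent.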

Stop 4:41

As you can see, it took over 20 minutes to fully configure a single agent for mutually authenticated certificate-based management. While that is not a long time for one agent, multiply it by several hundred and you’re now talking a couple of weeks just to deploy agents. While I’m grateful that we have a workable means of managing these disjoint environments, I’m not very pleased with the number of steps required to get to a ready state. Needless to say, I’m anxiously waiting to see what Certificate Lifecycle Manager will do to help in this regard.
