The Operations Manager 2007 Security Guide has been released to accompany the other documentation released so far. See http://www.microsoft.com/downloads/details.aspx?FamilyID=d826b836-59e5-4628-939e-2b852ed79859&DisplayLang=en
There is an error in the Security Guide I wanted to mention which is in the process of being corrected. Unfortunately it was too late to catch before the document went live.
The error/omission is in the steps for importing the Trusted Root CA certificate, both in the section How to Obtain a Certificate Using an Enterprise CA in Operations Manager 2007 and in How to Obtain a Certificate Using a Stand-Alone CA in Operations Manager 2007. The missing step is the requirement that the Trusted Root CA certificate be copied into the Trusted Root Certification Authorities node of the Local Computer certificate store on the Agent or Gateway server. The web enrollment steps below install the CA chain only into the Current User store of the account you logged on with, but the Health Service runs as Local System and builds its certificate chain from the Local Computer store, so without this step the agent or gateway cannot validate its own certificate or its peer's. The original steps and the addition are included below.
Import the CA certificate
1. Log on to the computer where you installed a certificate (for example, Gateway Server or Management Server).
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click install this CA certificate chain.
5. On the Potential Scripting Violation dialog box, click Yes.
6. When the CA Certificate Installation page is displayed, close Internet Explorer.
The additional steps required are:
- Launch mmc.exe on the Agent or Gateway server you imported the Trusted CA certificate on.
- Add the Certificates snap-in twice, once for My user account (current user) and once for Computer account (local computer).
- In the Certificates – Current User snap-in, expand Trusted Root Certification Authorities\Certificates, locate the trusted root certificate, right-click it and select Copy.
- In the Certificates (Local Computer) snap-in, expand Trusted Root Certification Authorities\Certificates, right-click the Certificates node and select Paste. If the chain you installed in step 4 included intermediate CAs, copy those the same way into Intermediate Certification Authorities\Certificates under Local Computer, not into Trusted Root.
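The same fix done from an elevated PowerShell prompt (2.0 or later) on the agent or gateway. This is an added example, not from the Security Guide or from Microsoft: it takes the root CA that the certsrv "install this CA certificate chain" step placed in the Current User store, adds it to the Local Computer's Trusted Root store, also copies any intermediate CAs of the same chain into Local Computer\Intermediate Certification Authorities (one step beyond what the guide describes), and then checks the Local Computer store directly, which is the view the Health Service has. The root CA thumbprint in $RootThumbprint is a placeholder you must replace.

```powershell
# Added example, not from the Security Guide. Copies the root CA that the certsrv
# "install this CA certificate chain" step placed in the Current User store into
# the Local Computer store, where the Health Service (running as Local System)
# looks for trust anchors, and copies intermediates of that chain into
# LocalMachine\CA. Run elevated on the agent or gateway.
# ASSUMPTION: $RootThumbprint is your root CA's thumbprint; replace it.
$RootThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"

function Open-Store([string]$Name, [string]$Location, [string]$Mode) {
    # $Location is CurrentUser or LocalMachine; $Mode is ReadOnly or ReadWrite
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, $Location)
    $store.Open($Mode)
    return $store
}

function Find-ByThumbprint($Store, [string]$Thumbprint) {
    # Emits the matching certificates (zero or more); callers wrap in @() for a safe .Count
    $Store.Certificates.Find("FindByThumbprint", $Thumbprint, $false)
}

function Get-ChainRootThumbprint($Cert) {
    # Builds the chain offline and returns the thumbprint of its top element
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    [void]$chain.Build($Cert)
    if ($chain.ChainElements.Count -eq 0) { return $null }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

function Copy-CaChainToLocalMachine([string]$Thumbprint) {
    $thumb = ($Thumbprint -replace "\s", "").ToUpper()

    # 1. The web-enrollment page installed the chain for the *current user* only.
    $userRoot = Open-Store "Root" "CurrentUser" "ReadOnly"
    $found = @(Find-ByThumbprint $userRoot $thumb)
    $userRoot.Close()
    if ($found.Count -ne 1) { throw "Root CA $thumb is not in CurrentUser\Root; do the certsrv import first." }
    $root = $found[0]
    if ($root.Subject -ne $root.Issuer) { throw "$thumb is not self-signed, so it is not a root CA." }

    # 2. Put the root where Local System can see it (the step the Guide omits).
    $machineRoot = Open-Store "Root" "LocalMachine" "ReadWrite"
    if (@(Find-ByThumbprint $machineRoot $thumb).Count -eq 0) {
        $machineRoot.Add($root)
        Write-Host "Added $($root.Subject) to LocalMachine\Root"
    } else {
        Write-Host "Root already present in LocalMachine\Root"
    }
    $machineRoot.Close()

    # 3. Intermediates that chain to this root go to LocalMachine\CA, never Root.
    $userCA    = Open-Store "CA" "CurrentUser" "ReadOnly"
    $machineCA = Open-Store "CA" "LocalMachine" "ReadWrite"
    foreach ($ca in $userCA.Certificates) {
        if ($ca.Subject -eq $ca.Issuer) { continue }                 # self-signed: not an intermediate
        if ((Get-ChainRootThumbprint $ca) -ne $thumb) { continue }   # belongs to another hierarchy
        if (@(Find-ByThumbprint $machineCA $ca.Thumbprint).Count -eq 0) {
            $machineCA.Add($ca)
            Write-Host "Added intermediate $($ca.Subject) to LocalMachine\CA"
        }
    }
    $userCA.Close(); $machineCA.Close()
}

function Test-MachineTrust([string]$Thumbprint) {
    # What the Health Service will actually see: is the root in LocalMachine\Root?
    $thumb = ($Thumbprint -replace "\s", "").ToUpper()
    $store = Open-Store "Root" "LocalMachine" "ReadOnly"
    $present = @(Find-ByThumbprint $store $thumb).Count -eq 1
    $store.Close()
    return $present
}

Copy-CaChainToLocalMachine $RootThumbprint
if (Test-MachineTrust $RootThumbprint) { Write-Host "OK: root CA is trusted by the Local Computer store" }
else { throw "Root CA still missing from LocalMachine\Root" }
```

Opening LocalMachine\Root for ReadWrite fails with access denied from a non-elevated shell, which is the same reason the MMC paste step needs an administrator; the final Test-MachineTrust check deliberately reads only the Local Computer store rather than building a chain as the current user, since a chain built in your own session would also consult your user store and mask the very omission being fixed.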
A useful additional tip:
There are also a couple of ways to register the certificate (the one issued with both Client Authentication and Server Authentication intended purposes) for use by the Health Service on the Gateway Server or Agent. Rather than exporting the certificate as a .PFX file for use with MOMCertImport, note the certificate subject, i.e. the FQDN such as machine.domain.com, and then run MOMCertImport /SubjectName machine.domain.com from the SupportTools folder of the installation media.
This reads the certificate's serial number from the Local Computer Personal certificate store and writes it to the registry value ChannelCertificateSerialNumber under HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings. The certificate must already be in the Local Computer store (not the Current User store) together with its private key, and the Health Service must be restarted before it picks up the new value.
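An added example (not from the Security Guide or from Microsoft) of the subject-name route end to end: it first confirms that the certificate in Local Computer\Personal with that CN is the right one (private key present, both Server Authentication and Client Authentication EKUs), runs MOMCertImport /SubjectName, then reads ChannelCertificateSerialNumber back and compares it with the certificate's serial before restarting the Health Service. The registry value is REG_BINARY and, on the agents I have checked, holds the serial bytes in reverse order relative to the serial shown in the certificate dialog, so the check compares both orders and reports which one matched rather than asking you to take that on trust. $Fqdn and $ToolsDir are placeholders for your own values.

```powershell
# Added example, not from the Security Guide. Registers the agent/gateway
# certificate for the Health Service by subject name (no .pfx export), after
# checking that the certificate in LocalMachine\My is usable, then verifies that
# the serial MOMCertImport wrote to the registry is that certificate's serial.
# ASSUMPTIONS: $Fqdn is the machine FQDN used as the certificate CN, and
# MOMCertImport.exe is in $ToolsDir (SupportTools folder on the OpsMgr 2007
# media). Run elevated on the agent or gateway; PowerShell 2.0 or later.
$Fqdn     = "gateway01.contoso.com"
$ToolsDir = "D:\SupportTools\i386"
$RegKey   = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"

function Get-OpsMgrCertificate([string]$Subject) {
    # The Health Service needs a cert in the Local Computer Personal store with
    # a private key and both Server and Client Authentication intended purposes.
    $serverAuth = "1.3.6.1.5.5.7.3.1"
    $clientAuth = "1.3.6.1.5.5.7.3.2"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $hits = @()
    foreach ($c in $store.Certificates) {
        if ($c.GetNameInfo("SimpleName", $false) -ne $Subject) { continue }
        $ekus = @()
        foreach ($ext in $c.Extensions) {
            # 2.5.29.37 is the Enhanced Key Usage extension
            if ($ext.Oid.Value -eq "2.5.29.37") { $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        }
        if (($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth) -and $c.HasPrivateKey) { $hits += $c }
    }
    $store.Close()
    if ($hits.Count -ne 1) { throw "Expected exactly one usable certificate for CN=$Subject, found $($hits.Count)" }
    return $hits[0]
}

function Register-OpsMgrCertificate([string]$Subject) {
    $exe = Join-Path $ToolsDir "MOMCertImport.exe"
    & $exe /SubjectName $Subject
    if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed with exit code $LASTEXITCODE" }
}

function Test-ChannelCertificateSerial($Cert) {
    # REG_BINARY comes back as byte[]; compare against the cert serial in both
    # byte orders and report which one the value actually uses.
    $reg = (Get-ItemProperty -Path $RegKey).ChannelCertificateSerialNumber
    if ($null -eq $reg) { throw "ChannelCertificateSerialNumber not found under $RegKey" }
    $regHex  = ($reg | ForEach-Object { $_.ToString("X2") }) -join ""
    $certHex = $Cert.SerialNumber.ToUpper()
    $pairs = @()
    for ($i = 0; $i -lt $certHex.Length; $i += 2) { $pairs += $certHex.Substring($i, 2) }
    [array]::Reverse($pairs)
    $certHexReversed = $pairs -join ""
    if ($regHex -eq $certHexReversed) { return "match (stored in reverse byte order)" }
    if ($regHex -eq $certHex)         { return "match (stored in display byte order)" }
    throw "Registry serial $regHex does not match certificate serial $certHex"
}

$cert = Get-OpsMgrCertificate $Fqdn
Write-Host "Using $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
Register-OpsMgrCertificate $Fqdn
Write-Host "Registry check: $(Test-ChannelCertificateSerial $cert)"
# The Health Service reads the value at start-up only, so restart it.
Restart-Service HealthService
```

If Get-OpsMgrCertificate finds more than one candidate (for example an expired and a renewed certificate with the same CN), MOMCertImport /SubjectName picks one for you, so resolve that first by removing the stale certificate or falling back to the .PFX import of the specific one you want.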