SCOM 1807 - Certificate Mutual Authentication

  • Question

  • Hi,

    Setup Description.

    2x MS within All Management servers resource Pool - with certificates for Windows agents and setup as primary and fail over for all windows agents. 

    2x MS in a separate Resource pool for Linux monitoring

    1x MS in a separate Resource Pool for Web Application Monitoring. 

    I am in the process of changing the CA currently used for SCOM to another one. My plan was to have the certificate on one of the 2x MS servers changed and migrate all agents, and once done, replace the certificate for the other MS.

    The problem I faced was that during testing, I issued a certificate from the new CA to the MS serving the Web Application Monitoring, and as soon as I imported it with momcertimport the resource pools served by that MS went unavailable, and all websites went grey. All returned to normal as soon as I removed the cert.

    I am still unaware of what might have caused such behavior, but I think it might be that the MS is not within the All Management Servers resource pool. Any ideas?

    Wednesday, October 16, 2019 8:05 AM

All replies

  • Hi,

    For mutual certificate authentication, certificates are present on both ends of the communications channel. Could you confirm whether the other end had a certificate before? If yes, we need to request and import new certificates for them as well.

    Meanwhile, please check the Event Log to see if there's any error for our issue.

    If there's any update, please let us know.

     

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 17, 2019 1:49 AM
  • Hi,

    Whether the agent has a certificate or not is irrelevant at this point, since importing a new cert to the MS made the MS unresponsive and all resources polled by it went grey. In my case I was using an MS responsible for the web application monitoring.

    I could not capture a specific event log entry which might shed light on the matter, although a large number were triggered.

    Something abnormal happened.

    Thanks

    Thursday, October 17, 2019 1:54 PM
  • Seems that through the documentation (below) I am able to determine what went wrong. Since I had 3x MS with certificates imported, 2x with the old CA and 1x with the new CA, communication between them could not be performed since the certificates are not from the same CA.

    "Between Management Servers, Communication begins with mutual authentication. If certificates are present on both ends of the communications channel, then certificates will be used for mutual authentication; otherwise, the Kerberos version 5 protocol is used."

    If that's the culprit, I need to find a way to migrate all agents towards the new CA, without any disruption.

    Thursday, October 17, 2019 2:28 PM
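The inter-server mutual authentication the documentation quote above describes only works when every management server's channel certificate chains to the same CA. As an added example (not from this thread and not Microsoft's code), the following PowerShell pre-check lists, on each management server, the certificates that are even eligible as a SCOM channel certificate (private key plus both the Server Authentication and Client Authentication EKUs) and warns when the servers do not all share one issuer. Server names are placeholders; it assumes WinRM access to the servers and that the certificate sits in the LocalMachine\My store.

```powershell
# Added example (not from the thread): list the candidate SCOM channel certificates
# on every management server and flag when they do not all come from the same CA.
# Assumptions: WinRM access to the servers, the certificate sits in the
# LocalMachine\My store, and the server names are placeholders.
$ManagementServers = @('MS01.contoso.local', 'MS02.contoso.local', 'MS03.contoso.local')

# A SCOM channel certificate needs both of these EKUs.
$RequiredEkus = @('1.3.6.1.5.5.7.3.1',   # Server Authentication
                  '1.3.6.1.5.5.7.3.2')   # Client Authentication

$report = Invoke-Command -ComputerName $ManagementServers -ArgumentList (,$RequiredEkus) -ScriptBlock {
    param([string[]] $RequiredEkus)
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $missing = @($RequiredEkus | Where-Object { $ekus -notcontains $_ })
        # Only certificates with a private key and both EKUs can serve as the channel cert.
        if ($cert.HasPrivateKey -and $missing.Count -eq 0) {
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$report | Sort-Object Server, NotAfter | Format-Table Server, Subject, Issuer, NotAfter -AutoSize

# Group by issuer: more than one group means at least one server will not be able
# to mutually authenticate with the others once its certificate is bound.
$byIssuer = @($report | Group-Object -Property Issuer)
if ($byIssuer.Count -gt 1) {
    $msg = "Certificates from $($byIssuer.Count) different issuers found; management servers that " +
           "authenticate each other with certificates must all use the same CA:"
    Write-Warning $msg
    foreach ($g in $byIssuer) {
        "  {0}`n    on: {1}" -f $g.Name, (($g.Group.Server | Sort-Object -Unique) -join ', ')
    }
} elseif ($byIssuer.Count -eq 1) {
    "All listed management servers hold channel-capable certificates issued by: $($byIssuer[0].Name)"
} else {
    Write-Warning 'No certificate with a private key and both required EKUs was found on any listed server.'
}
```

A server that has both the old and the new certificate installed shows up under both issuers; which of them momcertimport actually bound has to be confirmed on that server, so treat the warning as a prompt to check before the import, not as proof of the binding.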
  • Hi,

    I think we can reduce the downtime by importing the certificates in a batch by using GPO or script. Or schedule a non-business time to do the migration operation.

    Hope it can help.

     

    Best regards.

    Crystal


    Friday, October 18, 2019 2:32 AM

  • The problem is that you cannot have 2x MS with a different CA, because communication between the actual MSs will be lost. In my case I have 2x MS with certificates for quite a number of agents, and having a GW is not an option as it would not be feasible. Changing the certs on all agents would take quite a while, as GPOs and scripts are not an option. I was more willing to take a phased approach, so that not all certs end up expiring on the same day either.
    Friday, October 18, 2019 12:19 PM
  • Hi,

    From our phenomenon, it seems we need to change the certificates for all three MSs at the same time to avoid the communication issue between them.

    Before doing this, one thing needs to be double-confirmed. Was the MS on which we replaced the new certificate in a separate resource pool but in the same management group as the other MSs? Is all the web application monitoring on agents which are in a workgroup?

    Thanks for your confirmation.

     

    Best regards.

    Crystal


    Monday, October 21, 2019 7:00 AM
  • Hi,

    The problem with changing certs on all MSs is that all agents which currently communicate with SCOM through CA certificates will fail to communicate until the certs have been updated.

    As per design I have 2x MS with certs for all Windows agents, in the All Management Servers resource pool.

    The other MS I tested the new cert on is in a different resource pool and used for polling website availability.

    Monday, October 21, 2019 12:06 PM
  • Hi,

    Thanks for your information.

    We need to do one test: if we replace the certificate for the MS in the Resource Pool for Web Application Monitoring and for one web application server at the same time, will this agent be monitored successfully? Will other agents or MSs in other resource pools be affected?

     

    Best regards.

    Crystal


    Tuesday, October 22, 2019 7:33 AM
  • Hi,

    I have imported a new cert on the 1x MS in the Resource Pool for Web Application Monitoring, and immediately lost communication with the other management servers, and the MS was reported as grey.

    Tuesday, October 22, 2019 11:26 AM
  • Hi,

    Just want to confirm if only one MS is affected. Check Event Viewer -> Applications and Services Logs -> Operations Manager for the time when we imported the certificate to see what error we get. We can filter the log by choosing "Filter Current Log" on the right pane.

    Best regards.

    Crystal


    Wednesday, October 23, 2019 7:02 AM
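To turn the event-log check suggested above into something repeatable, here is an added PowerShell example (not from the thread and not Microsoft's code) that pulls the errors and warnings the Operations Manager log recorded on one management server in the window after the import and summarises them by event ID, so the component that broke stands out without scrolling through hundreds of entries. The server name and import time are placeholders.

```powershell
# Added example (not from the thread): summarise the errors and warnings the
# Operations Manager event log recorded on a management server in the window
# after a certificate import. Server name and import time are placeholders.
function Get-OpsMgrEventSummary {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [datetime] $Since,
        [int] $WindowMinutes = 30
    )
    $filter = @{
        LogName   = 'Operations Manager'   # Applications and Services Logs -> Operations Manager
        Level     = @(2, 3)                # 2 = Error, 3 = Warning
        StartTime = $Since
        EndTime   = $Since.AddMinutes($WindowMinutes)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Host "No errors or warnings on $ComputerName between $Since and $($filter.EndTime)."
        return
    }
    # One row per event ID: how often it fired, which source raised it, when it first
    # appeared, and the first line of its message.
    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending | ForEach-Object {
        $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
        [pscustomobject]@{
            Id        = [int]$_.Name
            Count     = $_.Count
            Level     = $first.LevelDisplayName
            Source    = $first.ProviderName
            FirstSeen = $first.TimeCreated
            Message   = ($first.Message -split "`r?`n")[0]
        }
    }
}

# Usage: the time the certificate was imported with momcertimport (placeholder value).
Get-OpsMgrEventSummary -ComputerName 'MS03.contoso.local' -Since (Get-Date '2019-10-22 11:00') |
    Format-Table Id, Count, Level, Source, FirstSeen, Message -AutoSize -Wrap
```

Run it once for the window after the import and once for a quiet window before it; the IDs that appear only in the first run are the ones worth reading in full in Event Viewer.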
  • Hi,

    The only MS which was affected was the one which I imported the new cert on. It's like it lost connectivity to the rest of the MSs. Then I read in the documentation that if management servers have a cert imported, communication would be through certs, and in my case, since the cert on this MS is not from the same CA, communication was lost.

    I need a way to migrate to the new CA in a phased approach. I have around 200 agents which communicate with certs. If I update the certs on the management servers I will lose communication with all 200.

    Wednesday, October 23, 2019 8:13 AM
  • Hi,

    Totally understand your feeling. If the MS communication will be affected after importing the new certificate, based on my experience, for SCOM, downtime is needed when migrating to a new CA.

    How about adjusting the order in which the certificates are changed on the MSs? We can first update the MS certificate in the All Management Servers resource pool. Before doing this, change all the agents' primary management server to one MS and update the other MS's certificate. After the MS is updated successfully, update the agents' certificates. Then the other MS certificate in the resource pool. Next, we can do the same on the MS in the resource pool that monitors Linux. At last, we do it on the MS in the resource pool for Web Application Monitoring.

    If it is still unacceptable, as another option, you can contact our Premier support to see if we can get more help.

    Thanks and have a nice day.

     

    Best regards.

    Crystal


    Thursday, October 24, 2019 5:02 AM
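The first step of the order proposed above, moving every agent's primary management server onto one MS before the other one is re-certified, can be scripted from the management group with the OperationsManager module. The following is an added example, not the thread's or Microsoft's code: the server names are placeholders, and it assumes that passing $null to the -FailoverServer parameter of Set-SCOMParentManagementServer clears the agents' failover list.

```powershell
# Added example (not from the thread): point every agent parented to the two servers in
# the All Management Servers pool at one of them, and clear the failover list, so the
# other server carries no agents while its certificate is replaced.
# Assumptions: OperationsManager module available; server names are placeholders;
# -FailoverServer $null clears the failover list.
Import-Module OperationsManager

$KeepServerName  = 'MS01.contoso.local'   # keeps its current certificate for now; all agents move here
$DrainServerName = 'MS02.contoso.local'   # receives the new-CA certificate first

$keep  = Get-SCOMManagementServer -Name $KeepServerName
$drain = Get-SCOMManagementServer -Name $DrainServerName
if (-not $keep -or -not $drain) { throw 'Could not resolve both management servers in this management group.' }

# The two servers act as primary/failover for each other's agents, so take every agent
# parented to either of them: all of them must stop referencing the drained server.
$agents = @(Get-SCOMAgent | Where-Object {
    $_.PrimaryManagementServerName -ieq $KeepServerName -or
    $_.PrimaryManagementServerName -ieq $DrainServerName
})
"{0} agent(s) parented to {1} or {2}." -f $agents.Count, $KeepServerName, $DrainServerName

if ($agents.Count -gt 0) {
    # New primary for all of them, then drop the failover entry so nobody fails back
    # onto the drained server mid-change.
    Set-SCOMParentManagementServer -Agent $agents -PrimaryServer $keep
    Set-SCOMParentManagementServer -Agent $agents -FailoverServer $null
}

# Verify before touching the certificate: nothing should still list the drained server as primary.
$left = @(Get-SCOMAgent | Where-Object { $_.PrimaryManagementServerName -ieq $DrainServerName })
if ($left.Count -eq 0) {
    "$DrainServerName has no agents as primary; its certificate can now be replaced."
} else {
    Write-Warning "$($left.Count) agent(s) still list $DrainServerName as primary; do not import the new certificate yet."
}
```

Agents pick up the new parent list over their existing, still-working channel, so run this and wait for the verification line before importing the new certificate on the drained server. It covers only the agent side: as noted earlier in the thread, once the drained server holds a certificate from a different CA it will still not authenticate to the other management servers, so the inter-server outage for the remaining steps is expected.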