You can use certificates as an alternative to the Kerberos protocol for mutual authentication and encryption between an agent and the Essentials 2007 management server.
Essentials 2007 includes a utility, MOMCertImport, that configures Essentials 2007 to use a certificate. For more information, see How to Import Certificates in Essentials 2007.
When you obtain and install certificates for use with Operations Manager 2007, consider the following:
- Certificates used on various components in Essentials 2007 (for example, agent, remote console, or management server) must be issued by the same certification authority (CA).
- Each computer requires its own unique certificate.
- Each computer must also contain the root certification authority certificate in its Trusted Root Certification Authorities store and any intermediate certification authorities in the Intermediate Certification Authorities store.
- The Subject Name field for the certificate must contain the DNS fully qualified domain name (FQDN) of the host computer.
- The certificates need to support the following two extended key usage fields, server authentication and client authentication, which are represented by the two OIDs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2.
Note: When entering OIDs, separate each OID by a comma. For example, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 exactly as shown.
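The following PowerShell script is an added example, not part of the original documentation or the product. It reads the certificates in the local computer's Personal store and reports, for each one, whether it meets the requirements listed above. It assumes the certificate is installed in `Cert:\LocalMachine\My`, that the FQDN returned by DNS for the local host is the expected name, and it skips revocation checking.

```powershell
# Added example (not from the product documentation): read-only audit of the
# certificates in the local computer's Personal store against the list above.
$requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # server auth, client auth

# Assumption: the FQDN DNS returns for this host is the name the certificate must carry.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$noRevocation = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Requirement: Subject Name contains the host's FQDN (DNS names are case-insensitive).
    $cn = $cert.GetNameInfo($simpleName, $false)
    $subjectOk = $cn -ieq $fqdn

    # Requirement: both extended key usage OIDs are present.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missingEku = @($requiredEku | Where-Object { $ekuOids -notcontains $_ })

    # Requirement: root and intermediate CA certificates are in the machine stores,
    # so the chain builds. Revocation is not checked here so the audit runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = $noRevocation
    $chainOk = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Issuer is reported so it can be compared across components (same CA requirement).
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        FqdnMatch    = $subjectOk
        MissingEku   = $missingEku -join ','
        ChainTrusted = $chainOk
        ChainErrors  = $chainErrors
    }
} | Format-List
```

A certificate is suitable when `FqdnMatch` and `ChainTrusted` are `True` and `MissingEku` is empty; run the script on each component and compare the `Issuer` values to confirm they come from the same CA.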
The basic order of operations for installing a certificate is as follows:
- Obtain the certificate for each Essentials 2007 component.
- Use the MOMCertImport tool, specifying the certificate in the certificate store.