How to configure the Operations Manager Connector Framework to use Secure Sockets Layer (SSL) functionality in System Center Operations Manager 2007

Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.

Article ID: 957562 - Last Review: January 16, 2009 - Revision: 1.0

INTRODUCTION

This article describes how to configure the Operations Manager Connector Framework (OMCF) to use Secure Sockets Layer (SSL) functionality.

MORE INFORMATION

  1. Install Microsoft System Center Operations Manager 2007, and make sure that the following link loads correctly in Windows Internet Explorer on the Root Management Server (RMS):
    http://localhost:51905/connectorframework
  2. Create a server certificate to use for the Manager Connector Framework (MCF) endpoint to enable SSL.

    Note This certificate must be trusted by clients.
  3. Import this certificate into the Local Machine store on the Root Management Server.
  4. Set up the Operations Manager Connector Framework (OMCF) endpoint to use SSL. To do this, you must use the Httpcfg.exe tool to run the following command:
    HttpCfg.exe set ssl -i 0.0.0.0:51905 -h 82e8471434ab1d57d4ecf5fbed0f1ceeba975d8d -n LOCAL_MACHINE -c MY -f 2
    Note In Windows Server 2003, this tool is in the SupportTools folder on the installation CD.

    Port 51905 is the port that you are using in the configuration file. The thumbprint of the certificate that you want to use is 82e8471434ab1d57d4ecf5fbed0f1ceeba975d8d. This thumbprint can be found on the Details tab of the certificate snap-in after you view the certificate. The -f 2 switch enables the server to accept client certificates.
  5. Update the Microsoft.Mom.Sdk.ServiceHost.exe.config file so that its contents appear similar to the following:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.diagnostics />
      <runtime>
        <gcServer enabled="true"/>
      </runtime>
      <appSettings>
        <!-- use appSetting to configure base address provided by host -->
        <add key="baseAddressMcfV3" value="https://static-9-180-209-92.hursley.ibm.com:51905/ConnectorFramework" />
      </appSettings>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="McfDefaultBinding" maxReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                  maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ConnectorFrameworkServiceBehavior">
              <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
              <serviceMetadata httpGetEnabled="true" httpGetUrl="http://static-9-180-209-92.hursley.ibm.com:51906/ConnectorFramework"
                  httpsGetEnabled="true" />
              <serviceThrottling maxConcurrentSessions="1000" />
              <serviceCredentials>
                <clientCertificate>
                  <authentication mapClientCertificateToWindowsAccount="true" />
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service behaviorConfiguration="ConnectorFrameworkServiceBehavior"
              name="Microsoft.EnterpriseManagement.ConnectorFramework.ServiceDataLayer.ConnectorFrameworkDataAccess">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="McfDefaultBinding"
                name="Main" contract="Microsoft.EnterpriseManagement.ConnectorFramework.IConnectorFramework" />
          </service>
        </services>
      </system.serviceModel>
    </configuration>
  6. Restart the Omsdk (OpsMgr Sdk Service) service.
  7. Make sure that the following link loads correctly in Internet Explorer:
    https://localhost:51905/connectorframework
  8. Generate a client certificate.
  9. Use the client certificate in the request.

If the client certificate does not work, recheck all the certificate usage parameters. Then, use one of the following methods to enable logging:
  • Enable SChannel logging.
    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 (http://kbalertz.com/Feedback.aspx?kbNumber=322756/) How to back up and restore the registry in Windows
    Enable verbose logging by setting the EventLogging registry entry to 7, as follows:
    EventLogging=dword:00000007
    Note The EventLogging registry entry is located under the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    Then, restart the computer.
  • Enable Indigo/WCF logging by editing the .config file so that its contents appear similar to the following:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel" switchValue="Information, ActivityTracing"
              propagateActivity="true">
            <listeners>
              <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                <filter type="" />
              </add>
              <add name="McfTracing">
                <filter type="" />
              </add>
            </listeners>
          </source>
          <source name="System.ServiceModel.MessageLogging" switchValue="Information, ActivityTracing">
            <listeners>
              <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                <filter type="" />
              </add>
              <add name="McfTracing">
                <filter type="" />
              </add>
            </listeners>
          </source>
        </sources>
        <sharedListeners>
          <add initializeData="c:\Microsoft.Mom.Sdk.ServiceHost_tracelog"
              type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
              name="McfTracing" traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
            <filter type="" />
          </add>
        </sharedListeners>
      </system.diagnostics>
      <runtime>
        <gcServer enabled="true"/>
      </runtime>
      <appSettings>
        <!-- use appSetting to configure base address provided by host -->
        <add key="baseAddressMcfV3" value="https://9.180.209.92:51905/ConnectorFramework" />
      </appSettings>
      <system.serviceModel>
        <diagnostics>
          <messageLogging logEntireMessage="true" logMalformedMessages="true"
              logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
        </diagnostics>
        <bindings>
          <wsHttpBinding>
            <binding name="McfDefaultBinding" maxReceivedMessageSize="2147483647">
              <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                  maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ConnectorFrameworkServiceBehavior">
              <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
              <serviceMetadata httpGetEnabled="true" httpGetUrl="http://9.180.209.92:51906/ConnectorFramework"
                  httpsGetEnabled="true" />
              <serviceThrottling maxConcurrentSessions="1000" />
              <serviceCredentials>
                <clientCertificate>
                  <authentication mapClientCertificateToWindowsAccount="true" />
                </clientCertificate>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service behaviorConfiguration="ConnectorFrameworkServiceBehavior"
              name="Microsoft.EnterpriseManagement.ConnectorFramework.ServiceDataLayer.ConnectorFrameworkDataAccess">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="McfDefaultBinding"
                name="Main" contract="Microsoft.EnterpriseManagement.ConnectorFramework.IConnectorFramework" />
          </service>
        </services>
      </system.serviceModel>
    </configuration>
    Then, open the C:\Microsoft.Mom.Sdk.ServiceHost_tracelog log file, and search for errors.
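
As an added example (not from the Microsoft article or from Operations Manager itself), this Python script checks a Microsoft.Mom.Sdk.ServiceHost.exe.config for the SSL settings from step 5 and lists the settings from the logging configuration above that are worth revisiting once troubleshooting is finished. The function names, the constructed sample config, the rms.example.test host name and the choice of review items are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (placeholder host): step 5's SSL settings plus WCF message logging.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <appSettings>
  <add key="baseAddressMcfV3" value="https://rms.example.test:51905/ConnectorFramework" />
 </appSettings>
 <system.serviceModel>
  <diagnostics><messageLogging logEntireMessage="true" /></diagnostics>
  <bindings><wsHttpBinding><binding name="McfDefaultBinding">
   <security mode="Transport"><transport clientCredentialType="Certificate" /></security>
  </binding></wsHttpBinding></bindings>
  <behaviors><serviceBehaviors><behavior name="ConnectorFrameworkServiceBehavior">
   <serviceDebug includeExceptionDetailInFaults="true" />
   <serviceMetadata httpGetEnabled="true"
    httpGetUrl="http://rms.example.test:51906/ConnectorFramework" />
  </behavior></serviceBehaviors></behaviors>
 </system.serviceModel>
</configuration>"""

def is_true(elem, attr):
    return elem is not None and elem.get(attr, "").lower() == "true"

def audit_mcf_config(xml_text):
    """Return (errors, reviews): SSL settings that are wrong, and settings to revisit."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    errors, reviews = [], []
    base = root.find("./appSettings/add[@key='baseAddressMcfV3']")
    if base is None or not base.get("value", "").lower().startswith("https://"):
        errors.append("baseAddressMcfV3 is not an https:// address")
    sec = root.find(".//wsHttpBinding/binding[@name='McfDefaultBinding']/security")
    if sec is None or sec.get("mode") != "Transport":
        errors.append("McfDefaultBinding security mode is not Transport")
    tr = sec.find("transport") if sec is not None else None
    if tr is None or tr.get("clientCredentialType") != "Certificate":
        errors.append("client certificates are not required by the binding")
    # The items below are this example's own review list, not requirements from the article.
    if is_true(root.find(".//messageLogging"), "logEntireMessage"):
        reviews.append("message bodies are written to the trace log")
    if is_true(root.find(".//serviceDebug"), "includeExceptionDetailInFaults"):
        reviews.append("exception details are returned in faults")
    meta = root.find(".//serviceMetadata")
    if is_true(meta, "httpGetEnabled") and meta.get("httpGetUrl", "").lower().startswith("http://"):
        reviews.append("service metadata is published over plain HTTP")
    return errors, reviews

if __name__ == "__main__":
    print(audit_mcf_config(SAMPLE))
```

To check a live server, pass the text of the real .config file to audit_mcf_config instead of SAMPLE.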

APPLIES TO
  • Microsoft System Center Operations Manager 2007
Keywords: kbhowto kbexpertiseinter kbsurveynew kbinfo KB957562
