How to configure the Operations Manager Connector Framework to use Secure Sockets Layer (SSL) functionality in System Center Operations Manager 2007

Article ID: 957562

INTRODUCTION

This article describes how to configure the Operations Manager Connector Framework (OMCF) to use Secure Sockets Layer (SSL) functionality.

MORE INFORMATION

  1. Install Microsoft System Center Operations Manager 2007, and make sure that the following link loads correctly in Windows Internet Explorer on the Root Management Server (RMS):
    http://localhost:51905/connectorframework
  2. Create a server certificate to use for the Manager Connector Framework (MCF) endpoint to enable SSL.

    Note This certificate must be trusted by clients.
  3. Import this certificate into the Local Machine store on the Root Management Server.
  4. Set up the Operations Manager Connector Framework (OMCF) endpoint to use SSL. To do this, you must use the Httpcfg.exe tool to run the following command:
    HttpCfg.exe set ssl -i 0.0.0.0:51905 -h 82e8471434ab1d57d4ecf5fbed0f1ceeba975d8d -n LOCAL_MACHINE -c MY -f 2
    Note In Windows Server 2003, this tool is in the SupportTools folder on the installation CD.

    Port 51905 is the port that you are using in the configuration file. The thumbprint of the certificate that you want to use is 82e8471434ab1d57d4ecf5fbed0f1ceeba975d8d. This thumbprint can be found on the Details tab of the certificate snap-in after you view the certificate. The -f 2 switch enables the server to accept client certificates.
  5. Update the Microsoft.Mom.Sdk.ServiceHost.exe.config file so that its contents appear similar to the following:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
     <system.diagnostics />
        <runtime> 
            <gcServer enabled="true"/> 
        </runtime> 
        <appSettings>
    <!-- use appSetting to configure base address provided by host -->
    <add key="baseAddressMcfV3" value="https://static-9-180-209-92.hursley.ibm.com:51905/ConnectorFramework" />
        </appSettings>
        <system.serviceModel>
    <bindings>
          <wsHttpBinding>
              <binding name="McfDefaultBinding" maxReceivedMessageSize="2147483647">
                  <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                      maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
                  <security mode="Transport">
                      <transport clientCredentialType="Certificate" />
                  </security>
              </binding>
          </wsHttpBinding>
      </bindings>
            <behaviors>
                <serviceBehaviors>
                    <behavior name="ConnectorFrameworkServiceBehavior">
                        <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
                        <serviceMetadata httpGetEnabled="true" httpGetUrl="http://static-9-180-209-92.hursley.ibm.com:51906/ConnectorFramework"
                            httpsGetEnabled="true" />
                        <serviceThrottling maxConcurrentSessions="1000" />
                        <serviceCredentials>
                            <clientCertificate>
                                <authentication mapClientCertificateToWindowsAccount="true" />
                            </clientCertificate>
                        </serviceCredentials>
                    </behavior>
                </serviceBehaviors>
            </behaviors>
            <services>
                <service behaviorConfiguration="ConnectorFrameworkServiceBehavior"
                    name="Microsoft.EnterpriseManagement.ConnectorFramework.ServiceDataLayer.ConnectorFrameworkDataAccess">
                    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="McfDefaultBinding"
                        name="Main" contract="Microsoft.EnterpriseManagement.ConnectorFramework.IConnectorFramework" />
                </service>
            </services>
        </system.serviceModel>
    </configuration>
  6. Restart the Omsdk (OpsMgr Sdk Service) service.
  7. Make sure that the following link loads correctly in Internet Explorer:
    https://localhost:51905/connectorframework
  8. Generate a client certificate.
  9. Use the client certificate in the request.
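
A pre-flight check for the certificates used in steps 3, 4, and 8, added here as an example (it is not part of the original article). It verifies each certificate's thumbprint, private key, validity period, enhanced key usage and trust chain, and then lists the HTTP.SYS binding on port 51905. The function name Test-McfCertificate, the client thumbprint placeholder and the CurrentUser\My client store are assumptions.

```powershell
# Added example, not part of the original article.
$ServerThumbprint = '82e8471434ab1d57d4ecf5fbed0f1ceeba975d8d'  # thumbprint from step 4
$ClientThumbprint = '<CLIENT-CERT-THUMBPRINT>'                   # placeholder for the step 8 certificate

function Test-McfCertificate {
    param([string]$Thumbprint, [string]$StorePath, [string]$RequiredEku)

    # Text copied from the certificate's Details tab often carries spaces or
    # invisible characters; keep only the hex digits so the lookup matches.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
    if ($clean.Length -ne 40) { return "FAIL: '$Thumbprint' is not a 40-digit SHA-1 thumbprint" }

    $cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { return "FAIL: $clean not found in $StorePath" }

    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }

    # An absent EKU extension allows every usage; a present one must list the OID.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEku })) {
        $problems += "EKU $RequiredEku missing"
    }

    # The chain is built in the current user's context, so run this on the
    # machine that has to trust the certificate (the client, for the server cert).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) { $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" }) }

    if ($problems.Count) { "FAIL: $clean - " + ($problems -join ', ') }
    else { "OK: $clean ($($cert.Subject))" }
}

# Server certificate (steps 2 and 3): LocalMachine\My, Server Authentication EKU.
Test-McfCertificate $ServerThumbprint 'Cert:\LocalMachine\My' '1.3.6.1.5.5.7.3.1'
# Client certificate (step 8): Client Authentication EKU; the store is an assumption.
Test-McfCertificate $ClientThumbprint 'Cert:\CurrentUser\My' '1.3.6.1.5.5.7.3.2'
# Show the certificate hash that HTTP.SYS has bound to the port from step 4.
HttpCfg.exe query ssl -i 0.0.0.0:51905
```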

If the client certificate does not work, recheck all the certificate usage parameters. Then, use one of the following methods to enable logging:
  • Enable SChannel logging.
    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows
    Enable verbose logging by setting the EventLogging registry entry to 7, as follows:
    EventLogging=dword:00000007
    Note The EventLogging registry entry is located under the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    Then, restart the computer.
  • Enable Indigo/WCF logging by editing the .config file so that its contents appear similar to the following:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
     <system.diagnostics>
      <sources>
       <source name="System.ServiceModel" switchValue="Information, ActivityTracing"
        propagateActivity="true">
        <listeners>
         <add type="System.Diagnostics.DefaultTraceListener" name="Default">
          <filter type="" />
         </add>
         <add name="McfTracing">
          <filter type="" />
         </add>
        </listeners>
       </source>
       <source name="System.ServiceModel.MessageLogging" switchValue="Information, ActivityTracing">
        <listeners>
         <add type="System.Diagnostics.DefaultTraceListener" name="Default">
          <filter type="" />
         </add>
         <add name="McfTracing">
          <filter type="" />
         </add>
        </listeners>
       </source>
      </sources>
      <sharedListeners>
       <add initializeData="c:\Microsoft.Mom.Sdk.ServiceHost_tracelog"
        type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        name="McfTracing" traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack">
        <filter type="" />
       </add>
      </sharedListeners>
     </system.diagnostics>
        <runtime> 
            <gcServer enabled="true"/> 
        </runtime> 
        <appSettings>
    	<!-- use appSetting to configure base address provided by host -->
    	<add key="baseAddressMcfV3" value="https://9.180.209.92:51905/ConnectorFramework" />
        </appSettings>
        <system.serviceModel>
    <diagnostics>
        <messageLogging logEntireMessage="true" logMalformedMessages="true"
            logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
    </diagnostics>
    <bindings>
          <wsHttpBinding>
              <binding name="McfDefaultBinding" maxReceivedMessageSize="2147483647">
                  <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                      maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
                  <security mode="Transport">
                      <transport clientCredentialType="Certificate" />
                  </security>
              </binding>
          </wsHttpBinding>
      </bindings>
            <behaviors>
                <serviceBehaviors>
                    <behavior name="ConnectorFrameworkServiceBehavior">
                        <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
                        <serviceMetadata httpGetEnabled="true" httpGetUrl="http://9.180.209.92:51906/ConnectorFramework"
                            httpsGetEnabled="true" />
                        <serviceThrottling maxConcurrentSessions="1000" />
                        <serviceCredentials>
                            <clientCertificate>
                                <authentication mapClientCertificateToWindowsAccount="true" />
                            </clientCertificate>
                        </serviceCredentials>
                    </behavior>
                </serviceBehaviors>
            </behaviors>
            <services>
                <service behaviorConfiguration="ConnectorFrameworkServiceBehavior"
                    name="Microsoft.EnterpriseManagement.ConnectorFramework.ServiceDataLayer.ConnectorFrameworkDataAccess">
                    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="McfDefaultBinding"
                        name="Main" contract="Microsoft.EnterpriseManagement.ConnectorFramework.IConnectorFramework" />
                </service>
            </services>
        </system.serviceModel>
    </configuration>
    Then, open the C:\Microsoft.Mom.Sdk.ServiceHost_tracelog log file, and search for errors.

Properties

Article ID: 957562 - Last Review: January 16, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft System Center Operations Manager 2007