I have been answering plenty of questions about Gateways and certificates, as well as dealing with some fairly complex environments that involve Certs and Gateways lately. There’s a lot of information out there to help troubleshoot problems and give advice, so I thought I would add my two cents.
Here are my simple steps for making Gateways and/or Certificate Authentication for single servers work:
This assumes you have a PKI infrastructure already and all the servers trust the Issuing Certificate Authority.
1. Verify there is name resolution between the Management Server and the Gateway (or the server you are using certificate auth for). **YOU HAVE TO HAVE IT**
a. If there isn’t name resolution, add an entry to the hosts file on both the Mgt server and the Gateway (or the server you need to authenticate with).
2. Verify that port 5723 is open in the firewall (Telnet to port 5723 from the GW to the Mgt Server, and from the Mgt Server back to the GW, to test it in both directions).
3. Request a Certificate
a. Choose an Advanced Certificate Request
b. Create and Submit a Request
c. Make sure you use the FQDN of the server you are going to put the cert on in the Name field and in the Friendly Name field
d. The Type of Certificate Needed is Other
i. Copy the existing OID, then put a 1 at the end of it followed by a comma (,), then paste the OID you just copied and put a 2 after it.
e. Mark it as Exportable
f. Check the “Store certificate in the local computer certificate store” check box
4. Approve the Cert (in the Cert Authority MMC)
5. On the Certsrv website (where you just requested the cert) view your pending request and “Install the certificate”
6. Go to the Certificates MMC snap-in, look under Personal - Certificates, right click and Export the cert (give it a password and a .pfx extension).
7. Copy that cert to the Mgt Server.
a. On the Mgt server, right-click the .pfx and Install the Cert (you will need to enter the password you just gave it)
8. After you have installed the cert, copy MOMCertImportTool.exe from the install media to the directory you put the cert in
a. Open a cmd prompt and cd to the folder that contains the cert and the cert import tool (make sure you are using the correct version of the tool: amd64 for x64 machines, i386 for 32-bit machines... been there, made that mistake). Type the following command:
MOMCertImportTool.exe NAME-OF-YOUR-CERT.pfx
You should be prompted to enter the password for the cert.
Once you have successfully completed that…
FOLLOW ALL THE ABOVE STEPS AGAIN ONLY SUBSTITUTE THE FQDN OF THE GATEWAY SERVER (or server you need to authenticate with) FOR THE MGT SERVER FQDN IN THE NAME SECTIONS OF THE CERT REQUEST
You need two certs: one for the Mgt Server and one for the GW server.
Once you have installed the cert and run the MOMCertImportTool on the GW (or the server you need to authenticate with), go back to the Mgt server for one last step.
Once you are back on the Mgt server:
1. Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the install media to the folder where you installed SCOM (C:\Program Files\System Center Operations Manager 2007 is the default)
2. Open a cmd prompt and browse to the folder where you installed SCOM (and subsequently copied the GW Approval Tool). If you skip this step and run the tool from the media you will get a bunch of strange errors... see, been there, done that.
3. Type the following command (all on one line):
Microsoft.EnterpriseManagement.GatewayApprovalTool /ManagementServerName=FQDN_name /GatewayName=gateway_server_FQDN_name /Action=create
When you get the success message, open your Operations Manager Console and go to the Administration pane. Look under Management Servers (for gateways) or Agent Managed (for single servers you are managing without a gateway) and you should see your newly added certificate-authenticated servers.
***IMPORTANT NOTE***
It may take up to 5 to 10 minutes for your gateway server to show up as monitored.
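Before running the approval tool, it is worth checking the three things the steps above depend on from each side. The following PowerShell script is an added example, not part of the original post or of the SCOM tooling: run it on the Mgt server with the Gateway FQDN as the argument, then on the Gateway with the Mgt server FQDN. It assumes the local FQDN can be read from the host, that the cert was placed in LocalMachine\My by MOMCertImportTool, and that the two OIDs built in step 3.d.i are Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).

```powershell
# Pre-flight check for SCOM gateway / certificate authentication (added example).
# Assumptions: $PeerFqdn is the other server; the local cert lives in Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory=$true)][string]$PeerFqdn
)

$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Local FQDN : $localFqdn"

# 1. Name resolution to the peer (step 1 above); hosts-file entries count.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($PeerFqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolved $PeerFqdn -> $($ips -join ', ')"
} catch {
    Write-Warning "Cannot resolve $PeerFqdn. Add a hosts-file entry on both machines."
}

# 2. TCP 5723 from here to the peer (step 2); run the script from the other side too.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($PeerFqdn, 5723)
    Write-Host "TCP 5723 to $PeerFqdn is open"
} catch {
    Write-Warning "TCP 5723 to $PeerFqdn is blocked; check the firewall in both directions."
} finally {
    $client.Close()
}

# 3. Local cert: CN must be the local FQDN, both EKUs present, private key imported.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($localFqdn))" }
if (-not $certs) { Write-Warning "No cert in LocalMachine\My with CN=$localFqdn"; return }

foreach ($cert in $certs) {
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ok = ($oids -contains $serverAuth) -and ($oids -contains $clientAuth) -and $cert.HasPrivateKey
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("{0} Thumbprint={1} EKU={2} PrivateKey={3} Expires={4}" -f
        $status, $cert.Thumbprint, ($oids -join ','), $cert.HasPrivateKey, $cert.NotAfter)
}
```

A FAIL line with PrivateKey=False usually means the .pfx was installed without the key or MOMCertImportTool was not run; a FAIL with only one EKU means the OID list in step 3.d.i was entered wrong and the cert must be re-requested.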
Here are some great links with loads more information…
Gateway Server and PKI Scenarios Guide
SystemCenterForum.org Gateways the fastway
systemcenterforum.org Gateway scenarios
Technet Gateways