6 Enabling SSL for Enterprise Manager

This section describes how to configure the SCOM connector to use the HTTPS protocol.

Note:

Unless otherwise noted, these instructions apply to the SCOM 2012 connector and to the SCOM 2007 connectors. Instructions specific to the SCOM 2007 connectors are available in Microsoft SCOM 2007 Connector.

6.1 Configuring Enterprise Manager to Use SSL

If the SCOM web service was configured to run using the HTTPS protocol, you must perform the following steps to set up SSL:

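  1. Install an SSL certificate in the SCOM web service keystore. You must install either a self-signed certificate, as described in Installing a Self-Signed Certificate, or a certificate obtained from a Certificate Authority (CA), as described in Installing a Certificate from a Certificate Authority.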

    Restart the SCOM web service to pick up the certificate changes.

  2. Import the SSL certificate from the SCOM web service keystore into the Enterprise Manager keystore as specified in Importing the Web Service Certificate into Enterprise Manager.

6.2 Installing a Self-Signed Certificate

Perform the following steps to generate and install a self-signed SSL certificate for the SCOM web service:

  1. Open a command prompt window and change the working directory to the adapters/conf directory in the SCOM web service installation directory.
  2. Execute the following command to delete the default SSL entry from the SCOM web service keystore:
    • UNIX

      $JAVA_HOME/bin/keytool -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -delete -alias iwave -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
  3. Enter the following command to generate a new certificate and place it in the SCOM web service keystore. You will need to replace <hostname> with the host name or IP address of the system where the SCOM web service is installed.

    Note:

    The host name in the certificate must match the host name or IP address used by the web service. If they do not match, a failure will occur when Enterprise Manager tries to invoke the web service.

    • UNIX

      $JAVA_HOME/bin/keytool -genkey -alias iwave -keyalg RSA -keysize 1024 -dname "CN=<hostname>, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US" -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      
    • Windows

      "%JAVA_HOME%\bin\keytool" -genkey -alias iwave -keyalg RSA -keysize 1024 -dname "CN=<hostname>, OU=Development, O=iWave Software, L=Frisco, ST=TX, C=US" -keypass iwavepw -storepass iwavepw -keystore keystore.jks
      

6.3 Installing a Certificate from a Certificate Authority

Perform the following steps to request and install a signed SSL certificate for the SCOM web service:

  1. Request a certificate for the SCOM web service from a Certificate Authority, such as VeriSign.

    Note:

    In the certificate request, make sure to specify the host name or IP address of the system where the SCOM web service is installed. The host name in the certificate must match the host name or IP address used by the web service. If they do not match, a failure will occur when Enterprise Manager tries to invoke the web service.

  2. After you obtain the certificate from the Certificate Authority, perform the following steps to install the certificate:
    1. Open a command prompt window and change the working directory to the adapters/conf directory in the SCOM web service installation directory.
    2. Enter the following command to install the certificate, where <certificateFile> is the full path name of the file provided by the Certificate Authority:
      • UNIX

        $JAVA_HOME/bin/keytool -importcert -alias iwave -file <certificateFile> -keypass iwavepw -storepass iwavepw -keystore keystore.jks
        
      • Windows

        "%JAVA_HOME%\bin\keytool" -importcert -alias iwave -file <certificateFile> -keypass iwavepw -storepass iwavepw -keystore keystore.jks
        

6.4 Importing the Web Service Certificate into Enterprise Manager

Perform the following steps to import the SCOM web service SSL certificate into the Enterprise Manager keystore (for multi-OMS environments, repeat for each OMS):

  1. Open a command prompt window and change the working directory to the adapters/conf directory in the SCOM web service installation directory.
  2. Issue the following command to extract the SSL certificate from the SCOM web service keystore and place it in the SCOMws.cer certificate file:
    • UNIX:

      $JAVA_HOME/bin/keytool -exportcert -rfc -alias iwave -file SCOMws.cer -keystore keystore.jks -storepass iwavepw
      
    • Windows:

      "%JAVA_HOME%\bin\keytool" -exportcert -rfc -alias iwave -file SCOMws.cer -keystore keystore.jks -storepass iwavepw
      
  3. Transfer the certificate file SCOMws.cer to the system where Enterprise Manager is installed.
  4. Append the contents of the SCOMws.cer file to:
    $INSTANCE_HOME/sysman/config/b64LocalCertificate.txt
  5. Ensure that only the following is appended to the b64LocalCertificate.txt file (that is, do not include blank lines or comments or any other special characters):
    -----BEGIN CERTIFICATE-----
    <<<Certificate in Base64 format>>>
    -----END CERTIFICATE-----
    
  6. Restart OMS by running the following commands:
    emctl stop oms
    emctl start oms
    

    Note:

    Do not run the emctl secure oms/agent command after adding the external certificate to the b64LocalCertificate.txt file. If you run the emctl secure command later, then repeat steps 4 through 6 to make sure the external certificate exists in the b64LocalCertificate.txt file.
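
Steps 4 and 5 above can be scripted so that only a clean certificate block ever reaches b64LocalCertificate.txt, and so that repeating the steps after emctl secure does not create duplicates. The following shell script is an added example, not part of the Oracle documentation; the function names and the script name append_cert.sh are hypothetical, and it checks PEM structure only, not the certificate's contents.

```shell
#!/bin/sh
# Added example (not Oracle's code): validate SCOMws.cer and append it to
# b64LocalCertificate.txt without blank lines, comments or duplicates.

# Succeeds only if FILE is exactly one PEM block: BEGIN line, base64 lines, END line.
is_clean_pem() {
    awk '
        NR == 1 { if ($0 != "-----BEGIN CERTIFICATE-----") bad = 1; next }
        $0 == "-----END CERTIFICATE-----" { ends++; last = NR; next }
        $0 !~ /^[A-Za-z0-9+\/]+=?=?$/ { bad = 1 }   # blank line, comment, stray text
        { body++ }
        END { exit !(bad == 0 && ends == 1 && last == NR && body > 0) }
    ' "$1"
}

# Prints the base64 body of every certificate in FILE, one certificate per line.
pem_bodies() {
    awk '
        $0 == "-----BEGIN CERTIFICATE-----" { body = ""; inside = 1; next }
        $0 == "-----END CERTIFICATE-----"   { if (inside) print body; inside = 0; next }
        inside { body = body $0 }
    ' "$1"
}

# append_cert CERT_FILE TRUST_FILE: returns 0 if the certificate is in TRUST_FILE
# afterwards, 1 if CERT_FILE was rejected.
append_cert() {
    cert=$1; trust=$2
    tmp=$(mktemp) || return 2
    tr -d '\r' < "$cert" > "$tmp"      # drop CRs in case the file has CRLF line endings
    if ! is_clean_pem "$tmp"; then
        echo "rejected: $cert is not a single clean PEM certificate" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -f "$trust" ] && pem_bodies "$trust" | grep -qxF -- "$(pem_bodies "$tmp")"; then
        echo "already present in $trust, nothing appended" >&2
        rm -f "$tmp"; return 0
    fi
    # If the existing file lacks a final newline, add one so BEGIN starts its own line.
    if [ -s "$trust" ] && [ -n "$(tail -c 1 "$trust")" ]; then echo >> "$trust"; fi
    cat "$tmp" >> "$trust"
    rm -f "$tmp"
}

# Usage: sh append_cert.sh SCOMws.cer "$INSTANCE_HOME/sysman/config/b64LocalCertificate.txt"
if [ "$#" -eq 2 ]; then append_cert "$1" "$2"; fi
```

Run it on each OMS host before restarting OMS in step 6; a non-zero exit status means nothing was written to the trust file.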