OpsMgr 2007 PKI and Gateway Scenarios Part 5: PKI selection and planning
Microsoft has two flavors of certificate services, known as the Stand-alone Certificate Authority (CA) and the Enterprise CA. It is important to know the advantages and disadvantages of each, along with some higher-level considerations to bear in mind. While we can’t dive deep into all the details of Public Key Infrastructure (PKI), here are just a couple of tidbits.
Your PKI should not be planned only around your Operations Manager 2007 deployment, as it can play a role in a number of areas, including content management, IPSec policies, VPN authentication, etc. If you do not have PKI in your environment today, make this a project and deploy it with other current and future needs in mind.
The Enterprise CA
The Enterprise CA requires Active Directory. Additionally, you can deploy certificates automatically through Group Policy. From an Operations Manager perspective, this does not matter much, as you will not usually use certificate-based authentication unless Kerberos authentication through Active Directory is not available for some agents.
It’s also important to note that the certificate template required for issuing Operations Manager certificates must be created before you can issue certificates from an Enterprise CA for use in mutual authentication in Operations Manager 2007. For details on how to make this happen, see “How to Obtain a Certificate Using an Enterprise CA in Operations Manager 2007” in the Operations Manager 2007 Security Guide.
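As an added example (not from the original post and not part of the Operations Manager product), the PowerShell script below checks the certificates in the local machine store against the properties an Operations Manager 2007 mutual-authentication certificate is expected to have before you bind it to an agent, gateway or management server. The checks it performs (Server Authentication and Client Authentication EKUs, subject CN equal to the computer’s FQDN, a private key present, a current validity period, and a chain that verifies) are assumptions drawn from the certificate requirements as generally documented for Operations Manager 2007, not from this page; confirm them against the Security Guide for your build. The `Test-OpsMgrCertificate` function name, the `-ExpectedFqdn` and `-StorePath` parameters, and the PowerShell 3.0 or later requirement are likewise this example’s own choices.

```powershell
# Added example: pre-flight check of local machine certificates against the properties an
# Operations Manager 2007 mutual-authentication certificate is ASSUMED to need (verify against
# the Security Guide): Server Authentication + Client Authentication EKUs, subject CN equal to
# the computer's FQDN, private key present, currently valid, and a verifiable chain.
# Requires PowerShell 3.0 or later (for [pscustomobject]).

param(
    # Hypothetical parameters for this example; defaults target the local machine.
    [string]$ExpectedFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
    [string]$StorePath    = 'Cert:\LocalMachine\My'
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EnhancedKeyUsageList is the extended property PowerShell exposes on certificate objects.
    $ekuOids = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    # SimpleName returns the subject CN without hand-parsing the distinguished name.
    $cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $now = Get-Date

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasServerAuth = $ekuOids -contains $serverAuthOid
        HasClientAuth = $ekuOids -contains $clientAuthOid
        SubjectIsFqdn = $cn -eq $ExpectedFqdn          # -eq is case-insensitive, as DNS names are
        HasPrivateKey = $Cert.HasPrivateKey
        InDateRange   = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ChainValid    = $Cert.Verify()                  # builds and validates the chain, incl. revocation
    }
}

$results = Get-ChildItem -Path $StorePath | ForEach-Object { Test-OpsMgrCertificate -Cert $_ }
$results | Format-Table -AutoSize

# A certificate is usable only if every check passes; an empty list usually means the
# template or the request is missing an EKU, the subject name, or the private key.
$usable = $results | Where-Object {
    $_.HasServerAuth -and $_.HasClientAuth -and $_.SubjectIsFqdn -and
    $_.HasPrivateKey -and $_.InDateRange -and $_.ChainValid
}
if ($usable) {
    'Usable Operations Manager certificates: ' + (($usable | ForEach-Object { $_.Thumbprint }) -join ', ')
} else {
    "No certificate in $StorePath satisfies all assumed Operations Manager requirements."
}
```

Run it on the agent, gateway or management server that will present the certificate; the per-check table shows which requirement a rejected certificate misses, which is more useful than the generic handshake failures that appear in the Operations Manager event log when the wrong template was used.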
The Stand-alone CA
The Stand-alone CA does not require Active Directory, and can serve as a certificate server for Operations Manager purposes. You may find this a necessary solution (whether interim or permanent) if your organization has no PKI.
Agent Authentication Behavior
You may be interested to know that the Operations Manager 2007 agent first attempts Kerberos authentication and then certificate-based authentication. This behavior cannot be modified, and since the Kerberos attempt only takes a fraction of a second anyway, it does not need to be. So, if you see packets on port 389 (LDAP) or port 88 (Kerberos) in a packet capture or your firewall logs between an agent and a Gateway or Management Server, there is no cause for concern or alarm.
For a detailed HOW-TO on gateway and certificate-based authentication scenarios in Operations Manager 2007, see our recently updated Gateway and PKI Scenarios Guide.