PKI Certificate Management Pack Update V1.0.1.15

After receiving very helpful feedback from various users, I was able to incorporate some enhancement requests into the PKI Certificate Management Pack.

Version 1.0.1.15 correctly deals with certificates that have somewhat unusual ‘Issued to’ and ‘Issued By’ properties. Furthermore, it will only monitor CA certificates if they haven’t been superseded. Download from SystemCenterCentral.com. You need to register, but registration is free.

Changes in version 1.0.1.15
  • Improved discovery of Issued to and Issued by properties: Will use the Subject Alternative Name if the certificate doesn’t have a subject and will correctly extract the subject if CN= isn’t encountered on the first line of the subject string.
  • Additional certificate property: CA Version (based on extension szOID_CERTSRV_CA_VERSION). If this property holds a value, the certificate is a Windows CA certificate.
  • No longer discovers superseded CA certificates. Evaluation is based on the CA Version property. An additional override changes that behavior if required.
  • Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
  • Exposed script timeout as an overridable parameter.
  • Changed alert priority to ‘Low’.
  • Broke upgrade path to avoid potential agent stale issues when upgrading from V 1.0.0.280 or earlier.

Please study the included release notes and the MP guide carefully, especially when you’re planning to update from a previous version. I did deliberately break upgrade compatibility after some users had reported stale agent conditions during test cycles. You will need to remove any previous version of the MP from your Management Group before importing the latest one.

Geeky background information

The issues after upgrades were caused by moving the overridable timing parameters from the certificate object workflows to the parent certificate store’s properties. This left already discovered certificate objects’ workflows without any timing information until their parents were re-discovered and got their default timing properties added. During my own test all the agents recovered after that and re-enabled the certificate workflows.

Other users had less luck and ended up with a partly stale agent population that could only be corrected by removing the MP from the Management Group. To avoid issues I simply decided to break the upgrade path and force everyone upgrading to remove the previous MP. Breaking was easy by the way. It only took altering the caption of a property on a public class.

I do apologize for having to make you go through the process of removing the MP (and its override MPs) before being able to upgrade. On the other hand I wouldn’t want anyone to experience stale agent conditions due to that.

Lesson learned: There are indeed rare conditions under which an MP author may write an upgradeable MP that would pass MPVerify and will import without complaints but still cause upgrade issues on the Management Group. Watch out for those! Test, test, test – then test once more.

PKI Certificate Verification Management Pack

PKI certificates are used to provide SSL encryption for web sites, to secure cross-server traffic (for example to join security gateways or agents in untrusted domains on OpsMgr), to guarantee the identity of the sender of a message and so on. What all certificates have in common is that they are often forgotten after having been requested and installed, until a certificate that was vital to a service becomes invalid, mostly because it has expired.

To avoid service interruptions or embarrassment due to SSL warning messages displayed to users, the PKI Certificate Verification Management Pack was born. It discovers certificates and certificate revocation lists stored locally on computers and alerts you when:

  – a certificate’s lifetime is about to expire (by default 21 days in advance)
  – a certificate’s lifetime has ended
  – a certificate has become invalid because of a different reason
  – a CRL has not been updated in a timely manner
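
The expiry states listed above, together with the discovery rules from the 1.0.1.15 change list (CN extraction, Subject Alternative Name fallback, CA Version and supersession), as an added PowerShell example; it is not the Management Pack's own script. The store path, the function names and the rule that the highest certificate index per subject marks the current CA certificate are assumptions.

```powershell
$WarnDays  = 21                       # default lead time stated on the page
$CaVerOid  = '1.3.6.1.4.1.311.21.1'   # szOID_CERTSRV_CA_VERSION
$SanOid    = '2.5.29.17'              # Subject Alternative Name
$StorePath = 'Cert:\LocalMachine\CA'  # assumption: the store to inventory

function Get-Extension($Cert, $Oid) {
    $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
}
function Get-DisplayName($Cert) {
    # Take the CN= line wherever it sits in the multi-line subject, not only line 1.
    $cn = $Cert.SubjectName.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^\s*CN=' } | Select-Object -First 1
    if ($cn) { return ($cn -replace '^\s*CN=', '').Trim() }
    if ($Cert.Subject) { return $Cert.Subject }
    # Empty subject: fall back to the Subject Alternative Name extension.
    $san = Get-Extension $Cert $SanOid
    if ($san) { return $san.Format($false) } else { return '(no subject)' }
}
function Get-CaCertIndex($Cert) {
    # DER INTEGER (short-form length assumed): high 16 bits key index, low 16 bits cert index.
    $ext = Get-Extension $Cert $CaVerOid
    if (-not $ext) { return $null }   # no CA Version: not a Windows CA certificate
    $value = 0
    foreach ($b in $ext.RawData[2..($ext.RawData.Length - 1)]) { $value = ($value -shl 8) -bor $b }
    return ($value -band 0xFFFF)
}
function Get-State($NotAfter, $Superseded, $Now) {
    if ($Superseded) { return 'Superseded' }   # never reported as expired
    if ($NotAfter -lt $Now) { return 'Expired' }
    if ($NotAfter -lt $Now.AddDays($WarnDays)) { return 'Expiring' }
    return 'Healthy'
}

$now   = Get-Date
$certs = @(Get-ChildItem $StorePath)
# Assumption: per subject, the highest certificate index is the current CA certificate.
$latest = @{}
foreach ($c in $certs) {
    $i = Get-CaCertIndex $c
    if ($null -ne $i -and (-not $latest.ContainsKey($c.Subject) -or $i -gt $latest[$c.Subject])) {
        $latest[$c.Subject] = $i
    }
}
foreach ($c in $certs) {
    $i = Get-CaCertIndex $c
    $old = ($null -ne $i) -and ($i -lt $latest[$c.Subject])
    [pscustomobject]@{ Name = Get-DisplayName $c; CaCertIndex = $i
        NotAfter = $c.NotAfter; State = Get-State $c.NotAfter $old $now }
}
```

The index is compared against `$null` rather than tested for truthiness because a CA's first certificate carries index 0.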

The MP also includes a series of inventory reports, which help you keep up with all those certificates in your environment. You will find more details in the comprehensive MP guide.

Certificate Verification Screen Shot

Download

The MP and the guide are available for download at the SystemCenterCentral.com site:

Download from SystemCenterCentral.com MP Catalog

I wrote the MP in close collaboration with Pete Zerger and Jaime Correia of the SCC community. Without their help and the support of everyone testing the MP, it wouldn’t be here today.

MP Creation Zen

And there’s more! For everyone interested in learning how to author MPs: Have a look at the 6 part series MP Creation Zen. The articles will walk you through the process of writing an MP, carefully clarifying everything you need to know. Whenever possible, all authoring examples are explained using the new and much improved OpsMgr 2007 R2 Authoring Console, telling you how the PKI Certificate Verification MP was written. I recommend the documents to everyone planning to write a Management Pack by themselves without being application developers.

Community written Multi-Host Ping Management Pack V3

Summary

Over the last few weeks the Multi-Host Ping Management Pack developed as a joint work by the System Center Community has seen a major update from version 2.0 to 3.0. The new Management Pack is class based and represents the health of each Ping Target (address being pinged) as seen by one or more Ping Watchers (agent issuing the ping).

Great care has been taken to increase the scalability and keep the performance impact on the Ping Watchers low. Other than the discovery process, all datasources rely on native Operations Manager modules instead of VBScripts. Furthermore all monitors and rules of the management pack incorporate ‘cookdown’ resulting in just a single ICMP ping per cycle for all circuits.

Multi-Host Ping Screen Shot

Neale Brown, Jaime Correia, Pete Zerger and myself have teamed up to write the management pack, documentation and test the solution. A great experience.

Download

The sealed Management Pack and the documentation can be downloaded from the System Center Forum: Download Multi-Host Ping 3.0 Management Pack
Be sure to study the documentation before you implement the Management Pack as there is some required configuration work to be performed.

SCOM 2007 Web Console and Reporting Server Scale-Out Deployment

Scaling-out Operations Manager Web Interfaces

Currently there are several documented ways to install Operations Manager 2007 to fulfill the needs of a high availability environment. Clustering Root Management Server and databases and configuring agent fail-over are options covered in the product documentation.

However, there was no description of how to deploy the product’s web interfaces in a load-balanced web farm. So I wrote a guide which fills the gap by guiding through the configuration of the Web Console and the Reporting Manager web interfaces as a network load balanced web server farm. This is commonly referred to as a scale-out deployment.

When combining the traditional methods of clustering and fail-over with running Operations Manager’s web interfaces in a server farm, redundancy throughout all components of the product’s infrastructure is achieved.

The document Scale-out deployment of Operations Manager 2007 web interfaces is available for download at the System Center Forum site.

Fully redundant and scaled-out Operations Manager set up

Windows Scheduled Tasks Management Pack now does Windows Server 2008

August 12, 2014 – link to latest update: https://rburri.wordpress.com/2014/08/12/scheduled-task…pack-1-2-0-500/

Some people asked if I could update the Scheduled Task Management Pack for Windows Server 2008. So here it is: Scheduled Task Management Pack now does W2K8.

Windows Server 2008 Task Scheduler 2.0 brings some exciting new features. From the MP author’s point of view the most significant are:

  • Full support for scripting: msdn reference
  • Very detailed event logging

So for Windows Server 2008 the MP no longer has to parse the output of a command, which makes it much more reliable. And since I was at it, I attempted to make the MPs less power consuming on the agents and the management servers. So I highly recommend upgrading should you still be using an older version.

Task Scheduler 2.0 Health Explorer

Thanks everyone who provided valuable feedback during the testing phase.