Professional Documents
Culture Documents
Operations Manager
Version 3.0.5
Reference Guide
December 31, 2010
SC23-8843-02
Tivoli Netcool/OMNIbus Probe for Microsoft System Center
®
Operations Manager
Version 3.0.5
Reference Guide
December 31, 2010
SC23-8843-02
Note
Before using this information and the product it supports, read the information in “Notices and Trademarks,” on page 45.
Edition notice
This edition applies to version 3.0.5 of IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations
Manager 2007 (SC23-8843-02) and to all subsequent releases and modifications until otherwise indicated in new
editions.
This edition replaces SC23-8843-01.
© Copyright IBM Corporation 2006, 2010.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Document control page . . . . . . . . v Exporting a client certificate for the probe . . . 22
Configuring and running the probe . . . . . . 22
IBM Tivoli Netcool/OMNIbus Probe for Configuring the probe properties and probe hosts
file . . . . . . . . . . . . . . . . 22
Microsoft System Center Operations Configuring the probe for scom_tool.pl . . . . 23
Manager 2007 . . . . . . . . . . . . 1 Internationalization support . . . . . . . . 23
Summary . . . . . . . . . . . . . . . 1 Data acquisition . . . . . . . . . . . . 24
Obtaining the required patches and libraries . . . . 3 Properties and command line options . . . . 27
Installing probes . . . . . . . . . . . . . 3 Running the probe . . . . . . . . . . . 29
Configuration . . . . . . . . . . . . . . 4 Elements . . . . . . . . . . . . . . 31
Setting environment variables . . . . . . . 4 Error messages . . . . . . . . . . . . 33
Setting-up the HTTPS communication . . . . . 6 ProbeWatch messages . . . . . . . . . . 36
Creating SSL certificates . . . . . . . . . . 6 Desktop and webtop tools . . . . . . . . 37
Creating and using an OpenSSL CA . . . . . 7 Troubleshooting . . . . . . . . . . . . . 38
Creating and using a stand-alone Microsoft CA 10 Probe Java debug logging . . . . . . . . 39
Creating and using an Enterprise Microsoft CA 14
Managing CA certificates . . . . . . . . . . 17 Appendix. Notices and Trademarks . . 45
Installing trusted certificates on Windows . . . 17
Notices . . . . . . . . . . . . . . . . 45
Configuring OMCF to use the server certificate 19
Trademarks . . . . . . . . . . . . . . 47
Configuring SCOM SDK Web service . . . . . 20
Importing CAs into the trusted CAs of the JRE 21
The IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations
Manager 2007 documentation is provided in softcopy format only. To obtain the
most recent version, visit the IBM® Tivoli® Information Center:
http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/index.jsp?topic=/
com.ibm.tivoli.nam.doc/welcome_ptsm.htm
Table 1. Document modification history
Document Publication Comments
version date
00 December 07, First IBM publication.
2007
01 February 1, Summary section updated.
2009
Installing the probe section updated.
vi IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System
Center Operations Manager 2007
Microsoft System Center Operations Manager 2007 is an event and performance
management tool for Windows Server System. It provides system diagnostic
functionality that includes indicating potential problems in applications and
recommending possible resolutions.
The Probe for Microsoft System Center Operations Manager 2007 uses the SCOM
Connector Framework and receives and acknowledges events from the SCOM
server. The probe can also resolve alerts in the SCOM server.
Summary
Each probe works in a different way to acquire event data from its source, and
therefore has specific features, default values, and changeable properties. Use this
summary information to learn about this probe.
The following table provides a summary of the Probe for Microsoft System Center
Operations Manager 2007.
Table 2. Summary
Probe target Microsoft System Center Operations Manager (SCOM)
2007
Probe executable name nco_p_scom2007
Package version 3.0
http://publib.boulder.ibm.com/infocenter/tivihelp/
v8r1/index.jsp?topic=/com.ibm.netcool_OMNIbus.doc/
Supported_Platforms.htm
Properties file %OMNIHOME%\probes\arch\scom2007.props
Rules file %OMNIHOME%\probes\arch\scom2007.rules
Requirements A currently supported version of IBM Tivoli
Netcool/OMNIbus.
probe-command-port-3
probe-nonnative-base-10
JAXWS-RI 2.1.1
WSIT 1.0
%OMNIHOME%\probes\win32
Connection method HTTPS Web Service
Remote connectivity The Probe for Microsoft System Center Operations
Manager 2007 can connect to a remote device. Details of
the remote device are specified using the HostsFile
property.
Licensing Electronic licensing was deprecated with the release of
IBM Tivoli Netcool V7.2.0. All IBM Tivoli Netcool V7.2.0
(and later) products use the IBM software licensing
process.
Internationalization Available
Peer-to-peer failover functionality Not available
IP environment IPv4 and IPv6
2 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Table 2. Summary (continued)
Federal Information Processing IBM Tivoli Netcool/OMNIbus V7.2.1 and 7.3.0 use the
Standards (FIPS) FIPS 140-2 approved cryptographic provider: IBM
Crypto for C (ICC) certificate 384 for cryptography. This
certificate is listed on the NIST website at
http://csrc.nist.gov/groups/STM/cmvp/documents/
140-1/1401val2004.htm For details about configuring
Netcool/OMNIbus for FIPS 140-2 mode, see IBM Tivoli
Netcool/OMNIbus Installation and Deployment Guide
(SC23-6370).
https://jax-ws.dev.java.net/2.1.1/JAXWS2.1.1_20070501.jar
https://jax-ws.dev.java.net/files/documents/4202/55930/wsit-1_0-fcs-bin-b14-
09_apr_2007.jar
To install the jar files on the probe host, entrer the following command:
Installing probes
All probes are installed in a similar way. The process involves downloading the
appropriate installation package for your operating system, installing the
appropriate files for the version of Netcool/OMNIbus that you are running, and
configuring the probe to suit your environment.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 3
http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/index.jsp?topic=/
com.ibm.netcool_OMNIbus.doc/probes/install/wip/out-html/reference/
install_install_intro.html
3. Configuring the probe.
This guide contains details of the essential configuration required to run this
probe. It combines topics that are common to all probes and topics that are
peculiar to this probe. For details about addition configuration that is common
to all probes, see the IBM Tivoli Netcool/OMNIbus Probe and Gateway Guide
(SC23-9684).
Configuration
After installing the probe, you need to make various configuration settings to suit
your environment.
After installing the Probe for Microsoft System Center Operations Manager 2007
and the various required patches, you must perform the following configuration
tasks:
v “Setting environment variables”
v “Setting-up the HTTPS communication” on page 6
The probe also requires the following files from WSIT 1.0
v webservices-api.jar
v webservices-extra-api.jar
v webservices-extra.jar
v webservices-rt.jar
v webservices-tools.jar
v wstx-services.war
You must include the paths both sets of files explicitly in the CLASSPATH
environment variable.
4 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
The following shows an example setting for the CLASSPATH environment
variable:
CLASSPATH=%JAVA_HOME%\lib\endorsed\activation.jar:%JAVA_HOME%\lib\endorsed\
jaxb-api.jar:%JAVA_HOME%\lib\endorsed\jaxb-impl.jar:%JAVA_HOME%\lib\
endorsed\jaxb-xjc.jar:%JAVA_HOME%\lib\endorsed\jsr173_api.jar:%JAVA_HOME%\
lib\endorsed\sjsxp.jar:%JAVA_HOME%/lib\endorsed\webservices-api.jar:
%JAVA_HOME%\lib\endorsed\webservices-extra-api.jar:%JAVA_HOME%\lib\
endorsed\webservices-extra.jar:%JAVA_HOME%\lib\endorsed\webservices-rt.jar:
%JAVA_HOME%\lib\endorsed\webservices-tools.jar:%CLASSPATH%
export CLASSPATH
Note: The explicit paths to the files must be specified, not just the folder in which
they reside.
You must include the following jar files in the SCOM_INCLUDES environment
variable:
v activation.jar
v jaxb-api.jar
v jaxb-impl.jar
v jaxb-xjc.jar
v jsr173_api.jar
v sjsxp.jar
v wstx-services.war
v webservices-api.jar
v webservices-extra-api.jar
v webservices-extra.jar
v webservices-rt.jar
v webservices-tools.jar
SCOM_INCLUDES=C:\D\activation.jar;C:\D\jaxb-api.jar;C:\D\jaxb-impl.jar;C:\
D\jaxb-xjc.jar;C:\D\jsr173_api.jar;C:\D\sjsxp.jar;C:\D\webservices-
api.jar;C:\D\webservices-extra.jar;C:\D\webservices-api-extra.jar;C:\D\
webservices-rt.jar;C:\D\webservices-tools.jar
Important: You should not set SCOM_INCLUDES explicitly when the following
command installs the probe as a Windows service:
%OMNIHOME%\probes\nco_p_scom2007.bat /INSTALL
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 5
Setting-up the HTTPS communication
You can use client authentication only when a server requests a certificate from a
client. In client authentication the server requests a certificate from the client to
verify that the claim of the client is reliable. The certificate must be an X.509
certificate and must be signed by a certificate authority (CA) trusted by the server.
Note: Setting up of the SSL requires accessing the CA, server, and client
directories that are in the same level, and generating related certificates from those
directories. So, the command line argument examples given for each section to
create a particular certificate also include arguments to access the related directory.
Tip: If you think the self-signed certificate provides adequate security, you can use
it permanently.
The client and server certificates accepted by the CA that you created become valid
and trusted in the self-signed SSL environment. This enables the probe to use the
trusted client certificate, and make a successful SSL handshake with the SCOM
server.
The following topics describe how to create the different types of the CA that the
probe supports:
v “Creating and using an OpenSSL CA” on page 7
v “Creating and using a stand-alone Microsoft CA” on page 10
6 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
v “Creating and using an Enterprise Microsoft CA” on page 14
Note: As a precaution, you must securely backup all certificates and key pairs.
The following topics describe how to create and use OpenSSL CA:
v “Generating a CA using OpenSSL”
v “Generating a server certificate using OpenSSL” on page 8
v “Generating a client certificate using OpenSSL” on page 9
To generate a certificate authority and select a password for the private key using
OpenSSL, use the following steps:
1. Generate CA certificate and its private key using the following command:
openssl req -out CA.pem -new -x509
Note: By default, when you create certificates using OpenSSL, they have a life
of 30 days. You can create certificates with a longer life by using the -days
argument at the end of the openssl command. For example, to create a
certificate with a life of 365 days, use the following command:
Note: For the probe to use a different CA certificate file without changing the
existing java keystore of the JRE, specify the path to this certificate in the
CACertTrustStore property.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 7
Generating a server certificate using OpenSSL
A server certificate authenticates the server to which the probe connects.
OpenSSL commands expect to receive a file named: server.cnf. This file stores
information that helps generate extension fields to the certificate. You must create
the server.cnf file with the following information:
[dir_sect]
keyUsage=digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
extendedKeyUsage=serverAuth
Note: The OpenSSL commands also require the file.srl file. This file contains a
serial number starting with "00". Each generation of a certificate by the CA
increments this serial number.
Generate an RSA private key for the server using the following command:
Enter all the distinguished name information required to create a certificate request
using the following command:
Note: For the Common Name field of the server certificate, enter the Fully Qualified
Host Name of the server to which the probe connects.
Sign the generated RSA private key using the following commands:
8 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Assigning the private key of the certificate
Enter the password of the private key, and then export the server key onto the
generated server certificate using the following command:
OpenSSL commands expect to receive a file named: client.cnf. This file stores
information that help generate extension fields to the certificate. You must create
the client.cnf file with the following information:
[dir_sect]
keyUsage=digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:xyz@ibm.com,
email:xyz@ibm.com
Where the xyz@ibm.com is the UPN of the user that the probe uses for the telnet
connection. The user must be part of the SCOM Administrator Group and must be
a domain user.
extendedKeyUsage=msEFS,emailProtection,clientAuth
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 9
Note: The OpenSSL commands also require the file.srl file. This file contains a
serial number starting with "00". Each generation of a certificate by the CA
increments this serial number.
Note: To authenticate the user, the user must be an Active Directory user, and the
SCOM server must be a member of the AD domain.
Generate the RSA private key for the client using the following command:
Enter all the distinguished name information required to create a certificate request
using the following command:
Note: For the Common Name field of the client certificate, enter the user name that
the probe will use to connect to the server.
Sign the generated RSA private key using the following command:
Enter the password of the private key, and then export the client key onto the
generated client certificate using the following command:
Note:
Use the ClientCertificate property to specify the path to this generated client
certificate.
The Export Password field should not be blank. The same value must be specified
in the ClientCertificatePassword property in encrypted format.
The following topics describe how to create and use stand-alone Microsoft CAs:
v “Installing a Microsoft Stand-alone CA” on page 11
v “Enabling the use of the Subject Alternative Name field for the CA” on page 11
v “Importing the CA certificate into the Enterprise NTAuth store” on page 11
10 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
v “Installing the client certificate” on page 12
v “Installing the server certificate” on page 13
v “Configuring OMCF to use the server certificate” on page 19
Note: Make sure that the Windows Server 2003 setup files are available and that
IIS is installed on the server. To simplify OMCF configuration, you should install
the CA on the RMS. However, you can install the CA on any Windows Server 2003
computer that is running IIS.
Enabling the use of the Subject Alternative Name field for the CA
To enable the use of the Subject Alternative Name field for the CA, run the
following commands on the CA server pressing Enter after each command:
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 11
Where filename is the path and filename for the CA certificate file that you
downloaded in Step 3.
7. On the RMS, run the following command:
gpupdate /force
8. Open the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\
Certificates
9. Under the Certificates key, verify that you have a sub-key with a name that
matches the thumbprint of the CA certificate.
Note: To check the role of the user, use the following steps:
a. Open the SCOM 2007 Console.
b. Go to Administration.
c. Select User Roles.
d. Double-click Operations Manager Adminstrators.
The user account must be a member of this role, either explicitly or
through membership in a security group that is a role member.
2. Start Internet Explorer and access the following URL:
http://localhost/certsrv
Note: If you installed the CA on server remote from RMS, replace localhost
in the URL with the name of the CA.
3. Select Request a certificate.
4. Select Advanced certificate request.
5. Select Create and submit a request to this CA.
6. In the Name field, type the user name.
7. Under Type of Certificate Needed, make sure that Client Authentication
Certificate is selected.
8. Under Key Options, select Mark keys as exportable. This allows the client
certificate to be exported with the private key later.
9. Under Additional Options, type the following in the Attributes box:
san:upn=username@DomainFQDN.local
Where username@DomainFQDN.local is the User Principal Name (UPN) for the
user in Active Directory.
12 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Note: To determine the correct UPN, open the properties for the user in
Active Directory Users and Computers and click the Account tab. The UPN is
listed under User logon name.
10. Click Submit.
11. Click Yes if prompted with a security warning in Internet Explorer.
12. Leave the Internet Explorer window open; you will use it in a later step.
13. Select Administrative Tools → Certification Authority .
14. Click Pending Requests.
15. Right-click the pending request, point to All Tasks and click Issue.
16. Leave the Certification Authority snap-in open.
17. In Internet Explorer, return to the Certificate Services Home page.
18. Click View the status of a pending certificate request.
19. Select the certificate request.
20. Click Install this certificate.
21. If you are prompted with a security warning in Internet Explorer, click Yes.
22. In the Certification Authority snap-in, click Issued Certificates.
23. Double-click the client certificate.
24. Click the Details tab.
25. Click Copy to File.
26. Click Next in the Certificate Export Wizard.
27. Select a location and filename for the client certificate file and click Next.
28. Click Finish.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 13
18. Select Install this certificate.
19. If you are prompted with a security warning in Internet Explorer, click Yes.
The following topics describe how to create and use Enterprise Microsoft CAs:
v “Generating a user template”
v “Generating a client certificate using a template” on page 15
v “Generating a server template” on page 15
v “Generating a server certificate using a template” on page 16
14 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
– Key Usage
v Security (add enroll):
– Add the probe user to the list of Group and User names
– The assigned user (scomuser) must have read, write, and enroll
permissions.
8. Click Apply and then OK.
9. Create the template option in the Issuing CA server by performing the
following steps:
a. Select the Certificate Templates in the Certificate Authority Window .
b. Select New.
c. Select Certificate Template.
d. Select the newly created template.
e. Click OK.
10. Force the propagation of the template by performing the following steps:
a. At the root of the window Certification Authority, select the Issuing CA.
b. Right-click and select All Tasks → Stop Service.
c. Restart the Issuing CA service by right-clicking on the Issuing CA and
selecting All Tasks → Start Service.
d. Run the following on the command line:
gupdate /force
The certificate will then appear in the Certificate snap-in under Local User.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 15
6. Specify a name for the new template, for example SDK Web Server.
7. Select the following options under the tabs indicated:
v General:
– Keep all the default values.
v Request Handling (allow export):
– Purpose is Signature and encryption.
– Minimum Key size is 1024.
– Allow private key to be exported.
v Subject Name :
– Supply in the request.
v Issuance Requirements: nothing
v Superseded Templates: nothing
v Extensions: the following extensions are included
– Application Policies (Server Authentication)
– Certificate Template Information
– Issuance Policies
– Key Usage
v Security (add enroll):
– Add the probe user to the list of Group and User names
– The SDK Service user (scomuser) should have read, write, and enroll
permissions.
– The hostname of the SDK service server (SCOMA) must have
read/enroll permissions.
8. Click Apply, then Ok
9. Create the template option in the Issuing CA server using the following steps:
a. Select Certificate Templates in the Certificate Authority Window.
b. Select New → Certificate Template .
c. Select the newly created template (for example, SDK Service Web Server).
d. Select Ok.
10. Force the propagation of the template using the following steps:
a. At the root of the Certification Authority window, select the Issuing CA.
b. Right-click and select All Tasks → Stop Service.
c. Restart the Issuing CA service, by right-clicking on the Issuing and
selecting All Tasks → Start Service.
d. Run the following command as a domain administrator:
un : gupdate /force
This pushes the CA certificate from the SCOM host to the domain
controller in the PKI environment, so that all hosts and domain controllers
have an updated trusted CA issuers list. This allows each host within the
domain in the enterprise environment (for example, the probe host and
SCOM host), to allow the CA certificate to issue and trust any certificates it
has created. When the probe needs to authenticate using that client
certificate, the CA will trust the certificate.
16 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
1. Log on to the probe server (or other computer within the CA’s domain) as the
user to issue the certificate.
2. Start Internet Explorer and access the Issuing CA’s URL; for example:
http://scom1.scomad.bobdns/certsrv
3. Select Request a certificate.
4. Select Advanced certificate request.
5. Select Create and submit a request to this CA.
6. In the Advanced Certificate Request window, select the newly created
certificate template, (for example, SDK Web Server).
7. Select the following options :
v Specify the Identifying information for offline template (for example,
FQDN) and user mail address.
v Under Key Options, click Store certificate in local computer.
v Under Additional options, specify the FQDN (DNS) attribute in the
Attributes field.
8. Click Submit.
The certificate is then installed in the Certificate snapin under Local Computer.
Managing CA certificates
You can make the generated PKI certificates as trusted, and import them into their
host machines for the probe and the SCOM server to use. You also need to set up
the SCOM SDK connector framework to use the SSL and the SCOM SDK Web
service.
The management of the certificates themselves is the same regardless of how you
created them. There may be small differences in the screens used depending on
which patch level of Microsoft .Net3.0 Service Pack1 you have installed on the
SCOM RMS host.
To import the PKI objects and create trusted certificates, perform the following
steps using the Microsoft certificate console on the SCOM server:
1. Add user and computer accounts.
2. Import the CA as a trusted authority.
3. Import the client certificate.
4. Import the server certificate.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 17
Adding user and computer accounts
To create user and computer accounts using the Microsoft certificate console,
perform the following steps:
1. Open the certificates console window by entering mmc in the Run dialog.
2. Select File → Add/Remove Snap-in....
3. In the Add/Remove Snap-in window, select Add.
4. In the Add Standalone Snap-in window, select Certificates.
5. In the Certificates snap-in window, select My user account, and then click
Finish.
6. In the Add/Remove Snap-in window, select Add.
7. In the Add Standalone Snap-in window, select Certificates .
8. In the Certificates snap-in window, select Computer account, and then click
Next.
9. Select the local computer running the Microsoft certificate console that you
are using.
10. Click Finish.
11. Click OK on the Add/Remove Snap-in window.
The Microsoft certificate console window now lists the available certificates.
18 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
7. Click Browse ->Trusted Root Certification Authorities store -> Ok.
8. Click Next.
9. Click Finish.
The certificate now appears in the main window under Certificates - Current User
/ Personal / Certificates.
The certificate now appears in the main window under Certificates (Local
Computer) - Current User / Personal / Certificates.
Note: Due to a limitation in the SCOM design, updates to the RepeatCount and
the LastModifiedTime fields are notified to the OMCF.
Note: To obtain the server certificate's thumbprint, use the following steps:
a. Select Administrative Tools → Certification Authority.
b. Click Issued Certificates.
c. Double-click the server certificate.
d. Click the Details tab.
e. Click Thumprint in the list of fields.
The thumbprint is displayed in the box below.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 19
f. Highlight the thumbprint and press Ctrl+C.
g. Paste the thumbprint into the text editor.
6. In the text editor, remove all spaces from the certificate thumbprint.
7. At a command prompt, run the following command:
httpcfg query ssl
Note: The hash value for this entry must match the thumbprint of the server
certificate. Some instances of 0 may appear as blanks.
13. Ensure that the SDK service account is a member of the Operations Manager
Administrators User Role.
14. Restart the OpsMgr SDK service.
15. In Internet Explorer, access the following URL:
https://RMSFQDN:51905/ConnectorFramework?wsdl
Where RMSFQDN is the FQDN of the RMS.
16. If you are prompted to choose a digital certificate, select the client certificate
and click OK.
17. Click the Lock icon in Internet Explorer and click View certificates.
The server certificate should be displayed.
20 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
<add key="baseAddressMcfV3" value="https://FQDN:port/
ConnectorFramework"/>
where FQDN (fully qualified domain name) and port are the values on your
target SCOM RMS. The dafault https port is 51905.
3. Add the following section within the <readerQuotas> </binding> section:
<security mode="Transport"> <transport
clientCredentialType="Certificate"/> </security>
4. Update the service metadata element as below:
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://FQDN:port
+1/ConnectorFramework" httpsGetEnabled="true"/>
where FQDN (fully qualified domain name) and port are the values on your
target SCOM RMS. The dafault https port is 51906.
5. Add the serviceCredentials section after <serviceThrottling
maxConcurrentSessions="1000"/> tag:
<serviceCredentials>
<clientCertificate>
<authentication mapClientCertificateToWindowsAccount="true"/>
</clientCertificate>
</serviceCredentials>
The SSL certificate used by the SCOM Connector Framework must be a certificate
trusted by the Java VM that runs the probe. If the certificate is not already in the
list of those trusted, you can add a Trusted Authority using the following method:
To import the CA certificate on the probe host, use the following steps:
1. Copy the CA.cer certificate file from the SCOM server to the probe server.
Note: This is the file copied to the active directory domain controller and
added to the NTAuth store.
2. Import the CA.cer file into the keystore using the following comand:
keytool -import -trustcacerts -keystore java_keystore_path -alias SCOM
-file SSL_certificate_file_path
Where java_keystore_path is the CA certificate file of the JRE 1.5, and
SSL_certificate_file_path is the path to the SSL certificate used by SCOM.
Note: The file to import into cacerts is CA.pem and the default password of this
files is changeit.
3. Enter keystore password.
4. At the prompt Trust this certificate? [no]: enter yes.
The certificate has been added to keystore.
Note: For the probe to use a different CA certificate file without changing the
existing CA certificate file of the JRE, specify the path to this certificate in the
CACertTrustStore property.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 21
Exporting a client certificate for the probe
For the probe to be used either locally, or on a remote host, the client certificate
must be exported into a .PFX file.
Note: You must specify this file name in the ClientCertificate property of the
probe.
Note: The details that you specify must match the name and port configured in
the SCOM server file Microsoft.Mom.Sdk.ServiceHost.exe.config
22 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
4. Edit the probe properties file (the default location is $OMNIHOME/probes/
arch/scom2007.props). As a minimum, set the following properties:
a. CACertTrustStore
Note: Make sure that the CA certificate is correctly imported into the
$JAVA_HOME\lib\security\cacerts file in the probe host for the Java to trust
the client certificate
b. ClientCertificate
c. ClientCertificatePassword
Note: The client certificate must have a valid password. It cannot function
with a null value.
d. Server
e. HostsFile. Modify hosts file (scom2007.hosts) to include FQDN:port for the
SCOM2007 SDK.
Note: For a full description of the properties, see “Properties and command
line options” on page 27.
For details about the configuration that you need to do within Netcool/OMNIbus
and how to run the script, see the README.scom_tool file supplied with the probe.
Internationalization support
The probe supports multibyte character sets (for example, Japanese) and character
sets that contain individual multibyte characters (for example German, French, and
Spanish). To view the character sets correctly, you must configure the locale
settings on the host machine correctly.
If you are using a language that contains multibyte characters, you must set the
LANG environment variables to the name of your character set, and export the
LC_ALL environment variable. For example, if you are using Japanese, set these
environment variables to ja_JP.UTF-8; if you are using German, set these
environment variables to de_DE.UTF-8. This will enable the probe to recognise the
multibyte characters used by your character set when they occur in any network
events.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 23
Table 3. Supported language locales (continued)
Languages AIX HP-UX Solaris Linux
French fr_FR fr_FR fr fr_FR
(standard)
German de_DE de_DE de de_DE
(standard)
Hungarian hu_HU hu_HU hu hu_HU
Italian (standard) it_IT it_IT it it_IT
Japanese ja_JP ja_JP ja ja_JP
Korean ko_KR ko_KR ko ko_KR
Polish pl_PL pl_PL pl pl_PL
Portuguese pt_BR pt_BR pt pt_BR
(Brazilian)
Russian ru_RU ru_RU ru ru_RU
Spanish es_ES es_ES es es_ES
Data acquisition
Each probe uses a different method to acquire data. Which method the probe uses
depends on the target system from which it receives data.
The Probe for Microsoft System Center Operations Manager 2007 acquires data by
creating and subscribing a connector to receive events from the HTTPS Web service
running on the SCOM server.
$OMNIHOME/bin/nco_g_crypt password
You must then set the ClientCertificatePassword property to the encrypted string
that the command generates.
24 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Secure sockets layer (SSL) authentication
You use SSL authentication service to provide Secure Sockets Layer (SSL)
authentication with the SCOM server. The probe connects to the SSL authentication
service using the port specified in the hostsfile.
Acknowledging alerts
The SCOM server keeps sending alerts until the connector acknowledges their
receipt. For each event received, the connector immediately acknowledges the alert
with the time when the alert was last modified.
The Probe for Microsoft System Center Operations Manager 2007 is supplied with
a Command Line Interface (CLI). This interface allows you to perform commands
using the probe (for example, to acknowledge an alarm, or resolve alerts on the
SCOM server).
When the probe starts, it opens a command port that the IBM Tivoli Netcool tools
use to send requests to the probe to perform the following actions:
v Acknowledge an alert - you can change the state of an alert on the SCOM server
to Acknowledged by opening a telnet session with the probe and issuing the
command:
acknowledge_alarm alarmID
Where alarmID is the identifier of the alert within SCOM.
v Resolve an alert - you can change the state of an alert in SCOM to Resolved by
opening a telnet session with the probe and issuing the following command:
resolve_alarm alarmID
Where alarmID is the identifier of the alert within SCOM.
v Update the TicketId field - you can change the value set for the TicketId field of
an alert on the SCOM server by opening a telnet session with the probe and
issuing the following command:
set_ticket_id alertID newTicketId
Where alertID is the identifier of the alert within SCOM to be updated, and
newTicketId is the new value for the TicketId field of the alert.
v Update any field - you can change the value set for several fields in one or more
alerts in SCOM by opening a telnet session with the probe and issuing the
following command:set_field alertID(fieldName=value) alertId(fieldName=
value)alertId(fieldName=value)...
Where alertID is the identifier of an alert within SCOM and the value is the
new value for the specified fieldName field.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 25
v customFieldn
Where n is a value between 1 and 10.
v Owner
v ResolutionState
v TicketId
Note: Use the recommended command syntax which includes parentheses and the
equals signs (=).
The Probe for Microsoft System Center Operations Manager 2007 needs a hosts file
in order to connect to multiple hosts. The HostsFile property specifies from which
file the probe gets host information. The probe reads through the hosts file and
attempts to connect to each host at a given time.
If the HostsFile property is defined, the probe attempts to open the specified file.
This file should contain the required connection information for the probe in the
following format:
FQDN:port
Modes of operation
Note: If there are multiple connectors, only one connector with an existing
subscription receives events from SCOM at any given time.
By default, the probe uses the poll period defined by the PollInterval property to
retrieve only those events that are subscribed in the SCOM server. It parses these
alerts and sends them to the ObjectServer.
If the CleanUpOnShutdown property is set to true, the probe deletes its connector
if it has no subscriptions when the probe disconnects from the SCOM server. The
SCOM server can no longer use the connector created for the probe.
26 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Tip: You can remove a connector that has lost its registration ID manually. For
more information, refer to “Troubleshooting” on page 38.
If the CleanUpOnShutdown property is set to false, the probe does not delete its
connector when it disconnects from the SCOM server.
The probe uses this connector with its next connection to the SCOM server, and
receives all events generated since it was shut down.
The following table describes the properties and command line options specific to
this probe. For information about default properties and command line options, see
the IBM Tivoli Netcool/OMNIbus Probe and Gateway Guide, (SC23-6373).
Table 4. Properties and command line options
Property name Command line option Description
CACertTrustStore string -cacerttruststore string Use this property to specify a
different CA keystore without
changing the existing CA keystore
of the JRE.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 27
Table 4. Properties and command line options (continued)
Property name Command line option Description
ClientCertificatePassword -clientcertificatepassword Use this property to specify the
string string password to access certificates in
the ClientCertificate file.
28 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Table 4. Properties and command line options (continued)
Property name Command line option Description
PeerCommandPort string -peercommandport string Use this property to specify the
port of the peer probe to which
users can telnet to send
commands to the SCOM server
using the Command Line Interface
(CLI).
The default is
%OMNIHOME%\\var\\
scom2007.reco
Retry string -noretry (This is Use this property to specify
equivalent to Retry with a whether the probe retries the
value of false.) connection to the SCOM server if
there is an error while attempting
-retry (This is equivalent a connection:
to Retry with a value of
true.) false: The probe does not retry the
connection.
Set the SCOM_INCLUDES environment variable to include the following jar files
from JAXWS 2.1.1 and WSIT 1.0 patches:
%OMNIHOME%\probes\win32\nco_p_scom2007
If you want to run the probe as a service, run the following command:
%OMNIHOME%\probes\win32\nco_p_scom2007 /INSTALL
This command installs the probe as a service, which you can then run as any other
Windows service.
Note: When installing the probe as a service, set the CLASSPATH environment
variable before running the /INSTALL command.
Tip:
If you want to run the Probe for Microsoft System Center Operations Manager
2007 as a Windows service, set all property values in the properties file and not by
using the command line.
Due to a known issue with nco_p_nonnative, the log file does not contain all the
information required. To remedy this, set the following environment variables:
v Set NDE_DEFAULT_LOG_LEVEL to the value set for the MessageLevel
property.
v Set NDE_FORCE_LOG_MODULE to the value set for the MessageLog property.
To remove the service corresponding to the probe, run the following command:
%OMNIHOME%\probes\win32\nco_p_scom2007 /remove
Note: The Windows service must be run in the same network domain as the
probe.
For details about the command line options available for ClientCertificate and
ClientCertificatePassword properties, see “Properties and command line options”
on page 27.
30 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Elements
The probe breaks event data down into tokens and parses them into elements.
Elements are used to assign values to ObjectServer fields; the field values contain
the event details in a form that the ObjectServer understands.
The following table describes the elements that the Probe for Microsoft System
Center Operations Manager 2007 generates. Not all the elements described are
generated for each event; the elements that the probe generates depends upon the
event type.
Table 5. Elements
Element name Element description
$alertParams This element indicates whether the method
parameters is declared for the alarm.
$category This element shows the category of the alarm.
$connectorId This element contains the connector ID that the
probe registered with the SCOM server.
$connectorStatus This element identifies the status of the
Connector ID created in the SCOM server.
$context_tagName This element shows the context of the alarm with
a field name. The field name denotes the content
of $context field.
$customFieldn This element contains data from a user-defined
field.
$description This element shows the description of the alarm.
$displayString This element contains the string for display.
$id This element identifies the unique identifier of
the event.
$isMonitorAlert This element indicates whether the event can be
monitored.
$languageCode This element indicates the language of the code
in which the events are presented.
$lastModified This element shows the time of the latest update
on the event.
$lastModifiedBy This element contains the User ID of the last
person to modify the event.
$lastModifiedByNonConnector This element shows the time when the latest
update on the alert is done through the CLI.
$lastTimeStateModified This element shows the time at which the state of
the alert was last modified.
$maintenanceModeLastModified This element shows the time when the
maintenance mode was last modified.
$managementGroupId This element shows the identifier of the
management group.
$managementGroupName This element contains the name of the
management group.
$managementPackCategoryType This element indicates the category type of the
management pack.
$modifiedBy This element shows name of the user who
modified the alert.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 31
Table 5. Elements (continued)
Element name Element description
$monitoringClassId This element contains the identifier of the
monitoring class.
$monitoringObjectDisplayName This element shows the name displayed for the
monitoring object.
$monitoringObjectFullName This element contains the full name of the
monitoring object.
$monitoringObjectHealthState This element shows status of the monitoring
object.
$monitoringObjectId This element contains the ID of the monitoring
object.
$monitoringObjectInMaintenanceMode This element identifies whether the monitoring
object is in maintenance mode.
$monitoringObjectName This element shows the name of the monitoring
object.
$monitoringObjectPath This element contains the path to the monitoring
object.
$monitoringRuleId This element contains the identifier of the rule set
for the monitoring object.
$name This element shows the name of the element.
$netbiosComputerName This element contains the NetBios computer
name of the Windows Server 2003 Service Pack1
computer.
$netbiosDomainName This element contains the domain name of the
NetBios computer.
$owner This element shows the User ID of the owner of
the event. The user ID is usually a user account.
$ownerName This element shows the name of the owner of the
alert.
$principalName This element contains the principle name.
$priority This element indicates the priority as defined by
the SCOM server.
$problemId This element contains the identifier of the
problem.
$repeatCount This element shows number of times this alert
has occurred.
$resolutionState This element identifies the resolution state of the
alert.
$resolvedBy This element shows the name of the user account
responsible for resolving the alert; appears when
the alert is resolved.
$severity This element indicates the severity of the alert.
$siteName This element shows the name of the site where
SCOM is installed as given in the header of the
alarm buffer display.
$stateLastModified This element contains the name of the user
account last modified the alert.
32 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Table 5. Elements (continued)
Element name Element description
$ticketID This element shows the identifier of the ticket in
which the alert is described.
$timeAdded This element contains the time at which the alert
was added to the SCOM system.
$timeCreated This element contains the time at which the
SCOM system has created the alarm.
$timeCreatedUTC This element contains the time (in UTC format) at
which the SCOM system has created the alarm.
$timeLastModified This element contains the time at which the
details of the alert were last modified.
$timeRaised This element contains the time when the alert
was raised.
$timeResolutionStateLastModified This element contains the time when the
resolution state of the alert last modified.
Error messages
Error messages provide information about problems that occur while running the
probe. You can use the information that they contain to resolve such problems.
The following table describes the error messages specific to this probe. For
information about generic error messages, see the IBM Tivoli Netcool/OMNIbus
Probe and Gateway Guide, (SC23-6373).
Table 6. Error messages
Error Description Action
Failed to acknowledge Either the alarm received Check that the SCOM server
alert: ackId from the SCOM server is running correctly.
contained corrupt data or the
Failed to acknowledge wrong identifier was sent for
discovery event:ackId acknowledgement.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 33
Table 6. Error messages (continued)
Error Description Action
Failed to read There was a problem reading Check that the permissions
registration ID from the recovery file. have been set correctly on the
recovery file file specified by the
RegistrationIdRecoveryFile
Failed to write property.
registration ID
registrationId to
recovery file
Command_Port Failed to There was a problem Check that you have specified
close client socket communicating with the a valid command port using
SCOM server using the the CommandPort property.
Command_Port Failed to command port of the probe. Check the connection to the
get CommandPortLimit SCOM server.
property - using 10
Command_Port Failed to
open listening socket
Command_Port host_name
Failed to close command
socket
Command_Port host_name
Failed to get socket IO
Command_Port host_name
Failed to read command
Command_Port host_name
Failed to set socket
timeout
Command_Port host_name
Failed to write to client
34 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Table 6. Error messages (continued)
Error Description Action
Failed to clean up There was a problem creating Check whether the resolution
resolution state the new resolution state. state already exists on the
SCOM server.
Failed to get alerts
Failed to uninitialize
connector
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 35
Table 6. Error messages (continued)
Error Description Action
Failed to clean up The probe could not clean up Check that the connector is
connector the existing connector ID at properly created, or the
the beginning or end of the SCOM server is running
connection to the server. correctly.
Exception while calling The probe found an exception Check whether the alert IDs
update MonitoringAlerts while updating the alerts. specified in the update
command exist in the SCOM
All the requested alerts server.
haven't been found
ProbeWatch messages
During normal operations, the probe generates ProbeWatch messages and sends
them to the ObjectServer. These messages tell the ObjectServer how the probe is
running.
The following table describes the raw ProbeWatch error messages that the probe
generates. For information about generic ProbeWatch messages, see the IBM Tivoli
Netcool/OMNIbus Probe and Gateway Guide, (SC23-6373).
Table 7. ProbeWatch messages
ProbeWatch message Description Triggers/causes
Failed to open listening The probe failed to open a The port specified by the
socket socket on that command port. CommandPort property is
already in use. Specify a
different port in the properties
file.
36 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Table 7. ProbeWatch messages (continued)
ProbeWatch message Description Triggers/causes
Received connection from The command port has A user logged onto the
hostname received a connection to its command port specified by
CLI. the CommandPort property
to send a request to the
SCOM server.
Failed to connect to SCOM The probe failed to connect to An authentication problem
interface the SCOM interface. occurred. Check your SSL
settings.
Connected to SCOM The probe has connected The probe was started and
interface successfully. successfully connected to the
SCOM server.
To install the Desktop tools into the database, run the following command:
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 37
The tools for Windows use a script that requires the DLL
netcool_tivoli_socket.dll, which is included with the probe. This script must be
registered by the operating system before you can run the tools. To do this, run the
following command:
%SYSTEMROOT%\system32\regsvr32 C:\Progra~1\Netcool\OMNIbus\probes\nt351\
netcool_tivoli_socket.dll
To install the Desktop tools into the database, run the following command:
The tools for Windows use a script that requires the DLL netcool_tivoli_socket.dll,
which is included with the probe. This script must be registered by the operating
system before you can run the tools. To do this, run the following command:
%SYSTEMROOT%\system32\regsvr32 C:\Progra~1\Micromuse\netcool\omnibus\
probes\win32\netcool_tivoli_socket.dll
To install the Webtop tools into the database, use the following steps:
1. Replace instances of win32 with nt351 in the file WindowsSCOMTools.sql to
reflect differences in the IBM Tivoli Netcool/OMNIbus V7.0 directory structure.
2. Run the following command:
To install the Webtop tools into the database, run the following command:
Troubleshooting
This section contains troubleshooting information and details about known issues.
38 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
3. Locate the lost connector ID within the list displayed.
To find and remove a connector whose registration ID is lost, use the following
steps:
1. Create a file with the name removeConnector.txt. The file must contain the
following commands:
use OperationsManager
execute [dbo].[p_ConnectorDelete] ’3C4111C1-E3E5-4415-B3CF-
7A61056F5EF2’
2. Replace the connector ID 3C4111C1-E3E5-4415-B3CF-7A61056F5EF2 in the
removeConnector.txt file with the lost connector ID.
3. Use the following command to remove the specified connector ID:
C:\>Sqlcmd -i C:\removeConnector.txt
Note:
You can also remove a connector using the Microsoft System Center Operations
Manager GUI.
An HTTP 403 Forbidden error is usually due to a problem with the user certificate.
It could be that the user cannot be mapped to a domain user on the Windows box,
see “Installing the client certificate” on page 12.
User errors usually happen when the probe tries to call getGlobalConfig() just
after retrieving successfully the ConnectorFramework object. If this is the case, put
the SDK in debug mode and run the probe again.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 39
exec $OMNIHOME/probes/$ARCH/nco_p_nonnative java
-Djavax.net.debug=ssl:handshake:verbose $NCO_JPROBE_JAVA_FLAGS -cp
$CLASSPATH $NCO_JPROBE_JAVA_XFLAGS -DOMNIHOME="$OMNIHOME" $PROGRAM "$@"
----------------------------
4. Set the following environment variables to enable nonnative debug output as
well as Java debug output:
NCO_P_NONNATIVE_TRANSCRIPT=\tmp\debug.txt
NDE_DEFAULT_LOG_LEVEL=debug
NDE_FORCE_LOG_MODULE=\tmp\MOM_FORCED.log
5. Run the probe and generate the required debug log files.
To obtain the testing tool (MCF.exe), you must contact Microsoft Support.
Note: The client certificate is the .cer file that you exported using the SCOM
administration console
4. Run the following command:
mcf RMSFQDN client.cer
Where RMSFQDN is the FQDN of the RMS and client.cer is the name of the client
certificate file.
This indicates that the client certificate is valid and will work with the probe when
installed as such.
If the message does not display Global Configuration, then this indicates that the
client certificate is not valid and will not work with the probe.
If the MCF test tool cannot connect, this indicates that there is a client certificate
issue in the relevant type being used, that must be fixed first before the probe can
attempt a succesful connection using the same type of client certificate when
presented.
40 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
For issues relating to the creation commands of the OpenSSL certificates, contact
IBM Software Support.
If the service pack for Net3.0 is present on the SCOM host, you must perform the
following steps to get the CA certificate to trust the client certificate, other wise all
client certificates will fail:
1. Determine whether the service pack for Net3.0 has been installed on the SCOM
host by using the following steps:
a. Select Windows → Start Menu → Control Panel → Add remove programs →
Windows Components .
b. b. Select Show updates ticked.
c. c. Verify whether the patch is present on the SCOM host.
If the service pack is present, you must add the CA certificate to the trusted
issuers list on the Underlying Domain Controller in active directory.
2. Enable use of the Subject Alternative Name field for the Standalone/Enterprise
Microsoft CA by running the following commands on the CA server, pressing
Enter after each command:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
3. Import the CA certificate into the Enterprise NTAuth store using the following
steps:
a. Open Internet Explorer on the CA and access the following URL:
http://localhost/certsrv (or relevant OpenSSL certificate previously
created).
b. Select Download a CA certificate, certificate chain, or CRL.
c. Select Download CA certificate.
d. Click Save.
e. Copy the CA certificate file to a domain controller.
f. On the domain controller, run the following command:
certutil -dspublish -f filename NTAuthCA
Where filename is the path and filename for the CA certificate file that you
downloaded in Steps b to d.
g. On the RMS, run the following command:
gpupdate /force.
This command pushes the CA certificate from the local registry onto the
relevant domain controller, making the CA certificate become an Enterprise
CA certificate.
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 41
h. Open the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\EnterpriseCertificates\NTAuth\Certificates
i. Under the Certificates key, verify that you have a sub-key with a name that
matches the thumbprint of the CA certificate.
j. Use the following steps to determine the CA certificate’s thumbprint:
1) Double-click the CA certficate file.
2) Click the Details tab.
3) Click Thumprint in the list of fields.
The thumbprint is displayed in the box below. This number must match one
of the sub-keys under HKLM\SOFTWARE\Microsoft\
EnterpriseCertificates\NTAuth\Certificates. You must do this for all CA
certificates.
In this case, the Probe for Microsoft System Center Operations Manager 2007
cannot receive these updated alerts as they are not available at the connector. This
results in a mismatch in the LastModifiedTime and the Count of the same alert
between the OpsMgr and the ObjectServer.
Additional references
This section contains a list of links to useful information about SSL and CA
certificates.
http://technet2.microsoft.com/windowsserver/en/library/c22a4d3d-6335-4b9b-
b344-bbae041203b41033.mspx?mfr=true
http://support.microsoft.com/kb/295663
Certificates used for authentication require CRL - 281245 (see section 5):
http://support.microsoft.com/kb/281245
Subject Alternative Name field needs to contain the UPN of the user from Active
Directory.
http://support.microsoft.com/kb/931351
http://support.microsoft.com/kb/931351
42 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
How to import third-party certification authority (CA) certificates into the
Enterprise NTAuth store:
http://support.microsoft.com/kb/295663
http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/topic/
com.ibm.netcool_OMNIbus.doc/probes/msopman07/msopman07-pdf.pdf
http://blogs.msdn.com/jakuboleksy/archive/2007/04/02/mcf-from-non-windows-
clients.aspx
http://technet.microsoft.com/en-us/library/cc135718.aspx
OpenSSL commands:
http://www.openssl.org/docs/apps/openssl.html
http://shib.kuleuven.be/docs/ssl_commands.shtml
http://www.slproweb.com/products/Win32OpenSSL.html
http://technet2.microsoft.com/windowsserver/en/library/3f5fdc52-8623-4336-
840d-e90b2399c8541033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/Library/0e4472ff-fe9b-4fa7-
b5b1-9bb6c5a7f76e1033.mspx?mfr=true
IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager 2007 43
44 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
Appendix. Notices and Trademarks
This appendix contains the following sections:
v Notices
v Trademarks
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
Software Interoperability Coordinator, Department 49XA
3605 Highway 52 N
Rochester, MN 55901
U.S.A.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
46 IBM Tivoli Netcool/OMNIbus Probe for Microsoft System Center Operations Manager: Reference Guide
COPYRIGHT LICENSE:
Each copy or any portion of these sample programs or any derivative work, must
include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp.
Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights
reserved.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Trademarks
IBM, the IBM logo, ibm.com®, AIX®, Tivoli, and Netcool® are trademarks of
International Business Machines Corporation in the United States, other countries,
or both.
Adobe, Acrobat, Portable Document Format (PDF), PostScript, and all Adobe-based
trademarks are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Printed in USA
SC23-8843-02