Agents are initially authenticated via Kerberos or certificates. Then that same protocol is used for encryption of the channel, per:
https://technet.microsoft.com/en-us/library/bb735408.aspx

> From the agent to the gateway server, the Kerberos security package is used to encrypt the data, because the gateway server and the agent are in the same domain. The alert is decrypted by the gateway server and re-encrypted using certificates for the management server. After the management server receives the alert, the management server decrypts the message, re-encrypts it using the Kerberos protocol, and sends it to the RMS where the RMS decrypts the alert. Some communication between the RMS and the agent may include credential information; for example, configuration data and tasks. The data channel between the agent and the management server adds another layer of encryption in addition to the normal channel encryption. No user intervention is required.

So the "normal" channel is encrypted via the same process used for mutual authentication. The "other" layer mentioned above is for RunAs account decryption, which is detailed below.

Then there is another dynamic certificate key exchange used to encrypt some of the traffic. You can see this certificate under the Certificates view of the computer account of every agent or MS, in the "Operations Manager" folder:

[inline image omitted: cid:[email protected]]

This cert has nothing to do with authentication; it is used for encryption/decryption of the config file for RunAs account distribution in config. It is totally dynamic, and the cert gets regenerated automatically when necessary. If you delete it, it will regenerate on the next Health Service restart. You will see this event in the log:

Log Name: Operations Manager
Source: HealthService
Date: 12/3/2015 8:23:12 AM
Event ID: 7006
Task Category: Health Service
Level: Information
Keywords: Classic
User: N/A
Computer: WINS2012R2.dmz.corp
Description: The Health Service has published the public key [4A A8 71 8B 0D 3F 9E 9D 4A 59 44 D8 EE BC B1 42 ] used to send it secure messages to management group OMMG1. This message only indicates that the key is scheduled for delivery, not that delivery has been confirmed.

The thumbprint in this message matches the cert in that location. The certificate is solely used to protect RunAs account credentials in transit from the management server to the agent. It doesn't have any impact on how they are stored on the agent itself, and it is not used for authentication. On the agent, RunAs accounts are stored in the registry and protected using DPAPI.

RunAs accounts are sent to the agent as part of the OpsMgrConnector.Config.xml file. In that file the RunAs accounts are encrypted, base64 encoded, and placed in the Message/State/SecureData element. The encryption key is the agent's self-signed certificate. When the agent starts up, it creates (or gets the existing) certificate and publishes the public key to its management server, which then submits it to the database via the SDK service. When the configuration service generates configuration for an agent, it looks up the public key for that agent and uses that key to encrypt the SecureData part of the configuration XML. The agent cert has a lifetime of 1 year, and the agent will generate and transmit a new certificate when it is getting near expiration.

From: [email protected] [mailto:[email protected]] On Behalf Of Pete Hakesley
Sent: Thursday, December 3, 2015 5:24 AM
To: MSMOM ([email protected]) <[email protected]>
Subject: [msmom] Agent to MS Traffic Encryption

Hi all,

Had an interesting question yesterday. We know the requirement for certificates and that the agent initiates the comms to the GW/MS for attack-vector reasons etc. But the question is: is the data between the agent and the GW/MS encrypted in any way? We are bidding for a contract for a financial organisation [SCOM 2012 R2 multi-tenant] and they need to know. Microsoft literature alludes to yes, but I cannot find a definitive statement. Can anyone help?
Peter Hakesley | Monitoring & Automation Technical Lead Engineer, Data Centre Services
t: +44(0)845 155 6556 ext: 4006
e: [email protected] | w: www.scc.com
a: SCC, CV1, Cole Valley, 20 Westwood Avenue, Tyseley, Birmingham B11 3RZ
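The reply above describes three agent-side artifacts of the RunAs protection: the self-signed certificate in the "Operations Manager" store (1-year lifetime, re-keyed near expiry), the HealthService 7006 event that announces the published public key, and the base64-encoded SecureData element in the cached OpsMgrConnector.Config.xml. The following PowerShell is an added example written for this page; it is not code from the thread, from Microsoft, or from any SCOM tooling. It assumes (none of which the thread confirms) that the store is reachable as `Cert:\LocalMachine\Operations Manager`, that the event provider name is `HealthService`, that the config cache sits under the Microsoft Monitoring Agent install folder, and it uses an arbitrary 30-day renewal-warning threshold. It prints the certificate thumbprint and the key bytes from the event side by side so the reader can compare them, and checks that SecureData holds ciphertext rather than readable text.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# on a SCOM 2012 R2 agent or management server.

function Get-OpsMgrAgentCert {
    # The self-signed cert the Health Service uses to receive encrypted RunAs data.
    # RenewalWarningDays is an arbitrary threshold chosen for this example.
    param([int]$RenewalWarningDays = 30)
    # Assumption: the "Operations Manager" store is exposed under LocalMachine on the Cert: drive.
    Get-ChildItem -Path 'Cert:\LocalMachine\Operations Manager' -ErrorAction Stop | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NearExpiry = ($daysLeft -le $RenewalWarningDays)   # agent should be re-keying soon
        }
    }
}

function Get-OpsMgrPublishedKeyEvents {
    # HealthService event 7006: "...has published the public key [xx xx ...]
    # used to send it secure messages to management group X."
    param([int]$MaxEvents = 5)
    # Assumption: the provider name matches the event Source shown in the thread.
    $filter = @{ LogName = 'Operations Manager'; ProviderName = 'HealthService'; Id = 7006 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'public key \[([0-9A-Fa-f ]+)\].*management group ([^\s.]+)') {
                [pscustomobject]@{
                    TimeCreated     = $_.TimeCreated
                    KeyBytesHex     = ($Matches[1] -replace '\s', '')
                    ManagementGroup = $Matches[2]
                }
            }
        }
}

function Test-OpsMgrSecureData {
    # Confirm the RunAs payload in the cached config is present only as base64
    # ciphertext, i.e. the SecureData element does not decode to readable XML/text.
    param(
        # Assumption: default install path of the Microsoft Monitoring Agent.
        [string]$CacheRoot = (Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent\Health Service State\Connector Configuration Cache')
    )
    Get-ChildItem -Path $CacheRoot -Filter 'OpsMgrConnector.Config.xml' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            # local-name() sidesteps any default namespace declared on the document
            $node   = $doc.SelectSingleNode('//*[local-name()="SecureData"]')
            $status = 'NoSecureData'
            $bytes  = 0
            if ($node -and $node.InnerText.Trim()) {
                try {
                    $raw   = [Convert]::FromBase64String($node.InnerText.Trim())
                    $bytes = $raw.Length
                    # Ciphertext should neither start with '<' (XML) nor be mostly printable ASCII.
                    $printable = ($raw | Where-Object { $_ -ge 32 -and $_ -le 126 }).Count
                    if ($bytes -gt 0 -and ($raw[0] -eq 0x3C -or $printable -gt ($bytes * 0.9))) {
                        $status = 'LooksLikePlaintext'
                    } else {
                        $status = 'Ciphertext'
                    }
                } catch {
                    $status = 'NotBase64'
                }
            }
            [pscustomobject]@{ File = $_.FullName; SecureDataBytes = $bytes; Status = $status }
        }
}

Get-OpsMgrAgentCert          | Format-Table -AutoSize
Get-OpsMgrPublishedKeyEvents | Format-Table -AutoSize
Test-OpsMgrSecureData        | Format-Table -AutoSize
```

A `LooksLikePlaintext` or `NotBase64` result on SecureData, or a 7006 event for a management group whose certificate is missing or near expiry, is the kind of finding a reviewer for the financial-sector bid above would want surfaced; a `Ciphertext` result only shows the payload is opaque, it does not by itself prove which key encrypted it.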
