Configuration Manager Management Point Interface Security

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

In Microsoft System Center Configuration Manager 2007, the management point interfaces can work with Configuration Manager 2007 native and mixed site modes and make extensive use of certificates for client authentication and message signing. The ISmsMessage4 interface provides configuration methods for security settings.

Warning

The security of communication between the ISV clients and the ISV proxy is the responsibility of the ISV software.

Certificate Usage

In either mode, the use of certificates is an integral part of communication between the management point interfaces and the management point.

In the ISV proxy scenario, a single certificate for the ISV proxy is used to sign messages for all clients that are managed through the proxy. The ISV proxy certificate has to be registered with Configuration Manager before it can be trusted.

Note

Registration is achieved by manually importing the certificate's public key into Configuration Manager using the Configuration Manager console. For more information, see Configuring an ISV Proxy Application in Configuration Manager.

For the highest security, certificates should be used for communication between the clients and the ISV proxy. These certificates, however, are not used by the ISV proxy to communicate with the management point.

In the single client scenario, each client has its own unique certificate that is used to sign messages that are sent from the management point interfaces to the management point.

Native Mode

Native mode provides a high level of security through the use of a public key infrastructure (PKI) for client-to-server communication. It is required for Internet-based communication.

In native mode, an application that is using the management interfaces must use the appropriate PKI certificates.

To use the Configuration Manager management point interfaces in native mode, you must do the following:

  • Get the SHA1 Certificate Thumbprint hash that is used to locate the client certificate. The buffer that is used to contain the thumbprint must be allocated by using CoTaskMemAlloc.

  • Set the security flags for the message by using ISmsMessage::SetSecurityFlags. The flags you set depend on the target endpoint. For more information about the flags that are required for specific endpoints, see Configuration Manager Management Point Message Schema. For information about the available flags, see MPAPI_SECURITY_FLAGS Enumeration.

  • Set the HTTP port that is used for communication.

  • Verify the signature of the management point.

For an example, see How to Register a Client with Configuration Manager.
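
The first step above, sketched as an added example (not code from the original page or the Configuration Manager SDK): turning a SHA-1 thumbprint string, as displayed in a certificate dialog, into the 20-byte buffer allocated with CoTaskMemAlloc. The names thumbprint_from_text, TP_ALLOC and TP_FREE are hypothetical, and malloc stands in for the COM allocator on non-Windows builds; how the buffer is passed to the management point interfaces is not shown.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <objbase.h>               /* CoTaskMemAlloc / CoTaskMemFree */
#define TP_ALLOC(n) CoTaskMemAlloc(n)
#define TP_FREE(p)  CoTaskMemFree(p)
#else                              /* assumption: malloc stands in off Windows */
#define TP_ALLOC(n) malloc(n)
#define TP_FREE(p)  free(p)
#endif

#define SHA1_THUMBPRINT_LEN 20     /* SHA-1 digest size in bytes */

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: convert a thumbprint string ("ab cd ...", "AB:CD:...")
 * into 20 raw bytes. Returns a buffer from TP_ALLOC that the caller releases
 * with TP_FREE, or NULL when the input is not exactly one SHA-1 digest. */
unsigned char *thumbprint_from_text(const char *text)
{
    unsigned char out[SHA1_THUMBPRINT_LEN];
    size_t nibbles = 0;
    const unsigned char *p = (const unsigned char *)text;

    if (text == NULL) return NULL;
    /* Skip a UTF-8 left-to-right mark (U+200E) that copy and paste can prepend. */
    if (strncmp(text, "\xE2\x80\x8E", 3) == 0) p += 3;
    for (; *p != '\0'; p++) {
        int v;
        if (*p == ' ' || *p == ':') continue;           /* display separators */
        v = hex_val(*p);
        if (v < 0 || nibbles >= 2 * SHA1_THUMBPRINT_LEN) return NULL;
        if (nibbles % 2 == 0) out[nibbles / 2] = (unsigned char)(v << 4);
        else                  out[nibbles / 2] |= (unsigned char)v;
        nibbles++;
    }
    if (nibbles != 2 * SHA1_THUMBPRINT_LEN) return NULL; /* wrong length */

    unsigned char *buf = TP_ALLOC(SHA1_THUMBPRINT_LEN);
    if (buf != NULL) memcpy(buf, out, SHA1_THUMBPRINT_LEN);
    return buf;
}
```

Rejecting anything that is not exactly 40 hexadecimal digits keeps a truncated or mistyped thumbprint from silently failing to locate the client certificate later.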

Mixed Mode

Mixed mode provides a supported site mode for networking environments that do not have an existing PKI, and provides backward compatibility with SMS 2003.

In mixed mode, an application that is using the management interface must create its own self-signed certificate by using CertCreateSelfSignCertificate or an equivalent function. Using the created certificate, the client signs its own messages in mixed mode. Typically, this happens when the ISV proxy application is installed. The only requirements for self-signed certificates are that they are self-signed, have permissions to be accessed by the management point API, and are capable of signing and encrypting data. For more information, see the MSDN documentation for CertCreateSelfSignCertificate Function.

To securely send data, such as the network access account that is sent in policy body messages, mixed mode supports encryption of sensitive data being sent. The ISV proxy, or single client, uses its public key to read the encrypted data. In mixed mode, the management point interface encrypts inventory and state messages sent up to the management point.

Note

Because native mode is required for Internet-based clients, any messages that are received from Internet-based clients in a mixed mode environment are discarded.

To use the Configuration Manager management point interfaces in mixed mode, you must do the following:

For an example, see How to Register a Client with Configuration Manager.

See Also

Concepts

About Configuration Manager Management Point Interface Messages
Configuration Manager Management Point Interface Architecture
Configuration Manager Management Point Interface Workflow