
Tuesday 19 June 2012

Configuring SCUP 2011, Shavlik/VMware Vcenter Protect Update Catalog With PKI

In case you were unaware, VMware acquired Shavlik Technologies some time last year, which means the product formerly known as Shavlik SCUPdates is now known as VMware vCenter Protect Update Catalog.

The function of this product is to provide update management for third-party apps such as Flash, Java etc. directly from the ConfigMgr 2007/2012 console.

This blog post assumes you already have WSUS and Config Mgr 2012 running on the same server, although I'm sure the process will be no different for Config Mgr 2007.

This post will guide you through the following:

  • Installing SCUP & required hotfix
  • Creating a certificate template for WSUS
  • Requesting a certificate from the root CA
  • Installing the certificate in SCUP and configuring Config Mgr integration
  • Exporting the certificate with the public Key
  • Importing the certificate into the correct stores
  • Adding the Shavlik catalog to SCUP
  • Creating a GPO to distribute your certificate and update settings

Installing SCUP 2011 & required hotfix

First off download SCUP 2011 from here and this hotfix

Install the hotfix first, which should take no more than a few seconds, and then run through the SCUP 2011 install, accepting all of the defaults and skipping the hotfix (since you already did this).

Creating a certificate template for WSUS

Once installed, connect to your root CA and open the certsrv MMC snap-in (typing certsrv.msc from Run is the quickest way to find it).

Now right-click on Certificate Templates and click Manage.


In the new window that opens, find the Computer template, right-click it and select Duplicate Template.

In the dialog box that launches select Windows Server 2003 Enterprise

On the General tab enter a name, increase the validity period if you wish (I did, since this is in my test lab) and tick the box Publish certificate in Active Directory.

On the Request Handling tab change the minimum key size to 2048 and tick Allow private key to be exported.


On the Subject Name tab select Common name for the subject name format, and leave DNS name ticked.

Then on the Extensions tab, highlight Application Policies and click Edit. Remove both Client Authentication and Server Authentication and press OK.

Now on the Security tab add the computer account of your SCCM server, give it Read and Enroll access and press OK.

Now back in the certsrv console right-click on Certificate Templates and select New -> Certificate Template to Issue.

Select your WSUS certificate template from the list and press Finish.


Requesting a certificate from the root CA

Back on your SCCM/SCUP/WSUS server, open the Certificates MMC snap-in; when asked, choose Computer account and then Local computer. Once open, right-click on Personal and click All Tasks -> Request New Certificate.


Press Next

You should see your certificate template in the list, select it and press Enroll

Once complete it should give you a nice healthy green tick, press Finish

Now right-click on the certificate and click All Tasks -> Export.

Hit Next...

Tick Yes, export the private key

Leave defaults as shown below

Enter a password to protect the certificate and press Next

Select a location to save it and hit Next

Now click Finish
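The enrolment and export steps above can be checked from PowerShell before the PFX is handed to SCUP. The script below is an added example and is not part of the original post or of SCUP: it locates the certificate issued from your template in the local machine Personal store, confirms the settings the template was supposed to enforce (2048-bit key, no Client/Server Authentication usages, not about to expire) and exports it to a password-protected PFX. The template name "WSUS Signing" and the output path are placeholders, and Export-PfxCertificate assumes the PKI module (Windows 8 / Server 2012 or later); on Server 2008 R2 use the MMC export wizard for the last step, the checks still apply.

```powershell
# Added example, not part of the original post: verify the enrolled WSUS signing certificate
# and export it to a PFX for SCUP. Placeholders: $TemplateName and $PfxPath.
# Requires the PKI module (Export-PfxCertificate) on Windows 8 / Server 2012 or later.

$TemplateName = 'WSUS Signing'               # placeholder: your template's display name
$PfxPath      = 'C:\Certs\scup-signing.pfx'  # placeholder: where to write the PFX

# The issuing template is recorded in the "Certificate Template Information" (v2 templates,
# OID 1.3.6.1.4.1.311.21.7) or "Certificate Template Name" (v1, OID 1.3.6.1.4.1.311.20.2) extension.
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $Certificate.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }
}

# Newest certificate with a private key that came from our template.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ((Get-TemplateText $_) -match [regex]::Escape($TemplateName)) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key from template '$TemplateName' found in LocalMachine\My"
}

# Checks that mirror the template settings: 2048-bit key, sensible lifetime, and no
# Client/Server Authentication usages (SCUP only needs the key for signing).
$problems = @()
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "key size is $keySize, expected at least 2048" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($cert.NotAfter)" }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if ($usages -contains '1.3.6.1.5.5.7.3.1' -or $usages -contains '1.3.6.1.5.5.7.3.2') {
        $problems += 'Client/Server Authentication EKU still present; re-check Application Policies on the template'
    }
}
if ($problems) { throw ("Certificate $($cert.Thumbprint) failed checks:`n - " + ($problems -join "`n - ")) }

"Using certificate $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"

$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath -Parent) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

# The PFX holds the key every client will trust for updates: restrict it to admins and SYSTEM.
icacls $PfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
"Exported to $PfxPath"
```

Run it in an elevated PowerShell on the SCCM/SCUP/WSUS server. If it throws on the EKU check, the Application Policies edit on the template did not take effect and the certificate should be re-issued rather than used as-is.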



Installing the certificate in SCUP and configuring Config Mgr integration

Launch the SCUP console as administrator for this part; if you don't, you WILL get an error at some point during this process.

Once open, click the ribbon icon top left and select Options.


On the Update Server tab tick Enable publishing to an update server, select Connect to a local update server, click Browse and select your exported certificate, press Test Connection and then input your certificate password. Once done, click OK.

**NOTE**
I found a bug with this dialog box: even if you have local update server selected but have removed the values from the remote update server box, it will display red exclamation marks and OK will be greyed out until you put something in the box, so watch out for that one!

Now select the ConfigMgr Server tab and tick Enable Configuration Manager Integration, enter the details as shown below and press OK once done.

The threshold values you see define how many clients must have requested a package, and how large it can be, for it to be published automatically. This ONLY applies when you select Automatic as your publication type for updates (as opposed to Metadata only or Full content).

It is also a very good idea to go into Advanced options and tick Add timestamp when signing updates (requires Internet connectivity), so that software updates remain usable after their signing certificate expires. An update stays valid as long as it was signed and timestamped while the signing certificate was valid; by default, software updates cannot be deployed after their signing certificate expires.
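Whether the timestamp option actually took effect is easy to miss until a certificate expires, so the following added example (not from the original post and not part of SCUP) scans a WSUS content folder and reports, for each update file, whether it is Authenticode-signed by the certificate SCUP placed in the LocalMachine\WSUS store and whether the signature carries a timestamp. The content path is a placeholder; Microsoft's own updates in the same folder will show SignedByScup as False, which is expected.

```powershell
# Added example, not part of the original post: audit SCUP-published updates for a signature
# from the WSUS store certificate and for a timestamp. Placeholder: $ContentRoot.

$ContentRoot = 'D:\WSUS\WsusContent'   # placeholder: your WSUS content folder

# SCUP installs the signing certificate into the LocalMachine\WSUS store when publishing is enabled.
$scupCert = Get-ChildItem Cert:\LocalMachine\WSUS | Select-Object -First 1
if (-not $scupCert) {
    throw 'No certificate in the LocalMachine\WSUS store; SCUP publishing has not been configured on this server'
}

function Test-ScupSignature {
    param(
        [string]$Path,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Expected
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $sig.SignerCertificate
    $stamper = $sig.TimeStamperCertificate
    $timeStamper = ''
    if ($stamper) { $timeStamper = $stamper.Subject }
    New-Object PSObject -Property @{
        File         = Split-Path $Path -Leaf
        Status       = $sig.Status     # Valid: hash matches and the signer's chain is trusted on this machine
        SignedByScup = [bool]($signer -and $signer.Thumbprint -eq $Expected.Thumbprint)
        TimeStamped  = [bool]$stamper
        TimeStamper  = $timeStamper
    }
}

$report = Get-ChildItem -Path $ContentRoot -Recurse -Include *.cab, *.exe, *.msi, *.msp |
    ForEach-Object { Test-ScupSignature -Path $_.FullName -Expected $scupCert }

$report | Format-Table File, Status, SignedByScup, TimeStamped, TimeStamper -AutoSize

# Anything SCUP signed without a timestamp will stop deploying once the WSUS certificate expires.
$report | Where-Object { $_.SignedByScup -and -not $_.TimeStamped } |
    ForEach-Object { Write-Warning "$($_.File) is signed by the SCUP certificate but not timestamped" }
```

A Status other than Valid on a SCUP-signed file on the server itself usually means the Trusted Publishers / Trusted Root import described in the next sections has not been done yet on that machine.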



Exporting the certificate with the public key

Now, still on your SCCM/SCUP/WSUS server, switch back to your Certificates console and refresh. You will see a new WSUS node on the left-hand side; if you expand it you will see the certificate we imported. Right-click on it, then All Tasks -> Export.



This will launch the export wizard, click Next

Select No, do not export the private key

Select as shown below, and press Next

Click browse and give the certificate a name and location, then click Next

Click Finish

Keep this certificate safe; we need to distribute it to our clients so that they trust the updates SCUP has signed with it.

Importing the certificate into the correct stores

Now you need to import this certificate into two stores. Still in the Certificates console, right-click on Trusted Publishers -> All Tasks -> Import.


Press Next

Browse to the location of the certificate we just exported and click Next

Verify the location is as shown and click Next

Click Finish

If you are NOT using PKI you need to do the same for Trusted Root Certification Authorities. If you are using PKI then you can skip this step, as your root CA is already trusted by your SCUP/WSUS server and the clients.

Same again: right-click -> All Tasks -> Import.

Click Next

Browse to the location of the certificate we just exported and click Next

Verify the location is as shown and click Next

Click Finish


Adding the Shavlik catalog to SCUP

First you need to download your Shavlik cab file straight from Shavlik/VMware.

Then this part is as easy as opening the console, clicking Import, selecting your cab file and pressing Next.

Wait for the cab file to import and click Next

Verify it was successful and click Close


Creating a GPO to distribute your certificate and update settings

The last thing you need to do is distribute the certificate that was used to sign your updates to your client machines. The easiest way to do this is to create a GPO.

Inside the GPO you need to import your certificate into trusted publishers as shown below:


In addition to importing the certificate, your clients also need to trust signed updates coming from a location other than Microsoft. Here is the location to enable this: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.

In the details pane, click Allow signed content from intranet Microsoft update service location, and select Enabled.

Link the GPO to an OU containing your machines and that's it for this post!

I will post some more around using the console and no doubt some other bits as soon as I can.
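Once the GPO has applied, the same three things the manual store imports and the GPO were meant to achieve can be verified on any client (or on the SCUP/WSUS server itself, whose stores were populated by hand in the earlier sections). The script below is an added example, not part of the original post: it checks that the signing certificate is in Trusted Publishers, that its chain validates (with PKI) or that it sits in Trusted Root Certification Authorities (without PKI), and that the "Allow signed content from intranet Microsoft update service location" policy has landed in the registry. The path to the exported .cer file is a placeholder.

```powershell
# Added example, not part of the original post: client-side trust check for SCUP-signed updates.
# Placeholder: $CerPath, the certificate exported earlier without its private key.

$CerPath = 'C:\Certs\scup-signing.cer'   # placeholder

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb = $cert.Thumbprint

function Test-StoreContains {
    param([string]$StoreName, [string]$Thumbprint)
    [bool](Get-ChildItem "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# The GPO setting "Allow signed content from intranet Microsoft update service location"
# is stored in this policy key as AcceptTrustedPublisherCerts = 1.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy   = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue

# A self-signed certificate (no PKI) must itself be in Trusted Root; a CA-issued one must chain
# to a trusted root. Verify() also attempts a revocation check, so a lab with an unreachable CRL
# can report FAIL here even though the root is trusted.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

$checks = @(
    @{ Name = 'Signing certificate in Trusted Publishers';            Pass = (Test-StoreContains 'TrustedPublisher' $thumb) }
    @{ Name = 'Certificate chain validates on this machine';          Pass = $cert.Verify() }
    @{ Name = 'Self-signed certificate in Trusted Root (non-PKI only)'; Pass = ((-not $selfSigned) -or (Test-StoreContains 'Root' $thumb)) }
    @{ Name = 'AcceptTrustedPublisherCerts policy = 1';               Pass = (($policy -ne $null) -and ($policy.AcceptTrustedPublisherCerts -eq 1)) }
)

"Checking $($cert.Subject) ($thumb), expires $($cert.NotAfter)"
foreach ($c in $checks) {
    $state = if ($c.Pass) { 'OK  ' } else { 'FAIL' }
    "[$state] $($c.Name)"
}
# The ConfigMgr client writes the WSUS server it points clients at into the same policy key.
if ($policy -and $policy.WUServer) { "Update server configured by policy: $($policy.WUServer)" }
```

If the policy line reports FAIL on a machine that is in the linked OU, run gpupdate /force and re-run the script before suspecting the GPO itself; a missing Trusted Publishers entry on a client with the policy applied points at the certificate import part of the GPO instead.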

EDIT: 2nd post here on how to publish 3rd party updates from SCUP through to SCCM clients
Cheers
Wayne



