EV Observe - Configure WinRM over HTTPS Monitoring Prerequisites (WinRMS)

Last modified on 2023/11/07 16:25

WinRM (Windows Remote Management) is the remote management protocol for Windows servers.

  • It may be required by certain plugins in order to collect monitoring data.
  • It can communicate securely using the HTTPS protocol to encrypt data sent over the network.
     

To use service templates based on WinRM over HTTPS (WinRMS), specific prerequisites must first be met.

  • You configure these prerequisites once only.
  • This is done in several steps:
    • Authorize network traffic to port 5986 (HTTPS) via the Windows firewall
    • Create a certificate to encrypt network traffic and associate it with the HTTPS port
    • Configure the Box to use the certificate

Notes

  • By default, WinRM over HTTPS is configured to use port 5985.
  • The certificate can be self-signed or publicly signed (CA).

     See also Configure WinRM Monitoring Prerequisites.

Procedure: How to configure WinRM over HTTPS (WinRMS)

   You must be in admin mode.

Step 1: Create a firewall rule to authorize connections to the HTTPS port, 5986

1. Open the Windows firewall on the Windows server to be monitored and click Advanced settings.

2. Select Inbound Rules > New Rule.

The New Inbound Rule Wizard will appear.

3. Specify the values below and click Next after each step.

  • Type of rule: Port
  • Rule applied to: TCP
  • Rule applied to specific local ports: 5986

4. Click Allow the connection and select all the checkboxes in the profile page.

5. Enter the name of the rule, WinRM HTTPS.

6. Click Finish.
 

Step 2: Create a self-signed certificate on the Windows server

1. Log in to the Windows server to be monitored.

2. Run the PowerShell command below.

  • Replace <your_server_dns_name_or_whatever_you_like> with the values of your environment.

New-SelfSignedCertificate -DnsName <your_server_dns_name_or_whatever_you_like> -CertStoreLocation Cert:\LocalMachine\My

The certificate will be generated in the local certificate store.

3. Copy the thumbprint of the new certificate returned by the command and paste it in your text editor in order to store it temporarily.
 

Step 3: Create the WinRM over HTTPS port

1. Run the PowerShell command below.

  • Replace <your_server_dns_name_or_whatever_you_like> with the values of your environment.
  • Replace <certificate_thumbprint_from powershell> with the certificate thumbprint you copied and stored in your text editor.

   Enter the entire command in one line.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<your_server_dns_name_or_whatever_you_like>"; CertificateThumbprint="<certificate_thumbprint_from powershell>"}'

Step 4: Configure the Box to use the certificate

1. Retrieve the certificate you just created.

   If you are using a publicly signed CA certificate, you should retrieve the root certificate.

2. Copy the contents of the <YOUR_CERTIFICATE.crt> file.

  • Change the extension of the <YOUR_CERTIFICATE.crt> file to <YOUR_CERTIFICATE.txt>.
  • Open the <YOUR_CERTIFICATE.txt> file.
  • Copy the contents of the TXT file.

3. Update the <YOUR_CERTIFICATE.crt> file on the Box.

  • Log in to the Box.
  • Run the command below to open the <YOUR_CERTIFICATE.crt> file in the vi text editor.

vi <YOUR_CERTIFICATE.crt>

  • Paste the certificate contents you copied and stored in your text editor.
  • Press <Esc>.
  • Run the command below to save the file.

:wq

4. Run the command below to copy the <YOUR_CERTIFICATE.crt> file to the local folder, /usr/local/share/ca-certificates/.

sudo cp <YOUR_CERTIFICATE.crt> /usr/local/share/ca-certificates/<YOUR_CERTIFICATE.crt>

5. Run the command below to update the certificate store.

sudo update-ca-certificates

Step 5: Check that WinRMS works correctly in the Box

1. Run the PowerShell command below to log in to the client workstation.

  • Replace <ip_address_or_dns_name_of_server> with the IP address of your server or the DNS of your environment.
  • Replace <local_admin_username> with the name of the local administrator.

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck

Enter-PSSession -ComputerName <ip_address_or_dns_name_of_server> -Credential <local_admin_username> -UseSSL -SessionOption $so

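You can now run commands on your remote server. Because the session options skip the CA and CN checks, this test confirms that the HTTPS listener responds but does not validate the certificate itself.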
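
Steps 1 to 3 above can also be run as one PowerShell script, which additionally writes the public certificate as Base64 text for the copy in Step 4. This is an added example, not part of the EasyVista documentation; the server name, the output path and the variable names are assumptions to replace with the values of your environment.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows server to be monitored.
$ErrorActionPreference = 'Stop'
$DnsName = 'server01.example.internal'            # assumed name; use the name the Box connects to
$PemPath = Join-Path $env:TEMP "$DnsName.crt"     # assumed output path for the public certificate

# Stop before creating anything if an HTTPS listener is already configured.
$existing = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($existing) {
    throw "An HTTPS listener already exists ($($existing.Name)); remove or update it first."
}

# Step 1: inbound TCP 5986 on all profiles, with the rule name used in the wizard.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow -Profile Any | Out-Null
}

# Step 2: self-signed certificate in the local machine store.
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My

# Step 3: HTTPS listener bound to that certificate
# (same selectors and values as the winrm create command).
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $DnsName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# Input for Step 4: the public certificate only (RawData holds no private key),
# written as Base64 text so it can be pasted into <YOUR_CERTIFICATE.crt> on the Box.
$b64 = [System.Convert]::ToBase64String(
    $cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $PemPath -Value $pem -Encoding Ascii

# Summary to compare with the thumbprint noted in Step 2 and to track expiry.
[pscustomobject]@{
    DnsName    = $DnsName
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PemFile    = $PemPath
}
```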
