Security for Upgrades

This section discusses the security implications for upgrading MOM 2000 SP1 to MOM 2005.

Preparing for Upgrade

Because MOM 2005 uses multiple security contexts for components that ran under either the DAS or CAM accounts in MOM 2000 SP1, you must create a new Action Account for the Management Server (i.e. DCAM) before upgrading to MOM 2005. For more information about the Action Account, see the "Management Server Security - Action Account" section of this guide.

The MOM setup will prompt you for the DAS account credentials to use in MOM 2005. You can either create another account for MOM 2005 or use the same DAS account used in MOM 2000. For more information about what access privileges to give the DAS account, see the "Data Access Service (DAS)" section or Table 3 later in this guide.

Mixed Mode

While you are upgrading your environment from MOM 2000 SP1 to MOM 2005, it will temporarily be in a "mixed mode" in which both MOM 2005 and MOM 2000 SP1 agents report to MOM 2005 Management Servers and, possibly, to MOM 2000 SP1 DCAMs. Table 1 shows the compatibility between the agents and the Management Server (or DCAM):

Table 2 Agent To Management Server/DCAM Compatibility

| Agent | Server | Compatibility |
|---|---|---|
| MOM 2000 SP1 | MOM 2000 SP1 | Full Compatibility |
| MOM 2000 SP1 | 2005 | Full Compatibility |
| 2005 | 2005 | Full Compatibility |
| 2005 | MOM 2000 SP1 | Requires transitional Management Pack for compatibility if the agent is multi-homed to a MOM 2000 SP1 server as well. If not, then this configuration has Full Compatibility. |

Mutual Authentication Disabled During Upgrade

Because mutual authentication in MOM 2005 requires that both the Management Server and the agent on the managed computer be running MOM 2005, this security feature is disabled by default during the upgrade process. Mutual authentication provides a higher level of security and can greatly mitigate man-in-the-middle attacks in your MOM environment. You can enable mutual authentication only after all DCAMs are upgraded to MOM 2005 Management Servers and all agents are upgraded to MOM 2005 agents in the management group (i.e. configuration group).

Communications Port Retained

The communications port, 1270, is retained during the update process. This is a management group-wide setting.

Unencrypted Port No Longer Supported

The unencrypted port 51515 is disabled during upgrade and is not used by MOM 2005. During the upgrade process, any MOM 2000 SP1 agents configured to use only the unencrypted port 51515 will not be able to communicate with the MOM 2005 Management Server. These agents must be either configured to use the secure communications port 1270 or upgraded to MOM 2005. MOM 2000 SP1 agents configured to use either port can communicate with the Management Server without further configuration (as long as mutual authentication is disabled).
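
The mixed-mode rules above (the transitional Management Pack case in the compatibility table, the mutual authentication precondition, and the port 51515 cutoff) can be checked against an inventory before the upgrade starts. The following Python is an added example, not part of the original guide or of MOM; the CSV layout, the host names and the audit function are assumptions made for illustration.

```python
import csv
import io

# Constructed inventory. The column layout is an assumption for this example,
# not a MOM export format. "ports" lists the ports a host is configured to use.
SAMPLE = """host,role,version,ports,multihomed_to_2000
MS01,server,2005,1270,
DCAM02,server,2000SP1,1270;51515,
WEB01,agent,2000SP1,51515,no
WEB02,agent,2000SP1,1270;51515,no
SQL01,agent,2005,1270,yes
SQL02,agent,2005,1270,no
"""


def audit(text):
    """Apply this section's upgrade rules to an inventory and return findings."""
    findings = {"cut_off": [], "needs_transitional_mp": [], "blocks_mutual_auth": []}
    for row in csv.DictReader(io.StringIO(text)):
        ports = set(row["ports"].split(";"))
        legacy = row["version"] != "2005"
        # Mutual authentication needs every DCAM and every agent on MOM 2005.
        if legacy:
            findings["blocks_mutual_auth"].append(row["host"])
        if row["role"] != "agent":
            continue
        # A MOM 2000 SP1 agent that only uses 51515 loses contact with the
        # MOM 2005 Management Server, because that port is disabled on upgrade.
        if legacy and ports == {"51515"}:
            findings["cut_off"].append(row["host"])
        # A MOM 2005 agent multi-homed to a MOM 2000 SP1 server needs the
        # transitional Management Pack.
        if not legacy and row["multihomed_to_2000"] == "yes":
            findings["needs_transitional_mp"].append(row["host"])
    findings["mutual_auth_ready"] = not findings["blocks_mutual_auth"]
    return findings


if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(name, value)
```

Hosts listed under cut_off must be moved to port 1270 or upgraded before the Management Server is upgraded; mutual authentication stays off until blocks_mutual_auth is empty.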

Block Legacy Agents

During upgrade the Block Legacy Agents setting is disabled.