Sealing a Management Pack

Management packs are sealed by using the MPSeal tool that is located in the SupportTools folder of the Operations Manager 2007 R2 distribution media. This is a command line tool that creates a sealed MP file from an unsealed XML file. After performing the sealing process, you can install the sealed management pack into your management group.


If you created the management pack in the Operations console, then you must export it to an XML file prior to performing the sealing process. You must then uninstall the management pack before installing the sealed version.

MPSeal Syntax

MPSeal.exe uses the following syntax:

MPSeal.exe <Management Pack Filename> [/I <Include Path>]* /Keyfile <Keyfile Path> /Company <Company Name> [/Outdir <Output Directory>] [/DelaySign] [/Copyright <Copyright text>]

Each of the command line options is described in the following table:

Option Details

Management Pack Filename

The full name of the XML file to seal. If the file is not in the current directory, then this must include the full path to the file. If this includes a space, it must be enclosed in quotes.

Include Path

Path to a directory containing MP files referenced by the management pack that you are sealing. Further detail is provided below in Management Pack References.

Keyfile Path

File containing the private and public key. Further detail is provided below in Key File.

Company Name

The name of your company. If this includes a space, it must be enclosed in quotes.

Output Directory

The directory to store the output file. If not specified, the current directory will be used.


DelaySign

If this switch is used, then only the public key is used. Further detail is provided below in Delayed Signing.

Copyright text

Text to include for copyright information. While this option is functional, the text is not currently accessible from Operations Manager.


The following example seals a management pack file named Contoso.MyApp.xml. It creates a file called in the current directory.

mpseal Contoso.MyApp.xml /I c:\mp /Keyfile contoso.snk /Company "Contoso"

Management Pack References

In addition to sealing the management pack, MPSeal verifies the management pack and will report any errors that would keep it from installing. All of these errors must be corrected before the sealing will complete successfully. This is the same verification performed by the MPVerify tool. In order to perform this function, MPSeal requires access to any management packs referenced by the management pack being sealed. These must be the sealed versions of the files with an MP extension and must be at least the version specified by the management pack being sealed.

You specify a directory to search for MP files with the /I command line option. You can use multiple /I options if the required files are in multiple directories. You can obtain the standard library management pack files included with Operations Manager 2007 R2 from the installation directory on the management server. You must obtain other management pack files separately. If you imported a management pack directly into your management group from the management pack catalog, then you will need to download it separately in order to obtain the MP file.


If you are unsure of the management packs referenced by the management pack you are sealing, you can run MPSeal using any directory. A list of the required management packs will be returned.

For further information on management pack references, see the Management Pack References section of this guide.

Key File

Sealing requires a key file that contains a private and public key. This validates the identity of the signing party and ensures that a malicious user cannot provide a sealed management pack impersonating someone else. This is the same key pair used for signing .NET assemblies and can be created with the Strong Name Tool (sn.exe) included with the Microsoft Windows SDK.


You should take care to protect any key file that is used to seal a management pack. If someone else were to obtain this key file, then they could seal a management pack impersonating the original author.

For the complete usage of the Strong Name Tool you should refer to its documentation at The following example is sufficient for most management packs and will create a key file called contoso.snk in the local directory.

sn -k contoso.snk

Delayed Signing

To further protect their private key, some organizations implement a delayed signing process for assemblies. This allows access to the private key to be limited to only a few individuals. Using this process, you sign the assembly with only the public key and then complete the signing with the private key just prior to shipping.

If your organization has an existing process for performing delayed signing of assemblies then you should use this process to seal your management pack for production. You can perform the initial partial sealing of the management pack using the /DelaySign option.

Further information on delayed signing of assemblies is available at
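
The key handling and partial sealing described under Key File and Delayed Signing, as an added PowerShell example that is not part of the original documentation. All paths, the CONTOSO\mp-signers group, and the premise that /Keyfile accepts a public-key-only file when /DelaySign is given are assumptions; sn.exe and MPSeal.exe are assumed to be on the PATH.

```powershell
# Added example: file locations and the account name are hypothetical.
$ErrorActionPreference = 'Stop'

$keyPair   = 'C:\keys\contoso.snk'          # private + public key, created with: sn -k
$publicKey = 'C:\build\contoso.public.snk'  # public key only, safe to copy to build machines
$mpXml     = 'C:\build\Contoso.MyApp.xml'   # unsealed management pack
$refDirs   = @('C:\mp')                     # directories holding sealed .mp references
$outDir    = 'C:\build\sealed'

# 1. Extract the public key so the key pair never has to leave its protected location.
& sn.exe -p $keyPair $publicKey
if ($LASTEXITCODE -ne 0) { throw "sn -p failed for $keyPair" }

# 2. Lock down the key pair: drop inherited permissions and allow read access
#    only to the group that performs the final signing (hypothetical group name).
& icacls.exe $keyPair /inheritance:r /grant:r 'CONTOSO\mp-signers:(R)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $keyPair" }

# 3. Build the MPSeal argument list: one /I per reference directory,
#    the public key as the key file, and /DelaySign for partial sealing.
$mpSealArgs = @($mpXml)
foreach ($dir in $refDirs) { $mpSealArgs += @('/I', $dir) }
$mpSealArgs += @('/Keyfile', $publicKey, '/Company', 'Contoso',
                 '/Outdir', $outDir, '/DelaySign')

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$started = Get-Date
& MPSeal.exe @mpSealArgs

# 4. MPSeal's exit codes are not described in this topic, so confirm success by
#    checking that a new .mp file was written to the output directory.
$sealed = Get-ChildItem -Path $outDir -Filter '*.mp' |
          Where-Object { $_.LastWriteTime -ge $started }
if (-not $sealed) {
    throw 'No sealed .mp file was produced; review the MPSeal verification errors above.'
}
$sealed | Select-Object FullName, Length, LastWriteTime
```

The partially sealed file still has to go through your organization's existing delayed signing process, with the private key, before it is used in production.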

See Also


Management Pack Formats
Management Pack References