Management Agent for Certificate and Smart Card Management

  • Article

Use the management agent for Certificate and Smart Card Management to create profiles based on existing Certificate Lifecycle Manager (CLM) Profile Templates that you can then use to manage the lifecycle of both software and smart card-based certificates.

Important

The Microsoft .NET Framework 3.0 must be installed on the Windows server running ILM 2007 FP1 to successfully run the management agent for Certificate and Smart Card Management.

Properties

Available in Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory® (IIFP)

No

Management agent type

Call-based

Supported connected data source versions
  • Microsoft Certificate Lifecycle Manager Version 1.0 and greater.

MIIS 2003 features supported
  • Full import

  • Delta import

  • Export

Schema Information

The schema is generated based on a fixed schema that models the database structure. Refresh schema is not available for this management agent because it uses a static schema that cannot be changed.

Remarks

  • The management agent imports the following object types from CLM:

    • Requests (clmRequest)

    • Profiles (clmProfile)

    Note

    In addition, a third object, clmConfig holds various configuration settings from CLM.

  • Objects in CLM are identified by GUIDs. Profile objects and request objects each have GUIDs assigned to them. Users in CLM are not assigned new GUIDs; they use the objectGUID attribute from the corresponding Active Directory user object. Joining objects from CLM to the metaverse (MV) is done using the objectGUID attribute from Active Directory. This requires the management agent for Active Directory to have an import attribute flow rule that sends the objectGUID attribute to the metaverse as a binary attribute. This can be done using direct import attribute flow with the management agent for Active Directory.

    Important

    The objectGUID attribute is not part of the metaverse schema by default. The objectGUID attribute must be added as a custom attribute, of type binary (indexed), to the person object type in the metaverse before you can create a management agent for Certificate and Smart Card Management.

  • The management agent for Certificate and Smart Card Management must match the version of the CLM server that it is connecting to. For example, if you have upgraded the CLM server to Feature Pack 1 (FP1), then you must reinstall the management agent for Certificate and Smart Card Management from the FP1 media.

  • When creating and configuring an instance of the management agent for Certificate and Smart Card Management, the only configuration changes that are supported are those in Configure Connection Information and in Configure Additional Parameters pages in Management Agent Designer. You must not make any changes to any of the other configuration pages.

  • For a specified profile template, the management agent for Certificate and Smart Card Management supports the following management policies:

    • Enroll Policy

    • Reinstate Policy

    • Recover On Behalf Policy

    • Duplicate Policy

    • Disable Policy (Smart card profile templates only)

    • Retire Policy (Smart card profile templates only)

    • Temporary Cards Policy (Smart card profile templates only)

  • To run the management agent for Certificate and Smart Card Management, the MIIS service account must have access to the following registry keys:

    Registry key Minimum access required

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

    Read/Write

    HKLM\Software\Microsoft\EnterpriseCertificates

    Read

    HKLM\Software\Microsoft\SystemCertificates

    Read

    HKLM\Software\Policies\Microsoft\SystemCertificates

    Read

Important

By adding the MIIS service account to the local administrators group, the account will obtain all the necessary registry key permission listed above. However, this is not recommended as a security best practice.

  • The user account specified in the Configure Connection Information page in Management Agent Designer must be assigned the correct permissions at the following locations:

    • Service Connection Point (SCP) - SCP permissions determine whether a user is assigned a management role within the CLM deployment. For example, if a user must initiate requests for other users, the user is assigned the CLM Request Enroll permission at the SCP.

    • Profile template object - The profile template permissions determine whether a user can read the profile template’s contents (to execute management policy workflows within the profile template) or receive certificates based on the profile template’s management policies. If a user is required to enroll certificates based on the profile template, the user must be assigned the CLM Enroll permission on the profile template.

    • Users or groups - A user or group that is assigned a CLM management role must have permissions on the user or group objects they manage within the environment. For example, if you want to enable a manager to recover certificates issued to members of the EFSUsers group, you must assign the manager, or a group containing the manager, the CLM Request Recover permission on the EFSUsers group object.

    • Within a management policy - A user or group must be assigned the management role within the management policy. For example, if a user is tasked with approving enrollment requests, you must assign that user permission to approve enrollment requests within the Enroll management policy. Management policies are stored in the Profile template objects and are configured using the CLM Web portal.

      Note

      For more information on CLM permissions, see the CLM online help.

    • CLM SQL tables - If you have configured CLM to use Windows Authentication for access to the CLM SQL database, the user account specified when creating the management agent for Certificate and Smart Card Management requires the db_datareader role on the Profiles and Requests tables in the CLM SQL database.

    • Registry key - For the SQL connection string to be read from the registry on the server running CLM, the account specified in the management agent for Certificate and Smart Card Management must be granted Read access to the following registry key on the server running CLM:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser

      Note

      If you are missing any of the required permission assignments, you receive an "Access Denied" error message when you attempt to run the management agent.

  • The management agent installation program installs the Microsoft.CLM.ClmMaProxy.DLL in the %ProgramFiles%\Microsoft Certificate Lifecycle Manager\web\bin folder on all connected servers running CLM.

  • The CLM web.config file (%ProgramFiles%\Microsoft Certificate Lifecycle Manager\web\web.config) must be updated before running the management agent for Certificate and Smart Card Management. In the “<!-- REMOTING SECTION (BUILT-IN) ++++++++++++++++++++++++++++++++++++++++++-->” section, between the <service></service> tags, add the following line:

    <wellknown mode="Singleton" type="ExtensibleWfMA.ClmMaProxy, Microsoft.Clm.ClmMaProxy" objectUri="clmManagementAgent.rem"/>

  • Each server running CLM requires its own management agent. However, if you have multiple servers running CLM that share a single SQL database, for example in a load balancing environment, you have to create only one management agent.

  • The management agent for Certificate and Smart Card Management supports the use of Delta imports; however, if you use failover for the CLM SQL database, in the event that a failover of the database occurs, you must perform a Full Import run of the management agent after the failover event. You must also perform a Full Import run of the management agent if you subsequently fail back to the original SQL database.

  • During provisioning of a request, ILM 2007 FP1 sets the originator of the request as the user account name specified in Configure Connection Information in Management Agent Designer. ILM 2007 FP1 uses the user account attribute to prevent a situation in which ILM 2007 FP1 attempts to reprovision an existing request. If the account ILM 2007 FP1 uses to connect to the server running CLM has changed, previously provisioned requests might be reprovisioned.

  • To run the management agent for Certificate and Smart Card Management, the MIIS Server Account must be a member of the MIISJoiners security group.

  • The management agent for Certificate and Smart Card Management must be configured to run in a separate process.

Configure Additional Parameters

The following additional parameters can be configured in Management Agent Designer.

Parameter Values Notes

ignoreCertWarnings
  • True

  • False (default)

The management agent for Certificate and Smart Card Management supports SSL for connecting to the server running CLM. In a development environment it may be useful to ignore warnings when trying to use a server certificate. This parameter should not be used in a production environment because it introduces a security risk.

authenticationType
  • negotiate (default)

  • basic

  • digest

  • kerberos

  • ntlm

The management agent for Certificate and Smart Card Management authenticates through IIS on the server running CLM. The authentication types available in IIS are available for use on the management agent for Certificate and Smart Card Management. You can do this by adding this configuration parameter and providing one of the above values. By default the management agent for Certificate and Smart Card Management will use NTLM.

defaultRequestComments
  • Default comes from the cs object attribute "req_comments"

Comments can be added to Requests in CLM. This can be done in the metaverse extension by setting the "req_comments" attribute. Adding the defaultRequestComments configuration parameter will cause all Requests to use the value supplied in the configuration parameter as the Request comment.

defaultRequestPriority
  • Default comes from the cs object attribute "req_priority"

A Priority can be added to Requests in CLM. This can be done in the metaverse extension by setting the "req_priority" attribute. Adding the defaultRequestPriority configuration parameter will cause all Requests to use the value supplied in the configuration parameter as the Request priority.

typeOfReqToSubmitOnProfileDelete
  • Disable

  • Retire

  • Suspend

  • TemporaryCardDisable

  • TemporaryCardRetire

If the management agent deprovisioning rule is configured to stage deletions, then the management agent for Certificate and Smart Card Management will submit a Request to CLM. The type of request can be configured using the typeOfReqToSubmitOnProfileDelete configuration parameter. If the configuration parameter is missing or empty then no Request will be submitted.

useSQLAuth
  • True

  • False (default)

The connection to the database on the server running CLM can be configured to use SQL authentication. Adding the "useSqlAuth" configuration parameter allows the management agent for Certificate and Smart Card Management to connect to the database on the server running CLM using SQL login credentials. The credentials are configured using the "sqlUserName" and "sqlPassword" configuration parameters.

sqlUserName

(only used if "useSqlAuth" == true)

sqlPassword

(only used if "useSqlAuth" == true)
  • N/A

Configure this parameter to use encryption. The value will be hidden from the user interface and stored in the database on the server running ILM 2007 FP1 in encrypted form available only to the MIIS 2003 service account.

connectionString

Default is to use the connection string ILM 2007 FP1 receives from CLM.

The connection string used for connecting to the database on the server running CLM is read from the server running CLM by default during imports. This configuration parameter can be used to override that connection string.

See Also

Concepts

Management Agents in MIIS 2003