Configuring Profile Templates

Microsoft® Identity Lifecycle Manager "2" Certificate Management Service (ILM CMS) is an identity-assurance management system that helps organizations provision and manage digital certificates and smart cards. ILM CMS integrates with standard enterprise infrastructure components such as Active Directory® domain service, Microsoft SQL Server™ database software, and Microsoft Windows Server® 2003 Certificate Services to provide a centralized administrative interface for both certificate managers and certificate subscribers. A server that runs ILM CMS is known as a CLM server.

At the center of all ILM CMS management activities are configurable profile templates that organize certificate templates, profile template details, and management policies:

  • Certificate templates define certificate content and certification authorities (CAs). A single CLM profile template can include multiple certificate templates.

  • Profile templates provide information, such as which certificates you issue for a particular user community, whether you store the certificates in software or on a smart card, and which certificate templates you include in the profile template.

  • Management policies define workflows for tasks such as enrollment, recovery, and revocation. Management policies also define who performs tasks such as request initiation and approval.

The following topics describe how to configure CLM profile templates:

  • Using the MMC with CLM 2007

  • Creating a Certificate Template with the MMC

  • Software-Based Certificates and Smart Cards

  • Creating a Profile Template

  • Assigning Permissions on a Profile Template

  • Configuring a Profile Template for Software-Based Certificates

  • Configuring a Profile Template for Smart Card Certificates

  • Appendix A: Certificate Template Configuration

  • Appendix B: Regular Expressions

  • Appendix C: Document Printing

  • Appendix D: Smart Card Printing

  • Appendix E: Assigning Approval Permissions Using Active Directory Permissions

Using the MMC with CLM 2007

ILM CMS provides a Web-based user interface (CLM Web site) for creating and managing subscriber certificates. Although you can perform most profile template configuration tasks by using a Web browser, you must use the Microsoft Management Console (MMC) with the appropriate snap-ins to complete the following tasks that are specific to Active Directory:

  • Create users, groups, and certificate templates.

  • Assign CLM permissions.

  • Modify permissions on certificate or profile templates.

Before you configure CLM profile templates, you must configure the MMC for these ILM CMS administrative tasks.

To configure the MMC for CLM 2007

  1. Click Start, click Run, type mmc, and then click OK.

  2. In the MMC, click File, and then click Add/Remove Snap-in.

  3. In Add/Remove Snap-in, click Add.

  4. In Add Standalone Snap-in, click Active Directory Users and Computers, and then click Add.

  5. To add the other snap-ins, repeat steps 3 and 4 of this procedure.

    The other snap-ins are Active Directory Sites and Services, Certificate Templates, and Certification Authority.

  6. After you add all four snap-ins, click Close.

  7. In Add/Remove Snap-in, click OK.

  8. In the MMC, click File, and then click Save As.

  9. In Save As, type a unique name for the snap-in, for example, CLMAdminSnapin.msc, and then click Save.

Note

To access an MMC snap-in later, click Start, click Run, type the name of the saved console file (for example, CLMAdminSnapin.msc), and then click OK.

Creating a Certificate Template with the MMC

Before you configure CLM profile templates, you must use Windows Server 2003 to configure certificate templates and deploy them to your enterprise CAs. Certificate templates define the format and content of a certificate, and enable you to define specific attributes for certificates that meet the needs of your organization. For example, you can use certificate templates to do the following tasks:

  • Define whether a user can export the private key associated with a certificate.

  • Define what cryptographic service providers (CSPs) a certificate template supports.

  • Define issuance and application policies for issued certificates.

ILM CMS uses the version 2 certificate templates in Windows Server 2003. You can use these templates to customize most settings in the template. Several preconfigured, version 2 templates are supplied in the default configuration of Windows Server 2003, and you can add more as necessary.

Note

Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition support both version 1 and version 2 certificate templates; however, ILM CMS requires version 2 templates. Certificates based on version 2 templates can be issued only by an enterprise CA running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

You can use Certificate Templates in the MMC to create and configure certificate templates. To create a new certificate template, you copy an existing template that is similar in function to the required certificate template, and then modify it.

To create a certificate template with the MMC

  1. Click Start, click Run, in Open, type certtmpl.msc, and then click OK.

  2. Right-click the template that you want to copy, and then click Duplicate Template.

  3. Type a new name for the certificate template.

  4. Make any necessary changes, and then click OK.

Note

To create a certificate template, you must be a member of the Enterprise Admins group or the Domain Admins group of the root domain for the forest in Active Directory.

For more information about configuring certificate templates, see Appendix A: Certificate Template Configuration and Implementing and Administering Certificate Templates in Windows Server 2003.

Software-Based Certificates and Smart Cards

You can use ILM CMS to manage both software-based certificates, which reside on a user’s computer, and certificates on smart cards. The certificate manager view of the CLM Web site provides sample profile templates for software-based certificates and for smart cards. Table 1 shows these sample profile templates.

Table 1   Software-based certificates and smart cards

Sample profile template Description

CLM Sample Profile Template

You can use this template to create software-based certificate profiles.

CLM Samples Smart Card Logon Profile Template

You can use this template to create smart card profiles.

A single CLM profile template cannot support both smart cards and software-based certificates. If you deploy both smart cards and software-based certificates, you must create separate profile templates for them.

Creating a Profile Template

You can use the CLM Web site to create and configure profile templates. To create a new profile template, you copy an existing profile template or one of the sample profile templates, and then modify its certificates and policies as necessary.

Note

You must have appropriate Active Directory permissions to create and administer profile templates. If a profile template is marked Read Only, you do not have the necessary Active Directory permissions to create profile templates. To configure Read permissions on certificate templates and Read and Write permissions on profile templates, you can open the MMC and use the ILM CMS administration snap-in. For information about configuring CLM permissions in Active Directory, see Using the MMC with CLM 2007.

To create a profile template

  1. Log on to ILM CMS as an administrator.

  2. On the Home page, in Administration, click Manage profile templates.

  3. In Profile Template List, select the check box next to an existing profile template or one of the sample CLM profile templates, and then click Copy a selected profile template.

  4. On the Duplicate Profile page, type the name for the new template, and then click OK.

  5. On the Edit Profile Template page, review the profile template settings.

Assigning Permissions on a Profile Template

When you copy a profile template, you also copy the permissions associated with the original template. To change the permissions on the new profile template, open Active Directory Sites and Services and configure permissions on the new profile template object.

To assign permissions on a profile template

  1. Log on to a Windows Server 2003 computer as a domain administrator.

  2. Open the MMC for ILM CMS that you created earlier.

    If you did not create the MMC, you can use Active Directory Sites and Services to edit the CLM profile template.

  3. On the View menu, click Show Services Node.

  4. In the console tree, expand Active Directory Sites and Services, expand Services, and then expand Public Key Services.

  5. In the console tree, click Profile Templates.

  6. In the details pane, right-click the profile template that you want to edit, and then click Properties.

  7. In the [Profile Template Name] Properties dialog box, click the Security tab.

  8. Select the user or group that you want to configure permissions for, and then apply the permission. When you are finished, click OK.

Important

You must assign all ILM CMS users, including certificate managers, Read permissions on each profile template object.

Note

The CLM Enroll extended permission only applies to profile templates. If you want to use the Microsoft Certificate Lifecycle Manager 2007 Service (CLM Service) to process External API requests, you must assign this extended permission to the user account that you use to run the CLM Service. (The CLM Service is an administrative service that performs workflow tasks for ILM CMS.)

Configuring a Profile Template for Software-Based Certificates

After you create a profile template, you must configure its general settings and management policies. The default view of the Edit Profile Template page is Profile Details, as indicated in the navigation area on the left side of the page. Table 2 shows the sections in this view of the Edit Profile Template page.

Table 2   Sections in the Profile Details view of the Edit Profile Template page

Section Description

General Settings

Defines parameters common to all workflow items in the profile template.

Certificate Templates

Lists the certificate templates associated with the profile template.

Smart Card Configuration

Defines smart card options.

You cannot use Smart Card Configuration for software-based profiles.

Management policy list

Provides links to all management policies associated with the profile template. This list is under Select a view.

The following topics describe how you can configure these settings for software-based certificate profiles. For information about configuring smart card profile templates, see Configuring a Profile Template for Smart Card Certificates.

General settings: software-based certificate profile templates

After you create a profile template for software-based certificates, you must configure its general settings.

To configure general settings for a profile template

  1. Log on to ILM CMS as an administrator.

  2. On the Home page, in Administration, click Manage profile templates.

  3. In Profile Template List, click the name of the profile template that you want to edit.

  4. On the Edit Profile Template page, click Change general settings.

  5. Under General Settings, there are four sections that have settings you can configure.

    Table 3 shows these sections and their settings.

Table 3   General settings for software-based certificate profiles

Section Description

Name and Description

Names the profile template and provides a description for it. You can change the Active Directory common name for the template only when you copy the profile template; afterward, you cannot change it.

Key Generation

Requires that encryption keys for a certificate are generated on the server, rather than on a smart card or client computer. When you select the server key generation setting, you can use the default server key generator or specify a custom key generator. If you must implement newer hashing algorithms that are not supported natively by ILM CMS or Windows Server 2003, use a custom key generator.

If you use a custom key generator, specify the following information:

  • Custom server key generator type – This must be a fully qualified Microsoft .NET connection software type name that implements the IServerKeyGenerator interface.

  • Custom server key generator data – This is a free text field for data that ILM CMS passes as a string to the server key generator object when ILM CMS starts.

External Certificates

Associates external certificates with a profile template. A CLM profile template can contain certificates that were issued outside the ILM CMS environment, such as certificates that were issued during automatic enrollment, by the MMC Certificates snap-in, or by a custom application. If you associate external certificates with a profile template, specify the maximum number of external certificates that ILM CMS allows.

Smart Card Support

Enables smart card support. Although you can enable the profile template to support smart cards, a profile template cannot support both smart cards and software certificates. Enabling smart card support makes the profile template unusable for software-based certificates. To deploy both smart cards and software-based certificates, you must create separate profile templates for them.

Certificate templates: software-based certificate profile templates

On the Edit Profile Template page, you can use the Certificate Templates section to assign certificate templates to a profile template. Each profile template must have at least one certificate template associated with it.

If you copied a profile template that already had certificate templates associated with it, those certificate templates are listed in the new profile template.

Important

Because each profile template must have at least one certificate template associated with it, we recommend that you add new certificate templates before you delete unwanted ones.

To assign certificate templates to a profile template

  1. On the Edit Profile page, in Certificate Templates, click Add new certificate template.

  2. Configure the general options for the certificate templates that you want to add.

    Table 4 shows these options.

  3. In Certificate Authorities, select a CA from the list of all available CAs.

  4. In Certificate Templates, select certificate templates that you want to add to the profile template.

    Certificate Templates lists all certificate templates published by the selected CA.

  5. To add certificate templates from a different CA, repeat steps 3 and 4 of this procedure.

  6. Click Add.

Table 4   General options for software certificate templates

Setting Description

Show advanced options

Allows the user who requests the certificate to define certificate parameters, including the CSP for the certificate and options for the certificate store, key size, key set, and key container name.

Allow raw request

Allows you to paste the contents of a PKCS #10 file or a CMC certificate request file into the subscriber view of the CLM Web site. You typically use this setting to create certificates for Web servers.

To delete certificate templates from a profile template

  1. On the Edit Profile page, in Certificate Templates, select the certificate templates that you want to delete.

  2. Click Delete selected certificate templates.

Management policies: software-based certificate profile templates

Each CLM profile template contains a group of configurable management policies. These policies define the workflow, data collection, and principals who participate in the certificate management process for that profile template. Table 5 shows these options.

Table 5   Management policy options

Option Description

Who can initiate a request

Defines whether the initiator is the user referenced in the subject field of the issued certificate or a designated proxy acting on behalf of that user.

Whether a request requires approval

Defines whether a request requires manager approval and who may approve it.

What data is collected during the workflow

Defines what data is collected, who performs data collection, and how data is validated during collection, if necessary.

Whether one-time passwords are distributed

Defines whether ILM CMS distributes one-time passwords to the subscriber, the subscriber’s manager, or the request originator. You can also define how these passwords are generated and transmitted.

What documents are printed

Defines whether to distribute instructions to the certificate subscriber. You can print these instructions as part of the workflow, either from a client computer or from the CLM server.

To access management policies for a profile template

  1. Log on to ILM CMS as an administrator.

  2. On the Home page, in Administration, click Manage profile templates.

  3. On the Profile Template Management page, click the link for the profile template that has the policy you want to access.

  4. Under Select a view, click the link for the policy that you want to access.

All management policies associated with a profile template are listed under Select a view. Table 6 shows these policies.

Table 6   Management policies for software-based certificate profiles

Policy Description

Duplicate

Controls the workflow for duplicating an existing profile template. The original profile template is known as the primary profile template; copies of it are known as duplicate profile templates. If the profile template has encryption certificates, and if key archival is enabled in the certificate template, ILM CMS can recover the original encryption certificate and private key from the CA database. For signing certificates, ILM CMS always generates a new certificate and key pair for the duplicate profile template.

Enroll

Controls the workflow for enrolling a user with a new certificate. In most cases, you define the other management policies to reflect the Enroll policy workflow settings.

Online Update

Controls the workflow for updates to deployed certificates. These updates can include certificate renewals, updates to certificate content, updates to certificate templates in the profile template, and (for smart cards only) smart card application updates.

Recover

Controls recovery of profiles if you inadvertently delete or lose a user profile (for example, if a profile was stored on a computer that has been rebuilt or stolen). The Recover policy issues new signing certificates and reissues encryption certificates archived in the CA database. Optionally, you can issue new versions of encryption certificates and thereby revoke the archived encryption certificates.

Recover on Behalf

Controls the recovery of encryption certificates and their private keys in a profile or smart card that is assigned to another user. You typically implement this setting after a user leaves a company, to access data encrypted by that user. The Recover on Behalf policy recovers only encryption certificates; it never recovers signing certificates.

Renew

Controls the renewal of certificates in an issued profile when a certificate expires. ILM CMS renews the certificates with new keys, and maintains key history.

Suspend and Reinstate

Controls the workflow for revoking a profile or smart card temporarily, and then returning it to active status. ILM CMS adds the certificate to the delta certificate revocation list (CRL), and then deletes its serial number from the base CRL at its next publication. The reason for adding the certificate to the CRL is Remove from CRL.

Revoke

Controls the revocation of all certificates in a profile. You can configure a standard revocation reason, such as Change of Affiliation, or allow a user who issues a revocation request to designate the reason for the request while issuing it.

Management policy workflows: software-based certificate profile templates

Each management policy has settings that you can configure to define the workflow for that policy. Each policy has general settings, such as whether the policy is enabled and whether an enrollment agent is required. In addition, depending on how you configure the general settings, you might have specific workflow settings, such as who can initiate and approve requests, and what data items ILM CMS collects. The following topics describe specific management policy workflow settings and are titled to match the text displayed in the management policy.

Workflow: General

Each management policy has several general workflow settings. Table 7 shows these settings. However, no management policy has all of these settings; the available settings vary from policy to policy.

Table 7   General workflow settings

Setting Description

Enable policy

Enables or disables the policy for the current profile template.

Use self serve

Configures whether a user with sufficient rights can initiate a request. If this setting is cleared, a user cannot initiate a request; a certificate manager must initiate the request for the user.

Require enrollment agent

Requires an enrollment agent for this policy. The designated enrollment agent submits the request to the CLM server for another user. ILM CMS uses the certificate of the enrollment agent to sign the request. This allows ILM CMS to place the name information for the designated user in the subject field for the issued certificate.

Reissue archived certificates

Reissues encryption certificates archived in the certification authority (CA) database.

Allow comments to be collected

Collects comments at each request operation. If you select this setting, ILM CMS displays a comments box on the page when a request is created or approved and stores comments in the request history. You can view comments on the Request Details page.

Allow request priority to be collected

Uses a request priority for each policy that ILM CMS retrieves when it processes that policy. The lower the number, the higher the priority. Specifying a request priority does not prioritize requests; it simply helps you group similar requests, for example, requests that ILM CMS submitted through the External API.

Number of approvals

Specifies the number of certificate managers who must approve a request. If the number is 0 (zero), a user can generate requests without certificate manager approval under two conditions:

  1. The user must select the Use self serve check box.

  2. The user must have membership in a group with appropriate permissions.

Number of active or suspended profiles/smart cards allowed

Limits the number of active software-based or smart card profiles that a user can have for the specified profile template.

Workflow: Initiate [Policy Name] Requests

This setting is available for the following policies:

  • Duplicate

  • Enroll

  • Online Update

  • Recover

  • Recover on Behalf

  • Renew

  • Suspend and Reinstate

  • Revoke

You can use this setting to allow a user other than the user needing a certificate to initiate a request. For example, you can allow help desk personnel to initiate a recover request for a certificate when a subscriber phones the help desk.

Note

If you configured Use self serve in general workflow settings for a policy, you do not have to assign Initiate Request permissions. Any user or group can initiate a request under that policy.

A request initiator can be a user or a group. A group must be global or universal because the CLM server only resolves global and universal group memberships, not domain local group memberships.

To initiate Enroll, Renew, or Online Update requests, the user or group must be assigned Read permission and CLM Request Enroll permission on the profile template object. If the request is initiated by a user other than the subscriber, the initiator must be assigned Read permission and any necessary ILM CMS permissions. The permissions must be assigned at the service connection point and on the subscriber or a group that contains the subscriber.

To configure which users or groups can initiate requests

  1. On the Edit Profile Template page, in Workflow: Initiate [Policy] Requests, click Add new principal for [policy] request initiation.

  2. In Permission, type the name of the new principal (user or group), and then select the permission that you want.

    You can click Lookup in Active Directory to search for users or groups.

  3. Click OK.

Workflow: Approve [Policy Name] Requests

The Approve Requests policy setting is available for the following policies:

  • Duplicate

  • Enroll

  • Online Update

  • Recover

  • Recover on Behalf

  • Renew

  • Suspend and Reinstate

  • Revoke

If you configure general workflow settings for a management policy to require one or more approvals, you must designate one or more groups to approve pending requests. Requests remain in a pending state until ILM CMS collects the required number of approvals for those requests.

If a request requires only one approval, and a user has permission both to initiate and approve a request, the approval takes place automatically. If you do not designate a user or group to approve requests, the CLM agent account approves the requests.

To configure which users or groups can approve requests

  1. On the Edit Profile Template page, in Workflow: Approve [Policy] Requests, click Add new principal for [policy] request approval.

  2. In Permission, type the name of the new principal (user or group), and then select the permission that you want.

    You can click Lookup in Active Directory to search for users or groups.

  3. Click OK.
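The general workflow settings (Use self serve, Number of approvals) and the Initiate and Approve principal lists above together decide whether a request ever waits for a second person. The following added example, not code from ILM CMS or Microsoft, models those rules as the page states them (including the CLM agent fallback and the global/universal group-scope caveat) so an administrator can check a policy's approval path before configuring it; all user and group names are constructed sample data.

```python
"""Model of how an ILM CMS management policy admits and approves a request.

Added example, not ILM CMS code.  Encodes the page's rules for Use self
serve, Number of approvals, Initiate/Approve principals and group scope.
User and group names below are constructed sample data.
"""
from dataclasses import dataclass, field

# The CLM server resolves only global and universal group memberships.
RESOLVED_SCOPES = {"global", "universal"}
CLM_AGENT = "CLM Agent"   # approves when no approver principal is designated


@dataclass(frozen=True)
class Group:
    name: str
    scope: str            # "global", "universal" or "domain_local"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class ManagementPolicy:
    name: str
    enabled: bool = True
    self_serve: bool = False        # "Use self serve"
    approvals_required: int = 1     # "Number of approvals"
    initiators: set = field(default_factory=set)   # Workflow: Initiate principals
    approvers: set = field(default_factory=set)    # Workflow: Approve principals


def resolved_identities(user):
    """Names the server can match: the user plus global/universal groups only."""
    return {user.name} | {g.name for g in user.groups if g.scope in RESOLVED_SCOPES}


def can_initiate(policy, user):
    if not policy.enabled:
        return False
    if policy.self_serve:
        return True       # any user may initiate; no Initiate permission needed
    return bool(resolved_identities(user) & policy.initiators)


def can_approve(policy, user):
    return bool(resolved_identities(user) & policy.approvers)


@dataclass
class Request:
    policy: ManagementPolicy
    initiator: str
    approvals: list = field(default_factory=list)

    @property
    def state(self):
        done = len(self.approvals) >= self.policy.approvals_required
        return "approved" if done else "pending"


def initiate(policy, user):
    """Create a request and apply the automatic-approval rules from the page."""
    if not can_initiate(policy, user):
        raise PermissionError(f"{user.name} cannot initiate {policy.name} requests")
    req = Request(policy, user.name)
    if policy.approvals_required == 0:
        return req                                   # no approval needed
    if not policy.approvers:
        # No approver designated: the CLM agent account approves.  Assumption:
        # it supplies every required approval, not just one.
        req.approvals.extend([CLM_AGENT] * policy.approvals_required)
    elif policy.approvals_required == 1 and can_approve(policy, user):
        req.approvals.append(user.name)              # initiator is also approver
    return req


def approve(req, approver):
    """Record one certificate-manager approval; returns the new request state."""
    if req.state == "approved":
        raise ValueError("request is no longer pending")
    if not can_approve(req.policy, approver):
        raise PermissionError(f"{approver.name} cannot approve {req.policy.name}")
    if approver.name in req.approvals:
        raise ValueError(f"{approver.name} has already approved this request")
    req.approvals.append(approver.name)
    return req.state


def _single_actor(policy, user):
    """True when this user's own request completes with no second person involved."""
    if not can_initiate(policy, user):
        return False
    if policy.approvals_required == 0 or not policy.approvers:
        return True
    return policy.approvals_required == 1 and can_approve(policy, user)


def auto_approval_risks(policy, users):
    """Review check: users for whom the policy gives no four-eyes control."""
    return sorted(u.name for u in users if _single_actor(policy, u))
```

Run `auto_approval_risks` over every policy of a profile template before enabling it; any name it returns marks a principal who both initiates and effectively approves under that policy.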

Workflow: Enroll Agent for [Policy Name]

The Enroll Agent for [Policy Name] policy setting is available for the following policies:

  • Duplicate

  • Enroll

  • Recover

  • Recover on Behalf

  • Renew

If you configure general workflow settings for a management policy to require an enrollment agent, the designated enrollment agent submits the request to the CLM server for another user. The CLM server uses the certificate of the CLM Enrollment Agent to sign the certificate request. ILM CMS can then place the name information for the designated subscriber in the subject field for the issued certificate.

An enrollment agent can be a user or a group. A group must be global or universal because the CLM server resolves only global and universal group memberships, not domain local group memberships.

To initiate Enroll or Renew requests, both the subscriber and the enrollment agent accounts must be assigned Read permission and CLM Request Enroll permission on the profile template object. In addition, the enrollment agent must be assigned Read permission, CLM Enrollment Agent permission, and CLM Request Enroll permission. These permissions must be assigned at the service connection point and on the subscriber or a group that contains the subscriber.

Note

If you are a manager and your permissions at the service connection point have been revoked, you will not be able to run commands even though you may still be able to view the manager pages.

To specify an enrollment agent for requests

  1. On the Edit Profile Template page, in the Workflow: Enroll Agent for Duplicate Requests section, click Add new principal for enrollment agent.

  2. In Permission, type the name of the new principal (user or group), and then select the permission that you want.

    You can click Lookup in Active Directory to search for users or groups.

  3. Click OK.

Workflow: Revocation Settings

Revocation policy settings are available for the following policies:

  • Recover

  • Renew

  • Suspend and Reinstate

  • Revoke

You must define Revocation policy settings for a management policy that recovers, revokes, disables, retires, reinstates, or replaces an existing certificate. The Revocation policy settings in a management policy only affect the primary profile template. If duplicates of the profile exist, the Revocation policy settings do not affect the duplicate profile templates.

Note

The Online Updates policy has its own set of Revocation policy settings. For information about these settings, see Workflow: Settings for the [Revocation Reason] Reason.

To configure Revocation policy settings

  1. On the Edit Profile Template page, in Workflow: Revocation Settings, click Change revocation settings.

  2. In Workflow Options for Revocation, configure the Revocation policy settings, and then click OK.

    Table 8 shows these settings.

Table 8   Revocation policy settings

Setting Description

Set the old profile or smart card to disabled

Disables the previously issued profile or smart card.

Revoke old certificates

Revokes any certificates that you previously issued that are associated with the profile.

Revocation delay

Configures revocation to occur after a specified period (in hours) has passed.

Revocation reason

Selects a standard revocation reason, such as Affiliation Changed.

Publish base CRL

Requires the CA to publish a full CRL at the time of each update.

Publish delta CRL

Requires the CA to publish a delta CRL at the time of each update.

Workflow: Duplicate Revocation Settings

Duplicate Revocation policy settings are available for the Recover policy. These policy settings are similar to Revocation policy settings in that they define the type of revocation that takes place when a management policy executes. However, duplicate revocation settings define the Revocation policy only for duplicate profiles, not for the primary profile on which the duplicates are based.

To configure Duplicate Revocation policy settings

  1. On the Edit Profile Template page, in Workflow: Duplicate Revocation Settings, click Change duplicate revocation settings.

  2. In Workflow Options for Duplicate Revocation, configure the Revocation policy settings, and then click OK.

    Table 9 shows these settings.

Table 9   Duplicate Revocation policy settings

Setting Description

Set the old profile or smart card to disabled

Disables the previously issued profile or smart card.

Revoke old certificates

Revokes any certificates that you previously issued that are associated with the profile.

Revocation delay

Configures revocation to occur after a specified period (in hours) has passed.

Revocation reason

Selects a standard revocation reason, such as Affiliation Changed.

Publish base CRL

Requires the CA to publish a full CRL at the time of each update.

Publish delta CRL

Requires the CA to publish a delta CRL at the time of each update.

Workflow: Settings for the [Revocation Reason] Reason

These settings are available for the Online Update policy. The Online Update policy provides settings for three categories of certificate updates. Table 10 shows these settings.

Table 10   Online Update setting categories

Setting Description

Certificate content change

Modifies an extension in a certificate template when an update occurs.

Certificate template list change

Adds a new certificate template to the profile template when an update occurs, and then propagates the new certificate to any existing deployed profiles.

Certificate expiration

Renews a certificate when an update occurs.

You can configure Revocation policy settings for all three of these update categories. In addition, for updates involving certificate content changes or certificate expiration, you can specify whether to revoke archived certificates, if your profile template contains archived certificates. And, for certificate content change updates, you can choose whether to update all certificates or allow the request initiator to select a certificate.

To configure Online Update policy settings

  1. On the Edit Profile Template page, select the appropriate update workflow category, and then click Change revocation settings.

    Available categories are Certificate Content Change, Certificate Template List Change, or Certificate Expiry.

  2. Configure the settings for the selected update category, and then click OK.

    Table 11 shows these settings.

Important

You must specify a revocation reason for all online update requests. If a profile or smart card has duplicates, all of the duplicates must also require the online update. If one or more profiles or smart cards in the group do not require an online update, then CLM does not perform the online update.

Table 11   Revocation policy settings for online updates

Setting Description

Revocation delay

Configures revocation to occur after a specified period (in hours) has passed.

Revocation reason

Selects a standard revocation reason, such as Affiliation Changed.

Publish base CRL

Requires the CA to publish a full CRL at the time of each update.

Publish delta CRL

Requires the CA to publish a delta CRL at the time of each update.

Data Collection

You can configure each management policy in a profile template to collect required data items from either the subscriber or the ILM CMS manager. For example, to document that photo identification for an employee has been verified, you can configure a management policy to require that the certificate manager submit two data collection items: the form of identification, such as a driver’s license, and an identifying characteristic, such as the license number.

To configure Data Collection policy settings

  1. On the Edit Profile Template page, in Data Collection, click Add new data collection item.

  2. On the data collection page that opens, configure the policy settings for each data item.

    Table 12 shows these settings.

Table 12   Data collection policy settings

Setting Description

Name

Names the data item that you want to collect. The CLM Web site displays this name to the user.

Description

Describes the data item that you want to collect. The CLM Web site displays this description to the user.

Type

Defines the type of data that you want to collect. The data type must be a string, date, or number. Indicate whether the data item is required, and provide the default value of the data type, if applicable.

Information provided by

Specifies who must provide the data. Managers can provide data when they initiate or approve requests. Subscribers can provide data when they initiate a self-service request or when they complete a request.

Validation type

Validates the data that the user provides against the specified type by using the following rules:

  • String – Any string is valid.

  • Date – The value must have a correct date format as specified in the Locale settings for the server.

  • Number – The value must be numeric.

ILM CMS validates this data by default. Alternatively, you can configure ILM CMS to validate data against either a provided regular expression or a custom, fully-qualified Microsoft .NET assembly. If you validate data against a custom Microsoft .NET assembly, the assembly must include a class that implements the ICustomItemValidator interface.

Important

Before deleting a custom Microsoft .NET assembly from the system, be sure to remove any references to it in the CLM configuration.

Store data in

Specifies where ILM CMS stores the data. The options are as follows:

  • In the CLM database

  • In the subject of the certificate, in a specific Relative Distinguished Name (RDN) object identifier (also known as OID)

  • In an X.509v3 extension of the certificate

The Subject and Extension options require a custom add-in to the CLM policy module. If you select the Database setting, you can specify whether the data is stored as clear text or encrypted; store values that identify a person on their own, such as a license number, encrypted.

ILM CMS uses regular expressions for data item validation. A regular expression is a text pattern that consists of ordinary characters, such as the letters A through Z, and special characters, which are known as metacharacters. The pattern describes one or more strings to match when searching text. For more information on regular expressions used by ILM CMS, see Appendix B: Regular Expressions.
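As an added illustration, not code from ILM CMS or from this guide, the following Python function applies the Table 12 validation rules to a submitted data item and to a whole submission. The item definitions, the sample values and the driver's license number pattern are constructed for the example, and the server locale is assumed to be en-US (short date MM/DD/YYYY); the product itself performs this validation inside its .NET policy layer, and a custom ICustomItemValidator would replace the per-item rules shown here.

```python
import re
from datetime import datetime

# Assumption: the CLM server locale is en-US, so a "date" item must parse as MM/DD/YYYY.
SERVER_DATE_FORMAT = "%m/%d/%Y"
# A "number" item must be numeric: optional sign, digits, optional fraction.
# float() alone would also accept "nan", "inf" and "1e3", which is not what an operator expects.
NUMBER_RE = re.compile(r"[+-]?\d+(\.\d+)?")


def validate_item(value, item_type, required=True, pattern=None):
    """Validate one data collection value the way Table 12 describes.

    item_type is "string", "date" or "number".  pattern, when given, is a regular
    expression that the whole value must match (the Appendix B option).
    Returns (ok, reason) so the caller can show the reason to the submitter.
    """
    value = "" if value is None else str(value).strip()
    if value == "":
        return (False, "value is required") if required else (True, "empty optional item")

    if item_type == "string":
        pass  # any string is valid
    elif item_type == "date":
        try:
            datetime.strptime(value, SERVER_DATE_FORMAT)
        except ValueError:
            return False, f"not a valid date in server format {SERVER_DATE_FORMAT}"
    elif item_type == "number":
        if not NUMBER_RE.fullmatch(value):
            return False, "not numeric"
    else:
        raise ValueError(f"unknown data item type: {item_type!r}")

    # Regular-expression validation on top of the type check.  fullmatch() is
    # deliberate: re.search() would let "A1234567; DROP TABLE" through because a
    # valid substring exists somewhere inside it.
    if pattern is not None and not re.fullmatch(pattern, value):
        return False, f"does not match pattern {pattern}"
    return True, "ok"


# Constructed data collection items for the photo-ID example in the text.
# The license number format is hypothetical (one letter followed by seven digits).
ITEMS = [
    {"name": "Form of identification", "type": "string", "required": True,
     "pattern": r"(Driver's License|Passport|National ID)"},
    {"name": "License number", "type": "string", "required": True,
     "pattern": r"[A-Z]\d{7}"},
    {"name": "Expiry date", "type": "date", "required": True, "pattern": None},
    {"name": "Age", "type": "number", "required": False, "pattern": None},
]


def validate_submission(submission, items=ITEMS):
    """Validate a whole submission (item name -> value); returns a list of failure messages."""
    failures = []
    for item in items:
        ok, reason = validate_item(submission.get(item["name"]), item["type"],
                                   item["required"], item["pattern"])
        if not ok:
            failures.append(f"{item['name']}: {reason}")
    return failures


if __name__ == "__main__":
    good = {"Form of identification": "Driver's License", "License number": "A1234567",
            "Expiry date": "02/28/2027"}
    bad = {"Form of identification": "Driver's License", "License number": "A1234567; DROP",
           "Expiry date": "02/30/2027", "Age": "forty"}
    print(validate_submission(good))   # []
    print(validate_submission(bad))
```

The point a practitioner should take from the regular-expression branch is the anchoring: a pattern that is only searched for, rather than matched against the whole value, accepts anything that happens to contain a valid-looking substring.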

One-Time Passwords

You can configure each management policy in a profile template to require that a subscriber provide a one-time password to complete a request. You can require up to two passwords, generated either by the ILM CMS default password provider or by a custom provider.

To configure one-time passwords

  1. On the Edit Profile Template page, in One-Time Passwords, click Change password provider settings.

  2. In Password Provider, select and configure one of the options.

    Table 13 shows these options.

Table 13   Password provider options

Setting Description

Default password provider

Generates random, alphanumeric passwords. Password length depends on the number of passwords you specify:

  • One password – A single 12-character password

  • Two passwords – One 12-character password and one 6-character password

All passwords generated by the default password provider include a four-character cyclic redundancy check (CRC) code, and expire in 10 days.

Custom password provider

Implements the password provider for your organization or implements a customized version of the default password provider.

To implement your own password provider, set the password provider type to the fully-qualified Microsoft .NET name of a class that implements the ISecretProvider interface, and set the password provider data to the initialization string that ILM CMS passes to that class's Initialize method.

To customize the default password provider

  1. On the Edit Profile Template page, in One-Time Passwords, click Change password provider settings.

  2. In Password Provider, select Custom password provider.

  3. For Password provider type, type Microsoft.CLME2.BusinessLayer.DefaultSecretProvider.

  4. For Password provider data, type the string corresponding to one of the rules shown in Table 14.

Table 14   Custom password settings

Setting Description

1

Generates one password that has the default length and expiry date.

1,x

Generates one password that has a length of x using the default expiry date.

1,x,y

Generates one password that has a length of x and expiry date in y days.

2

Generates two passwords that have the default length and expiry date.

2,x1,x2

Generates two passwords. The first has length x1; the second has length x2. Both use the default expiry date.

2,x1,x2,y

Generates two passwords. The first has length x1; the second has length x2. Both passwords expire in y days.
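To make the Table 14 rules concrete, here is an added Python emulation of the default password provider's behaviour as this section describes it; it is example code, not the product's own provider or its ISecretProvider interface. It parses the provider-data string into password lengths and an expiry, generates random alphanumeric passwords of those lengths with a four-character check code, and stamps them with an expiry date. The alphabet, the CRC-16 variant and the placement of the check code at the end of the password are assumptions; the text states only that a four-character CRC is included.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumption: passwords use upper-case letters and digits.
ALPHABET = string.ascii_uppercase + string.digits
DEFAULT_LENGTHS = (12, 6)   # one password: 12 chars; two passwords: 12 and 6
DEFAULT_EXPIRY_DAYS = 10
CRC_CHARS = 4               # four-character check code, assumed to be the last four characters


def parse_provider_data(data):
    """Parse a Table 14 string ("1", "1,x", "1,x,y", "2", "2,x1,x2", "2,x1,x2,y").

    Returns (lengths, expiry_days).  Any other shape is rejected rather than
    silently defaulted, so a typo in the profile template is caught at configuration time.
    """
    parts = [p.strip() for p in data.split(",")]
    count = int(parts[0])
    if count not in (1, 2):
        raise ValueError("password count must be 1 or 2")
    lengths = list(DEFAULT_LENGTHS[:count])
    expiry = DEFAULT_EXPIRY_DAYS
    rest = parts[1:]
    if rest:
        if len(rest) < count:
            raise ValueError("a length is required for every password")
        lengths = [int(x) for x in rest[:count]]
        rest = rest[count:]
        if len(rest) > 1:
            raise ValueError("too many fields in provider data")
        if rest:
            expiry = int(rest[0])
    if any(n <= CRC_CHARS for n in lengths) or expiry <= 0:
        raise ValueError("password length must exceed the check code; expiry must be positive")
    return lengths, expiry


def crc16(data):
    """CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF); assumed variant."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def generate_password(length):
    """Random body drawn from the CSPRNG, followed by a 4-hex-digit CRC of the body."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(length - CRC_CHARS))
    return body + format(crc16(body.encode("ascii")), "04X")


def check_code_ok(password):
    """Detect a mistyped password (for example, one read over the phone) before it is submitted."""
    if len(password) <= CRC_CHARS:
        return False
    body, code = password[:-CRC_CHARS], password[-CRC_CHARS:]
    return code == format(crc16(body.encode("ascii")), "04X")


def generate(provider_data, now=None):
    """Return [(password, expires_at), ...] for the given provider-data string."""
    lengths, expiry_days = parse_provider_data(provider_data)
    now = now or datetime.now(timezone.utc)
    return [(generate_password(n), now + timedelta(days=expiry_days)) for n in lengths]


if __name__ == "__main__":
    for pw, exp in generate("2,8,6,3"):
        print(pw, "expires", exp.isoformat(timespec="minutes"))
```

Note that the check code detects typing mistakes only; it adds no secrecy, so the randomness of a 12-character password comes from its first eight characters under this layout.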

Passwords Distribution

ILM CMS can display a one-time password on the screen for the user, send the password in e-mail, or not distribute the password at all.

To configure one-time password distribution methods

  1. On the Edit Profile Template page, in Passwords Distribution, click the distribution method that you want.

    The default method for new passwords is Display on screen.

  2. In One-Time Password Distribution, in Distribution method, select a method.

    Table 15 shows these methods.

  3. If you select an e-mail option, in From, type the account or user name that you want, create the e-mail subject line, and then create the message text.

    Table 16 shows the dynamic text fields that you can use to insert dynamic text from ILM CMS and Active Directory into the message.

Table 15   One-time password distribution methods

Distribution Method Description

Display on screen

Displays the password on the screen to the user executing the request.

Email subscriber

E-mails the password to the user.

Email subscriber’s manager

E-mails the password to the user’s manager, as specified in Active Directory.

Email originator

E-mails the password to the request originator.

Do not distribute

The configured password is not displayed or distributed.

Table 16   Dynamic e-mail fields

Field Description

{Secret1}

Replaced by the value of the first password.

{Secret2}

Replaced by the value of the second password.

{User}

Replaced by the name of the user to whom the profile was issued. This value appears as DOMAIN\UserName.

{Manager}

Replaced by the name of the user's manager, as specified in Active Directory. This value appears as DOMAIN\UserName.

{Originator}

Replaced by the name of the request originator. This value appears as DOMAIN\UserName.

{User!attribute}

Replaced by the value of the specified Active Directory attribute of the user to whom the profile was issued. For example, {User!mail} yields the user's e-mail address, such as syedabbas@contoso.com.

{Manager!attribute}

Replaced by the value of the specified Active Directory attribute of the user's manager, as specified in Active Directory.

{Originator!attribute}

Replaced by the value of the specified Active Directory attribute of the request originator.

{SCSerialNumber}

Replaced by the smart card serial number.

{SCPIN}

Replaced by the smart card personal identification number (PIN).

{SCSequence}

Replaced by the smart card sequence.

{LongDate}

Displays the current date using the long-date format that you specified in the Regional and Language Options for the CLM server.

{ShortDate}

Displays the current date using the short-date format that you specified in the Regional and Language Options for the CLM server.

{LongTime}

Displays the current time using the long-time format that you specified in the Regional and Language Options for the CLM server.

{ShortTime}

Displays the current time using the short-time format that you specified in the Regional and Language Options for the CLM server.

Note

The attribute name that ILM CMS uses to reference a user, manager, or originator attribute is case-sensitive and must match the capitalization in the schema for the attribute. For example, to display the first name for the user, you must use the following dynamic tag: {User!givenName}.
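The substitution rules of Table 16 and the note above, applied by an added Python renderer; this is example code, not the product's e-mail engine. The attribute dictionary, the account names and the secrets are constructed, and the long and short date and time formats stand in for the server's Regional and Language Options, which the example cannot read. The renderer fails closed on an unknown field or a mis-capitalised attribute name instead of sending the literal tag, and secret_fields shows which tags would place a live password or PIN in the message body, which is worth checking before you choose an e-mail distribution method.

```python
import re
from datetime import datetime

TAG_RE = re.compile(r"\{([A-Za-z0-9]+)(?:!([^}]+))?\}")
PRINCIPALS = ("User", "Manager", "Originator")
SECRET_TAGS = ("Secret1", "Secret2", "SCPIN")   # these expand to secrets
PLAIN_TAGS = ("Secret1", "Secret2", "SCSerialNumber", "SCPIN", "SCSequence")

# Assumed formats; the product reads these from the server's Regional and Language Options.
DATE_TIME_FORMATS = {
    "LongDate": "%A, %B %d, %Y", "ShortDate": "%m/%d/%Y",
    "LongTime": "%I:%M:%S %p", "ShortTime": "%I:%M %p",
}


def secret_fields(template):
    """Tags in the template that would place a password or PIN in the message body."""
    return {m.group(1) for m in TAG_RE.finditer(template) if m.group(1) in SECRET_TAGS}


def render(template, ctx, now=None):
    """Expand Table 16 dynamic fields.

    ctx maps "User", "Manager" and "Originator" to dicts of Active Directory
    attributes (plus "domain" and "sAMAccountName" for the DOMAIN\\UserName form),
    and "Secret1", "Secret2", "SCSerialNumber", "SCPIN", "SCSequence" to strings.
    """
    now = now or datetime.now()

    def expand(m):
        name, attr = m.group(1), m.group(2)
        if name in PRINCIPALS:
            principal = ctx[name]
            if attr is None:
                return f"{principal['domain']}\\{principal['sAMAccountName']}"
            if attr not in principal:  # case-sensitive: {User!givenname} is not {User!givenName}
                raise ValueError(f"unknown attribute {attr!r} for {name}; check capitalisation")
            return str(principal[attr])
        if attr is not None:
            raise ValueError(f"{name} does not take an attribute")
        if name in DATE_TIME_FORMATS:
            return now.strftime(DATE_TIME_FORMATS[name])
        if name in PLAIN_TAGS:
            return str(ctx[name])
        raise ValueError(f"unknown dynamic field {{{name}}}")

    return TAG_RE.sub(expand, template)


# Constructed sample context.
CTX = {
    "User": {"domain": "CONTOSO", "sAMAccountName": "syedabbas",
             "givenName": "Syed", "mail": "syedabbas@contoso.com"},
    "Manager": {"domain": "CONTOSO", "sAMAccountName": "alice", "givenName": "Alice"},
    "Originator": {"domain": "CONTOSO", "sAMAccountName": "helpdesk1"},
    "Secret1": "K7PQ2M9XAB4C", "Secret2": "T4V9Q1",
    "SCSerialNumber": "1234567890", "SCPIN": "8123", "SCSequence": "3",
}

TEMPLATE = ("Hello {User!givenName}, a request by {Originator} has been approved.\n"
            "Your first one-time password is {Secret1}; your manager {Manager!givenName} "
            "received the second one.")

if __name__ == "__main__":
    print(sorted(secret_fields(TEMPLATE)))   # ['Secret1']
    print(render(TEMPLATE, CTX))
```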

If you give a user a URL that opens the one-time password page in the subscriber view of the CLM Web site, you can configure the URL so that the page displays the correct number of text boxes for entering one-time passwords. (The default view has two text boxes.) To change the number of text boxes that ILM CMS displays, add the following query string parameter to the end of the one-time password page URL:

https://www.contoso.com/clm/content/sm/auth/Authorization.aspx?PasswordCount=1

The PasswordCount value determines the number of text boxes that ILM CMS displays. Supported values are 1 and 2.

Document Printing

As part of the workflow for a specific policy, ILM CMS might have to distribute printed instructions to a user. ILM CMS can print these documents from the CLM server or from a client computer as part of the workflow. PIN cover letters, which include the PIN and instructions for using it, are typically printed from the server. Other documents, such as confirmation letters and instructions for installing the Microsoft Certificate Lifecycle Manager Client, are often printed from client computers.

For more information about document printing, see Appendix C: Document Printing.

To configure document printing

  1. On the Edit Profile Template page, in Document Printing, click Add new document to be printed.

  2. In Printed Document Information, type a name for the document that you want to print.

    Use a friendly name that a user can understand easily.

  3. Type a description that a user will see for the document that you want to print. Type the full path to the document template.

  4. Type the Multipurpose Internet Mail Extensions (MIME) type for the document.

  5. In Document Print Location, click Print on Client or Print on Server.

Configuring a Profile Template for Smart Card Certificates

As with profiles for software-based certificates, after you create a smart card profile template, you must configure its general settings and management policies. The default view of the Edit Profile Template page is Profile Details, as indicated in the navigation area. Table 17 shows the sections that are available in this view of the Edit Profile Template page.

Table 17    Smart card profile template sections

Setting Description

General Settings

Defines parameters common to all workflow items in the profile template.

Certificate Templates

Lists the certificate template(s) associated with the profile template.

Smart Card Configuration

Defines smart card options.

Management policy list

Links to all management policies associated with the profile template.

The following topics describe how to configure these settings for smart card certificate profiles. For more information about configuring software-based certificate profiles, see Configuring a Profile Template for Software-Based Certificates.

General settings: smart card profile templates

To configure general settings for smart card profile templates

  1. To configure settings in General Settings of the Edit Profile Template page, click Change general settings.

  2. Under General Settings, configure settings for the profile template.

    There are four sections that have settings that an administrator can configure. Table 18 shows these settings.

Table 18   General settings for smart card profile templates

Section Description

Name and Description

Names the profile template and provides a description for it. You can change the Active Directory common name for the template only when you copy the profile template; afterward, you cannot change the common name.

Key Generation

Requires that ILM CMS generate encryption keys for a certificate on the server, rather than on a smart card or client computer. When you select the server key generation setting, you can use the default server key generator or specify a custom key generator. If you must implement newer hashing algorithms that are not supported natively by ILM CMS or Windows Server 2003, use a custom key generator.

If you use a custom key generator, specify the following information:

  • Custom server key generator type – This must be a fully-qualified Microsoft .NET type name implementing the IServerKeyGenerator interface.

  • Custom server key generator data – This is a free text field for data that is passed as a string to the server key generator object when ILM CMS starts.

External Certificates

Associates external certificates with a profile template. A CLM profile template can contain certificates that were issued outside the ILM CMS environment, such as certificates that were issued through automatic enrollment, by the MMC Certificates snap-in, or by a custom application. If you associate external certificates with a profile template, specify the maximum number of external certificates that ILM CMS allows.

Smart Card Support

Enables the profile template to support smart cards. To do this, you select the Supports smart cards check box. A profile template cannot support both smart cards and software-based certificates; enabling smart card support makes the profile template unusable for software-based certificates. If you deploy both smart cards and software-based certificates, create separate profile templates for them.

Certificate templates: smart card profile templates

On the Edit Profile Template page, you can assign certificate templates to a profile template in the Certificate Templates section. Each profile template must have at least one certificate template associated with it.

If you copy a profile template that has certificate templates associated with it already, ILM CMS lists those certificate templates in the new profile template.

Important

Because each profile template must have at least one certificate template associated with it, we recommend that you add new certificate templates before you delete unwanted ones.

To assign certificate templates to a profile template

  1. On the Edit Profile Template page, in Certificate Templates, click Add new certificate template.

  2. Configure the general options for the certificate templates that you want to add.

    Table 19 shows the options.

  3. In Certificate Authorities, select a CA from the list of all available CAs.

  4. In Certificate Templates, select certificate templates that you want to add to the profile template.

    Certificate Templates lists all certificate templates published by the selected CA.

  5. To add certificate templates from a different CA, repeat steps 3 and 4 of this procedure.

  6. Click Add.

Table 19   General options for smart card certificate templates

Setting Description

Show advanced options

Allows the user who requests the certificate to specify certificate parameters, including the CSP for the certificate and options for the certificate store, key size, key set, and key container name.

Allow raw request

Allows you to paste the contents of a PKCS #10 file or a CMC certificate request file into the subscriber view of the CLM Web site. You typically use this setting to create certificates for Web servers.

To delete certificate templates from a profile template

  1. On the Edit Profile Template page, in Certificate Templates, select the certificate templates that you want to delete.

  2. Click Delete selected certificate templates.

Smart card configuration settings

To change smart card settings for a profile template

  • On the Profile Details page, in Smart Card Configuration, click Change settings to modify the smart card settings for the profile template.

    Table 20 shows these options.

Table 20   Smart card configuration settings (grouped by section)

Section Description

Provider information

Defines the name of the smart card provider.

Processing details

Configures how ILM CMS processes smart cards as part of management policy workflows. The following settings are available:

  • Initialize new card prior to use – Deletes any existing certificates from a smart card prior to enrollment.

  • Reuse retired card – Issues a retired smart card to a new user.

  • Use secure key injection – Securely transmits and injects encryption keys that were generated on the CLM server onto a smart card using cryptographic methods.

  • Install CA certificate(s) – Installs the CA certificate(s) on a smart card during any operation in which ILM CMS writes certificates to the smart card, such as enrollment, renewal, or recovery.

  • Certificate label text – Defines the label that ILM CMS writes for each certificate. The label can include dynamic data that is resolved when the certificate is processed. The following fields are available:

    • {User} – Replaced with the user name of the person to whom the certificate is issued.

    • {User!attribute} – Replaced with the specified Active Directory attribute of the user of the certificate. For example, {User!mail} returns the e-mail address of the user of the certificate.

    • {Template!attribute} – Replaced with the specified Active Directory attribute of the certificate template object. For example, {Template!cn} returns the common name of the certificate template associated with the certificate.

  • Maximum number of certificates – Limits the total number of certificates that ILM CMS allows on a smart card.

Settings specific to the Microsoft Base Smart Card CSP

Configures settings specifically for the Microsoft Base Smart Card CSP. The following settings are available:

  • Diversify Admin Key – Requires that every Microsoft Base Smart Card CSP compliant smart card that ILM CMS manages has its own administrative key, derived per card rather than shared, so that an administrative key recovered from one card cannot be used to administer any other.

  • Admin key initial value (hex) – Specifies, as a hexadecimal string, the 3DES key that ILM CMS uses as the initial administrative key for blank Microsoft Base Smart Card CSP compliant smart cards.

  • Smart Card Initialization Provider – Defines the provider type. ILM CMS has a default smart card initialization provider. Alternatively, you can customize the smart card initialization functionality with a custom smart card initialization plug-in; use this setting to enter the custom initialization provider type.

  • Smart card initialization provider data – Supplies initialization data to a custom smart card initialization provider. If you use a custom provider, enter the initialization data that the plug-in expects.

Administrative and user PINs

If you are using a legacy CSP (a PKCS #11 module supplied with smart card-specific middleware), you can configure settings to administer and use PINs for a smart card. The following settings are available:

  • Admin PIN rollover – Automatically writes a new administrative PIN to the smart card each time a smart card management action, such as an unblock, is performed. ILM CMS stores the current administrative PIN for each smart card.

  • Admin PIN length – Defines a value for the number of administrative PIN characters.

  • Admin PIN character set – Specifies the character set that is appropriate for the administrative PIN policy for the smart card.

  • Admin PIN initial value – Defines the administrative PIN that the smart card manufacturer originally configured.

  • User PIN policy – Specifies how ILM CMS generates and distributes user PINs. The following settings are available:

    • Randomized – Generates a random user PIN that ILM CMS does not store on the CLM server. The smart card must then be unblocked to set the user PIN.

    • Server Distributed – Assigns a user PIN and stores the PIN for future reference. Use this setting if you send PIN letters to distribute user PINs.

    • User Provided – Requires the user to provide the user PIN. Use this setting for self-service enrollment.

    • Custom Server Distributed – Adds a custom PIN generator to ILM CMS.

  • User PIN character set – Defines the character set that is appropriate for the user PIN policy for the smart card.

Printing smart cards

Defines smart card printing options. The following settings are available:

  • Print project name – Lists the name of the project file as saved in ID Works.

  • Card Name – Lists the name of the smart card definition in the ID Works project file. The smart card name defines the layout of the printed smart card.

  • Print Project Field Mapping – Lists the fields that map in ID Works.

Note

Only configure these settings if you print smart cards, and have already used Datacard ID Works 5.1, Enterprise Edition identification software to configure smart card design and field mappings.

For more information about smart card printing, see Appendix D: Smart Card Printing.

To enable administrator key diversification for a smart card profile template

  1. On the Profile Template Management page, click a smart card profile template to manage.

  2. On Edit Profile Template page, under Smart Card Configuration, click Change settings.

  3. Under Microsoft Smart Card Base CSP, select the Diversify Admin Key check box, and then type an initial administrator key value in Admin key initial value (hex).

  4. Select the Default option for Smart Card Initialization Provider, and then enter the certificate thumbprint of the certificate that you want to use to create a hash value for the new administrator key.

    The certificate that you use to diversify the admin key must support SHA-256.
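An added Python illustration of what administrator key diversification provides; this is example code, not the product's algorithm, which the page describes only as a hash involving the selected certificate and requiring SHA-256 support. A per-card 3DES administrative key is derived from a master secret and the card's serial number with HMAC-SHA256, so the server can recompute any card's key on demand while no two cards share one. The master secret, the card serials and the key-derivation construction are assumptions. Two checks a practitioner wants are included: the hexadecimal initial value must decode to a 16- or 24-byte 3DES key, and a key whose DES subkeys coincide degrades to single DES.

```python
import hashlib
import hmac


def parse_admin_key_hex(text):
    """Decode the 'Admin key initial value (hex)' field; 3DES keys are 16 or 24 bytes."""
    key = bytes.fromhex(text.replace(" ", ""))
    if len(key) not in (16, 24):
        raise ValueError(f"3DES key must be 16 or 24 bytes, got {len(key)}")
    return key


def set_odd_parity(key):
    """DES keys carry odd parity in the low bit of every byte; fix it up after derivation."""
    out = bytearray()
    for b in key:
        top = b & 0xFE
        out.append(top | (0 if bin(top).count("1") % 2 else 1))
    return bytes(out)


def des_subkeys(key):
    """Split a 16- or 24-byte 3DES key into (K1, K2, K3); two-key 3DES reuses K1 as K3."""
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    return parts if len(parts) == 3 else parts + [parts[0]]


def is_degenerate_3des(key):
    """True if K1 == K2 or K2 == K3: encrypt-decrypt-encrypt then collapses to single DES."""
    k1, k2, k3 = des_subkeys(key)
    return k1 == k2 or k2 == k3


def diversify_admin_key(master_secret, card_serial, key_len=24):
    """Per-card admin key = HMAC-SHA256(master_secret, serial), truncated and parity-adjusted.

    Hypothetical KDF for illustration: deterministic, so the server can recompute the
    key for any card, and one-way, so a key read out of one card reveals neither
    master_secret nor any other card's key.
    """
    if key_len not in (16, 24):
        raise ValueError("key_len must be 16 or 24")
    mac = hmac.new(master_secret, card_serial.encode("ascii"), hashlib.sha256).digest()
    key = set_odd_parity(mac[:key_len])
    if is_degenerate_3des(key):  # astronomically unlikely, but never hand out a weak key
        raise RuntimeError(f"degenerate 3DES key derived for {card_serial}; rotate the master secret")
    return key


if __name__ == "__main__":
    # Constructed values: a placeholder initial key and two card serials.
    initial = parse_admin_key_hex("0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF")
    print("initial key degenerate:", is_degenerate_3des(initial))   # True: K1 == K2 == K3
    master = hashlib.sha256(b"hypothetical master secret").digest()[:24]
    for serial in ("SC-000001", "SC-000002"):
        print(serial, diversify_admin_key(master, serial).hex())
```

The placeholder initial value in the example repeats one 8-byte block three times, which is exactly the kind of value the degeneracy check is there to catch: it is formally a 24-byte key but offers only single-DES strength.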

If you are using a hardware security module (HSM) to protect keys on your CA, you must modify the default CSP data for the certificate template.

To enable administrator key diversification using an HSM

  1. Log on to the CA as a user with the Manage CA permission.

  2. Click Start, click Run, type mmc, and then click OK.

  3. In the console tree, click Certificate Templates.

  4. In the details pane, right-click the CLM Agent user account certificate template, and then click Duplicate Template.

    The default certificate template for the CLM Agent user account is User.

    Note

    We recommend that you give this certificate template a user-friendly name that makes it easy to identify for use with an HSM.

  5. Right-click the duplicate certificate template and then click Properties.

  6. In the Properties dialog box, click the Request Handling tab, and then click CSPs.

  7. In the CSP Selection dialog box, clear the check box for the HSM CSP, select the Microsoft Enhanced RSA and AES Cryptographic Provider check box, and then click OK.

  8. Click the General tab, select the Publish certificate in Active Directory check box, and then click OK.

    Note

    The CA must also be configured to issue the duplicate template (in the Certification Authority snap-in, right-click Certificate Templates, point to New, and then click Certificate Template to Issue) before the template appears in the Certificate Request Wizard in step 21.

  9. Log off the CA.

  10. Log on to a CLM server with the CLM Agent user account.

  11. Click Start, click Run, type mmc, and then click OK.

  12. In the File menu, click Add/Remove Snap-in.

  13. In the Add/Remove Snap-in dialog box, click Add.

  14. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  15. On the Certificates snap-in page, select My user account, and then click Finish.

  16. In the Add Standalone Snap-in dialog box, click Close.

  17. In the Add/Remove snap-in dialog box, click OK.

  18. In the console tree, expand Certificates - Current User, and then expand Personal.

  19. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  20. On the Welcome to the Certificate Request Wizard page, click Next.

  21. On the Certificate Types page, click the duplicate template that you created in step 4 (a copy of User), select the Advanced check box, and then click Next.

  22. On the Cryptographic Service Provider page, select Microsoft Enhanced RSA and AES Cryptographic Provider, and then click Next.

  23. On the Certification Authority page, click Next.

  24. On the Certificate Friendly Name and Description page, type a friendly name and description, and then click Next.

  25. On the Completing the Certificate Request Wizard page, click Finish.

  26. In the details pane, double-click the new certificate, and then click the Details tab.

  27. On the Details tab, scroll through the available fields, click Thumbprint, and then click Copy to File or note the certificate thumbprint on paper for later use.

  28. Log on to CLM as an administrator.

  29. On the Home page, under Administration, click Manage profile templates.

  30. On the Profile Template Management page, click a smart card profile template to manage.

  31. On Edit Profile Template page, under Smart Card Configuration, click Change settings.

  32. Under Microsoft Smart Card Base CSP, select the Diversify Admin Key check box, and then type an initial administrator key value in Admin key initial value (hex).

  33. Select the Default option for Smart Card Initialization Provider, and then type the certificate thumbprint that you noted earlier in this procedure.

    The certificate that you use to diversify the admin key must support SHA-256.

Management policies: smart card profile templates

Each CLM profile template contains a group of management policies that you can configure. These policies define the workflow and data collection for that profile template, and the principals who participate in its certificate management process.

To access management policies for smart card profile templates

  1. Log on to ILM CMS as an administrator.

  2. On the Home page, in Administration, click Manage profile templates.

  3. On the Profile Template Management page, click the link for the profile template that has the policy that you want to access.

  4. Under Select a view, click the link for the policy that you want to access.

    All management policies associated with a profile template are listed under Select a view.

Smart card profile templates include the same management policies that are available for software-based certificate profiles:

  • Duplicate

  • Enroll

  • Online Update

  • Recover on Behalf

  • Renew

  • Suspend and Reinstate

For information about these six policies and their workflow settings, see Management policies: software-based certificate profile templates.

In addition, ILM CMS has the following additional management policies unique to smart card profiles:

  • Replace

  • Disable

  • Retire

  • Temporary Cards

  • Unblock

  • Offline Unblock

Table 21 shows these policies.

Table 21   Management policies specific to smart card profile templates

Policy Description

Replace

Enables profile recovery if a smart card is lost or stolen. The Replace policy issues new signing certificates and reissues encryption certificates that are archived in the CA database. Optionally, you can issue new versions of encryption certificates and thereby revoke the archived encryption certificates.

Disable

Disables all certificates on a smart card before they expire.

Retire

Revokes all certificates on a smart card and defines whether a smart card may be used again after its retirement. You can also use this policy to perform administrative operations against the smart card during the retirement process; additional operations include erasing all user data on the smart card, blocking user and administrative PINs, and resetting the administrative PIN.

Temporary Cards

Issues temporary smart cards. You typically issue temporary smart cards as short-term replacements for misplaced or forgotten smart cards, or to give a user who has no existing certificates, such as a temporary employee or consultant, temporary access to the network. If a user has an existing smart card, you can temporarily revoke the signing certificates on that smart card, and then reinstate them when the temporary smart card expires.

Unblock

Defines who can initiate a request to unblock the user PIN for a smart card. You typically invoke this policy when a user forgets a PIN, or when a manufacturer ships a smart card with an initial PIN that the CLM server changes and must unblock prior to use.

Offline Unblock

Defines who can initiate a request to unblock the user PIN for a smart card of an offline user. You typically invoke this policy when a user forgets a PIN and does not have connectivity to the CLM server. This unblock process requires the manual intervention of a Help Desk operator.

Management policy workflows: smart card profile templates

As with profile templates for software-based certificates, each management policy in a smart card profile template has settings that you can configure to define the workflow for that policy. Most policy workflow settings for smart card profile templates are identical to those for software-based certificates. For more information, see Management Policy Workflows: software-based certificate profile templates.

The following topics describe the management policy workflow settings that are unique to smart card profiles.

Workflow: Smart Card Application Management

Smart cards might include applications in the form of Java applications, such as an application that maintains a credit balance for buying food at a company cafeteria. You can configure ILM CMS to manage smart card applications at the policy level in smart card profile templates. If you add a new application to a smart card or change an existing application, the Online Update policy allows you to update or add the smart card application.

To configure smart card application management

  1. On the specific management policy name, under Workflow: Smart Card Application Management, click Change smart card application management settings.

  2. To enable smart card application management, select the Enable personalization check box.

  3. Type the path to the smart card application management profile file.

    This file must be a valid XML file that contains the smart card application management settings. Smart card application management runs as part of the policy workflow and is integrated into the workflow before ILM CMS invokes the Certificate Lifecycle Manager Client.

Temporary smart cards policy settings

The Temporary Cards policy has several general workflow settings unique to that policy. Table 22 shows these settings.

Table 22   Temporary Cards policy workflow settings

Setting Description

Number of temporary smart cards allowed

Defines the number of active temporary smart cards that a user can have at one time.

Validity period

Defines the period (in days) for which the certificates issued for a temporary smart card are valid.

Temporary card issuance prerequisites

Defines prerequisites that must be met before temporary smart cards are issued. The available settings include:

  • No permanent card required – A temporary smart card includes only an authentication certificate. The user must not have an existing smart card. You typically use this setting for visitors or temporary workers who require only authentication certificates.

  • Permanent card required – A temporary smart card includes new authentication certificates, and can also include the archived encryption certificates from the user's existing smart card. You can temporarily suspend the existing (linked) smart card while the temporary card is in use.

Allow kiosk retirement

Defines whether a user with a temporary smart card is allowed to retire the smart card at a self-serve kiosk.

Erase user data from the smart card

Defines whether certificates and keys are erased for a user when you retire a temporary smart card.

Block smart card user PIN

Defines whether a user PIN is blocked when you retire a temporary smart card.

Block smart card admin PIN

Defines whether an administrator PIN is blocked when you retire a temporary smart card. Blocking an administrator PIN is irreversible and prevents anyone from reusing the associated smart card.

Reset smart card admin PIN

Defines whether an administrator PIN is reset to the value that is specified in the Smart Card Configuration section of the Profile Details page for this profile template.

Workflow: Unblock Agent for Offline Unblock Requests

The offline unblock policy requires assistance from a certificate manager or help desk operator. In this section, you configure which users and groups can assist a user with this operation. The configured unblock agent obtains the challenge characters from the end user and enters them into the system; the system computes the challenge response, and the agent reads it back to the end user.

To configure unblock agent for offline unblock requests

  1. On the specific management policy name, under Workflow: Unblock Agent for Offline Unblock Requests, click Add new principal for unblock agent.

  2. In Permission, type the name of the new principal (user or group), and then select the permission that you want.

    You can click Lookup in Active Directory to search for users or groups.

  3. Click OK.

Appendix A: Certificate Template Configuration

Appendix A describes the certificate template settings in the Certificate Templates MMC that are relevant to ILM CMS. Each heading in this appendix corresponds to a tab in the Properties page for a certificate template. This appendix does not describe how to configure the other information in the Properties page.

Request Handling tab

You can view the Request Handling tab in the Certificate Templates MMC.

To view the Request Handling tab

  1. In Certificate Templates, right-click a certificate template and select Properties.

  2. In *[TemplateName]*Properties, click the Request Handling tab.

Note

ILM CMS does not support subject handling in certificate templates, so the subject handling settings of a certificate template, which appear under Do the following when the subject is enrolled and when the private key associated with this certificate is used, have no effect for certificates that ILM CMS manages.

Delete revoked or expired certificates (do not archive) setting

If you enable the Delete Revoked or Expired Certificates (do not archive) setting for a smart card certificate template that is managed by ILM CMS, the Certificate Lifecycle Manager Client deletes any revoked or expired certificates that ILM CMS issued using that template. Enabling this setting ensures that profiles managed by ILM CMS maintain only a valid set of authentication certificates. This minimizes the amount of smart card memory required by profiles.

Note

Because the Microsoft Windows 2000 operating system does not support archived key options, you might get errors during enrollment and other certificate management activities if you are using Windows 2000.

CSPs setting

When you use ILM CMS to issue certificates for smart cards, ILM CMS ignores the selected CSPs and uses the CLM profile template configuration instead. As a result, you do not have to install the smart card CSP on the CA in order to issue smart card certificates in ILM CMS.

Note

For software-based certificate profiles, ILM CMS uses the selected CSPs.

Subject Name tab

You can view the Subject Name tab in the Certificate Templates MMC.

To view the Subject Name tab

  1. In Certificate Templates, right-click a certificate template and select Properties.

  2. In *[TemplateName]*Properties, click the Subject Name tab.

Supply in the request setting

By default, ILM CMS does not supply the subject name in the certificate request. Do not select Supply in the request unless you have enabled Show advanced options in the Certificate Templates section of the profile template. Keep in mind that with this option the CA accepts whatever subject the request carries, so the subject of the issued certificate is only as trustworthy as the component that builds the request.

Important

If you are using the Windows Vista® operating system, you must provide the subject name in the certificate request.

Build from this Active Directory information setting

The Build from this Active Directory information setting has two options.

Subject name format setting

When you use the CLM Subject Name Policy Module plug-in, configure Subject name format to None. This prevents the CA from generating unexpected subject name formats in issued certificates and leaves control of the subject name to the CLM Subject Name Policy Module plug-in.

Include this information in alternate subject name setting

The Include this information in alternate subject name setting, which the CLM Web site calls the Subject Alternative Name, has no direct effect on ILM CMS functionality. However, certificates issued through ILM CMS must still satisfy the subject name requirements of the certificate template, which the CA enforces. If the Active Directory data needed to satisfy those requirements is missing when ILM CMS issues a certificate, the CA rejects the request and ILM CMS returns the error that the CA raised. You commonly encounter this error when the template places the user's e-mail address in the subject alternative name but the mail attribute of the user is not populated in Active Directory.

Issuance Requirements tab

You can view the Issuance Requirements tab in the Certificate Templates MMC.

To view the Issuance Requirements tab

  1. In Certificate Templates, right-click a certificate template and select Properties.

  2. In *[TemplateName]*Properties, click the Issuance Requirements tab.

CA certificate manager approval setting

The Issuance Requirements tab lets you require CA certificate manager approval for a certificate template. ILM CMS does not support certificate templates that require this additional approval, so do not enable it on templates that ILM CMS manages. Approval for ILM CMS requests is configured in the management policies of the profile template instead.

This number of authorized signatures setting

When you use an enrollment agent in ILM CMS, configure This number of authorized signatures to 1. With one signature required, you must also set Policy type required in signature to Application policy and set Application policy to Certificate Request Agent.

If This number of authorized signatures is not configured to 1, all certificates issued through an enrollment agent carry the subject name of the enrollment agent rather than that of the intended user.

Note

If you are not using enrollment agents, ILM CMS will use the context of the logged in user to request certificates. As a result, ILM CMS does not require additional signatures.

Appendix B: Regular Expressions

ILM CMS uses regular expressions to validate data. A regular expression is a text pattern consisting of ordinary characters, for example, the letters A through Z, and special characters known as metacharacters. The pattern describes one or more strings to match when searching text.

Table 23 shows examples of regular expressions. Table 24 shows the metacharacters available in ILM CMS.

Table 23   Regular expression examples

Expression Description

^\s*$

Matches a blank line.

\d{2}-\d{5}

Validates an ID number that consists of two digits, a hyphen, and an additional five digits.

\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*

Matches an e-mail address.

Table 24   Regular expression metacharacters available in CLM 2007

Character Description

\

Marks the next character as a special character, a literal, a back reference, or an octal escape. For example, n matches the character n, and \n matches a new line character. The sequence \\ matches \, and \( matches (.

^

Matches the position at the beginning of the input string. In multiline mode, ^ also matches the position following \n or \r.

$

Matches the position at the end of the input string. In multiline mode, $ also matches the position preceding \n or \r.

*

Matches the preceding character or sub-expression zero or more times. For example, zo* matches z and zoo. * is equivalent to {0,}.

+

Matches the preceding character or sub-expression one or more times. For example, zo+ matches zo and zoo, but not z. + is equivalent to {1,}.

?

Matches the preceding character or sub-expression zero or one time. For example, do(es)? matches the do in do or does. ? is equivalent to {0,1}.

{n}

Matches the preceding character or sub-expression exactly n times (n is a nonnegative integer). For example, o{2} does not match the o in Bob, but does match the two o characters in food.

{n,}

Matches the preceding character or sub-expression at least n times (n is a nonnegative integer). For example, o{2,} does not match the o in Bob, but does match all of the o characters in foooood. o{1,} is equivalent to o+, and o{0,} is equivalent to o*.

{n,m}

Matches the preceding character or sub-expression at least n and at most m times (m and n are nonnegative integers, where n <= m). For example, o{1,3} matches the first three o characters in fooooood. o{0,1} is equivalent to o?. Do not place a space between the comma and the numbers.

?

Restricts the matching pattern when this character immediately follows any of the other quantifiers (*, +, ?, {n}, {n,}, {n,m}). A restricted pattern matches as little of the searched string as possible, whereas the default pattern matches as much of the searched string as possible. For example, in the string oooo, o+? matches a single o, while o+ matches all o characters.

.

Matches any single character except "\n". To match any character including "\n", use a pattern such as "[\s\S]".

(pattern)

A sub-expression that matches the pattern and captures the match. You can use the $0...$9 properties to retrieve the captured match from the collection for the resulting match. To match the parenthesis characters "(" and ")", use "\(" or "\)" respectively.

(?:pattern)

A sub-expression that matches the pattern, but does not capture the match. ILM CMS does not capture this match for later use. It is useful for combining parts of a pattern with the or character (|). For example, industr(?:y|ies) is a more economical expression than industry|industries.

(?=pattern)

A sub-expression that performs a positive look-ahead: the match succeeds only at a point where pattern follows, but pattern itself is neither consumed nor captured. For example, Windows (?=95|98|NT|2000) matches Windows in Windows 2000 but not in Windows 3.1. Because the look-ahead consumes no characters, the search for the next match begins immediately after the last match, not after the characters that the look-ahead examined.

(?!pattern)

A sub-expression that performs a negative look-ahead: the match succeeds only at a point where pattern does not follow, and pattern is neither consumed nor captured. For example, Windows (?!95|98|NT|2000) matches Windows in Windows 3.1 but not in Windows 2000. As with the positive form, the search for the next match begins immediately after the last match, not after the characters that the look-ahead examined.

x|y

Matches either x or y. For example, z|food matches z or food. (z|f)ood matches zood or food.

[xyz]

Matches any character in the character set that is enclosed in the brackets. For example, [abc] matches the a in plain.

[^xyz]

Matches any single character that is not in the set enclosed in the brackets. For example, [^abc] matches the p in plain.

[a-z]

Matches any character in the range of characters that is enclosed in the brackets. For example, [a-z] matches any lowercase alphabetic character in the range a through z.

[^a-z]

Matches any single character that is not in the range enclosed in the brackets. For example, [^a-z] matches any character not in the range a through z.

\b

Matches a word boundary, which is the position between a word character and a non-word character (or the start or end of the string). For example, er\b matches the er in never but not the er in verb.

\B

Matches a non-word boundary. For example, er\B matches the er in verb but not the er in never.

\cx

Matches the control character indicated by x. For example, \cM matches a carriage return character, the same as \r. The value of x must be in the range A-Z or a-z. If it is not, ILM CMS treats c as a literal c character.

\d

Matches a digit character, which is equivalent to [0-9].

\D

Matches a non-digit character, which is equivalent to [^0-9].

\f

Matches a form-feed character, which is equivalent to \x0c and \cL.

\n

Matches a new line character, which is equivalent to \x0a and \cJ.

\r

Matches a carriage return character, which is equivalent to \x0d and \cM.

\s

Matches any white space character, which is equivalent to [ \f\n\r\t\v]. White space characters include the space, tab, and form-feed characters.

\t

Matches a tab character, which is equivalent to \x09 and \cI.

\v

Matches a vertical tab character, which is equivalent to \x0b and \cK.

\w

Matches any word character including an underscore, which is equivalent to [A-Za-z0-9_].

\W

Matches any non-word character, which is equivalent to [^A-Za-z0-9_].

\xn

Matches the character with hexadecimal code n. Hexadecimal escape values must be exactly two digits. For example, \x41 matches A, and \x041 is equivalent to \x04 followed by a literal 1. By using \xn, you can include ASCII codes in regular expressions.

\num

A back reference to the captured sub-expression with number num, where num is a positive integer. For example, (.)\1 matches two consecutive identical characters.

\n

Identifies either an octal escape value or a back reference. If \n is preceded by at least n captured sub-expressions, n is a back reference. Otherwise, n is an octal escape value, if n is an octal digit (0-7).

\nm

Identifies either an octal escape value or a back reference. If \nm is preceded by at least nm captured sub-expressions, nm is a back reference. If \nm is preceded by at least n captures, n is a back reference followed by a literal m. If neither of the preceding conditions exists, \nm matches octal escape value nm when n and m are octal digits (0-7).

\nml

Matches an octal escape value nml when n is an octal digit (0-3) and m and l are octal digits (0-7).

\un

Matches n where n is a Unicode character expressed as four hexadecimal digits. For example, \u00A9 matches the copyright symbol (©).
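The following Python script is an added example, not part of the original documentation or of ILM CMS. It runs the three expressions from Table 23 and two constructs from Table 24 against constructed sample values with Python's re module, which supports the same syntax. The page does not say whether the CLM 2007 engine requires the whole field to match, so the script shows both behaviours: found() searches inside the value, and valid() requires the entire value to match, which is what a validation rule normally needs.

```python
import re

# Expressions from Table 23. The trailing "/" printed in the table is a
# delimiter from /pattern/ notation, not part of the expression.
BLANK_LINE = r"^\s*$"
ID_NUMBER = r"\d{2}-\d{5}"
EMAIL = r"\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"

# re.ASCII gives \w, \d and \s the meanings listed in Table 24
# ([A-Za-z0-9_], [0-9], ASCII white space). Without it, Python also
# accepts non-ASCII letters and digits, which the CLM 2007 engine may not.
FLAGS = re.ASCII


def found(pattern, value):
    """True if the pattern matches anywhere inside value (a search)."""
    return re.search(pattern, value, FLAGS) is not None


def valid(pattern, value):
    """True only if the entire value matches the pattern (validation)."""
    return re.fullmatch(pattern, value, FLAGS) is not None


def check(pattern, samples):
    """Map each sample to (found, valid) so the two behaviours can be compared."""
    return {s: (found(pattern, s), valid(pattern, s)) for s in samples}


# Constructed inputs: well-formed values and values carrying extra data.
ID_SAMPLES = ["12-34567", "123-45678", "ab12-34567cd", "12-3456"]
EMAIL_SAMPLES = ["syed.abbas@contoso.com", "bob@contoso.com; DROP TABLE", "user@localhost"]
BLANK_SAMPLES = ["", "   ", " x "]


def greedy_vs_lazy(text="oooo"):
    """o+ takes every o; the lazy form o+? from Table 24 stops after the first."""
    return re.search(r"o+", text).group(), re.search(r"o+?", text).group()


def product_name(text):
    """Positive look-ahead from Table 24: the match is "Windows " (with the
    trailing space) only when a listed version follows; the look-ahead
    itself consumes nothing."""
    m = re.search(r"Windows (?=95|98|NT|2000)", text)
    return m.group() if m else None


if __name__ == "__main__":
    for name, pattern, samples in [("id", ID_NUMBER, ID_SAMPLES),
                                   ("e-mail", EMAIL, EMAIL_SAMPLES),
                                   ("blank", BLANK_LINE, BLANK_SAMPLES)]:
        for sample, (f, v) in check(pattern, samples).items():
            print(f"{name:7} {sample!r:32} found={f!s:5} valid={v}")
    print(greedy_vs_lazy(), product_name("Windows 2000"), product_name("Windows 3.1"))
```

Run the script directly to print the comparison. The column to watch is valid: the unanchored ID and e-mail expressions from Table 23 are found inside values that carry extra data before or after the match, so anchor validation patterns with ^ and $ (or confirm that ILM CMS matches the whole value) before relying on them to reject malformed input.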

Appendix C: Document Printing

As part of the workflow for a specific policy, ILM CMS might have to distribute printed instructions to the user. ILM CMS can print these documents from the CLM server or from a client computer as part of the workflow. PIN cover letters, which include the PIN and instructions for using it, are typically printed from the server. Other documents, such as confirmation letters and instructions for installing the Certificate Lifecycle Manager Client, are often printed from client computers.

The following topics describe document printing in ILM CMS:

  • Document printing requirements

  • Creating a document

  • Configuring a profile template for document printing

  • Automated server printing

  • E-mail distribution attributes

Note

For information about smart card printing, see Appendix D: Smart Card Printing.

Document printing requirements

Printing documents from the CLM server has the following requirements:

  • You must install and register Microsoft Office Word 2003 on the CLM server.

  • You must make Word 2003 available to CLM Agent (CLMAgent).

    Note

    CLMAgent is a software agent that is created during a default installation of ILM CMS. CLMAgent conducts operations for the ILM CMS that require specific permissions. ILM CMS uses this agent's certificate to sign data.

  • You must install a printer and make it available to CLMAgent from the CLM server. This can be a local or network printer.

  • You must assign Launch permissions to CLMAgent for Word 2003 documents in the DCOM object configuration at the CLM server.

  • You must assign Read permissions to CLMAgent for the Program Files\Microsoft Certificate Lifecycle Manager\Print Documents folder.

To configure document printing permissions

  1. Log on to the CLM server as the CLMAgent.

  2. In Word 2003, test printing a document.

  3. Log off from the CLM server.

  4. Log on to the CLM server as a system administrator, click Start, click Run, type dcomcnfg, and then click OK.

  5. In the Component Services console tree, expand Component Services, expand Computers, expand My Computer, and then expand DCOM Config.

  6. In the console tree, right-click Microsoft Word Document, and then click Properties.

  7. On the Security tab, under Launch Permissions, click Customize, and then click Edit.

  8. On the Security page, click Add, select CLMAgent, and then click OK.

  9. On the Security page, ensure that the Local Launch and Local Activation permissions for CLMAgent are both configured to Allow, and then click OK.

  10. On the Security tab, under Access Permissions, click Customize, and then click Edit.

  11. Select CLMAgent, and then ensure that the Local Access permission is configured to Allow.

  12. Click OK to save your changes.

  13. On the Identity tab, select This user.

  14. In User, type CLMAgent.

  15. Type the CLMAgent password, and then type it again to confirm it.

  16. Click OK to exit and save the Word 2003 document properties.

  17. Close the Component Services console.

Creating a document

You can use the following procedure to create ILM CMS policy workflow documents.

To create a document to print as part of a policy workflow

  1. Use Notepad to compose the document.

    Table 25 shows the fields to use to map to dynamic data.

  2. In Notepad, copy the contents of the document, and then paste it into Word 2003.

  3. Save the Word 2003 document, in HTML (.htm) format, to the Print Documents folder at the following location: %ProgramFiles%\Microsoft Certificate Lifecycle Manager\Print Documents.

Table 25   Dynamic fields for CLM 2007 policy workflow documents

Field Description

{Secret1}

Replaced by the value of the first secret.

{Secret2}

Replaced by the value of the second secret.

{User}

Replaced by the value of the user who was issued the profile template. This value appears as DOMAIN\UserName.

{Manager}

Replaced by the value of the manager for the user, as specified in Active Directory. This value appears as DOMAIN\UserName.

{Originator}

Replaced by the value of the request originator. This value appears as DOMAIN\UserName.

{User!attribute}

Replaced by the value of the specified Active Directory attribute of the user to whom the profile was issued. For example, {User!mail} is replaced by the user's e-mail address, such as syedabbas@contoso.com.

{Manager!attribute}

Replaced by the value of the specified Active Directory attribute of the user's manager, as identified by the manager attribute of the user in Active Directory.

{Originator!attribute}

Replaced by the value of the specified Active Directory attribute of the request originator.

{SCSerialNumber}

Replaced by the smart card serial number.

{SCPIN}

Replaced by the smart card PIN.

{SCSequence}

Replaced by the smart card sequence.

{LongDate}

Displays the current date using the long-date format specified in the Regional and Language Options for the CLM server.

{ShortDate}

Displays the current date using the short-date format specified in the Regional and Language Options for the CLM server.

{LongTime}

Displays the current time using the long-time format specified in the Regional and Language Options for the CLM server.

{ShortTime}

Displays the current time using the short-time format specified in the Regional and Language Options for the CLM server.

Configuring a profile template for document printing

After you create a document, you must configure the CLM profile template to print it.

To configure a profile template for document printing

  1. Log on to ILM CMS as an administrator.

  2. On the Home page, in Administration, click Manage profile templates.

  3. On the Profile Template Management page, click the link for the profile template that you want to configure for document printing.

  4. Under Select a view, click the policy you want to configure.

  5. On the Edit Profile Template page, in Document Printing, click Add new documents to print.

  6. In Printed Document Information, configure the document printing settings.

    Table 26 shows these settings.

  7. Choose whether to print the document at the server or at a client computer and click OK.

Table 26   Document printing settings

Setting Description

Name

Lists the name for the document. Type a meaningful name for the document. For example, Coverletter.

Description

Lists a brief description of the document.

Document path

Lists the file name and file name extension. You do not have to include the path.

MIME type

Defines the MIME type. The default is application/msword; you can change it to text/html. For application/msword to work correctly, client computers must have Word 2003 installed; clients without Word 2003 cannot open documents served under that MIME type.

Automated server printing

ILM CMS prints documents from the CLM server automatically when all of the following conditions are met:

  • The profile template is configured for server printing

  • The request initiator is also the executor of the request

  • The number of approvals is configured to 0 (zero)

  • The request type is one of the following:

    • Suspend/reinstate

    • Disable/revoke

    • Retire, with erase user data, block user PIN, block admin PIN, and reset admin PIN all configured to Off

Note

ILM CMS automatically prints documents at the server for all request types serviced through the Bulk Smart Card Issuance Tool.

E-mail distribution attributes

For workflows involving e-mail distribution, ILM CMS permits the use of specific fields that map to dynamic data. Table 27 shows these fields.

Table 27   E-mail dynamic fields

Field Description

{PasswordX}

Displays the one-time password whose number is X.

{User}

Displays the name of the user in a Microsoft Windows NT® 4.0 operating system compatible format.

{Manager}

Displays the name of the manager of the user in a Windows NT 4.0 operating system compatible format.

{Originator}

Displays the name of the originator in a Windows NT 4.0 operating system compatible format.

{User!attribute}

Displays the value of the Active Directory attribute in the subscriber directory entry.

{Manager!attribute}

Displays the value of the Active Directory attribute in the manager directory entry.

{Originator!attribute}

Displays the value of the Active Directory attribute in the originator directory entry.

Note

In some cases, ILM CMS cannot replace a field. For example, ILM CMS cannot replace a field if a user has no manager.
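The following Python function is an added example, not code from ILM CMS. It reproduces the tag substitution described for printed documents (Table 25) and e-mail (Table 27) against a constructed directory and request, so that you can see how {User!attribute}, {Manager!attribute}, the numbered secret and password fields, the smart card fields and the date fields expand, and what happens when a field cannot be replaced. The DIRECTORY and request dictionaries, the en-US date formats and the cover letter text are constructed for the example. The page does not describe exactly what ILM CMS does with a tag it cannot replace, so the example leaves the tag in place and reports it rather than silently printing a blank.

```python
import re
from datetime import datetime

# Constructed sample directory data for this example; not real accounts.
DIRECTORY = {
    "CONTOSO\\syedabbas": {"mail": "syedabbas@contoso.com", "manager": "CONTOSO\\kimakers"},
    "CONTOSO\\kimakers": {"mail": "kimakers@contoso.com"},  # has no manager attribute
}

# A tag is {Name} or {Principal!attribute}; attribute is an LDAP display name.
TAG = re.compile(r"\{([A-Za-z]+[0-9]*)(?:!([A-Za-z][A-Za-z0-9-]*))?\}")

# en-US formats, assumed for the example; ILM CMS uses the regional
# settings of the CLM server.
DATE_FORMATS = {
    "LongDate": "%A, %B %d, %Y", "ShortDate": "%m/%d/%Y",
    "LongTime": "%I:%M:%S %p", "ShortTime": "%I:%M %p",
}
PRINCIPALS = ("User", "Manager", "Originator")


def render(template, request, directory=DIRECTORY, now=None):
    """Expand the tags of Tables 25 and 27 in template.

    request carries the per-request values: "user" and "originator" as
    DOMAIN\\UserName, optional "secrets" and "passwords" lists (Secret1 and
    Password1 are element 0), and SCSerialNumber/SCPIN/SCSequence values.
    Returns (text, unresolved). A tag that cannot be expanded, such as
    {Manager} for a user with no manager, is left in place and reported.
    """
    now = now or datetime.now()
    unresolved = []

    def principal(name):
        if name == "User":
            return request["user"]
        if name == "Originator":
            return request["originator"]
        return directory.get(request["user"], {}).get("manager")  # Manager

    def expand(match):
        name, attr = match.group(1), match.group(2)
        value = None
        if name in PRINCIPALS:
            who = principal(name)
            if who is not None:
                value = who if attr is None else directory.get(who, {}).get(attr)
        elif attr is None:
            numbered = re.fullmatch(r"(Secret|Password)(\d+)", name)
            if numbered:
                items = request.get(numbered.group(1).lower() + "s", [])
                index = int(numbered.group(2)) - 1
                value = items[index] if 0 <= index < len(items) else None
            elif name in DATE_FORMATS:
                value = now.strftime(DATE_FORMATS[name])
            elif name.startswith("SC"):
                value = request.get(name)
        if value is None:
            unresolved.append(match.group(0))
            return match.group(0)  # keep the tag visible instead of printing blank
        return str(value)

    return TAG.sub(expand, template), unresolved


# Constructed cover letter. It carries {SCPIN}, so it is the kind of document
# the page says is printed at the server rather than at a client.
COVER_LETTER = ("{User!mail}: card {SCSerialNumber} was issued on {ShortDate} by "
                "{Originator}. Initial PIN: {SCPIN}. Manager: {Manager!mail}.")


def example():
    request = {"user": "CONTOSO\\syedabbas", "originator": "CONTOSO\\helpdesk1",
               "SCSerialNumber": "A1B2C3", "SCPIN": "4821", "SCSequence": "1",
               "passwords": ["ab12cd"]}
    return render(COVER_LETTER, request, now=datetime(2008, 5, 1, 9, 30))


if __name__ == "__main__":
    text, missing = example()
    print(text)
    print("unresolved:", missing)
    print(render("Hi {User}, manager {Manager!mail}, code {Password1}",
                 {"user": "CONTOSO\\kimakers", "originator": "CONTOSO\\kimakers",
                  "passwords": ["ab12cd"]}))
```

The second call in the usage section renders a document for a user who has no manager attribute, which is the case the note above describes: the text comes back with {Manager!mail} still in it and the tag listed as unresolved, so a workflow can refuse to send or print a letter that would otherwise go out with a placeholder in it.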

Appendix D: Smart Card Printing

ILM CMS supports smart card printing. Smart card printing requires a smart card printing station that is equipped with a smart card printer that is compatible with ILM CMS. It also requires you to install prerequisite software.

The following topics describe smart card printing:

  • Smart card printing requirements

  • Enabling interaction between CLM 2007 and ID Works

  • Defining smart card layout and contents

  • Configuring a profile template for smart card printing

Note

For information about document printing, see Appendix C: Document Printing.

Smart card printing requirements

Table 28 lists the smart card printers that ILM CMS supports.

Table 28   Supported smart card printers

Smart card printer Description

Datacard SP35

Designed for low-to-mid volume one-sided smart card printing.

Datacard SP55

Designed for mid-volume, one- or two-sided smart card printing.

Datacard SP75

Designed for mid- to high-volume, one-or two-sided smart card printing.

To enable smart card printing from a Microsoft Windows® XP operating system or Windows Server 2003 smart card printing station, you must install prerequisite software. Table 29 lists these prerequisites.

Table 29   Prerequisite software for smart card printing

Prerequisite Description

Microsoft .NET Framework version 2.0

You must install the Microsoft .NET Framework on the smart card printing station.

Smart Card CSP and related software

You must install the smart card CSP and support software for your smart cards. If you use a legacy smart card, you must install the CSP and PKCS #11 file. For a base CSP smart card, you must install the Microsoft Base Smart Card CSP and the minidriver for the vendor.

Microsoft Certificate Lifecycle Manager Client

You must install the Certificate Lifecycle Manager Client on each computer where you want to enable smart card enrollment and smart card management activities.

Datacard ID Works 5.1, Enterprise Edition

You must install ID Works on the smart card printing station. The Bulk Smart Card Issuance Tool uses ID Works to print ILM CMS and Active Directory attributes on smart cards.

Bulk Smart Card Issuance Tool

You must install the Microsoft CLM Bulk Smart Card Issuance Tool because it includes plug-ins for interaction with ID Works. You can use the Bulk Smart Card Issuance Tool to bulk print smart cards. It is included with ILM CMS and is available in the CLMBulkClient folder of the ILM CMS installation CD.

Enabling interaction between CLM 2007 and ID Works

After you install ID Works, you configure the software to enable interaction between ILM CMS and ID Works.

To enable interaction between CLM 2007 and ID Works

  1. Install the smart card printer driver.

    This driver allows Microsoft Windows to interact with the smart card printer.

  2. Install the Bulk Smart Card Issuance Tool.

    Bulk Smart Card Issuance registers a custom dynamic-link library (DLL) that allows ILM CMS to pass smart card field mappings to ID Works. ID Works uses these mappings to include data on printed smart cards.

  3. In ID Works Enterprise Administrator, enable Printer Plug-ins.

  4. To enable the correct printer plug-ins to allow the custom ILM CMS DLL to interact with ID Works, follow these steps:

    • In ID Works Enterprise Administrator, on the Printing menu, click Assign Printer Plug-ins.

    • In Installed Printer Name, click Smart Driver.

    • In Printer Plug-in Name, click DataCard ImageCard Select/IV Plug-in.

  5. On the local drive for the smart card printing station, create a project folder for smart card layouts. A typical path for this folder is %ProgramFiles%\Datacard\ID WORKS\Projects.

Defining smart card layout and contents

After you configure the interaction between ILM CMS and ID Works, you can use ID Works Enterprise Designer to define the smart card layout and contents. This requires you to map the attributes you want from the Active Directory and CLM databases to the corresponding variables in ID Works Enterprise Designer. Table 30 shows the ILM CMS and Active Directory field mapping tags for smart card printing. All of the fields in the table correspond to Active Directory attributes, except SCSerialNumber, SCPIN, and SCSequence.

Table 30   CLM 2007 and Active Directory fields

Field Description

{User}

Replaced by the value of the user who was issued the profile template. This value appears as DOMAIN\UserName.

{Manager}

Replaced by the value of the manager for the user, as specified in Active Directory. This value appears as DOMAIN\UserName.

{Originator}

Replaced by the value of the request originator. This value appears as DOMAIN\UserName.

{User!attribute}

Replaced by the value of the specified Active Directory attribute of the user to whom the profile was issued. For example, {User!mail} is replaced by the user's e-mail address, such as syedabbas@contoso.com.

{Manager!attribute}

Replaced by the value of the specified Active Directory attribute of the user's manager, as identified by the manager attribute of the user in Active Directory.

{Originator!attribute}

Replaced by the value of the specified Active Directory attribute of the request originator.

{SCSerialNumber}

Replaced by the smart card serial number. This field is not an Active Directory attribute.

For example, to map the ID Works Serial variable to the ILM CMS attribute tag for the smart card serial number, define the field as follows:

Serial:{SCSerialNumber}

{SCPIN}

Replaced by the smart card PIN. This field is not an Active Directory attribute.

{SCSequence}

Replaced by the smart card sequence. This field is not an Active Directory attribute.

{LongDate}

Displays the current date, using the long-date format, which is specified in the Regional and Language Options for the CLM server.

{ShortDate}

Displays the current date, using the short-date format, which is specified in the Regional and Language Options for the CLM server.

{LongTime}

Displays the current time, using the long-time format, which is specified in the Regional and Language Options for the CLM server.

{ShortTime}

Displays the current time, using the short-time format, which is specified in the Regional and Language Options for the CLM server.

The variable names used in ID Works are not predefined. You can choose any name for a variable, as long as you use that name, matching the case, in the smart card layout definition. If the smart card design requires multiple field mappings, separate the fields using semicolons.

After you have defined the smart card layout, save the resulting project file to the smart card layout projects folder on the smart card printing station.
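The following Python helper is an added example, not part of ILM CMS or ID Works. It parses a Print project field mapping string of the form described above (Variable:{Tag} entries separated by semicolons) into a dictionary, rejects tags that Table 30 does not list, and compares the variable names with those used in the card design, since ID Works variable names must match exactly, including case. The mapping strings and design variable lists are constructed for the example.

```python
import re

# Tags that ILM CMS substitutes into ID Works fields (Table 30).
SIMPLE_TAGS = {"SCSerialNumber", "SCPIN", "SCSequence",
               "LongDate", "ShortDate", "LongTime", "ShortTime"}
PRINCIPALS = {"User", "Manager", "Originator"}  # may carry !attribute

# One entry: an ID Works variable name, a colon, and exactly one {tag}.
ENTRY = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*\{([A-Za-z]+)(?:!([A-Za-z][A-Za-z0-9-]*))?\}$")


def parse_mapping(mapping):
    """Parse 'Serial:{SCSerialNumber};Name:{User!displayName}' into
    {variable: tag}. Raises ValueError for an entry that is malformed,
    uses a tag outside Table 30, or maps the same variable twice."""
    result = {}
    for entry in mapping.split(";"):
        entry = entry.strip()
        if not entry:  # tolerate a trailing semicolon
            continue
        m = ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed entry: {entry!r}")
        var, name, attr = m.groups()
        if name in PRINCIPALS:
            pass  # attribute is optional for User, Manager and Originator
        elif name in SIMPLE_TAGS and attr is None:
            pass
        else:
            raise ValueError(f"unknown tag in entry: {entry!r}")
        if var in result:
            raise ValueError(f"variable mapped twice: {var}")
        result[var] = "{" + name + ("!" + attr if attr else "") + "}"
    return result


def compare_with_design(mapping, design_variables):
    """Return (mapped names absent from the design, design names left unmapped).
    ID Works variable names are case-sensitive, so 'name' in the design does
    not satisfy a mapping for 'Name'."""
    mapped = set(parse_mapping(mapping))
    design = set(design_variables)
    return sorted(mapped - design), sorted(design - mapped)


if __name__ == "__main__":
    # Constructed mapping and card design; "name" is a case mismatch for "Name".
    mapping = "Serial:{SCSerialNumber};Name:{User!displayName};Issued:{ShortDate};"
    print(parse_mapping(mapping))
    print(compare_with_design(mapping, ["Serial", "name", "Issued", "Photo"]))
```

Run the mapping through compare_with_design() before you save the profile template: a non-empty first list means a field that will not line up with the card design, and a non-empty second list means a design element that will be printed without data.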

Configuring a profile template for smart card printing

After you define the smart card layout and contents using ID Works, you configure the CLM profile template to print it.

To configure a profile template for smart card printing

  1. Log on to ILM CMS as an administrator.

  2. On the Home page, in Administration, click Manage profile templates.

  3. On the Profile Template Management page, click the link for the profile template that you want to modify for smart card printing.

  4. On the Edit Profile Template page, in Smart Card Configuration, click Change settings.

  5. In Printing, select the Print smart card check box.

  6. For Print project name, type the name of the project file that you used when you saved the file in ID Works Enterprise Designer.

  7. In Card name, type the name of the smart card definition that you used in the ID Works project file, for example, Employee.

    The smart card name defines the layout of the printed smart card.

  8. In Print project field mapping, type the field names that you used in ID Works Enterprise Designer, and then click OK.

Appendix E: Assigning Approval Permissions Using Active Directory Permissions

You can optionally allow managers, as defined by the Active Directory manager attribute of the user, to be assigned Approval permissions for all requests that their employees originate.

To enable this, change the value in <add key="Clm.RequestSecurity.ManagerCanApprove" value="false" /> in the Web.config file to true. The change applies to new requests only. Because the permission is derived from the manager attribute, anyone who can write that attribute in Active Directory can determine who may approve a user's requests, so protect write access to it accordingly.