Configuring SSL on FIM CM Server
Applies To: Forefront Identity Manager 2010
Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) is a policy and workflow-driven solution that helps organizations manage the lifecycle of digital certificates and smart cards. FIM CM lowers the costs that are associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. FIM CM streamlines provisioning, deprovisioning, configuration, and auditing of digital certificates and smart cards, and increases security through strong, multifactor authentication technology.
This document provides step-by-step instructions for installing and configuring a FIM CM profile template and management policies so that you can then activate SSL connection capability on your FIM CM server.
This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:
How certificates work in Windows Server®.
Basic knowledge of Active Directory® and Windows Server.
For more information about Windows Server certificates, see Infrastructure Planning and Design (https://go.microsoft.com/fwlink/?LinkId=89435). For more information about Windows Server and Active Directory, see Active Directory Collection (https://go.microsoft.com/fwlink/?LinkID=45505).
This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan and develop certificate management on the network.
The procedures in this document require 60 to 90 minutes to complete.
Note
These time estimates assume that the testing environment is already configured and ready for testing to begin. They do not include the time required to set up the test environment.
The procedures in this document will help you create and configure a FIM CM profile template and use the CLM portal to request a Web Server certificate.
To perform the procedures in this document, it is assumed that your test environment has been set up and configured.
Your environment should consist of the following:
Windows Server, named FIMCMServer
FIM CM, installed on FIM CM Server
A minimum of one certification authority (CA) installed, named FIMCM, which can be either an enterprise root CA or an enterprise subordinate CA
Microsoft SQL Server
Internet Information Services (IIS), with the Simple Mail Transfer Protocol (SMTP) service activated
Microsoft .NET Framework
In addition, this document assumes that all computers are members of the Fabrikam.com forest.
Note
You can test the results of the procedures in this document on a single computer that has all of these components. However, for your production environment, we strongly recommend that you not set up FIM CM and Active Directory on the same computer for performance reasons.
To perform the procedures in this guide, you must create a user and security group that is delegated the minimum permissions necessary to perform the procedures.
Log on as the administrator.
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, right-click Users, and then click New User.
On the New User page, type FIMCM_Template for the user name, enter a password, clear the User must change password at next logon check box, and then click Finish.
Right-click Users, and then click New Group.
For the group name, enter FIMCM_Template_Admins, ensure that the group scope is set to Global and that the group type is set to Security, and then click OK.
In the details pane, right-click FIMCM_Template_Admins, and then click Properties.
Click the Members tab, and add the user FIMCM_Template to the group.
The FIMCM_Template_Admins group needs the necessary permissions to create and configure profile templates in FIM CM.
Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
Click View, and ensure that Show Services Node is selected.
Double-click Services, double-click Public Key Services, and then click Profile Templates.
Right-click Profile Templates, and then click Properties.
Click the Security tab, add the FIMCM_Template_Admins group, and then click OK.
In Group or user names, select FIMCM_Template_Admins, and then allow Full Control.
Click Advanced, select FIMCM_Template_Admins, and then click Edit.
In Apply onto, click This object and all child objects, and then click OK three times to exit.
Close Active Directory Sites and Services.
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Click View, and ensure that Advanced Features is selected.
Double-click the domain, double-click System, double-click Microsoft, double-click Certificate Manager, and then click FIMCMServer.
Right-click FIMCMServer, and then click Properties.
Click the Security tab, add the FIMCM_Template_Admins group, and allow the FIM CM Audit permission. Ensure that you also allow the Read permission.
Click OK.
Close Active Directory Users and Computers.
Click Start, click Run, type certtmpl.msc, and then click OK.
In the right pane, click Web Server, and then click Properties.
Click the Security tab, add the FIMCM_Template_Admins group, and allow the Read and Enroll permissions.
Click OK.
Close Certificate Templates.
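The procedure above creates the account and group in the GUI and then delegates permissions on three directory objects by hand. The following PowerShell script is an added example, not part of the original document: it creates the same FIMCM_Template user and FIMCM_Template_Admins group with the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), and then lists the access-control entries that the group now holds on each of the three delegated objects so you can confirm the GUI steps took effect. The CN=Users path, the server object name FIMCMServer and the template object name WebServer are taken from the document; everything else is an assumption of this example.

```powershell
# Added example, not from the original document: create the user and group from the
# procedure above, then report the ACEs the group holds on the delegated objects.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName          # e.g. DC=Fabrikam,DC=com
$configDn  = (Get-ADRootDSE).configurationNamingContext
$usersPath = "CN=Users,$domainDn"                      # assumed: the default Users container

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -AsSecureString -Prompt "Password for FIMCM_Template"

New-ADUser -Name "FIMCM_Template" -SamAccountName "FIMCM_Template" -Path $usersPath `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false

New-ADGroup -Name "FIMCM_Template_Admins" -SamAccountName "FIMCM_Template_Admins" `
    -Path $usersPath -GroupScope Global -GroupCategory Security

Add-ADGroupMember -Identity "FIMCM_Template_Admins" -Members "FIMCM_Template"

# The three objects the procedure delegates, with the permission expected on each.
$delegated = @(
    @{ Name = "Profile Templates container"; Expect = "Full Control on this object and all child objects";
       Dn = "CN=Profile Templates,CN=Public Key Services,CN=Services,$configDn" },
    @{ Name = "FIM CM server object";        Expect = "Read and FIM CM Audit";
       Dn = "CN=FIMCMServer,CN=Certificate Manager,CN=Microsoft,CN=System,$domainDn" },
    @{ Name = "Web Server certificate template"; Expect = "Read and Enroll";
       Dn = "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn" }
)

foreach ($obj in $delegated) {
    Write-Host "`n$($obj.Name) -- expected: $($obj.Expect)"
    # Extended rights such as Enroll and FIM CM Audit appear as ActiveDirectoryRights =
    # ExtendedRight with the right's GUID in ObjectType; Full Control appears as GenericAll.
    $acl = Get-Acl -Path ("AD:\" + $obj.Dn)
    $acl.Access |
        Where-Object { $_.IdentityReference -like "*\FIMCM_Template_Admins" } |
        Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                     InheritanceType, ObjectType -AutoSize
}
```

Run it as a domain administrator after completing the GUI delegation steps; an empty table for any of the three objects means that step did not take effect. The script deliberately does not write the ACEs itself, so that it cannot silently grant more than the procedure describes.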
To create a new profile template, you will have to copy an existing template. Two sample templates are provided with FIM CM for this purpose.
Log in as FIMCM_Template.
In Internet Explorer, open https://CLMServer/clm.
Click the Certificate Manager logo.
On the Home page of the FIM CM Web Portal, in the Administration section, click Manage profile templates.
On the Profile Template Management page, in the Profile Template List section, select the FIM CM Sample Profile Template check box, and then click Copy a selected profile template.
On the Duplicate Profile page, in the Profile Template Name section, in the New Profile Template Name text box, type Web Server SSL Certificates, and then click OK.
For each profile template, you must configure a set of General Settings as well as settings for the certificate template that is used by the profile template.
In the FIM CM Web Portal, in the navigation pane, in the Select a view section, ensure that Profile Details is selected.
On the Edit Profile Template [Web Server SSL Certificates] page, in the General section, click Change general settings.
On the Edit Profile Template [Web Server SSL Certificates] page, in the Name and Description section, in the Description text box, type Allows issuance and management of Web Server SSL Certificates.
On the Edit Profile Template [Web Server SSL Certificates] page, leave all other settings at their default value, and then in the lower-right section of the page, click OK.
On the Edit Profile Template [Web Server SSL Certificates] page, in the Certificate Templates section, click Add new certificate template(s) to profile template.
Make the following changes on the Edit Profile Template [Web Server SSL Certificates] page:
In General Options, select Allow Raw Request.
In Certificate Authorities, select FIMCM.
In Certificate Templates, select Web Server.
In the lower-right section of the page, click Add.
In the Certificate Templates section, select the User check box, and then click Delete selected certificate templates.
In the Microsoft Internet Explorer dialog box, click OK to delete the selected items.
Each profile template has a set of management policies that can be configured. For this scenario, you only have to configure the enroll policy.
In the left pane, in the Select a view section, click Enroll Policy.
On the Edit Profile Template [Web Server SSL Certificates] page, in the Workflow: General section, click Change general settings.
On the Edit Profile Template [Web Server SSL Certificates] page, ensure that the following options are set:
Enable policy: Select
Use self-serve: Select
Require enrollment agent: Disable
All comments to be collected: Disable
Allow request priority to be collected: Disable
Default request priority: 0
Number of approvals: 0
Number of active or suspended profiles/smart cards allowed: Unlimited
In the lower-right section of the page, click OK.
In the Workflow: Initiate Enroll Requests section, select the NT AUTHORITY/SYSTEM check box, and then click Delete principal(s) for enroll request initiation.
To confirm the deletion, in the Microsoft Internet Explorer dialog box, click OK.
On the Edit Profile Template [Web Server SSL Certificates] page, in the Data Collection section, select the Sample Data Item check box, and then click Delete data collection items.
To confirm the deletion, in the Internet Explorer dialog box, click OK.
In the Data Collection section, click Add new data collection item.
In the Data Item Name and Type section, make the following changes:
Name: Web Server Hostname
Description: Provide the NetBIOS name of the Web server
Type: String
Default Value: Disable
Required: Select
In the Data Item Originator section, select User.
In the Data Item Validation section, select Data type.
In the Data Item Storage section, ensure that the following settings are set:
Store data in: Database
Encrypted: Disabled
In the lower-right section of the page, click OK to save any changes.
On the Edit Profile Template [Web Server SSL Certificates] page, in the One Time Passwords section, click Change password provider settings.
On the Edit Profile Template [Web Server SSL Certificates] page, in the Password Provider section, ensure that Default password provider is selected; in Number of one time passwords (password provider data), type 0; and then click OK.
After the enrollment policy is set, you can test the profile template by installing a secure sockets layer (SSL) certificate on FIMCMServer. Perform the following tasks:
Add the FIMCM_Template_Admins group to the local Administrators group.
Configure DNS.
Initiate and process the Web Server certificate request.
Log on as the administrator.
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Select Users. In the details pane, right-click CLM_Template_Admins, and then click Properties.
Click the Member of tab, and then add Administrators.
Important
Before you complete the next procedure, you must ensure that Domain Name System (DNS) is installed on your server. If it is not already installed, install DNS, and then return to this procedure.
Click Start, point to Administrative Tools, and then click DNS.
In the console tree, double-click FIMCMServer, double-click Forward Lookup Zones, and then click Fabrikam.com.
In the console tree, right-click Fabrikam.com, and then click New Alias (CNAME).
In the New Resource Record dialog box, do the following:
In the Alias name (uses parent domain if left blank) text box, type clm.
In Fully qualified domain name (FQDN) for target host, type CLMServer.Fabrikam.com.
In the New Resource Record dialog box, click OK.
Close the DNS console.
Click Start, click Run, type cmd, and then click OK.
At the command prompt, type ipconfig /flushdns, and then press ENTER.
At the command prompt, type ping FIMCMServer.Fabrikam.com, and then press ENTER.
Ensure that the DNS name resolves successfully.
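The alias and the resolution check above can be scripted so that the same record is created on every build of the server. The following PowerShell script is an added example, not part of the original document: it creates the clm alias with the dnscmd tool (the DNS Server tools must be installed where it runs), flushes the local resolver cache, and verifies that both the alias and the server's own name resolve. The server, zone, alias and target names are those used in the document; the script structure is an assumption of this example.

```powershell
# Added example, not from the original document: create the clm CNAME record and
# verify name resolution, as the GUI steps above do.
$dnsServer = "FIMCMServer"
$zone      = "Fabrikam.com"
$alias     = "clm"
$target    = "CLMServer.Fabrikam.com"

# dnscmd exits non-zero if the record cannot be added (zone missing, caller not a
# DNS administrator, and so on); stop rather than continue with an unverified alias.
dnscmd $dnsServer /RecordAdd $zone $alias CNAME $target
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

ipconfig /flushdns | Out-Null

foreach ($name in @("$alias.$zone", "FIMCMServer.$zone")) {
    try {
        $entry = [System.Net.Dns]::GetHostEntry($name)
        # HostName is the host name the resolver returns; for an alias this is
        # normally the target's name, which is how you can tell the CNAME is in use.
        "{0,-28} -> {1} ({2})" -f $name, $entry.HostName, ($entry.AddressList -join ", ")
    }
    catch {
        Write-Warning "$name did not resolve: $($_.Exception.Message)"
    }
}
```

A warning for either name means the record was not created or the resolver is still returning a cached answer; re-run the script after the zone has replicated.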
Log on as FIMCM_Template.
In Administrative Tools, open Internet Information Services (IIS) Manager.
In the console tree, double-click CLMServer, double-click Web Sites, and then click Default Web Site.
Right-click Default Web Site, and then click Properties.
In the Default Web Site Properties dialog box, click the Directory Security tab.
On the Directory Security tab, in the Secure communications section, click Server Certificate.
On the Welcome to the Web Server Certificate Wizard page, click Next.
On the Server Certificate page, click Create a new certificate, and then click Next.
On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next.
On the Name and Security Settings page, in Name, type FIMCM Web Portal, set the Bit length to 1024, and then click Next.
On the Organization Information page, enter the following information, and then click Next.
Organization: <any name>
Organizational unit: <any name>
On the Your Site's Common Name page, in Common name, type FIMCMServer, and then click Next.
On the Geographical Information page, enter the following information, and then click Next.
Country/Region: US (United States)
State/province: Washington
City/locality: Redmond
On the Certificate Request File Name page, in File Name, type c:\fimcmreq.txt, and then click Next.
On the Request File Summary page, verify the settings, and then click Next.
On the Completing the Web Site Properties dialog box, click OK.
In the Default Web Site Properties dialog box, click OK.
Minimize the Internet Information Services (IIS) Manager console.
Open C:\fimcmreq.txt.
On the Edit menu, click Select All.
On the Edit menu, click Copy.
Close C:\fimcmreq.txt.
Open Internet Explorer.
In Internet Explorer, open https://FIMCMServer/fimcm.
Click the Microsoft Certificate Lifecycle Manager logo.
On the Home page, in the Select a view section, click Manage my info.
On the Home page, in the Common Tasks section, click Request a new set of certificates.
In the Select a Profile Template section, select Web Server SSL Certificates, and then click Next.
In the Data Collection section, in Web Server hostname, type FIMCMServer, and then click Next.
On the Installing Certificates page, in the Key Generation: Web Server section, in Name, type FIMCM, right-click the Raw certificate request text area, and then click Paste.
Ensure that the request file contents appear, and then click Next.
On the Installing Certificates page, in the Template Common Name (click to download) column, click WebServer.
In File Download, click Save.
In Save As, in File name, type c:\fimcmcert, and then click Save.
If the Download Complete dialog box appears, click Close.
On the Installing Certificates page, ensure that the Success column shows a check mark, and then click Next.
Close Internet Explorer.
Restore the Internet Information Services (IIS) Manager console.
Right-click Default Web Site, and then click Properties.
In the Default Web Site Properties dialog box, click the Directory Security tab.
On the Directory Security tab, in the Secure communications section, click Server Certificate.
On the Welcome to the Web Server Certificate Wizard page, click Next.
On the Pending Certificate Request page, click Process the pending request and install the certificate, and then click Next.
On the Process a Pending Request page, in Path and file name, type c:\fimcmcert.p7b, and then click Next.
On the SSL Port page, in SSL port this Web site should use, type 443, and then click Next.
On the Certificate Summary page, verify the information, and then click Next.
On the Completing the Web Server Certificate Wizard page, click Finish.
In the Default Web Site Properties dialog box, click OK.
In Internet Information Services (IIS) Manager, in the console tree, double-click Default Web Site, right-click FIMCM, and then click Properties.
In the FIMCM Properties dialog box, click the Directory Security tab.
On the Directory Security tab, in the Secure communications section, click Edit.
In the Secure Communications dialog box, select the Require secure channel SSL check box, select the Require 128-bit encryption check box, and then click OK.
In the FIMCM Properties dialog box, click OK.
Close IIS Manager.
Open Internet Explorer.
Open https://FIMCMServer/certificatemanagement.
If the Security Alert dialog box opens, select the In the future, do not show this warning check box, and then click OK.
Ensure that no SSL-related errors appear for the SSL certificate.
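Checking the result in a browser confirms only that the certificate chains and matches the name typed into the address bar. The following PowerShell script is an added example, not part of the original document: it retrieves the certificate the server presents on https://FIMCMServer/certificatemanagement, reports its subject, validity period, key size and chain status, and then requests the same path over plain HTTP to confirm that the Require secure channel setting refuses it (IIS answers 403, sub-status 403.4, SSL required). The host and path are the document's; the function name Test-FimCmSsl and everything else are assumptions of this example. Two points worth comparing against the output: the request in the wizard step above uses the common name FIMCMServer, so a client reaching the portal through the clm alias will see a name-mismatch warning, and the 1024-bit key length specified in that step is below the 2048-bit minimum that current guidance for RSA TLS certificates requires.

```powershell
# Added example, not from the original document: verify the SSL endpoint the
# procedure above produced.
function Test-FimCmSsl {
    param(
        [string]$HostName = "FIMCMServer",         # from the document
        [string]$Path     = "/certificatemanagement"
    )

    $result = New-Object PSObject -Property @{
        Host = $HostName; Certificate = $null; ChainStatus = @(); HttpsStatus = $null; HttpStatus = $null
    }

    # HTTPS: complete the handshake, then read the certificate from the ServicePoint.
    $req = [System.Net.HttpWebRequest]::Create("https://$HostName$Path")
    $req.Method = "HEAD"
    $req.UseDefaultCredentials = $true            # the portal uses Windows authentication
    try {
        $resp = $req.GetResponse()
        $result.HttpsStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # A Response object means the TLS handshake succeeded and IIS answered (e.g. 401);
        # no Response means the failure happened at the TLS layer.
        if ($_.Exception.Response) { $result.HttpsStatus = [int]$_.Exception.Response.StatusCode }
        else { Write-Warning "HTTPS failed before a response was received: $($_.Exception.Message)" }
    }

    if ($req.ServicePoint.Certificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    $req.ServicePoint.Certificate
        $result.Certificate = $cert
        # Build the chain with the local machine's trust store; an empty ChainStatus is a clean chain.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($cert)
        $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }

    # HTTP: with Require secure channel set on the virtual directory, IIS answers 403 (403.4).
    $plain = [System.Net.HttpWebRequest]::Create("http://$HostName$Path")
    $plain.Method = "HEAD"
    $plain.UseDefaultCredentials = $true
    try { $r = $plain.GetResponse(); $result.HttpStatus = [int]$r.StatusCode; $r.Close() }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { $result.HttpStatus = [int]$_.Exception.Response.StatusCode }
    }
    return $result
}

$r = Test-FimCmSsl
if ($r.Certificate) {
    $c = $r.Certificate
    "Subject     : $($c.Subject)"
    "Issuer      : $($c.Issuer)"
    "Valid       : $($c.NotBefore) - $($c.NotAfter)"
    "Key size    : $($c.PublicKey.Key.KeySize) bits"
    "Chain status: $(if ($r.ChainStatus.Count) { $r.ChainStatus -join ', ' } else { 'OK' })"
}
"HTTPS status: $($r.HttpsStatus)   HTTP status: $($r.HttpStatus) (403 expected once SSL is required)"
```

Run it from a domain-joined machine that trusts the FIMCM CA. A 2xx HTTP status means the Require secure channel setting was not applied to the FIMCM virtual directory; a chain status other than OK means the issuing CA's certificate is not in the client's trust store, which a browser would also report as an SSL error.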