Installing and Configuring CLM 2007 in a Test Environment

You can install Microsoft® Identity Lifecycle Manager "2" Certificate Management Service (ILM CMS) in a test environment to evaluate product features. Because ILM CMS is a complex identity management solution, we recommend that you evaluate and deploy ILM CMS in a test environment before you deploy it in a production environment.

Note

A server that runs ILM CMS is known as a CLM server. A computer that runs Microsoft® Certificate Lifecycle Manager 2007 Client is known as a CLM client.

You must complete the following steps to install and configure ILM CMS in a test environment:

  • Step 1: Install Prerequisite Software

  • Step 2: Perform Prerequisite Tasks

  • Step 3: Install CLM 2007

  • Step 4: Install Certificate Lifecycle Manager 2007 Client

  • Step 5: Configure CLM 2007

This document does not provide thorough design guidelines and deployment requirements. For more information about installing and configuring ILM CMS for a production environment, see Installing and Configuring ILM CMS on a Server (https://go.microsoft.com/fwlink/?LinkId=88419).

Step 1: Install Prerequisite Software

Before you install ILM CMS and Certificate Lifecycle Manager 2007 Client, you must install the following prerequisite software, which provides the base infrastructure for the ILM CMS environment:

  • Microsoft® Windows Server® 2003, Enterprise Edition or Microsoft® Windows Server® 2003, Datacenter Edition

  • Microsoft® Windows Server® 2003, Enterprise Edition certification authority

  • Internet Information Services (IIS) 6.0

  • The Microsoft .NET Framework 2.0

  • Microsoft SQL Server™ 2005

    ILM CMS supports both integrated and mixed-mode authentication methods.

  • Optional: A Simple Mail Transfer Protocol (SMTP) server with anonymous relaying allowed

Step 2: Perform Prerequisite Tasks

Before you install ILM CMS and Certificate Lifecycle Manager 2007 Client, you must perform the following prerequisite tasks:

  • Modify the Active Directory schema

  • Enable the default certificate template for the Key Recovery Agent

  • Enable the default certificate template for the Enrollment Agent

Modify the Active Directory schema

To modify the schema for Active Directory® directory service, you must be a member of the Schema Admins group for the Active Directory forest.

Before you install ILM CMS and Certificate Lifecycle Manager 2007 Client, you must apply the schema modifications that are defined in Clm.ldif, which is a Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file. You can use either of the following methods to apply the modifications:

  • Run the LDAP Data Interchange Format Data Exchange tool, ldifde.exe.

    ldifde.exe is part of Microsoft Windows® Support Tools for Windows XP and Windows Server 2003.

    Note

    The Windows Support Tools are not automatically installed when you install Windows. To install the Windows Support Tools, run the Suptools.msi program that is in the Support\Tools folder on the Windows CD.

  • Run the ModifySchema.vbs sample script.

    ModifySchema.vbs modifies the schema on the default forest using the current credentials for the user. If your settings differ from the default settings, you must edit the script before you run it.

Clm.ldif and ModifySchema.vbs are in the CLM\Schema folder on the ILM CMS installation CD.
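The ldifde.exe method above, written out as a batch file for the test forest. This is an added example and not a script from the ILM CMS installation CD or from Microsoft; the forest DN, schema master name and CD drive letter are placeholders, and it assumes Clm.ldif uses the DC=X placeholder that Microsoft schema LDIF files commonly use (open the file and omit the -c option if it already carries your forest DN):

```batch
@echo off
rem Added example (not from the ILM CMS documentation): import the Clm.ldif
rem schema extension with ldifde.exe from the Windows Support Tools.
rem Assumptions: FOREST_DN, SCHEMA_MASTER and LDIF are placeholders for the
rem test forest; Clm.ldif uses "DC=X" as the forest root placeholder.
setlocal
set FOREST_DN=DC=contoso,DC=com
set SCHEMA_MASTER=dc1.contoso.com
set LDIF=D:\CLM\Schema\Clm.ldif

rem Schema changes require Schema Admins membership; warn if the current
rem token does not show the group (nested membership may not be listed).
whoami /groups | findstr /i /c:"Schema Admins" >nul
if errorlevel 1 echo WARNING: current user does not appear to be in Schema Admins.

rem Schema writes must go to the schema master FSMO role holder; print it so
rem the operator can confirm SCHEMA_MASTER points at that server.
echo Schema master according to the directory:
dsquery server -hasfsmo schema

rem Preview which directory entries the file will create or modify.
echo Entries defined in %LDIF%:
findstr /b /i "dn:" "%LDIF%"

rem -i import, -f file, -s target server, -k skip "already exists" errors so
rem the import can be re-run safely, -c rewrite the placeholder forest DN,
rem -j write ldif.log and ldif.err into the current folder.
ldifde -i -f "%LDIF%" -s %SCHEMA_MASTER% -k -c "DC=X" "%FOREST_DN%" -j .
if errorlevel 1 (
  echo Schema import reported errors; review ldif.err in %CD%.
  exit /b 1
)
echo Schema import completed; review ldif.log for the entries that were added.
endlocal
```

Run it from a folder where you want the ldif.log and ldif.err files written; the log is the record of exactly which schema objects were added, which is worth keeping with the test environment's change notes.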

Enable the default certificate template for the Key Recovery Agent

A Key Recovery Agent is an Information Technology (IT) administrator who can decrypt archived private keys for users. KeyRecoveryAgent is the default certificate template for the Key Recovery Agent in ILM CMS. The certificate template is only available if it is enabled on an active enterprise CA in the CA hierarchy.

Note

The following procedure must be performed by a user who is assigned the Manage CA permission to the enterprise CA.

To enable the default certificate template for the Key Recovery Agent

  1. Click Start, point to Administrative Tools, and then click Certification Authority.

  2. In Certification Authority, expand the set of folders for the default CA.

  3. In the console tree, select Certificate Templates.

  4. Right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

  5. In New Certificate Template to Issue, select Key Recovery Agent, and then click OK.

Enable the default certificate template for the Enrollment Agent

An Enrollment Agent is an IT administrator who requests certificates on behalf of a user. EnrollmentAgent is the default certificate template for the Enrollment Agent in ILM CMS. The certificate template is only available if it is enabled on an active enterprise CA in the CA hierarchy.

Note

The following procedure must be performed by a user who is assigned the Manage CA permission to the enterprise CA.

To enable the default certificate template for the Enrollment Agent

  1. Click Start, point to Administrative Tools, and then click Certification Authority.

  2. In Certification Authority, expand the set of folders for the default CA.

  3. In the console tree, select Certificate Templates.

  4. Right-click Certificate Templates, and then select New Certificate Template to Issue.

  5. In New Certificate Template to Issue, select Enrollment Agent, and then click OK.
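Both of the preceding procedures (enabling the Key Recovery Agent template and the Enrollment Agent template) can be done from a command prompt with certutil.exe instead of the Certification Authority console, which is convenient for rebuilding a test CA. This is an added example, not part of the ILM CMS documentation; the CA configuration string is a placeholder in host\CA-name form, and the account running it needs the Manage CA permission described in the notes above:

```batch
@echo off
rem Added example (not from the ILM CMS documentation): enable the Key Recovery
rem Agent and Enrollment Agent templates for issuance on the enterprise CA.
rem Assumption: CA_CONFIG is a placeholder for your CA in "host\CA name" form.
setlocal
set CA_CONFIG=ca1.contoso.com\Contoso Issuing CA

echo Templates currently enabled for issuance on %CA_CONFIG%:
certutil -config "%CA_CONFIG%" -CATemplates

rem A leading + adds the template to the CA's issuance list; the names are the
rem template (internal) names, not the display names shown in the console.
certutil -config "%CA_CONFIG%" -SetCATemplates +KeyRecoveryAgent
if errorlevel 1 goto :fail
certutil -config "%CA_CONFIG%" -SetCATemplates +EnrollmentAgent
if errorlevel 1 goto :fail

echo Verifying that both templates are now listed:
certutil -config "%CA_CONFIG%" -CATemplates | findstr /i "KeyRecoveryAgent EnrollmentAgent"
if errorlevel 1 (
  echo Templates were not found in the issuance list after the change.
  exit /b 1
)
endlocal
exit /b 0

:fail
echo Failed to enable a template; confirm the account holds Manage CA on %CA_CONFIG%.
exit /b 1
```

Enabling a template for issuance only makes it available; who can actually obtain a Key Recovery Agent or Enrollment Agent certificate is governed by the Enroll permission on the template itself, so review that permission on both templates before moving the configuration toward production, since each of them grants a capability (recovering archived keys, enrolling on behalf of other users) that should stay with the CLM agent accounts and designated administrators.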

Step 3: Install CLM 2007

The CLM server component provides the core administrative functionality for certificate lifecycle management in ILM CMS.

Note

To complete the following procedure successfully, you must install SQL Server 2005 and the ILM CMS on the same computer, and that computer must be a CA. For information on installing SQL Server 2005, see Installing and Configuring ILM CMS on a Server (https://go.microsoft.com/fwlink/?LinkId=88419).

To install CLM 2007

  1. From the ILM CMS installation CD, run CLM.msi.

    CLM.msi is located at [CDDrive]\CLM\.

  2. On the Welcome to the Installation Wizard page, click Next.

  3. On the Certificate Lifecycle Manager License Agreement page, read the license agreement, select I accept the terms in the license agreement, and then click Next.

  4. On the Product Key page, enter a valid product key, and then click Next.

    If you do not enter a valid product key, the installation software installs ILM CMS as an evaluation copy, which you can use for 180 days.

  5. On the Custom Setup page, ensure that all of the available components are selected.

  6. To change where the files are installed, click Change, change the installation location, and then click OK.

    The default installation path is %ProgramFiles%\Microsoft Certificate Lifecycle Manager.

  7. On the Custom Setup page, click Next.

  8. On the Virtual Web Folder page, type a name for the virtual Web folder.

    The default virtual Web folder name is Clm. ILM CMS uses this name as part of the URL. For example, https://localhost/clm is the Web address for ILM CMS.

  9. On the Ready to Install Certificate Lifecycle Manager page, click Install to begin installation.

  10. On the Certificate Lifecycle Manager Installation Complete page, clear the Launch the CLM Configuration Wizard check box, and then click Finish.

Step 4: Install Certificate Lifecycle Manager 2007 Client

Certificate Lifecycle Manager 2007 Client enables users to manage their smart card and software certificates.

Hardware and software requirements

Table 1 shows the hardware and software requirements for the Certificate Lifecycle Manager 2007 Client.

Table 1   CLM 2007 hardware and software requirements

  Component: Microsoft Windows XP Service Pack 2
  Requirement: Certificate Lifecycle Manager 2007 Client components are designed for Windows XP.

  Component: Microsoft Internet Explorer® 6.x
  Requirement: Because ILM CMS requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Internet Explorer 6.x is required. In addition, ILM CMS has advanced scripting features that are optimized for Internet Explorer.

  Component: Middleware
  Requirement: Microsoft Base Cryptographic Service Provider (CSP) with a vendor-specific minidriver, or a legacy CSP with vendor middleware that is compatible with a PKCS #11 file. You must get the middleware from a vendor other than Microsoft.

  Component: Smart card reader and one or more smart cards that are compatible with ILM CMS
  Requirement: Required only if you implement smart card certificates. For information about smart card compatibility with ILM CMS, contact your smart card vendor.

Note

Any user account that uses the Certificate Lifecycle Manager 2007 Client must be a member of the Administrators group on the local computer.

Install Certificate Lifecycle Manager 2007 Client

You must perform the following steps to ensure that the Certificate Lifecycle Manager 2007 Client is properly configured:

  1. Install the client on each computer where you want to use the Certificate Lifecycle Manager 2007 Client.

  2. Add the CLM Web site to the Trusted Sites on each computer that runs Certificate Lifecycle Manager 2007 Client.

  3. Enable automatic prompting for downloads.

Important

Do not perform any smart card management activities until after you have installed Certificate Lifecycle Manager 2007 Client.

Note

Because Certificate Lifecycle Manager 2007 Client requires supported smart card middleware, or a smart card minidriver and card module, you must install middleware before you perform smart card operations. For more information about requirements for Certificate Lifecycle Manager 2007 Client, see Hardware and software requirements.

To install the Certificate Lifecycle Manager 2007 Client

  1. From the ILM CMS installation CD, run CLMClient.msi.

    CLMClient.msi is located at [CDDrive]\CLMClient\.

  2. On the Welcome to the Installation Wizard page, click Next.

  3. On the Certificate Lifecycle Manager License Agreement page, read the license agreement, select I accept the terms in the license agreement, and then click Next.

  4. On the Setup Type page, under Setup Type, select one of the following options, and then click Next:

    • Complete

      Installs the Certificate Lifecycle Manager 2007 Client files and features that are required, including the Smart Card Self Service Control, the Smart Card Personalization Control, and the Certificate Profile Update Control.

    • Custom

      Installs the Certificate Lifecycle Manager 2007 Client files and features that you select.

  5. On the Ready to Install Certificate Lifecycle Manager Client page, click Install.

  6. On the Certificate Lifecycle Manager Client Installation Complete page, click Finish.

On each computer that you want to use to access the CLM Web site, you must add the CLM Web site to the Trusted Sites Web content security zone in Internet Explorer. Because the CLM Web site enforces the use of trusted sites, it does not function correctly if you do not add the CLM Web site to Trusted Sites.

To add the CLM Web site to Trusted Sites in Internet Explorer

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. In Internet Options, click the Security tab, click Trusted Sites, and then click Sites.

  3. In Trusted Sites, type the address of the CLM Web site, and then click Add.

  4. Click Close, and then click OK.

The default configuration for Trusted Sites prompts the user prior to loading controls that are not marked safe for scripting. Because the Certificate Lifecycle Manager 2007 Client is not marked safe for scripting, you must enable Initialize and script ActiveX controls not marked as safe for scripting, if you do not want Internet Explorer to prompt users when a control loads.

To export comma-delimited report data, in Internet Explorer, you must enable the Automatic prompting for file downloads setting. If you enable this setting, Internet Explorer prompts you when you export the report.

To enable comma-delimited report data to be exported

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. In Internet Options, click the Security tab.

  3. Under Security level for this zone, click Custom Level.

  4. In Security Settings - Internet Zone, under Downloads, click Enable for Automatic prompting for file downloads.
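The three Internet Explorer changes in this section (adding the CLM Web site to Trusted Sites, allowing ActiveX controls not marked safe for scripting in that zone, and enabling automatic prompting for file downloads in the Internet zone) can also be applied per user through the registry, which is handy when preparing several test clients. This is an added example and not part of the ILM CMS documentation; the CLM host and domain names are placeholders, and the registry locations are the standard Internet Explorer zone-map and zone-settings keys for the current user:

```batch
@echo off
rem Added example (not from the ILM CMS documentation): apply the Internet
rem Explorer settings from this section for the current user via the registry.
rem Assumptions: CLM_DOMAIN and CLM_HOST are placeholders; together they form
rem the CLM Web site host name (clm.contoso.com). The key layout below is the
rem same one Internet Explorer writes when a site is added through the UI.
setlocal
set CLM_DOMAIN=contoso.com
set CLM_HOST=clm
set IS=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

rem 1. Add https://clm.contoso.com to Trusted Sites (zone 2). Listing only the
rem    https scheme keeps a plain http:// URL on the same host out of the
rem    trusted zone, which matches the page's SSL/TLS requirement.
reg add "%IS%\ZoneMap\Domains\%CLM_DOMAIN%\%CLM_HOST%" /v https /t REG_DWORD /d 2 /f

rem 2. Trusted Sites zone (2): "Initialize and script ActiveX controls not
rem    marked as safe for scripting" is value 1201 (0=Enable, 1=Prompt,
rem    3=Disable). Set it in zone 2 only, so the relaxation is limited to the
rem    trusted hosts and the Internet zone keeps its default.
reg add "%IS%\Zones\2" /v 1201 /t REG_DWORD /d 0 /f

rem 3. Internet zone (3): "Automatic prompting for file downloads" is value
rem    2200; enabling it lets the comma-delimited report export prompt the user
rem    instead of being blocked silently, as the procedure above describes.
reg add "%IS%\Zones\3" /v 2200 /t REG_DWORD /d 0 /f

rem Show the resulting values so the change can be confirmed per client.
reg query "%IS%\ZoneMap\Domains\%CLM_DOMAIN%\%CLM_HOST%"
reg query "%IS%\Zones\2" /v 1201
reg query "%IS%\Zones\3" /v 2200
endlocal
```

These are HKCU values, so they apply only to the user who runs the script and are overridden by any Internet Explorer zone settings delivered through Group Policy; in a domain-joined test lab, check the effective policy before assuming the values took effect.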

Step 5: Configure CLM 2007

You must run the CLM Configuration Wizard to configure ILM CMS. The Configuration Wizard guides you through the necessary configuration tasks, creates the CLM database, and can automatically create the required user accounts.

Note

A member of the Enterprise Administrators group must perform the following procedure.

To configure CLM 2007

  1. Click Start, point to Programs, point to Microsoft Certificate Lifecycle Manager, and then click Configuration Wizard.

  2. On the Welcome to the Configuration Wizard page, click Next.

  3. On the CA Configuration page, verify the name of the CA and the server's Domain Name System (DNS) name, and then click Next.

  4. If you want to specify a remote CA, do the following steps:

    1. Click Browse, and then select any enterprise CA in the forest shown in the Select Certification Authority dialog box.

    2. Verify the CA and DNS names, and then click OK.

  5. On the Set up the SQL Server Database page, configure the SQL Server that ILM CMS uses.

    In Name of SQL Server, type the IP address of the SQL database. If the SQL database is on the same computer, use the default value, which is (local).

  6. On the Set up the SQL Server Database page, configure the administrative account for SQL Server.

  7. On the Set up the SQL Server Database page, configure the password for the SQL Server administrative account.

    To use the credentials for the current user or to specify a user account and password to use to connect to the SQL database, do one of the following steps:

    • To use the account information for the current user, select the Use my credentials to create the database check box.

    • To specify a different user account, clear the Use my credentials to create the database check box, and then type the user account and password used for connections to the SQL database.

  8. If you installed the SQL Server database on a different server, or if you want to use the credentials for a different user, provide the user account information and password.

  9. On the Set up the SQL Server Database page, click Next.

  10. On the Database Settings page, under Database name, specify the database name for the CLM database.

  11. Under Specify a location for the database file, you can enter a location or use the null value. If you leave the null value, ILM CMS uses the default location for the SQL Server database file.

    Note

    We recommend that you browse for a database directory only if you installed SQL Server on the same computer as you installed ILM CMS.

  12. Under Specify the database user account that Certificate Lifecycle Manager uses to connect to the database, choose one of the following authentication options:

    • SQL integrated authentication is selected by default, which specifies that you want to use Windows Integrated Authentication for SQL Server. This authentication mechanism gives the Web Pool Agent user account the necessary permissions to the CLM database.

    • Click SQL mixed mode authentication if you want to provide a different user account and password for ILM CMS to connect to the SQL Server database. You can use the default name for the user account, which is CLMUser, or you can specify a name for a custom user account. If you use the SQL mixed mode authentication setting, the Configuration Wizard also creates a user account named CLMExternal, which is used for creating requests with the CLM SQL API.

  13. On the Database Settings page, click Next.

  14. On the Set up Active Directory page, type the name of the entry that Active Directory uses to store ILM CMS configuration information.

    Use the default values on the Directory Settings page, and then click Next.

  15. On the Agents - Microsoft CLM page, you can use the default user accounts that ILM CMS uses to carry out its functions, or you can clear the Use the CLM default settings check box, and then click Custom Accounts to create your own.

    Table 2 shows the default user accounts.

  16. On the Agents - Microsoft CLM page, click Next.

  17. On the Set up server certificates page, select the default certificate templates for the Key Recovery Agent, the CLM Agent, and the Enrollment Agent.

    Table 3 shows these certificate templates. To manually create and configure the certificate templates, select the Create and configure certificates manually check box.

  18. On the Set up server certificates page, click Next.

  19. On the Set up E-mail Server, Document Printing page, type the IP address or DNS name of the Simple Mail Transfer Protocol (SMTP) host that ILM CMS uses to send e-mail notifications, and then type the name of the folder where ILM CMS stores files to send to a printer:

    • The default SMTP IP address is 127.0.0.1, which indicates that ILM CMS uses the local SMTP service.

      Note

      To distribute one-time passwords, ILM CMS requires anonymous SMTP relaying. If you configure SMTP relaying on an SMTP server, you can lock SMTP relaying to a specific IP address. You can also configure SMTP relaying to perform authenticated relaying to an SMTP server where SMTP relaying can resolve a mail exchanger (MX) record. For more information about enabling local SMTP relaying, see Configuring SMTP Virtual Server Relay Restrictions (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=81978).

    • The default folder for print documents is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\Print Documents.

  20. On the Set up E-mail Server, Document Printing page, click Next.

  21. On the Ready to Configure page, review the selected settings, and then click Configure.

    Configuration might take a few minutes.

  22. When configuration completes, click Finish to exit the Configuration Wizard.

  23. To access the CLM Web site, in Internet Explorer, go to https://DNSName/CLM.

    DNSName is the DNS name assigned to the server that hosts the CLM Web site.

Note

On each computer that you want to use to access the CLM Web site, you must add the CLM Web site to the Trusted Sites Web content security zone in Internet Explorer. Because the CLM Web site enforces the use of trusted sites, it does not function correctly if you do not add the CLM Web site to Trusted Sites.

By default, the CLM agent user accounts are stored in the Active Directory CN=Users,DomainName container. DomainName is the Lightweight Directory Access Protocol (LDAP) distinguished name of the default domain. Table 2 shows the required CLM agent user accounts. Creating these accounts is detailed in step 15 of the procedure above.

Table 2   CLM agent user accounts

  User account: CLM Agent
  Description: Conducts operations for the CLM Web site that require specific permissions. ILM CMS uses the CLM Agent's certificate to sign data. The default account name for this agent is CLMAgent.

  User account: Key Recovery Agent
  Description: Recovers archived private keys from the CA database. The default account name for this agent is CLMKRAgent.

  User account: Authorization Agent
  Description: Reads security information of user and group entries in Active Directory. The default account name for this agent is CLMAuthAgent.

  User account: CA Manager Agent
  Description: Performs actions against the certification authority. The default account name for this agent is CLMCAMngr.

  User account: Web Pool Agent
  Description: Runs the CLM Web site in IIS. The default account name for this agent is CLMWebPool. If you use Integrated Windows Authentication, ILM CMS grants the Web Pool Agent account permissions to the CLM database, and this account performs all read/write operations that ILM CMS would otherwise perform in the SQL database.

  User account: Enrollment Agent
  Description: Requests certificates on behalf of a user account. The default account name for this agent is CLMEnrollAgent.
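After the Configuration Wizard finishes, it is worth confirming that the six agent accounts in Table 2 were actually created in the CN=Users container and seeing their account state, since a disabled agent account shows up later as an opaque CLM Web site failure. This is an added check, not part of the ILM CMS documentation; it uses the dsquery and dsget tools that ship with Windows Server 2003 and assumes the wizard was left at the default account names:

```batch
@echo off
rem Added example (not from the ILM CMS documentation): verify the default CLM
rem agent accounts from Table 2 exist in Active Directory and show whether each
rem is disabled or has a non-expiring password. Assumption: the Configuration
rem Wizard used the default account names; adjust the list for custom accounts.
setlocal
set MISSING=0
for %%A in (CLMAgent CLMKRAgent CLMAuthAgent CLMCAMngr CLMWebPool CLMEnrollAgent) do (
  rem dsquery prints the quoted DN when the sAMAccountName exists, nothing otherwise.
  dsquery user -samid %%A | findstr /i "CN=" >nul
  if errorlevel 1 (
    echo MISSING  %%A
    set MISSING=1
  ) else (
    echo FOUND    %%A
    rem Columns: samid, disabled (yes/no), pwdneverexpires (yes/no).
    dsquery user -samid %%A | dsget user -samid -disabled -pwdneverexpires
  )
)
if "%MISSING%"=="1" (
  echo One or more agent accounts are absent; re-run the Configuration Wizard
  echo or create the accounts through Custom Accounts on the Agents page.
  exit /b 1
)
endlocal
exit /b 0
```

Any account reported as disabled needs attention before you open the CLM Web site; the pwdneverexpires column tells you which of these service accounts will later fall under your domain's password expiry policy, which matters when the test configuration is carried forward as a template for production.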

Table 3 shows the certificates that you must configure on the Set up server certificates page, which is described in step 17 in the procedure above.

Table 3   CLM agent user account certificates

  Certificate: Key Recovery Agent certificate (recovery agent)
  Certificate template: Requests the Key Recovery Agent certificate that is used by the CLMKRAgent user account. By default, ILM CMS uses the KeyRecoveryAgent certificate template.

  Certificate: CLM Agent signing certificate
  Certificate template: Signs certificate requests. By default, ILM CMS uses the User certificate template.

  Certificate: Enrollment agent certificate
  Certificate template: Signs certificate requests by the CLMEnrollAgent user account. By default, ILM CMS uses the EnrollmentAgent certificate template.