Configuring the Certificate Lifecycle Manager 2007 Service

The Microsoft® Certificate Lifecycle Manager 2007 Service, known as the CLM Service, is an administrative service that performs workflow tasks for ILM CMS. The CLM Service performs the following functions:

  • Notifies users of certificate renewals

  • Processes External API requests

  • Performs online updates of profile templates and smart cards

  • Issues and retires temporary smart cards

noteNote
Not all ILM CMS deployments require each CLM Service function. For example, a ILM CMS software certificates deployment does not require the temporary smart card function. You can choose the appropriate functions for your ILM CMS deployment.

When you install ILM CMS on the CLM server, the installation process installs the CLM Service. Then, you must manually configure the CLM Service to enable its functions and management policies.

The following topics describe how to configure the CLM Service:

Configuring the CLM Service

To configure the CLM Service, you perform the following steps:

  1. Step 1: Create a new domain user account

  2. Step 2: Grant required user rights to the domain user account

  3. Step 3: Add the domain user account to the required groups

  4. Step 4: Configure the CLM Service to use the domain user account

  5. Step 5: Configure the CLM Service to start automatically

  6. Step 6: Configure SQL Server for Windows Integrated Authentication

  7. Step 7: Restart the CLM Service

  8. Step 8: Configure CLM extended permissions

Step 1: Create a new domain user account

Before you configure the CLM Service to use a domain user account in Step 4 of the following procedure, you must create a new domain user account.

To create a new domain user account

  1. Log on to a domain controller as a domain administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, right-click Users, and click New User.

  4. On the New User page, type a user name and password, clear the User must change password at next logon check box, and then click OK.

noteNote
Be sure to create the user account as a user account on the domain and not as a user account on the local computer.

Step 2: Grant required user rights to the domain user account

You use Security Policy Editor (Secpol.msc) to grant the following required user rights to the domain user account:

  • Act as part of the operating system

  • Generate security audits

  • Replace a process level token

To grant the required user rights to the user

  1. Log on to a domain controller as a domain administrator.

  2. Click Start, click Run, type secpol.msc, and then click OK.

  3. In Local Security Settings, expand Local Policies, and click User Rights Assignment.

  4. In the details pane, right-click the user that you want, and then click Properties.

  5. In [setting] Properties, click Add User or Group.

  6. In Select Users or Groups, type the name for the user account, and then click OK.

  7. In [setting] Properties, click OK.

  8. Repeat steps 3 through 6 for each user right that you want to grant.

Step 3: Add the domain user account to the required groups

You use the Active Directory® Users and Computer snap-in to add the domain user account to the following groups on the CLM server:

  • Local Administrators

  • IIS_WPG

To add the domain user account to the required groups

  1. Log on as an administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, click Groups, right-click GroupName, and then click Add to Group.

  4. GroupName is the name of the group.

  5. In GroupName Properties, click Add.

  6. In Select Users, Computers, or Groups, type the name for the user account, and then click OK.

  7. In GroupName Properties, click OK.

  8. Repeat steps 2 through 5 for each group that you want to add.

Step 4: Configure the CLM Service to use the domain user account

You must configure the CLM Service to use the domain user account that you created in Step 1.

To configure the CLM Service to use the domain user account

  1. Log on as an administrator.

  2. Click Start, click Run, type Services.msc, and then click OK.

  3. In Services (local), right-click Certificate Lifecycle Manager Service, and then click Properties.

  4. On the Certificate Lifecycle Manager Service Properties page, on the Log on tab, click This account.

  5. In This account, type the name for the user account.

  6. In Password, type the password for the user account.

  7. In Confirm password, type the password again, and then click OK.

Step 5: Configure the CLM Service to start automatically

To ensure that the CLM Service processes requests correctly, you must configure it to start automatically.

To configure the CLM Service to start automatically

  1. Log on as an administrator.

  2. Click Start, point to All Programs, point to Administrative Tools, and then click Services.

  3. In Services (local), right-click Certificate Lifecycle Manager Service, and then click Properties.

  4. On the Certificate Lifecycle Manager Service Properties page, click the General tab.

  5. In Startup type, select Automatic, and then click OK.

Step 6: Configure SQL Server for Windows Integrated Authentication

If your Microsoft SQL Server® database uses Microsoft Windows® Integrated Authentication, you must perform the steps in the following procedure. However, if your database uses mixed-mode authentication, do not perform this procedure.

To configure SQL Server for integrated authentication with CLM 2007

  1. Log on to the computer running SQL Server as a user who is a database administrator.

  2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click Enterprise Manager.

  3. In the console tree, expand Microsoft SQL Servers, expand SQL Server Group, expand, (local) Windows NT, and then expand Security.

  4. In the console tree, right-click Logins, and then click New Login.

  5. To find the new domain user account that you created in Step 1, on the General tab, next to Name, click the ellipsis button ().

  6. Click the name of the new domain user account, and then click OK.

  7. In the SQL Server Login Properties dialog box, select Windows Authentication, select the domain, and then select Grant access.

  8. The CLM Service uses the default domain.

  9. On the Database Access tab, click Permit for the CLM database.

  10. In Database roles for CLM, for public and clmApp, select Permit.

  11. Selecting Permit ensures that the service has the appropriate permissions to write to the CLM database.

Step 7: Restart the CLM Service

To apply the configuration changes that you have made, you must restart the CLM Service.

To restart the CLM Service

  1. Log on to the CLM server as an administrator.

  2. Click Start, point to All Programs, point to Administrative Tools, and then click Services.

  3. In Services (local), right-click Certificate Lifecycle Manager Service, and then click Restart.

Step 8: Configure CLM extended permissions

Finally, configure the CLM extended permissions that are required for the management policies workflow that will use the CLM Service. For a list of all of the CLM extended permissions, see Installing and Configuring ILM CMS on a Server (http://go.microsoft.com/fwlink/?LinkId=88419).

The following topics describe specific CLM extended permissions that are required for ILM CMS functions and management policies:

Configure the CLM Service for Renewal Requests

You can configure the CLM Service to automatically issue a renewal request for certificates that are within the renewal time specified in a certificate template. When you configure ILM CMS to distribute one-time passwords, users automatically receive e-mail messages to remind them to renew certificates. In addition, users receive one-time passwords to use to complete additional authentication.

ImportantImportant
Before you configure renewal requests, you must perform the configuration steps in Configuring the CLM Service.

To configure the CLM Service for renewal requests

  1. Perform the initial configuration of the CLM Service.

  2. For information about performing the initial configuration, see Configuring the CLM Service.

  3. Assign the CLM Request Renew extended permission to the user account that you created in Configuring the CLM Service.

  4. To verify the Renewal Requests configuration, perform the following actions:

    1. Verify that the external user account is given Enroll Initiate permissions within the desired ILM CMS profile templates.

    2. Change the cert_renew date of an active certificate in the Certificates table to some time in the past.

      To determine the desired certificate, examine the value that is contained in the cert_request_request_id column. This value corresponds to the certificate ID in the CA.

    3. Restart the CLM Service to trigger immediate request processing.

      The CLM Service will then place the renewal request based on the policy configuration of the profile template.

Configure the CLM Service to Use the External API

You can configure the CLM Service to use the External API. The External API enables custom applications to request certificates and to insert certificate data into the CLM database. The CLM Service uses the External API to gather the incoming requests for the External database table.

ILM CMS processes external requests periodically—instead of immediately—based on the time specified in the configuration file for the CLM Service.

ImportantImportant
If you configure the renewal requests function of the CLM Service, you can use the same account for both the renewal requests and the External API.

To configure the CLM Service to use the External API

  1. Perform the initial configuration of the CLM Service, which is described in Configuring the CLM Service.

  2. Assign CLM extended permissions to the user account that you created in Configuring the CLM Service.

    Table 1 shows the required CLM extended permissions.

  3. Edit the CLM.Service.Interval value in the configuration file for the CLM Service.

    The location for the configuration file is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\Bin\Microsoft.CLM.Service.exe.config.

    The default request process value is five hours, which is 18000000 milliseconds. The minimum interval for the service to run is one hour, which is 3,600,000 milliseconds.

    noteNote
    If you try to set the request process value to less than one hour, ILM CMS enforces the one-hour minimum interval.

Table 1   Required permissions for External API processing

Permission Description

Read

You must grant the user Read permission to the affected profile templates in Active Directory.

CLM Enroll

You must grant the user CLM Enroll permission to the affected profile templates in Active Directory. You must set this extended permission on profile templates in Active Directory Sites and Services.

Enroll Initiate

You must grant the user Enroll Initiate permission. This permission is set in profile templates and managed on the CLM Web site.

Configure the CLM Service for Online Updates

You can configure the CLM Service to update each profile template or smart card that you create from a profile template that is no longer current. For example, if the profile template that you used to create the profile template or smart card has fewer certificate templates than the current profile template has, the CLM Service creates an online update request.

Table 2 shows the conditions in which the CLM Service creates an online update request.

Table 2   Conditions in which the CLM Service creates an online update request

Condition Result

If the profile templates have different certificate templates

The CLM Service creates an online update request. The reason given is certificate template list change.

If the profile templates have the same certificate templates

The CLM Service does not create an online update request.

If an online update request already exists for a profile or smart card

The CLM Service does not create a new online update request.

To issue an online update request, instead of a renewal request, when the certificate is within the expiry period, you must modify the CLM Service configuration file, Microsoft.CLM.Service.exe.config.

To configure the CLM Service to process the External API

  1. Perform the initial configuration of the CLM Service.

    For information about performing the initial configuration, see Configuring the CLM Service.

  2. Add the following key to the configuration file for the CLM Service: <add key=”CLM.Service.RenewalService.OnlineUpdateProfileTemplates” value=”template”/>

    The default location for the configuration file is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\Bin\Microsoft.Clm.Service.exe.config.

    noteNote
    The template value represents the name of a valid profile template. Be sure that you replace this placeholder value with the value for an existing profile template. When you specify multiple templates, separate their names with semicolons.

  3. Use a text editor to edit the CLM.Service.Interval value in the configuration file for the CLM Service.

    The location for the configuration file is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\Bin\Microsoft.CLM.Service.exe.config.

    The default request process value is five hours (key="CLM.Service.Interval" value="18000000"). The minimum interval for the service to run is one hour, which is 3,600,000 milliseconds.

    noteNote
    If you try to set the request process value to less than one hour, ILM CMS enforces the one-hour minimum interval.

  4. Remove the comments from the following section in Web.config.

    noteNote
    The default location for Web.config is %ProgramFiles%\Microsoft Certificate Lifecycle Manager\web\Web.config.

    <!--

    <ClmNotifications>

    <add event="ApproveRequest" class="Microsoft.Clm.NotificationSinks.OnApproveRequest,Microsoft.Clm.NotificationSinks" initializationData="multi-value attribute"/>

    <add event="OnlineUpdateProfileComplete" class="Microsoft.Clm.NotificationSinks.OnOnlineUpdateProfileComplete,Microsoft.Clm.NotificationSinks" initializationData="multi-value attribute"/>

    <add event="MarkRequestAsFailed" class="Microsoft.Clm.NotificationSinks.OnMarkRequestAsFailed,Microsoft.Clm.NotificationSinks" initializationData="multi-value attribute"/>

    </ClmNotifications>

    -->

    Replace the multi-value attribute values in the initializationData sections of Web.config with a multi-string value Active Directory attribute.

    noteNote
    To update the value of this Active Directory attribute, the CLM Agent account requires Write permission to it.

  5. To add the required client registry key and values, at the command prompt on each computer running Microsoft Certificate Lifecycle Manager 2007 Client, type clmProfileUpdate.exe /u /url <CLMServerURL> /a <Attribute>.

    You do not have to edit the registry directly. Table 3 shows these registry values. Table 4 shows the parameters for ClmProfileUpdate.exe.

    ClmProfileUpdate.exe is the Profile Template Update Control, which is a Certificate Lifecycle Manager Client component. The default location for ClmProfileUpdate.exe is %ProgramFiles%\Microsoft Certificate Lifecycle Manager Client\bin\.

In Certificate Lifecycle Manager Client, you must use ClmProfileUpdate.exe to configure the registry keys for the multi-string value Active Directory attribute specified in the initializationData sections of Web.config and for the CLM Web site. ClmProfileUpdate.exe edits the Windows registry and adds the following registry key to the Certificate Lifecycle Manager Client: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Agent. Table 3 shows the registry values that ClmProfileUpdate.exe adds when you perform step 5 in the previous procedure.

Table 3   Certificate Lifecycle Manager Client registry key values

Registry key value Description

Attribute

Displays the Active Directory attribute. This value is a string value (REG_SZ).

URL

Displays the URL for the CLM server. This value is a string value (REG_SZ).

Table 4   Parameters for clmProfileUpdate.exe

Parameter Description

/?

Displays help.

/u

Updates the registry with the data that you specify following this parameter, and then exits the command-line.

/url

Specifies the URL for the ILM CMS. The URL must have a trailing forward slash. For example, http://www.contoso.com/clm/.

/a

Specifies an Active Directory attribute. This value should be the same value that you configured as the multi-value attribute in the initializationData sections of Web.config. Step 4 in the preceding procedure describes this process.

Configure the CLM Service for Temporary Smart Cards

You can use the CLM Service to issue and retire temporary smart cards. Typically, you issue a temporary smart card to replace a lost or misplaced a smart card or to provide temporary network access to a user who has no existing certificate, such as a contractor or consultant. When a user no longer needs a temporary smart card, you can retire the smart card.

To retire temporary smart cards when they have at least one expired certificate on them, you must make sure that the CLM Service is running.

noteNote
The workflow used by the temporary smart card retire function is controlled by the profile template settings that you configured when you issued the smart card. Therefore, to automatically retire temporary smart cards and revoke all certificates on those smart cards, you must configure the temporary smart card policy not to require additional approvals. You do this by setting the Number of approvals in the General Workflow Options to 0.

For more information about configuring temporary smart card functions, see Configuring the CLM Service.

Community Additions

ADD
Show: