Technical Overview of CLM 2007

Microsoft® Identity Lifecycle Manager 2007 Certificate Management Service (ILM CMS), the component also referred to on this page as Certificate Lifecycle Manager 2007 (CLM 2007), is an identity-assurance management system that increases the trust and flexibility associated with digital certificates and smart cards. ILM CMS provides enhanced certificate and smart card management on top of the Microsoft Windows Server® 2003 operating system and the Active Directory® directory service. A server that runs ILM CMS is known as a CLM server.

The following topics provide a technical overview of ILM CMS.

  • CLM 2007 Architecture

  • CLM 2007 Profile Templates

  • Simplifying Certificate Management with CLM 2007

ILM CMS has the following features:

  • A complete and integrated management solution for deploying smart cards and digital certificates

  • Delegated request and approval capabilities for distributed environments

  • In-person authentication and self-service management

  • Integration with Active Directory and Microsoft certification authorities (CAs)

  • Policy support for workflow, registration data collection, and document printing

  • Smart card lifecycle management, including smart card printing

  • Personal identification number (PIN) management for activating and unblocking PINs

  • A smart card inventory system that simplifies distribution by updating the inventory when you activate a smart card

  • Reporting and audit tracking of all smart card lifecycle activities

  • A Bulk Smart Card Issuance tool that facilitates enrollment and smart card issuance for hundreds of users

In any digital certificate or smart card deployment, increasing trust inevitably increases administration, and decreasing administration decreases trust. In addition, if you do not deploy digital certificates and smart cards efficiently, you add significant cost to their deployment. ILM CMS addresses this dilemma by simplifying the administrative process required to convey trust and to ensure secure, structured distribution. The result is a highly flexible registration and management solution.

CLM 2007 Architecture

ILM CMS is designed to integrate closely with Microsoft Windows Server 2003, Enterprise Edition, Active Directory, and CAs. Because of this integration, ILM CMS can use your existing infrastructure to provide powerful, highly flexible certificate management activities. As digital identities gain importance in enterprises, Microsoft has increased its support for digital certificates and improved the effectiveness and robustness of the Microsoft CA. By integrating certificate technologies from Microsoft, and providing a detailed management interface, ILM CMS enables end-to-end certificate and smart card management.

By acting as an administrative proxy, ILM CMS provides sophisticated management features for Windows Server 2003, Enterprise Edition, CAs. After you install ILM CMS, it manages and maintains all digital certificate and smart card management functions. In combination, a CLM server, CAs, and access control list (ACL) extensions enable detailed CA management.

ILM CMS has the following components for certificate management:

  • A server running the ILM CMS software, which includes the CLM Web site and the core ILM CMS server components that integrate with the following infrastructure:

    • Active Directory

    • Microsoft Windows Server 2003, Enterprise Edition, CA

    • Microsoft SQL Server™ 2005

    • Simple Mail Transfer Protocol (SMTP) mail services, which are required only if you choose to e-mail one-time passwords to users

  • One or more Microsoft Windows® XP Service Pack 2 (SP2) computers running the following software:

    • Microsoft Certificate Lifecycle Manager 2007 Client, which allows users to request smart card certificates

    • Bulk Smart Card Issuance Tool, which administrators can use to perform batch operations for smart card certificates

CLM server

A CLM server implements all ILM CMS functionality and manages communication with the CLM database, Active Directory, and all managed CAs. Because it brokers all communication with the managed CAs, a CLM server provides certificate management for a specific CA as well as an aggregate view of multiple CAs in your organization.

A CLM server consists of the CLM Web site and a relational database running on Microsoft SQL Server 2005. The CLM Web site is the administrative focal point for all ILM CMS management activities. You have the following options for installing and deploying SQL Server and CLM servers:

  • You can install SQL Server on the server on which you install a CLM server, or you can install it on an enterprise database server.

  • You can deploy a CLM server on a dedicated server or on a shared server.

    Shared servers include CAs and application servers.

  • You can deploy one or more CLM servers.

Active Directory

ILM CMS uses Active Directory as a central repository in the following separate, but related, ways:

  • ILM CMS stores profile templates in Active Directory as typical Active Directory objects; therefore, profile templates have security attributes, such as permissions, within Active Directory ACLs. ACLs are critical to ILM CMS operation.

  • ILM CMS depends on Active Directory to authenticate users within a session. Authentication itself is performed by protocols such as Kerberos; what an authenticated user is then permitted to do is derived from directory attributes, such as the user's own identity and group memberships, which the ACLs on ILM CMS objects reference.

  • ILM CMS uses extended permissions in Active Directory. These extended permissions allow ILM CMS to determine what activities users can and cannot perform during a session in ILM CMS and Active Directory.

Active Directory group memberships and permissions control the functionality available to users of ILM CMS, including the activities that they can complete on the CLM Web site. For more information on the activities and views, see Installing and Configuring ILM CMS on a Server (https://go.microsoft.com/fwlink/?LinkID=88419).

Extended permissions

Through schema extension, ILM CMS adds a set of extended permissions to Active Directory to allow certificate managers to delegate management activities. For more information about extended permissions, see Installing and Configuring ILM CMS on a Server (https://go.microsoft.com/fwlink/?LinkID=88419).
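Because the delegation model rests entirely on these ACLs, the first thing a security reviewer wants is a list of who holds which extended right on which profile template. The following PowerShell script is an added example and is not part of the ILM CMS documentation or product. It enumerates the ACEs on the profile-template objects and resolves each object-specific ACE's ObjectType GUID against the forest's Extended-Rights container, so CLM extended rights appear by display name rather than as GUIDs. It assumes the profile templates are stored under the "CN=Profile Templates,CN=Public Key Services,CN=Services" container of the Configuration partition (adjust the path if your forest differs) and that the account running it can read those objects' security descriptors.

```powershell
# Added example; not part of the ILM CMS documentation or product.
# Lists every ACE on the CLM profile-template objects in Active Directory
# and resolves the ObjectType GUID of object-specific ACEs to the display
# name of the extended right it refers to.
#
# Assumption: profile templates live under the container path below in the
# Configuration partition; adjust it if your forest differs.

$rootDse       = [ADSI]"LDAP://RootDSE"
$configNc      = [string]$rootDse.Properties["configurationNamingContext"].Value
$templatesPath = "LDAP://CN=Profile Templates,CN=Public Key Services,CN=Services,$configNc"

# Map rightsGuid -> displayName for every controlAccessRight in the forest.
# ILM CMS registers its own extended rights here through its schema
# extension, so they resolve the same way as the built-in ones.
$rightsByGuid = @{}
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
$searcher.Filter     = "(objectClass=controlAccessRight)"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("rightsGuid", "displayName"))
foreach ($result in $searcher.FindAll()) {
    $guid = ([string]$result.Properties["rightsguid"][0]).ToLower()
    $rightsByGuid[$guid] = [string]$result.Properties["displayname"][0]
}

$emptyGuid = [Guid]::Empty.ToString()
$templates = [ADSI]$templatesPath

$report = foreach ($template in $templates.Children) {
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $objectType = $ace.ObjectType.ToString().ToLower()
        # An empty ObjectType means the ACE covers the whole object; otherwise
        # it names an extended right, a property set, a property, or a class.
        $scope = if ($objectType -eq $emptyGuid) { "(entire object)" }
                 elseif ($rightsByGuid.ContainsKey($objectType)) { $rightsByGuid[$objectType] }
                 else { "guid:$objectType" }
        [pscustomobject]@{
            Template  = [string]$template.Properties["cn"].Value
            Identity  = $ace.IdentityReference.Value
            Access    = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# Explicit (non-inherited) Allow entries are the delegations someone made
# on purpose; review those first, then the inherited ones.
$report | Where-Object { -not $_.Inherited -and $_.Access -eq "Allow" } |
    Sort-Object Template, Identity | Format-Table -AutoSize
```

Run it from a domain-joined machine as an account that can read the Configuration partition. Any GUID that does not resolve is a property, property set, or class GUID rather than an extended right, and can be looked up the same way in the Schema partition.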

Microsoft Windows Server 2003, Enterprise Edition, CA

A Microsoft Windows Server 2003, Enterprise Edition, CA issues and manages certificates and public keys. You must install this CA on a server running Windows Server 2003, Enterprise Edition (or Datacenter Edition). Only these editions support the version 2 certificate templates and the key archival and recovery that ILM CMS requires.

To actively manage a Windows Server 2003, Enterprise Edition, CA, you must install a policy module and an exit module, and then configure them locally on each CA server. These modules communicate with a CLM server, control the behavior of the CA, and provide logging and auditing in a central location.
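A CA that is supposed to be managed by ILM CMS but is still running the Windows default policy and exit modules will issue certificates without any of the CLM workflow, logging, or auditing described above. The following PowerShell function is an added example and is not part of the ILM CMS documentation or product. Run locally on a CA server, it reads the CA's registry configuration to report which policy module and exit modules are active, whether they are the Windows defaults, and whether each configured ProgID is actually registered as a COM class (an unregistered ProgID prevents the CA service from starting). The page does not give the ProgIDs of the CLM modules, so the script does not look for them by name; it only tells you whether the defaults are still in place.

```powershell
# Added example; not part of the ILM CMS documentation or product.
# Reports the active policy and exit modules of the local CA. Run as a
# local administrator on each CA server that ILM CMS is meant to manage.

function Get-CaActiveModules {
    $configKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
    # The Configuration key's Active value names the CA hosted on this server.
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $caKey     = Join-Path $configKey $caName

    # PolicyModules\Active is a single ProgID (REG_SZ); ExitModules\Active is
    # a list of ProgIDs (REG_MULTI_SZ). Normalise both to arrays.
    $policy = @((Get-ItemProperty -Path (Join-Path $caKey "PolicyModules") -Name Active).Active)
    $exits  = @((Get-ItemProperty -Path (Join-Path $caKey "ExitModules")   -Name Active).Active)

    # ProgIDs of the modules Windows ships with; if these are what is active,
    # the CA is not under ILM CMS control.
    $windowsDefaults = @("CertificateAuthority_MicrosoftDefault.Policy",
                         "CertificateAuthority_MicrosoftDefault.Exit")

    $modules = @()
    foreach ($p in $policy) { $modules += [pscustomobject]@{ Kind = "Policy"; ProgId = $p } }
    foreach ($e in $exits)  { $modules += [pscustomobject]@{ Kind = "Exit";   ProgId = $e } }

    foreach ($m in $modules) {
        [pscustomobject]@{
            CA               = $caName
            Kind             = $m.Kind
            ProgId           = $m.ProgId
            IsWindowsDefault = ($windowsDefaults -contains $m.ProgId)
            # A ProgID must map to a CLSID under HKCR or certsvc cannot load it.
            ComRegistered    = Test-Path ("Registry::HKEY_CLASSES_ROOT\" + $m.ProgId + "\CLSID")
        }
    }
}

Get-CaActiveModules | Format-Table -AutoSize
```

A CA that shows IsWindowsDefault = True for its policy module, or only the default exit module, is not enforcing CLM policy regardless of what the CLM server believes; a module with ComRegistered = False will keep the CA service from starting after the next restart.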

Microsoft SQL Server 2005

Although we recommend that you use ILM CMS with SQL Server 2005, ILM CMS also supports Microsoft SQL Server 2000. ILM CMS uses the SQL Server database primarily for reporting and providing application-specific data. The database does not provide user and role database functions because ILM CMS retrieves that information directly from Active Directory.

SMTP mail services

In ILM CMS, you can use e-mail to deliver notifications and one-time passwords. To do so in a production environment, you configure ILM CMS to provide e-mail services to a CLM server by providing the IP address or host name of an e-mail server capable of relaying messages by SMTP.

CLM Web site

Certificate managers are users that have the appropriate level of permissions in ILM CMS to administer other users or to administer the ILM CMS application. Typically, certificate managers are responsible for managing a group of users and, if needed, their smart cards. A certificate manager can perform management functions only for the user groups for which the manager holds permissions.

Certificate managers and users are not mutually exclusive roles, however. A user can hold both roles simultaneously. A user can become a certificate manager simply with the addition of ILM CMS management permissions within Active Directory. These permissions can be provided to the user directly or indirectly through group memberships. If those permissions are removed, the user is no longer a certificate manager and cannot access the management view of the CLM Web site. (A user is also known as a certificate subscriber.)

ILM CMS uses Internet Information Services (IIS) 6.0 in Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition, as the Web server for management applications.

From the home page on the CLM Web site, certificate managers and users can select an appropriate view, depending on their roles and credentials. The view for a user is named Manage My Info, and the view for a manager is named Manager operations. Although users and certificate managers use the same uniform resource locator (URL) to access Manage My Info and Manager operations, ILM CMS displays only the content appropriate to a user's role and permissions.

Important

You must use Internet Explorer 6.x or Internet Explorer 7.x to use the CLM Web site.

Manage My Info view

From the Manage My Info view, users interact directly with the self-service features in ILM CMS. Users can complete activities for their certificates only, and only if they have permission for those activities. Typically, users can complete the following activities:

  • Enroll certificates and smart cards (self-enrollment)

  • Request management action, for example, to recover certificates or unblock smart cards

  • View certificates or smart cards

Manager operations view

From the Manager operations view, certificate managers interact directly with the management features in ILM CMS. Typically, certificate managers can complete the following activities:

  • Manage users

  • Manage smart cards

  • Approve certificate requests

  • Revoke certificates

  • Report on and audit certificate and smart card operations

Certificate Lifecycle Manager 2007 Client

You can install Certificate Lifecycle Manager 2007 Client on Windows XP computers. Certificate Lifecycle Manager 2007 Client assists in client-side, smart card management activities, such as changing the PIN on a smart card.

Although you must use Certificate Lifecycle Manager 2007 Client to deploy smart cards, it is not required for deploying software-based certificates. When you deploy software-based certificates, ILM CMS uses standard Web browser capabilities to perform all certificate functions and key management functions.

Certificate Lifecycle Manager Client has the following components:

  • Smart Card Self Service Control

  • Smart Card Personalization Control

  • Certificate Profile Update Control

  • General support files

Using the Smart Card Self Service Control in ILM CMS, users and administrators can manage smart cards through a connection from Certificate Lifecycle Manager Client to the smart card. Users run Certificate Lifecycle Manager Client to update their PINs and to use the CLM Web site to enroll for certificates and complete requests.

CLM 2007 Profile Templates

Profile templates are at the core of all ILM CMS management activity. All profile templates are stored in Active Directory. A profile template includes all of the information necessary to manage the multiple certificates that users might require throughout the certificate lifecycle. In addition, a profile template includes information about the final location of the certificate. A profile template can implement one or more certificate templates. ILM CMS stores software-based certificates on the local computer and hardware-based certificates on a smart card.

Note

You cannot combine software-based and smart card-based certificates in a single profile template.

When you store certificates on a smart card, ILM CMS configures a CLM profile template with the information necessary to manage the card, thus providing a single point for administration.

A profile template helps answer the following questions that you might have:

  • How many certificates, and which ones, should I issue for a group of users?

  • Which certification authority (CA) should I use to issue the certificates?

  • How should I use enrollment, recovery, revocation, renewal, and other management policies to manage certificates throughout their lifecycle?

  • How should I manage certificates on a smart card?

Certificate templates

A certificate template defines the structure and content of a digital certificate that is issued by a Windows Server 2003, Enterprise Edition, CA. ILM CMS stores certificate templates in Active Directory as part of a CA's native operations. A profile template can implement one or more certificate templates.

For information about configuring and managing certificate templates, see Implementing and Administering Certificate Templates in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkID=71146).

To work effectively with applications from Microsoft and other vendors, a profile template uses the certificate templates in Active Directory that are published by a Windows Server 2003, Enterprise Edition, CA. ILM CMS enhances those templates by providing more certificate template configuration options and by providing those options in the context of management policies. ILM CMS can also manage multiple certificates while applying sophisticated workflow or self-service features for lifecycle management.

If an organization has different types of authentication certificates and encryption certificates, ILM CMS can handle them differently depending on whether the encryption certificates are backed up for future recovery. For example, if an organization uses ILM CMS to recover a profile template because a smart card is lost, ILM CMS generates new authentication certificates, but recovers the existing encryption certificates. At the same time, ILM CMS manages the administrative details associated with initializing and managing the new smart card.

Management policies

ILM CMS uses management policies, which are part of profile templates, to define how it manages certificates and smart cards during their lifecycles. You can use the ILM CMS management policies to control both software-based and hardware-based profile templates.

Important

A profile template can contain either software-based certificates or smart card (hardware-based) certificates, not both. ILM CMS includes two sample profile templates. These sample profile templates are stored in Active Directory, and, as with other profile templates, you can manage them from the CLM Web site.

The following list describes the management policies in ILM CMS. Each entry gives the policy name followed by what the policy defines.

Duplicate

Defines settings specific to duplicating a profile template or smart card, including who can initiate duplicate requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a duplicate request.

Enroll

Defines settings specific to enrollment for a profile template, including who can initiate enrollment requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for an enroll request.

Online Update

Defines settings specific to the online update of a profile template, including specific settings for certificate change reasons, who can initiate online update requests, what data is collected, whether one-time passwords should be used, and how one-time passwords are distributed.

Replace

Defines settings specific to replacing a smart card, including smart card application management settings, revocation settings for the certificates being replaced, revocation settings for duplicate profile templates and smart cards, who can initiate replace requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a replace request.

Note

This policy is specific to smart card profile templates.

Recover

Defines settings specific to recovering a software-based profile template, including what happens to the certificates that are replaced, what happens to duplicate profile templates that are recovered, who can initiate recover requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a recover request.

Note

This policy is specific to software-based profile templates.

Recover On Behalf

Defines settings specific to recovering a profile template or smart card on behalf of another user, including who can initiate recover requests on behalf of other users, who can serve as an enrollment agent to complete enrollment on behalf of other users, what data is collected, and what documents should be printed for a recover on behalf request.

Renew

Defines settings specific to renewing a profile template, including revocation settings for renewing a profile template or smart card, who can initiate renew requests, who can serve as an enrollment agent for renew requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a renew request.

Suspend and Reinstate

Defines settings specific to suspending and reinstating a profile template or smart card, including revocation settings for suspending or reinstating a profile template or smart card, who can initiate suspend and reinstate requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a suspend or reinstate request.

Disable

Defines settings specific to revoking or disabling a profile template or smart card, including revocation reasons, who can initiate disable requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a disable request.

Note

This policy is specific to smart card profile templates. It is similar to the Revoke policy, but it implements settings that are specific to smart cards.

Revoke

Defines settings specific to revoking or disabling a profile template or smart card, including revocation settings, who can initiate revoke requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a revoke request.

Retire

Defines settings specific to retiring a smart card, including smart card application management settings, revocation settings, who can initiate retire requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a retire request.

Note

This policy is specific to smart card profile templates.

Temporary Cards

Defines settings specific to enrolling, disabling, and retiring temporary smart cards, including smart card application management settings, revocation settings, who can initiate enroll, disable, and retire requests for temporary smart cards, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for a temporary smart card request.

Note

This policy is specific to smart card profile templates.

Unblock

Defines settings specific to unblocking a profile template or smart card, including smart card application management settings, who can initiate unblock requests, what data is collected, whether one-time passwords should be used, how one-time passwords are distributed, and what documents should be printed for an unblock request.

Note

This policy is specific to smart card profile templates.

Offline Unblock

Defines settings specific to unblocking a profile template or smart card when no connection can be made to the CLM server, including who can initiate unblock requests and what data is collected.

Note

This policy is specific to smart card profile templates.

Simplifying Certificate Management with CLM 2007

To solve the problems of enrolling and managing certificates, many enterprises implement smart card and software certificates. These implementations provide internal users, and possibly external users, such as customers and partners, with certificates that have appropriate assurance levels. Policy problems can ensue, however, when appropriate levels of assurance vary across the enterprise. For example, a certificate for a visitor or contractor might have a different assurance level than the certificate for a full-time employee. Ultimately, these assurance levels and requirements correspond to registration and management procedures that often require custom development.

Enterprises can use ILM CMS to manage certificate templates, workflow, one-time password generation and distribution, multiple approvals, additional registration data, certificate extensions, and many other functions. Enterprises can use ILM CMS to maximize their smart card and certificate deployments to include all relevant individuals, both internal and external, to the enterprise. This policy-based approach supports a wide range of requirements and scenarios, ensuring that certificates are trusted appropriately.

Certificate registration models

There are three broad registration models that an organization can implement: self-service, delegated, and centralized. An organization can implement one or all of these registration models in one environment. To achieve this support, ILM CMS requires different validation processes for each registration, and marks each certificate with a specific extension, depending on its assurance level.

Note

Generally, the more processes applied to the registration procedure, the higher the assurance level.

The following topics describe the ILM CMS registration models.

Self-service registration model

In the self-service registration model, a user performs or requests certificate management activities from a Web-based interface. For example, if a user requests a new certificate, ILM CMS can coordinate validating request information against third-party data sources and passing the request to an individual or a group for approval.

Delegated registration model

In the delegated registration model, someone other than the user initiates registration. The user then completes registration by providing a supplied, one-time password. For example, if a user calls the Help Desk to have a smart card unblocked, the Help Desk technician initiates the unblock request. Then, ILM CMS sends a one-time password to the user who enters the password received to complete the unblock process.

Centralized registration model

In the centralized registration model, users do not participate in the workflow at all. A user designated as the originator initiates the request, and an enrollment agent executes it.

Important

The use of an enrollment agent is mandatory in a centralized registration model. Only an enrollment agent can request certificates on behalf of other users.

Certificate and key management

ILM CMS makes certificate and key management simpler by using profile templates and their corresponding management policies. Organizations can use the management policies to control where keys are generated and stored, how recovery works, how temporary smart cards are retired, and other certificate-related activities. ILM CMS categorizes certificate and key management activities first based on whether they are for software-based certificates or smart card certificates. The ILM CMS Web site then allows organizations to configure specific workflow settings for each profile template in the context of the management policy.

ILM CMS uses the settings that administrators set in the management policies on the CLM Web site to control complex certificate and key management functions. For example, during enrollment, ILM CMS can differentiate between an encryption certificate configured for escrow and a signature certificate that is not configured for escrow. If smart cards are involved, ILM CMS generates the signing keys directly on the smart card, from which the private key cannot be extracted. It generates the encryption keys in software instead, so that it can escrow them with the CA before placing them on the card. This way, during a recovery operation, ILM CMS can generate new signing keys and recover the existing encryption keys, even though the certificates were on a smart card.
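Whether a template's keys can be escrowed, and whether ILM CMS can use the template at all, is decided by attributes on the certificate template objects in Active Directory rather than by anything on the CLM server. The following PowerShell script is an added example and is not part of the ILM CMS documentation or product. It audits the published certificate templates for the two properties this design depends on: the template schema version (ILM CMS requires version 2 templates, as stated in the CA section above) and the private-key flag that requires archival. It flags version 1 templates and any template whose extended key usage indicates signing or logon but whose private key is also archived, since an escrowed signing key undermines non-repudiation. The flag values come from the msPKI-Private-Key-Flag definition in the MS-CRTD specification; the EKU classification and the "Issues" wording are this example's own.

```powershell
# Added example; not part of the ILM CMS documentation or product.
# Audits certificate templates in Active Directory for schema version and
# key-archival settings. Needs only read access to the Configuration partition.

# msPKI-Private-Key-Flag bits (MS-CRTD).
$REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
$EXPORTABLE_KEY               = 0x00000010

# Well-known EKU OIDs, used to classify what a template is for.
$ekuNames = @{
    "1.3.6.1.4.1.311.20.2.2"  = "Smart Card Logon"
    "1.3.6.1.5.5.7.3.2"       = "Client Authentication"
    "1.3.6.1.5.5.7.3.4"       = "Secure Email"
    "1.3.6.1.4.1.311.10.3.4"  = "Encrypting File System"
    "1.3.6.1.4.1.311.10.3.12" = "Document Signing"
}
# EKUs whose private key should never be escrowed.
$signingEkus = @("1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.12")

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$searcher.Filter     = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    "cn", "msPKI-Template-Schema-Version", "msPKI-Private-Key-Flag", "pKIExtendedKeyUsage"))

# Returns the first value of an attribute, or $null if the template lacks it
# (version 1 templates may not carry all msPKI-* attributes).
function Get-FirstValue($result, $name) {
    if ($result.Properties.Contains($name)) { $result.Properties[$name][0] } else { $null }
}

$report = foreach ($r in $searcher.FindAll()) {
    $version = [int](Get-FirstValue $r "mspki-template-schema-version")
    $flags   = [int](Get-FirstValue $r "mspki-private-key-flag")
    $ekus    = @()
    if ($r.Properties.Contains("pkiextendedkeyusage")) { $ekus = @($r.Properties["pkiextendedkeyusage"]) }

    $archived   = ($flags -band $REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0
    $exportable = ($flags -band $EXPORTABLE_KEY) -ne 0
    $isSigning  = @($ekus | Where-Object { $signingEkus -contains $_ }).Count -gt 0

    $issues = @()
    if ($version -lt 2)            { $issues += "version 1 template: not usable by ILM CMS" }
    if ($archived -and $isSigning) { $issues += "signing/logon key is archived: review" }

    [pscustomobject]@{
        Template   = [string](Get-FirstValue $r "cn")
        Version    = $version
        Archived   = $archived
        Exportable = $exportable
        EKUs       = ($ekus | ForEach-Object { if ($ekuNames.ContainsKey($_)) { $ekuNames[$_] } else { $_ } }) -join ", "
        Issues     = $issues -join "; "
    }
}

$report | Sort-Object Template | Format-Table -AutoSize
```

Cross-check the output against your profile templates: every encryption template that a profile template expects to recover must show Archived = True, and every template used for the signing or logon certificates on a smart card should show Archived = False.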

CLM 2007 Language Support

With the release of CLM Feature Pack 1 (FP1), multiple language support is added to all CLM components, including:

  • CLM Client

  • CLM Bulk Smart Card Issuance Tool

  • CLM Server

The following languages are supported in CLM FP1:

  • Dutch

  • English

  • French

  • German

  • Italian

  • Japanese

  • Portuguese

  • Spanish

  • Traditional Chinese

Installation

When you run Identity Lifecycle Manager 2007 setup, the ILM 2007 installation screen is always in English. However, when you select a CLM FP1 component to install, the language used for the installer is determined by the user UI language on the computer at the time of installation.

Note

If the user UI language is not one of the languages supported by CLM then the installer language will default to English.

During installation, all supported languages are installed regardless of the language used for the installer.

Client Installation

When installing the CLM Client or the Bulk Smart Card Issuance Tool, all languages are installed. By default, the following components will use the user UI language:

  • Error messages and system messages from the CLM Client and the Bulk Smart Card Issuance Tool

  • The interface presented by the Smart Card Self Service Control and Smart Card Personalization Control

Internet Explorer can be configured to view the CLM Web Portal in a different language than the user UI language. For example, the user UI language may be set to Spanish, while Internet Explorer is configured to German. In this case, the user will view the CLM Web Portal pages in German. For more information about setting language preferences for Internet Explorer, see Help in Internet Explorer.

Note

If the language specified in the Internet Explorer configuration is not a language supported by the CLM Server, the web pages will display in English.

Server Installation

When installing the CLM Server components, which include the certification authority (CA) modules, Configuration Wizard, command line utilities, setup package and all associated documentation, the installed language is determined by the user UI language. If the user UI language is not supported by the CLM Server, then the default language will be English. System event logs will always use the user UI language.