Installing and Configuring the FIM CM Client

Updated: August 10, 2010

Applies To: Forefront Identity Manager 2010

The Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) client assists in client-side, smart card management activities such as changing the personal identification number (PIN) on a smart card. A computer that runs this software is known as a FIM CM client. You must install a FIM CM client to deploy smart cards, but not to deploy software-based certificates.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Audience

This document is intended for information technology (IT) planners, systems administrators, system architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following IT tasks:

  1. Installing software on client computers.

  2. Basic knowledge of registry editing.

Time Requirements

The procedures in this document take about 90 minutes to complete.

What This Document Covers

Hardware and Software Requirements for the FIM CM Client

Table 1 shows the hardware and software requirements for the FIM CM client.

Table 1: Hardware and software requirements

Component Requirement

Operating system

The FIM CM client components are designed for computers running the 32-bit editions of Windows XP, Windows Vista Enterprise, Windows Vista Ultimate, and Windows 7 and the 64-bit editions of Windows Vista Enterprise, Windows Vista Ultimate, and Windows 7.

ImportantImportant
Install the 64-bit components on clients running 64-bit editions of operating systems and when 64-bit middleware and 64-bit Internet Explorer is used.

Note that on 64-bit editions of Windows Vista and Windows 7, the default Internet Explorer edition is 32-bit.

Install the 32-bit components when using the 32-bit middleware and the 32-bit edition of Windows Internet Explorer.

Internet Explorer®

Because FIM CM requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Microsoft Internet Explorer 6.x or later is required. FIM CM has advanced scripting features that are optimized for Internet Explorer.

Windows Internet Explorer 8 and Internet Explorer 7 are also supported.

Middleware

Microsoft Base Smart Card Cryptographic Provider, a cryptographic service provider (CSP), with a vendor-specific minidriver or a legacy CSP with middleware that is compatible with a Public Key Cryptographic Standards (PKCS) #11 file.

See the following Knowledge Base article for additional information about the Microsoft Base CSP as well as links to download:

Description of the Software Update for Base Smart Card Cryptographic Service Provider (http://go.microsoft.com/fwlink/?LinkID=161161)

You must get the middleware from a vendor other than Microsoft. For a list of supported middleware, see the Release Notes for Forefront Identity Manager 2010.

A smart card reader and one or more smart cards that are compatible with the FIM CM client

Required only if you implement smart card certificates. For information about smart card compatibility with the FIM CM client, contact your smart card vendor.

Installing the FIM CM Client

ImportantImportant
Do not perform any smart card management activities until after you install the FIM CM client.

noteNote
The FIM CM client depends on the supported smart card middleware or a smart card minidriver and smart card module. Before you use the FIM CM client to perform the smart card operations, you must install the required middleware. For more information, see Hardware and Software Requirements for the FIM CM Client.

To configure the FIM CM client correctly, you must perform the following steps to ensure that the FIM CM client is properly configured:

  1. Install the client on each computer where you want to use the FIM CM client.

  2. Add the FIM CM Portal to the Trusted Sites on each FIM CM client computer.

  3. Turn on automatic prompting for downloads.

To install the FIM CM client

  1. From the FIM CM installation CD, run CM Client.msi.

    The CM Client.msi file is located at [CDDrive]\CMClient\.

  2. On the Welcome to the Forefront Identity Manager CM Client Setup Wizard page, click Next.

  3. On the End-user License Agreement page, read the license agreement, select I accept the terms in the license agreement, and then click Next.

  4. On the Custom Setup page, select the components to install, and then click Next.

  5. On the Configure CM Client page, enter the list of sites used by your FIM 2010 installations, and then select an option to configure your Trusted Sites settings in Internet Explorer.

    ImportantImportant
    If you are installing the FIM CM client on a computer that is running Internet Explorer 7, you must add this list of sites to Trusted Sites.

  6. On the Install Forefront Identity Manager CM Client page, click Install.

  7. On the Completed the Forefront Identity Manager CM Client Setup Wizard page, click Finish.

On each computer where you want to access the FIM CM Portal, you must add the FIM CM Portal to the Trusted Sites Web content security zone in Internet Explorer.

noteNote
Because the FIM CM Portal enforces the use of trusted sites, it does not function correctly if you do not add the FIM CM Portal to Trusted Sites.

To add the FIM CM Portal to Trusted Sites in Internet Explorer

  1. WarningWarning
    The following procedure is only needed for Internet Explorer 7.

    In Internet Explorer, on the Tools menu, click Internet Options.

  2. In Internet Options, click the Security tab, click Trusted Sites, and then click Sites.

  3. In Trusted Sites, type the address of the FIM CM Portal, and then click Add.

  4. Click Close, and then click OK.

The default configuration for Trusted Sites prompts the user before loading controls that are not marked safe for scripting. Because the FIM CM client is not marked safe for scripting, you must activate Initialize and script ActiveX controls not marked as safe for scripting, if you do not want Internet Explorer to prompt users when a control loads.

To export comma-delimited report data, in Internet Explorer, you must activate the Automatic prompting for file downloads policy setting. If you activate this policy setting, Internet Explorer prompts you when you export the report.

To activate comma-delimited report data to be exported

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. In Internet Options, click the Security tab.

  3. Under Security level for this zone, click Custom Level.

  4. In Security Settings - Internet Zone, under Downloads, click Enable for Automatic prompting for file downloads.

Secure Session Settings for the FIM CM Client

By default, the FIM CM client encrypts all data that is transmitted to the FIM CM server. The FIM CM client tries to use the Advanced Encryption Standard (AES) 128 encryption algorithm to encrypt data. If AES 128 is unavailable, the FIM CM client uses the Triple Data Encryption Algorithm (TDEA) encryption algorithm. If these algorithms are unavailable, FIM CM client also tries to use the CSP named Microsoft Enhanced RSA and AES Cryptographic Provider.

When you use the FIM CM client to encrypt data, you can override the default setting by selecting a different CSP and encryption algorithm.

Encryption configuration options

To configure an encryption algorithm, you must create two registry keys under HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient\. Table 2 shows these registry keys.

Table 2: Encryption registry keys

Registry key Description

CSP

Defines the CSP. The value type is REGSZ, and the entry is the name of the CSP.

AlgID

Defines the encryption algorithm identification number The value type is DWORD. For the entry, see Table 3.

Table 3: Encryption algorithms and values for the AlgID registry key

Encryption algorithm DWORD value

3DES

9 or 3

AES_128

14

AES_192

15

AES_256

16

Secure session validation

You can use the session validation options to determine the revocation status of a certificate.

noteNote
By default, the FIM CM client does not check revocation status.

To specify whether the FIM CM client checks revocation status, you must create a DWORD registry key named SessionCertValidation under HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient\. Table 4 shows the values that you can use to specify the revocation status of the Certificate Management (CM) server certificate.

Table 4: Revocation checks and associated values for SessionCertValidation

Revocation check DWORD value

No Check (default)

0

Check end certificate

1

Check entire certificate chain

2

Check entire certificate chain minus root

4

Setting Smart Card PIN Rules for the FIM CM Client

The following table shows the PIN rules for a smart card managed by the FIM CM client. The PIN rules are located under the following registry key in HKLM: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\PinRules.

noteNote
The FIM CM client does not enforce PIN rules unless the associated registry key is present.

Table 5: PIN rules and sample registry values

PIN rule Type Sample value Description

MaxPinLength

DWORD

00000008

Specifies the maximum length allowed in the PIN.

The FIM CM client can read the value from the smart card when you use a smart card with PKCS #11 middleware. Alternatively, the FIM CM client can get the value from the PIN rule itself.

The highest MaxPinLength is 14 and is enforced by FIM CM, regardless of the presence of this registry value.

ImportantImportant
P11 cards also have their own internal rules, which take precedence over those of FIM CM.

MinPinLength

DWORD

00000004

Specifies the minimum length allowed in the PIN.

The FIM CM client can read the value from the smart card when you use a smart card with PKCS #11 middleware. Alternatively, the FIM CM client can get the value from the PIN rule itself.

The lowest MinPinLength is 4 and is enforced by FIM CM, regardless of the presence of this registry value.

ImportantImportant
P11 cards also have their own internal rules, which take precedence over those of FIM CM.

MaxRepeatChar

DWORD

00000000

Specifies the maximum number of consecutive, repeated characters allowed in the PIN, for example, 11111 or ssssss.

MaxSortedSequenceChar

DWORD

00000002

Specifies the maximum length of a sorted character sequence allowed in the PIN, for example, 1234 or abcde.

PinHistory

DWORD

00000003

Specifies the length of the PIN's history, which is stored as a sequence of hashes on the smart card. Configuring the history of a PIN helps prevent dictionary attacks since the larger encrypted set makes it more difficult to guess the decryption key (PIN).

During the initial provisioning, the FIM CM client ignores the smart card PIN history. Therefore, a PIN selected by a user might match the initial smart card PIN because the FIM CM client has no previous history on the smart card.

The PIN history algorithm has the following characteristics:

  • The FIM CM client stores a cryptographically random salt on the smart card in plain text. The salt size is 120 bits.

  • The FIM CM client adds the random salt to the PIN during SHA1 hash calculation.

  • The FIM CM client calculates the SHA1 hash several times to increase computation complexity. Each calculation uses the output of the last calculation as input. SHA1 makes the same number of calculations for all smart cards—approximately 2,000.

MinUppercase

DWORD

00000001

Specifies a character set restriction or allowance of uppercase characters in the PIN. If the PIN rules do not specify a character set rule, the FIM CM client places no restrictions on the characters allowed. However, if the PIN rules specify any character set rule, the FIM CM client implicitly disallows all other characters unless a PIN rule explicitly turns on that character.

When MinUppercase specifies an allowance, the FIM CM client does not display a corresponding user interface notification. The FIM CM client displays only restriction rules in the PIN dialog boxes.

MinLowercase

DWORD

00000001

Specifies a character set restriction or allowance of lowercase characters in the PIN. If no character set rule is specified in the PIN rules, the FIM CM client places no restrictions on the characters allowed. However, if any character set rule is specified, the FIM CM client implicitly disallows all other characters unless they are explicitly turned on by a rule.

When this rule specifies an allowance, the FIM CM client does not display a corresponding user interface notification. The FIM CM client only displays restriction rules in the PIN dialog boxes.

MinNumeric

DWORD

00000001

Specifies a character set restriction or allowance of numeric characters in the PIN. If no character set rule is specified in the PIN rules, the FIM CM client places no restrictions on the characters allowed. However, if any character set rule is specified, the FIM CM client implicitly disallows all other characters unless they are explicitly turned on by a rule.

When this rule specifies an allowance, the FIM CM client does not display a corresponding user interface notification. The FIM CM client only displays restriction rules in the PIN dialog boxes.

MinSpecial

DWORD

00000000

Specifies a character set restriction or allowance of special characters in the PIN. Special characters are printable ASCII characters that are not numbers or letters. If no character set rule is specified in the PIN rules, no restrictions are put on the characters allowed. However, if any character set rule is specified, all other characters are implicitly disallowed unless explicitly activated by a rule.

When this rule specifies an allowance, the FIM CM client does not display a corresponding user interface notification. The FIM CM client only displays restriction rules in the PIN dialog boxes.

Filter

String

([a-zA-Z0-9]*)

Specifies a character set restriction or allowance of alphabetical, alphanumeric, and printable characters in the PIN. These include uppercase and lowercase characters. If no character set rule is specified in the PIN rules, no restrictions are put on the characters allowed. However, if any character set rule is specified, all other characters are implicitly disallowed unless explicitly turned on by a rule.

When this rule specifies an allowance, no corresponding user interface notification is displayed. Only restriction rules are displayed in the PIN dialog boxes.

Considering security for PIN rules

Consider protecting the smart card PIN rule registry keys as soon as you create them. To do so, we recommend that you configure access control lists (ACLs), and then audit write operations for the registry keys.

To configure ACLs on PIN rule registry data

  1. To open the Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. In the Registry Editor, select the FIM CM client registry key that you want to configure.

    For a list of available registry keys, see Setting Smart Card PIN Rules for the FIM CM Client.

  3. Right-click the registry key, and then select Permissions.

  4. In Permissions, assign permissions for existing users or groups, or to add a user or group for which to assign permissions, click Add.

To turn on auditing for write operations on registry keys

  1. To open the Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. In the Registry Editor, select the registry key that you want to configure.

    For a list of available registry keys, Setting Smart Card PIN Rules for the FIM CM Client.

  3. Right-click the registry key, and then select Permissions.

  4. In Permissions, click Advanced, and then click the Auditing tab.

  5. On the Auditing tab, click Add.

  6. In Select User or Group, select the specific user or group to audit when you are prompted, and then click OK.

    We recommend that you select a group that covers all users, for example, Everyone. At a minimum, audit the Set Key permission.

AllowPrivateExchangeKeyImport and AllowPrivateSignatureKeyImport

The ability to import encryption certificates and their associated private keys on a Microsoft Smart Card Base CSP-compliant smart card is controlled through registry settings. For example, when an encryption certificate is included in the profile template, an import of an encryption certificate is required for Duplicate, Replace, or Temporary card workflows.

To set the registry key to allow for the import of encryption certificates and their associated private keys use one of the following:

32-bit Client on 32-bit Operatings System: Use the following registry keys:

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport
REG_DWORD: default
Value: 1


HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport
REG_DWORD: default
Value: 1


64-bit Client on 64-bit Operatings System: Use the following registry keys:

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport
REG_DWORD: default
Value: 1


HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport
REG_DWORD: default
Value: 1


32-bit Client on 64-bit Operatings System: Use the following registry keys:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport
REG_DWORD: default
Value: 1


HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport
REG_DWORD: default
Value: 1


AllowPrivateKeyExchange Registry Key

ImportantImportant
If you attempt to import an encryption certificate and its associated private key, you will receive an error indicating that the current settings of the BaseCSP provider does not allow private key import if these registry keys are not in place.

noteNote
Only the 32-bit version of Gemalto smart card middleware is supported on Windows Vista 64-bit and Windows 7 64-bit. Only the 32-bit version of Aladdin smart card middleware is supported on Windows Vista 64-bit. Aladdin middleware is not supported at all on Windows 7.

Community Additions

ADD
Show: