Configuring SSL on FIM CM Server

Applies To: Forefront Identity Manager 2010

Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) is a policy and workflow-driven solution that helps organizations manage the lifecycle of digital certificates and smart cards. FIM CM lowers the costs that are associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. FIM CM streamlines provisioning, deprovisioning, configuration, and auditing of digital certificates and smart cards, and increases security through strong, multifactor authentication technology.

What This Document Covers

This document provides step-by-step instructions for installing and configuring a FIM CM profile template and management policies so that you can then activate SSL connection capability on your FIM CM server.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

Audience

This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan and develop certificate management on the network.

Time requirements

The procedures in this document require 60 to 90 minutes to complete.

Note

These time estimates assume that the testing environment is already configured and ready for testing to begin. They do not include the time required to set up the test environment.

Scenario Description

The procedures in this document will help you create and configure a FIM CM profile template and use the CLM portal to request a Web Server certificate.

Testing environment

To perform the procedures in this document, it is assumed that your test environment has been set up and configured.

Your environment should consist of the following:

  • Windows Server, named FIMCMServer

  • FIM CM, installed on FIMCMServer

  • A minimum of one certification authority (CA) installed, named FIMCM, which can be either an enterprise root CA or an enterprise subordinate CA

  • Microsoft SQL Server

  • Internet Information Services (IIS), with the Simple Mail Transfer Protocol (SMTP) service activated

  • Microsoft .NET Framework

In addition, this document assumes that all computers are members of the Fabrikam.com forest.

Note

You can test the results of the procedures in this document on a single computer that has all of these components. However, for your production environment, we strongly recommend that you not set up FIM CM and Active Directory on the same computer for performance reasons.

Preinstallation Tasks

Create a user and security group with necessary profile template permissions

To perform the procedures in this guide, you must create a user and security group that is delegated the minimum permissions necessary to perform the procedures.

To create a new user and security group

  1. Log on as the administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, right-click Users, and then click New User.

  4. On the New User page, type FIMCM_Template for the user name, enter a password, clear the User must change password at next logon check box, and then click Finish.

  5. Right-click Users, and then click New Group.

  6. For the group name, enter FIMCM_Template_Admins, ensure that the group scope is set to Global and that the group type is set to Security, and then click OK.

  7. In the details pane, right-click FIMCM_Template_Admins, and then click Properties.

  8. Click the Members tab, and add the user FIMCM_Template to the group.

The FIMCM_Template_Admins group needs the necessary permissions to create and configure profile templates in FIM CM.

To configure profile template permissions

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. Click View, and ensure that Show Services Node is selected.

  3. Double-click Services, double-click Public Key Services, and then click Profile Templates.

  4. Right-click Profile Templates, and then click Properties.

  5. Click the Security tab, add the FIMCM_Template_Admins group, and then click OK.

  6. In Group or user names, select FIMCM_Template_Admins, and then allow Full Control.

  7. Click Advanced, select FIMCM_Template_Admins, and then click Edit.

  8. In Apply onto, click This object and all child objects, and then click OK three times to exit.

  9. Close Active Directory Sites and Services.

To configure the Service Connection Point permissions

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Click View, and ensure that Advanced Features is selected.

  3. Double-click the domain, double-click System, double-click Microsoft, double-click Certificate Manager, and then click FIMCMServer.

  4. Right-click FIMCMServer, and then click Properties.

  5. Click the Security tab, add the FIMCM_Template_Admins group, and allow the FIM CM Audit permission. Ensure that you also allow the Read permission.

  6. Click OK.

  7. Close Active Directory Users and Computers.

To configure the Web Server certificate template permissions

  1. Click Start, click Run, type certtmpl.msc, and then click OK.

  2. In the right pane, click Web Server, and then click Properties.

  3. Click the Security tab, add the FIMCM_Template_Admins group, and allow the Read and Enroll permissions.

  4. Click OK.

  5. Close Certificate Templates.

Create and Configure a New Profile Template

Create the profile template

To create a new profile template, you will have to copy an existing template. Two sample templates are provided with FIM CM for this purpose.

To create a new profile template

  1. Log in as FIMCM_Template.

  2. In Internet Explorer, open https://CLMServer/clm.

  3. Click the Certificate Manager logo.

  4. On the Home page of the FIM CM Web Portal, in the Administration section, click Manage profile templates.

  5. On the Profile Template Management page, in the Profile Template List section, select the FIM CM Sample Profile Template check box, and then click Copy a selected profile template.

  6. On the Duplicate Profile page, in the Profile Template Name section, in the New Profile Template Name text box, type Web Server SSL Certificates, and then click OK.

Configure the profile template

For each profile template, you must configure a set of General Settings as well as settings for the certificate template that is used by the profile template.

Modify the general settings

To modify the general settings

  1. In the FIM CM Web Portal, in the navigation pane, in the Select a view section, ensure that Profile Details is selected.

  2. On the Edit Profile Template [Web Server SSL Certificates] page, in the General section, click Change general settings.

  3. On the Edit Profile Template [Web Server SSL Certificates] page, in the Name and Description section, in the Description text box, type Allows issuance and management of Web Server SSL Certificates.

  4. On the Edit Profile Template [Web Server SSL Certificates] page, leave all other settings at their default value, and then in the lower-right section of the page, click OK.

To modify the certificate template settings

  1. On the Edit Profile Template [Web Server SSL Certificates] page, in the Certificate Templates section, click Add new certificate template(s) to profile template.

  2. Make the following changes on the Edit Profile Template [Web Server SSL Certificates] page:

    1. In General Options, select Allow Raw Request.

    2. In Certificate Authorities, select FIMCM.

    3. In Certificate Templates, select Web Server.

  3. In the lower-right section of the page, click Add.

  4. In the Certificate Templates section, select the User check box, and then click Delete selected certificate templates.

  5. In the Microsoft Internet Explorer dialog box, click OK to delete the selected items.

Configure the enroll policy

Each profile template has a set of management policies that can be configured. For this scenario, you only have to configure the enroll policy.

To define the general workflow settings

  1. In the left pane, in the Select a view section, click Enroll Policy.

  2. On the Edit Profile Template [Web Server SSL Certificates] page, in the Workflow: General section, click Change general settings.

  3. On the Edit Profile Template [Web Server SSL Certificates] page, ensure that the following options are set:

    1. Enable policy: Select

    2. Use self-serve: Select

    3. Require enrollment agent: Disable

    4. Allow comments to be collected: Disable

    5. Allow request priority to be collected: Disable

    6. Default request priority: 0

    7. Number of approvals: 0

    8. Number of active or suspended profiles/smart cards allowed: Unlimited

  4. In the lower-right section of the page, click OK.

To define who can initiate an enrollment request

  1. In the Workflow: Initiate Enroll Requests section, select the NT AUTHORITY\SYSTEM check box, and then click Delete principal(s) for enroll request initiation.

  2. To confirm the deletion, in the Microsoft Internet Explorer dialog box, click OK.

To change the Data Collection settings

  1. On the Edit Profile Template [Web Server SSL Certificates] page, in the Data Collection section, select the Sample Data Item check box, and then click Delete data collection items.

  2. To confirm the deletion, in the Internet Explorer dialog box, click OK.

  3. In the Data Collection section, click Add new data collection item.

  4. In the Data Item Name and Type section, make the following changes:

    1. Name: Web Server Hostname

    2. Description: Provide the NetBIOS name of the Web server

    3. Type: String

    4. Default Value: Disable

    5. Required: Select

  5. In the Data Item Originator section, select User.

  6. In the Data Item Validation section, select Data type.

  7. In the Data Item Storage section, ensure that the following settings are set:

    1. Store data in: Database

    2. Encrypted: Disabled

  8. In the lower-right section of the page, click OK to save any changes.

Change the one-time password settings

  1. On the Edit Profile Template [Web Server SSL Certificates] page, in the One Time Passwords section, click Change password provider settings.

  2. On the Edit Profile Template [Web Server SSL Certificates] page, in the Password Provider section, ensure that Default password provider is selected; in Number of one time passwords (password provider data), type 0; and then click OK.

Requesting a Web Server Certificate

After the enrollment policy is set, you can test the profile template by installing a secure sockets layer (SSL) certificate on FIMCMServer. Perform the following tasks:

  • Add the FIMCM_Template_Admins group to the local Administrators group.

  • Configure DNS.

  • Initiate and process the Web Server certificate request.

To add the FIMCM_Template_Admins group to the local administrators group

  1. Log on as the administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Select Users. In the details pane, right-click FIMCM_Template_Admins, and then click Properties.

  4. Click the Member of tab, and then add Administrators.

Important

Before you complete the next procedure, you must ensure that Domain Name System (DNS) is installed on your server. If it is not already installed, install DNS, and then return to this procedure.

To configure the CNAME record in DNS

  1. Click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, double-click FIMCMServer, double-click Forward Lookup Zones, and then click Fabrikam.com.

  3. In the console tree, right-click Fabrikam.com, and then click New Alias (CNAME).

  4. In the New Resource Record dialog box, do the following:

    1. In the Alias name (uses parent domain if left blank) text box, type clm.

    2. In Fully qualified domain name (FQDN) for target host, type FIMCMServer.Fabrikam.com.

  5. In the New Resource Record dialog box, click OK.

  6. Close the DNS console.

  7. Click Start, click Run, type cmd, and then click OK.

  8. At the command prompt, type ipconfig /flushdns, and then press ENTER.

  9. At the command prompt, type ping FIMCMServer.Fabrikam.com, and then press ENTER.

  10. Ensure that the DNS name resolves successfully.
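The CNAME procedure above, scripted as an added example (not from the original document) with dnscmd.exe on the DNS server. It assumes the zone Fabrikam.com, the alias clm and the target FIMCMServer.Fabrikam.com from the steps above, and it verifies the alias itself rather than the server's own name, since the alias is the name the portal URL will use.

```powershell
# Added example (not from the original page): create the clm CNAME with
# dnscmd.exe, flush the local resolver cache, and prove the alias resolves
# to the same addresses as its target.
# Assumed names: zone Fabrikam.com, alias clm, target FIMCMServer.Fabrikam.com.
$Zone   = 'Fabrikam.com'
$Alias  = 'clm'
$Target = 'FIMCMServer.Fabrikam.com'

# dnscmd ships with the DNS Server role; /RecordAdd creates the alias record.
& dnscmd.exe $env:COMPUTERNAME /RecordAdd $Zone $Alias CNAME $Target
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

# Drop the local resolver cache so a stale negative answer is not reused.
& ipconfig.exe /flushdns | Out-Null

# Resolve the alias, not the server's own name: the alias is what the
# portal URL uses, so it is the name worth proving.
$fqdnAlias = "$Alias.$Zone"
try {
    $entry = [System.Net.Dns]::GetHostEntry($fqdnAlias)
} catch {
    throw "Alias $fqdnAlias does not resolve: $($_.Exception.Message)"
}

# A correct CNAME resolves to the target's canonical name and addresses;
# compare the alias answer with the target resolved directly.
$targetAddrs = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString }
$aliasAddrs  = $entry.AddressList | ForEach-Object { $_.IPAddressToString }
$diff = Compare-Object -ReferenceObject @($targetAddrs) -DifferenceObject @($aliasAddrs)
if ($diff) {
    throw "Alias $fqdnAlias resolves to $($aliasAddrs -join ', ') but $Target is $($targetAddrs -join ', ')"
}
Write-Host "OK: $fqdnAlias -> $($entry.HostName) ($($aliasAddrs -join ', '))"
```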

To initiate the Web server certificate request

  1. Log on as FIMCM_Template.

  2. In Administrative Tools, open Internet Information Services (IIS) Manager.

  3. In the console tree, double-click FIMCMServer, double-click Web Sites, and then click Default Web Site.

  4. Right-click Default Web Site, and then click Properties.

  5. In the Default Web Site Properties dialog box, click the Directory Security tab.

  6. On the Directory Security tab, in the Secure communications section, click Server Certificate.

  7. On the Welcome to the Web Server Certificate Wizard page, click Next.

  8. On the Server Certificate page, click Create a new certificate, and then click Next.

  9. On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next.

  10. On the Name and Security Settings page, in Name, type FIMCM Web Portal, set the Bit length to 1024, and then click Next.

  11. On the Organization Information page, enter the following information, and then click Next.

    1. Organization: <any name>

    2. Organizational unit: <any name>

  12. On the Your Site's Common Name page, in Common name, type FIMCMServer, and then click Next.

  13. On the Geographical Information page, enter the following information, and then click Next.

    1. Country/Region: US (United States)

    2. State/province: Washington

    3. City/locality: Redmond

  14. On the Certificate Request File Name page, in File Name, type c:\fimcmreq.txt, and then click Next.

  15. On the Request File Summary page, verify the settings, and then click Next.

  16. On the Completing the Web Site Properties dialog box, click OK.

  17. In the Default Web Site Properties dialog box, click OK.

  18. Minimize the Internet Information Services (IIS) Manager console.

To process the Web server certificate request

  1. Open C:\fimcmreq.txt.

  2. On the Edit menu, click Select All.

  3. On the Edit menu, click Copy.

  4. Close C:\fimcmreq.txt.

  5. Open Internet Explorer.

  6. In Internet Explorer, open https://FIMCMServer/fimcm.

  7. Click the Microsoft Certificate Lifecycle Manager logo.

  8. On the Home page, in the Select a view section, click Manage my info.

  9. On the Home page, in the Common Tasks section, click Request a new set of certificates.

  10. In the Select a Profile Template section, select Web Server SSL Certificates, and then click Next.

  11. In the Data Collection section, in Web Server hostname, type FIMCMServer, and then click Next.

  12. On the Installing Certificates page, in the Key Generation: Web Server section, in Name, type FIMCM, right-click the Raw certificate request text area, and then click Paste.

  13. Ensure that the request file contents appear, and then click Next.

  14. On the Installing Certificates page, in the Template Common Name (click to download) column, click WebServer.

  15. In File Download, click Save.

  16. In Save As, in File name, type c:\fimcmcert, and then click Save.

  17. If the Download Complete dialog box appears, click Close.

  18. On the Installing Certificates page, ensure that the Success column shows a check mark, and then click Next.

  19. Close Internet Explorer.

To complete the Web server certificate request

  1. Restore the Internet Information Services (IIS) Manager console.

  2. Right-click Default Web Site, and then click Properties.

  3. In the Default Web Site Properties dialog box, click the Directory Security tab.

  4. On the Directory Security tab, in the Secure communications section, click Server Certificate.

  5. On the Welcome to the Web Server Certificate Wizard page, click Next.

  6. On the Pending Certificate Request page, click Process the pending request and install the certificate, and then click Next.

  7. On the Process a Pending Request page, in Path and file name, type c:\fimcmcert.p7b, and then click Next.

  8. On the SSL Port page, in SSL port this Web site should use, type 443, and then click Next.

  9. On the Certificate Summary page, verify the information, and then click Next.

  10. On the Completing the Web Server Certificate Wizard page, click Finish.

  11. In the Default Web Site Properties dialog box, click OK.
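The two IIS wizard procedures, "To initiate the Web server certificate request" and "To complete the Web server certificate request", as an added certreq.exe script that is not part of the original document. Part 1 produces the c:\fimcmreq.txt file that the portal procedure pastes into the raw request box; part 2 runs once the portal has returned c:\fimcmcert.p7b. It assumes the common name FIMCMServer and the page's file names, and uses placeholder O/OU values that you replace; it requests a 2048-bit key where the page's wizard step says 1024, because RSA keys under 2048 bits are refused by current Windows and browser policy.

```powershell
# Added example (not from the original page): the IIS wizard's request and
# completion steps done with certreq.exe. Assumed: common name FIMCMServer,
# the page's file names, and placeholder O/OU values to replace.
$ReqInf  = 'c:\fimcmreq.inf'
$ReqFile = 'c:\fimcmreq.txt'
$Issued  = 'c:\fimcmcert.p7b'

# --- Part 1: the same fields the wizard collects, as a certreq INF file ---
# The page sets the wizard's bit length to 1024; 2048 is used here because
# RSA keys under 2048 bits are refused by current Windows and browser policy.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=FIMCMServer, OU=PLACEHOLDER-OU, O=PLACEHOLDER-ORG, L=Redmond, S=Washington, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
Set-Content -Path $ReqInf -Value $inf -Encoding ASCII

# certreq -new creates the key pair in the machine store and writes the
# base64 PKCS#10 request; that text is what the portal's raw request box takes.
& certreq.exe -new $ReqInf $ReqFile
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
if ((Get-Content $ReqFile -TotalCount 1) -notmatch 'BEGIN NEW CERTIFICATE REQUEST') {
    throw "$ReqFile does not look like a PKCS#10 request"
}

# --- Part 2: after the portal has issued the certificate chain (.p7b) ---
if (Test-Path $Issued) {
    # -accept binds the issued certificate to the pending private key.
    & certreq.exe -accept $Issued
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Confirm the machine store holds the server certificate with its key;
    # a certificate without HasPrivateKey cannot be bound to the Web site.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=FIMCMServer*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'Issued certificate not found in LocalMachine\My with a private key' }
    'Installed {0} (thumbprint {1}), valid until {2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
```

The portal step in between (pasting the request and downloading the .p7b) stays manual, as the document describes it.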

To activate SSL for the FIM CM virtual directory

  1. In Internet Information Services (IIS) Manager, in the console tree, double-click Default Web Site, right-click FIMCM, and then click Properties.

  2. In the FIMCM Properties dialog box, click the Directory Security tab.

  3. On the Directory Security tab, in the Secure communications section, click Edit.

  4. In the Secure Communications dialog box, select the Require secure channel (SSL) check box, select the Require 128-bit encryption check box, and then click OK.

  5. In the FIMCM Properties dialog box, click OK.

  6. Close IIS Manager.

To test the SSL connection to the FIM CM server

  1. Open Internet Explorer.

  2. Open https://FIMCMServer/certificatemanagement.

  3. If the Security Alert dialog box opens, select the In the future, do not show this warning check box, and then click OK.

  4. Ensure that no SSL-related errors appear for the SSL certificate.
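The two procedures above, "To activate SSL for the FIM CM virtual directory" and "To test the SSL connection to the FIM CM server", as an added script that is not part of the original document. It applies the same two Secure Communications settings through the IIS 6 metabase with adsutil.vbs, then tests the result with a strictly validated TLS handshake (the condition that the Security Alert dialog in step 3 would otherwise hide), checks on the served certificate, and a plain-HTTP probe that must be refused. It assumes the host FIMCMServer, the Default Web Site as W3SVC/1 and the virtual directory name FIMCM.

```powershell
# Added example (not from the original page): set "require secure channel"
# and "require 128-bit encryption" on the FIMCM virtual directory, then test
# the result. Assumed: host FIMCMServer, site W3SVC/1, virtual directory FIMCM.
$Server = 'FIMCMServer'
$VDir   = 'W3SVC/1/ROOT/FIMCM'
$Path   = "/$($VDir.Split('/')[-1])/"

# AccessSSLFlags: 8 = require SSL, 256 = require 128-bit encryption (8 + 256 = 264)
$adsutil = "$env:SystemDrive\inetpub\adminscripts\adsutil.vbs"
& cscript.exe //nologo $adsutil SET "$VDir/AccessSSLFlags" 264 | Out-Null
$flags = (& cscript.exe //nologo $adsutil GET "$VDir/AccessSSLFlags") -join ' '
if ($flags -notmatch '\b264\b') { throw "AccessSSLFlags not applied: $flags" }

# 1. TLS handshake with chain and name validation left on. A failure here is
#    the same condition the page's Security Alert dialog would report.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try   { $ssl.AuthenticateAsClient($Server) }
catch { throw "TLS to ${Server}:443 failed validation: $($_.Exception.Message)" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 2. Properties of the served certificate that the wizard steps should yield.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
$checks = @{
    'Subject CN is the host name'     = ($cert.GetNameInfo('SimpleName', $false) -ieq $Server)
    'Server Authentication EKU'       = [bool]$serverAuth
    'RSA key at least 2048 bits'      = ($cert.PublicKey.Key.KeySize -ge 2048)
    'Valid for at least 30 more days' = ($cert.NotAfter -gt (Get-Date).AddDays(30))
}

# 3. Plain HTTP to the protected directory must be refused (IIS 6 answers
#    403 with sub-status 4, "SSL required").
$plainRefused = $false
try {
    $resp = [System.Net.WebRequest]::Create("http://$Server$Path").GetResponse()
    $resp.Close()
} catch {
    $ex = $_.Exception
    if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
    if ($ex.Response) { $plainRefused = ([int]$ex.Response.StatusCode -eq 403) }
}
$checks['Plain HTTP refused with 403'] = $plainRefused

$checks.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
if ($checks.Values -contains $false) { throw 'SSL configuration check failed' }
```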