FIM CM Architecture

Applies To: Forefront Identity Manager Certificate Management

FIM CM provides enterprise-grade certificate and smart card management capabilities for centralized or highly distributed enterprises. It allows security and system administrators to apply certificate management policies consistently across a wide range of certificate uses and to a diverse user base of clients.

FIM CM provides the following certificate and smart card lifecycle management capabilities:

  • User self-service – The FIM CM portal provides users with the ability to complete the self-registration process and to perform basic certificate and smart card lifecycle management tasks such as requesting new certificates or resetting PINs.

  • Configurable policy-based workflows for common tasks – FIM CM provides the ability to apply policies against common certificate and smart card management tasks from any given certificate or grouping of certificates through the use of profile templates. Profile templates provide a common set of policies for certificate enrollment, renewal, update, recovery, revocation and retirement. In addition, specialized policies have been created to handle lifecycle management challenges related to the management of smart cards such as temporary issuance of smart cards, smart card duplication, personalization and retirement.

  • Detailed auditing and reporting – FIM CM provides a comprehensive set of reports for common reporting tasks. Out-of-the-box reports include the certificate usage, certificate expiry summary, smart card, request, certificate template settings, profile template settings, certificate template usage, certificate revocation list and smart card history reports. Detailed auditing of all certificate lifecycle management tasks is also available to the administrator through the web-based management interface.

  • Support for centralized, de-centralized and self-service scenarios – FIM CM’s role and permissions architecture provides for a fine-grained level of control. This is achieved by leveraging the capabilities of Active Directory groups and FIM CM permissions. This allows for configurations that support centralized or de-centralized administration and management through designated accounts. It also provides for user self-service scenarios where users are delegated specific permissions to perform their own self-management tasks.

  • Tightly integrated with Certificate Services and Active Directory – FIM CM is tightly integrated with underlying Microsoft technologies, including the two Windows Server components Active Directory Certificate Services and Active Directory Domain Services. FIM CM integrates with Certificate Services by acting as a higher-level management interface (commonly referred to as a Registration Authority or RA) between administrators and Certificate Services (see the architectural overview below) through the use of FIM CM policy and exit modules. This allows FIM CM to perform all day-to-day certificate management tasks that would previously have been performed through the Certificate Services MMC. Integration with Active Directory is supported by extending the schema to support FIM CM objects and permissions. This allows enterprises to leverage existing infrastructure to the fullest extent and to extend the functionality of their existing investment.

FIM CM Physical and Component Architecture

Figure 1 below provides an overview of the physical architecture of a typical FIM CM implementation, showing a physical representation (servers) at the top and the associated logical components at the bottom of the drawing.

FIM CM Architectural Overview

Each of these components is described in the following sections.

FIM CM Component Architecture

The core of the architecture is the FIM CM server, which is a web-based ASP.NET application running on an IIS web server. The FIM CM server provides management services to Microsoft Certificate Authorities, which integrate with the architecture through a policy module and an exit module. The FIM CM server uses SQL Server as a repository for FIM CM profile templates and for operational and management information. Users access the FIM CM portal via Internet Explorer using an ActiveX control that integrates with local smart card middleware. FIM CM management functions are also made available through the FIM CM portal to authorized managers.

FIM CM provides sophisticated management features to Windows Server 2003 and Windows Server 2008 CAs (single or multiple) by acting as an administrative proxy. Once installed within an organization, all digital certificate and smart card management functions can pass through FIM CM, with a single instance managing multiple issuing CAs.

A typical FIM CM deployment consists of at least one FIM CM server and one or more issuing CAs. It is possible for a single FIM CM server to manage multiple CAs simultaneously, or for multiple FIM CM servers to manage a single CA. The FIM CM server is a Windows Server with FIM CM acting as an administrative proxy to the CAs. This server provides an easy-to-use web interface to an application engine that is integrated with Active Directory Certificate Services and Active Directory Domain Services. All application configuration information is stored in a SQL Server database that is accessed by the FIM CM server and the CA modules.

FIM CM Physical Architecture

FIM CM Server

The FIM CM server runs on Windows Server 2003 or Windows Server 2008 with Internet Information Services (IIS). FIM CM is an ASP.NET application that requires the Microsoft .NET Framework to be installed on the server platform. The .NET Framework is a separate but mandatory installation component. The server stores all FIM CM management information in a Microsoft SQL Server database. The database can be located on a non-dedicated server such as an enterprise database server, and the FIM CM installation package can create the appropriate databases.

Manager Web Portal – This component of the FIM CM solution interacts with FIM CM and exposes functionality used for managing end-user certificates. The specific functionality available to FIM CM managers is based on their group memberships and permissions within Active Directory.

Subscriber Web Portal – This is the component of the FIM CM server that interacts directly with the certificate subscribers in a self-service mode. The specific functionality available to FIM CM users is based on their group memberships and permissions within Active Directory.

Microsoft Certificate Services

FIM CM is tightly integrated with Windows Server 2003 Certificate Services as well as Windows Server 2008 Active Directory Certificate Services. The FIM CM architecture augments the functionality of Certificate Services through the addition of modules that enhance its functionality. These modules include a FIM CM policy module and exit module.

The FIM CM policy modules determine whether certificate requests received by the CA should be automatically approved, denied or marked as pending, and they can set specific attribute values in the certificates being requested. The exit modules provide post-processing after a certificate has been issued. FIM CM ships with policy modules that provide additional functionality depending on the deployment scenario that is required. The included modules add support for S/MIME certificates, certificate subject and subject alternative name customization, and non-FIM CM generated requests. The FIM CM exit module provides connectivity to the SQL database and ensures that processing is passed back to the FIM CM server once a certificate has been issued. The exit module also logs and audits all certificates generated by the Certificate Server and makes this information available through the FIM CM interface. This provides a significantly enhanced certificate logging and auditing capability compared with the traditional method of tracking certificates via the Microsoft Management Console Certification Authority snap-in.

Active Directory Domain Services

FIM CM is tightly integrated with Active Directory for user authentication and for the definition of user permissions within the application. During the FIM CM install, the Active Directory schema is updated to support the additional objects and privileges required for FIM CM. This allows an organization to leverage an existing infrastructure component and a single management interface for its PKI infrastructure. It also allows FIM CM to leverage the administrative and management models configured within the organization's enterprise Active Directory environment.

Similar to a standard certificate services installation, FIM CM continues to store published certificates into the Active Directory Certificate store for accessibility throughout the organization. The use of Active Directory in this scenario allows organizations to fully benefit from their investment in a highly distributed and redundant directory environment.

SQL Server

FIM CM utilizes Microsoft SQL Server as its repository for all certificate and smart card management information. This includes profile templates and audit logs of all activities executed through FIM CM. Microsoft SQL Server 2008 64-bit edition is currently supported with FIM CM. For high-availability or disaster recovery scenarios FIM CM supports the utilization of SQL Server running in a cluster environment and the use of SQL Server log shipping functionality.

APIs

FIM CM is designed to support customizations and extensions that may be required by specific customers. These extensions can be developed using a variety of tools that support the .NET Framework including Microsoft Visual Studio® .NET. Within Visual Studio .NET, C# is the preferred development language for customizations. Three different APIs are natively supported within FIM CM.

Provisioning API – The provisioning API allows custom applications to access smart card and certificate management workflows within FIM CM. This allows FIM CM to support customized registration applications or applications that integrate with smart cards that are not natively supported within FIM CM. The provisioning API could be used to integrate FIM CM with physical security systems or to provide an interface for specialized registration requirements such as a FIPS-201 registration console.

Notification API – The notification API can be used to initiate custom code modules based on FIM CM events. This API provides an enhanced notification capability that can be used to augment FIM CM’s notification capabilities beyond what is currently provided. The notification API can be used for the distribution of one-time-passwords (OTPs) to devices such as cell phones or to integrate with custom applications that could perform actions based on FIM CM events such as initiating provisioning of account information to other applications.

SQL API – The SQL API provides an interface that allows developers to access FIM CM functionality by writing to the SQL Server database store through a defined interface. The SQL API allows developers to write custom applications to query and submit FIM CM requests that can then be processed using FIM CM profile templates. The functionality can be used for a wide range of applications such as customized registration interfaces and certificate management applications.

Extensibility - FIM CM also has the ability to use custom validators, which are code modules that can be called from data item collectors attached to policies within profile templates. Custom validators can use external code to validate data input during the enrollment process or at any policy that uses data collection, providing validation beyond native FIM CM functionality. An example application of a custom validator is validating an employee number entered during enrollment against information held in an organization's human resources database.

In addition to these APIs, FIM CM integrates with the identity synchronization engine of Microsoft® Forefront® Identity Manager (FIM) 2010, enabling identity integration via FIM 2010 Management Agents. This allows FIM CM to take advantage of FIM 2010 connectivity to over 20 different platforms. FIM 2010 also ships with a native FIM CM Management Agent that provides out-of-the-box connectivity between the FIM 2010 synchronization engine and FIM CM.

FIM CM Client

FIM CM is designed to minimize the software components required on client workstations. Users access the FIM CM portal using a standard web browser which utilizes underlying software and the FIM CM client for smart card communications and profile management.

At a minimum, clients require Windows XP SP2 and Internet Explorer 6. The FIM CM portal has a minimum requirement of Internet Explorer 6.0 and fully supports Windows 7 and Internet Explorer 8.0. If FIM CM is used for smart card management scenarios, the FIM CM client requires either a Microsoft Base Cryptographic Service Provider (BaseCSP) compliant mini-driver or 3rd party smart card middleware from a supported vendor. BaseCSP mini-drivers and 3rd party middleware are discussed further in the next section. The Windows Vista client support in FIM CM also includes offline PIN unblock.

The FIM CM client provides additional functionality and software components to support client-side user self-service capabilities related to managing the smart card. If self-service management (for example, PIN change, enrollment, and others) is not required, then the FIM CM smart card client does not need to be installed on the desktop. Specifically, the FIM CM client adds the following components: the ActiveX Smart Card Self Service control, which provides client-side certificate management capabilities, and the smart card personalization control. The client also provides support for online update of certificate profiles, as well as the tool for offline smart card PIN unblocking in Windows Vista.

Middleware

One of the challenges that has existed in the smart card industry is a tight binding or association between smart cards, smart card drivers and the management infrastructure capable of managing the cards. This is largely due to a lack of standards at the smart card level or variations in the implementation of those standards making it difficult for a generic management system to effectively manage a range of smart cards.

One of the standards that has been implemented for the management and run-time use of smart cards is PKCS#11. This standard has been widely implemented by smart card vendors, but not always consistently enough for the purposes of a general management system. FIM CM does support PKCS#11 as a mechanism to manage smart cards from a number of smart card vendors. The support, however, is specific to each smart card vendor's middleware, and therefore there are specific dependencies and potential issues in the future when that middleware changes. Another approach to smart card middleware is the implementation of a Microsoft BaseCSP compliant mini-driver. The Microsoft BaseCSP provides a robust mechanism for managing smart cards and allows smart card vendors to provide a relatively small component (called the mini-driver) to enable the card. FIM CM can then manage any smart card that has a compliant mini-driver. Microsoft additionally has testing requirements for mini-drivers that can be used to assess and evaluate their quality, further improving the success and ease of deployment.

While both of these approaches can produce a successful smart card deployment, it is the strategic direction for FIM CM smart card support to use the BaseCSP architecture. As a result, if an option exists to use this architecture it should probably be selected for future support reasons. BaseCSP support on the client side is available in Windows XP, Windows Vista, and Windows 7.

Smart Cards and Tokens

The FIM CM component supports a wide range of smart cards and authentication tokens. Vendors provide smart card capabilities in many form factors, including the traditional smart card and smart card reader and USB-based tokens containing smart card chips. Recent advancements in smart card technology have allowed smart card vendors to integrate other functionality into smart cards and smart card tokens, including combination cards that support both physical and logical access control, smart cards and tokens that include one-time-password generators in addition to traditional smart card functionality, and smart cards that integrate data storage with certificate storage.

FIM CM has the ability to support a wide range of smart cards and smart card readers. FIM CM supports the following smart cards:

  • BaseCSP Compliant Smart Cards

    • Gemalto’s .NET card

    • HID’s Crescendo C200 card

    • And any card that has been approved through Microsoft’s BaseCSP compliance program.

  • PKCS#11 Compliant Cards and Middleware from the following vendors:

    • Axalto Client Software (ACS) v5.2

    • HID’s Crescendo C700 card

    • AET SafeSign v2.1

    • Aladdin eToken RTE 3.6

    • Gemplus GemSafe v4.2

    • Siemens HiPath SIcurity Card API v3.1.026

Protocols and Dependencies

Figure 2 - FIM CM Protocol Dependencies

Figure 2 above illustrates the TCP/IP communications between the various components of the architecture. A summary of sources and destinations, with the associated protocol and TCP/IP port numbers, is provided in Table 1 below. Many of these protocols, such as SQL, SMTP, and HTTPS, allow the TCP/IP port to be configured. Kerberos, Active Directory related protocols and RPC ports are not configurable. It is important that firewalls or port-filtering routers permit communications using the ports identified for each of the hosts in the architecture.

Table 1 – Desktop Optimization Architecture TCP/IP Protocol Chart

  Source   Destination                     Protocol                  TCP/IP Port
  FIM CM   SQL Server                      SQL over TCP              1433
  FIM CM   SQL Server                      SQL Probe                 1434
  FIM CM   Active Directory                Kerberos                  88
  FIM CM   Active Directory                Microsoft-DS              445
  FIM CM   Active Directory                Microsoft Global Catalog  3268
  FIM CM   Active Directory                RPC                       Random, greater than 1024
  FIM CM   SMTP Relay                      SMTP                      25
  FIM CM   Microsoft Certificate Services  RPC                       135
  FIM CM   Microsoft Certificate Services  RPC                       Random, greater than 1024
  Client   FIM CM                          HTTPS                     443
  Client   Active Directory                Kerberos                  88
  Client   Active Directory                                          1025

Note

Additional protocols may be required to support the specific application for which FIM CM capabilities will be used, for example IPSEC, L2TP, PPTP or SSL for VPNs, or additional Microsoft RPC ports for secure email. The port numbers listed are the standard defaults; some companies choose to run services such as SQL Server and SMTP on other ports.
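The following PowerShell script is an added example and is not part of this documentation or of the FIM CM product. It encodes the rows of Table 1 whose source is the FIM CM server and attempts a TCP connection to each destination and port, so that a firewall or router rule blocking one of the dependencies shows up before the FIM CM portal or CA modules fail. The host names are placeholders (assumptions for the example); the dynamic RPC rows and the SQL probe row cannot be checked with a single TCP connect and are reported as not tested. The script uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the older Windows Server and PowerShell versions discussed on this page.

```powershell
# Added example; not part of the FIM CM documentation. Checks, from the FIM CM
# server, that the server-side TCP dependencies listed in Table 1 are reachable.
# Host names below are placeholders: replace them with your own.

function Test-TcpPort {
    # Attempts a TCP connect with a timeout and returns $true on success.
    # A timeout (rather than a refusal) is the usual sign of a firewall drop.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $result = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $result.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false                 # timed out
        }
        $client.EndConnect($result)       # throws if the connection was refused
        return $true
    }
    catch {
        return $false                     # refused, unresolvable name, etc.
    }
    finally {
        $client.Close()
    }
}

# Placeholder host names (assumptions for this example).
$sqlServer  = 'sql01.corp.example'
$domainCtrl = 'dc01.corp.example'
$smtpRelay  = 'smtp01.corp.example'
$issuingCa  = 'ca01.corp.example'

# Rows of Table 1 whose source is the FIM CM server. The "Random Greater than
# 1024" RPC rows use a dynamic port range and cannot be probed with one connect.
# The SQL probe on 1434 is the SQL Server Browser service, which listens on UDP,
# so a TCP connect test does not apply to it either.
$dependencies = @(
    @{ Destination = $sqlServer;  Protocol = 'SQL over TCP';             Port = 1433 },
    @{ Destination = $sqlServer;  Protocol = 'SQL Probe';                Port = $null; Reason = 'UDP 1434; verify with a SQL client instead' },
    @{ Destination = $domainCtrl; Protocol = 'Kerberos';                 Port = 88 },
    @{ Destination = $domainCtrl; Protocol = 'Microsoft-DS';             Port = 445 },
    @{ Destination = $domainCtrl; Protocol = 'Microsoft Global Catalog'; Port = 3268 },
    @{ Destination = $domainCtrl; Protocol = 'RPC (dynamic)';            Port = $null; Reason = 'dynamic port range' },
    @{ Destination = $smtpRelay;  Protocol = 'SMTP';                     Port = 25 },
    @{ Destination = $issuingCa;  Protocol = 'RPC endpoint mapper';      Port = 135 },
    @{ Destination = $issuingCa;  Protocol = 'RPC (dynamic)';            Port = $null; Reason = 'dynamic port range' }
)

$report = @()
foreach ($dep in $dependencies) {
    if ($null -eq $dep.Port) {
        $status   = "NOT TESTED ($($dep.Reason))"
        $portText = 'n/a'
    }
    else {
        $portText = $dep.Port
        if (Test-TcpPort -ComputerName $dep.Destination -Port $dep.Port) {
            $status = 'OPEN'
        }
        else {
            $status = 'BLOCKED or DOWN'
        }
    }
    $report += New-Object PSObject -Property @{
        Destination = $dep.Destination
        Protocol    = $dep.Protocol
        Port        = $portText
        Status      = $status
    }
}

$report | Format-Table Destination, Protocol, Port, Status -AutoSize
```

Run the script on the FIM CM server itself, since the table lists that server as the source; the client-side rows (HTTPS 443 to FIM CM, Kerberos 88 and 1025 to Active Directory) would be checked the same way from a representative workstation by changing the destination list. A result of BLOCKED or DOWN for a port that is configurable on your deployment (SQL, SMTP, HTTPS) may simply mean the service runs on a non-default port, as the note above describes.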
