Using the Management Agent for Certificate Management

With the management agent for Certificate Management, you can create profiles based on existing Microsoft® Forefront Identity Manager (FIM) 2010 R2 Certificate Management (CM) Profile Templates that you can then use to manage the lifecycle of both software and smart card-based certificates.

Important

The Microsoft .NET Framework 3.0 must be installed on the Windows server running FIM to successfully run the management agent for Certificate Management.

Connected data source support

FIM Certificate Management

Management agent type

This is a call-based management agent.

Schema

The schema is generated based on a fixed schema that models the database structure. Refresh schema is not available for this management agent because it uses a static schema that cannot be changed.

Remarks

  • The management agent imports the following object types from FIM CM:

    • Requests (clmRequest)

    • Profiles (clmProfile)

    Note

    In addition, a third object, clmConfig holds various configuration settings from FIM CM.

  • Objects in FIM CM are identified by GUIDs. Profile objects and request objects each have GUIDs assigned to them. Users in FIM CM are not assigned new GUIDs; they use the objectGUID attribute from the corresponding Active Directory user object. Joining objects from FIM CM to the metaverse (MV) is done using the objectGUID attribute from Active Directory. This requires the management agent for Active Directory to have an import attribute flow rule that sends the objectGUID attribute to the metaverse as a binary attribute. This can be done using direct import attribute flow with the management agent for Active Directory.

    Important

    The objectGUID attribute is not part of the metaverse schema by default. The objectGUID attribute must be added as a custom attribute, of type binary (indexed), to the person object type in the metaverse before you can create a management agent for Certificate and Smart Card Management. For more information, see Add an Attribute

  • The management agent for Certificate and Smart Card Management must match the version of the FIM CM server that it is connecting to. For example, if you have upgraded the FIM CM server to FIM then you must reinstall the management agent for Certificate and Smart Card Management from the FIM media.

  • When creating and configuring an instance of the management agent for Certificate and Smart Card Management, the only configuration changes that are supported are those in Configure Connection Information and in Configure Additional Parameters pages in Management Agent Designer. You must not make any changes to any of the other configuration pages.

  • For a specified profile template, the management agent for Certificate and Smart Card Management supports the following management policies:

    • Enroll Policy

    • Reinstate Policy

    • Recover On Behalf Policy

    • Duplicate Policy

    • Disable Policy (Smart card profile templates only)

    • Retire Policy (Smart card profile templates only)

    • Temporary Cards Policy (Smart card profile templates only)

  • To run the management agent for Certificate and Smart Card Management, the Microsoft Forefront Identity Manager 2010 R2 service account must have access to the following registry keys:

    Registry key Minimum access required

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

    Read/Write

    HKLM\Software\Microsoft\EnterpriseCertificates

    Read

    HKLM\Software\Microsoft\SystemCertificates

    Read

    HKLM\Software\Policies\Microsoft\SystemCertificates

    Read

Important

By adding the Microsoft Forefront Identity Manager 2010 R2 service account to the local administrators group, the account will obtain all the necessary registry key permission listed above. However, this is not recommended as a security best practice.

  • The user account specified in the Configure Connection Information page in Management Agent Designer must be assigned the correct permissions at the following locations:

    • Service Connection Point (SCP) - SCP permissions determine whether a user is assigned a management role within the FIM CM deployment. For example, if a user must initiate requests for other users, the user is assigned the FIM CM Request Enroll permission at the SCP.

    • Profile template object - The profile template permissions determine whether a user can read the profile template’s contents (to execute management policy workflows within the profile template) or receive certificates based on the profile template’s management policies. If a user is required to enroll certificates based on the profile template, the user must be assigned the FIM CM Enroll permission on the profile template.

    • Users or groups - A user or group that is assigned a FIM CM management role must have permissions on the user or group objects they manage within the environment. For example, if you want to enable a manager to recover certificates issued to members of the EFSUsers group, you must assign the manager, or a group containing the manager, the FIM CM Request Recover permission on the EFSUsers group object.

    • Within a management policy - A user or group must be assigned the management role within the management policy. For example, if a user is tasked with approving enrollment requests, you must assign that user permission to approve enrollment requests within the Enroll management policy. Management policies are stored in the Profile template objects and are configured using the FIM CM Web portal.

      Note

      For more information on FIM CM permissions, see the FIM CM online help.

    • CLM SQL tables - If you have configured FIM CM to use Windows Authentication for access to the FIM CM SQL database, the user account specified when creating the management agent for Certificate and Smart Card Management requires the db_datareader role on the Profiles and Requests tables in the FIM CM SQL database.

    • Registry key - For the SQL connection string to be read from the registry on the server running FIM CM, the account specified in the management agent for Certificate and Smart Card Management must be granted Read access to the following registry key on the server running FIM CM:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser

      Note

      If you are missing any of the required permission assignments, you receive an "Access Denied" error message when you attempt to run the management agent.

  • The management agent installation program installs the Microsoft.CLM.ClmMaProxy.DLL in the %ProgramFiles%\Microsoft Certificate Lifecycle Manager\web\bin folder on all connected servers running FIM CM.

  • The FIM CM web.config file (%ProgramFiles%\Microsoft Certificate Lifecycle Manager\web\web.config) must be updated before running the management agent for Certificate and Smart Card Management. In the “<!-- REMOTING SECTION (BUILT-IN) ++++++++++++++++++++++++++++++++++++++++++-->” section, between the <service></service> tags, add the following line:

    <wellknown mode="Singleton" type="ExtensibleWfMA.ClmMaProxy, Microsoft.Clm.ClmMaProxy" objectUri="clmManagementAgent.rem"/>
    
  • Each server running FIM CM requires its own management agent. However, if you have multiple servers running FIM CM that share a single SQL database, for example in a load balancing environment, you have to create only one management agent.

  • The management agent for Certificate and Smart Card Management supports the use of Delta imports; however, if you use failover for the FIM CM SQL database, in the event that a failover of the database occurs, you must perform a Full Import run of the management agent after the failover event. You must also perform a Full Import run of the management agent if you subsequently fail back to the original SQL database.

  • During provisioning of a request, FIM sets the originator of the request as the user account name specified in Configure Connection Information in Management Agent Designer. FIM uses the user account attribute to prevent a situation in which FIM attempts to reprovision an existing request. If the account FIM uses to connect to the server running FIM CM has changed, previously provisioned requests might be reprovisioned.

  • To run the management agent for Certificate and Smart Card Management, the Microsoft Forefront Identity Manager 2010 R2 service account must be a member of the FIMSyncJoiners security group.

  • The management agent for Certificate and Smart Card Management must be configured to run in a separate process. For more information, see Run a Management Agent in a Separate Process.

  • This management agent does not support password management.

Configure Additional Parameters

The following additional parameters can be configured in Management Agent Designer.

Parameter Values Notes

ignoreCertWarnings

  • True

  • False (default)

The management agent for Certificate and Smart Card Management supports SSL for connecting to the server running FIM CM. In a development environment it may be useful to ignore warnings when trying to use a server certificate. This parameter should not be used in a production environment because it introduces a security risk.

authenticationType

  • negotiate (default)

  • basic

  • digest

  • kerberos

  • ntlm

The management agent for Certificate and Smart Card Management authenticates through IIS on the server running FIM CM. The authentication types available in IIS are available for use on the management agent for Certificate and Smart Card Management. You can do this by adding this configuration parameter and providing one of the above values. By default the management agent for Certificate and Smart Card Management will use NTLM.

defaultRequestComments

  • Default comes from the cs object attribute "req_comments"

Comments can be added to Requests in CLM. This can be done in the metaverse extension by setting the "req_comments" attribute. Adding the defaultRequestComments configuration parameter will cause all Requests to use the value supplied in the configuration parameter as the Request comment.

defaultRequestPriority

  • Default comes from the cs object attribute "req_priority"

A Priority can be added to Requests in FIM CM. This can be done in the metaverse extension by setting the "req_priority" attribute. Adding the defaultRequestPriority configuration parameter will cause all Requests to use the value supplied in the configuration parameter as the Request priority.

typeOfReqToSubmitOnProfileDelete

  • Disable

  • Retire

  • Suspend

  • TemporaryCardDisable

  • TemporaryCardRetire

If the management agent deprovisioning rule is configured to stage deletions, then the management agent for Certificate and Smart Card Management will submit a Request to CLM. The type of request can be configured using the typeOfReqToSubmitOnProfileDelete configuration parameter. If the configuration parameter is missing or empty then no Request will be submitted.

useSQLAuth

  • True

  • False (default)

The connection to the database on the server running CLM can be configured to use SQL authentication. Adding the "useSqlAuth" configuration parameter allows the management agent for Certificate and Smart Card Management to connect to the database on the server running CLM using SQL login credentials. The credentials are configured using the "sqlUserName" and "sqlPassword" configuration parameters.

sqlUserName

(only used if "useSqlAuth" == true)

sqlPassword

(only used if "useSqlAuth" == true)

  • N/A

Configure this parameter to use encryption. The value will be hidden from the user interface and stored in the database on the server running FIM in encrypted form available only to the Microsoft Forefront Identity Manager 2010 R2 service account.

connectionString

Default is to use the connection string FIM receives from FIM CM.

The connection string used for connecting to the database on the server running FIM CM is read from the server running FIM CM by default during imports. This configuration parameter can be used to override that connection string.

See Also

Concepts

Configuring Management Agents
Create a Management Agent
Select Attributes
Configure Additional parameters for Extensible Connectivity
Configure Connector Filter Rules
Configure Join and Projection Rules
Configure Attribute Flow Rules
Configure Deprovisioning Rules