2.5.4.1 Enroll RMS Server - RMS Server

Goal

Enroll the server with the Microsoft cloud services so that clients trust the server and send it requests.

Context of use

An RMS server performs enrollment before servicing any client requests. Servers perform enrollment by generating an enrollment request and sending it to the RMS cloud service. Server enrollment requests contain the public portion of the RMS server's key pair and other enrollment information such as its GUID. Server enrollment requests can be made synchronously, by the server directly contacting the RMS cloud service, or asynchronously, by an RMS administrator exporting the enrollment request and contacting the RMS cloud service from another computer. For more information, see [MS-RMPR] section 3.1.3.2.

Actors

  • Direct actor: The direct actor of this use case is the RMS server.

  • Primary actor: The primary actor is the RMS administrator.

  • Supporting actors: The supporting actor is the RMS cloud service.

Stakeholders and interests

  • RMS server, as described in section 2.5.1.

  • RMS administrator, as described in section 2.5.1.

  • RMS cloud service, as described in section 2.5.1.

Preconditions

The server generates an asymmetric key pair for the certificate that represents the server's identity.

Minimal guarantees

If a correctly formatted enrollment request is sent to the RMS cloud service, a server certificate is generated, signed, and appended to the server enrollment certificate chain.

Success guarantee

The success guarantee is the same as the minimal guarantee.

Main success scenario

  1. Trigger: The administrator triggers this use case after RMS is installed on a server and when the server's certificate needs to be renewed.

  2. The RMS server makes an enrollment request to the RMS cloud service.

  3. The RMS cloud service returns a signed server certificate and the server enrollment certificate chain, which the server then uses.

Extensions

Enrollment requests can also be made asynchronously by an RMS administrator exporting the enrollment request and sending it to the RMS cloud service from another computer.
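The following Go program is an added illustration of the synchronous flow in the main success scenario and of the minimal guarantee above; it is not code from the RMS product or from [MS-RMPR], and it does not reproduce the [MS-RMPR] message formats. A simulated cloud service holds a self-signed root; the simulated server generates its asymmetric key pair (the precondition), submits a request carrying its public key and GUID, and receives back a signed certificate appended to the chain. The request and response types, the GUID value, and the service's root are all constructed for the example. The point a practitioner should take from it is the server-side check at the end: the returned chain is only trusted once it verifies against the root the server already trusts and the leaf is confirmed to bind the server's own public key and GUID.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EnrollmentRequest stands in for what the server sends (public key plus GUID); constructed layout, not the [MS-RMPR] wire format.
type EnrollmentRequest struct {
	ServerGUID string
	PublicKey  *rsa.PublicKey
}

// CloudService models the cloud service's signing identity (constructed); Root is what an RMS server is assumed to trust before enrolling.
type CloudService struct {
	key  *rsa.PrivateKey
	Root *x509.Certificate
}

// issue gives tmpl a random serial, signs it with the parent's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil { return nil, err }
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewCloudService creates a self-signed root for the simulated cloud service.
func NewCloudService() (*CloudService, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example RMS Cloud Service (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return &CloudService{key: key, Root: root}, nil
}

// Enroll is the service side: a malformed request is refused; a well-formed one gets a certificate signed by the root, returned with the chain (leaf first).
func (c *CloudService) Enroll(req EnrollmentRequest) ([]*x509.Certificate, error) {
	if req.PublicKey == nil || req.ServerGUID == "" {
		return nil, errors.New("malformed enrollment request: missing public key or GUID")
	}
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: req.ServerGUID},
		NotBefore: time.Now().Add(-time.Minute),
		NotAfter:  time.Now().Add(365 * 24 * time.Hour),
	}
	leaf, err := issue(tmpl, c.Root, req.PublicKey, c.key)
	if err != nil { return nil, err }
	return []*x509.Certificate{leaf, c.Root}, nil
}

// EnrollServer is the server side of the synchronous flow: generate the key pair (the
// precondition), build the request and submit it. Only the public half is returned.
func EnrollServer(svc *CloudService, guid string) (*rsa.PublicKey, []*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	chain, err := svc.Enroll(EnrollmentRequest{ServerGUID: guid, PublicKey: &key.PublicKey})
	if err != nil { return nil, nil, err }
	return &key.PublicKey, chain, nil
}

// VerifyChain is what the server checks before using what came back: the chain leads to the root it already trusts, and the leaf binds its own public key and GUID.
func VerifyChain(chain []*x509.Certificate, pub *rsa.PublicKey, guid string, root *x509.Certificate) error {
	if len(chain) == 0 { return errors.New("empty certificate chain") }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil {
		return fmt.Errorf("chain does not lead to the trusted root: %w", err)
	}
	got, ok := chain[0].PublicKey.(*rsa.PublicKey)
	if !ok || !got.Equal(pub) { return errors.New("leaf does not bind this server's public key") }
	if chain[0].Subject.CommonName != guid { return errors.New("leaf names a different server GUID") }
	return nil
}

func main() {
	svc, err := NewCloudService()
	if err != nil { panic(err) }
	pub, chain, err := EnrollServer(svc, "constructed-guid-0001")
	if err != nil { panic(err) }
	fmt.Println("enrollment verified:", VerifyChain(chain, pub, "constructed-guid-0001", svc.Root) == nil)
}
```

The asynchronous extension differs only in transport: the administrator exports the same `EnrollmentRequest` content and submits it from another computer, and the chain that comes back still has to pass `VerifyChain` on the server before it is used. A chain issued by a different root, or one whose leaf names another GUID, is rejected by that check.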