2.5.4.1 Enroll RMS Server - RMS Server
Goal
Enroll the server with the Microsoft cloud services so that clients trust the server and send it requests.
Context of use
An RMS server performs enrollment before servicing any client requests. Servers perform enrollment by generating an enrollment request and sending it to the RMS cloud service. A server enrollment request contains the public portion of the RMS server's key pair (the private portion never leaves the server) and other enrollment information such as the server's GUID. Server enrollment requests can be made synchronously, by the server directly contacting the RMS cloud service, or asynchronously, by an RMS administrator exporting the enrollment request and contacting the RMS cloud service from another computer. For more information, see [MS-RMPR] section 3.1.3.2.
Actors
Direct actor: The direct actor of this use case is the RMS server.
Primary actor: The primary actor is the RMS administrator.
Supporting actors: The supporting actor is the RMS cloud service.
Stakeholders and interests
RMS server, as described in section 2.5.1.
RMS administrator, as described in section 2.5.1.
RMS cloud service, as described in section 2.5.1.
Preconditions
The server generates an asymmetric key pair for the certificate that represents the server's identity.
Minimal guarantees
If a correctly formatted enrollment request is sent to the RMS cloud service, a server certificate is generated, signed, and appended to the server enrollment certificate chain.
Success guarantee
The success guarantee is the same as the minimal guarantee.
Main success scenario
Trigger: The administrator triggers this use case after RMS is installed on a server, or when the server's certificate needs to be renewed.
The RMS server makes an enrollment request to the RMS cloud service.
The RMS cloud service returns a signed server certificate and the server enrollment certificate chain, which is then used by the server.
Extensions
Enrollment requests can also be made asynchronously by an RMS administrator exporting the enrollment request and sending it to the RMS cloud service from another computer.
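The exchange above (key pair generated as the precondition, a request carrying only the public key and the server GUID, the cloud service returning a signed server certificate plus the chain it was appended to, and the client-side trust check that the enrollment exists to enable) modeled end to end as an added example. This is illustrative code written for this page, not code from [MS-RMPR] or from any Microsoft implementation. Assumptions: X.509 certificates stand in for the RMS certificate format, the EnrollmentRequest, EnrollmentResult, RMSServer and CloudService types are hypothetical, the root certificate is self-signed here for simplicity, and the GUID is constructed. It also shows the two failure modes a practitioner checks for: a malformed request is refused rather than signed, and a certificate issued by anything other than the cloud service root does not verify.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EnrollmentRequest is a hypothetical stand-in for the real request format: it carries
// only the public half of the server's key pair and the server GUID, so the same bytes
// can be exported by an administrator for asynchronous enrollment without exposing the key.
type EnrollmentRequest struct {
	ServerGUID   string
	PublicKeyDER []byte // PKIX/DER encoding of the server's public key
}

// EnrollmentResult is what the cloud service returns: the signed server certificate and
// the chain it was appended to (here just the cloud service's root certificate).
type EnrollmentResult struct {
	ServerCertDER []byte
	ChainDER      [][]byte
}

// RMSServer holds the private key; it never leaves the server.
type RMSServer struct {
	GUID string
	key  *rsa.PrivateKey
}

// NewRMSServer satisfies the precondition: generate the asymmetric key pair.
func NewRMSServer(guid string) (*RMSServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RMSServer{GUID: guid, key: key}, nil
}

// EnrollmentRequest builds the request from the public key only.
func (s *RMSServer) EnrollmentRequest() (*EnrollmentRequest, error) {
	pub, err := x509.MarshalPKIXPublicKey(&s.key.PublicKey)
	if err != nil {
		return nil, err
	}
	return &EnrollmentRequest{ServerGUID: s.GUID, PublicKeyDER: pub}, nil
}

// CloudService stands in for the RMS cloud service: a CA that signs server certificates.
type CloudService struct {
	key     *rsa.PrivateKey
	cert    *x509.Certificate
	RootDER []byte
}

// NewCloudService creates a self-signed root (assumption: the real chain is longer).
func NewCloudService() (*CloudService, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "RMS Cloud Service (example root)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CloudService{key: key, cert: cert, RootDER: der}, nil
}

// Enroll is the minimal guarantee: a correctly formatted request yields a signed server
// certificate appended to the chain; a malformed request is rejected, not signed.
func (c *CloudService) Enroll(req *EnrollmentRequest) (*EnrollmentResult, error) {
	if req == nil || req.ServerGUID == "" {
		return nil, errors.New("enrollment request missing server GUID")
	}
	pub, err := x509.ParsePKIXPublicKey(req.PublicKeyDER)
	if err != nil {
		return nil, fmt.Errorf("malformed public key in enrollment request: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "RMS Server " + req.ServerGUID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key)
	if err != nil {
		return nil, err
	}
	return &EnrollmentResult{ServerCertDER: der, ChainDER: [][]byte{c.RootDER}}, nil
}

// VerifyEnrollment is the check that makes enrollment meaningful to a client: the server
// certificate must chain to the trusted root and must carry the server's own public key.
func VerifyEnrollment(res *EnrollmentResult, srv *RMSServer, trustedRootDER []byte) error {
	cert, err := x509.ParseCertificate(res.ServerCertDER)
	if err != nil {
		return err
	}
	root, err := x509.ParseCertificate(trustedRootDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&srv.key.PublicKey) {
		return errors.New("certificate public key does not match the server's key pair")
	}
	return nil
}

func main() {
	cloud, _ := NewCloudService()
	srv, _ := NewRMSServer("0f4c2a7e-1111-4a5b-9c3d-000000000001") // constructed GUID
	req, _ := srv.EnrollmentRequest()
	res, err := cloud.Enroll(req)
	if err != nil {
		panic(err)
	}
	fmt.Println("enrollment verified:", VerifyEnrollment(res, srv, res.ChainDER[0]) == nil)
}
```

The chain returned with the certificate is only useful to a client that already trusts the cloud service root out of band; verifying against whatever root arrives in the response would let any issuer pass, which is why VerifyEnrollment takes the trusted root as a separate input.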