Operating FIM CM in an Enterprise Environment
Applies To: Forefront Identity Manager Certificate Management
This topic describes how to effectively implement FIM CM in an enterprise environment.
Operating FIM CM effectively generally means implementing, in the software, policies that are appropriate for the organization and letting the software expose those policies in its workflows. The workflows in turn may require different individuals to perform a variety of functions: end-user related, approval related, administrator related, or others. These tasks can be assigned to roles that are defined within Active Directory Domain Services (AD DS) as groups and then used in FIM CM. This is the essence of a role in FIM CM: an AD DS group with FIM CM permissions associated with it. That group can then be used within FIM CM and will only be able to perform the functions that have been granted through those permissions. This gives organizations a flexible mechanism to create as many roles (AD groups) as they require, each with any combination of FIM CM permissions, and so to meet a wide range of requirements.
A flexible smart card and certificate management solution requires delegation of responsibilities, and therefore sophisticated role management and detailed permissions. These roles determine permissions within the system to perform certificate management functions for specific users, as well as permissions to configure the application environment. FIM CM uses Active Directory extensively for this functionality and extends the environment to include FIM CM permissions as seen in Figure 3 below. The benefit of this approach is that the customer does not need to build a separate system of users and permissions for the certificate or smart card deployment but rather uses the existing infrastructure.
Certificate managers receive their permissions within the system based on their group memberships and permissions within Active Directory. Because the permission system within FIM CM actually uses Active Directory groups, there are few restrictions on how the management of the application and users can be delegated.
A subscriber is an end user that requires a smart card and/or certificate services. This user may require a digital certificate for smart card logon, wireless access, secure e-mail, VPN services, or many other public key infrastructure (PKI)-aware applications. The goal of FIM CM is to make the management of these certificates as easy as possible for end users, while simultaneously providing the organization with an appropriate level of security.
FIM CM provides a subscriber Web portal that enables specific self-service management functions. Self-service functions can be attractive to organizations that are attempting to minimize administrative costs; however, self-service functions also have disadvantages from a pure security perspective. FIM CM handles this challenge by allowing organizations to define which functions should be available for self-service and which should not. This can be done on an individual profile template basis or user group basis, which means that one type of profile can be managed in a self-service fashion while another is not. All workflow functions can utilize email integration for notification and automatic distribution of authentication and approval information (if desired). Additional information regarding profile templates is provided in the Profile Templates section of this topic.
Figure 4 shows a typical configuration for the subscriber portal. From this portal, subscribers can view and manage their certificates and smart cards (based on configuration and policy). This includes potentially being able to request a smart card or recover a smart card. How the request is processed is determined by the profile template. Examples include the request being completed immediately, or potentially requiring an approval from the help desk or some other individual such as the user's manager.
FIM CM can use a variety of authentication mechanisms to the portal for subscribers and managers. Because FIM CM uses Active Directory to determine a user’s permissions, the user must ultimately authenticate with his or her domain credentials to the portal. FIM CM can be configured to use integrated authentication, in which case the user can simply navigate to the FIM CM portal, and if the user is authenticated to the domain, the user will not be prompted to authenticate again. Other options can also be used, including basic authentication (domain user name and password) or certificate/smart-card-based authentication, if desired. The most important implication of this approach is that FIM CM does not require a separate database of users, passwords, and permissions. It is possible to provide a group of users, such as a help desk, with access to FIM CM by simply granting the appropriate permissions to that user group within Active Directory. The rest is handled in a completely integrated fashion with the operating system and Active Directory.
A manager within FIM CM is an individual that has been granted permissions to access the FIM CM manager Web portal (see Figure 5). This portal resides on the same FIM CM server as the certificate subscriber portal but exposes functionality used for managing other users and application information. Permissions are granted to a certificate manager using the standard Active Directory security management tools. Typically, this means users must be granted access to FIM CM and are then granted access to specific FIM CM functions such as enroll, recover, or revoke. Finally, they are given permissions to manage a particular group or groups of end users. Even more detail is possible by granting access to specific certificate templates that they can manage, while restricting other certificate management functions.
Managers can also be granted permissions to approve the certificate requests of other managers or end users that have submitted self-service requests. These requests are handled through the easy-to-use Web portal, coupled with email support once the requests have been processed. Reporting and auditing functions are then available to track activities and to perform analysis and verification of certificate management functions. Because auditing is a specific FIM CM permission, it is possible to configure a user role that is only able to generate reports and not perform any actual certificate management functions.
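The delegation model described above (role = AD DS group, grants scoped to a function, a group of end users and optionally certificate templates, with audit as a separate report-only permission) as an added, simplified model. This is not FIM CM's own code or permission names; all group, function and template names are constructed sample data.

```python
"""Simplified model of FIM CM-style delegation (added example, not FIM CM code).
A role is an AD DS group; each grant attached to a group names the functions it
allows, the AD group of end users it may act on, and optionally the certificate
templates it may touch. Names below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

@dataclass(frozen=True)
class Grant:
    functions: FrozenSet[str]                 # e.g. {"enroll", "recover"}; "audit" is report-only
    target_group: str                         # AD group of end users this grant applies to
    templates: Optional[FrozenSet[str]] = None  # None = any certificate template

# Permissions associated with each role group (constructed sample policy).
ROLE_GRANTS: Dict[str, List[Grant]] = {
    "CM-HelpDesk": [Grant(frozenset({"enroll", "unblock"}), "Employees")],
    "CM-Security": [Grant(frozenset({"recover", "revoke"}), "Employees",
                          frozenset({"SmartcardLogon", "EmailEncryption"}))],
    "CM-Auditors": [Grant(frozenset({"audit"}), "Employees")],
}

def is_authorized(manager_groups: Iterable[str], function: str,
                  target_user_groups: Iterable[str], template: str) -> bool:
    """True if any role group of the manager carries a grant covering the
    function, the target user's group membership, and the certificate template.
    Effective permissions are the union over all of the manager's role groups."""
    target_user_groups = set(target_user_groups)
    for group in manager_groups:
        for grant in ROLE_GRANTS.get(group, []):
            if function not in grant.functions:
                continue
            if grant.target_group not in target_user_groups:
                continue
            if grant.templates is not None and template not in grant.templates:
                continue
            return True
    return False

def can_run_reports(manager_groups: Iterable[str]) -> bool:
    """Reporting needs the separate audit permission; management grants alone
    do not confer it, and an audit-only role gets no management function."""
    return any("audit" in grant.functions
               for group in manager_groups
               for grant in ROLE_GRANTS.get(group, []))
```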
A profile template is a core component of all management activities within FIM CM. The purpose of a profile template is to provide a single administrative unit that includes all of the information necessary to manage multiple certificates that may be required by a user community throughout the certificate’s entire life cycle.
A profile template also includes information related to the final location for those certificates, which can be software-based (stored on the local computer) or hardware-based (stored on a smart card). In the case that the certificates are stored on a smart card, a FIM CM profile template is also configured with the information necessary to manage the smart card, and therefore provides a single point of administration for the smart card and the certificates.
A profile template can contain one or more certificate templates that can be managed as a single item. Without this approach, an organization is forced to manage multiple user certificates independently, which is expensive and prone to error. A profile template allows for the deployment of authentication and encryption type certificates in a single step.
Additionally, FIM CM is able to handle authentication certificates and encryption certificates differently depending on whether the encryption certificates are backed up for future recovery. For example, when FIM CM is asked to recover a particular profile because a smart card may have been lost, the application generates new authentication certificates but recovers the existing encryption certificates. At the same time, FIM CM manages the administrative details associated with initializing the smart card.
Figure 6 shows the general configuration for a profile template and the various items that are included in that configuration. It allows the specification of the profile template as software-based or hardware-based (smart card). The certificate templates section provides the ability to add or remove certificate templates. These certificate templates are read directly from Active Directory and are issued from a selected certification authority (CA). If desired, the individual certificate templates can even be issued from different CAs. In most cases, the collection of certificate templates includes a combination of signing/authentication and encryption certificates.
If the profile template is configured to support a smart card deployment, then management details for the actual smart card can be provided. Some of these details are shown in Figure 7 and include the smart card provider, password rules, and administrative password configuration.
The profile template includes configuration for the management policies that are used to manage the deployed profile. These management tasks include:
Unblock (for smart card profiles)
Duplicate (for smart card profiles)
Each of these tasks can be configured separately so that the way a profile is enrolled might be different from how it is recovered or renewed. This provides the enterprise customer with a wide variety of choices in terms of how these tasks are managed.
Each management task can use Web forms to capture information that can be stored or validated against other data sources. This configuration is performed as part of the application management and does not require any custom development activities.
Furthermore, there can also be a predetermined approval mechanism and distribution of approval information such as e-mails and one-time passwords. All of this information is captured and configured at the profile template level. Once complete, the profile template is simply put into use and the software implements the rules, workflow, and permissions.
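The profile template section above (certificate templates bundled into one unit, recovery that re-issues authentication certificates but recovers archived encryption certificates, and per-task management policies with self-service and approval settings) as an added, simplified model. This is not FIM CM's own code or data model; template names, purposes and policy values are constructed samples.

```python
"""Simplified model of a profile template, its recover task and per-task policies
(added example; not FIM CM's own code). Sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class CertTemplate:
    name: str
    purpose: str         # "authentication" (signing/logon) or "encryption"
    key_archived: bool   # encryption key backed up for later recovery

@dataclass(frozen=True)
class ManagementPolicy:
    self_service: bool       # subscriber may start this task from the portal
    approval_required: bool  # e.g. help desk or manager must approve first

@dataclass(frozen=True)
class ProfileTemplate:
    name: str
    smart_card: bool
    templates: List[CertTemplate]
    policies: Dict[str, ManagementPolicy]  # keyed by task: enroll, recover, renew, ...

def plan_recover(profile: ProfileTemplate) -> List[Tuple[str, str]]:
    """Actions for recovering a lost profile. Authentication keys are never
    reused, so those certificates are issued fresh; archived encryption
    certificates are recovered so previously encrypted data stays readable.
    An encryption template whose key was never archived cannot be recovered
    and falls back to a new certificate."""
    actions = []
    for t in profile.templates:
        if t.purpose == "encryption" and t.key_archived:
            actions.append(("recover_existing", t.name))
        else:
            actions.append(("issue_new", t.name))
    return actions

def workflow_for(profile: ProfileTemplate, task: str, by_subscriber: bool) -> str:
    """Outcome of starting a task under the profile's per-task policy."""
    policy = profile.policies[task]
    if by_subscriber and not policy.self_service:
        return "denied"  # task not exposed for self-service on this profile
    return "pending_approval" if policy.approval_required else "execute"

SAMPLE = ProfileTemplate(
    name="Employee Smart Card", smart_card=True,
    templates=[CertTemplate("SmartcardLogon", "authentication", False),
               CertTemplate("EmailEncryption", "encryption", True),
               CertTemplate("LegacyEncryption", "encryption", False)],
    policies={"enroll": ManagementPolicy(True, False),
              "recover": ManagementPolicy(True, True),
              "renew": ManagementPolicy(True, False)},
)
```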
FIM CM provides rich auditing functionality and all the basic certificate lifecycle management reports required for an initial deployment. FIM CM stores all certificate lifecycle activity logs and auditing information in the SQL Server repository. All reports are accessible through a Web-based management interface.
Three different types of reports can be generated from FIM CM:
Summary Reports – which provide graphical summaries of certificate lifecycle information
Detail Reports – which provide detailed information about certificate lifecycle management objects or events
Settings Reports – which provide reports on the configuration and settings of certificate templates or profile templates
Request report – The certificate request report provides a drill-down summary of certificate requests that allows the administrator to focus on a particular certificate and track all activities that have occurred based on that certificate.
Certificate expiry summary report – This report provides a graphical summary of the number of certificates that are expiring within any given window.
Certificate usage – This report provides a summary of certificates that have been revoked or expired according to either certificate template or FIM CM profile template.
Smart Card inventory report – This report provides a summary of all smart cards that have been issued by the system.
Smart card report – The smart card report provides detailed information on the smart cards that have been issued by FIM CM and are under active management by the system.
Smart card history report – This report provides information on the request history of any of the smart cards managed by the system.
Certificate template usage report – This report can provide a list of certificates organized according to the certificate template used to generate the certificate. This report is a useful tool for providing a report of which users have been issued a particular sort of certificate, and when those certificates will be expiring.
Certificate revocation list report – The certificate revocation list report provides a list of all certificates that have been revoked and the reason for their revocation. It provides a report equivalent to the last published certificate revocation list within the PKI.
Profile template settings report – The profile template report provides a summary of the configuration of any given profile template used by FIM CM.
Certificate template settings report – The certificate template report provides a summary of the configuration of any given certificate template used by FIM CM.
FIM CM provides several mechanisms to track issues and determine resolutions. These include writing messages to the Windows Event Viewer. FIM CM can also provide text-based error tracing to a log file, which can be configured in the Web.Config file. Together, these two mechanisms provide a wide range of error reporting functionality.