Configuring the CA for FIM CM
Applies To: Forefront Identity Manager Certificate Management
The following steps are only necessary if the CA and the FIM CM Portal are not installed on the same server.
Determine the database connection string
Configure the Exit Module and Policy Module
For FIM CM to work correctly, you must configure the FIM CM exit module and FIM CM policy module.
FIM CM requires a server running 64-bit Windows Server 2008 or later. The CA modules can be installed on a 32-bit Windows Server 2003 CA or on a Windows Server 2008 installation with AD CS.
Determine the database connection string
If the SQL Server 2008 computer and the CA are on different computers, the CA will also need a connection string for the SQL Server 2008 computer.
To determine the connection string syntax
On Certification Authority, ensure you are logged in using an account that is a member of Enterprise Admins.
Configure the system to display file extensions. To do so, click Start. Type Folder Options and then click Folder Options when it appears on the Start menu.
On the Folder Options dialog box, in the View tab, under Advanced Settings, clear the Hide extensions for known file types and then click OK.
Right-click the Desktop, click New, and then click Text Document.
Type ConnectionString.udl as the text file name and remove the .txt file name extension when you do this.
Click Yes to confirm the extension change.
Right-click the file ConnectionString.udl and then click Properties.
In Connection, on Select or enter server name, type <SQL_server_name>
Select Use Windows NT Integrated security.
In Select the database on the server, click FIMCertificateManagement from the drop-down menu.
Click Test Connection. You should see a Microsoft Data Link dialog box appear reporting that the test connection succeeded. If you do not, verify all of your previous selections and that the network connectivity is working properly. Once the connection has been successfully made, click OK twice.
Right-click the ConnectionString.udl file and then click Open with.
In the Open with dialog box, clear the Always use the selected program to open this kind of file. Click Browse.
Another Open with dialog box opens. In File name type C:\Windows\System32\Notepad.exe and then click Open and then click OK.
You will not need the
Provider=SQLOLEDB.1;portion of the connection string. Copy the rest of the string that should look similar to
Integrated Security=SSPI; Persist Security Info=False;Initial Catalog=FIMCertificateManagement;Data Source=<SQL_server_name>.
Configure the FIM CM Exit Module and Policy Module
If the FIM CM Portal and CA server are installed on separate computers, the Exit Module and Policy Module on the CA will have to be configured manually.
To configure the FIM CM Exit Module and Policy Module
Ensure that you are logged on using an account that has the ability to manage the CA. Members of Enterprise Admins typically have such permissions.
In the Server Manager console tree, ensure the Roles and Active Directory Certificate Services are expanded. Right-click the CA that you are using for FIM CM and then click Properties.
In the CA Properties dialog box, on the Exit Module tab, click Add.
In the Set Active Exit Module dialog box, select FIM CM Exit Module and then click OK.
Select FIM CM Exit Module and then click Properties.
In the Configuration Properties dialog box, in Specify FIM CM database connection string, enter the connection string that you determined in the previous procedure and then click OK.
The Microsoft FIM Certificate Management dialog box appears telling you that the Certification Authority must be restarted before the changes can take place. Click OK.
In the Policy Module tab, click Properties.
In the Configuration Properties dialog box, on the General tab, ensure that Pass non-CM requests to the default policy module for processing is selected.
In the Default Policy Module tab, click Properties.
In the Default Policy Module dialog box, ensure that Follow the settings in the certificate template if applicable. Otherwise, automatically issue the certificate is selected.
On the Signing Certificates tab, click Add.
In the Certificate dialog box, enter the thumbprint of the Agent that you obtained earlier. Click OK twice.
The Microsoft FIM Certificate Management dialog box appears telling you that the CA must be restarted before the changes can take place. Click OK on the message. You should now see the thumbprint that you entered under Valid Signing Certificates.
In the CA Properties dialog box, click OK.
Open an elevated command prompt. Then type net stop certsvc && net start certsvc and press ENTER. Active Directory Certificate Services is restarted.