Web Abstract:
- Information technology (IT) organizations that issue high-assurance certificates, such as smart card certificates, must ensure those certificates' security.
- Microsoft's Identity Lifecycle Manager (ILM) 2007 lets IT administrators define workflows that increase certificates' assurance levels.
- ILM 2007's certificate management feature helps IT organizations manage the life cycle of both software-based and smart card-based digital certificates to ensure the certificates' security.
As a matter of their security policy, many organizations must issue
high-assurance certificates, such as smart card certificates. The reasons for
using smart card certificates vary. Perhaps a company wants to eliminate passwords
on its network. Or, maybe a company wants to increase other organizations' trust
levels by being able to certify that only the person listed in the certificate's
subject has control of the certificate's private key.
Microsoft's Identity Lifecycle Manager (ILM) 2007 lets you
define workflows for various management activities that occur
during a certificate's lifetime, to increase certificates' assurance
levels. These workflows ensure that your organization's written
security policies are implemented, which in turn increases other
organizations' trust in your certificates.
ILM 2007 comprises two previously existing products: Microsoft Identity Integration
Server (MIIS) 2003 and the recently acquired Alacris idNexus (also known as
Certificate Lifecycle Manager or CLM during its beta testing period). These
products are rebranded in ILM 2007 as the metadirectory and synchronization
facilities and the certificate management facilities.
In this article, I focus on ILM 2007's certificate management component. In
addition, I provide an example of how you can use this feature to increase the
assurance level of your certificates and ensure that predefined workflows are
followed when medium-assurance certificates are issued.
Metadirectory and Synchronization
The primary function of ILM 2007's metadirectory and synchronization facilities
is to provide provisioning and deprovisioning capabilities to the enterprise.
The synchronization facilities allow convergence of identity information in
all connected identity stores within an organization. ILM 2007 includes more
than 30 types of management agents (MAs) out of the box for many of the leading
directories, databases, email systems, mainframes, and line-of-business applications.
A new MA, the Certificate Lifecycle Manager 2007 Management Agent, allows synchronization
between the metadirectory and certificate management facilities. This MA lets
you issue certificates and smart cards to new users as part of the provisioning
process. In addition, when a user leaves the organization, the MA can ensure
that important certificates are revoked as part of the deprovisioning process.
Certificate Management
ILM 2007 certificate management is a policy- and workflow-driven, identity-assurance
management system that helps organizations manage the life cycle of both software-based
and smart card-based digital certificates. ILM 2007 certificate management lets
you define certificate management workflows that enforce an organization's policies
and increase the assurance levels of the certificates issued through the workflows.
For example, a business partner will likely feel more confident about the identity
of one of your employees if a face-to-face meeting with the employee occurred
during the certificate issuance process. ILM 2007 certificate management also
streamlines the provisioning, configuration, and management of digital certificates
and smart cards, while increasing security through strong, multifactor-authentication
technology. ILM 2007 certificate management integrates fully with both Microsoft
Certificate Services and Active Directory (AD), letting customers leverage their
existing infrastructure during the deployment.
Components. ILM 2007 certificate management includes two
mandatory components and two optional components. The two mandatory components
are the certificate management server and the Certification Authority (CA) modules.
- The ILM 2007 certificate management server is an ASP.NET application that
requires both Microsoft Internet Information Server (IIS) 6.0 and the Microsoft
.NET framework 2.0. The information that ILM 2007 certificate management server
collects can be stored in either a SQL Server 2005 SP1 or SQL Server 2000
SP4 database. The ILM 2007 certificate management server includes two Web
portals: a manager Web portal and a subscriber Web portal that are used during
certificate management workflows.
- The CA modules include both an exit module and a pluggable policy module.
The exit module allows ILM 2007 certificate management to capture all certificates
issued by a managed CA in the ILM 2007 certificate management database. The
policy module lets an organization modify certificate requests during processing
to allow better integration and management with ILM 2007 certificate management.
The two optional components of ILM 2007 certificate management are the ILM
2007 certificate management client software and the Bulk Enrollment Client.
- The ILM 2007 certificate management client software is required only if
you plan to issue and manage smart card-based certificates. The client software
installs an ActiveX control that lets the ILM 2007 certificate management
Web portal communicate with, write to, and manage smart cards.
- The Bulk Enrollment Client enables the printing and management of numerous
smart cards. The Bulk Enrollment Client requires installation of the ILM 2007
certificate management client software and DataCard's ID Works Enterprise
Identification Software. The ID Works software lets an organization define
the layout of a printed smart card and provides programmatic interfaces to
the smart card printers.
Profile templates. In ILM 2007 certificate management, profile
templates control the management of certificates. A profile template is a new
AD object (created through a schema modification) that enables the definition
of certificate management tasks. A profile template includes the following three
related components:
- One or more certificate templates, grouped together to allow enrollment,
revocation, or renewal in one operation. For example, if you choose to deploy
separate email signing and encryption certificates, both certificate templates
would be included in one profile template.
- Profile details that indicate whether a profile template is software-based
or smart card-based. (You can't combine software-based and smart card-based
certificates in one profile template.) If you're configuring a smart card
profile template, the profile details will include information about the smart
card middleware used, user PIN generation, and reuse settings.
- Management policies that define the workflows used to manage a certificate
through its entire life cycle. For each management policy, a separate workflow
is defined, including definitions of who performs management tasks during
the workflow. For example, you can designate different people to initiate
a smart card unblock request and to approve the unblock request. Table
1 shows the management policies available in ILM 2007 certificate management.
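As an added illustration, not ILM 2007's own code or API, the following Python model shows the kind of separation of duties a management policy expresses: a smart card unblock request must be initiated, approved and executed by principals holding the right role, and the approver may never be the same person who initiated the request. The policy name, principal names and role sets are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    INITIATED = "initiated"
    APPROVED = "approved"
    EXECUTED = "executed"


@dataclass(frozen=True)
class ManagementPolicy:
    """Who may perform each task in one workflow (constructed roles, not ILM's)."""
    name: str
    initiators: frozenset
    approvers: frozenset
    executors: frozenset


@dataclass
class Request:
    policy: ManagementPolicy
    subject: str                      # user whose smart card is being managed
    initiator: str
    state: State = State.INITIATED
    approver: Optional[str] = None
    audit: list = field(default_factory=list)   # (task, actor) trail


def initiate(policy: ManagementPolicy, subject: str, actor: str) -> Request:
    if actor not in policy.initiators:
        raise PermissionError(f"{actor} may not initiate {policy.name}")
    req = Request(policy, subject, actor)
    req.audit.append(("initiate", actor))
    return req


def approve(req: Request, actor: str) -> Request:
    if req.state is not State.INITIATED:
        raise ValueError("request is not awaiting approval")
    if actor not in req.policy.approvers:
        raise PermissionError(f"{actor} may not approve {req.policy.name}")
    if actor == req.initiator:   # separation of duties: no self-approval
        raise PermissionError("initiator cannot approve their own request")
    req.approver, req.state = actor, State.APPROVED
    req.audit.append(("approve", actor))
    return req


def execute(req: Request, actor: str) -> Request:
    if req.state is not State.APPROVED or actor not in req.policy.executors:
        raise PermissionError(f"{actor} may not execute {req.policy.name} now")
    req.state = State.EXECUTED
    req.audit.append(("execute", actor))
    return req
```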