Forefront Identity Management – Certificate Management (FIM CM 2010) – Part 2

FIM CM Components

FIM CM is a portal that runs under its own application pool identity. Configuration of the product is done by editing the web.config file (located at c:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web). Knowledge of the sections in the web.config file is required for FIM CM administration.

FIM CM uses its own database (the default database name is FIMCertificateManagement), which is created by the initial configuration wizard when you first install FIM CM on your server. FIM CM uses its application pool identity for database access. A new SQL role named clmapp is introduced and should be granted to the FIM CM application pool identity. The FIM CM database contains information about smart cards and their admin keys.

FIM CM also stores profile template data in the configuration partition of Active Directory. The DACLs on those profile templates determine part of the authorization model within FIM CM.

FIM CM also has its own Service Connection Point (SCP) under the System container in AD. Permissions on the SCP determine whether users are allowed to log on to the FIM CM admin portal or user portal.

The FIM CM portal comes in two modes: user mode, in which end users enrolled with certificates can view their digital identity information or request new certificates, and admin mode, in which FIM CM admins perform their management tasks. Permissions on the SCP control which mode can be accessed.

As part of the FIM CM installation, the AD schema is extended to include new FIM CM permissions (CLM Audit, CLM Request Enroll, …).

Note: You can place the FIM CM database on a backend SQL server or on the same server as the FIM CM server. In all cases, I recommend hosting the FIM CM database on a dedicated SQL server that doesn't host any other database. The reason is that you don't want your company's SQL administrators to have high privileges on this database, as it contains sensitive information.
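A quick way to audit the access model described above (the clmapp role granted only to the application pool identity, and the database not exposed to extra administrators) is to list who holds the clmapp and db_owner roles in the FIMCertificateManagement database and who is sysadmin on the instance. This T-SQL is an added example, not part of the original post or the product; the database and role names come from the text, and the expected single clmapp member is whatever account your FIM CM application pool runs as.

```sql
-- Added example: review who can reach the FIM CM database.
-- Run in SQL Server Management Studio or sqlcmd against the FIM CM instance.
USE FIMCertificateManagement;
GO

-- 1. Database-level: members of the clmapp role (should be only the
--    FIM CM application pool identity) and of db_owner (ideally nobody
--    beyond the account that ran the configuration wizard).
SELECT  r.name      AS role_name,
        m.name      AS member_name,
        m.type_desc AS member_type
FROM    sys.database_role_members AS drm
JOIN    sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE   r.name IN ('clmapp', 'db_owner')
ORDER BY r.name, m.name;

-- 2. Server-level: sysadmin members can read every database on the
--    instance, including the smart card admin keys stored here. On a
--    dedicated FIM CM SQL server this list should be very short.
SELECT  sr.name AS server_role,
        sm.name AS login_name,
        sm.type_desc AS login_type
FROM    sys.server_role_members AS srm
JOIN    sys.server_principals   AS sr ON sr.principal_id = srm.role_principal_id
JOIN    sys.server_principals   AS sm ON sm.principal_id = srm.member_principal_id
WHERE   sr.name = 'sysadmin'
ORDER BY sm.name;
```

Any clmapp member other than the application pool identity, or any sysadmin login that belongs to a general-purpose DBA group, is worth following up before the database goes into production.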

FIM CM communicates heavily with:

  • Active Directory: for authentication, authorization, and profile template configuration.
  • SQL Database: to store information, especially smart card information and admin keys.
  • CA: one or more CA servers, to request certificates or revoke existing ones.
  • Mail Server: to send notifications, if configured.
