May 30th – 31st, 2006, Sheraton Ottawa

Microsoft Certificate Lifecycle Manager
Saleem Kanji, Technology Solutions Professional - Windows Server, Microsoft Corporation
Beta 1

Agenda
- Credential Management Overview
- Introduction to CLM
- CLM Architecture Overview
- Demo
- Question/Discussion
Credential Management: Customer requirements
Business drivers:
- Regulatory Compliance: HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, Basel II, 21 CFR Part 11, HSPD-12, MITS Compliance
- Opening Corporate Resources
- Protecting IP
- Improved Efficiencies
- Competitive Advantage
- Security and Risk Management
- Secure VPN Access

Credential Management: Current solutions
- To address requirements, organizations deploy multiple disparate management systems
- Cost and complexity increase as the range of authentication technologies extends
(Diagram: Management System 1, 2 and 3 alongside the authentication technologies in use: Digital Certificate, OTP, Mobile Devices, RFID Access Cards, Biometrics, Smart Cards, USB Tokens)
The Alacris Acquisition
- Microsoft Certificate Lifecycle Manager is based on technologies acquired from Alacris in September 2005
- Alacris was completely integrated into Microsoft and no longer exists as an independent corporation

Certificate Lifecycle Manager
Microsoft® Certificate Lifecycle Manager (CLM) is a digital identity management solution that helps Microsoft customers provision, manage and maintain digital certificates and smart card technologies to strengthen the security of their IT environments.

Certificate Lifecycle Manager: Functional overview
- Single administration point for digital certificates and smart cards
- Configurable policy-based workflows for common tasks
  - Enroll/renew/update
  - Recover/card replacement
  - Revoke
  - Retire/disable smart card
  - Issue temporary/duplicate smart card
  - Personalize smart card
- Detailed auditing and reporting
- Support for both centralized and self-service scenarios
- Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services

Certificate Lifecycle Manager: Architectural overview
(Diagram. Physical architecture: End User, Internet Information Server, Microsoft CAs, SQL, AD. Component architecture: Internet Explorer, CLM Browser Control, Smart Card Middleware, CLM Web App, CLM AD Integration, CLM Policy Module, CLM Exit Module, Microsoft Certificate Authority.)
Certificate Lifecycle Manager: Server-side components
- Certificate Lifecycle Manager .NET web application supporting administrative functionality
  - Provides access to both the Subscriber and Manager web portals
  - Leverages Active Directory (AD) ACLs for permissions and workflow definition
- Windows Server 2003 Certificate Services add-on
  - Extends default policy module functionality with advanced certificate request features
  - Replaces the default exit module for centralized auditing capabilities throughout the AD forest

Solution Components: Windows Active Directory
- CLM utilizes existing AD infrastructure
  - Storing CLM Profile Templates
  - Must provide Certificate Subscribers and Certificate Managers with appropriate access
- Authentication
  - Uses AD user and group permissions to grant users rights
  - Configurable for Integrated User Authentication
- Authorization
  - Provides CLM the ability to determine what a user can and cannot do within a session
  - All CLM permissions are based on ACLs provisioned with standard AD tools

Solution Components: AD extended rights
- Active Directory security groups can be created to allow users to access self-service components
- The following permissions are available and can either be granted or denied:
  - CLM Audit
  - CLM Enroll
  - CLM Enrollment Agent
  - CLM Recover
  - CLM Renew
  - CLM Revoke
  - CLM Unblock

Solution Components: Microsoft SQL Server
- Database Repository
  - Microsoft SQL Server 2000 SP3 or later is required
  - Used for reporting and application-specific data
  - No user and role information is stored in the database
- Authentication Settings: Mixed Mode
- Deployment Models
  - Stand-alone server or coexist with CLM
  - Leverage existing enterprise database

Solution Components: SMTP services
- For delivery of notifications and one-time passwords
- Specify the IP address or host name of a mail server capable of relaying SMTP messages
- CLM uses anonymous relaying to send all outbound messages

Solution Components: Windows Certificate Services
- Windows Server 2003 Enterprise Edition
  - Key Recovery
  - Issuance of v2 certificate templates
- Communication with the Certificate Authority
  - CLM Policy Module
  - CLM Exit Module
  - RPC for CA Manager access

Solution Components: CLM Policy Module
- Communicates with CLM
- Controls the behavior of the CA in relation to CLM
- The CLM Policy Module has a 'pluggable' architecture allowing additional modules to be plugged in to enhance functionality
- CLM ships with 4 policy module add-ons out of the box

Solution Components: CLM Exit Module
- Records all CA activity to SQL
- Provides robust logging and auditing in a central location

Solution Components: Certificate templates
- Windows 2003 PKI implements Certificate Templates to define the contents of issued certificates
- Certificate Templates must have the appropriate permissions, allowing management by certificate managers and enrollment by certificate subscribers

Solution Components: Certificate Lifecycle Manager Client
- Smart Card Self Service Control
  - ActiveX browser control plug-in allows for web-based smart card management
- Smart Card Personalization Control
  - Integrates CLM with the smart card middleware
- All communication secured using SSL
- Provides advanced archived certificate escrow capabilities including secure key injection
- Card PIN management
- Java applet management

Certificate Lifecycle Manager: Profile templates
- Include policies for each task that might be performed
- Additional profile data included for smart card management
- Can include templates issued from more than one CA
- Profile Templates include one or more certificates managed as a single entity
- Policy updates managed on a per-user basis by Active Directory (AD) groups
- Contain the necessary information to enforce policy across multiple certificates, users, and groups
- Stored in AD and available across the forest
(Diagram: a Profile Template is made up of Certificate Template(s), Management Policies (Enrollment, Recovery, etc., each with Workflow and Self-Service Data Collection settings) and Smart Card Information (if needed))
Demo 1: Self Service Enrollment
1. User authenticates to CLM Web Portal (Certificate Subscriber)
2. User requests Certificate Profile
3. Certificates issued to User

Demo 2: Self Service Requiring Approval
1. User authenticates to CLM Web Portal (Certificate Subscriber)
2. User requests Certificate Profile
3. Certificate Administrator approves request
4. Automated Workflow: sent to User with OTP1
5. User completes request & issues certificate

Demo 3: Smart Card Issued by Enrollment Agent
1. Manager requests a Smart Card for User
2. Certificate Administrator (Enrollment Agent) issues Smart Card with certificates & random PIN
3. Certificate Administrator creates an Unblock Request
4. Automated Workflow: sent to User with OTP1; sent to Manager with OTP2
5. User completes Unblock Request & resets PIN
(Roles in the diagram: Certificate Subscriber, Manager, Certificate Administrator, Automated Workflow)
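The split-OTP unblock flow from Demo 3, modelled as an added example (not CLM's own implementation): one OTP goes to the subscriber and a second to the manager, and the PIN reset is only accepted once both have been proved. The participant names, the 8-digit OTP format, the 15-minute lifetime and the rule that both OTPs are required are assumptions of this example.

```python
"""Constructed model of a two-party smart card unblock workflow (Demo 3 style)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 15 * 60  # assumed policy value, not a CLM setting


@dataclass
class UnblockRequest:
    subscriber: str
    manager: str
    created: float = field(default_factory=time.time)
    otps: dict = field(default_factory=dict)     # recipient -> outstanding OTP
    verified: set = field(default_factory=set)   # recipients who proved their OTP
    completed: bool = False


def create_unblock_request(subscriber: str, manager: str) -> UnblockRequest:
    """Administrator step: mint one OTP per recipient (OTP1 -> user, OTP2 -> manager)."""
    req = UnblockRequest(subscriber, manager)
    for recipient in (subscriber, manager):
        req.otps[recipient] = f"{secrets.randbelow(10**8):08d}"  # assumed 8-digit format
    return req


def present_otp(req: UnblockRequest, recipient: str, otp: str, now: float = None) -> bool:
    """A recipient proves possession of their OTP; each OTP is single-use and time-limited."""
    now = time.time() if now is None else now
    if req.completed or recipient not in req.otps:
        return False                      # unknown recipient, or OTP already consumed
    if now - req.created > OTP_TTL_SECONDS:
        return False                      # expired request
    if not hmac.compare_digest(req.otps[recipient], otp):
        return False                      # constant-time mismatch check
    req.verified.add(recipient)
    del req.otps[recipient]               # burn the OTP so it cannot be replayed
    return True


def complete_unblock(req: UnblockRequest, new_pin: str) -> bool:
    """Subscriber step: reset the PIN only after both parties have proved their OTP."""
    if req.completed or req.verified != {req.subscriber, req.manager}:
        return False
    if not (new_pin.isdigit() and 6 <= len(new_pin) <= 8):  # assumed PIN policy
        return False
    req.completed = True
    return True
```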
Release Schedule
- CLM Beta 1: Released
- CLM Beta 2: Q3 / CY06
- CLM RTM: Q1 / CY07

Additional Information

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.