May 30th – 31st, 2006, Sheraton Ottawa
Saleem Kanji, Technology Solutions Professional - Windows Server, Microsoft Corporation
Beta 1
Credential Management Overview
Introduction to CLM
CLM Architecture Overview
Demo
Question/Discussion
Business Drivers (diagram):
Regulatory Compliance: HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, Basel II, 21 CFR Part 11, HSPD-12, MITS Compliance
Opening Corporate Resources: Protecting IP, Improved Efficiencies, Competitive Advantage
Security and Risk Management: VPN Access, Secure Email
Management System 1
Management System 2
Management System 3
To address requirements: Deploy multiple disparate management systems
Cost and complexity increases as the range of authentication technologies extends
Authentication technologies (diagram): Digital Certificate, OTP, Mobile Devices, RFID Access Cards, Biometrics, Smart Cards, USB Tokens
Microsoft Certificate Lifecycle Manager is based on technologies acquired from Alacris in September 2005
Alacris was completely integrated into Microsoft and no longer exists as an independent corporation
Microsoft® Certificate Lifecycle Manager (CLM) is a digital identity management solution that helps Microsoft customers provision, manage and maintain digital certificates and smart card technologies to strengthen the security of their IT environments.
Single administration point for digital certificates and smart cards
Configurable policy-based workflows for common tasks:
Enroll/renew/update
Recover/card replacement
Revoke
Retire/disable smart card
Issue temporary/duplicate smart card
Personalize smart card
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services
Certificate Lifecycle Manager: Architectural overview
Physical Architecture and Component Architecture (diagram components): Microsoft Certificate Lifecycle Manager; Microsoft CAs / Microsoft Certificate Authority (CLM Policy Module, CLM Exit Module); End User (Internet Explorer, CLM Browser Control); Internet Information Server (CLM Web App, CLM AD Integration); Smart Card Middleware; SQL; AD; E-mail
Certificate Lifecycle Manager: .NET web application supporting administrative functionality
Provides access to both the Subscriber and Manager web portals
Leverages Active Directory (AD) ACLs for permissions and workflow definition
Windows Server 2003 Certificate Services Add-on: Extends default policy module functionality with advanced certificate request features
Replaces the default exit module for centralized auditing capabilities throughout the AD forest
CLM utilizes existing AD infrastructure: Storing CLM Profile Templates
Must provide Certificate Subscribers and Certificate Managers with appropriate access
Authentication: Uses AD user and group permissions to grant users rights; Configurable for Integrated User Authentication
Authorization: Provides CLM the ability to determine what a user can and cannot do within a session; All CLM permissions are based on ACLs provisioned with standard AD tools
Active Directory security groups can be created to allow users to access self-service components
The following permissions are available and can either be granted or denied:
CLM Audit
CLM Enroll
CLM Enrollment Agent
CLM Recover
CLM Renew
CLM Revoke
CLM Unblock
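As an added illustration (not CLM's own code), the following Python models how a user's CLM rights on a profile template fall out of AD-style ACLs: group membership, the seven permissions above, and an explicit Deny overriding an Allow. The directory, group names and ACL entries are constructed; the deny-over-allow rule is assumed from standard Windows DACL evaluation, where explicit Deny ACEs are checked before Allow ACEs.

```python
# Constructed model of CLM-style permissions resolved from AD ACLs.
# Added example, not CLM code. Assumes Windows DACL semantics: an explicit
# Deny ACE wins over an Allow ACE, and a user holds the union of the ACEs
# that name them directly or name one of their security groups.

CLM_PERMISSIONS = {"CLM Audit", "CLM Enroll", "CLM Enrollment Agent",
                   "CLM Recover", "CLM Renew", "CLM Revoke", "CLM Unblock"}

# Constructed directory: user -> AD security groups they belong to
GROUPS = {
    "alice": {"CLM Self-Service Users"},
    "bob":   {"CLM Self-Service Users", "Certificate Managers"},
    "carol": {"Certificate Managers", "Contractors"},
}

# Constructed ACL on one profile template: (trustee, access, permission)
PROFILE_TEMPLATE_ACL = [
    ("CLM Self-Service Users", "Allow", "CLM Enroll"),
    ("CLM Self-Service Users", "Allow", "CLM Renew"),
    ("Certificate Managers",   "Allow", "CLM Enrollment Agent"),
    ("Certificate Managers",   "Allow", "CLM Unblock"),
    ("Certificate Managers",   "Allow", "CLM Revoke"),
    ("Contractors",            "Deny",  "CLM Unblock"),
]


def is_permitted(user, permission, acl=PROFILE_TEMPLATE_ACL, groups=GROUPS):
    """True if `user` may perform `permission` on this template. Unknown
    users and anything not explicitly allowed resolve to denied."""
    if permission not in CLM_PERMISSIONS:
        raise ValueError("not a CLM permission: " + permission)
    trustees = {user} | groups.get(user, set())
    allowed = False
    for trustee, access, perm in acl:
        if trustee not in trustees or perm != permission:
            continue
        if access == "Deny":
            return False            # explicit deny wins outright
        allowed = True
    return allowed


def effective_permissions(user, acl=PROFILE_TEMPLATE_ACL, groups=GROUPS):
    """Every CLM permission the user ends up holding on this template."""
    return {p for p in CLM_PERMISSIONS if is_permitted(user, p, acl, groups)}
```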
Database Repository: Microsoft SQL Server 2000 SP3+ is required
Used for reporting and application-specific data
No user and role information is stored in the database
Authentication Settings: Mixed Mode
Deployment Models: Stand-alone server or coexist with CLM
Leverage existing enterprise database
For delivery of notifications and one-time passwords
Specify IP address or host name of a mail server capable of relaying SMTP messages
CLM uses anonymous relaying to send all outbound messages
Windows 2003 Server Enterprise Edition
Key Recovery
Issuance of v2 certificate templates
Communication with Certificate Authority
RPC for CA Manager access
CLM Policy Module:
Communicates with CLM
Controls the behavior of the CA in relation to CLM
The CLM Policy Module has a 'pluggable' architecture allowing additional modules to be plugged in to enhance functionality
CLM ships with 4 policy module add-ons out of the box
CLM Exit Module:
Records all CA activity to SQL
Provides robust logging and auditing in a central location
Windows 2003 PKI implements Certificate Templates to define the contents of issued certificates
Certificate Templates must have the appropriate permissions, allowing management by certificate managers and enrollment by certificate subscribers
Smart Card Self Service Control: ActiveX browser control plug-in allows for web-based smart card management
Smart Card Personalization Control: Integrates CLM with the smart card middleware
All communication secured using SSL
Provides advanced archived certificate escrow capabilities including secure key injection
Card PIN management
Java applet management
Include policies for each task that might be performed
Additional profile data included for smart card management
Can include templates issued from more than one CA
Profile Templates include one or more certificates managed as a single entity
Policy updates managed on a per-user basis by Active Directory (AD) groups
Contains necessary information to enforce policy across multiple certificates, users, and groups
Stored in AD and available across the forest
Profile Templates (diagram): Certificate Template(s); Management Policies, one per task (Enrollment, Recovery, etc.), each with a Work flow and Self-Service Data Collection; Smart Card Information (if needed)
Demo 1: Self Service Enrollment
User Authenticates to CLM Web Portal
User Requests Certificate Profile
Certificates Issued to User
(Diagram lane: Certificate Subscriber)
Demo 2: Self Service Requiring Approval
User Authenticates to CLM Web Portal
User Requests Certificate Profile
Certificate Administrator Approves Request
Email Sent to User with OTP1
User Completes Request & Issues Certificate
(Diagram lanes: Certificate Subscriber, Certificate Administrator, Automated Workflow)
Demo 3: Smart Card Issued by Enrollment Agent
Manager Requests a Smart Card for User
Certificate Administrator Issues Smart Card with Certificates & Random PIN
Certificate Administrator Creates an Unblock Request
Email Sent to User with OTP1
Email Sent to Manager with OTP2
User Completes Unblock Request & Resets PIN
(Diagram lanes: Certificate Subscriber, Manager, Certificate Administrator, Automated Workflow)
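The OTP-gated steps of Demo 2 (one OTP mailed to the user after approval) and Demo 3 (OTP1 to the user, OTP2 to the manager) can be modelled as a single request that completes only when every required party presents its code. This is an added Python example, not CLM code; the OTP format, lifetime and attempt limit are assumptions, as the deck specifies none.

```python
import hmac
import secrets
import time

# Constructed model of the OTP-gated steps in Demo 2 (one OTP, to the user)
# and Demo 3 (OTP1 to the user, OTP2 to the manager). Not CLM's own code.

OTP_TTL_SECONDS = 15 * 60   # assumed lifetime; the deck states none
MAX_ATTEMPTS = 5            # assumed lockout; guards the short OTP


class OtpGatedRequest:
    """A pending request that completes only when every required party
    presents the one-time password that was mailed to them."""

    def __init__(self, request_id, parties, now=None):
        self.request_id = request_id
        self.completed = False
        self.attempts_left = MAX_ATTEMPTS
        self.issued_at = time.time() if now is None else now
        # One OTP per party, e.g. {"user": ..., "manager": ...}
        self._otps = {p: secrets.token_hex(4) for p in parties}

    def otps_to_deliver(self):
        """One OTP per party, as handed to the SMTP relay; each goes to a
        different mailbox (why Demo 3 needs both user and manager)."""
        return dict(self._otps)

    def complete(self, presented, now=None):
        """presented: {party: otp}. Every required OTP must match, OTPs are
        valid once, and the whole request expires after OTP_TTL_SECONDS."""
        now = time.time() if now is None else now
        if self.completed:
            return False, "already completed"
        if self.attempts_left <= 0:
            return False, "locked"
        if now - self.issued_at > OTP_TTL_SECONDS:
            self._otps.clear()          # stale OTPs can never be replayed
            return False, "expired"
        missing = [p for p in self._otps if p not in presented]
        if missing:
            return False, "missing OTP from " + ", ".join(missing)
        for party, expected in self._otps.items():
            if not hmac.compare_digest(expected.encode(),
                                       str(presented[party]).encode()):
                self.attempts_left -= 1
                return False, "bad OTP for " + party
        self.completed = True
        self._otps.clear()              # single use
        return True, "ok"
```

Demo 2 is `OtpGatedRequest(id, ["user"])`; Demo 3 is `OtpGatedRequest(id, ["user", "manager"])`, and the unblock cannot finish with only the user's OTP1.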
Release Schedule
CLM Beta 1: Released
CLM Beta 2: Q3 / CY06
CLM RTM: Q1 / CY07
Additional Information
http://www.microsoft.com/clm
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.