Installing and Configuring the FIM CM Client
Applies To: Forefront Identity Manager 2010
The Microsoft® Forefront® Identity Manager Certificate Management (FIM CM) client assists in client-side, smart card management activities such as changing the personal identification number (PIN) on a smart card. A computer that runs this software is known as a FIM CM client. You must install a FIM CM client to deploy smart cards, but not to deploy software-based certificates.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
Audience
This document is intended for information technology (IT) planners, systems administrators, system architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.
Prerequisite Knowledge
This document assumes that you have a basic understanding of the following IT tasks:
Installing software on client computers.
Basic knowledge of registry editing.
Time Requirements
The procedures in this document take about 90 minutes to complete.
What This Document Covers
The following topics describe how to install and configure the FIM CM client:
Hardware and Software Requirements for the FIM CM Client
Installing the FIM CM Client
Secure Session Settings for the FIM CM Client
Setting Smart Card PIN Rules for the FIM CM Client
AllowPrivateExchangeKeyImport and AllowPrivateSignatureKeyImport
Hardware and Software Requirements for the FIM CM Client
Table 1 shows the hardware and software requirements for the FIM CM client.
Table 1: Hardware and software requirements

| Component | Requirement |
|---|---|
| Operating system | The FIM CM client components are designed for computers running the 32-bit editions of Windows XP, Windows Vista Enterprise, Windows Vista Ultimate and Windows 7, and the 64-bit editions of Windows Vista Enterprise, Windows Vista Ultimate and Windows 7. Important: install the 64-bit components on clients running a 64-bit edition only when 64-bit middleware and 64-bit Internet Explorer are used. On 64-bit editions of Windows Vista and Windows 7 the default Internet Explorer edition is 32-bit; install the 32-bit components when using 32-bit middleware and the 32-bit edition of Internet Explorer. The client components must match the bitness of the browser process that loads them. |
| Internet Explorer | Because FIM CM requires Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for administrative traffic and certificates, Microsoft Internet Explorer 6.x or later is required. FIM CM has advanced scripting features that are optimized for Internet Explorer. Internet Explorer 7 and Internet Explorer 8 are also supported. |
| Middleware | Microsoft Base Smart Card Cryptographic Provider, a cryptographic service provider (CSP), with a vendor-specific minidriver, or a legacy CSP with middleware that exposes a Public-Key Cryptography Standards (PKCS) #11 module. See the following Knowledge Base article for additional information about the Microsoft Base CSP and links to the download: Description of the Software Update for Base Smart Card Cryptographic Service Provider (https://go.microsoft.com/fwlink/?LinkID=161161). You must obtain the middleware from a vendor other than Microsoft. For a list of supported middleware, see the Release Notes for Forefront Identity Manager 2010. |
| Smart card reader and one or more smart cards compatible with the FIM CM client | Required only if you implement smart card certificates. For information about smart card compatibility with the FIM CM client, contact your smart card vendor. |
Installing the FIM CM Client
Important
Do not perform any smart card management activities until after you install the FIM CM client.
Note
The FIM CM client depends on the supported smart card middleware or a smart card minidriver and smart card module. Before you use the FIM CM client to perform the smart card operations, you must install the required middleware. For more information, see Hardware and Software Requirements for the FIM CM Client.
Configuring the FIM CM client involves three steps:
Install the client on each computer where you want to use the FIM CM client.
Add the FIM CM Portal to the Trusted Sites zone on each FIM CM client computer.
Turn on automatic prompting for file downloads.
To install the FIM CM client
From the FIM CM installation CD, run CM Client.msi.
The CM Client.msi file is located at [CDDrive]\CMClient\.
On the Welcome to the Forefront Identity Manager CM Client Setup Wizard page, click Next.
On the End-user License Agreement page, read the license agreement, select I accept the terms in the license agreement, and then click Next.
On the Custom Setup page, select the components to install, and then click Next.
On the Configure CM Client page, enter the list of sites used by your FIM 2010 installations, and then select an option to configure your Trusted Sites settings in Internet Explorer.
Important
If you are installing the FIM CM client on a computer that is running Internet Explorer 7, you must add this list of sites to Trusted Sites.
On the Install Forefront Identity Manager CM Client page, click Install.
On the Completed the Forefront Identity Manager CM Client Setup Wizard page, click Finish.
On each computer where you want to access the FIM CM Portal, you must add the FIM CM Portal to the Trusted Sites Web content security zone in Internet Explorer.
Note
Because the FIM CM Portal enforces the use of trusted sites, it does not function correctly if you do not add the FIM CM Portal to Trusted Sites.
To add the FIM CM Portal to Trusted Sites in Internet Explorer
Warning
The following procedure is only needed for Internet Explorer 7.
In Internet Explorer, on the Tools menu, click Internet Options.
In Internet Options, click the Security tab, click Trusted Sites, and then click Sites.
In Trusted Sites, type the address of the FIM CM Portal, and then click Add.
Click Close, and then click OK.
The default configuration for Trusted Sites prompts the user before loading controls that are not marked safe for scripting. Because the FIM CM client control is not marked safe for scripting, you must enable Initialize and script ActiveX controls not marked as safe for scripting for the Trusted Sites zone if you do not want Internet Explorer to prompt users when the control loads. This setting applies to every site in the zone, not only to the FIM CM Portal, so keep the Trusted Sites list limited to sites you actually trust to script arbitrary controls.
To export comma-delimited report data from Internet Explorer, you must enable the Automatic prompting for file downloads setting. With this setting enabled, Internet Explorer prompts you when you export the report.
To enable export of comma-delimited report data
In Internet Explorer, on the Tools menu, click Internet Options.
In Internet Options, click the Security tab, and then select the zone that contains the FIM CM Portal (Trusted Sites, if you added the portal there). Zone settings are per zone, so enabling the setting for the Internet zone has no effect on a portal that runs in Trusted Sites.
Under Security level for this zone, click Custom Level.
In Security Settings, under Downloads, click Enable for Automatic prompting for file downloads, and then click OK.
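The following PowerShell is an added example, not part of the FIM CM documentation and not FIM CM's own tooling. It performs the install, Trusted Sites and download-prompt steps above without the wizard, for one user profile. The MSI path, the portal URL and the variable and value names are assumptions; the Internet Explorer zone-map layout and the per-zone action IDs 1201 and 2200 are the registry locations behind the dialog settings named in the text.

```powershell
# Added example, not from the FIM CM documentation. Assumptions (hypothetical):
# the MSI is at D:\CMClient\CM Client.msi, the portal is https://fimcm.contoso.com,
# and the portal host is an FQDN under a two-label registrable domain. Run elevated.
$MsiPath   = 'D:\CMClient\CM Client.msi'
$PortalUrl = 'https://fimcm.contoso.com/CertificateManagement/'
$SuppressActiveXPrompt = $false   # $true = no prompt when the not-safe-for-scripting client control loads

# 1. Silent install with a verbose log; exit code 3010 means installed, reboot required.
$log = Join-Path $env:TEMP 'CMClient-install.log'
$p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
        -ArgumentList "/i `"$MsiPath`" /qn /norestart /l*v `"$log`""
if ((0, 3010) -notcontains $p.ExitCode) {
    throw "CM Client.msi failed with exit code $($p.ExitCode); see $log"
}

# 2. Map the portal host to the Trusted Sites zone (zone 2) for the current user.
#    Internet Explorer stores this as ZoneMap\Domains\<domain>\<host>, holding a
#    DWORD named after the URL scheme whose data is the zone number.
$uri      = [Uri]$PortalUrl
$labels   = $uri.Host.Split('.')
$domain   = if ($labels.Count -ge 2) { $labels[-2] + '.' + $labels[-1] } else { $labels[0] }
$hostPart = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
$zoneKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
if ($hostPart) { $zoneKey = "$zoneKey\$hostPart" }
New-Item -Path $zoneKey -Force | Out-Null
Set-ItemProperty -Path $zoneKey -Name $uri.Scheme -Value 2 -Type DWord   # 2 = Trusted Sites

# 3. Per-zone settings for Trusted Sites. Action IDs: 2200 = "Automatic prompting for
#    file downloads", 1201 = "Initialize and script ActiveX controls not marked as safe
#    for scripting". Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$zone2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Set-ItemProperty -Path $zone2 -Name '2200' -Value 0 -Type DWord   # required for CSV report export
# Prompt is the Trusted Sites default; only drop to Enable if the prompt is unacceptable,
# because it then applies to every site in the zone, not only the FIM CM Portal.
$activeX = if ($SuppressActiveXPrompt) { 0 } else { 1 }
Set-ItemProperty -Path $zone2 -Name '1201' -Value $activeX -Type DWord

# 4. Read back what Internet Explorer will see.
Get-ItemProperty -Path $zone2 | Select-Object '1201', '2200'
Get-ItemProperty -Path $zoneKey
```

The zone mapping is written under HKCU, so it affects only the user running the script; for a fleet, deliver the same values through Group Policy. If the Site to Zone Assignment List policy is enforced, Internet Explorer ignores user-written ZoneMap entries and the portal must be added to the policy list instead. The two-label domain split is a simplification that does not handle suffixes such as co.uk.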
Secure Session Settings for the FIM CM Client
By default, the FIM CM client encrypts all data that it transmits to the FIM CM server. The client first tries the Advanced Encryption Standard (AES) 128 algorithm; if AES 128 is unavailable, it falls back to the Triple Data Encryption Algorithm (TDEA, 3DES). If neither algorithm is available, the FIM CM client also tries the CSP named Microsoft Enhanced RSA and AES Cryptographic Provider.
You can override this default by selecting a different CSP and encryption algorithm in the registry.
Encryption configuration options
To configure an encryption algorithm, create two registry values under the key HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient\. Table 2 shows these values; both must be present for the override to take effect.
Table 2: Encryption registry values

| Registry value | Description |
|---|---|
| CSP | Names the CSP. The value type is REG_SZ, and the data is the name of the CSP exactly as it is registered under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. |
| AlgID | Identifies the encryption algorithm. The value type is REG_DWORD. For the data, see Table 3. |

Table 3: Encryption algorithms and values for the AlgID registry value

| Encryption algorithm | DWORD value |
|---|---|
| 3DES | 9 or 3 |
| AES_128 | 14 |
| AES_192 | 15 |
| AES_256 | 16 |

These numbers match the CryptoAPI algorithm sub-identifiers (ALG_SID_3DES = 3, ALG_SID_3DES_112 = 9, ALG_SID_AES_128 = 14, ALG_SID_AES_192 = 15, ALG_SID_AES_256 = 16). Value 9 therefore selects two-key, 112-bit 3DES; prefer 3 or one of the AES values.
Secure session validation
You can use the session validation options to control whether the FIM CM client checks the revocation status of the FIM CM server certificate when it establishes the secure session.
Note
By default, the FIM CM client does not check revocation status. With the default setting a server whose certificate has been revoked, for example after a key compromise, still passes validation on the client. Set a value of 1 or 2 on production clients, and confirm beforehand that the CRL distribution points or OCSP responders named in the server certificate are reachable from the client network, because an unreachable revocation source may also cause the check to fail.
To specify whether the FIM CM client checks revocation status, create a REG_DWORD value named SessionCertValidation under the key HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient\. Table 4 shows the data you can use to specify how the Certificate Management (CM) server certificate is checked.
Table 4: Revocation checks and associated values for SessionCertValidation

| Revocation check | DWORD value |
|---|---|
| No check (default) | 0 |
| Check end certificate | 1 |
| Check entire certificate chain | 2 |
| Check entire certificate chain minus root | 4 |
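As an added example that is not part of the FIM CM documentation, the following PowerShell writes the three values from Tables 2 to 4 and reads them back. The CSP name is the one the text names; selecting AES_256 and full-chain revocation checking is this example's recommendation rather than a documented default, and the function and parameter names are hypothetical. The check that the CSP is registered catches a misspelled CSP name, which would otherwise silently leave the client on its built-in fallback.

```powershell
# Added example, not from the FIM CM documentation. Run from an elevated prompt.
function Set-FimCmSecureSession {
    param(
        [string]$Csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider',
        [ValidateSet('3DES', 'AES_128', 'AES_192', 'AES_256')]
        [string]$Algorithm = 'AES_256',
        [ValidateSet('None', 'EndCertificate', 'Chain', 'ChainExcludeRoot')]
        [string]$RevocationCheck = 'Chain'
    )
    # Table 3 AlgID data. Table 3 also lists 9 for 3DES; 3 is used here.
    $algId = @{ '3DES' = 3; 'AES_128' = 14; 'AES_192' = 15; 'AES_256' = 16 }
    # Table 4 SessionCertValidation data.
    $revocation = @{ 'None' = 0; 'EndCertificate' = 1; 'Chain' = 2; 'ChainExcludeRoot' = 4 }

    # CSPs are registered under this key; a name that is not present here cannot be loaded.
    $cspKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$Csp"
    if (-not (Test-Path $cspKey)) { throw "CSP '$Csp' is not registered on this computer." }

    $key = 'HKLM:\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # CSP is REG_SZ; AlgID and SessionCertValidation are REG_DWORD.
    Set-ItemProperty -Path $key -Name 'CSP'   -Value $Csp -Type String
    Set-ItemProperty -Path $key -Name 'AlgID' -Value $algId[$Algorithm] -Type DWord
    Set-ItemProperty -Path $key -Name 'SessionCertValidation' -Value $revocation[$RevocationCheck] -Type DWord

    # Return what the client will read the next time it starts a session.
    Get-ItemProperty -Path $key | Select-Object CSP, AlgID, SessionCertValidation
}

# Usage: AES-256 over the Enhanced RSA and AES provider, full-chain revocation checking.
Set-FimCmSecureSession -Algorithm AES_256 -RevocationCheck Chain
```

Before rolling out a non-zero SessionCertValidation value, test from a client on each network segment, so that a CRL or OCSP endpoint blocked by a firewall shows up in the lab rather than as failed sessions in production.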
Setting Smart Card PIN Rules for the FIM CM Client
The following table shows the PIN rules for a smart card managed by the FIM CM client. The PIN rules are stored as values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\PinRules.
Note
The FIM CM client enforces a PIN rule only if the corresponding registry value is present.
Table 5: PIN rules and sample registry values

| PIN rule | Type | Sample value | Description |
|---|---|---|---|
| MaxPinLength | DWORD | 00000008 | Maximum length allowed for the PIN. When the smart card uses PKCS #11 middleware, the FIM CM client can read this value from the card; otherwise it takes the value from this rule. FIM CM enforces an upper bound of 14 whether or not this value is present. Important: PKCS #11 cards also have their own internal rules, which take precedence over those of FIM CM. |
| MinPinLength | DWORD | 00000004 | Minimum length allowed for the PIN. When the smart card uses PKCS #11 middleware, the FIM CM client can read this value from the card; otherwise it takes the value from this rule. FIM CM enforces a lower bound of 4 whether or not this value is present. Important: PKCS #11 cards also have their own internal rules, which take precedence over those of FIM CM. |
| MaxRepeatChar | DWORD | 00000000 | Maximum number of consecutive, repeated characters allowed in the PIN, for example 11111 or ssssss. |
| MaxSortedSequenceChar | DWORD | 00000002 | Maximum length of a sorted character sequence allowed in the PIN, for example 1234 or abcde. |
| PinHistory | DWORD | 00000003 | Length of the PIN history, which is stored as a sequence of hashes on the smart card. Configuring a PIN history helps prevent dictionary attacks, since the larger encrypted set makes it more difficult to guess the decryption key (the PIN). During initial provisioning the FIM CM client ignores the smart card PIN history, so a PIN selected by a user might match the initial smart card PIN because the client has no previous history on the card. The PIN history algorithm has the following characteristics: |
| MinUppercase | DWORD | 00000001 | Minimum number of uppercase characters required in the PIN. Also acts as the allowance for uppercase characters; see the note on character set rules below this table. |
| MinLowercase | DWORD | 00000001 | Minimum number of lowercase characters required in the PIN. Also acts as the allowance for lowercase characters; see the note below. |
| MinNumeric | DWORD | 00000001 | Minimum number of numeric characters required in the PIN. Also acts as the allowance for numeric characters; see the note below. |
| MinSpecial | DWORD | 00000000 | Minimum number of special characters required in the PIN. Special characters are printable ASCII characters that are not letters or digits. Also acts as the allowance for special characters; see the note below. |
| Filter | String (REG_SZ) | ([a-zA-Z0-9]*) | A pattern that restricts or allows alphabetic, alphanumeric and printable characters (uppercase and lowercase) in the PIN. Also acts as a character set rule; see the note below. |

Character set rules (MinUppercase, MinLowercase, MinNumeric, MinSpecial and Filter) are all-or-nothing. If the PIN rules contain no character set rule, the FIM CM client places no restriction on which characters may appear in the PIN. As soon as any character set rule is present, the client implicitly disallows every other character class unless a rule explicitly turns that class on. For example, with MinUppercase, MinLowercase and MinNumeric set and MinSpecial absent, a PIN containing a special character is rejected even though no rule mentions special characters. When a rule only specifies an allowance, the FIM CM client displays no corresponding user interface notification; the PIN dialog boxes show restriction rules only.
Considering security for PIN rules
Consider protecting the smart card PIN rule registry keys as soon as you create them. To do so, we recommend that you configure access control lists (ACLs), and then audit write operations for the registry keys.
To configure ACLs on PIN rule registry data
To open the Registry Editor, click Start, click Run, type regedit, and then click OK.
In the Registry Editor, select the FIM CM client registry key that you want to configure.
For a list of available registry keys, see Setting Smart Card PIN Rules for the FIM CM Client.
Right-click the registry key, and then select Permissions.
In Permissions, assign permissions for existing users or groups, or to add a user or group for which to assign permissions, click Add.
To turn on auditing for write operations on registry keys
To open the Registry Editor, click Start, click Run, type regedit, and then click OK.
In the Registry Editor, select the registry key that you want to configure.
For a list of available registry keys, see Setting Smart Card PIN Rules for the FIM CM Client.
Right-click the registry key, and then select Permissions.
In Permissions, click Advanced, and then click the Auditing tab.
On the Auditing tab, click Add.
In Select User or Group, select the specific user or group to audit when you are prompted, and then click OK.
We recommend that you select a group that covers all users, for example Everyone. At a minimum, audit the Set Value permission, which is the right needed to change a rule's data; adding Create Subkey and Delete also records rules being added or removed. Audit entries produce events only if the Audit object access policy (Audit Registry under Advanced Audit Policy) is enabled on the computer.
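The following PowerShell is an added example, not part of the FIM CM documentation. It creates the PinRules values with the sample data from Table 5, then applies the ACL and auditing that the two procedures above describe. The permission model (SYSTEM and Administrators full control, Users read-only, inheritance removed, Everyone audited for writes) is this example's assumption; the FIM CM client only needs to read the rules, and anyone who can write them can weaken the PIN policy for every card managed from that computer.

```powershell
# Added example, not from the FIM CM documentation. Run elevated; writing the SACL
# requires SeSecurityPrivilege, which an elevated administrator holds.
$key = 'HKLM:\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient\PinRules'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Sample values from Table 5. The character-set rules are all-or-nothing: once any of
# MinUppercase, MinLowercase, MinNumeric, MinSpecial or Filter exists, every character
# class that no rule explicitly allows is rejected.
$rules = @{
    MaxPinLength = 8; MinPinLength = 4; MaxRepeatChar = 0; MaxSortedSequenceChar = 2
    PinHistory = 3; MinUppercase = 1; MinLowercase = 1; MinNumeric = 1; MinSpecial = 0
}
foreach ($name in $rules.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $rules[$name] -Type DWord
}
Set-ItemProperty -Path $key -Name 'Filter' -Value '([a-zA-Z0-9]*)' -Type String   # REG_SZ

# DACL: stop inheriting from SmartCardClient, then grant explicitly.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$none    = [System.Security.AccessControl.PropagationFlags]::None
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$acl = Get-Acl -Path $key
$acl.SetAccessRuleProtection($true, $false)   # protect; do not copy inherited entries
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $id, $full, $inherit, $none, 'Allow'))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList 'BUILTIN\Users', $read, $inherit, $none, 'Allow'))
Set-Acl -Path $key -AclObject $acl

# SACL: audit successful and failed writes by Everyone. SetValue changes a rule's data;
# CreateSubKey and Delete cover rules being added or removed.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$both        = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$acl = Get-Acl -Path $key -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList 'Everyone', $writeRights, $inherit, $none, $both))
Set-Acl -Path $key -AclObject $acl

# Show the resulting DACL and SACL for review.
Get-Acl -Path $key -Audit | Format-List Owner, AccessToString, AuditToString
```

The SACL generates events only when the Registry subcategory of Object Access auditing is enabled, for example with `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`; a change to a rule then appears in the Security log as event 4657 (registry value modified) with the account that made it, which is what a detection rule for tampering with smart card PIN policy should key on.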
AllowPrivateExchangeKeyImport and AllowPrivateSignatureKeyImport
The ability to import encryption certificates and their associated private keys onto a smart card that uses the Microsoft Base Smart Card CSP is controlled through registry settings. Such an import is required, for example, by the Duplicate, Replace and Temporary card workflows when the profile template includes an encryption certificate.
To allow the import of encryption certificates and their associated private keys, set the following two REG_DWORD values to 1. The key that holds them depends on the bitness of the FIM CM client and of the operating system:
32-bit client on a 32-bit operating system:
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport (REG_DWORD) = 1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport (REG_DWORD) = 1
64-bit client on a 64-bit operating system:
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport (REG_DWORD) = 1
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport (REG_DWORD) = 1
32-bit client on a 64-bit operating system (the values live in the Wow6432Node view of HKLM\SOFTWARE, which is what a 32-bit process sees):
HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport (REG_DWORD) = 1
HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport (REG_DWORD) = 1
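As an added example that is not part of the FIM CM documentation, the following PowerShell sets the two Base CSP import values in the registry view that matches the client's bitness and reads them back. The function and parameter names are hypothetical. The bitness handling is the part worth getting right: a 32-bit PowerShell on 64-bit Windows is itself redirected to Wow6432Node when it writes HKLM\SOFTWARE, so the Wow6432Node path must be added explicitly only from a 64-bit process.

```powershell
# Added example, not from the FIM CM documentation. Run from an elevated prompt.
function Enable-BaseCspPrivateKeyImport {
    param(
        [switch]$ClientIs32Bit,             # the 32-bit FIM CM client is installed
        [switch]$SkipSignatureKeyImport     # leave AllowPrivateSignatureKeyImport unchanged
    )
    $relative  = 'Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
    $os64      = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
    $proc64    = [IntPtr]::Size -eq 8

    if ($os64 -and -not $ClientIs32Bit -and -not $proc64) {
        # A 32-bit shell would be redirected into Wow6432Node and miss the 64-bit client's view.
        throw 'Configuring the 64-bit client requires a 64-bit PowerShell process.'
    }
    # Only a 64-bit process must spell out Wow6432Node to reach the 32-bit view.
    $needWow = $os64 -and $ClientIs32Bit -and $proc64
    $key = if ($needWow) { "HKLM:\SOFTWARE\Wow6432Node\$relative" } else { "HKLM:\SOFTWARE\$relative" }
    if (-not (Test-Path $key)) {
        throw "Base CSP is not registered at $key; install the smart card minidriver or middleware first."
    }

    Set-ItemProperty -Path $key -Name 'AllowPrivateExchangeKeyImport' -Value 1 -Type DWord
    if (-not $SkipSignatureKeyImport) {
        Set-ItemProperty -Path $key -Name 'AllowPrivateSignatureKeyImport' -Value 1 -Type DWord
    }
    # Return the values the Base CSP will consult on the next import attempt.
    Get-ItemProperty -Path $key | Select-Object AllowPrivateExchangeKeyImport, AllowPrivateSignatureKeyImport
}

# Usage for a 32-bit client on 64-bit Windows, exchange (encryption) keys only.
Enable-BaseCspPrivateKeyImport -ClientIs32Bit -SkipSignatureKeyImport
```

The text sets both values to 1. The exchange flag is the one the Duplicate, Replace and Temporary card workflows need for encryption certificates; enabling signature key import as well is only necessary if a workflow actually imports a signing key, since a signing key that never leaves the card is the property that makes card-based signatures attributable to the holder.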
Important
If these registry values are not in place and you attempt to import an encryption certificate and its associated private key, you receive an error stating that the current settings of the Base CSP provider do not allow private key import.
Note
Only the 32-bit version of Gemalto smart card middleware is supported on Windows Vista 64-bit and Windows 7 64-bit. Only the 32-bit version of Aladdin smart card middleware is supported on Windows Vista 64-bit. Aladdin middleware is not supported at all on Windows 7.