Configuring FIM CM
Applies To: Forefront Identity Manager Certificate Management
To correctly configure FIM CM, you must run the FIM CM Configuration Wizard. The FIM CM Configuration Wizard guides you through the necessary configuration tasks, and it creates the FIM CM database. It can also create the required user accounts automatically.
- Although you can perform the following procedure without completing the prerequisite configuration tasks that are described in Optional: Delegating Permissions to Run FIM CM Configuration Wizard, you can do so only if you perform this procedure with a user account that is a member of the Enterprise Admins group.
- Many organizations use Hardware Security Modules (HSMs) to store the private keys of various critical identities. In such cases, the FIM CM Configuration Wizard cannot generate the certificates to be used with the HSM. The certificates with private key material that is stored on an HSM must be generated manually using the HSM vendor’s CSP, they must be backed up for disaster recovery purposes, and the FIM CM Configuration Wizard should not be requesting certificates for FIM CM agent accounts. By using the FIM CM configuration wizard, you can speed up the configuration process. To see examples for installing specific vendor HSMs, see the following TechNet Wiki articles Installing and Configuring an nCipher Hardware Security Module (HSM) with FIM CM 2010 (https://go.microsoft.com/fwlink/?LinkId=205743) and Installing and Configuring a LunaSA Hardware Security Module (HSM) with FIM CM 2010 (https://go.microsoft.com/fwlink/?LinkId=205745).
To run the Certificate Management Config Wizard
On the server you want to use as the FIM CM server click Start and then click Certificate Management Config Wizard. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In the Configuration Wizard – Microsoft Forefront Identity Manager 2010, on the Welcome to the Configuration Wizard click Next.
On the CA Configuration page, the default setting will be the Enterprise Root CA (if you want to issue certificates from a different CA, ensure it is selected). To do so, click Browse and in the Select Certification Authority dialog box under CA, click <your_target_CA> and then click OK. Click Next.
On the Set up the SQL Server Database page, configure SQL Server for use with FIM CM. In Name of SQL Server, type the IP address or name of the SQL Server database. If the SQL Server database is on the same computer, use the default value, which is (local).
On the Set up the SQL Server Database page, configure the SQL Server service account.
On the Set up the SQL Server Database page, configure the password for the SQL Server administrative account. To use the credentials for the current user, or to specify a user account and password to use to connect to the SQL Server database, perform one of the following actions:
To use the account information for the current user, select the Use my credentials to create the database check box.
To specify a different user account, clear the Use my credentials to create the database check box, and then type the user account and password that is used for connections to the SQL Server database.
If you installed the SQL Server database on a different server, or if you want to use the credentials for a different user, provide the user account information and password.
On the Set up the SQL Server Database page, click Next.
On the Database Settings page, under Database name, specify the name for the FIM CM database.
Under Specify a location for the database file, you can enter a location or use the null value. If you use the null value, FIM CM uses the default location for the SQL Server database file.
Only use Browse if you installed SQL Server and FIM CM on the same computer.
Under Specify the database user account that Certificate Lifecycle Manager uses to connect to the database, select one of the following authentication methods:
SQL integrated authentication is selected by default. This authentication mechanism gives the Web Pool Agent account the necessary permissions to the FIM CM database.
If you want to provide a different user account and password for FIM CM to connect to the SQL Server database, click SQL mixed mode authentication. You can use the default name for the user account, which is CMUser, or you can specify a name for a custom user account. If you use the SQL Mixed Mode Authentication setting, the FIM CM Configuration Wizard also creates a user account named CMExternal, which is used for creating requests with the FIM CM SQL application programming interface (API).
On the Database Settings page, click Next.
On the Set up Active Directory page, type the name of the directory entry that AD DS uses to store FIM CM configuration information.
Use the default values on the Directory Settings page, and then click Next.
On the Agents - FIM CM page, perform one of the following actions:
To use the default user accounts, leave the check boxes unchanged.
To create use preconfigured user accounts, clear Use the FIM CM default settings, and then click Custom Accounts.
On the Agents - FIM CM page, click Next.
On the Set up server certificates page, ensure that you configure the certificates that you created for the FIM CM Agents, as described in the Prepare the FIM CM Agent Certificate Templates section.
FIM CM Agent user account certificates
FIM CM agent account CA certificate copied FIM CM certificate template created Certificate template
Key Recovery Agent
FIM CM Key recovery agent
Requests the key recovery agent certificate that is used by the CLMKRAgent user account. By default, the configuration wizard selects the KeyRecoveryAgent certificate template in the list of available templates.
It is critical that you back up or archive this certificate and its associated private key to maintain ability to recover private keys. For specific steps, see FIM CM Backup and Restore Guide.
FIM CM agent
Signs FIM CM requests. The certificate template that is used to issue this certificate must allow a Cryptographic Service Provider (CSP) that provides support for AES-256 and SHA-256 encryption algorithms (for example, Microsoft Enhanced RSA and AES Cryptographic Provider). By default, this certificate is also used to encrypt sensitive data in the FIM CM database.
It is critical that you back up and/or archive this certificate and its associated private key to avoid data loss. For specific steps, see FIM CM Backup and Restore Guide.
FIM CM Enrollment agent
Signs certificate requests by the CLMEnrollAgent user account. By default, the configuration wizard selects the EnrollmentAgent certificate template in the list of available templates.
On the Set up server certificates page, click Next.
On the Set up E-mail Server, Document Printing page, type the IP address or DNS name of the Simple Mail Transfer Protocol (SMTP) host that FIM CM uses to send e-mail notifications.
The default SMTP IP address is 127.0.0.1, which indicates that FIM CM uses the local SMTP service.
To distribute one-time passwords, FIM CM requires anonymous SMTP relaying. If you configure SMTP relaying on an SMTP server, you can lock SMTP relaying to a specific IP address. You can also configure SMTP relaying to perform authenticated relaying to an SMTP server where SMTP relaying can resolve a mail exchanger (MX) record. For more information about enabling local SMTP relaying, see Configuring SMTP Virtual Server Relay Restrictions (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=81978).
Type the name of the folder where FIM CM stores files to send to a printer.
The default folder for these files, Print Documents, is at the following location: <Programfiles>\Microsoft Certificate Lifecycle Manager\Print Documents.
On the Set up E-mail Server, Document Printing page, click Next.
You can make any adjustments by using the Back button in the configuration wizard. You will not have to redo any items other than the ones you want to change (your previous settings are retained), even if you have to go back to the beginning of the Configuration Wizard.
On the Ready to Configure page, verify the selected settings. When you are ready to proceed with the configuration, click Configure.
A Configuration Wizard - Microsoft Forefront Identity Manager 2010 dialog box appears with a warning message indicating that the
FIM CM portal virtual IIS directory is currently not configured to require communication over a secure channel. At this stage in the configuration, this is okay. Click OK to confirm the warning message.
Wait until the Configuration Wizard - Microsoft Forefront Identity Manager 2010 displays the following message
FIM CM was configured successfully. To exist the wizard, click Finish.Once you see that message, you can click Finish.
The Finish button is available to click before the configuration is complete. Do not click the Finish button until the progress bar disappears and the message indicates that Microsoft® Forefront Identity Manager Certificate Management (FIM CM) was configured successfully.
To open the FIM CM Portal, if you did not change the default Web configuration, in Internet Explorer, go to https:// <FIM_Server_Name>/certificatemanagement.
DNSName is the DNS name that is assigned to the server that hosts FIM CM.
On each computer where you want to access the FIM CM Portal, you must add the FIM CM Portal to the Trusted Sites Web content security zone in Internet Explorer. Because the FIM CM Portal enforces the use of trusted sites, it does not function correctly if you do not add the FIM CM Portal to Trusted Sites.
Backup your Key Recovery and FIM CM Agent certificates/keys for disaster recovery purposes.
Installing the FIM CM CA Files
Optional: Delegating Permissions to Run FIM CM Configuration Wizard