FIM CM Operations - Part 1
FIM CM Operations
Although simple and intuitive at first sight, FIM CM operations sometimes yield rather interesting and subtle results. The differences between certain operations are borderline and are sometimes misinterpreted.
This post is intended to provide a clear and concise hands-on summary that helps in understanding each operation's purpose, context and outcome.
Operations in FIM CM can be categorized in two ways:

- A. From the CA functionality perspective, grouped into Enrollment and Revocation operations:
  - Enrollment
    - Software profiles
      - Duplicate
      - Enroll
      - Online Update
      - Recover on Behalf
      - Recovery
      - Renew
    - Smart card profiles
      - Duplicate
      - Enroll
      - Online Update
      - Recover on Behalf
      - Renew
      - Replace
      - Temp card Enroll
  - Revocation
    - Software profiles
      - Online Update
      - Renew
      - Revoke
      - Suspend
      - Reinstate
    - Smart card profiles
      - Disable
      - Online Update
      - Renew
      - Replace
      - Retire
      - Suspend
      - Reinstate
      - Temp card Disable
      - Temp card Retire
- B. From the FIM CM Management Policies perspective, grouped into software (SW) and smart card (SC) related operations.
Management Policies
| Management Policy | Self Serve | Initiator | Approver | Enroll Agent | OTP | Data Collection |
|---|---|---|---|---|---|---|
| Disable | √ | √ | - | - | √ | User/Mgr |
| Duplicate | √ | √ | √ | √ | √ | User/Mgr |
| Enroll | √ | √ | √ | √ | √ | User/Mgr |
| Offline Unblock | - | √ | - | √ | - | Mgr |
| Online Update | √ | √ | √ | √ | √ | User/Mgr |
| Recover on Behalf | - | √ | √ | √ | - | Mgr |
| Recovery | √ | √ | √ | √ | √ | User/Mgr |
| Renew | √ | √ | √ | √ | √ | User/Mgr |
| Replace | √ | √ | √ | √ | √ | User/Mgr |
| Retire | √ | √ | √ | - | √ | User/Mgr |
| Revoke | √ | √ | √ | - | √ | User/Mgr |
| Suspend | √ | √ | √ | - | √ | User/Mgr |
| Reinstate | √ | √ | √ | - | √ | User/Mgr |
| Temporary Cards Enroll | √ | √ | √ | √ | √ | User/Mgr |
| Temporary Cards Disable | √ | √ | - | - | - | - |
| Temporary Cards Retire | √ | √ | √ | - | - | - |
| Unblock | √ | √ | √ | - | √ | User/Mgr |
| Management Policy | SW | SC | CA function | Outcome | Revocation and Delta CRL published |
|---|---|---|---|---|---|
| Disable |  | √ | Revoke | All certs revoked. | After approver Approve and subscriber Enter DC |
| Duplicate | √ | √ | Enroll | Primary profile: all certs unchanged. Duplicate profile certs: the primary profile's valid arch certs and new auth certs. |  |
| Enroll | √ | √ | Enroll | All new certs. |  |
| Offline Unblock |  | √ | - | User PIN changed. |  |
| Online Update | √ | √ | Enroll, Revoke | Three cases. Certificate content change: all certs re-issued as new, updated, valid certs; old auth certs (and optionally old arch certs) revoked. Certificate template list change: templates added to the list get new certs enrolled; templates removed from the list get their old certs revoked, with auth certs removed from the profile and arch certs kept in it. Certificate expiry: same as Renew, except that old arch certs are optionally revoked. | After approver Approve and subscriber Enter DC |
| Recover on Behalf | √ | √ | Enroll | Arch certs revoked recovered. |  |
| Recovery | √ |  | Enroll | Arch certs revoked recovered, and new auth certs. |  |
| Renew | √ | √ | Enroll, Revoke | Old profile: all certs revoked. New profile certs: old arch certs recovered, new arch certs and new auth certs. | After approver Approve and subscriber Enter DC |
| Replace |  | √ | Enroll, Revoke | Old profile: all certs revoked. Recovered profile certs: arch certs recovered and new auth certs. | After approver Approve, BEFORE subscriber Enter DC |
| Retire |  | √ | Revoke | All certs revoked. | After approver Approve and subscriber Enter DC |
| Revoke | √ |  | Revoke | All certs revoked. | After approver Approve and subscriber Enter DC |
| Suspend | √ | √ | Revoke | All certs temporarily revoked. | After approver Approve and subscriber Enter DC. Reason: Certificate Hold |
| Reinstate | √ | √ | Revoke | All certs un-revoked. | After approver Approve and subscriber Enter DC. Reason: Remove from CRL |
| Temporary Cards Enroll |  | √ | Enroll, Revoke(*) | Not linked to a perm card: new auth certs, no arch certs. Linked to a perm card (perm card suspended(*)): perm card auth cert revoked, arch cert valid; temp card gets the recovered archived revoked certs and new auth certs. | After enroll agent executes. Reason: Certificate Hold(*) |
| Temporary Cards Disable |  | √ | Revoke | Not linked to a perm card: temp auth certs revoked, no arch certs. Linked to a perm card (perm card suspended): perm card auth cert un-revoked and old arch cert valid; temp card auth cert revoked and arch cert valid. | After initiator Initiate |
| Temporary Cards Retire |  | √ | Revoke | Not linked to a perm card: temp auth certs revoked, no arch certs. Linked to a perm card (perm card suspended): perm card auth cert un-revoked and old arch cert valid; temp card auth cert revoked and arch cert valid. | After approver Approve |
| Unblock |  | √ | - | User PIN changed. |  |
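The distinction the table draws between Suspend and Revoke, and the way a linked temporary card parks and later restores the permanent card's auth cert, is easier to see replayed step by step. The following Python toy model is an added illustration, not code from this post, FIM CM or AD CS. It assumes a simplified profile of exactly two certs, one "auth" cert (non-archived key) and one "arch" cert (key archived at the CA); it models recovery as the same certificate (same serial and key) being installed on the second card; and every name in it (`ToyCA`, `Profile`, `enroll`, `suspend`, `reinstate`, `temp_card_enroll`, `temp_card_disable`, `status`) is invented for the example. The CRL reason numbers are the RFC 5280 CRLReason values for Certificate Hold and Remove from CRL, which the table names for Suspend and Reinstate.

```python
# Toy state model of FIM CM profile operations (added illustration, not FIM CM code).
# Assumed simplification: one "auth" cert and one "arch" cert per profile.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class CRLReason(IntEnum):
    UNSPECIFIED = 0
    CERTIFICATE_HOLD = 6   # temporary: the CRL entry can later be lifted
    REMOVE_FROM_CRL = 8    # delta CRL pseudo-reason that lifts a hold


@dataclass
class Cert:
    serial: int
    kind: str                          # "auth" or "arch"
    key_id: str                        # same key_id => same (recovered) key pair
    revoked: bool = False
    reason: Optional[CRLReason] = None

    def on_hold(self) -> bool:
        return self.revoked and self.reason == CRLReason.CERTIFICATE_HOLD


@dataclass
class Profile:
    name: str
    certs: List[Cert] = field(default_factory=list)
    linked_to: Optional["Profile"] = None   # temp card -> its permanent card


class ToyCA:
    """Stands in for the AD CS CA: hands out serials/keys and enforces the rule that
    makes Suspend differ from Revoke: only a Certificate Hold can be lifted."""

    def __init__(self) -> None:
        self._serial, self._keys = 0, 0

    def new_key(self) -> str:
        self._keys += 1
        return f"key{self._keys}"

    def issue(self, kind: str, key_id: str) -> Cert:
        self._serial += 1
        return Cert(self._serial, kind, key_id)

    def revoke(self, cert: Cert, reason: CRLReason) -> None:
        if cert.revoked and not cert.on_hold():
            raise ValueError(f"serial {cert.serial} is already permanently revoked")
        cert.revoked, cert.reason = True, reason

    def unhold(self, cert: Cert) -> None:
        if not cert.on_hold():
            raise ValueError(f"serial {cert.serial} is not on Certificate Hold")
        cert.revoked, cert.reason = False, CRLReason.REMOVE_FROM_CRL


def enroll(ca: ToyCA, name: str) -> Profile:
    """Enroll: all new certs."""
    return Profile(name, [ca.issue("auth", ca.new_key()), ca.issue("arch", ca.new_key())])


def revoke(ca: ToyCA, p: Profile) -> None:
    """Revoke / Retire / Disable: all certs permanently revoked."""
    for c in p.certs:
        ca.revoke(c, CRLReason.UNSPECIFIED)


def suspend(ca: ToyCA, p: Profile) -> None:
    """Suspend: all certs temporarily revoked, reason Certificate Hold."""
    for c in p.certs:
        ca.revoke(c, CRLReason.CERTIFICATE_HOLD)


def reinstate(ca: ToyCA, p: Profile) -> None:
    """Reinstate: all certs un-revoked, reason Remove from CRL.
    Raises if the profile was Revoked rather than Suspended."""
    for c in p.certs:
        ca.unhold(c)


def temp_card_enroll(ca: ToyCA, perm: Profile) -> Profile:
    """Temporary Cards Enroll, linked case: perm auth cert put on hold, perm arch cert
    left valid; temp card gets the recovered arch cert plus a new auth cert."""
    temp = Profile(f"{perm.name}-temp", linked_to=perm)
    for c in perm.certs:
        if c.kind == "auth":
            ca.revoke(c, CRLReason.CERTIFICATE_HOLD)
        else:
            temp.certs.append(c)   # recovered: same cert and archived key on the temp card
    temp.certs.append(ca.issue("auth", ca.new_key()))
    return temp


def temp_card_disable(ca: ToyCA, temp: Profile) -> None:
    """Temporary Cards Disable / Retire, linked case: perm auth cert un-revoked,
    temp auth cert revoked, the shared arch cert stays valid."""
    if temp.linked_to is not None:
        for c in temp.linked_to.certs:
            if c.kind == "auth":
                ca.unhold(c)
    for c in temp.certs:
        if c.kind == "auth":
            ca.revoke(c, CRLReason.UNSPECIFIED)


def status(p: Profile) -> Dict[str, str]:
    """Per-cert state keyed by '<kind>#<serial>': valid, held or revoked."""
    return {f"{c.kind}#{c.serial}": "held" if c.on_hold() else "revoked" if c.revoked else "valid"
            for c in p.certs}


if __name__ == "__main__":
    ca, alice = ToyCA(), None
    alice = enroll(ca, "alice")
    suspend(ca, alice);   print("suspended :", status(alice))
    reinstate(ca, alice); print("reinstated:", status(alice))
    temp = temp_card_enroll(ca, alice); print("temp card :", status(alice), status(temp))
    temp_card_disable(ca, temp);        print("temp gone :", status(alice), status(temp))
    revoke(ca, alice)
    try:
        reinstate(ca, alice)
    except ValueError as e:
        print("reinstate after revoke fails:", e)
```

Running the script walks one profile through Suspend, Reinstate, a linked temporary card and finally Revoke; the last step shows why Reinstate is only a counterpart of Suspend and not of Revoke: the CA lifts a Certificate Hold entry, but a permanent revocation has no reversal.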