May 30th – 31st, 2006, Sheraton Ottawa. Microsoft Certificate Lifecycle Manager. Saleem Kanji, Technology Solutions Professional - Windows Server, Microsoft.

Page 1:

Page 2:

Saleem Kanji
Technology Solutions Professional - Windows Server
Microsoft Corporation

Beta 1

Page 3:

Credential Management Overview

Introduction to CLM

CLM Architecture Overview

Demo

Question/Discussion

Page 4:

Business Drivers

Regulatory Compliance: HIPAA; Sarbanes-Oxley; Gramm-Leach-Bliley; Basel II; 21 CFR Part 11; HSPD-12; MITS Compliance

Opening Corporate Resources; Protecting IP; Improved Efficiencies; Competitive Advantage

Security and Risk Management: VPN Access; Secure Email

Page 5:

To address requirements, organizations deploy multiple disparate management systems (Management System 1, Management System 2, Management System 3).

Cost and complexity increase as the range of authentication technologies extends: Digital Certificates, OTP, Mobile Devices, RFID Access Cards, Biometrics, Smart Cards, USB Tokens.

Page 6:

Microsoft Certificate Lifecycle Manager is based on technologies acquired from Alacris in September 2005.

Alacris was completely integrated into Microsoft and no longer exists as an independent corporation.

Page 7:

Microsoft® Certificate Lifecycle Manager (CLM) is a digital identity management solution that helps Microsoft customers provision, manage and maintain digital certificates and smart card technologies to strengthen the security of their IT environments.

Page 8:

Single administration point for digital certificates and smart cards

Configurable policy-based workflows for common tasks: Enroll/renew/update; Recover/card replacement; Revoke; Retire/disable smart card; Issue temporary/duplicate smart card; Personalize smart card

Detailed auditing and reporting

Support for both centralized and self-service scenarios

Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services

Page 9:

Certificate Lifecycle Manager: Architectural overview (diagram showing the Physical Architecture and the Component Architecture). Components shown: Microsoft CAs / Microsoft Certificate Authority with the CLM Policy Module and CLM Exit Module; Internet Information Server hosting the CLM Web App and CLM AD Integration; End User running Internet Explorer with the CLM Browser Control and Smart Card Middleware; SQL; AD; E-mail.

Page 10:

Certificate Lifecycle Manager: .NET web application supporting administrative functionality. Provides access to both the Subscriber and Manager web portals. Leverages Active Directory (AD) ACLs for permissions and workflow definition.

Windows Server 2003 Certificate Services Add-on: Extends the default policy module functionality with advanced certificate request features. Replaces the default exit module for centralized auditing capabilities throughout the AD forest.

Page 11:

CLM utilizes the existing AD infrastructure for storing CLM Profile Templates. Certificate Subscribers and Certificate Managers must be provided with appropriate access.

Authentication: Uses AD user and group permissions to grant users rights. Configurable for Integrated User Authentication.

Authorization: Provides CLM the ability to determine what a user can and cannot do within a session. All CLM permissions are based on ACLs provisioned with standard AD tools.

Page 12:

Active Directory security groups can be created to allow users to access self-service components.

The following permissions are available and can either be granted or denied:

CLM Audit

CLM Enroll

CLM Enrollment Agent

CLM Recover

CLM Renew

CLM Revoke

CLM Unblock
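The grant/deny model on this slide can be made concrete with a small evaluator over the seven CLM permissions. This is an added example, not CLM's own code; the group names and users are constructed, and it assumes the AD rule that an explicit Deny entry outranks an Allow entry for the same principal or any of its groups.

```python
"""Model of the CLM permission check described on the slide (added example,
not CLM's own code). CLM grants or denies each permission through AD ACLs on
security groups; here an explicit Deny outranks any Allow, as it does for
explicit ACEs in AD. Group names and users below are constructed."""
from dataclasses import dataclass, field

CLM_PERMISSIONS = frozenset({
    "CLM Audit", "CLM Enroll", "CLM Enrollment Agent", "CLM Recover",
    "CLM Renew", "CLM Revoke", "CLM Unblock",
})

@dataclass
class Ace:
    principal: str   # a user or an AD security group
    permission: str  # one of CLM_PERMISSIONS
    allow: bool      # True = grant, False = deny

@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def add(self, principal, permission, allow=True):
        if permission not in CLM_PERMISSIONS:
            raise ValueError(f"unknown CLM permission: {permission}")
        self.entries.append(Ace(principal, permission, allow))

def effective_permissions(acl, user, groups):
    """Return the set of CLM permissions the user effectively holds."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl.entries:
        if ace.principal in principals:
            (allowed if ace.allow else denied).add(ace.permission)
    return allowed - denied   # an explicit deny wins over any allow

def can(acl, user, groups, permission):
    return permission in effective_permissions(acl, user, groups)

# Constructed sample: self-service users may enroll, renew and recover;
# helpdesk may unblock; contractors are explicitly denied recovery even
# though they are also members of the self-service group that allows it.
SAMPLE_ACL = Acl()
SAMPLE_ACL.add("CLM Self-Service Users", "CLM Enroll")
SAMPLE_ACL.add("CLM Self-Service Users", "CLM Renew")
SAMPLE_ACL.add("CLM Self-Service Users", "CLM Recover")
SAMPLE_ACL.add("CLM Helpdesk", "CLM Unblock")
SAMPLE_ACL.add("Contractors", "CLM Recover", allow=False)
```

The point to check in a real deployment is the last entry: a user who lands in a denied group loses the permission no matter how many other groups grant it.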

Page 13:

Database Repository: Microsoft SQL Server 2000 SP3+ is required.

Used for reporting and application-specific data.

No user and role information is stored in the database.

Authentication Settings: Mixed Mode.

Deployment Models: Stand-alone server, or coexist with CLM. Leverage an existing enterprise database.

Page 14:

For delivery of notifications and one-time passwords.

Specify the IP address or host name of a mail server capable of relaying SMTP messages.

CLM uses anonymous relaying to send all outbound messages.

Page 15:

Windows 2003 Server Enterprise Edition: Key Recovery; Issuance of v2 certificate templates.

Communication with Certificate Authority: CLM Policy Module; CLM Exit Module; RPC for CA Manager access.

Page 16:

Communicates with CLM.

Controls the behavior of the CA in relation to CLM.

The CLM Policy Module has a 'pluggable' architecture allowing additional modules to be plugged in to enhance functionality.

CLM ships with 4 policy module add-ons out of the box.

Page 17:

Records all CA activity to SQL.

Provides robust logging and auditing in a central location.

Page 18:

Windows 2003 PKI implements Certificate Templates to define the contents of issued certificates.

Certificate Templates must have the appropriate permissions, allowing management by certificate managers and enrollment by certificate subscribers.

Page 19:

Smart Card Self Service Control: ActiveX browser control plug-in that allows for web-based smart card management.

Smart Card Personalization Control: Integrates CLM with the smart card middleware.

All communication secured using SSL.

Provides advanced archived certificate escrow capabilities including secure key injection.

Card PIN management.

Java applet management.

Page 20:

Profile Templates include one or more certificates managed as a single entity.

Include policies for each task that might be performed.

Additional profile data included for smart card management.

Can include templates issued from more than one CA.

Policy updates managed on a per-user basis by Active Directory (AD) groups.

Contains the necessary information to enforce policy across multiple certificates, users, and groups.

Stored in AD and available across the forest.

Diagram: Profile Templates consist of Certificate Template(s), Management Policies (Enrollment, Recovery, etc., each with Work flow, Self-Service and Data Collection), and Smart Card Information (if needed).

Page 21:
Page 22:

Demo 1: Self Service Enrollment

1. User authenticates to CLM Web Portal.
2. User requests Certificate Profile.
3. Certificates issued to user.

Actor: Certificate Subscriber.

Page 23:

Demo 2: Self Service Requiring Approval

1. User authenticates to CLM Web Portal.
2. User requests Certificate Profile.
3. Certificate Administrator approves request.
4. Email sent to user with OTP1.
5. User completes request and certificate is issued.

Actors: Certificate Subscriber, Certificate Administrator, Automated Workflow.

Page 24:

Demo 3: Smart Card Issued by Enrollment Agent

1. Manager requests a smart card for user.
2. Certificate Administrator issues smart card with certificates and random PIN.
3. Certificate Administrator creates an unblock request.
4. Email sent to user with OTP1.
5. Email sent to manager with OTP2.
6. User completes unblock request and resets PIN.

Actors: Manager, Certificate Administrator, Automated Workflow, Certificate Subscriber.
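The approval flows in Demos 2 and 3 hinge on e-mailed one-time passwords, with Demo 3 splitting them across two recipients so that neither the user nor the manager alone can complete the unblock. The model below is an added example, not CLM's own code: the mail relay is a constructed stub, the 24-hour expiry window is an assumption, and every OTP is single use.

```python
"""Approval workflow with e-mailed one-time passwords, modelled on Demos 2
and 3 (added example, not CLM's own code). A request carries one OTP per
recipient (Demo 2: only the subscriber; Demo 3: subscriber gets OTP1, the
manager gets OTP2); completion requires every OTP, each valid once and only
until it expires. The mail transport is a constructed stub."""
import hmac
import secrets
import time

OTP_LIFETIME_S = 24 * 3600          # assumed expiry window
sent_mail = []                       # stub for the SMTP relay on slide 14

def send_mail(to, subject, body):
    sent_mail.append((to, subject, body))

class OtpRequest:
    def __init__(self, request_id, recipients, now=None):
        self.request_id = request_id
        self.created = time.time() if now is None else now
        self.state = "pending"       # pending -> completed | expired
        self._otps = {}              # recipient -> unused OTP
        for i, addr in enumerate(recipients, 1):
            otp = secrets.token_hex(8)
            self._otps[addr] = otp
            send_mail(addr, f"CLM request {request_id}: OTP{i}",
                      f"Your one-time password is {otp}")

    def complete(self, presented, now=None):
        """presented: {recipient: otp}. Returns True once all OTPs match."""
        now = time.time() if now is None else now
        if self.state != "pending":
            return False
        if now - self.created > OTP_LIFETIME_S:
            self.state = "expired"
            return False
        if set(presented) != set(self._otps):
            return False             # a recipient's OTP is missing
        for addr, otp in self._otps.items():
            # constant-time comparison; do not reveal which OTP failed
            if not hmac.compare_digest(otp, presented.get(addr, "")):
                return False
        self._otps.clear()           # single use: a replay cannot succeed
        self.state = "completed"
        return True

def otp_from_mail(addr):
    """Constructed helper: read the OTP the stub 'delivered' to addr."""
    body = [b for t, _, b in sent_mail if t == addr][-1]
    return body.rsplit(" ", 1)[1]
```

Because slide 14 says CLM sends these mails over an anonymous SMTP relay, the OTP's value as a second factor depends entirely on the mailbox being protected and the lifetime being short.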

Page 25:

Release Schedule

CLM Beta 1: Released

CLM Beta 2: Q3 / CY06

CLM RTM: Q1 / CY07

Additional Information: http://www.microsoft.com/clm

Page 26:
Page 27:

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.