Management of PKI, certificates and smartcards with Forefront Identity Manager 2010 (FIM CM)
• Fredrik “DXter” Jonsson, Steria – Blog: http://poweradmin.se
• Hasain Alshakarti, TrueSec – Blog: http://secadmins.com
• Göran Melvås, Cortego/Techta – Blog: N/A
Benefits of FIM CM
• Centralized Enrollment Agent (EA) and Key Recovery Agent (KRA)
• Improved overall process workflow
– New Card Enroll
– Lost Card Replace
– Card Retire
– Certificate Renewal
• Detailed auditing and reporting
• Support for extended self-service scenarios
• PIN unblocks with user’s credentials
• Integration with Active Directory and PKI
• Does not perform an “RFC-Based” renewal – Allows renewals after certificate expiration
Smart Cards, Readers, and Middleware
Smart Cards
• Custom built hybrid cards
• Photo ID
• Indala RFID Cards for Building Access
• Gemalto smart card chip
– 128K .NET v2 cards (current standard)
– Legacy cards (all Base CSP cards)
Middleware
• Microsoft Base Smart Card Crypto Provider
• Mini-drivers specific to actual cards used
Smart Card Readers
• Built-in readers in our laptops
• If no built-in readers:
– Omnikey
– Gemalto
FIM 2010 CM Limitations
• FIM 2010 CM does not support multiple forests!
• Restrictions are only effective within Profile Templates, they are not FIM CM wide!
• FIM CM has no support for V3/2008/CNG certificate templates, including algorithms such as SHA256, Elliptic Curve Cryptography (ECC), etc.
• No “auto enrollment” support of computer certificates (supply request only).
• No native support for third party operating systems or browsers.
• Limited card and CSP support (BaseCSP and mini driver based cards preferred!)
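An added inventory check (not from the deck or from FIM CM itself) for the V3/CNG template limitation above: it lists the certificate templates published in Active Directory and flags those FIM CM cannot use. It assumes the ActiveDirectory PowerShell module, read access to the Configuration partition, and that msPKI-Template-Schema-Version 3 identifies V3 (Server 2008/CNG) templates.

```powershell
# Added example, not part of the original presentation. Lists AD certificate templates
# and marks the V3/CNG ones (schema version 3) that FIM CM cannot manage.
Import-Module ActiveDirectory

function Get-FimCmTemplateCompatibility {
    # Templates live in the Configuration partition of the forest
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $templateContainer `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Template-Schema-Version', 'msPKI-RA-Application-Policies' |
    ForEach-Object {
        # 1 = V1 (Windows 2000), 2 = V2 (Server 2003), 3 = V3 (Server 2008 / CNG)
        $schema = [int]$_.'msPKI-Template-Schema-Version'

        # On V3 templates this attribute carries the CNG settings as backtick-delimited
        # name`type`value triples, e.g. msPKI-Hash-Algorithm`PZPWSTR`SHA256
        $cngSettings = ($_.'msPKI-RA-Application-Policies' -join ';')
        $hash = if ($cngSettings -match 'msPKI-Hash-Algorithm`PZPWSTR`([^`;]+)') {
            $Matches[1]
        } else {
            'legacy CSP default'
        }

        [pscustomobject]@{
            Template        = $_.Name
            SchemaVersion   = $schema
            HashAlgorithm   = $hash
            FimCmCompatible = ($schema -le 2)   # only V1/V2 templates, per the limitation above
        }
    }
}

# Show incompatible (V3/CNG) templates first so they stand out in the inventory
Get-FimCmTemplateCompatibility |
    Sort-Object FimCmCompatible, Template |
    Format-Table -AutoSize
```

Templates reported with FimCmCompatible = False need a V2 equivalent (or a different management path) before they can be used in a FIM CM profile template.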