Forefront Identity Manager Certificate Manager (FIM CM) requires three certificates for infrastructure purposes. They are:
- FIM CM Agent certificate
- FIM CM Enrollment Certificate
- FIM CM Key Recovery Agent Certificate
These certificates are rather sensitive, and it makes sense to protect their private keys on an HSM.
I have been using SafeNet HSM to protect these certificates and ran into a problem with the FIM-CM Agent certificate.
The requirement for the FIM-CM Agent certificate is that the CSP must support AES. Also, FIM-CM does not support version 3 certificate templates, so it must be a CSP that can be used with a version 2 template.
A software-based Microsoft CSP is available that supports this. However, when the private key must be protected by the HSM, the HSM vendor must supply a CSP that meets this requirement.
SafeNet supplies both a CNG-based driver (a 64-bit KSP module) and 32-bit and 64-bit CSP modules.
As FIM-CM does not support a version 3 template, which would be needed for CNG, we are forced to use the CSP module from SafeNet. The question was then whether or not this CSP supports AES. SafeNet support was not sure about this, so I chose to test it out. The conclusion was that the 64-bit SafeNet CSP driver does not support AES and therefore FIM-CM failed with errors. This can be verified by setting the tracing level for Microsoft.Clm.BusinessLayer.Encryption to 4 in Web.config. The trace file c:\temp\clm.txt then shows that there are indeed problems with the AES decryption.
One of my colleagues at Microsoft suggested that I change FIM-CM to use TripleDes instead of AES. This can be done by changing the following line in web.config.
<!-- One of the following: Aes, Des, TripleDes -->
<add key="Clm.Encryption.Algorithm" value="Aes" />
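As an added example (not code from the original post), the following PowerShell script reports the current Clm.Encryption.Algorithm value in web.config and, when asked, switches it to TripleDes after taking a backup. It assumes the key sits under <appSettings>, as is standard for ASP.NET; the web.config path is a placeholder.

```powershell
# Added example: inspect or change Clm.Encryption.Algorithm in the FIM CM web.config.
# Assumptions: the <add key="Clm.Encryption.Algorithm" .../> element is a child of
# <appSettings>; the default path below is a placeholder, not the product's real path.
param(
    [string]$WebConfigPath = 'C:\PLACEHOLDER\CertificateManagement\web\web.config',
    [ValidateSet('Aes', 'TripleDes', 'Des')]
    [string]$NewAlgorithm,   # omit to only report the current value
    [switch]$WhatIf
)

$allowed = @('Aes', 'Des', 'TripleDes')   # the values the web.config comment lists

if (-not (Test-Path -LiteralPath $WebConfigPath)) {
    throw "web.config not found at $WebConfigPath"
}

[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
$node = $cfg.SelectSingleNode("//appSettings/add[@key='Clm.Encryption.Algorithm']")
if ($null -eq $node) {
    throw "Clm.Encryption.Algorithm key not found under <appSettings>"
}

$current = $node.GetAttribute('value')
Write-Host "Current Clm.Encryption.Algorithm: $current"
if ($allowed -notcontains $current) {
    Write-Warning "Value '$current' is not one of: $($allowed -join ', ')"
}
if ($current -eq 'Des') {
    # Single DES uses a 56-bit key; TripleDes is the stronger fallback when AES is unavailable.
    Write-Warning "Single DES is configured; prefer TripleDes where the CSP cannot do AES."
}

if (-not $NewAlgorithm -or $NewAlgorithm -eq $current) { return }

if ($WhatIf) {
    Write-Host "Would change $current -> $NewAlgorithm (no file written)"
    return
}

# Keep a timestamped copy before touching a file the CM portal depends on.
$backup = "$WebConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $WebConfigPath -Destination $backup
$node.SetAttribute('value', $NewAlgorithm)
$cfg.Save($WebConfigPath)   # absolute path required: XmlDocument.Save ignores the PS location
Write-Host "Changed $current -> $NewAlgorithm; backup at $backup"
```

Run it once without -NewAlgorithm to see the value in effect, then with `-NewAlgorithm TripleDes -WhatIf` before writing; as the post notes, a new FIM-CM Agent certificate has to be issued after the change.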
I chose to try TripleDes, and after that I issued a new FIM-CM Agent certificate and tried enrolling a certificate again from the FIM-CM portal. This time it worked, so now I have all three FIM-CM certificates protected by the HSM module, which is nice.
It is more secure, and I have the backup of the private keys covered by an existing backup procedure for the HSM modules, so I don’t have to make the FIM-CM private keys exportable and make explicit backups.