Integration of Microsoft CLM with Oracle Identity Manager _ Xellerate by liamei12345


Identris Solution for Integrating Microsoft CLM and Oracle Identity

Executive Summary:

In today's competitive business environment, organizations are making every effort to secure access to
business-critical and sensitive data and are looking for authentication solutions beyond the traditional
username and password, such as smart cards with digital certificates. With a smart card based system,
management of the digital certificate lifecycle becomes an integral part of the IT system, which also requires
approval, auditing, etc. Microsoft Certificate Lifecycle Manager (CLM) is a workflow- and policy-based
solution that addresses management of digital certificates and the smart card lifecycle. While CLM offers
its own workflow for the request and approval process, organizations that have implemented or are in the
process of implementing Oracle Identity Manager, a user provisioning solution, might find it difficult to
maintain two different systems for approvals, provisioning, etc. This paper describes in detail how the
Identris CLM connector for Oracle Identity Manager can help leverage the investment in both Microsoft CLM
and Oracle Identity Manager and effectively implement user provisioning and smart card provisioning.


With the increasing demand for two-factor authentication as a compliance requirement and an effective control
against identity theft, microprocessor-based smartcards are becoming a proven authentication control. Even
though the smartcard is not a new technology, it never became popular because of its management
challenges. To overcome this challenge and make effective use of Microsoft® Windows Server™ 2003 PKI
services, Microsoft has recently released Microsoft Certificate Lifecycle Manager (CLM), a policy-
and workflow-driven system that helps organizations manage smartcards and digital certificates. Certain key
features of Microsoft CLM are:

- Integration with Microsoft Active Directory and Windows 2003 Certificate Services
- PIN management for resetting and unblocking of PINs
- Integration with Microsoft MIIS for smartcard provisioning
- Delegated administration for smartcard and digital certificate requests and their approval
- Strong workflow support for self-registration

© Copyright Identris 2007-2008
While Microsoft CLM offers great functionality for Smart Card and Digital Certificate management, it's
a new product, and organizations already have user provisioning products such as Oracle Identity

A provisioning product such as Oracle Identity Manager can synchronize identity information across
various IT resources based on the rules, workflows and approvals that are configured in the system.
Oracle Identity Manager can:

- Automate the business process of employee on-boarding and off-boarding
- Automate access to various IT resources based on rules, roles and policy
- Approve user requests for access to certain systems
- Synchronize identity data and passwords across various systems
- Provide a user attestation process to determine who has access to what
- Provide detailed audit trail information
- Address regulatory compliance and reduce cost

While Microsoft CLM and Oracle Identity Manager are two different great products that address
different provisioning requirements, enterprises that have both Oracle Identity Manager and Microsoft
CLM can take advantage of the Identris CLM Connector to integrate the two systems.

Certain key features of the Identris CLM Connector for Oracle Identity Manager are:

- Leverage the investment in user provisioning from Oracle Identity Manager
- Leverage the existing user attestation process within OIM
- Leverage auditing and reporting from OIM
- Integrate provisioning of digital certificates / smart cards with Microsoft CLM
- Leverage the existing approval process and system to approve smart card requests
- Integrate with the current OIM off-boarding process to revoke smart cards within CLM
- Leverage the reporting from Microsoft CLM and OIM


The Identris integration solution for CLM and Oracle Identity Manager adds sophisticated management
features to identity management and strong two-factor authentication using smartcards.


Figure 1 Identris Integration Architecture Overview

This functionality is achieved by the architecture of the Identris CLM Connector for Oracle Identity Manager, as follows:

- Oracle Identity Manager. Oracle Identity Manager's flexible architecture can handle the most
  complex IT and business requirements without requiring changes to existing IT infrastructure,
  policies or procedures. It can perform provisioning, deprovisioning and profile
  synchronization with any IT resource using its open connector specification. It supports
  automatic attestation, sometimes referred to as recertification, which is a key requirement
  of Sarbanes-Oxley and a highly recommended security best practice. Unlike a manual
  attestation process, Oracle Identity Manager provides a fine-grained access report with an interactive
  user interface for the attestation reviewer. It also allows the attestation reviewer to initiate corrective
  action using the same interface. OIM has a built-in auditing feature, which makes it the best
  provisioning product for meeting any compliance requirement. The Identris integration solution
  leverages these features for smartcard and digital certificate management to enable strong
  authentication in organizations.
- Microsoft Certificate Lifecycle Manager. Microsoft Certificate Lifecycle Manager (CLM) is a
  policy- and workflow-driven system that helps organizations manage the lifecycle of digital
  certificates and smartcards. It allows an organization to issue digital certificates or smartcards based
  on profile templates. Profile templates define the validity of the certificate/smartcard, the purpose of
  the certificate/smartcard, and who has access to which profile. It supports a SQL API, a .NET API and a
  Notification API to manage the certificate or smartcard lifecycle without user intervention. Identris
  uses these APIs to manage users' smartcards.
- Identris CLM connector pack. The Identris CLM connector pack is the bridge between Oracle Identity
  Manager and Microsoft Certificate Lifecycle Manager. It allows an organization to take advantage of both
  technologies to increase security and reduce cost. It allows an organization to automatically provision a
  smartcard for employees when they join the company and automatically deprovision it on termination. When
  an employee has a smartcard to authenticate with, the Identris connector pack configures the smartcard
  profile for that user on provisioning for every IT resource that supports smartcard authentication, such
  as databases, web applications and financial applications. This allows employees to use a single
  smartcard and PIN to authenticate to all IT resources. For the organization, it reduces cost by
  reducing help desk calls for password resets and increases security with enterprise single sign-on.
  It also notifies employees and their managers whenever certificate/smartcard renewal is required.
  It allows an employee to request a temporary smartcard in case they forget their smartcard at home, and
  it ensures that while a user holds a temporary smartcard no one can log in with the actual
  smartcard issued to that user. With Oracle Identity Manager, it performs the attestation process
  for smartcards based on a configured time interval.


With the increasing demand for two-factor authentication, smartcards are rapidly becoming popular because
of their processing capability and support for PKI. But in adopting smartcard-based authentication, many
organizations face challenges such as how to enroll a user for a smartcard, how to revoke a smartcard, how
to issue a temporary smartcard, how to temporarily disable smartcard access, how to reuse revoked
smartcards, and many others. The answers to these questions are not easy, because any wrong decision could
lead to major change in the IT infrastructure or open vulnerabilities in the organization's infrastructure. The Identris
integration solution for Oracle Identity Manager and Microsoft Certificate Lifecycle Manager allows an
organization to introduce smartcard-based authentication into its infrastructure without any major
change and to obtain maximum ROI on each of those products. Its automatic provisioning/deprovisioning
capabilities do not increase administrative or support cost. Its auditing capabilities allow IT auditors to
continuously verify the organization's compliance status. And above all, its smartcard logon profile setup
capability allows users to access IT resources without remembering multiple username-password pairs, which
makes them more efficient and reduces the cost of password resets for the organization.
