Udostępnij za pośrednictwem


FIM CM Operations - Part 1

 

FIM CM Operations

Although simple and intuitive at first sight, FIM CM Operations sometimes yield rather interesting and subtle results. The differences among certain operations are border line and sometimes are misinterpreted.

This post is intended to provide a clear and concise hands-on summary to help out understanding each operation's purpose, context and outcome.       

Operations in FIM CM can be categorized:

  • A. from CA functionality perspective grouped in Enrollment and Revocation operations:

 

Enrollment

  • § Software profiles
  • § Duplicate
  • § Enroll
  • § Online Update
  • § Recover on Behalf
  • § Recovery
  • § Renew
  • § Smartcard profiles
  • § Duplicate
  • § Enroll
  • § Online Update
  • § Recover On Behalf
  • § Renew
  • § Replace
  • § Temp card Enroll

Revocation

  • § Software profiles
  • § Online Update
  • § Renew
  • § Revoke
  • § Suspend
  • § Reinstate
  • § Smart card profiles
  • § Disable
  • § Online Update
  • § Renew
  • § Replace
  • § Retire
  • § Suspend
  • § Reinstate
  • § Temp card Disable
  • § Temp card Retire

 

  • B. from FIM CM Management Policies perspective grouped in software (SW) and smart card (SC) related operations.

 

Management Policies

Management Policy

Self Serve

Initiator

Approver

Enroll Agent

OTP

Data Collection

Disable

-

-

User/Mgr

Duplicate

User/Mgr

Enroll

User/Mgr

Offline Unblock

-

-

-

Mgr

Online Update

User/Mgr

Recover on Behalf

-

-

Mgr

Recovery

User/Mgr

Renew

User/Mgr

Replace

User/Mgr

Retire

-

User/Mgr

Revoke

-

User/Mgr

Suspend

-

User/Mgr

Reinstate

-

User/Mgr

Temporary Cards Enroll

User/Mgr

Temporary Cards Disable

-

-

-

-

Temporary Cards Retire

-

-

-

Unblock

-

User/Mgr

 

Management Policy

SW

SC

CA function

Outcome

Revocation and DeltaCRL published

Disable

 

Revoke

All certs revoked.

After approver Approve and subscriber Enter DC

Duplicate

Enroll

Primary profile: all certs unchanged. Duplicate profile certs: primary profile valid arch certs and new auth certs.

 

Enroll

Enroll

All new certs.

 

Offline Unblock

 

-

User Pin changed

 

Online Update

Enroll Revoke

Certificate content change. New valid updated all certs. Revoke old auth (and optional old arch) certs.

Certificate template list change. If added to list, then enroll new certs. If deleted from list, then revoke old certs: auth removed from profile, arch kept in profile.

Certificate expiry. Same as Renew except that old arch certs are optionally revoked. 

After approver Approve and subscriber Enter DC

Recover on Behalf

Enroll

Arch certs revoked recovered.

 

Recovery

 

Enroll

Arch certs revoked recovered and new auth certs.

 

Renew

Enroll Revoke

Old profile: all certs revoked. New profile certs: old arch recovered certs, new arch certs and new auth certs.

After approver Approve and subscriber Enter DC

Replace

 

Enroll Revoke

Old profile: all certs revoked. Recovered profile certs: arch certs recovered and new auth certs.

After approver Approve BEFORE subscriber Enter DC

Retire

 

Revoke

All certs revoked.

After approver Approve and subscriber Enter DC

Revoke

 

Revoke

All certs revoked.

After approver Approve and subscriber Enter DC

Suspend

Revoke

All certs temporary revoked.

After approver Approve and subscriber Enter DC. Reason Certificate Hold

Reinstate

Revoke

All certs un-revoked.

After approver Approve and subscriber Enter DC. Reason Remove from CRL.

Temporary Cards Enroll

 

Enroll Revoke(*)

Not linked to perm card: new auth certs, no arch certs. Linked to perm card, suspend perm card(*) Perm card: auth cert revoked, arch cert valid. Temp card: recovered archived revoked certs and new auth certs.

After enroll agent executes. Reason Certificate Hold(*)

Temporary Cards Disable

 

Revoke

Not linked to perm card: Temp auth certs revoked, no arch certs. Linked to perm card, suspend perm card: Perm card: perm auth cert un-revoked and old arch cert valid. Temp card: auth cert revoked and arch cert valid.

After initiator Initiate

Temporary Cards Retire

 

Revoke

Not linked to perm card: Temp auth certs revoked, no arch certs. Linked to perm card, suspend perm card: Perm card: perm auth cert un-revoked and old arch cert valid. Temp card: auth cert revoked and arch cert valid.

After approver Approve

Unblock

 

-

User Pin changed