Microsoft Identity Lifecycle Manager 2007 Product Overview


Microsoft Identity Lifecycle Manager 2007 Product Overview and FAQ

Identity Lifecycle Manager (ILM) 2007 enables IT organizations to reduce the cost of managing the identity and access life cycle by providing a single view of a user's identity across the heterogeneous enterprise and through the automation of common tasks. ILM 2007 builds on the metadirectory and user provisioning capabilities in Microsoft Identity Integration Server (MIIS) 2003 and adds new capabilities for managing strong credentials such as smartcards, providing an integrated approach that pulls together metadirectory, certificate and password management, and user provisioning across Windows and other enterprise systems. ILM 2007 simplifies the process of matching and managing identity records from disparate data repositories, and prevents anomalies, such as active records for employees who have left the organization. ILM 2007 provides IT with a policy framework to control and track the identity and access data that helps manage compliance. It also includes self-help tools for end users, enabling IT to improve efficiency by securely delegating many tasks to end users. Another key feature of ILM 2007 is that it includes a Windows-based certificate management solution that integrates with the Windows Server 2003 operating system and Active Directory to provide a turnkey solution for managing the end-to-end life cycle of smart cards and digital certificates for the Windows Server 2003 Certificate Authority.

Key Benefits
ILM 2007 is designed to simplify and automate some of the most costly aspects of identity lifecycle management. ILM 2007 enables organizations to:

Synchronize Identity Information. Organizations that have many different directories and other data repositories, such as a Human Resources (HR) data repository, mainframe systems, or databases, can use ILM 2007 to synchronize user accounts and attributes in all of those systems, including synchronization of passwords. Directory synchronization saves time and money that is currently spent on keeping data consistent and enforcing data ownership rules.

Provision and Deprovision Users. In many organizations, information about new employees is entered in an HR database first. Then, the IT department creates user accounts, mailboxes, and other identity information in different systems. ILM 2007 automatically creates these user accounts, mailboxes, and other identity information in target systems in real time so new employees are productive immediately, and also ensures that corporate resource access is instantly revoked for employees who leave the organization.

Manage Certificates and Smart Cards. ILM 2007 includes a workflow- and policy-based solution that enables organizations to easily manage the life cycle of digital certificates and smart cards. ILM 2007 leverages Active Directory directory services and Active Directory Certificate Services to provision digital certificates and smart cards, with automated workflow to manage the entire life cycle of certificate-based credentials. ILM 2007 significantly lowers the costs associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. It also streamlines the provisioning, configuration, and management of digital certificates and smart cards, while increasing security through strong, multifactor authentication technology.

Key Benefits of ILM 2007

Feature: Synchronize Identity Information
Benefit: Organizations benefit from improved IT productivity and reduced administrative costs as identity data is kept up to date across an enterprise without manual updates.

Feature: Provision User Accounts
Benefit: End users can be more productive by accessing needed systems faster, while corporate security is improved as employees' access to systems is automatically terminated when they leave. Administrators benefit from having these processes automated, which improves their own productivity and helps to lower administrative costs.

Feature: Manage Certificates and Smart Cards
Benefit: ILM 2007 reduces the costs associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. IT benefits through streamlined provisioning, deprovisioning, configuration, and auditing of digital certificates and smart cards, along with increased security through the use of strong, multi-factor authentication technology.

Connectivity Capabilities

ILM 2007 creates and distributes an integrated view of identity information from multiple data sources. Broad connectivity capabilities give you the power to connect to the plethora of disparate identity information sources in your company, all without the need to install software of any kind on the target systems.

Connectivity Capabilities of ILM 2007

Network operating systems and directory services:
- Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
- Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
- Microsoft Windows NT 4.0
- IBM Tivoli Directory Server
- Novell eDirectory 8.6.2, 8.7, and 8.7.x
- Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

Mainframe:
- IBM Resource Access Control Facility
- Computer Associates eTrust ACF2
- Computer Associates eTrust Top Secret

E-mail and messaging:
- Microsoft Exchange 2007, 2003, 2000, and 5.5
- Lotus Notes 6.x, 5.0, and 4.6

Applications:
- SAP 5.0 and 4.7
- Telephone switches
- XML-based systems
- DSML-based systems

Databases:
- Microsoft SQL Server 2005, 2000, and 7
- IBM DB2
- Oracle 10g, 9i, and 8i

File-based:
- Attribute value pairs
- CSV
- Delimited
- Fixed width
- Directory Services Markup Language (DSML) 2.0
- LDAP Interchange Format (LDIF)

All other:
- Extensible Management Agent for connectivity to all other systems

How Identity Lifecycle Manager 2007 Works

ILM 2007 has two central components, one that includes metadirectory and user provisioning capabilities and another for certificate and smart card management.

Identity Synchronization and User Provisioning

The identity synchronization and user provisioning component of ILM 2007 manages identity information across multiple stores by aggregating this information in a central repository called the metaverse. Management agents serve as connectors that translate data from these connected stores to the metaverse. For example, the e-mail system can be linked to the HR database through the metaverse. When an employee joining the organization is added to the HR database, ILM 2007 can automatically provision that employee to the e-mail system. Each employee's attributes, from the e-mail system and the HR database, are imported into the connector space through management agents. The e-mail system can then use individual attributes from the employee entry that originated in the HR database, such as the employee's telephone number. If an employee's telephone number changes in the HR database, the new number is automatically propagated to the e-mail system.

Certificate and Smart Card Management

ILM 2007 also provides sophisticated credential management features to Windows Server 2003 Certificate Authorities (CAs) by acting as an administrative proxy. Once installed within an organization, all digital certificate and smart card management functions pass through ILM 2007. The certificate management solution in ILM 2007 consists of three components:

1) Server component: Provides a Web interface and is the focal point of administrative functions.
2) Certificate Authority plug-in: Communicates with the server, controls the behavior of the CA(s), and provides rich logging and auditing in a central location.
3) Client-side components: Smartcard Self Service Control, which provides certificate management capabilities; Smartcard Personalization Control, which provides Java card management; and the Bulk Smartcard Issuance Tool, an application for centralized, large-scale smart card deployment scenarios.
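The synchronization flow just described (HR store -> connector space -> metaverse -> e-mail system) as an added toy model; this is not ILM 2007 code, the stores, employee ids and mailbox domain are constructed, and the final check reports the anomaly the overview warns about: an enabled account with no active employee behind it.

```python
"""Toy model of the synchronization flow described above (constructed example,
not ILM 2007 code): HR and e-mail stores -> connector space -> metaverse ->
provisioning, attribute flow, deprovisioning, and an orphaned-account check."""
import copy

# Constructed sample connected data sources, keyed by a hypothetical employee id.
HR = {
    "e1001": {"name": "Ana Lima", "phone": "555-0101", "status": "active"},
    "e1002": {"name": "Bo Chen", "phone": "555-0102", "status": "terminated"},
}
MAIL = {
    "e1002": {"mailbox": "bo.chen@example.test", "phone": "555-0102", "enabled": True},
    "e1003": {"mailbox": "old.contractor@example.test", "phone": "", "enabled": True},
}

def import_hr(hr):
    """HR management agent: stage records in a connector space, then project them
    into the metaverse (modelled here as a plain dict keyed by employee id)."""
    connector_space = {emp_id: dict(rec) for emp_id, rec in hr.items()}
    return {emp_id: {k: r[k] for k in ("name", "phone", "status")}
            for emp_id, r in connector_space.items()}

def export_mail(metaverse, mail):
    """E-mail management agent: provision, flow attributes, deprovision."""
    actions = []
    for emp_id, person in metaverse.items():
        if emp_id not in mail:
            if person["status"] == "active":          # new hire: create mailbox
                local = person["name"].lower().replace(" ", ".")
                mail[emp_id] = {"mailbox": f"{local}@example.test",
                                "phone": person["phone"], "enabled": True}
                actions.append(f"provision {emp_id}")
            continue
        entry = mail[emp_id]
        if person["status"] != "active" and entry["enabled"]:
            entry["enabled"] = False                  # left the organization: revoke
            actions.append(f"deprovision {emp_id}")
        if entry["phone"] != person["phone"]:
            entry["phone"] = person["phone"]          # attribute flow HR -> e-mail
            actions.append(f"flow phone {emp_id}")
    return actions

def orphaned_mailboxes(metaverse, mail):
    """Enabled mailboxes with no active person behind them: the 'active records
    for employees who have left' anomaly, worth reporting after every sync run."""
    return sorted(emp_id for emp_id, entry in mail.items() if entry["enabled"]
                  and metaverse.get(emp_id, {}).get("status") != "active")

def run_sync(hr, mail):
    """One synchronization cycle; returns (actions, orphans, updated mail store)."""
    mail = copy.deepcopy(mail)                         # connected store is not mutated
    metaverse = import_hr(hr)
    actions = export_mail(metaverse, mail)
    return actions, orphaned_mailboxes(metaverse, mail), mail
```

A second run after changing a telephone number in HR produces only an attribute-flow action, which is the propagation behaviour the section describes.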

Q&A

Q. How does ILM 2007 relate to MIIS 2003?
A. ILM 2007 includes and enhances the functionality of MIIS 2003. By integrating the metadirectory and user provisioning features of MIIS 2003 with a management solution for strong credentials, ILM is a powerful solution for managing the entire identity life cycle of users and credentials.

Q. What is Certificate Lifecycle Manager?
A. Certificate Lifecycle Manager (CLM) is a policy- and workflow-driven technology that helps organizations manage the lifecycle of digital certificates and smart cards. This technology is being released as a key component of ILM 2007.

Q. How can I obtain Certificate Lifecycle Manager?
A. Certificate Lifecycle Manager will be made available as part of ILM 2007. By acquiring ILM 2007 you will gain all of the features and technologies of CLM.

Q. What languages will ILM 2007 be available in?
A. ILM 2007 will initially be released in English only. Language packs for the certificate management functionality will be released at a later date. Certificate management language packs are planned for the following languages: German, French, Spanish, Japanese, Chinese, Italian, Dutch, and Portuguese.

System Requirements

Required Software
- Windows Server 2003: ILM 2007 requires Windows Server 2003, Enterprise Edition, and Windows Server 2003 client access licenses (CALs).
- SQL Server: ILM 2007 requires SQL Server 2005 or 2000, Enterprise or Standard Edition, Service Pack 3 (SP3).

Required Hardware

- 1 GHz or faster processor recommended; Pentium 4 recommended
- 512 MB of RAM or more; 1 GB or more recommended
- 350 MB of available hard-disk space or more for the default installation; an additional 1 GB of available hard-disk space is recommended for the log file
- 8 GB of available hard-disk space on the partition that contains the database files for ILM 2007 metadirectory services and user provisioning
- CD-ROM or DVD-ROM drive
- Super VGA (1024 x 768) or higher-resolution monitor recommended
- Keyboard and mouse or compatible pointing device
- At least one network interface card (NIC) is required. If a private network is used, the head node requires at least two NICs, and each compute node requires at least one NIC. Each node may also require a high-speed NIC for a Message Passing Interface (MPI) network.
- Certificate and smart card management hardware requirements: CLM-compatible smart card(s) and smart card reader(s)
Detailed Software Requirements

Metadirectory services and user provisioning server requirements

- Windows Server 2003 Enterprise Edition or Windows Server 2003 R2 Enterprise Edition
- Microsoft .NET Framework 2.0
- Microsoft SQL Server 2000 Enterprise Edition, Standard Edition, or Developer Edition with Service Pack 3a or later; or Microsoft SQL Server 2005 Enterprise Edition, Standard Edition, or Developer Edition (32-bit or 64-bit), Service Pack 1 recommended

Certificate and smart card management server requirements

- An Active Directory infrastructure with a domain controller
- One (minimum) Windows Server 2003 Enterprise Edition certification authority (CA) installed as an Enterprise CA
- The certificate and smart card management server component can be installed on a computer running Windows Server 2003 Enterprise Edition with Service Pack 1 or later, or Windows Server 2003 Datacenter Edition with Service Pack 1 or later
- Microsoft .NET Framework 2.0

Certificate and smart card management client requirements

- Operating system (one of the following): Windows XP Professional with Service Pack 2 or later; Windows 2000 Professional with Service Pack 4 or later
- Web browser (one of the following): Internet Explorer 6.x with Service Pack 1 or later; Internet Explorer 7.x
- Vendor middleware (one of the following): Microsoft Base Cryptographic Service Provider with vendor-specific mini-driver; legacy cryptographic service provider (CSP) with PKCS#11-compatible vendor middleware

Supported PKCS#11-compatible card vendors

- Axalto Access Client Software version 5.2
- AET SafeSign Identity Client version 2.2
- Aladdin eToken Runtime Environment version 3.65
- Gemplus GemSafe version 4.2 Service Pack 3
- Siemens HiPath SIcurity Card API version 3.1.026

Q. Can SQL Server run on the same server on which ILM 2007 is running?
A. Yes, SQL Server may be run on the same server on which ILM 2007 is running. Typically, performance is enhanced when SQL Server and ILM 2007 run on the same server.

Q. Can the server-side certificate management components of ILM 2007 run on the same server as the ILM 2007 metadirectory and user provisioning components?
A. Yes. All of the server-side components of ILM 2007 may run on the same server. However, depending on the security requirements of your environment and the processing required by your ILM 2007 server configuration, you may find it beneficial to run the components on different servers.

Q. When are CALs needed in ILM 2007?
A. You must acquire and assign a user CAL for each user for whom Identity Lifecycle Manager 2007 issues or manages one or more digital certificates. Otherwise, you do not need user CALs merely to access instances of the server software. Furthermore, the only type of CAL available with ILM 2007 is the user CAL; device CALs are not available.

Q. Is there an external connector license available for ILM 2007? If not, when will it be available?
A. An ILM 2007 external connector license is not available at this time.

Q. How do I license SQL Server for use with ILM 2007?
A. Please consult the SQL Server product site in the Shop for up-to-date information on how SQL Server is licensed, including answers to frequently asked questions.

Q. Do I need to purchase a new SQL Server license to run ILM 2007?
A. No. You may use a copy of SQL Server that you have already licensed. ILM 2007 does not require a copy for its own exclusive use; it may be shared with other applications.

Upgrading from Microsoft Identity Integration Server (MIIS) 2003

Q. Is there an upgrade path from MIIS 2003 to ILM 2007?
A. Setup for ILM 2007 is designed to perform upgrades where appropriate. For example, ILM 2007 Volume License can upgrade an existing MIIS 2003 installation, Identity Integration Feature Pack (IIFP), ILM 2007 Evaluation Edition, and ILM 2007 MSDN. IIFP cannot upgrade anything except a previous IIFP. ILM 2007 MSDN cannot upgrade anything except a previous MIIS 2003 MSDN, and so on. Below is a matrix that shows the upgrade paths available.

Upgrade paths for MIIS 2003, IIFP, and ILM 2007 versions (matrix)

[Matrix: rows list the preexisting product (MIIS, MIIS MSDN, MIIS Evaluation, IIFP); columns list the product being installed (MIIS 2003 SP2, MIIS 2003 SP2 Web Upgrade, IIFP, ILM 2007, ILM 2007 MSDN, ILM 2007 Evaluation); each cell is Yes or No.]

Management Agents

Q. Which management agents or connectors will be available with ILM 2007?
A. The following table lists the connectivity capabilities of ILM 2007.

Connectivity Capabilities of ILM 2007

Network operating systems and directory services:
- Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
- Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
- Microsoft Windows NT 4.0
- IBM Tivoli Directory Server
- Novell eDirectory 8.6.2, 8.7, and 8.7.x
- Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

Mainframe:
- IBM Resource Access Control Facility
- Computer Associates eTrust ACF2
- Computer Associates eTrust Top Secret

E-mail and messaging:
- Microsoft Exchange 2003, 2000, and 5.5
- Lotus Notes 6.x, 5.0, and 4.6

Applications:
- SAP 5.0 and 4.7
- Telephone switches
- XML-based systems
- DSML-based systems

Databases:
- Microsoft SQL Server 2005, 2000, and 7
- IBM DB2
- Oracle 10g, 9i, and 8i

File-based (1):
- Attribute value pairs
- CSV
- Delimited
- Fixed width
- Directory Services Markup Language (DSML) 2.0
- LDAP Interchange Format (LDIF)

All other:
- Extensible Management Agent for connectivity to all other systems

(1) These file formats allow for integration with a variety of applications, databases, telephone switches, X.500 systems, and metadirectory products or underlying systems that can produce a file.

Q. What smart card platforms are supported by ILM 2007?
A. Smart card platforms are supported indirectly through the middleware used to interface to the card. The middleware controls which specific cards are supported by it. ILM 2007 supports two forms of middleware: BaseCSP and PKCS#11. Any BaseCSP smart card module that conforms to the BaseCSP specification is supported by ILM 2007. ILM 2007 support for PKCS#11 includes support for the following vendors:
1. Axalto Client Software (ACS) v5.2
2. AET SafeSign v2.1
3. Aladdin eToken RTE 3.6
4. Gemplus GemSafe v4.2
5. Siemens HiPath SIcurity Card API v3.1.026

Identity Lifecycle Manager Roadmap

Q. What is Identity Lifecycle Manager "2"?
A. ILM "2" will extend the functionality of ILM 2007 with new capabilities that will:
- Empower people with integrated end-user self-service tools in Office and Windows.
- Put IT in control through a robust delegation model and business process framework.
- Improve operational efficiency by automating common identity lifecycle management tasks and empowering end users with self-help solutions.
In addition, Microsoft is implementing ILM "2" on a common set of services, including workflow, delegation, Web services APIs, and logging, that customers and independent software vendors can use to customize and extend the functionality in ILM "2".

Q. What are the key differences between ILM 2007 and ILM "2"?
A. ILM "2" extends the functionality of ILM 2007 with new capabilities focused on empowering end users to manage aspects of their digital identities through tools they are comfortable with, such as Office and Windows. ILM "2" provides a series of solutions for management of users, access, credentials, and policies that empower end users with self-service while ensuring that IT is firmly in control. Microsoft is also implementing ILM "2" on a common set of services, including workflow, delegation, Web services APIs, and audit logs, that customers and ISVs can use to extend the core product functionality.

Q. When can I get a beta of ILM "2"?
A. Microsoft plans to release a beta of ILM "2" in mid-2007.
