This topic describes how you can create, approve, and execute a request using the Provision APIs in Forefront Identity Manager Certificate Management (FIM CM). It also discusses the life cycle of a request.
Creating an Enrollment Request
The following procedure details the steps that you would ordinarily perform to create enrollment requests through the FIM CM Provision API.
- Use the FindOperations
class to retrieve a list of profile templates available for this
user, and select the appropriate profile template. You can also
specify a particular profile template.
- Create required data collection items to correspond to the data
collection requirements as laid out in the specific Profile
Template Policy.
- Create enrollment request using the InitiateEnroll
method.
The following example demonstrates these steps.
Copy Code | |
---|---|
// Initiate Request for a specific Profile Template with Guid parameter // profileTemplateUuid, with targetUserUuid being the GUID in Active // Directory of the target user ProfileTemplate profileTemplate = FindOperations.GetProfileTemplate(profileTemplateUuid); List<Microsoft.Clm.Shared.Requests.DataCollectionItem> dataCollectionList = new List<Microsoft.Clm.Shared.Requests.DataCollectionItem>(); dataCollectionList.Add(new Microsoft.Clm.Shared.Requests.DataCollectionItem("TelephoneNumber", "(555) 555-5555")); Microsoft.Clm.Shared.Requests.DataCollection dataCollection = new Microsoft.Clm.Shared.Requests.DataCollection(dataCollectionList); Request enrollRequest= RequestOperations.InitiateEnroll(profileTemplateUuid,dataCollection, targetUserUuid,"comment",0); |
Note You can use the same general procedure to
create other request types, for example Recover
,
Unblock
, Offline Unblock
, and
Retire
.
Approving a Request
The following procedure details steps that you would ordinarily perform to approve a request.
- Find a specific request to approve. You can use the FindOperations
class to search for specific requests based on factors such as
request status, target user, or request type.
- Create required data collection items for this policy. If you
are not sure of what data collection items are required, you can
use the ProfileTemplate
class to retrieve details from the policy.
- Perform additional operations required by your application to
approve the request.
- Call Approve to approve the request.
The following example demonstrates these steps.
Copy Code | |
---|---|
// Approve request for the request GUID specified by requestUuid Request request = FindOperations.GetRequest(requestUuid); List<Microsoft.Clm.Shared.Requests.DataCollectionItem> dataCollectionList = new List<Microsoft.Clm.Shared.Requests.DataCollectionItem>(); dataCollectionList.Add(new Microsoft.Clm.Shared.Requests.DataCollectionItem("TelephoneNumber", "(555) 555-5555")); Microsoft.Clm.Shared.Requests.DataCollection dataCollection = new Microsoft.Clm.Shared.Requests.DataCollection(dataCollectionList); Request approvedRequest = RequestOperations.Approve(request, dataCollection, “Approve Comment”); |
Performing the Request
The following procedure details steps that you would ordinarily perform to run a request after it has been approved.
- Find a specific request to execute. You can use the FindOperations
class to search for specific requests based on factors such as
request status, target user, or request type.
- After you have selected the request, load the request details
using the request’s unique identifier.
- If this is a new Smart Card Enroll or Smart Card Recover
request, use the CreateSmartcard method.
- For all certificate templates in the Profile Template that
require client-side requests, generate the Certificate Requests
(CMC Requests) using your own code implementation.
- Run the Enroll Request by calling the Enroll method,
which returns a collection of certificate responses (either PKCS #7
or PFX, or a mix of both, depending on Profile Template settings).
You can then either install these responses onto the smart card
through custom code, or install the responses into the certificate
store of the user (for using without smart card).
- Perform additional smart card processing as required by your
application. This can include storing additional smart card data,
making the smart card available for physical access, or any other
operation your application requires.
- Mark request as completed by calling Complete.
The following example demonstrates these steps.
Copy Code | |
---|---|
//Execute request for the request GUID specified by requestUuid. //'cardSerialNumber' parameter: Smart card serial number //'middleware' parameter : Middleware string //'atr' parameter : Answer to Reset of the card (ATR) |
Copy Code | |
---|---|
Request request = FindOperations.GetRequest(requestUuid); Microsoft.Clm.Shared.Smartcards.Smartcard smartCard; //Create and Assign a Smart Card smartCard = RequestOperations.CreateSmartcard(cardSerialNumber, middleware, atr, request); //Retrieve the Profile Template to determine Certificate Template List ProfileTemplate profileTemplate = FindOperations.GetProfileTemplate(request.ProfileTemplateUuid); //Implement your own GetCertificateRequests method to generate //certificate requests as needed ReadOnlyCollection<CertificateRequest> certificateRequests = GetCertificateRequests(profileTemplate); ReadOnlyCollection<Microsoft.Clm.Shared.Certificates.Certificate> results = ExecuteOperations.Enroll(request.Uuid, certificateRequests, "pfxPassword", "some comment"); //Install the responses as necessary //Mark the request as completed request = ExecuteOperations.Complete(request.Uuid); |
Request Lifecycle
A request moves between different states as it passes through its life cycle. The operations you perform on a request depend on the request’s current state. In addition, a request can only be executed when it is in an approved state.
The states that can exist for a request in a software profile template are as follows:
Pending
: If one or more approvals are required, a request is in a pending state after it is created. If no approvals are required, the request can transition to an approved state.
Canceled
: Once a request is in a pending state, the person who initiated or created the request can decide to cancel the request. Once canceled, the request is in a canceled state.
Denied
: If an approver chooses to deny a pending request, the request enters a denied state. A request cannot be approved after it is denied.
Approved
: If all designated approvers decide to approve a pending request or no approvals are required, the request enters an approved state.
Executing
: When execution is initiated on an approved request, the request enters an executing state.
Failed
: A request is marked as 'Failed' if the person running the request explicitly ends or abandons the request.
Completed
: If an executing request is completed successfully, the request enters a completed state.
For more information, see Request Processing.