Import clmKRAgent, clmAgent and clmEnrollAgent certificates into FIM CM

  • Wednesday, October 03, 2012 9:38 PM

    I have built a FIM CM solution and I notice that the clmKRAgent, clmAgent and clmEnrollAgent certificates get enrolled during the installation process. I have then read that these certificates will have to be renewed periodically (http://technet.microsoft.com/en-us/library/hh149034(v=ws.10).aspx). Is there an easy way to import these into FIM CM so that I get an e-mail reminder when these certificates enter their renewal period?

    Can this be done using clmutil -importpfx?

    Regards,

    Stuart

All Replies

  • Wednesday, October 03, 2012 10:32 PM

    Hi, after doing a bit more digging it looks like I have to use clmutil -syncrequest or clmutil -sync.

    I have tried both commands and I get an error that the "FIM CM Utility has stopped working". When I run -unique -sync xyzpki002.ad.mydomain.com\CA-Issuing01 I get the output shown below (in **Error Output**). I got the ca_server_name and ca_name values from the dbo.CertificateAuthority table. I have also updated the CLMUtil.exe.config file as shown below (in **CLMUtil.exe.config**). Can someone please help me out with what I'm doing wrong?

    ********************************************CLMUtil.exe.config*********************************************

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
    <appSettings>
     <!-- The following keys are required for the command line switches below :
       -sync
       -syncrequest
       -importpfx 
       -addca
          -removeca
          -listca
         
       "DatabasePath" can be an explict database connection string or a protected registry string from Web.Config.
     -->
        <add key=”DatabasePath”
     value=protected:Registry,DPAPI;
     value:HKLM\SOFTWARE\Microsoft\Clm\v1.0\Server\WebUser\,DBConnectionString” />

      <!-- The following keys are required for the command line switches below :
          -sync
       -syncrequest
       -importpfx 
       
       "CertImportDebugFile" can be set to an empty string to disable debug information.
     -->
        <add key="DefaultCertificateTemplateOID" value="1.2.3.4" />
        <add key="CertImportDebugFile" value="C:\Temp\debug.txt" />
       
        <!-- The following keys are required the -importpfxbatch command line switch ONLY -->
        <add key="ImportPfxSuccessDirectory" value="C:\Temp\success" />
        <add key="ImportPfxReportFileName" value="C:\Temp\success\report.txt" />   
    </appSettings>
    </configuration>

    ********Error Output******************************************

    About to look up :'AD\XYZPKI002$'.
    Error (GetUserUuid): The type initializer for 'Microsoft.Clm.DS.ConnectionOptions' threw an exception..
    Error: The type initializer for 'Microsoft.Clm.DS.ConnectionOptions' threw an exception..

    Unhandled Exception: System.Configuration.ConfigurationErrorsException: Configuration system failed to initialize ---> System.Configuration.ConfigurationErrorsException: '"' is an unexpected token. The expected token is '"' or '''. Line 14, position 14. (C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Bin\ClmUtil.exe.Config line 14) ---> System.Xml.XmlException: '"' is an unexpected token. The expected token is '"' or '''. Line 14, position 14.
       at System.Xml.XmlTextReaderImpl.Throw(Exception e)
       at System.Xml.XmlTextReaderImpl.ParseAttributes()
       at System.Xml.XmlTextReaderImpl.ParseElement()
       at System.Xml.XmlTextReaderImpl.ParseElementContent()
       at System.Configuration.XmlUtil.CopyXmlNode(XmlUtilWriter utilWriter)
       at System.Configuration.XmlUtil.CopyElement(XmlUtilWriter utilWriter)
       at System.Configuration.XmlUtil.CopySection()
       at System.Configuration.BaseConfigurationRecord.ScanSectionsRecursive(XmlUtil xmlUtil, String parentConfigKey, Boolean inLocation, String locationSubPath, OverrideModeSetting overrideMode, Boolean skipInChildApps)
       at System.Configuration.BaseConfigurationRecord.ScanSections(XmlUtil xmlUtil)
       at System.Configuration.BaseConfigurationRecord.InitConfigFromFile()
       --- End of inner exception stack trace ---
       at System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean ignoreLocal)
       at System.Configuration.BaseConfigurationRecord.ThrowIfInitErrors()
       at System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
       --- End of inner exception stack trace ---
       at System.Configuration.ConfigurationManager.GetSection(String sectionName)
       at System.Configuration.PrivilegedConfigurationManager.GetSection(String sectionName)
       at System.Diagnostics.DiagnosticsConfiguration.Initialize()
       at System.Diagnostics.DiagnosticsConfiguration.get_IndentSize()
       at System.Diagnostics.TraceInternal.InitializeSettings()
       at System.Diagnostics.TraceInternal.WriteLine(String message)
       at Microsoft.Clm.Utility.MainApplication.Main(String[] args)

  • Thursday, October 04, 2012 1:53 PM
     Answered

    It seems that the CLMUtil.exe.config is misconfigured: the " in front of protected:Registry is missing.

    Your value statement is

    <add key=”DatabasePath” value=protected:Registry,DPAPI;value:HKLM\SOFTWARE\Microsoft\Clm\v1.0\Server\WebUser\,DBConnectionString” />

    and it should be

    <add key="DatabasePath" value="protected:Registry,DPAPI;value:HKLM\SOFTWARE\Microsoft\Clm\v1.0\Server\WebUser\,DBConnectionString" />


    /Matthias
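Added example, not from the thread and not part of the FIM CM product: a small Python check for the two quoting faults behind the "FIM CM Utility has stopped working" crash above. The embedded config is a constructed reproduction of the file posted in the question, indented as the file itself would be, so the XML parser stops at line 14, position 14, exactly where System.Configuration reported it: the typographic quote (U+201D) after `key=`, which the console output renders as a plain `"`. Normalizing the quotes alone is not enough, because `value=protected:...` is still unquoted and the parser then fails on line 15. Only the one-line element from the answer parses and yields the DatabasePath reference ClmUtil reads. It is kept on one line on purpose: an XML parser normalizes a line break inside a quoted attribute value to a space, which would end up inside the registry reference. The `apply_answer_fix` helper and its regex are this example's own, not a ClmUtil switch.

```python
"""Added example (not from the thread): locate the quoting faults that make
System.Configuration reject ClmUtil.exe.config, and confirm the answer's fix parses."""
import re
import xml.etree.ElementTree as ET

# Typographic quotes that a word processor or a web page pastes in place of ASCII ones.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u201e": '"', "\u2018": "'", "\u2019": "'"}

# Constructed reproduction of the config posted in the question, with the file's own
# indentation, so the parser's "line 14, position 14" lands on the first curly quote.
BROKEN_CONFIG = r'''<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
 <!-- The following keys are required for the command line switches below :
   -sync
   -syncrequest
   -importpfx
   -addca
      -removeca
      -listca

   "DatabasePath" can be an explicit database connection string or a protected registry string from Web.Config.
 -->
    <add key=”DatabasePath”
 value=protected:Registry,DPAPI;
 value:HKLM\SOFTWARE\Microsoft\Clm\v1.0\Server\WebUser\,DBConnectionString” />
    <add key="DefaultCertificateTemplateOID" value="1.2.3.4" />
    <add key="CertImportDebugFile" value="C:\Temp\debug.txt" />
</appSettings>
</configuration>
'''

# The corrected element from the accepted answer, kept on one line: a line break
# inside a quoted attribute value is normalized to a space by any XML parser and
# would end up inside the registry reference ClmUtil reads.
CORRECT_ADD = ('<add key="DatabasePath" value="protected:Registry,DPAPI;'
               r'value:HKLM\SOFTWARE\Microsoft\Clm\v1.0\Server\WebUser\,DBConnectionString" />')


def find_smart_quotes(text):
    """(line, column, char) for every typographic quote; 1-based like System.Xml."""
    return [(lineno, col, ch)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for col, ch in enumerate(line, start=1)
            if ch in SMART_QUOTES]


def normalize_quotes(text):
    """Replace typographic quotes with the ASCII quotes XML actually accepts."""
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def parse_error(text):
    """None if the document is well-formed, else (line, column, message).
    Note: expat columns are 0-based, System.Xml positions are 1-based."""
    try:
        ET.fromstring(text.encode("utf-8"))
        return None
    except ET.ParseError as exc:
        line, col = exc.position
        return (line, col, str(exc))


def app_settings(text):
    """The key/value pairs ClmUtil will see once the file parses."""
    root = ET.fromstring(text.encode("utf-8"))
    return {add.get("key"): add.get("value") for add in root.iterfind("appSettings/add")}


def apply_answer_fix(text):
    """Swap the mangled DatabasePath element (hypothetical helper) for the one-line corrected form."""
    return re.sub(r"<add key=.DatabasePath.*?/>", lambda m: CORRECT_ADD, text, flags=re.S)


if __name__ == "__main__":
    for line, col, ch in find_smart_quotes(BROKEN_CONFIG):
        print(f"typographic quote {ch!r} at line {line}, position {col}")
    print("as posted:", parse_error(BROKEN_CONFIG))
    print("quotes normalized only:", parse_error(normalize_quotes(BROKEN_CONFIG)))
    fixed = apply_answer_fix(BROKEN_CONFIG)
    print("after the answer's fix:", parse_error(fixed))
    print("DatabasePath =", app_settings(fixed)["DatabasePath"])
```

Run it against a copy of the real file by reading `ClmUtil.exe.config` into `text` instead of `BROKEN_CONFIG`; the first report line already tells you which character to retype, without waiting for the utility to crash again.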