About CMU
CMU lets system administrators automate the common credential management tasks that most users find extremely daunting. Custom CMU scripts can be used to:
- facilitate PKI enrollment
- reconfigure critical applications after key rollover
- synchronize user credentials between web browsers
- create secure backups of user credentials
- transparently configure user CAPI, MAPI, Outlook S/MIME, and GAL profiles
Imagine what you'll save in help desk calls alone!
CMU scripts can be easily distributed as self-extracting/self-executing packages that users can run from your corporate web server by simply clicking on a link.
Supported Applications
CMU supports the configuration, management, and migration of credentials in and among the following applications:
- Microsoft Internet Explorer 5.0 and above
- Microsoft Outlook 2000, 2002, 2003, 2007
- Microsoft Exchange 5.5 and above
- Netscape 4.75 and above
- Mozilla 1.1, 1.6, and above
- Firefox 1.0 and above
- SecretAgent 5.x, SpyProof! 1.x
This diagram illustrates the configuration and credential migration capabilities of the product, while the table below provides a more detailed list of the available functions:
Detailed Function List
The principal functions provided by the CMU are:
| Key | Function | Description |
| --- | --- | --- |
| b | configure Outlook S/MIME | adds S/MIME encrypt and sign buttons to Outlook's message composition toolbar (works with Outlook 2000/2002/2003; Outlook 97/98 can be supported with a special cmu build); version 2.1 can force reconfiguration of Outlook so that Word is no longer used as the default e-mail editor |
| c | configure CAPI client authentication | configures the user's CAPI store so that IE does not prompt for certificate selection during client authentication, but rather automatically provides the user's freshest signing certificate; version 2.0 allows signing certificates to be filtered by issuing CA's authorityKeyIdentifier value |
| d | POST file or string; download file from specified URL | uses HTTPS to retrieve an arbitrary file from a specified web server (can be used to retrieve certificates, CRLs, or even auxiliary cmu batch scripts); latest version allows file (or literal string) to be POST'ed to the server and result captured to a file |
| e | export | exports user credentials as PKCS#12 files from specified browsers to a local backup folder; descriptive file names are automatically generated to make it easy to locate a particular key pair in an emergency |
| i | import | imports the specified PKCS#7 and PKCS#12 files into the certificate stores of all supported browsers; version 2.0 supports base64-encoded as well as binary PDUs |
| l | list | displays the friendly names of all PKCS#12 files in a local backup folder |
| m | configure MAPI security | sets the user's freshest signing and/or encrypting certificate(s) found in CAPI as the S/MIME certificates in the user's default MAPI security profile for use with Outlook (extremely useful after key rollover); version 2.1 allows user certificates to be filtered by issuing CA's authorityKeyIdentifier value |
| p | publish to GAL | publishes the user's freshest certificates to the global address list (GAL) using MAPI to automatically identify the user account and appropriate Exchange Server host; version 2.1 allows user certificates to be filtered by issuing CA's authorityKeyIdentifier value |
| r | reinitialize | backs up the user's existing default Netscape databases and recreates them using the specified password (useful when a user forgets his Netscape database password) |
| s | synchronize | imports into specified browsers all PKCS#12 files found in a local backup folder together with all new PKCS#7 and PKCS#12 files specified on the command line |
| u | update SecretAgent and/or SpyProof! profiles | reconfigures user profiles for these ISC applications to use freshest signing and encryption certificates in CAPI or as specified on the command line |
| q | create/update LDAP query in Outlook | allows customized LDAP queries to be programmatically added to the user's "address books" in Outlook |
| w | write NSS directory list file | allows a list of Netscape-based credential database folders to be written to a text file and reused with other commands, thereby avoiding repeated database discovery searches |
A large number of options allow you to customize CMU to best fit your particular credential management needs. And ISC is always willing to add related features that we may not have already thought of. Let us know what new functions you need!
Additional Information
CMU 2.0 Command Line Interface Documentation (PDF updated 6/13/08)
The size of the cmu executable alone is roughly 800KB. Included in the standard distribution are three optional 'tools directories' that provide support for the three different Netscape/Mozilla database architectures that have been fielded since release 4.75. Each set of optional database 'tools' adds 1-2MB to the size of the total package. Of course, the cmu executable and any necessary 'tools' can be pulled on demand from a shared file/application server, so the total 'footprint' on end user systems is minimal. (The cmu inspects each Netscape/Mozilla database it encounters to determine which version(s) of the tools are required. Program configuration variables can be used to specify the locations of the various tool directories if they are not in their default locations immediately underneath the cmu.exe directory.)
