For the latest version, please use Certificate Lifecycle Manager 6.10.0!

Realms

In MTG CLM, a realm acts as a strict logical boundary used to segregate data, enforce access controls and support multi-tenant architectures.

By using realms, organizations can isolate different departments, subsidiaries or environments (e.g., separating Development from Production) within a single MTG CLM deployment.

Data Isolation and Boundaries

Realms provide strict data segregation. When an object is created, it is permanently bound to the realm it was created in and cannot be moved to another realm later. The following components are strictly isolated within their respective realms:

Multi-Realm Access

While the data itself cannot cross realm boundaries, access can be provisioned flexibly. Users, API clients and groups can be assigned roles in more than one realm; each realm role grants access to the certificate lifecycle operations of that realm only. This supports cross-functional or multi-tenant workflows in which administrators or specific service accounts require visibility across different environments.

The SYSTEM Realm

The SYSTEM realm is the default, immutable realm created during the installation of MTG CLM. Its purpose is to manage the certificates that MTG CLM itself needs (such as the CMP Signer certificate, user certificates used for authentication, etc.). Because these certificates also go through the full certificate lifecycle, the SYSTEM realm serves as a central place for monitoring, renewing and using them according to your specific needs.

Realm Lifecycle and Cascading Effects

Because realms act as foundational containers for your PKI data, modifying a realm’s lifecycle state directly impacts all objects within it.

  • Archiving a Realm: When a realm is archived, all associated certificates, certificate requests, end entities, and policies within that realm are also deactivated. Archived realms can no longer be used for active certificate operations, but their historical data remains intact for auditing and compliance purposes.

  • Deleting a Realm: Deletion is a permanent action. A realm can only be deleted if it has been archived first. Deleting a realm permanently removes the realm and all of its associated, isolated data from the database.

Realm Certificate Providers

Certificate providers are configured on a per-realm basis. To use a specific provider within a realm, you must assign it during the realm's creation or by editing the realm's settings. A provider that is not assigned to a realm cannot be used from that realm, which keeps issuance sources under strict control per environment.
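The rules above (permanent realm binding, per-realm roles, archive cascading to the realm's objects, archive-before-delete, the immutable SYSTEM realm and per-realm provider assignment) can be made concrete as a small executable model. The following Python is an added illustrative example, not MTG CLM code or its API; the names RealmStore, Realm, Certificate, Principal and the role names "operator" and "admin" are assumptions chosen for the example, and the realm, provider and serial values are constructed sample data.

```python
"""Illustrative model of realm semantics (added example, not MTG CLM code).

RealmStore, Realm, Certificate, Principal and the role names used here are
hypothetical and exist only to make the documented rules executable.
"""
from dataclasses import dataclass, field
from enum import Enum


class RealmState(Enum):
    ACTIVE = "active"
    ARCHIVED = "archived"


@dataclass
class Certificate:
    serial: str
    realm: str            # bound at creation; nothing in this model ever changes it
    active: bool = True


@dataclass
class Realm:
    name: str
    state: RealmState = RealmState.ACTIVE
    providers: set = field(default_factory=set)   # providers assigned to this realm
    certs: dict = field(default_factory=dict)     # serial -> Certificate


@dataclass
class Principal:
    name: str
    realm_roles: dict = field(default_factory=dict)  # realm name -> set of roles


class RealmStore:
    def __init__(self):
        # SYSTEM exists from the start and is never archived or deleted.
        self.realms = {"SYSTEM": Realm("SYSTEM")}

    def create_realm(self, name, providers=()):
        if name in self.realms:
            raise ValueError(f"realm {name} already exists")
        self.realms[name] = Realm(name, providers=set(providers))
        return self.realms[name]

    def authorize(self, principal, realm_name, role):
        """Roles are scoped per realm: 'admin' in DEV grants nothing in PROD."""
        if role not in principal.realm_roles.get(realm_name, set()):
            raise PermissionError(f"{principal.name} lacks {role} in {realm_name}")

    def issue(self, principal, realm_name, serial, provider):
        """Create a certificate bound to realm_name using one of its providers."""
        self.authorize(principal, realm_name, "operator")
        realm = self.realms[realm_name]
        if realm.state is not RealmState.ACTIVE:
            raise RuntimeError(f"realm {realm_name} is archived")
        if provider not in realm.providers:
            raise PermissionError(f"provider {provider} is not assigned to {realm_name}")
        cert = Certificate(serial=serial, realm=realm_name)
        realm.certs[serial] = cert
        return cert

    def archive(self, principal, realm_name):
        """Archiving cascades: every object in the realm is deactivated."""
        if realm_name == "SYSTEM":
            raise RuntimeError("the SYSTEM realm is immutable")
        self.authorize(principal, realm_name, "admin")
        realm = self.realms[realm_name]
        realm.state = RealmState.ARCHIVED
        for cert in realm.certs.values():
            cert.active = False       # historical data stays, but is no longer usable
        return realm

    def delete(self, principal, realm_name):
        """Deletion is permanent and only allowed for an archived realm."""
        if realm_name == "SYSTEM":
            raise RuntimeError("the SYSTEM realm is immutable")
        self.authorize(principal, realm_name, "admin")
        if self.realms[realm_name].state is not RealmState.ARCHIVED:
            raise RuntimeError("archive the realm before deleting it")
        del self.realms[realm_name]   # realm and all of its isolated data are gone


if __name__ == "__main__":
    store = RealmStore()
    store.create_realm("DEV", providers={"internal-ca"})    # constructed sample data
    store.create_realm("PROD", providers={"public-ca"})
    alice = Principal("alice", {"DEV": {"operator", "admin"}, "PROD": {"operator"}})
    cert = store.issue(alice, "DEV", "01", "internal-ca")
    store.archive(alice, "DEV")
    print(cert.realm, cert.active)      # DEV False
```

The checks are deliberately ordered so that the immutability of SYSTEM and the per-realm role check are evaluated before any state change, and the provider check runs against the target realm's own assignment list rather than a global one.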

Realm Notifications

Older versions of MTG CLM used basic mailing lists defined at the realm level. These have been replaced by a centralized, configurable notification engine.

To configure lifecycle alerts, expiration warnings and contact groups for a specific realm’s activity, refer to the notifications and global contacts documentation.