Saturday, July 2, 2016

Configure Device communication when using an existing SSL Certificated with Enterprise Mobility Manager



The two main components of WSO2 Enterprise Mobility Manager are mobile device management and mobile application management. Setting up WSO2 EMM can be done by following the “Getting Started” guide as mentioned in the documentation. This article mainly emphasizes on how to obtain the certification configuration for your personal domain.

Enrolled devices and WSO2 Enterprise Mobility Manager communicates using the HTTPS protocol. This is to make sure that the private and sensitive data stored in the mobile device cannot be retrieved by a third party or unauthorized personals. All the communication carried out between devices, APNS and EMM server is based on certificates included in the key-store files with the extension “jks”. These security features are critical since EMM supports both cooperate owned (COPE) and personal (BOYD) device management. In the section “Configuring the product” guide you have been provided with the steps to configure the EMM server to used in your local subnet where the server and the devices uses a SSL certificate issued by the inbuilt Certificate Authority of the EMM server.

Communications between devices and EMM server

WSO2 EMM server consists of the following components:
  • SCEP server component.
  • CA server component.
  • Device Management Component.

The iOS device acts as a SCEP client where it sends the SCEP request to the Server. For enrollment purposes, this communication requires a certificate which will be generated by the CA server component of EMM. The iOS device will generate a private/public key pair and send a certificate signing/authorization request to the CA where the CA component will need to generate the public key certificate and store the public key for encryption which will be used later.

There is communication between IOS devices and APNS as well as Android devices and GCM for policy monitoring and to perform operations. All the devices will communicate with the EMM server using the agent applications. All these communications must be secured using certificates.
You can see the communication flow in Figure 1 given below.




In order to provide secure communication between the components represented in Figure 1, you have to obtain an SSL certificate for your domain from a Certificate Authority. When hosted under a public domain the obtained SSL certificates needs to be included into the key stores.


Obtaining an SSL Certificates for your domain

You can choose one of the SSL certificate providers available in the market according to your requirements and budget. You can successfully obtain an SSL certificate for your domain by following the steps provided below accordingly:

  1. Purchase a SSL certificate.
  2. Create a CSR form including your domain and project data
  3. Submit the CSR to the SSL vendor
  4. Verify the CSR request by validating that you control the domain the certificate will protect.
  5. Your SSL certificate will be delivered to you or can be downloaded as facilitated by your certificate vendor.

You can follow the “Get SSL on my website” guide for more information on how to obtain SSL certification.

Configuring for IOS device management

Configuring the IOS device management and communications is a three step process :
  1. Obtaining a signed CSR from WSO2.
  2. Configuring EMM server for IOS device management.
  3. Configuring the IOS client.


Obtaining a signed CSR from WSO2

Create a Certificate Signing Request (CSR) file from the EMM server using your private key. You can use commands given below to generate the CSR file:

openssl genrsa -des3 -out <Your_Private_Key_File> 2048
openssl req -new -key <Your_Private_Key_File> -out <You_CSR_File>

Make sure to create both Your_Private_Key_File and Your_CSR_File files with .pem extension

Provide correct information to the prompted questions related to your organization and the project. Make sure to provide the actual organization name as this is a required field. The Email address provided should be valid as this will act as the identification of your CSR request in order to identify you in a CSR expiration situation. Common name stands for the fully qualified domain name of your server. Make sure that the information you have provided is of high accuracy since the artifacts provided will bind to the provided domain name. IOS device can be only managed by the server which is hosted under the provided host name.
You can submit the CSR request to the “Obtain the signed CSR file” form. Make sure to enter the same information as you entered in the CSR request when filling the above form.
You will be provided with the following artifacts which is required to configure the EMM server to manage IOS devices:
  1. The signed CSR file in .plst format.
  2. Agent source code.
  3. P2 repository, which contains the feature list.


Please refer “Obtaining the Signed CSR File” guide for more information on obtaining a signed CSR file.

Configuring EMM server for IOS device management

IOS server configuration is a complex and prolonged process which can be described by the following steps. By following these steps in order you can easily configure the EMM server for iOS device management:

  1. Installing IOS feature to EMM server.
  2. Configure general IOS server settings.
  3. Generate the MDM APNS certificate.

Installing IOS feature to the EMM server

Start the EMM server in order to install the features from the P2 repository obtained via the CSR request.
You can navigate to the carbon console using <YOUR_DOMAIN>/carbon and then navigate to the configure tab. Then select the features option from the list.
IOS related features will be available in the P2 repository provided to you with the signed CSR. Install all the three features given. After the installation of the features is completed, stop the EMM server and process to the following location : <EMM_HOME>/repository/conf
You will find a new configuration file “ios-config.xml” in the directory. Modify the “iOSEMMConfigurations” accordingly. Please refer to “Installing WSO2 EMM iOS Features via the P2 Repository” guide for more information.
Configure general IOS server settings.
In order to setup your server with IOS, follow the instructions given in “ General iOS Server Configurations” guide until Step 5.
After completing Step 5 follow the instructions given below:
  • Convert the downloaded ssl certificates from your vendor to .pem files.
openssl x509 -in <RA CRT> -out <RA CERT PEM>
Example:
openssl x509 -in your-domain-com-apache.crt -out your-domain-com-apache.pem
openssl x509 -in your-domain-com-ee.crt -out your-domain-com-ee.pem
  • Create a certificate chain with the root and intermediate certifications.
cat <CERTIFCATE 1> <CERTIFICATE 2> ... >> <CERTIFICATE CHAIN>
Example:
cat your-domain-com-apache.pem your-domain-com-ee.pem >> clientcertchain.pem
cat your-domain-com-apache.crt your-domain-com-ee.crt >> clientcertchain.crt
  • Export the SSL certificate chain file as a PKCS12 file with "wso2carbon" as the alias.
openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in clientcertchain.crt -CAfile clientcertchain.pem -name "<alias>"
Example:
openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in clientcertchain.crt -CAfile clientcertchain.pem -name "wso2carbon"



After following the steps as above resume the configuration from Step 7.b as in “General iOS Server Configurations” guide.
Note that Step 6 and 7.a need to be skipped since the server configuration mentioned in those steps is for the public domain with already obtained SSL certificates.

Generate the MDM APNS certificate.
Go to the Apple Push Certificate Portal and upload the .plist file provided with the signed CSR from WSO2 and generate the MDM certificate. Follow the instructions given in “Generate MDM APNS Certificate” guide in order to convert the downloaded certificate to .pxf format.


After completing the instructions given, you can proceed with the IOS platform configuration as instructed in the “IOS Platform Configuration” guide.


Configuring Android device management

To enable secure communication between android devices and your EMM server please follow the “Android Configurations” guide. You can skip the certificate generation described in Step 1 under “Generating a BKS File” and move to Step 2 directly since you have already completed the above when configuring the IOS device communication.


Configuring Windows device management

There are no additional configurations needed to enable windows device management.

No comments:

Post a Comment