
Technical Certificates Overview

Version 8.2

Mobile Service Manager

Certificates Overview 2

Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information

© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.


Table of Contents


1 Good MSM Certificates: Technical Overview 6

2 Good MSM Certificate Prerequisites 7

Configure the Certificate Authority 10

Grant the Good MSM Service Account rights to the CA 10

Encryption Services 11

Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates 12

Create Wi-Fi CA templates 13

Create CA templates 13

Create VPN CA templates 17

Create Exchange CA templates 17

Configure Good MSM to Access your CA 17

Creating an Identity Certificate 18

Creating a Wi-Fi Configuration 19

Creating a VPN Configuration 20

Creating an Exchange ActiveSync Configuration 21

Appendix A: Configuring a Certificate Authority (CA) on Windows Server 2008 23


Good MSM Certificates: Technical Overview

There are a few important items to understand about Good’s certificate management functionality for Apple iOS devices before you start configuring Good MSM to support your internal CA environment:

• Good MSM will automatically discover enterprise Certificate Authority (CA) servers that are members of the same Domain as the Good MSM server.

• Good MSM will automatically validate certificate templates installed on the CA server so that only templates appropriate to the specific use case of client authentication will be exposed.

• Good MSM does not require SCEP to be turned on at the CA server itself, and does not require that the CA server be directly exposed to devices. Good MSM acts as a registration authority and sets up its own SCEP server to handle the process of issuing authentication certificates to a device that needs to be provisioned to access an enterprise CA server. Only the Good MSM server needs to talk directly to the CA server, and it does so using a secure protocol other than SCEP.

• Good MSM does more than simply remove the authentication cert from the device when the device is retired. Good MSM revokes the certificate so that if it is restored via a backup, the CA server will reject the certificate when the user attempts to use it to access a corporate Wi-Fi network.

• Good MSM will automatically renew a certificate before it expires, based on the expiration date.

• Good MSM certificates support Wi-Fi Access Points configured with WPA2 Enterprise EAP-TLS.

VPN and Exchange access will be supported in future versions of BoxTone.


Certificate Prerequisites

In order to configure Good MSM to deliver certificates to iOS devices, an authoritative Microsoft PKI infrastructure needs to be in place. The following section is a detailed overview of Good’s requirements.

CA Environment

The Good MSM server and Microsoft CA PKI infrastructure must be members of the same domain.

• The CA must have access to directory services and be able to issue and manage certificates.

• The CA must have the ability to issue its own self-signed certificates.

• The CA must have the ability to create a new private key in order to generate and issue certificates to a client.

• The CA must have the ability to configure a cryptographic service provider and pick a hash algorithm that will create a new private key with a specific key length.

Common Name

The CA must have the ability to configure the CA name.

• This is required to specify a Common Name (CN) with distinguished name prefixes.

• Good MSM recommends creating a CA Common Name specific to the Good MSM installation.

Certificate Authority Validity Period and renewal

The CA validity period needs to be renewed before it expires. If it is not, all certificates that have been issued will need to be reissued. Be sure to set your CA validity period such that you will have enough time to renew.

Good MSM Service Account

The Good MSM service account must have the following access to the Certificate Authority:

• Read

• Issue Certificates

• Manage Certificates

• Request Certificates


Registration Authority (RA)

Good MSM functions as the Registration Authority for certificates. The Good MSM RA uses two sets of credentials, one for signing and one for encryption. Good MSM uses CEP for encryption and the Exchange Enrollment Agent (Offline Requests) for signing the certificates. Both the CEP and Exchange Enrollment Agent templates must be configured and published for the Good MSM service to pick up and validate the services.

CEP Encryption Template

The Good MSM service account must have read and enroll permissions to the CEP Encryption Template

Exchange Enrollment Agent (Offline Requests)

The Good MSM service account must have read and enroll permissions to the Exchange Enrollment Agent

Wi-Fi Templates Permissions

The Good MSM Service account must have read and enroll permissions to Wi-Fi templates.

Wi-Fi Templates: Configuration Requirements

Wi-Fi Templates should be configured as follows:

• The Wi-Fi template must be configured to have the subject name supplied in the request.

• The Wi-Fi template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must be set for re-enrollment.

• The Wi-Fi template must be published before the Good MSM service will be able to pick up and use the template.

Wi-Fi Access Points

• The Wi-Fi Access Point must be configured to communicate with the Active Directory Domain that contains the CA via RADIUS.

• Users that will access the Wi-Fi Access Point must be a member of a group that has permission to access the AP.

• Good MSM supports WPA2-Enterprise EAP-TLS.

Exchange Templates Permissions

� The Good MSM Service account must have read and enroll permissions to Exchange templates.

� The Exchange template can be very similar to Wi-Fi templates


Exchange Templates: Configuration Requirements

Exchange Templates should be configured as follows:

• The Exchange template must be configured to have the subject name supplied in the request.

• The Exchange template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must be set for re-enrollment.

• The Exchange template must be published before the Good MSM service will be able to pick up and use the template.

VPN Templates Permissions

• The Good MSM Service account must have read and enroll permissions to VPN templates.

• The VPN template can be very similar to Wi-Fi templates.

VPN Templates: Configuration Requirements

VPN Templates should be configured as follows:

• The VPN template must be configured to have the subject name supplied in the request.

• The VPN template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must be set for re-enrollment.

• The VPN template must be published before the Good MSM service will be able to pick up and use the template.

VPN Connection Types

Good MSM supports Cisco AnyConnect and Juniper SSL.

• Either the Cisco or the Juniper connection must be configured to support certificate based authentication.

• Depending upon the connection type, the appropriate VPN client must be installed on the device to connect to the VPN payload.


Configure the Certificate Authority

The following section is a high level overview of the tasks needed to configure a CA within your environment. As certificate management is an integral part of an enterprise’s overall security infrastructure, Good MSM strongly recommends reviewing CA documentation from Microsoft before making any changes to your internal CA environment.

Grant the Good MSM Service Account rights to the CA

Follow these steps to configure the new CA for use in the Good MSM certificate management workflow:

• Right click on the CA and choose Properties.

• Select the Security tab.

• Add the Good MSM service account and select the Read, Issue and Manage Certificates, and Request Certificates rights as displayed below.

Grant the Good MSM service account rights to Exchange Enrollment Agent (Offline Request) and CEP

Encryption Services

Follow these steps to allow the Good MSM server to act as a Registration Authority on behalf of the CA:

• Go to Certificate Templates (under Active Directory Certificate Services).

• Right click on Exchange Enrollment Agent (Offline Request).

• Select the Security tab.

• Add the Good MSM service account and set the Read and Enroll rights as displayed below.

• Right click on CEP Encryption.

• Select the Security tab.

• Add the Good MSM service account and set the Read and Enroll rights as displayed below.

Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates

Perform the following under the CA that was created within the domain:

• Right click in the list of Certificate Templates and select New.

• Choose Certificate Template to Issue.

In the dialog, select the CEP Encryption and Exchange Enrollment Agent (offline request) templates as shown below.

• Click OK

Create Wi-Fi CA templates

Performing the following steps on your CA will allow you to create a template that issues identity certificates granting users the right to authenticate to a Wi-Fi network:

Create CA templates

• Click Certificate Templates (under Active Directory Certificate Services).

• Right click on User and choose “Duplicate template”.

• You will be prompted to select a user template type; select Windows 2003 Server, Enterprise Edition.

• Provide a name for the template display name.

• Select the Security tab.

• Add the Good MSM service account to the dialog and select the Read and Enroll rights.

• Select the Subject Name tab and select Supply in the request.

• Select the Issuance Requirements tab. Check the field labeled This number of authorized signatures and set it to 1.

• Set the field labeled Application Policy to Certificate Request Agent.

Publish template

Performing the following steps on your CA will allow you to publish the templates you created in the previous steps:

• Right click in the list of Certificate Templates and select New.

• Choose Certificate Template to Issue.

• Select the Wi-Fi template just created.

• Click OK

Configure the Good MSM Service Account to be a restricted CA manager

Performing the following steps on your CA will allow the Good MSM Service Account to be a restricted CA manager.

• Right click on the CA and choose Properties.

• Select the tab labeled Certificate Managers. Choose the Good MSM service account in the list of Certificate Managers.

• In the field labeled Certificate Templates select All (if listed) and click Remove.

• Click Add… and add the Wi-Fi certificate template that was created above.

• Click OK
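As an added example (not from the Good MSM documentation or product), the following PowerShell script audits a duplicated template against the requirements stated in the prerequisites table and the Wi-Fi template steps above: subject supplied in the request, one authorized signature with the Certificate Request Agent policy, Read and Enroll for the service account, and publication on a CA. It assumes the RSAT ActiveDirectory module is installed; the template CN GoodMSMWiFi and the account CONTOSO\svc-goodmsm are placeholders for your own values.

```powershell
<#
 Added example, not from the Good MSM documentation: audits one AD CS certificate template
 against the settings this guide requires (subject supplied in the request, one authorized
 signature, Certificate Request Agent policy, service-account Read/Enroll, template published).
 Needs the RSAT ActiveDirectory module and read access to the Configuration partition.
 $TemplateName and $ServiceAccount are placeholders for your own values.
#>
param(
    [string]$TemplateName   = 'GoodMSMWiFi',         # template CN (display name without spaces)
    [string]$ServiceAccount = 'CONTOSO\svc-goodmsm'  # Good MSM service account, DOMAIN\name form
)
Import-Module ActiveDirectory

# Well-known AD CS values (schema constants, not invented for this example)
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment extended right
$CertReqAgentOid = '1.3.6.1.4.1.311.20.2.1'                     # Certificate Request Agent policy OID
$SuppliesSubject = 0x1    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$RightExtended   = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the bit carrying extended rights such as Enroll
$RightReadProp   = 0x10   # ADS_RIGHT_DS_READ_PROP: set by the "Read" permission (part of GenericRead)

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tpl = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,$pkiBase" `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-RA-Signature', `
                'msPKI-RA-Application-Policies', 'nTSecurityDescriptor'

$results = [ordered]@{}

# Subject Name tab: "Supply in the request"
$results['SubjectSuppliedInRequest'] = (($tpl.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject) -ne 0)

# Issuance Requirements tab: "This number of authorized signatures" set to 1
$results['AuthorizedSignaturesIs1'] = ($tpl.'msPKI-RA-Signature' -eq 1)

# Issuance Requirements tab: Application Policy = Certificate Request Agent (stored as an OID string)
$results['RAPolicyIsCertRequestAgent'] = ("$($tpl.'msPKI-RA-Application-Policies')" -like "*$CertReqAgentOid*")

# Security tab: Allow ACEs on the template object; Enroll is the extended right with the GUID above
$allowAces  = $tpl.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
$enrollAces = $allowAces | Where-Object {
    (([int]$_.ActiveDirectoryRights -band $RightExtended) -ne 0) -and
    ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty) # Empty = all extended rights
}
$results['ServiceAccountHasRead'] = [bool]($allowAces | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    (([int]$_.ActiveDirectoryRights -band $RightReadProp) -ne 0) })
$results['ServiceAccountHasEnroll'] = [bool]($enrollAces |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount })

# Other principals that can enroll, listed for review (a duplicated User template inherits its defaults)
$results['OtherEnrollPrincipals'] = ($enrollAces |
    Where-Object { $_.IdentityReference.Value -ne $ServiceAccount } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join '; '

# "Template must be published": each CA lists the templates it issues on its pKIEnrollmentService object
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates
$results['PublishedOnCAs'] = (@($cas | Where-Object { $_.certificateTemplates -contains $TemplateName } |
    ForEach-Object Name) -join '; ')

[pscustomobject]$results | Format-List
```

Run it once per template (Wi-Fi, VPN, Exchange) after the publish step; an empty PublishedOnCAs value means no CA in the forest is issuing that template yet.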

 

 

Create VPN CA templates

Follow the steps under Create Wi-Fi CA templates.

Create Exchange CA templates

Follow the steps under Create Wi-Fi CA templates.

Configure Good MSM to Access your CA

General Setup

To configure Good MSM to use your CA the following steps should be performed:

• Log into the Good MSM web console.

• In the menu under the tab labeled SECURITY select Certificates.

• Under Certificate Authorities highlight the name of the CA you wish to configure. The CA being used in this example is named demo-DEMO-DC-CA.

• In the right hand pane perform the following steps:

  • Request the Encryption certificates into Good MSM by clicking the button labeled Request in the row entitled Encryption.

  • Request the Signing certificates into Good MSM by clicking the button labeled Request in the row entitled Signing.

• Once the requests have been completed, refresh your browser. Once the page refresh is complete, the screen will appear as below:

Creating an Identity Certificate

Before you create a Wi-Fi device configuration that will authenticate with certificates, Good MSM must be configured to use the Identity Certificate that was created on your CA.

To do this:

• In the menu under the tab labeled SECURITY select Device Configurations.

• Select a Device Configuration and go into Edit Mode.

• Within the box labeled Add Configuration select Identity Certificate.

• Good MSM will automatically populate the fields with a simple Display Name, the Certificate Authority, and the Certificate Template to use. If desired you can optionally configure the subject template to match a key value pair to track the user. In the example below the user’s CN is being matched to their Principal name.

 

Creating a Wi-Fi Configuration

After adding in the Identity Certificate you need to configure a Wi-Fi configuration to use the identity certificate. To do this:

• Within the box labeled Add Configuration under device configuration select Wi-Fi.

• Enter the SSID for the Wi-Fi network in the field labeled SSID.

• Check Hidden Network and Automatically join the network if appropriate in your environment.

• In the field labeled Security Types select WPA / WPA2 Enterprise.

• Check the box labeled TLS.

• In the field labeled Identity Certificate, select the identity certificate configured above.

• The field labeled Trusted Certificate Names is optional. If needed in your environment, add the list of server certificate common names that will be accepted by your Wi-Fi Access Points.

• Check the box labeled Allow trust exceptions if appropriate in your environment (not recommended).

• Configure Proxy Type as appropriate in your environment.

• After setting up the Wi-Fi configuration click Save & Publish to deploy the configuration.

More information on creating device configurations can be found within the Good MSM Security Management Guide.

Creating a VPN Configuration

After adding in the Identity Certificate you need to configure a VPN configuration to use the identity certificate. To do this:

• Within the box labeled Add Configuration under device configuration select VPN.

• Enter the connection name for the VPN network in the field labeled Connection Name.

• In the field labeled Connection Type select VPN AnyConnect from the drop down.

• In the field labeled Server enter the domain name of the server that accepts certificate authentication.

• In the field labeled User Authentication select Certificate from the drop down.

• In the field labeled Identity Certificate, select the identity certificate configured above.

• Enable VPN On Demand is optional; leave it unchecked unless you need to restrict access, in which case check this box and provide the server domain names.

• The Group Name field is optional; leave it blank.

• The Proxy Type field is optional. This field defaults to None.

 

Creating an Exchange ActiveSync Configuration

After adding in the Identity Certificate you need to configure an Email configuration to use the identity certificate. To do this:

• Within the box labeled Add Configuration under device configuration select Email.

• Enter the account name for the Email account in the field labeled Account Name.

• In the field labeled CAS Server for Exchange 2010 enter the Exchange server name that supports certificate based authentication.

• Leave the default settings for other field selections.

• In the field labeled User Authentication select Certificate from the drop down.

• In the field labeled Identity Certificate, select the identity certificate configured above.


Appendix A

Configuring a Certificate Authority (CA) on Windows Server 2008

The following section provides a brief overview of how a CA is configured in a Windows 2008 environment. This is only an example of one method that can be followed to configure a CA. Before you configure a CA within your environment you should work with the various stakeholders within your organization to identify your overall requirements, and a certificate infrastructure should be designed to meet those needs.

Install CA Role

Follow these steps to configure Windows Server 2008 to act as a Certificate Authority:

• Open Server Manager.

• In the Server Manager, click Roles, Add Roles.

• In the Wizard, select Active Directory Certificate Services.

• Select “Certification Authority”.

• Select Enterprise.

 

• Select “Root CA”.

• Select “Create a new Private Key”.

 

 

• The next screen lists the available Cryptographic Service Providers (CSPs). Select the hash algorithm that works best in your environment; Good MSM supports all algorithms supported by the Microsoft CA.

• Enter the common name that will be used to identify the CA in the next screen. This name will be synchronized with Good MSM and appear in the Good MSM UI.

• Configure the expiration date of the CA on this page.

 

 

• Click Next until the installation finishes and finally select Close.

• Close and re-open the Server Manager application. The CA role you just added should appear.

 

 

Technical Certificates Overview

Mobile Service Manager

Version 8.2.0.1.1072

Copyright 2015 by Good Technology. All rights reserved.

Trademarks

Good is a registered trademark of Good Technology Incorporated.

Microsoft and Microsoft Windows are registered trademarks of Microsoft Corporation. All other product names used are trademarks of their respective owners.

Notice

The material in this document is for information only and is subject to change without notice. While reasonable efforts have been made in the preparation of this document to assure its accuracy, Good Technology Inc. assumes no liability resulting from errors or omissions in this document, or from the use of the information contained herein. Good Technology Inc. reserves the right to make changes in the product design without reservation and without notification to its users.

Edition

July 15, 2015