Certificates Overview 2
Legal Notice
This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.
The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.
Legal Information
© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.
Table of Contents

1 Good MSM Certificates: Technical Overview
2 Good MSM Certificate Prerequisites
Configure the Certificate Authority
Grant the Good MSM Service Account rights to the CA
Grant the Good MSM service account rights to Exchange Enrollment Agent (Offline Request) and CEP Encryption
Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates
Create Wi-Fi CA templates
Create CA templates
Create VPN CA templates
Create Exchange CA templates
Configure Good MSM to Access your CA
Creating an Identity Certificate
Creating a Wi-Fi Configuration
Creating a VPN Configuration
Creating an Exchange ActiveSync Configuration
Appendix A: Configuring a Certificate Authority (CA) on Windows Server 2008
BoxTone Certificates Technical Overview
01
Good MSM Certificates: Technical Overview
There are a few important items to understand about Good’s certificate management functionality for Apple iOS devices before starting to configure Good MSM to support your internal CA environment:
• Good MSM will automatically discover enterprise Certificate Authority (CA) servers that are members of the same domain as the Good MSM server.
• Good MSM will automatically validate the certificate templates installed on the CA server so that only templates appropriate to the specific use case of client authentication are exposed.
• Good MSM does not require SCEP to be turned on at the CA server itself, and does not require that the CA server be directly exposed to devices. Good MSM acts as a registration authority (RA) and sets up its own SCEP server to handle the process of issuing authentication certificates to a device that needs to be provisioned to access an enterprise CA server. Only the Good MSM server needs to talk directly to the CA server, and it does so using a secure protocol other than SCEP.
• Good MSM does more than simply remove the authentication certificate from the device when the device is retired. Good MSM revokes the certificate, so that if it is restored from a backup it will be rejected when the user attempts to use it to access a corporate Wi-Fi network (once the revocation has been published in the revocation information that the authenticating RADIUS server checks).
• Good MSM will automatically renew a certificate before it expires, based on the expiration date.
• Good MSM certificates support Wi-Fi access points configured with WPA2 Enterprise EAP-TLS.
VPN and Exchange access will be supported in future versions of BoxTone.
02
Certificate Prerequisites
In order to configure Good MSM to deliver certificates to iOS devices, an authoritative Microsoft PKI infrastructure needs to be in place. The following section is a detailed overview of Good’s requirements.
CA Environment
The Good MSM server and the Microsoft CA PKI infrastructure must be members of the same domain.
• The CA must have access to directory services and be able to issue and manage certificates.
• The CA must have the ability to issue its own self-signed certificates.
• The CA must have the ability to create a new private key in order to generate and issue certificates to a client.
• The CA must have the ability to configure a cryptographic service provider and pick a hash algorithm that will create a new private key with a specific key length.

Common Name
The CA must have the ability to configure the CA name.
• This is required to specify a Common Name (CN) with distinguished name prefixes.
• Good MSM recommends creating a CA Common Name specific to the Good MSM installation.

Certificate Authority Validity Period and renewal
The CA certificate needs to be renewed before it expires. If it is not, all certificates that have been issued will need to be reissued. Be sure to set your CA validity period such that you will have enough time to renew.

Good MSM Service Account
The Good MSM service account must have the following access to the Certificate Authority:
• Read
• Issue and Manage Certificates
• Request Certificates
Registration Authority (RA)
Good MSM functions as the Registration Authority for certificates. The Good MSM RA uses two sets of credentials, one for encryption and one for signing: Good MSM enrolls for a CEP Encryption certificate, used for encryption (devices encrypt their enrollment requests to the Good MSM SCEP server with it), and for an Exchange Enrollment Agent (Offline request) certificate, used to sign the certificate requests it submits to the CA on behalf of devices. Both the CEP Encryption and Exchange Enrollment Agent templates must be configured and published before the Good MSM service can pick them up and validate the services. Note that an enrollment agent certificate lets its holder request certificates for any subject name it supplies, so the Good MSM server and its service account should be protected accordingly.

CEP Encryption Template
The Good MSM service account must have Read and Enroll permissions on the CEP Encryption template.

Exchange Enrollment Agent (Offline Requests)
The Good MSM service account must have Read and Enroll permissions on the Exchange Enrollment Agent (Offline request) template.

Wi-Fi Templates Permissions
The Good MSM service account must have Read and Enroll permissions on the Wi-Fi templates.

Wi-Fi Templates: Configuration Requirements
Wi-Fi templates should be configured as follows:
• The Wi-Fi template must be configured to have the subject name supplied in the request.
• The Wi-Fi template must require at least one authorized signature, with the application policy set to Certificate Request Agent, for issuing certificates. This policy must also be set for re-enrollment.
• The Wi-Fi template must be published before the Good MSM service will be able to pick up and use the template.

Wi-Fi Access Points
• The Wi-Fi access point must be configured to communicate, via RADIUS, with the Active Directory domain that contains the CA.
• Users that will access the Wi-Fi access point must be members of a group that has permission to access the AP.
• Good MSM supports WPA2-Enterprise EAP-TLS.

Exchange Templates Permissions
• The Good MSM service account must have Read and Enroll permissions on the Exchange templates.
• The Exchange template can be very similar to the Wi-Fi templates.

Exchange Templates: Configuration Requirements
Exchange templates should be configured as follows:
• The Exchange template must be configured to have the subject name supplied in the request.
• The Exchange template must require at least one authorized signature, with the application policy set to Certificate Request Agent, for issuing certificates. This policy must also be set for re-enrollment.
• The Exchange template must be published before the Good MSM service will be able to pick up and use the template.

VPN Templates Permissions
• The Good MSM service account must have Read and Enroll permissions on the VPN templates.
• The VPN template can be very similar to the Wi-Fi templates.

VPN Templates: Configuration Requirements
VPN templates should be configured as follows:
• The VPN template must be configured to have the subject name supplied in the request.
• The VPN template must require at least one authorized signature, with the application policy set to Certificate Request Agent, for issuing certificates. This policy must also be set for re-enrollment.
• The VPN template must be published before the Good MSM service will be able to pick up and use the template.

VPN Connection Types
Good MSM supports Cisco AnyConnect and Juniper SSL VPN.
• The Cisco or Juniper connection must be configured to support certificate-based authentication.
• Depending upon the connection type, the appropriate VPN client must be installed on the device to connect to the VPN payload.
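The prerequisites above say that Good MSM discovers the enterprise CAs in its domain and that the CA certificate must be renewed before it expires. The following PowerShell script is an added example, not part of the Good MSM documentation or product: it reads the same Enrollment Services container in Active Directory that advertises enterprise CAs, decodes each CA certificate, and reports how many days remain before renewal is required, together with the templates each CA currently publishes. It assumes a domain-joined host with the ActiveDirectory (RSAT) module installed; the 180-day warning threshold is an arbitrary placeholder.

```powershell
# Added example, not part of the Good MSM documentation or product.
# Enumerates the enterprise CAs advertised in the forest (the Enrollment Services
# container that domain members, including Good MSM, use to discover CAs), decodes
# each CA certificate and reports how long remains before it must be renewed.
# Assumes: a domain-joined host with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

function Get-EnterpriseCAStatus {
    param(
        # Warn when fewer than this many days remain (placeholder threshold).
        [int]$WarnDays = 180
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    $cas = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * `
               -Properties cACertificate, dNSHostName, certificateTemplates

    foreach ($ca in $cas) {
        # cACertificate is multi-valued (renewed CA certificates accumulate here);
        # decode every value and keep the one that expires last.
        $certs = foreach ($der in @($ca.cACertificate)) {
            New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList (,[byte[]]$der)
        }
        $current  = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
        $daysLeft = [int][math]::Floor(($current.NotAfter - (Get-Date)).TotalDays)

        New-Object -TypeName PSObject -Property @{
            CAName             = $ca.Name
            Config             = "$($ca.dNSHostName)\$($ca.Name)"   # certutil -config string
            Subject            = $current.Subject
            NotAfter           = $current.NotAfter
            DaysRemaining      = $daysLeft
            RenewSoon          = ($daysLeft -lt $WarnDays)
            PublishedTemplates = @($ca.certificateTemplates)
        }
    }
}

Get-EnterpriseCAStatus -WarnDays 180 |
    Format-Table CAName, Config, NotAfter, DaysRemaining, RenewSoon -AutoSize
```

The Config column is the `host\CA name` string that certutil's `-config` option expects, so the output can be fed straight into the certutil commands used later in this document. PublishedTemplates lists the templates the CA will issue; a template that is created but not published will be missing from it, which is the first thing to check when Good MSM does not offer a template.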
Configure the Certificate Authority
The following section is a high-level overview of the tasks needed to configure a CA within your environment. As certificate management is an integral part of an enterprise’s overall security infrastructure, Good MSM strongly recommends reviewing CA documentation from Microsoft before making any changes to your internal CA environment.

Grant the Good MSM Service Account rights to the CA
Follow these steps to configure the new CA for use in the Good MSM certificate management workflow:
• Right-click on the CA and choose Properties.
• Select the Security tab.
• Add the Good MSM service account and select the Read, Issue and Manage Certificates, and Request Certificates rights. (The Manage CA right is not in this list and is not needed by the service account.)

Grant the Good MSM service account rights to Exchange Enrollment Agent (Offline Request) and CEP Encryption
Follow these steps to allow the Good MSM server to act as a Registration Authority on behalf of the CA:
• Go to Certificate Templates (under Active Directory Certificate Services).
• Right-click on Exchange Enrollment Agent (Offline Request).
• Select the Security tab.
• Add the Good MSM service account and set the Read and Enroll rights.
• Right-click on CEP Encryption.
• Select the Security tab.
• Add the Good MSM service account and set the Read and Enroll rights.
Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates
Perform the following under the CA that was created within the domain:
• Right-click in the list of Certificate Templates and select New.
• Choose Certificate Template to Issue.
• In the dialog, select the CEP Encryption and Exchange Enrollment Agent (offline request) templates.
• Click OK.
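As an added example (not the Good MSM documentation's own procedure, which uses the MMC snap-ins above), the following PowerShell script performs the same two steps from the command line: it grants an account Read and Enroll on the CEP Encryption and Exchange Enrollment Agent (Offline request) templates by editing their Active Directory ACLs, then publishes both templates on the CA with certutil. The account name CONTOSO\svc-goodmsm and the CA configuration string dc.demo.local\demo-DEMO-DC-CA are placeholders; the Enroll extended-right GUID is the well-known Certificate-Enrollment control access right.

```powershell
# Added example, not part of the Good MSM documentation or product.
# Grants an account Read + Enroll on the two templates the Good MSM RA needs and
# publishes them on the CA. Run as an Enterprise Admin / CA administrator on a host
# with the ActiveDirectory module and certutil.exe.
# Placeholders: CONTOSO\svc-goodmsm (service account), dc.demo.local\demo-DEMO-DC-CA (CA).
Import-Module ActiveDirectory

# Well-known GUID of the "Enroll" extended right on certificate templates
# (the Certificate-Enrollment control access right).
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Grant-TemplateEnroll {
    param(
        [Parameter(Mandatory=$true)][string]$TemplateDisplayName,
        [Parameter(Mandatory=$true)][string]$Account   # DOMAIN\user or DOMAIN\group
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Look the template up by display name; its CN (the "template name") can differ,
    # e.g. the display name "Exchange Enrollment Agent (Offline request)".
    $tmpl = Get-ADObject -SearchBase $base -SearchScope OneLevel `
                -Filter { displayName -eq $TemplateDisplayName }
    if (-not $tmpl) { throw "Template '$TemplateDisplayName' not found under $base" }

    $sid  = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $path = "AD:\$($tmpl.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # "Read" on the template = GenericRead on the AD object.
    $acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow))
    # "Enroll" = the Certificate-Enrollment extended right.
    $acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $EnrollRightGuid))
    Set-Acl -Path $path -AclObject $acl

    # Return the template CN: that is the name certutil expects when publishing.
    return $tmpl.Name
}

$svc = 'CONTOSO\svc-goodmsm'            # placeholder service account
$ca  = 'dc.demo.local\demo-DEMO-DC-CA'  # placeholder certutil -config string

$templateNames = @(
    (Grant-TemplateEnroll -TemplateDisplayName 'CEP Encryption' -Account $svc),
    (Grant-TemplateEnroll -TemplateDisplayName 'Exchange Enrollment Agent (Offline request)' -Account $svc)
)

# Publish ("Certificate Template to Issue") each template on the CA.
foreach ($name in $templateNames) { certutil -config $ca -SetCATemplates "+$name" }

# Verify: the CA's published template list should now include both names.
certutil -config $ca -CATemplates
```

Template ACLs live on the template objects in the configuration partition, so the grant is forest-wide and takes effect for every enterprise CA that publishes the template; publishing (the certutil step) is per CA.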
Create Wi-Fi CA templates
Performing the following steps on your CA will create a template that issues identity certificates granting users the right to authenticate to a Wi-Fi network:

Create CA templates
• Click Certificate Templates (under Active Directory Certificate Services).
• Right-click on User and choose Duplicate Template.
• You will be prompted to select a template version; select Windows Server 2003 Enterprise Edition.
• Provide a name in the Template display name field.
• Select the Security tab.
• Add the Good MSM service account to the dialog and select the Read and Enroll rights.
• Select the Subject Name tab and select Supply in the request.
• Select the Issuance Requirements tab. Check the field labeled This number of authorized signatures and set it to 1.
• Set the field labeled Application policy to Certificate Request Agent.
Supply in the request lets the requester choose the certificate subject, so on its own it would allow anyone with Enroll rights to obtain a certificate for an arbitrary user. Requiring one authorized signature with the Certificate Request Agent policy means only a holder of an enrollment agent certificate, i.e. the Good MSM RA, can submit such requests.
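The three template settings just described are what make a template safe to hand to an RA. The following PowerShell audit is an added example, not from the Good MSM documentation: it reads a template's msPKI-Certificate-Name-Flag, msPKI-RA-Signature and msPKI-RA-Application-Policies attributes from Active Directory, confirms the combination this procedure requires (subject supplied in the request, one authorized signature, Certificate Request Agent policy), and flags templates where enrollees may supply their own subject without any RA signature, which lets any principal with Enroll rights request a certificate for an arbitrary user (the misconfiguration widely catalogued as ESC1). The template display name 'Good MSM Wi-Fi' is a placeholder; the script assumes Windows Server 2003 (schema version 2) templates, where the application-policy attribute is a plain list of OIDs.

```powershell
# Added example, not part of the Good MSM documentation or product.
# Audits certificate templates for the settings this procedure requires:
#   Subject Name = "Supply in the request"        -> msPKI-Certificate-Name-Flag bit 0x1
#   Issuance Requirements: 1 authorized signature -> msPKI-RA-Signature = 1
#   Application policy = Certificate Request Agent-> OID 1.3.6.1.4.1.311.20.2.1
# and flags the dangerous combination "enrollee supplies subject, no RA signature".
# Assumes Windows Server 2003 (schema version 2) templates, where
# msPKI-RA-Application-Policies is a plain OID list. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$OID_CERT_REQUEST_AGENT            = '1.3.6.1.4.1.311.20.2.1'

function Test-RATemplate {
    param([string]$TemplateDisplayName)   # omit to audit every template in the forest

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'displayName','msPKI-Certificate-Name-Flag','msPKI-RA-Signature',
             'msPKI-RA-Application-Policies','msPKI-Template-Schema-Version'

    $templates = if ($TemplateDisplayName) {
        Get-ADObject -SearchBase $base -SearchScope OneLevel -Properties $props `
            -Filter { displayName -eq $TemplateDisplayName }
    } else {
        Get-ADObject -SearchBase $base -SearchScope OneLevel -Properties $props -Filter *
    }

    foreach ($t in $templates) {
        $nameFlag     = [int]$t.'msPKI-Certificate-Name-Flag'
        $subjectInReq = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $raSigs       = [int]$t.'msPKI-RA-Signature'
        $raPolicies   = @($t.'msPKI-RA-Application-Policies')
        $needsAgent   = $raPolicies -contains $OID_CERT_REQUEST_AGENT

        $verdict = if ($subjectInReq -and $raSigs -ge 1 -and $needsAgent) {
                       'OK for Good MSM RA'
                   } elseif ($subjectInReq -and $raSigs -lt 1) {
                       'DANGER: subject supplied in request, no RA signature required (ESC1 pattern)'
                   } elseif ($subjectInReq) {
                       'Check: signature required, but not the Certificate Request Agent policy'
                   } else {
                       'n/a: subject built from AD, not usable by the Good MSM RA'
                   }

        New-Object -TypeName PSObject -Property @{
            Template             = $t.displayName
            SchemaVersion        = $t.'msPKI-Template-Schema-Version'
            SubjectSuppliedInReq = $subjectInReq
            AuthorizedSignatures = $raSigs
            RequiresRequestAgent = $needsAgent
            Verdict              = $verdict
        }
    }
}

# Audit the template created above (placeholder display name) ...
Test-RATemplate -TemplateDisplayName 'Good MSM Wi-Fi' | Format-List
# ... and sweep every template in the forest for the dangerous pattern.
Test-RATemplate | Where-Object { $_.Verdict -like 'DANGER*' } |
    Format-Table Template, SchemaVersion, Verdict -AutoSize
```

Run the sweep again after the Exchange and VPN templates are created: a duplicated template that has Supply in the request set but whose Issuance Requirements tab was skipped is exactly what the DANGER verdict catches.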
Publish template
Performing the following steps on your CA will publish the template you created in the previous steps:
• Right-click in the list of Certificate Templates and select New.
• Choose Certificate Template to Issue.
• Select the Wi-Fi template just created.
• Click OK.

Configure the Good MSM Service Account to be a restricted CA manager
Performing the following steps on your CA will make the Good MSM service account a restricted certificate manager, so that it can issue and manage certificates only for the templates you list:
• Right-click on the CA and choose Properties.
• Select the tab labeled Certificate Managers and choose the Good MSM service account in the list of Certificate Managers.
• In the field labeled Certificate Templates, select All (if listed) and click Remove.
• Click Add… and add the Wi-Fi certificate template that was created above.
• Click OK.
Create VPN CA templates
Follow the steps under Create Wi-Fi CA templates.

Create Exchange CA templates
Follow the steps under Create Wi-Fi CA templates.

Configure Good MSM to Access your CA
General Setup
To configure Good MSM to use your CA, perform the following steps:
• Log into the Good MSM web console.
• In the menu under the tab labeled SECURITY, select Certificates.
• Under Certificate Authorities, highlight the name of the CA you wish to configure. The CA used in this example is named demo-DEMO-DC-CA.
• In the right-hand pane, request the encryption certificate into Good MSM by clicking the button labeled Request in the row entitled Encryption.
• In the same pane, request the signing certificate into Good MSM by clicking the button labeled Request in the row entitled Signing.
• Once the requests have been completed, refresh your browser. Once the page refresh is complete, the requested certificates are shown in the pane.
Creating an Identity Certificate
Before you create a Wi-Fi device configuration that will authenticate with certificates, Good MSM must be configured to use the identity certificate template that was created on your CA. To do this:
• In the menu under the tab labeled SECURITY, select Device Configurations.
• Select a Device Configuration and go into Edit Mode.
• Within the box labeled Add Configuration, select Identity Certificate.
• Good MSM will automatically populate the fields with a simple Display Name, the Certificate Authority, and the Certificate Template to use. If desired, you can optionally configure the subject template to match a key-value pair to track the user. In the example, the user’s CN is matched to their Principal name.
Creating a Wi-Fi Configuration
After adding the Identity Certificate, you need to configure a Wi-Fi configuration to use the identity certificate. To do this:
• Within the box labeled Add Configuration under Device Configuration, select Wi-Fi.
• Enter the SSID for the Wi-Fi network in the field labeled SSID.
• Check Hidden Network and Automatically join the network if appropriate in your environment.
• In the field labeled Security Types, select WPA / WPA2 Enterprise.
• Check the box labeled TLS.
• In the field labeled Identity Certificate, select the identity certificate configured above.
• The field labeled Trusted Certificate Names is optional. If needed in your environment, add the list of server certificate common names that will be accepted by your Wi-Fi access points.
• Check the box labeled Allow trust exceptions only if required in your environment. This is not recommended: it lets the device accept a RADIUS server certificate that is not trusted, which defeats the server-authentication half of EAP-TLS and makes a rogue access point harder to detect.
• Configure Proxy Type as appropriate in your environment.
• After setting up the Wi-Fi configuration, click Save & Publish to deploy the configuration.
More information on creating device configurations can be found in the Good MSM Security Management Guide.

Creating a VPN Configuration
After adding the Identity Certificate, you need to configure a VPN configuration to use the identity certificate. To do this:
• Within the box labeled Add Configuration under Device Configuration, select VPN.
• Enter the connection name for the VPN network in the field labeled Connection Name.
• In the field labeled Connection Type, select VPN AnyConnect from the drop-down.
• In the field labeled Server, enter the domain name of the server that accepts certificate authentication.
• In the field labeled User Authentication, select Certificate from the drop-down.
• In the field labeled Identity Certificate, select the identity certificate configured above.
• Enable VPN On Demand is optional; leave it unchecked unless you need it. If you do, check the box and provide the server domain names.
• The Group Name field is optional; leave it blank.
• The Proxy Type field is optional. This field defaults to None.
Creating an Exchange ActiveSync Configuration
After adding the Identity Certificate, you need to configure an Email configuration to use the identity certificate. To do this:
• Within the box labeled Add Configuration under Device Configuration, select Email.
• Enter the account name for the Email account in the field labeled Account Name.
• In the field labeled CAS Server for Exchange 2010, enter the name of the Exchange server that supports certificate-based authentication.
• Leave the default settings for the other fields.
• In the field labeled User Authentication, select Certificate from the drop-down.
• In the field labeled Identity Certificate, select the identity certificate configured above.
Appendix A
Configuring a Certificate Authority (CA) on Windows Server 2008
The following section provides a brief overview of how a CA is configured in a Windows Server 2008 environment. This is only an example of one method that can be followed to configure a CA. Before you configure a CA within your environment, you should work with the various stakeholders within your organization to identify your overall requirements, and a certificate infrastructure should be designed to meet those needs.

Install CA Role
Follow these steps to configure Windows Server 2008 to act as a Certificate Authority:
• Open Server Manager.
• In the Server Manager, click Roles, Add Roles.
• In the Wizard, select Active Directory Certificate Services.
• Select Certification Authority.
• Select Enterprise.
• Select Root CA.
• Select Create a new private key.
• The next screen lists the available Cryptographic Service Providers (CSPs). Select the CSP, key length and hash algorithm that work best in your environment (prefer a SHA-2 hash such as SHA256 and an RSA key of at least 2048 bits; SHA-1 and MD5 are deprecated for certificate signatures). Good MSM supports all algorithms supported by the Microsoft CA.
• Enter the common name that will be used to identify the CA on the next screen. This name will be synchronized with Good MSM and appear in the Good MSM UI.
• Configure the expiration date (validity period) of the CA certificate on this page.
• Click Next until the installation finishes, and finally select Close.
• Close and re-open the Server Manager application. The CA role you just added should appear.
Technical Certificates Overview
Mobile Service Manager
Version 8.2.0.1.1072
Copyright 2015 by Good Technology. All rights reserved.
Trademarks
Good is a registered trademark of Good Technology Incorporated.
Microsoft and Microsoft Windows are registered trademarks of Microsoft Corporation. All other product names used are trademarks of their respective owners.
Notice
The material in this document is for information only and is subject to change without notice. While reasonable efforts have been made in the preparation of this document to assure its accuracy, Good Technology Inc. assumes no liability resulting from errors or omissions in this document, or from the use of the information contained herein. Good Technology Inc. reserves the right to make changes in the product design without reservation and without notification to its users.
Edition
July 15, 2015