Technical Certificates Overview
Version 8.2
Mobile Service Manager
Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation ("Good"). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser's authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements. The documentation provided is subject to change at Good's sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided "as is" and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good's future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information

Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.

Certificates Overview 2
Table of Contents

1 Good MSM Certificates: Technical Overview 6
2 Good MSM Certificate Prerequisites 7
  Configure the Certificate Authority 10
    Grant the Good MSM Service Account rights to the CA 10
    Encryption Services 11
    Publish the CEP Encryption and Exchange Enrollment Agent (offline request) templates 12
    Create Wi-Fi CA templates 13
    Create CA templates 13
    Create VPN CA templates 17
    Create Exchange CA templates 17
  Configure Good MSM to Access your CA 17
    Creating an Identity Certificate 18
    Creating a Wi-Fi Configuration 19
    Creating a VPN Configuration 20
    Creating an Exchange ActiveSync Configuration 21
Appendix A: Configuring a Certificate Authority (CA) on Windows Server 2008 23
01 Good MSM Certificates: Technical Overview

There are a few important items to understand about Good's certificate management functionality for Apple iOS devices before starting to configure Good MSM to support your internal CA environment:

- Good MSM will automatically discover enterprise Certificate Authority (CA) servers that are members of the same domain as the Good MSM server.
- Good MSM will automatically validate the certificate templates installed on the CA server so that only templates appropriate to the specific use case of client authentication will be exposed.
- Good MSM does not require SCEP to be turned on at the CA server itself, and does not require that the CA server be directly exposed to devices. Good MSM acts as a registration authority and sets up its own SCEP server to handle the process of issuing authentication certificates to a device that needs to be provisioned to access an enterprise CA server. Only the Good MSM server needs to talk directly to the CA server, and it does so using a secure protocol other than SCEP.
- Good MSM does more than simply remove the authentication certificate from the device when the device is retired: it revokes the certificate, so that if the certificate is restored from a backup, the CA server will reject it when the user attempts to use it to access a corporate Wi-Fi network.
- Good MSM will automatically renew a certificate before it expires, based on the expiration date.
- Good MSM certificates support Wi-Fi Access Points configured with WPA2 Enterprise EAP-TLS. VPN and Exchange access will be supported in future versions of BoxTone.
02 Certificate Prerequisites

In order to configure Good MSM to deliver certificates to iOS devices, an authoritative Microsoft PKI infrastructure needs to be in place. The following section is a detailed overview of Good's requirements.

Field: CA Environment
Description:
- The Good MSM server and the Microsoft CA PKI infrastructure must be members of the same domain.
- The CA must have access to directory services and be able to issue and manage certificates.
- The CA must have the ability to issue its own self-signed certificates.
- The CA must have the ability to create a new private key in order to generate and issue certificates to a client.
- The CA must have the ability to configure a cryptographic service provider and pick a hash algorithm that will create a new private key with a specific key length.

Field: Common Name
Description: The CA must have the ability to configure the CA name. This is required to specify a Common Name (CN) with distinguished name prefixes. Good MSM recommends creating a CA Common Name specific to the Good MSM installation.

Field: Certificate Authority Validity Period and renewal
Description: The CA validity period needs to be renewed before it expires. If it is not, all certificates that have been issued will need to be reissued. Be sure to set your CA validity period such that you will have enough time to renew.

Field: Good MSM Service Account
Description: The Good MSM service account must have the following access to the Certificate Authority:
- Read
- Issue and Manage Certificates
- Request Certificates
Field: Registration Authority (RA)
Description: Good MSM functions as the Registration Authority for certificates. The Good MSM RA uses two sets of credentials, one for signing and one for encryption. Good MSM uses CEP for encryption and the Exchange Enrollment Agent (Offline Requests) for signing the certificates. Both the CEP and Exchange Enrollment Agent templates must be configured and published for the Good MSM service to pick up and validate the services.

Field: CEP Encryption Template
Description: The Good MSM service account must have Read and Enroll permissions on the CEP Encryption template.

Field: Exchange Enrollment Agent (Offline Requests)
Description: The Good MSM service account must have Read and Enroll permissions on the Exchange Enrollment Agent template.

Field: Wi-Fi Templates Permissions
Description: The Good MSM service account must have Read and Enroll permissions on Wi-Fi templates.

Field: Wi-Fi Templates: Configuration Requirements
Description: Wi-Fi templates should be configured as follows:
- The Wi-Fi template must be configured to have the subject name supplied in the request.
- The Wi-Fi template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must be set for re-enrollment.
- The Wi-Fi template must be published before the Good MSM service will be able to pick up and use the template.

Field: Wi-Fi Access Points
Description:
- The Wi-Fi Access Point must be configured to communicate with the Active Directory domain that contains the CA via RADIUS.
- Users that will access the Wi-Fi Access Point must be members of a group that has permission to access the AP.
- Good MSM supports WPA2-Enterprise EAP-TLS.

Field: Exchange Templates Permissions
Description: The Good MSM service account must have Read and Enroll permissions on Exchange templates. The Exchange template can be very similar to the Wi-Fi templates.
Field: Exchange Templates: Configuration Requirements
Description: Exchange templates should be configured as follows:
- The Exchange template must be configured to have the subject name supplied in the request.
- The Exchange template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must be set for re-enrollment.
- The Exchange template must be published before the Good MSM service will be able to pick up and use the template.

Field: VPN Templates Permissions
Description: The Good MSM service account must have Read and Enroll permissions on VPN templates. The VPN template can be very similar to the Wi-Fi templates.

Field: VPN Templates: Configuration Requirements
Description: VPN templates should be configured as follows:
- The VPN template must be configured to have the subject name supplied in the request.
- The VPN template must have the application policy of at least one authorized signature set to Certificate Request Agent for issuing certificates. This policy must be set for re-enrollment.
- The VPN template must be published before the Good MSM service will be able to pick up and use the template.

Field: VPN Connection Types
Description:
- Good MSM supports Cisco AnyConnect and Juniper SSL.
- The Cisco or Juniper connection must be configured to support certificate-based authentication.
- Depending on the connection type, the appropriate VPN client must be installed on the device to connect using the VPN payload.
Configure the Certificate Authority

The following section is a high-level overview of the tasks needed to configure a CA within your environment. As certificate management is an integral part of an enterprise's overall security infrastructure, Good MSM strongly recommends reviewing the CA documentation from Microsoft before making any changes to your internal CA environment.

Grant the Good MSM Service Account rights to the CA

Follow these steps to configure the new CA for use in the Good MSM certificate management workflow:
1. Right-click on the CA and choose Properties.
2. Select the Security tab.
3. Add the Good MSM service account and select the Read, Issue and Manage Certificates, and Request Certificates rights as displayed below.

Grant the Good MSM service account rights to Exchange Enrollment Agent (Offline Request) and CEP Encryption Services

Follow these steps to allow the Good MSM server to act as a Registration Authority on behalf of the CA:
1. Go to Certificate Templates (under Active Directory Certificate Services).
2. Right-click on Exchange Enrollment Agent (Offline Request).
3. Select the Security tab.
4. Add the Good MSM service account and set the Read and Enroll rights as displayed below.
5. Right-click on CEP Encryption.
6. Select the Security tab.
7. Add the Good MSM service account and set the Read and Enroll rights as displayed below.
Publish the CEP Encryption and Exchange Enrollment Agent (Offline Request) templates

Perform the following under the CA that was created within the domain:
1. Right-click in the list of Certificate Templates and select New.
2. Choose Certificate Template to Issue.
3. In the dialog, select the CEP Encryption and Exchange Enrollment Agent (Offline Request) templates as shown below.
4. Click OK.

Create Wi-Fi CA templates

Performing the following steps on your CA will create a template that issues identity certificates granting the rights to authenticate users to a Wi-Fi network.

Create CA templates
1. Click Certificate Templates (under Active Directory Certificate Services).
2. Right-click on User and choose Duplicate Template.
3. You will be prompted to select a template type; select Windows Server 2003, Enterprise Edition.
4. Provide a name in the Template display name field.
5. Select the Security tab. Add the Good MSM service account to the dialog and select the Read and Enroll rights.
6. Select the Subject Name tab and select Supply in the request.
7. Select the Issuance Requirements tab. Check the field labeled This number of authorized signatures and set it to 1.
8. Set the field labeled Application policy to Certificate Request Agent.

Publish template
Performing the following steps on your CA will publish the template you created in the previous steps:
1. Right-click in the list of Certificate Templates and select New.
2. Choose Certificate Template to Issue.
3. Select the Wi-Fi template just created.
4. Click OK.

Configure the Good MSM Service Account to be a restricted CA manager
Performing the following steps on your CA will make the Good MSM service account a restricted CA manager, limited to the Wi-Fi template rather than all templates:
1. Right-click on the CA and choose Properties.
2. Select the tab labeled Certificate Managers.
3. Choose the Good MSM service account in the list of Certificate Managers.
4. In the field labeled Certificate Templates, select All (if listed) and click Remove.
5. Click Add and add the Wi-Fi certificate template that was created above.
6. Click OK.
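The template requirements from the Prerequisites tables and the template steps above can be verified after the fact from the template objects that Active Directory stores in its Configuration partition. The following PowerShell audit is an added example, not part of the Good MSM documentation or product. It reads the template objects with the built-in [ADSI] accessor and applies the three requirements this guide states for the MSM templates (subject name supplied in the request, one authorized signature, and that signature restricted to the Certificate Request Agent application policy) together with the publication check. The template names GoodMSM-WiFi and Unrestricted-WiFi, the attribute values in the two sample calls, and the assumption that the script runs on a domain member with read access to the Configuration partition are constructed for the example; demo-DEMO-DC-CA is the CA name this guide uses in its own example.

```powershell
# Added audit script; not part of the Good MSM documentation or product.
# Assumptions (constructed for this example): runs on a domain member with read
# access to the Configuration partition; 'GoodMSM-WiFi' and 'Unrestricted-WiFi'
# are placeholder template names.

$CertificateRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent application policy
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                   # "Supply in the request" bit of msPKI-Certificate-Name-Flag

function Test-EnrollmentTemplate {
    # Applies this guide's template requirements to one template's attribute
    # values and returns the list of requirements that are not met.
    param(
        [string]$Name,
        [int]$NameFlag,          # msPKI-Certificate-Name-Flag
        [int]$RaSignature,       # msPKI-RA-Signature (number of authorized signatures)
        [string[]]$RaPolicies,   # msPKI-RA-Application-Policies (v2 templates store the bare OID,
                                 # newer schema versions embed it in a longer encoded string)
        [string[]]$PublishedOn   # CAs whose certificateTemplates attribute lists this template
    )
    $findings = @()
    if (-not ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) {
        $findings += 'subject name is not supplied in the request'
    }
    if ($RaSignature -lt 1) {
        # Enrollee-supplied subject with no authorized signature means any account
        # with Enroll rights could obtain a certificate for any subject name.
        $findings += 'no authorized signature required (guide requires 1)'
    } elseif (($RaPolicies -join ' ') -notlike "*$CertificateRequestAgentOid*") {
        $findings += 'authorized signature is not restricted to Certificate Request Agent'
    }
    if (-not $PublishedOn) {
        $findings += 'template is not published on any CA'
    }
    [pscustomobject]@{
        Template  = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Get-PkiContainer {
    # Binds to one of the well-known PKI containers in the Configuration partition.
    param([string]$Name)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=$Name,CN=Public Key Services,CN=Services,$configNc"
}

function Get-MsmTemplateAudit {
    # Audits the named templates against AD, including which CAs publish them.
    param([string[]]$TemplateName)
    $publishedOn = @{}
    foreach ($ca in (Get-PkiContainer 'Enrollment Services').Children) {
        $caName = [string]$ca.Properties['cn'][0]
        foreach ($t in @($ca.Properties['certificateTemplates'])) {
            $key = [string]$t
            if (-not $publishedOn.ContainsKey($key)) { $publishedOn[$key] = @() }
            $publishedOn[$key] += $caName
        }
    }
    $templates = Get-PkiContainer 'Certificate Templates'
    foreach ($name in $TemplateName) {
        $t = $templates.Children.Find("CN=$name")
        Test-EnrollmentTemplate -Name $name `
            -NameFlag    ([int]$t.Properties['msPKI-Certificate-Name-Flag'][0]) `
            -RaSignature ([int]$t.Properties['msPKI-RA-Signature'][0]) `
            -RaPolicies  @($t.Properties['msPKI-RA-Application-Policies']) `
            -PublishedOn @($publishedOn[$name])
    }
}

# Constructed values: a template configured exactly as the steps above describe ...
Test-EnrollmentTemplate -Name 'GoodMSM-WiFi' -NameFlag 0x1 -RaSignature 1 `
    -RaPolicies @('1.3.6.1.4.1.311.20.2.1') -PublishedOn @('demo-DEMO-DC-CA')
# ... and a duplicated User template where the Issuance Requirements step was skipped.
Test-EnrollmentTemplate -Name 'Unrestricted-WiFi' -NameFlag 0x1 -RaSignature 0 `
    -RaPolicies @() -PublishedOn @('demo-DEMO-DC-CA')

# Live audit of the templates the Good MSM service account enrolls against:
# Get-MsmTemplateAudit -TemplateName 'GoodMSM-WiFi', 'GoodMSM-VPN', 'GoodMSM-Exchange'
```

The second sample call reports the combination the Issuance Requirements step exists to prevent: a template that lets the requester supply the subject name but demands no authorized signature. The restriction configured on the Certificate Managers tab is held in the CA's own configuration rather than in the template object, so it is outside what this audit can read from AD.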
Create VPN CA templates
Follow the steps under Create Wi-Fi CA templates.

Create Exchange CA templates
Follow the steps under Create Wi-Fi CA templates.

Configure Good MSM to Access your CA

General Setup
To configure Good MSM to use your CA, perform the following steps:
1. Log into the Good MSM web console.
2. In the menu under the tab labeled SECURITY, select Certificates.
3. Under Certificate Authorities, highlight the name of the CA you wish to configure. The CA used in this example is named demo-DEMO-DC-CA.
4. In the right-hand pane, request the Encryption certificate into Good MSM by clicking the button labeled Request in the row entitled Encryption.
5. Request the Signing certificate into Good MSM by clicking the button labeled Request in the row entitled Signing.
6. Once the requests have been completed, refresh your browser. Once the page refresh is complete, the screen will appear as below.

Creating an Identity Certificate

Before you create a Wi-Fi device configuration that will authenticate with certificates, Good MSM must be configured to use the Identity Certificate that was created on your CA. To do this:
1. In the menu under the tab labeled SECURITY, select Device Configurations.
2. Select a Device Configuration and go into Edit Mode.
3. Within the box labeled Add Configuration, select Identity Certificate.
4. Good MSM will automatically populate the fields with a simple Display Name, the Certificate Authority, and the Certificate Template to use. If desired, you can optionally configure the subject template to match a key-value pair to track the user. In the example below, the user's CN is being matched to their Principal name.
Creating a Wi-Fi Configuration

After adding the Identity Certificate, you need to create a Wi-Fi configuration that uses it. To do this:
1. Within the box labeled Add Configuration under the device configuration, select Wi-Fi.
2. Enter the SSID for the Wi-Fi network in the field labeled SSID.
3. Check Hidden Network and Automatically join the network if appropriate in your environment.
4. In the field labeled Security Types, select WPA / WPA2 Enterprise.
5. Check the box labeled TLS.
6. In the field labeled Identity Certificate, select the identity certificate configured above.
7. The field labeled Trusted Certificate Names is optional. If needed in your environment, add the list of server certificate common names that will be accepted by your Wi-Fi Access Points.
8. Check the box labeled Allow trust exceptions if appropriate in your environment (not recommended).
9. Configure Proxy Type as appropriate in your environment.

After setting up the Wi-Fi configuration, click Save & Publish to deploy the configuration. More information on creating device configurations can be found within the Good MSM Security Management Guide.

Creating a VPN Configuration

After adding the Identity Certificate, you need to create a VPN configuration that uses it. To do this:
1. Within the box labeled Add Configuration under the device configuration, select VPN.
2. Enter the connection name for the VPN network in the field labeled Connection Name.
3. In the field labeled Connection Type, select VPN AnyConnect from the drop-down.
4. In the field labeled Server, enter the domain name of the server that accepts certificate authentication.
5. In the field labeled User Authentication, select Certificate from the drop-down.
6. In the field labeled Identity Certificate, select the identity certificate configured above.
7. Enable VPN On Demand is optional; leave it unchecked unless you need to restrict access, in which case check this box and provide the server domain names.
8. The Group Name field is optional; leave it blank.
9. The Proxy Type field is optional and defaults to None.
Creating an Exchange ActiveSync Configuration

After adding the Identity Certificate, you need to create an Email configuration that uses it. To do this:
1. Within the box labeled Add Configuration under the device configuration, select Email.
2. Enter the account name for the Email account in the field labeled Account Name.
3. In the field labeled CAS Server for Exchange 2010, enter the name of the Exchange server that supports certificate-based authentication.
4. Leave the default settings for the other fields.
5. In the field labeled User Authentication, select Certificate from the drop-down.
6. In the field labeled Identity Certificate, select the identity certificate configured above.
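The fields in the Wi-Fi configuration above (SSID, Security Types, TLS, Identity Certificate, Trusted Certificate Names, Allow trust exceptions) correspond to keys of the Wi-Fi payload in the iOS configuration profile that a published configuration delivers, and the last two are the ones that decide whether a device will authenticate only to your own RADIUS server. The following PowerShell script is an added example, not code from the Good MSM documentation or product: it parses a profile with a small plist reader and checks the Wi-Fi payload against the settings recommended in that section, using Apple's documented payload keys (SSID_STR, EncryptionType, EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, TLSAllowTrustExceptions, PayloadCertificateUUID). The embedded profile and its SSID, server name and certificate UUID are constructed sample data.

```powershell
# Added example; not from the Good MSM documentation or product. Checks the
# EAP-TLS settings of an iOS Wi-Fi payload using Apple's documented profile keys.
# The profile below is constructed sample data (SSID, server name, UUID).

$SampleProfile = @'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>HIDDEN_NETWORK</key><false/>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>PayloadCertificateUUID</key><string>11111111-2222-3333-4444-555555555555</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <key>TLSTrustedServerNames</key><array><string>radius.corp.example</string></array>
        <key>TLSAllowTrustExceptions</key><true/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
'@

function ConvertFrom-PlistNode {
    # Converts a plist XML element into a hashtable, array or scalar value.
    param([System.Xml.XmlNode]$Node)
    $elements = @($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    switch ($Node.LocalName) {
        'dict' {
            # A dict is a flat sequence of <key> elements each followed by its value.
            $h = @{}
            for ($i = 0; $i -lt $elements.Count; $i += 2) {
                $h[$elements[$i].InnerText] = ConvertFrom-PlistNode $elements[$i + 1]
            }
            return $h
        }
        'array'   { return ,@($elements | ForEach-Object { ConvertFrom-PlistNode $_ }) }
        'true'    { return $true }
        'false'   { return $false }
        'integer' { return [int]$Node.InnerText }
        default   { return $Node.InnerText }
    }
}

function Get-WifiPayloads {
    # Returns every com.apple.wifi.managed payload in a profile as a hashtable.
    param([string]$ProfileXml)
    $root = ConvertFrom-PlistNode ([xml]$ProfileXml).plist.dict
    @($root['PayloadContent']) | Where-Object { $_['PayloadType'] -eq 'com.apple.wifi.managed' }
}

function Test-WifiEapTlsPayload {
    # Checks one Wi-Fi payload against the certificate-authentication settings
    # described in the Wi-Fi configuration section.
    param([hashtable]$Payload)
    $findings = @()
    $eap = $Payload['EAPClientConfiguration']
    if (@('WPA', 'WPA2') -notcontains $Payload['EncryptionType'] -or -not $eap) {
        $findings += 'not a WPA / WPA2 Enterprise network'
    }
    if (-not $Payload['PayloadCertificateUUID']) {
        $findings += 'no identity certificate bound to the payload'
    }
    if ($eap -and @($eap['AcceptEAPTypes']) -notcontains 13) {
        $findings += 'EAP-TLS (EAP type 13) is not enabled'
    }
    if ($eap -and -not $eap['TLSTrustedServerNames']) {
        $findings += 'no trusted server names: RADIUS server certificate is not pinned to a name'
    }
    if ($eap -and $eap['TLSAllowTrustExceptions'] -eq $true) {
        $findings += 'trust exceptions allowed: user may accept an unknown RADIUS server certificate'
    }
    [pscustomobject]@{
        SSID      = $Payload['SSID_STR']
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Get-WifiPayloads $SampleProfile | ForEach-Object { Test-WifiEapTlsPayload $_ }
```

Run as written, the sample reports one finding, because TLSAllowTrustExceptions is true: that is what a configuration with Allow trust exceptions checked produces, and it lets the user accept an unknown RADIUS server certificate at join time. With that value set to false (the box left unchecked) and a trusted server name present, the payload is reported as compliant.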
Appendix A: Configuring a Certificate Authority (CA) on Windows Server 2008

The following section provides a brief overview of how a CA is configured in a Windows Server 2008 environment. This is only an example of one method that can be followed to configure a CA. Before you configure a CA within your environment, you should work with the various stakeholders within your organization to identify your overall requirements, and a certificate infrastructure should be designed to meet those needs.

Install CA Role

Follow these steps to configure Windows Server 2008 to act as a Certificate Authority:
1. Open Server Manager.
2. In Server Manager, click Roles, then Add Roles.
3. In the wizard, select Active Directory Certificate Services.
4. Select Certification Authority.
5. Select Enterprise.
6. Select Root CA.
7. Select Create a new private key.
8. The next screen lists the various Cryptographic Service Providers (CSPs). Select the hash algorithm that works best in your environment. Good MSM supports all algorithms supported by the Microsoft CA.
9. On the next screen, enter the common name that will be used to identify the CA. This name will be synchronized with Good MSM and appear in the Good MSM UI.
10. Configure the expiration date of the CA on this page.
11. Click Next until the installation finishes, and finally select Close.
12. Close and re-open the Server Manager application. The CA role you just added should appear.
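Where the CA is built from PowerShell instead of the Server Manager wizard, the same choices (Enterprise, Root CA, new private key, provider and hash algorithm, common name, validity period) can be scripted. This is an added example, not part of the Good MSM documentation; it assumes Windows Server 2012 or later, where the ADCSDeployment module provides Install-AdcsCertificationAuthority (Windows Server 2008, which the appendix describes, has only the wizard). The common name GoodMSM-Root-CA, the key length, hash algorithm and ten-year validity are constructed values to be replaced with the choices from your own design.

```powershell
# Added example; not part of the Good MSM documentation or product.
# Assumes Windows Server 2012 or later (ADCSDeployment module). The common
# name, key length, hash algorithm and validity below are constructed values.

# 1. Add the Certification Authority role service with its management tools
#    (the wizard's "Active Directory Certificate Services" / "Certification Authority" steps).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a newly generated key. The provider,
#    key length and hash algorithm correspond to the CSP screen; the common name
#    is what Good MSM discovers and shows in its UI; the validity period is the
#    one the Prerequisites section says must be renewed before it lapses.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'GoodMSM-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 3. Confirm the CA is registered and answering before granting the Good MSM
#    service account its rights.
certutil -cainfo
```

The service-account rights, template duplication and restricted certificate-manager steps from the Configure the Certificate Authority section still have to be performed afterwards; this script only replaces the role-installation wizard.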
Technical Certificates Overview
Version 8.2.0.1.1072
Copyright 2015 by Good Technology. All rights reserved.

Trademarks
Good is a registered trademark of Good Technology Incorporated. Microsoft and Microsoft Windows are registered trademarks of Microsoft Corporation. All other product names used are trademarks of their respective owners.

Notice
The material in this document is for information only and is subject to change without notice. While reasonable efforts have been made in the preparation of this document to assure its accuracy, Good Technology Inc. assumes no liability resulting from errors or omissions in this document, or from the use of the information contained herein. Good Technology Inc. reserves the right to make changes in the product design without reservation and without notification to its users.

Edition July 15, 2015
Mobile Service Manager