EM L12 Symantec Mobile Management and Managed PKI Hands-On Lab

Description

Building and managing a Certificate Authority infrastructure to support your Mobile Management infrastructure can be time consuming and cost prohibitive. Utilizing a VeriSign managed PKI infrastructure can help to alleviate these burdens. In this hands-on lab students will have the opportunity to configure the Symantec Mobile Management environment to work with the hosted MPKI solution and understand the benefits and advantages associated with its use. This lab assumes a basic familiarity with SMM 7.1 and the SMP platform.

At the end of this lab, you should be able to:
Understand the advantages of hosted PKI services
Understand the requirements for working with a managed PKI account
Submit a CSR request to the PKI portal
Import the required certificates for use with managed PKI
Configure SMM to use a hosted SCEP configuration profile

Notes

A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and provide you with step-by-step walkthroughs of key features. Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace. Be sure to ask your instructor any questions you may have. Thank you for coming to our lab session.
Getting Started

Before you begin, you will need to be sure that the SMM-Exchange and SMM-Server virtual machines have been started (in that order). Once the VMs have finished loading, you will be ready to begin. Unless otherwise stated, all of the exercises should be done from the SMM-Server virtual machine.

Set up a Symantec Managed PKI Account

Installing the Managed PKI account follows a series of steps. The Symantec PKI Client is installed first. The PKI Client enables you to install the PKI Manager Sign-in Certificate, which is required to securely access the PKI Manager portal. An administrator of the managed account needs to set up the Symantec Managed PKI account. You need to configure access to your PKI account from the machine you will use to manage the service. The required certificate for account access will be installed on your workstation.

For the purposes of these lab exercises, the required account, access certificate and certificate profile have already been created and installed for you.

Verify the Symantec PKI Client installation

In the next steps we will verify that the above requirements are installed and ready for use.
1. On the SMM-Server virtual machine, open Start > Control Panel.
2. Select Programs > Programs and Features.
3. Verify that the Symantec PKI Client is listed.

Verify that the PKI Manager Sign-in Certificate is installed

Open an MMC Certificates snap-in for the Current User account:
1. Open the MMC console by clicking Start, type MMC in the Search box, and then press Return when mmc.exe appears.
2. Select File > Add/Remove Snap-in, highlight Certificates and move it to Selected snap-ins with the Add button.
3. Leave the default setting of My user account and click Finish.
4. Click OK to save changes.
5. Expand Certificates > Personal and select Certificates.
6. Verify that the Scott Jareo certificate, issued by Symantec Class 3 Admin, is installed.

Note: This certificate is used for authentication to the PKI portal, and must be installed on the machine you will use to manage the service.
Verify the Certificate Profile

To be able to issue certificates from PKI Manager you must first configure the certificate profile that will be used to generate certificates. In this exercise we will walk through the configuration of this profile, but will not create it, as one has already been created for this lab.
1. Open a browser and navigate to the Symantec Managed PKI Portal page: https://pki-manager.symauth.com/pki-manager/
2. Click OK to confirm the Test Drive Admin certificate (previously viewed).
3. Enter the required PIN: mpkilab
4. Click OK to log in.
5. Click on the Manage Certificate Profiles icon at the bottom of the screen.
6. Verify that the lab profile called TFE Lab already exists under the Certificate Profiles found column.

The following steps walk through how this profile was created; we will not need to save an additional profile.
1. Click on the Add Certificate profiles link at the top left of the page.
2. The Managed PKI Portal displays the Create Profile wizard with the Select Mode page first.
3. Select Production mode and click Continue.
4. The Managed PKI Portal displays the Select Template page.
5. Select Secure Sign-in and then click Continue.
6. The Managed PKI Portal displays the Customize certificate options page.
7. Enter a Certificate Friendly Name.
8. Under Primary certificate options, select the Enrollment method box and change the Enrollment Method drop-down setting to SCEP.
9. Click Continue to accept the change in enrollment method.
10. Click on Advanced Options and verify that the SubjectAltName contains a field called othername (UPN) and that its source is set to SCEP Request.
11. Click Cancel. We do not need to save this particular profile, as one has already been created.
Generate a Certificate Signing Request

In order to work with the Symantec managed PKI certificate you need to generate a CSR that can be submitted to VeriSign to create the required RA certificate. This request is generated from a trusted machine running IIS. This does not have to be the Mobile Management Server: you can create the RA certificate on a different computer and export it for use on the Mobile Management Server. You can also create the RA certificate on the Mobile Management Server itself to avoid needing to export and import the certificate. We will follow that scenario in the following exercise.
1. Open IIS Manager: select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager, or use the Start menu shortcut.
2. Under Connections, select SMM-Server, and then double-click Server Certificates under IIS in the SMM-Server Home column.
3. Click on Create Certificate Request under the Action tab in the far right pane.
4. The system displays the Request Certificate wizard, starting with the Distinguished Name Properties page.
5. Enter the following information and click Next:
   Common Name - the name that is attached to your certificate request; this can be any name you will recognize to identify the certificate.
   Organization - the name of your organization.
   Organizational unit - the name of the group or department within your organization.
   City/locality - the city or locality where your organization is located.
   State/province - the state or province where your organization is located.
   Country/region - the country or region where your organization is located.
6. Leave the default Microsoft RSA SChannel Cryptographic Provider as the Cryptographic service provider and select 2048 for the Bit length.
7. Click Next.
8. Click the ellipsis button to browse to a file location.
9. Select Desktop as the file location, enter a file name (e.g. csrreq.txt), and click Open.
10. Click Finish; the certificate request file will be saved on the desktop.
Create and install the Intermediate and RA Certificates

You must now create an RA certificate to secure communications and identify yourself to Managed PKI. In communications with Managed PKI, the RA certificate is used as a TLS/SSL client authentication certificate. The steps to configure it are as follows.

Creating your Certificate request
1. In your browser, navigate back to the Symantec Managed PKI Portal page, https://ptnr-pki-manager.bbtest.net/pki-manager, if it is not still open.
2. Click on the Tasks icon and select Get an RA certificate.
3. The Managed PKI Portal displays the Get an RA Certificate wizard, starting with the Enter CSR page.
4. Open the CSR file previously created on the server desktop.
5. Press CTRL+A to select all text.
6. Press CTRL+C to copy, and then paste the CSR text into the form provided in the PKI portal.
7. Click the Cancel button. We do not need to submit this request, as one has already been created for this lab.

Note: Clicking Continue would create the certificate file and give you an opportunity to download it. For the purposes of this lab environment that file has already been created and downloaded to your VM environment. PLEASE DO NOT SUBMIT A NEW REQUEST.
Completing the certificate request

We will now walk through the steps required to complete the certificate request in preparation for installing the certificates.

Export the Intermediate Certificate
1. On the SMM-Server VM, navigate to C:\EM L12 MPKI
2. Open the RA-Certificate.p7b certificate file (this is the file that would be downloaded from the PKI portal in the previous step).
3. Navigate to the Certificates sub-folder.

Note: The certificate file contains 2 certificates, the RA certificate (Registration Authority ###########) and an intermediate certificate. The certificates need to be installed on the SMM server. If the certificate request was generated on a server other than the SMM server, you would need to complete the certificate process for the RA certificate there and export that certificate to be installed on the SMM server.

4. Right-click the intermediate certificate to export it: All Tasks > Export opens the Certificate Export Wizard.
5. Click Next.
6. Leave the default DER encoded binary X.509 (.CER) file type selection and click Next.
7. Browse to a file path location such as Desktop, name the file and save it, then click Next.
8. Click Finish to export the file.

Export the RA Certificate

Follow steps 4-8 above to export the RA certificate to the desktop as a .cer file. Then complete the following:
1. Open IIS, i.e. select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2. Select the server, and then double-click Server Certificates.
3. Click on Complete Certificate Request under the Action tab in the far right pane.
4. Click the ellipsis button and browse to the RA certificate that was previously exported.
5. Enter a certificate friendly name in the Friendly name field and click OK.
6. The certificate will now be shown in the IIS Server Certificates page.
7. Select the certificate and click the Export link on the right hand side.
8. Browse to save the file to the Desktop and give the certificate a password. The file will have a .pfx extension.

Configure SCEP Profile
1. In your browser, navigate back to the Symantec Managed PKI Portal page, https://ptnr-pki-manager.bbtest.net/pki-manager, if it is not still open.
2. Click on the Manage Certificate Profiles icon.
3. Select the TFE Lab certificate profile previously created.
4.
5. Select and copy the endpoint URL found under Manage this profile, e.g. http://pkiscep.symauth.com/scep/2.16.840.1.113733.1.16.1.2.3.5.1.1364019/cgi-bin/pkiclient.exe
6. Open the SMM console from the shortcut on the desktop and navigate to Home > Mobile Management.
7. Select Device Management > Configuration Editor.
8. Under the iOS Configuration column, click on SCEP and then click on the new payload icon (yellow asterisk) in the right pane.
9. Enter a name and description for the new SCEP payload.
10. Paste the certificate profile endpoint as the URL.
11. In addition, enter the following:
   Subject: CN=Authentication Certificate
   Challenge: leave blank.
   Key size: 2048.
   Enable both boxes: Use as digital signature, Use for key encipherment.
12. Click Save Changes.
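The CSR generation, .p7b split, chain check and .pfx export steps from the sections above, done with openssl as an added example that is not part of the lab material. It substitutes a constructed local root and intermediate CA for the Managed PKI portal; the DN values, file names and the password are all assumptions made for the example.

```shell
# Added example, not the lab's own material: the CSR, .p7b split, chain check and .pfx
# export done with openssl instead of the IIS/MMC wizards. A local root and intermediate
# CA stand in for Managed PKI; every name, DN value and password here is constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
DN="/CN=SMM RA Certificate/O=Example Org/OU=Mobile Management/L=Mountain View/ST=California/C=US"
# Generate a Certificate Signing Request: 2048-bit RSA key plus a CSR with the same
# DN fields the IIS wizard asks for (CN, O, OU, L, ST, C).
make_ra_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$DN" \
    -keyout "$WORK/ra.key" -out "$WORK/csrreq.txt" >/dev/null 2>&1
}
# Check before pasting into the portal's Enter CSR page: self-signature verifies,
# CN is the requested one, key is 2048 bits. Prints the bit length, or 0 on failure.
csr_key_bits() {
  openssl req -in "$WORK/csrreq.txt" -noout -verify >/dev/null 2>&1 || { echo 0; return; }
  openssl req -in "$WORK/csrreq.txt" -noout -subject | grep -q 'SMM RA Certificate' || { echo 0; return; }
  openssl req -in "$WORK/csrreq.txt" -noout -pubkey | openssl pkey -pubin -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# Stand-in for the Managed PKI side: root CA -> intermediate CA -> RA certificate (a TLS
# client certificate), bundled like the RA-Certificate.p7b the portal hands back.
make_lab_p7b() {
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n[ra]\nextendedKeyUsage=clientAuth\n' >"$WORK/x.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/x.ext" -extensions ca -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1 -extfile "$WORK/x.ext" -extensions ca -out "$WORK/int.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/csrreq.txt" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 1 -extfile "$WORK/x.ext" -extensions ra -out "$WORK/ra.crt" >/dev/null 2>&1
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ra.crt" -certfile "$WORK/int.crt" \
    -outform DER -out "$WORK/RA-Certificate.p7b"
}
# Export the Intermediate and RA certificates: one PEM file per certificate (cert-1.pem = RA,
# cert-2.pem = intermediate); prints how many certificates the bundle held.
split_p7b() {
  openssl pkcs7 -inform DER -in "$WORK/RA-Certificate.p7b" -print_certs | awk -v d="$WORK" \
    '/BEGIN CERT/{n++; p=1} p{print > (d "/cert-" n ".pem")} /END CERT/{p=0} END{print n}'
}
# Complete Certificate Request and Export: RA cert must chain to the root via the
# intermediate; then pack key + RA cert + intermediate as a password-protected .pfx.
chain_and_pfx_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/ra.crt" \
    >/dev/null 2>&1 || { echo no; return; }
  openssl pkcs12 -export -inkey "$WORK/ra.key" -in "$WORK/ra.crt" -certfile "$WORK/int.crt" \
    -passout pass:labpassword -out "$WORK/ra.pfx" && echo yes
}
make_ra_csr; make_lab_p7b; echo "key bits: $(csr_key_bits) certs in p7b: $(split_p7b) chain+pfx: $(chain_and_pfx_ok)"
```

If the CSR check prints 0 or the chain check prints no, the request or the exported certificates do not match what the portal and the SMM import expect, and that is the point at which to stop and re-export rather than continue.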
Activate MPKI Integration Code

The code base installed with SMM 7.2 SP1 has been modified with further improvements for the import and automatic configuration of the MPKI certificates. In this final step we will use the Import functionality to add the required certificates to the SMP console and complete the MPKI integration.
1. In the SMP console navigate to Mobile Management > Settings > iOS Enrollment.
2. Under the iOS Enrollment configuration, for Cryptographic credential used for authentication select the name of the SCEP MPKI profile previously configured.
3. Scroll down to the SCEP configuration area.
4. Click the Enable Symantec MPKI Integration radio button to turn integration on.
5. Using the Import button, browse to import the certificates previously exported: the Registration Authority (RA) certificate, the MPKI intermediate certificate, and the MPKI root certificate. Note: The root certificate has been placed in C:\EM L12 MPKI
6. Leave the default Symantec MPKI URL set to: https://pki-ws.symauth.com/pkiws/usermanagementservice
7. Click the Save button to save changes to the configuration files.
8. SMM is now configured to use the Symantec PKI services for SCEP certificate enrollment.