Page Comparison

Follow the instructions below to configure the iOS server-side configurations:

1. Generate an Apple Push Notification Service (APNS) certificate.

2. Make a copy of the openssl.cnf file and move it to another location and edit the following:
   The Certificate Authority (CA) and Registration Authority (RA) certificates should be created as version 3 certificates. This step is carried out for the latter mentioned purpose.

   Code Block

   [ v3_req ] # Extensions to add to a certificate request basicConstraints=CA:TRUE keyUsage = Digital Signature, Key Encipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. basicConstraints = critical,CA:true # So we do this instead. #basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = Digital Signature, Certificate Sign, CRL Sign

3. Generate a self signed Certificate Authority (CA) certificate (version 3) and convert the certificate to .pem format using the following commands:

   Info
   It is assumed that the script is executed from the location where the modified openssl.cnf file was saved.

   1. openssl genrsa -out <CA PRIVATE KEY> 4096
      For example: openssl genrsa -out ca_private.key 4096
   2. openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
      For example: openssl req -new -key ca_private.key -out ca.csr
   3. openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca -extfile <PATH-TO-MODIFIED-openssl.cnf-FILE>
      For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca -extfile ./openssl.cnf
   4. openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
      For example:  openssl rsa -in ca_private.key -text > ca_private.pem
   5. openssl x509 -in <CA CRT> -out <CA CERT PEM>
      For example: openssl x509 -in ca.crt -out ca_cert.pem

4. Generate a Registration Authority (RA) certificate (version 3) signed it with the CA and convert the certificate to .pem format using the following commands:

   Info
   It is assumed that the script is executed from the location where the modified openssl.cnf file was saved.

   1. openssl genrsa -out <RA PRIVATE KEY> 4096
      For example:  openssl genrsa -out ra_private.key 4096

   2. openssl req -new -key <RA PRIVATE KEY> -out <RA CSR>
      For example: openssl req -new -key ra_private.key -out ra.csr
   3. openssl x509 -req -days <DAYS> -in <RA CSR> -CA <CA CRT> -CAkey <CA PRIVATE KEY> -set_serial <SERIAL NO> -out <RA CRT> -extensions v3_req -extfile <PATH-TO-MODIFIED- openssl.cnf-FILE>
      For example: openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key -set_serial 02 -out ra.crt -extensions v3_req -extfile ./openssl.cnf
   4. openssl rsa -in <CA PRIVATE KEY> -text> <RA PRIVATE PEM>
      For example: openssl rsa -in ra_private.key -text > ra_private.pem
   5. openssl x509 -in <RA CRT> -out <RA CERT PEM>
      For example: openssl x509 -in ra.crt -out ra_cert.pem

5. Generate the SSL certificate (version 3) based on your domain/IP address:

   Info
   Your IP address/Domain needs to be added as the Common Name, otherwise provisioning will fail.

   1. Generate a RSA key.
      openssl genrsa -out <RSA_key>.key 4096
      For example:
      openssl genrsa -out ia.key 4096
   2. Generate a CSR file.
      openssl req -new -key <RSA_key>.key -out <CSR>.csr
      For example:
      openssl req -new -key ia.key -out ia.csr
      Enter your server IP address/domain name (e.g., 192.168.1.157) as the Common Name else provisioning will fail.
   3. Generate the SSL certificate
      openssl x509 -req -days 730 -in <CSR>.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial <serial number> -out ia.crt
      For example: 
      openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial 044324343 -out ia.crt

6. Export the SSL, CA and RA files as PKCS12 files with an alias.

   1. Export the SSL file as a PKCS12 file with an "wso2carbon" as the alias. 
      openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in ia.crt -CAfile ca_cert.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile ca_cert.pem -name "wso2carbon"

   2. Export the CA file as a PKCS12 file with an alias.
      openssl pkcs12 -export -out <CA>.p12 -inkey <CA private key>.pem -in <CA Cert>.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
      In the above example, cacert has been used as the CA alias. 
   3. Export the RA file as a PKCS12 file with an alias.
      openssl pkcs12 -export -out <RA>.p12 -inkey <RA private key>.pem -in <RA Cert>.pem -chain -CAfile <CA cert>.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile ca_cert.pem -name "racert"
      In the above example, racert has been used as the RA alias. 
7. Copy the three P12 files to the <EMM_HOME>/repository/resources/security directory.
8. Import the generated P12 files as follows:
   

   1. Import the generated <KEYSTORE>.p12 file into the wso2carbon.jks and client-truststore.jks in the <EMM_HOME>/repository/resources/security directory.
      keytool -importkeystore -srckeystore <KEYSTORE>.p12 -srcstoretype PKCS12 -destkeystore <wso2carbon.jks/client-truststore.jks>

      Info
      Ensure to enter the keystore password and keystore key password  as  wso2carbon

      For example:
      keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jks

   2. Import the generated <CA>.p12 and <RA>.p12 files into the wso2EMM.jks in the <EMM_HOME>/repository/resources/security/ directory.
      keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2mdm.jks
      
      For example:
      keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mdm.jks
      Enter the keystore password as wso2carbon and keystore key password cacert

      keytool -importkeystore -srckeystore ra.p12 -srcstoretype PKCS12 -destkeystore wso2mdm.jks
      Enter the keystore password as  wso2carbon  and keystore key password as  racert


      Info
      title Troubleshooting
      Excerpt Why does the following error occur: " keytool error: java.io.IOException: Invalid keystore format"? If you enter the wrong private key password when importing the <CA>.p12 or <RA>.p12 files, the wso2emm.jks file will get corrupted and the above error message will appear. In such a situation, delete the wso2emm.jks file and execute the following command to import the generated <CA>.p12 and <RA>.p12 files into the wso2emm.jks file again. keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2emm.jks When the above command is executed, WSO2 EMM will automatically create a new wso2emm.jks file with the imported file.

9. Update the following parameters in the emm-config .xml file, which is in the <EMM_HOME>/repository/conf/ directory: 

   • Enter the sever IP or the server domain name for the following parameters:
iOSEnrollURL, iOSProfileURL, iOSCheckinURL, iOSServerURL and TokenURL
   • The default EMM keystore details are defined in the <EMMKeystore> XML element. Therefore, if any of the following details are changed, it needs to be reflected in  <EMMKeystore>:

     • EMM Keystore file location

     • EMM Keystore type

     • EMM Keystore password

     • Certificate authority certificate alias 

     • Certificate authority private key password

     • Registration authority certificate alias

     • Registration authority private key password

     For example:

     Code Block

     <?xml version="1.0" encoding="ISO-8859-1"?> <iOSMDMConfigurations> <!-- iOS MDM endpoint urls --> <iOSEnrollURL>https://localhost:9443/ios/enrollment/scep</iOSEnrollURL> <iOSProfileURL>https://localhost:9443/ios/enrollment/profile</iOSProfileURL> <iOSCheckinURL>https://localhost:9443/ios/enrollment/checkin</iOSCheckinURL> <iOSServerURL>https://localhost:9443/ios/enrollment/server</iOSServerURL> <MDMKeystore> <!-- EMM Keystore file location--> <MDMKeystoreLocation>${carbon.home}/repository/resources/security/wso2mdm.jks</MDMKeystoreLocation> <!-- EMM Keystore type (JKS/PKCS12 etc.)--> <MDMKeystoreType>JKS</MDMKeystoreType> <!-- EMM Keystore password--> <MDMKeystorePassword>wso2carbon</MDMKeystorePassword> <!-- Certificate authority certificate alias --> <MDMCACertAlias>cacert</MDMCACertAlias> <!-- Certificate authority private key password --> <MDMCAPrivateKeyPassword>cacert</MDMCAPrivateKeyPassword> <!-- Registration authority certificate alias --> <MDMRACertAlias>racert</MDMRACertAlias> <!-- Registration authority private key password --> <MDMRAPrivateKeyPassword>racert</MDMRAPrivateKeyPassword> </MDMKeystore> </iOSMDMConfigurations>

After configuring the above obtain the signed CSR form and follow the proceeding step to complete the iOS server configurations.

Related links

• Generate an Apple Push Notification Service (APNS) certificate
• iOS Server Configurations
• Obtaining the signed CSR file