Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleWIP

This document is work in progress!

The following diagram illustrates a typical deployment pattern for WSO2 IoT Server.

Image RemovedImage Added

As indicated in the above diagram, when clustering WSO2 IoT Server, there is worker manager separation. In a standard WSO2 product cluster, worker and manager separation is derived from deployment synchronization. However, this differs from standard WSO2 Carbon worker manager separation.

WSO2 IoT Server includes an admin console that can be used by any user with administrative privileges. These users can perform some actions operations on enrolled devices and the devices can retrieve those actions by requesting for the pending operations. This is done by either walking the device through a push notification or configuring the device to poll at a pre-compiled configured frequency.

Normally administrative tasks should be run from a manager node.

There are two major deployment patterns for the manager node. One could be running the manager node in the private network due to security constraints and other is allowing end users to access the management node so that they can control and view their devices.

A manager node is used to run background tasks that are necessary to the update the device information such as the location and applications installed.the list of installed applications. For more information on creating different profiles in WSO2 IoT Server, see Product Profiles.

Let's take a look at the steps to cluster WSO2 IoT Server:

Child pages (Children Display)

Tip
titleBefore you begin

You need the following to cluster WSO2 IoT Server:

Virtual machines used in a high availability cluster

The following is a list of virtual machines (VMs) that are used in a high availability cluster and their details.

  • Manager - 1 VM
  • Worker - 2 VMs
  • Key manager - 2 VMs
  • DBs - 1 MySQL instance

All the VMs have 4 cores and 4GB memory.

Open ports

80 and 443 are from the NGINX server.

The following ports need to be opened for Android and iOS devices so that it can connect to GCM (Google Cloud Message) and APNS (Apple Push Notification Service) and enroll to WSO2 IoT Server.

Android

The ports to open are 5228, 5229 and 5230. GCM typically uses only 5228, but it sometimes uses 5229 and 5230.

GCM does not provide specific IPs, so it is recommended to allow the firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.  

iOS

  • 5223 - TCP port used by devices to communicate to APNS servers

  • 2195 - TCP port used to send notifications to APNS

  • 2196 - TCP port used by the APNS feedback service

  • 443 - TCP port used as a fallback on Wi-Fi, only when devices are unable to communicate to APNS on port 5223

The APNS servers use load balancing. The devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it is best to allow this range in the firewall settings

...

Setting up the database

The following databases are needed when clustering WSO2 IoT Server.

...

App management database
(XXX)

...

The following databases are related to plugins. These enable you to keep the data that is essential for these devices to work (such as APNS related keys) and this data is not available in the CDM core database.

...

Stores the iOS related the data.

Info

If you have not configured WSO2 IoT Server for iOS, you won't have the database scripts in the given location. For more information on configuring WSO2 IoT Server for iOS, see iOS Configurations.

...

To change the datasource configurations, please change the following files.

Note

NOTE: Make sure to add the relevant JDBC library to the <IOTS_HOME>/lib directory. For example, add the mysql-connector-java-{version}.jar file to the <IOTS_HOME>/lib directory when using the mySQL database.

...

This file must include the datasource configuration for the following databases.

  • APIM database

  • Registry database

  • User management database
  • App Manager database
  • Store database
  • Social database

...

This file must include the datasource configuration for the following databases.

  • CDM core database

  • IOS plugin database

  • Android database

  • Windows database

Mounting the registry

See Remote Instance and Mount Configuration Details for more information on registry mounting and why it is useful. These must be done in all nodes. Do the following steps to configure this.

  1. O pen the <PRODUCT_HOME>/repository/conf/ datasources/master-datasources.xml file and add the following datasource configurations.

    Code Block
    languagexml
    <datasource>
             <name>WSO2REG_DB</name>
             <description>The datasource used for Registry database</description>
             <jndiConfig>
                   <name>jdbc/WSO2REG_DB</name>
             </jndiConfig>
             <definition type="RDBMS">
                   <configuration>
                        <url>jdbc:mysql://localhost:3306/C_REG</url>
                        <username>root</username>
                        <password></password>
                        <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                        <maxActive>50</maxActive>
                        <maxWait>60000</maxWait>
                        <testOnBorrow>true</testOnBorrow>
                        <validationQuery>SELECT 1</validationQuery>
                        <validationInterval>30000</validationInterval>
                   </configuration>
              </definition>
    </datasource>
  2. Add the following configurations to the <PRODUCT_HOME>/repository/conf/registry.xml file.

    Code Block
    languagexml
    <dbConfig name="mounted_registry">
            <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    
    <remoteInstance url="https://localhost:9443/registry">
            <id>instanceid</id>
            <dbConfig>mounted_registry</dbConfig>
            <readOnly>false</readOnly>
            <enableCache>true</enableCache>
            <registryRoot>/</registryRoot>
            <cacheId>root@jdbc:mysql://localhost:3306/C_REG</cacheId>
    </remoteInstance>
    
    <mount path="/_system/config" overwrite="true">
            <instanceId>instanceid</instanceId>
            <targetPath>/_system/config</targetPath>
    </mount>
    
    <mount path="/_system/governance" overwrite="true">
            <instanceId>instanceid</instanceId>
            <targetPath>/_system/governance</targetPath>
    </mount>

Configuring the load balancer

This section provides instructions on how to configure Nginx as the load balancer. You can use any load balancer for your setup and Nginx is used here as an example. This covers the configuration in the main Nginx configuration file.

The location of this file varies depending on how you installed the software on your machine. For many distributions, the file is located at /etc/nginx/nginx.conf. If it does not exist there, it may also be at /usr/local/nginx/conf/nginx.conf or /usr/local/etc/nginx/nginx.conf. You can create separate files inside the conf.d for each configuration. Three different configuration files are used for the Manager, Key Manager and Worker node in the example provided in this page.

  1. In the Key Manager, create a VHost file inside the /etc/nginx/conf.d  directory and add the following configurations into it.

    Code Block
    upstream keymgt.emm-c.wso2.com {
            ip_hash;
            server 192.168.57.149:9763;
            server 192.168.57.144:9763;
    }
    
    server {
            listen 80;
            server_name keymgt.emm-c.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://keymgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    upstream ssl.keymgt.emm-c.wso2.com {
        ip_hash;
        server 192.168.57.149:9443;
        server 192.168.57.144:9443;
    
    }
    
    server {
    listen 443;
        server_name keymgt.emm-c.wso2.com;
        ssl on;
        ssl_certificate /opt/keys/server.crt;
        ssl_certificate_key /opt/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.keymgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
  2. In the Manager node, create a VHost file inside the  /etc/nginx/conf.d  directory and add the following configurations into it.

    Code Block
    upstream mgt.emm-c.wso2.com {
            ip_hash;
            server 192.168.57.146:9763;
    }
    
    server {
            listen 80;
            server_name mgt.emm-c.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://mgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.mgt.emm-c.wso2.com {
        ip_hash;
        server 192.168.57.146:9443;
    
    }
    
    server {
    listen 443;
        server_name mgt.emm-c.wso2.com;
        ssl on;
        ssl_certificate /opt/keys/server.crt;
        ssl_certificate_key /opt/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.mgt.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
  3. In the Worker node, create a VHost file  inside the  /etc/nginx/conf.d  directory and add the following configurations into it.

    Code Block
    upstream wkr.emm-c.wso2.com {
            ip_hash;
            server 192.168.57.145:9763;
            server 192.168.57.142:9763;
    }
    
    server {
            listen 80;
            server_name wkr.emm-c.wso2.com;
            location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass http://wkr.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }
    
    
    
    upstream ssl.wkr.emm-c.wso2.com {
        ip_hash;
        server 192.168.57.145:9443;
        server 192.168.57.142:9443;
    
    }
    
    server {
    listen 443;
        server_name wkr.emm-c.wso2.com;
        ssl on;
        ssl_certificate /opt/keys/server.crt;
        ssl_certificate_key /opt/keys/server.key;
        location / {
                   proxy_set_header X-Forwarded-Host $host;
                   proxy_set_header X-Forwarded-Server $host;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                   proxy_set_header Host $http_host;
                   proxy_read_timeout 5m;
                   proxy_send_timeout 5m;
                   proxy_pass https://ssl.wkr.emm-c.wso2.com;
    
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
            }
    }

Generating SSL certificates to NGINX

Create SSL certificates for both the manager and worker nodes using the instructions that follow.

  1. Create the Server Key.
    $sudo openssl genrsa -des3 -out server.key 1024

  2. Certificate Signing Request.
    $sudo openssl req -new -key server.key -out server.csr

  3. Remove the password.
    $sudo cp server.key server.key.org
    $sudo openssl rsa -in server.key.org -out server.key

  4. Sign your SSL Certificate.
    $sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

While creating keys, enter the host name (*.emm-c.wso2.com) as the common name.

Add the public key of the NGINX server to the client_truststore.jks (you can download the public key from the browser). Use the following command to add the public key to client_truststore.jks

keytool -import -alias emm-c.wso2.com -file emm.wso2.com.crt -keystore <PRODUCT_HOME>/repository/resources/security/client-truststore.jks

Note

Note: If you need to configure iOS in your cluster, do not configure the SSL certificate in above way. You can use the SSL certificate generated in the 6th step of iOS Configuration document.

Configuring the manager node

EMM has three key consoles.

  • EMM console - For device management related tasks such as adding policies, operations, users, roles and devices.

  • Publisher - Used for adding and publishing the enterprise mobile applications.

  • Store - Device user can go and subscribe to the apps and it gets installed to the device.

The above three consoles could be running inside the company network due to security concerns or could be exposed through a load balancer.

Note

Note: There can be one EMM manager node if you use policy monitoring and policy change management. If you do not plan to use those, you can have a cluster of manager nodes.

Do the following to configure the manager node.

  1. In the <PRODUCT_HOME>/ repository/conf/security/authenticators.xml file, do the following configurations.  The hostURL, adminUsername, and adminPassword must be configured with the respective values in order to validate the OAuth token.

    Code Block
    languagexml
    <Authenticator name="OAuthAuthenticator" disabled="false">
    ...
            <Config>
                <Parameter name="isRemote">true</Parameter>
                <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter>
                <Parameter name="adminUsername">admin</Parameter>
                <Parameter name="adminPassword">admin</Parameter>
            </Config>
    </Authenticator>
  2. Change the ServerUrl of the IdentityConfiguration in the <PRODUCT_HOME>/repository/conf/security/cdm-config.xml file. Enable policy monitoring and device monitoring as shown in the following configuration sample. You can change the frequency of the tasks running by changing the MonitoringFrequency and Frequency in the PolicyConfiguration and TaskConfiguration.

    Code Block
    languagexml
    <IdentityConfiguration>
            <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
            <AdminUsername>admin</AdminUsername>
            <AdminPassword>admin</AdminPassword>
    </IdentityConfiguration>
    
    
    <PolicyConfiguration>
    ...
            <MonitoringEnable>true</MonitoringEnable>
            <MonitoringFrequency>60000</MonitoringFrequency>
    ...
    </PolicyConfiguration>
    
    <TaskConfiguration>
            <Enable>true</Enable>
            <Frequency>600000</Frequency>
           ……...
    </TaskConfiguration>
  3. Change the HostName and MgtHostName in the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Code Block
    languagexml
    <HostName>wkr.emm-c.wso2.com</HostName>
    <MgtHostName>mgt.emm-c.wso2.com</MgtHostName>
  4. Change the following in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm/app/conf directory. This must only be configured in the manager node as this is specific to the admin UI.

    Code Block
    ………………………….
        "httpsURL" : "https://mgt.emm-c.wso2.com",
        "httpURL" : "http://mgt.emm-c.wso2.com",
    ………………………….
        "oauthProvider": {
            "appRegistration": {
                "appType": "webapp",
                "clientName": "emm",
                "owner": "admin@carbon.super",
                "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register",
                "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants",
                "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer",
                "tokenScope": "admin",
                "callbackUrl": "https://mgt.emm-c.wso2.com/api/device-mgt/v1.0"
            },
            "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token"
        },
    ………………..
        "generalConfig" : {
            "host" : "https://wkr.emm-c.wso2.com",
    ………………...
        },
  5. Change the following in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory. This is used for the device agent download.

    Code Block
       "httpsURL" : "https://wkr.emm-c.wso2.com",
        "httpURL" : "http://wkr.emm-c.wso2.com",
        "enrollmentDir": "/emm-web-agent/enrollment",
        "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
        "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
        "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
        "adminService":"https://wkr.emm-c.wso2.com",
        "idPServer":"https://keymgt.emm-c.wso2.com",
        "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
        "oauthProvider": {
            "appRegistration": {
                "appType": "webapp",
                "clientName": "emm-web-agent",
                "owner": "admin@carbon.super",
                "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register",
                "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants",
                "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer",
                "tokenScope": "admin",
                "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0"
            },
            "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token"
        },
    …………..
        "generalConfig" : {
            "host" : "http://wkr.emm-c.wso2.com",
    …………………………..
        },

Configuring the worker node

Do the following to configure the worker node.

  1. In the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file, do the following configurations. The hostURL, adminUsername, and adminPassword must be configured with the respective values in order to validate the OAuth token.

    Code Block
    languagexml
    <Authenticator name="OAuthAuthenticator" disabled="false">
            <Priority>10</Priority>
            <Config>
                <Parameter name="isRemote">true</Parameter>
                <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter>
                <Parameter name="adminUsername">admin</Parameter>
                <Parameter name="adminPassword">admin</Parameter>
            </Config>
    </Authenticator>
  2. Change the ServerUrl of IdentityConfiguration in the <PRODUCT_HOME>/repository/conf/security/cdm-config.xml file. This is used by the worker node to validate the user details after the Key Manager validates the OAuth token. You must disable policy monitoring and device monitoring as indicated in the following code snippet.

    Code Block
    languagexml
    <IdentityConfiguration>
            <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
            <AdminUsername>admin</AdminUsername>
            <AdminPassword>admin</AdminPassword>
    </IdentityConfiguration>
    
    <PolicyConfiguration>
    ...
            <MonitoringEnable>false</MonitoringEnable>
            <MonitoringFrequency>60000</MonitoringFrequency>
    ...
    </PolicyConfiguration>
    
    
    <TaskConfiguration>
            <Enable>false</Enable>
            <Frequency>600000</Frequency>
    ...
    </TaskConfiguration>
  3. Change the HostName and MgtHostName in the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Code Block
    languagexml
    <HostName>wkr.emm-c.wso2.com</HostName>
    <MgtHostName>wkr.emm-c.wso2.com</MgtHostName>
  4. Change following in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory. These parameters are used to point to the NGINX URLs of worker nodes and the Key Manager. If this is not configured, the local IP address of the server is used.

    Code Block
       "httpsURL" : "https://wkr.emm-c.wso2.com",
        "httpURL" : "http://wkr.emm-c.wso2.com",
        "enrollmentDir": "/emm-web-agent/enrollment",
        "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
        "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
        "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
        "adminService":"https://wkr.emm-c.wso2.com",
        "idPServer":"https://keymgt.emm-c.wso2.com",
        "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
        "oauthProvider": {
            "appRegistration": {
                "appType": "webapp",
                "clientName": "emm-web-agent",
                "owner": "admin@carbon.super",
                "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register",
                "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants",
                "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer",
                "tokenScope": "admin",
                "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0"
            },
            "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token"
        },
    ...
        "generalConfig" : {
            "host" : "http://wkr.emm-c.wso2.com",
    ...
        },

Configuring the Key Manager node

Do the following configurations in the Key Manager node.

  1. Make sure that DB configurations are done and registry mounting is correctly set up.

  2. Configure the HostName. To do this, edit the <PRODUCT_HOME>/repository/conf/carbon.xml file as follows.
    <HostName>keymgt.emm.wso2.com</HostName>

Configuring the iOS server

The following are the steps involved when configuring iOS. Also see iOS Server Configurations in the WSO2 EMM documentation for more information.

  • Installing WSO2 EMM iOS features via the P2 repository

  • Configuring the general iOS server settings

  • Generating the MDM APNS certificate

You must be enrolled in the Apple Developer Program as an individual or organization before starting the iOS server configurations.

Follow the instructions given below to configure the iOS server-side configurations:

Installing WSO2 EMM iOS features via the P2 repository

For more information on installing the P2 repository, see Installing WSO2 EMM iOS features via the P2 Repository .

Configuring the general iOS server settings

...

Update the following parameters in the ios-config.xml file, which is in the <EMM_HOME>/repository/conf directory.  Enter the server IP or the server domain name for the following parameters.

Code Block
languagexml
<?xml version="1.0" encoding="ISO-8859-1"?>
<iOSEMMConfigurations>
    <!-- iOS MDM endpoint urls -->
    <iOSEnrollURL>https://wkr.emm-c.wso2.com/ios-enrollment/scep</iOSEnrollURL>
    <iOSProfileURL>https://wkr.emm-c.wso2.com/ios-enrollment/profile</iOSProfileURL>
    <iOSCheckinURL>https://wkr.emm-c.wso2.com/ios-enrollment/checkin</iOSCheckinURL>
    <iOSServerURL>https://wkr.emm-c.wso2.com/ios-enrollment/server</iOSServerURL>
</iOSEMMConfigurations>

Change the following properties in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory as follows.

Code Block
.....
    "enrollmentDir": "/emm-web-agent/enrollment",
    "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
    "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
    "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
    "adminService":"https://wkr.emm-c.wso2.com",
    "idPServer":"https://keymgt.emm-c.wso2.com",
    "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
   …………….
    "usernameLength":30,
    "device" : {
        "ios" : {
            "location" : "https://wkr.emm-c.wso2.com/emm-web-agent/public/mdm.page.enrollments.ios.download-agent/asset/ios-agent.ipa",
            "bundleID" : "org.wso2.carbon.emm.iOSMDMAgent",
            "version" : "1.0",
            "appName" : "EMM iOS Agent"
        }
    },

...

You must generate the Certificate Authority (CA), Registration Authority (RA) and SSL certificate. For more information on general iOS server configurations, see General iOS Server Configurations .

Note

Note: Once SSL certificates are generated and after following the rest of the steps, add the ia.crt and ia.key as the SSL certificates in NGINX.

Generating the MDM APNS certificate

For more information on generating the MDM APNS certificate, see Generating a MDM APNS Certificate .

Configuring the App Manager

For this release we are using WSO2 App Manager in the manager node. Applications will be uploaded to the manager node and URLs will be provided from the manager node. The devices will get them through the manager URLs.

To configure clustering with WSO2 App Manager, the Android agent has to be changed. Set the APP_MANAGER_HOST as http://mgt.emm-c.wso2.com in org.wso2.emm.agent.utils.Constants.

...

Configure single sign-on (SSO) for the Store and Publisher in the App Manager store and publisher. Change the following config elements in the <APPM_HOME>/repository/conf/app-manager.xml file.

  1. Change the ServerURL, Username and Password elements in the <AuthManager> section to point to the Identity Server URL and credentials.

    Code Block
    languagexml
    <ServerURL>https://keymgt.emm-c.wso2.com/services/</ServerURL>
  2. Change the providerURL element in the <SSOConfiguration> section as shown below:

    Code Block
    languagexml
    <IdentityProviderUrl>https://keymgt.emm-c.wso2.com/samlsso</IdentityProviderUrl><providerURL>https://keymgt.emm-c.wso2.com</providerURL>
  3. Change the ServerURL element in the <EntitlementServiceConfiguration> section as shown below:

    Code Block
    languagexml
    <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>

...

Change AppDownloadURLHost in <APPM_HOME>/repository/conf/app-manager.xml file.

Code Block
languagexml
<Config name="AppDownloadURLHost">http://mgt.emm-c.wso2.com</Config>

...

Change the identityProviderURL config in the <AppM_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file as shown below:

Code Block
languagexml
"ssoConfiguration": {
      "enabled": true,
      "issuer": "APPM_Store",
      "identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso",
      "keyStorePassword": "wso2carbon",
      "identityAlias": "wso2carbon",
      "responseSigningEnabled": "true",
      "storeAcs" : "https://mgt.emm-c.wso2.com/store/acs",
      "keyStoreName": "/repository/resources/security/wso2carbon.jks"
  },

...

Change the identityProviderURL element in the <AppM_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file as shown below:

Code Block
languagexml
"ssoConfiguration": {
      "enabled": true,
      "issuer": "APPM_Publisher",
      "identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso",
      "keyStorePassword": "wso2carbon",
      "identityAlias": "wso2carbon",
      "responseSigningEnabled": "true",
      "publisherAcs": "https://mgt.emm-c.wso2.com/publisher/sso",
      "keyStoreName": "/repository/resources/security/wso2carbon.jks"
  },

...

Start both the WSO2 App Manager and WSO2 Identity Server.

...

Log into the WSO2 Identity Server management console.

...

Click Add under Service Providers . This is found in the Main menu.

...

Give a name for the service provider and click Register .

...

You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section and click Configure .

...

Provide the configurations to register the App Store as the SSO service provider. These sample values may change depending on your configuration.

  1. Issuer: APPM_Store

  2. Assertion Consumer URL: https://mgt.emm-c.wso2.com/store/acs. This is the URL for the ACS page for your running store app.

  3. Select the following options:

    1. Enable Response Signing

    2. Enable Single Logout

...

Click Register once done.

...

Similarly, provide configurations to register the App Publisher and social apps as SSO service providers. These sample values may change depending in your configuration.

  1. Issuer: APPM_Publisher

  2. Assertion Consumer URL: https://mgt.emm-c.wso2.com/publisher/acs. This is the URL for the ACS page for your running publisher app.

  3. Select the following options:

    1. Enable Response Signing

    2. Enable Single Logout

...

.