This section includes the details on how to generate the Certificate Authority (CA), Registration Authority (RA) and SSL certificate. For more information, check out the subsections given below:


Prerequisites 

Configuring iOS server-side configurations

Follow the instructions below to configure the iOS server-side configurations:

  1. Generate an Apple Push Notification Service (APNS) certificate.

    In the documentation you are directed to, follow the steps under the Configuring Push Notifications section to generate an APNS certificate.

    Info: Why is this step required?

    In iOS, the server passes messages to the client via the Apple Push Notification Service (APNS). When doing so in order to establish a secure connection between the EMM and the APNS server, a client SSL certificate needs to be generated and downloaded from Apple Inc. This APNS certificate is used to send an awake message to the iOS agent application.

  2. Create a new file named openssl.cnf in a preferred location.

  3. Add the following configuration to the openssl.cnf file so that version 3 certificates are generated:

    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints=CA:TRUE
    keyUsage = digitalSignature, keyEncipherment

    [ v3_ca ]
    # Extensions for a typical CA
    # PKIX recommendation.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    basicConstraints = critical,CA:true
    # So we do this instead.
    #basicConstraints = CA:true
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as a test self-signed certificate it is best
    # left out by default.
    keyUsage = digitalSignature, keyCertSign, cRLSign
    Info: Why is this step required?

    The CA, RA, and SSL certificates will be generated using the OpenSSL toolkit as explained in steps 4, 5 and 6 respectively. Therefore the openssl.cnf file must be configured as explained above.

  4. In the location where you created and saved the openssl.cnf file, run the following commands to generate a self-signed Certificate Authority (CA) certificate (version 3) and convert it to the .pem format:

    Info

    It is assumed that the commands are run from the location where the newly created openssl.cnf file was saved.

    1. openssl genrsa -out <CA PRIVATE KEY> 4096
      For example: openssl genrsa -out ca_private.key 4096
    2. openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
      For example: openssl req -new -key ca_private.key -out ca.csr
    3. openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca -extfile <PATH-TO-THE-NEWLY-CREATED-openssl.cnf-FILE>
      For example: openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca -extfile ./openssl.cnf
    4. openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
      For example:  openssl rsa -in ca_private.key -text > ca_private.pem
    5. openssl x509 -in <CA CRT> -out <CA CERT PEM>
      For example: openssl x509 -in ca.crt -out ca_cert.pem
  5. In the same location, run the following commands to generate a Registration Authority (RA) certificate (version 3), sign it with the CA, and convert the certificate to the .pem format:

    Info

    It is assumed that the commands are run from the location where the newly created openssl.cnf file was saved.

    1. openssl genrsa -out <RA PRIVATE KEY> 4096
      For example:  openssl genrsa -out ra_private.key 4096

    2. openssl req -new -key <RA PRIVATE KEY> -out <RA CSR>
      For example: openssl req -new -key ra_private.key -out ra.csr
    3. openssl x509 -req -days <DAYS> -in <RA CSR> -CA <CA CRT> -CAkey <CA PRIVATE KEY> -set_serial <SERIAL NO> -out <RA CRT> -extensions v3_req -extfile <PATH-TO-THE-NEWLY-CREATED-openssl.cnf-FILE>
      For example: openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key -set_serial 02 -out ra.crt -extensions v3_req -extfile ./openssl.cnf
    4. openssl rsa -in <RA PRIVATE KEY> -text > <RA PRIVATE PEM>
      For example: openssl rsa -in ra_private.key -text > ra_private.pem
    5. openssl x509 -in <RA CRT> -out <RA CERT PEM>
      For example: openssl x509 -in ra.crt -out ra_cert.pem
  6. Generate the SSL certificate (version 3) based on your domain/IP address:

    Note

    If you have already obtained an SSL certificate for your domain, you can skip this step and use that SSL certificate in step 7.

    Info

    You must add your IP address/domain as the Common Name; otherwise provisioning will fail.

    1. Generate an RSA key.
      openssl genrsa -out <RSA_key>.key 4096
      For example:
      openssl genrsa -out ia.key 4096
    2. Generate a CSR file.
      openssl req -new -key <RSA_key>.key -out <CSR>.csr
      For example:
      openssl req -new -key ia.key -out ia.csr
      Enter your server IP address/domain name (e.g., 192.168.1.157) as the Common Name; otherwise provisioning will fail.
    3. Generate the SSL certificate
      openssl x509 -req -days 730 -in <CSR>.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial <serial number> -out ia.crt
      For example: 
      openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial 044324343 -out ia.crt
  7. Export the SSL, CA and RA files as PKCS12 files with an alias.

    1. Export the SSL file as a PKCS12 file with wso2carbon as the alias.

      Note

      If you are using intermediate certificates, make sure to create a single certificate file that includes all of them by concatenating them with the cat <CERTIFICATE 1> <CERTIFICATE 2> ... >> <CERTIFICATE CHAIN> command. Use the generated certificate chain in the next step.

      openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in ia.crt -CAfile ca_cert.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile ca_cert.pem -name "wso2carbon"

    2. Export the CA file as a PKCS12 file with an alias.
      openssl pkcs12 -export -out <CA>.p12 -inkey <CA private key>.pem -in <CA Cert>.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
      In the above example, cacert has been used as the CA alias. 
    3. Export the RA file as a PKCS12 file with an alias.
      openssl pkcs12 -export -out <RA>.p12 -inkey <RA private key>.pem -in <RA Cert>.pem -chain -CAfile <CA cert>.pem -name "<alias>"
      For example:
      openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile ca_cert.pem -name "racert"
      In the above example, racert has been used as the RA alias. 
    Info: Why is this step required?

    A PKCS12 file is used to store many cryptographic objects as a single file. The certificates and their private keys that were generated using the above commands are stored in PKCS12 files so that they can be imported into the respective KeyStores as shown in step 9.

  8. Copy the three P12 extension files to the <EMM_HOME>/repository/resources/security directory.

    Info: Why is this step required?

    The <EMM_HOME>/repository/resources/security directory is where the WSO2 EMM KeyStores are stored.
    Example KeyStores: wso2carbon.jks, client-truststore.jks and wso2certs.jks.

  9. Import the generated P12 extension files as follows:
    1. Import the generated <KEYSTORE>.p12 file into the wso2carbon.jks and client-truststore.jks in the <EMM_HOME>/repository/resources/security directory.
      keytool -importkeystore -srckeystore <KEYSTORE>.p12 -srcstoretype PKCS12 -destkeystore <wso2carbon.jks/client-truststore.jks>

      Info
      • When prompted, enter the keystore password and the keystore key password as wso2carbon.
      • When prompted to replace an existing entry that has the same name as wso2carbon, enter yes.
        Example: Existing entry alias wso2carbon exists, overwrite? [no]:  yes

      For example:
      keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
      keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jks

    2. Import the generated <CA>.p12 and <RA>.p12 files into the wso2certs.jks file, which is in the <EMM_HOME>/repository/resources/security/ directory.
      keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks

      For example:
      keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks
      Enter the keystore password as wso2carbon and the keystore key password as cacert.

      keytool -importkeystore -srckeystore ra.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks
      Enter the keystore password as wso2carbon and the keystore key password as racert.

      Info: Troubleshooting

      Why does the following error occur: "keytool error: java.io.IOException: Invalid keystore format"?

      If you enter the wrong private key password when importing the <CA>.p12 or <RA>.p12 files, the wso2certs.jks file will get corrupted and the above error message will appear.

      In such a situation, delete the wso2certs.jks file and execute the following command to import the generated <CA>.p12 and <RA>.p12 files into the wso2certs.jks file again.
      keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2certs.jks

      When the above command is executed, WSO2 EMM will automatically create a new wso2certs.jks file with the imported file.

  10. The default EMM keystore details are defined under the <CertificateKeystore> XML element in the certificate-config.xml file, which is in the <EMM_HOME>/repository/conf/ directory. Therefore, if any of the following details are changed, the change needs to be reflected in <CertificateKeystore>:

    • EMM Certificate Keystore file location
    • EMM Certificate Keystore type
    • EMM Certificate Keystore password
    • Certificate authority certificate alias
    • Certificate authority private key password
    • Registration authority certificate alias
    • Registration authority private key password

    Example:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <CertificateConfigurations>
        <CertificateKeystore>
            <!-- Certificate Keystore file location -->
            <CertificateKeystoreLocation>${carbon.home}/repository/resources/security/wso2certs.jks</CertificateKeystoreLocation>
            <!-- Certificate Keystore type (JKS/PKCS12 etc.) -->
            <CertificateKeystoreType>JKS</CertificateKeystoreType>
            <!-- Certificate Keystore password -->
            <CertificateKeystorePassword>wso2carbon</CertificateKeystorePassword>
            <!-- Certificate authority certificate alias -->
            <CACertAlias>cacert</CACertAlias>
            <!-- Certificate authority private key password -->
            <CAPrivateKeyPassword>cacert</CAPrivateKeyPassword>
            <!-- Registration authority certificate alias -->
            <RACertAlias>racert</RACertAlias>
            <!-- Registration authority private key password -->
            <RAPrivateKeyPassword>racert</RAPrivateKeyPassword>
        </CertificateKeystore>
    </CertificateConfigurations>
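Steps 3 to 6 above run end to end, as an added example that is not part of the original WSO2 EMM page: it writes the page's openssl.cnf sections, generates the CA, RA and server certificates non-interactively, and then checks what the steps only state (v3 certificates, a chain that validates against the CA, and the server IP/domain as the CN). It assumes openssl is on the PATH; the subject names are constructed for the demo.

```shell
# Added example, not from the original WSO2 EMM page: runs steps 3 to 6 above
# non-interactively in a scratch directory, then checks what the page only states:
# CA and RA certs are X.509 v3, RA and server certs chain to the CA, and the
# server cert's CN is the server IP/domain. Subject names are constructed.
set -eu

# Build the CA, RA and server certificates under $1 for server name $2.
build_chain() (
    cd "$1"; cn=$2
    # Step 3: the two extension sections the page adds to openssl.cnf.
    cat > openssl.cnf <<'EOF'
[ v3_req ]
basicConstraints=CA:TRUE
keyUsage = digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = digitalSignature, keyCertSign, cRLSign
EOF
    # Step 4: self-signed CA; -subj replaces the interactive "openssl req" prompts.
    openssl genrsa -out ca_private.key 4096 2>/dev/null
    openssl req -new -key ca_private.key -out ca.csr -subj "/CN=Demo EMM CA"
    openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt \
        -extensions v3_ca -extfile ./openssl.cnf 2>/dev/null
    openssl rsa -in ca_private.key -out ca_private.pem 2>/dev/null
    openssl x509 -in ca.crt -out ca_cert.pem
    # Step 5: RA certificate signed by the CA with the v3_req extensions.
    openssl genrsa -out ra_private.key 4096 2>/dev/null
    openssl req -new -key ra_private.key -out ra.csr -subj "/CN=Demo EMM RA"
    openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key \
        -set_serial 02 -out ra.crt -extensions v3_req -extfile ./openssl.cnf 2>/dev/null
    openssl x509 -in ra.crt -out ra_cert.pem
    # Step 6: server certificate; its CN must be the server IP/domain.
    openssl genrsa -out ia.key 4096 2>/dev/null
    openssl req -new -key ia.key -out ia.csr -subj "/CN=$cn"
    openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem \
        -set_serial 044324343 -out ia.crt 2>/dev/null
)

# Returns 0 only if every property the later import steps rely on holds.
check_chain() {
    openssl verify -CAfile "$1/ca_cert.pem" "$1/ra_cert.pem" "$1/ia.crt" >/dev/null &&
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'Version: 3' &&
    openssl x509 -in "$1/ra.crt" -noout -text | grep -q 'Version: 3' &&
    openssl x509 -in "$1/ia.crt" -noout -subject | grep -q -e "CN = $2" -e "CN=$2"
}

dir=$(mktemp -d)
build_chain "$dir" 192.168.1.157 && check_chain "$dir" 192.168.1.157 && echo "chain OK in $dir"
```

The generated files carry the page's names (ca_cert.pem, ra_cert.pem, ia.crt, ia.key), so the directory printed at the end can be used directly for the PKCS12 exports in step 7.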

What's next

Obtain the signed CSR file and follow the next step to complete the iOS server configurations.