UEM Certificates and CA

From idenprotect Knowledge Base
Jump to: navigation, search

Introduction

When users get enrolled with the idenprotect Core Platform, there are a number of possible use cases. One of those use cases is to use an idenprotect For Mobile application as an authentication delegate for BlackBerry Dynamics. If this is the use case you are planning to use, you will also need to ensure that you have configured one (or more) UEM servers.

This article discusses how to configure UEM to use idenprotect Certificates and how to configure UEM to use idenprotect as a Certificate Authority. For other information about the UEM configuration, please see our UEM Guide


Configuring UEM to use idenprotect keys and certificates

The idenprotect client generates signed key pairs that can be made available to the Blackberry Dynamics runtime which, in turn, can be used by Blackberry Dynamics applications for authenticating to web applications and servers via mutual TLS.

The BlackBerry Certificates and Runtime article explains the principles behind this. This article covers the configuration steps required on the UEM to allow idenprotect certificates and keys to be visible to the UEM server and BlackBerry runtime.

The steps required are

  1. Set up idenprotect as a CA connector
  2. Set up a credential profile to use that connector
  3. Allocate that profile to the user(s)
  4. Configure idenprotect for Blackberry to allow it be provide certificates
  5. Configure Blackberry Applications to allow them to use the provided certificates
  6. Allocate this profile to users


Configuring UEM to use idenprotect as a CA

The UEM needs to be configured to use idenprotect as a source of signed certificates (Certificate Authority). There are two ways of doing this.

1. Directly using the idenprotect for Blackberry Application

2. Via a PKI connector.

The direct approach is the preferred approach as it means the signed keys do not need to

leave the device. The PKI connector approach should only be used when the direct approach cannot be supported.

If using the PKI connector select PKI Connector required to True on the idenprotect server, for more information, see idenprotect for Mobile Configuration.

If using the direct approach, ensure that this is set to false.

Configuring idenprotect for Blackberry as a CA

From the UEM admin console home screen select

Settings->External Integration->Certification Authority

There you will see a list of options, select Add a connection for device-based certificates.

UEMaddCa.png

A search box will be shown, enter idenprotect and idenprotect for Blackberry should appear as an option.

Select idenprotect for Blackberry and give the connector a name

This now means the idenprotect for Blackberry application can act as a source of certificates and keys.

If idenprotect for Blackberry does not appear as an option, you need to ensure that it has been added as an application to the UEM server, see Add idenprotect to UEM

Configuring idenprotect PKI Connector

An alternative is to configure the UEM to use a PKI connector.

This requires an additional piece of software to be installed on the idenprotect server called PKI Proxy.

To configure the UEM to use this approach select the Add Blackberry Dynamics PKI connector option from the Certification Authority Menu.


Creating a Credentials Profile

From the main page on the UEM Admin Console go to

Policies and Profiles -> Certificates -> User Credential

Select the + button to add a new credential profile.

On this screen give the profile a name and a description and select the Certification authority connection configured in the previous step.

The name given to the credential profile must match the name set on the idenprotect Core Platform, refer to UEM Configuration

Uemcredentialprofile.png

Assigning the Credential Profile

Once the profile has been created it can be assigned to users or groups of users by selecting the profile name. Selecting the assigned to Users or assigned to the group tab. Selecting the edit option and adding users and groups as required.


Configuring Dynamics Apps

You have to configure applications on the UEM to use the keys/certificates created by the idenprotect profile. To do this go to the Apps screen on the UEM console, select the required application and scroll to the end of the page and select the option

"Allow BlackBerry Dynamics apps to use user certificates, SCEP profiles, and user credential profiles"

UEMallowCerts.png

This step must also be complete for the idenprotect for BlackBerry Application


Testing

Once the above configuration steps have been completed on the UEM and the corresponding settings on the idenprotect Core Platform then when the user generates a new Ephemeral Certificate (eg by entering flight mode on the client) then the certificate should be visible from the UEM console.

If the user then access and Dynamics App such as Blackberry Access, on the UEM console go to Users, select the user, and select certificates. You should see a certificate in this field and see the certificate associated with the Blackberry Application.

Trouble Shooting

If you get a message referring to a NULL credential profile, ensure that the idenprotect Core Platform has been set NOT to require a PKI Connector on the Config -> User Enrollment Client Configuration page. Also, check that the credential profile name on the UEM connection configuration matches the name set on the UEM server.

A message stating at a certificate cannot be retrieved or that the Blackberry is waiting for a certificate, then check that both the Dynamics application and the idenprotect application are enabled for the use of Certificate Profiles