Product Documentation

Configuring the XenMobile RSA Adapter

Apr 17, 2015

The XenMobile RSA Adapter provides an interface that allows Device Manager to submit certificate requests for a signature to an RSA Certificate Manager server. Device Manager submits a request to sign a certificate to the RSA adapter. The RSA Certificate Manager receives the request and uses the RSA Xuda Libraries to sign the certificate. The Certificate Manager returns the signed certificate to Device Manager.

Device Manager makes the certificate requests in order to generate device identity for mobile device management (MDM) mutual authentication, or to generate user credential certificates to be used in conjunction with WiFi, VPN, and Exchange ActiveSync profiles for both iOS and Android devices.

Prerequisites

Citrix recommends the following prerequisites:

  • Install the RSA Adapter on its own server, separate from the server running Device Manager, and use a 32-bit instance of Tomcat 6.0.
  • Device Manager Versions 7.0, 7.1, or 8.0.1.
  • JAVA SDK 1.6 or later.

XenMobile RSA Adapter Certificate Manager Requirements

To install the XenMobile RSA Adapter, the following RSA Certificate Manager configurations are required. For the proper settings, consult your RSA Certificate Manager Installation Guide.

RSA Certificate Manager Installable Elements
  • RSA CA Manager version 6.8 build 519 or later
  • RSA Certificate Authority Version 6.8 Build 519 or later
  • No special OSI-level privileges
RSA Certificate Manager Configurable Elements
  • Configuration of CRL publishing: N/A
  • Configuration of OCSP responder: N/A
  • Configuration of certificate publishing: N/A
Partner Product Installable Elements
  • Tomcat 6.0 or later, 32 bit
  • Java SDK 1.6 or later
Partner Product Configurable Elements
  • CRL checking mechanism: N/A
  • OCSP checking mechanism: N/A
  • Trust validation: N/A
  • Enrollment: N/A
  • General modifications to the partner product: N/A

Installing and Configuring the XenMobile RSA Adapter

The XenMobile RSA Adapter provides a mechanism for Device Manager to sign and revoke certificates against an RSA Certificate Authority Version 6.8. The RSA Adapter enables device identity for mobile device management (MDM) mutual authentication and user credential certificates for use in conjunction with WiFi, VPN, and Exchange ActiveSync profiles. You perform the following tasks to install the RSA Adapter:

  1. Set the Java SDK path on the Windows-based computer where you will install the RSA Adapter.
  2. Configure the correct port (80) on your Tomcat server.
  3. Copy the RSA Adapter installation and configuration files into a target installation directory.
  4. Edit the RSA Adapter properties file with values obtained from the RSA Certificate Authority Manager Console.
  5. Copy the RSA Certificate Authority Manager .cert and .key files to the installation computer.
  6. Execute the RSA Adapter installation executable to install the software.
  7. Verify the installation in a browser.

You perform the following tasks to configure the RSA Adapter:

  1. Create and configure a PKI entity profile in Device Manager to be able to connect to the RSA Web Services Description Language (WSDL).
  2. Create an iOS profile to enable use of the Certificate Authority.
  3. Add a new logger in the log4j configuration to ensure proper error handling and auditing.
  4. Configure the new PKI profile so it can be deployed to an iOS device and validated.

To install the RSA Adapter on Windows Server

Make sure you have access to the zenadapter.war file that is included as part of the RSA Adapter product distribution.

  1. On the Windows server where you are installing the RSA Adapter, add the bin directory of the Java SDK 1.6 or later to the PATH. For example: \Program Files (x86)\Java\jdk1.6.0_29\bin.
  2. Next, configure the Tomcat server to run on port 80, instead of the default port of 8080:
    1. Navigate to %TOMCAT_HOME%/conf directory.
    2. Edit the server.xml file as follows:
      • Change the non-SSL connector to:
        <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
        <Connector port="80" … />
      • Change the SSL connector to:
        <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
        <Connector port="443" … />
  3. On the installation computer, create a new directory named C:\zenprise.
  4. Unzip and copy the entire contents of the RSA Adapter zip package to the directory named C:\zenprise.
  5. Create a passphrase file that stores the passphrase the RSA Adapter will use. Before you execute this command, make sure you are logged on as the Service Account user, and that this is the same Service Account that the Tomcat server runs as.
  6. Open the Windows command prompt and change directories to the location of the C:\zenprise folder.
  7. From this directory, execute the following command: java -jar WinDPHarness <passphrase filename> <passphrase>
    Note: Record the file path you pass as <passphrase filename> in this command, because you will need it when you edit the prop.txt file in the following step.
  8. Open the C:\zenprise\prop.txt file in a text editor and set the following attributes in the file, for example:
    • ldapport=636
    • ldaphost=rsa1.kqe.zenprise.com
    • camd5=a2064dd584c7025f03ceb0443ca0fe9e
    • keyfile=C:\\zenprise\\admin.key
    • certfile=C:\\zenprise\\admin.cert
    • protectFlag=0
    • juriID=fe109c4d64430faf6d614c08b75312b0b7e31226
    • passphrasefile=C:\\zenprise\\passcode.txt
    • profileflag=1
    • profileID=AC1E02D427C3D8
    • keepldapopen=1
    Note: These property values are available in your RSA Certificate Authority Manager console. Refer to your RSA Certificate Authority Manager guide for instructions on where to find them.
  9. From the RSA Certificate Authority Manager server, copy the two RSA CA Manager files (.cert and .key) to the C:\zenprise folder on the computer where you are installing the RSA Adapter.
  10. Copy the zenadapter.war file to the %TOMCAT_HOME%\webapps folder.
  11. From your command prompt, execute the following commands:
    cd %TOMCAT_HOME%\webapps
    jar xvf zenadapter.war
    Then stop and start Tomcat.
  12. Verify that the installation was successful. In Internet Explorer (8 or later), navigate to http://<HOST_WITH_ADAPTER_TOMCAT_INSTANCE>/zenadapter.war. A page with the adapter WSDL and link should appear.
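As an added pre-flight check (not part of the Citrix documentation or of the adapter itself), the following Python script parses a prop.txt written with the keys from step 8 and reports missing keys, malformed camd5 and juriID values, and key, certificate or passphrase files that are not at the path the file names. The sample content, the hostname rsa1.example.com and the hex values are constructed placeholders.

```python
import os
import re

# Keys that step 8 above lists for C:\zenprise\prop.txt.
REQUIRED = ("ldapport", "ldaphost", "camd5", "keyfile", "certfile", "protectFlag",
            "juriID", "passphrasefile", "profileflag", "profileID", "keepldapopen")

def parse_props(text):
    """Parse key=value lines; returns (props, lines that have no '=' separator)."""
    props, bad = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # tolerates 'ldaphost= host'
        else:
            bad.append(line)  # e.g. '-' typed instead of '=' is not silently lost
    return props, bad

def check_props(props, path_exists=os.path.exists):
    """Return a list of problems (empty means usable); path_exists is injectable
    so the check can run somewhere other than the adapter host."""
    problems = ["missing key: " + k for k in REQUIRED if k not in props]
    if not props.get("ldapport", "").isdigit():
        problems.append("ldapport must be numeric (636 for LDAP over SSL)")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", props.get("camd5", "")):
        problems.append("camd5 must be 32 hex characters (an MD5 digest)")
    if not re.fullmatch(r"[0-9a-fA-F]{40}", props.get("juriID", "")):
        problems.append("juriID must be 40 hex characters")
    for key in ("keyfile", "certfile", "passphrasefile"):
        # prop.txt escapes backslashes Java-style (C:\\zenprise\\admin.key).
        path = props.get(key, "").replace("\\\\", "\\")
        if path and not path_exists(path):
            problems.append("%s does not exist: %s" % (key, path))
    return problems

# Constructed sample with placeholder hex values; 'profileflag-1' reproduces a
# separator typo so the findings show how it is caught.
SAMPLE = """ldapport=636
ldaphost= rsa1.example.com
camd5= 0123456789abcdef0123456789abcdef
keyfile=C:\\\\zenprise\\\\admin.key
certfile=C:\\\\zenprise\\\\admin.cert
protectFlag=0
juriID=0123456789abcdef0123456789abcdef01234567
passphrasefile=C:\\\\zenprise\\\\passcode.txt
profileflag-1
profileID=AC1E02D427C3D8
keepldapopen=1
"""
```

On the adapter host, pass the contents of C:\zenprise\prop.txt to parse_props and the result to check_props before running the installer. Because prop.txt names the CA administrator key and the passphrase file, restrict read access on C:\zenprise to the Tomcat service account.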

To configure the RSA Adapter in the Device Manager web console

To configure the RSA adapter in the Device Manager web console, you first configure a new PKI entity. Next, you create a new iOS profile to enable use of the Certificate Authority.

To configure a new PKI entity

  1. Log on to the Device Manager web console and then click Options.
  2. In the XenMobile Server Options dialog box, under PKI, click Entities.
  3. In the PKI entities configuration screen, click New and then click New generic PKI entity.
  4. Enter a name and then enter a URL for the WSDL that you installed when you finished the RSA Adapter installation. For example: http://zdm.zenprise.com/gpki/sample.
  5. If the adapter is available over HTTPS/SSL, upload the SSL client certificate. If you are not using SSL, skip to the next step.
  6. Click Load.
  7. Test the connection to the adapter. Click the Capabilities tab and then click Ping. A "Ping Successful" message should appear.

To create a new iOS profile

  1. Click the Policies tab, click to expand iOS and then click Configurations.
  2. Create a new policy for the PKI authority that you installed by clicking New Profile.
  3. On the same server running Device Manager, add a new logger in the log4j configuration to ensure proper error handling and auditing. In Internet Explorer, navigate to the following Web address based on your installation: http://<host>/<instance>/log.jsp
  4. Navigate to the bottom of the table and add a new logger entry for com.sparus.nps.pki.
  5. Set the logging level to TRACE.
  6. Test the deployment profile on a new iOS device by moving the new PKI package into the Resources to Deploy section so you can deploy the package to an iOS device.
  7. Register a new device that is targeted with the package and verify that you see the new certificate on the iOS device. If the package does not deploy, check the log file and then contact IT support.