Product Documentation

Authentication

Feb 27, 2017

Several components play a role in authentication during XenMobile operations:

  • XenMobile server: The XenMobile server is where you define the security involved in enrollment as well as the enrollment experience. Options for onboarding users include whether to make the enrollment open for all or by invitation only and whether to require two-factor or three-factor authentication. Through client properties in XenMobile, you can enable Citrix PIN authentication and configure the complexity and expiration time of the PIN. 
  • NetScaler: NetScaler provides termination for micro VPN SSL sessions, provides network in-transit security, and lets you define the authentication experience used each time a user accesses an app.
  • Secure Hub: Secure Hub works with XenMobile server in enrollment operations. Secure Hub is the entity on a device that talks to NetScaler: If a session expires, Secure Hub gets an authentication ticket from NetScaler and passes the ticket to the MDX apps. Citrix recommends use of certificate pinning, which prevents man-in-the-middle attacks. For more information, see the section on certificate pinning in the Secure Hub article.

    Secure Hub also facilitates the MDX security container: Secure Hub pushes policies, creates a new session with NetScaler when an app times out, and defines the MDX timeout and authentication experience. Secure Hub is also responsible for jailbreak detection, geolocation checks, and any policies you apply.
  • MDX policies: MDX policies create the data vault on the device. MDX policies direct micro VPN connections back to NetScaler, enforce offline mode restrictions, and enforce client policies, such as time-outs.

For more information about the considerations that come into play when deciding how to configure authentication, including an overview of single-factor and two-factor methods, see the Deployment Handbook Authentication article.

You use certificates in XenMobile to create secure connections and authenticate users. The remainder of this article discusses certificates. For other configuration details, see the following articles:

Certificates

By default, XenMobile comes with a self-signed Secure Sockets Layer (SSL) certificate that is generated during installation to secure the communication flows to the server. Citrix recommends you replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority (CA).

XenMobile also uses its own Public Key Infrastructure (PKI) service, or obtains certificates from the CA, for client certificates. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or SAN certificates.

Client certificate authentication provides an extra layer of security for mobile apps and lets users seamlessly access HDX apps. When client certificate authentication is configured, users enter their Citrix PIN for single sign-on access to XenMobile-enabled apps. Citrix PIN also simplifies the user authentication experience. Citrix PIN is used to secure a client certificate or to save Active Directory credentials locally on the device.

To enroll and manage iOS devices with XenMobile, you need to set up and create an Apple Push Notification service (APNs) certificate from Apple. For steps, see APNs certificates.

The following table shows the certificate format and type for each XenMobile component:

XenMobile component: NetScaler Gateway
  Certificate format: PEM (BASE64); PFX (PKCS#12)
  Required certificate type: SSL, Root
  Note: NetScaler Gateway converts PFX to PEM automatically.

XenMobile component: XenMobile server
  Certificate format: .p12 (.pfx on Windows-based computers)
  Required certificate type: SSL, SAML, APNs
  Note: XenMobile also generates a full PKI during the installation process.

XenMobile component: StoreFront
  Certificate format: PFX (PKCS#12)
  Required certificate type: SSL, Root

XenMobile supports SSL listener certificates and client certificates with bit lengths of 4096, 2048, and 1024. Be aware that 1024-bit certificates are easily compromised.

For NetScaler Gateway and the XenMobile server, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway or the XenMobile configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or XenMobile.

Uploading certificates in XenMobile

Each certificate you upload is represented by an entry in the Certificates table, summarizing its contents. When you configure PKI integration components that require a certificate, you are prompted to choose from a list of the server certificates that satisfy the context-dependent criteria. For example, you might want to configure XenMobile to integrate with your Microsoft CA. The connection to the Microsoft CA should be authenticated using a client certificate.

This section provides general procedures for uploading certificates. For details about creating, uploading, and configuring client certificates, see Client certificate or certificate plus domain authentication.

Private key requirements

XenMobile may or may not possess the private key for a given certificate. Likewise, XenMobile may or may not require a private key for certificates you upload.

Uploading certificates to the console

When uploading certificates to the console, you have two main options:

  • You can import a keystore and then identify the entry in the keystore that you want to install (the entry prompt does not apply when you upload a PKCS#12 file).
  • You can click to import a certificate.

You can upload the CA certificate (without the private key) that the CA uses to sign requests, and you can upload an SSL client certificate (with the private key) for client authentication. When configuring the Microsoft CA entity, you need to specify the CA certificate, which you can then select from a list of all server certificates that are CA certificates. Likewise, when configuring client authentication, you can select from a list of all the server certificates for which XenMobile has the private key.

To import a keystore

By design, keystores, which are repositories of security certificates, can contain multiple entries. When loading from a keystore, therefore, you are prompted to specify the entry alias that identifies the entry you want to load. If you do not specify an alias, the first entry from the store is loaded. Because PKCS#12 files usually contain only one entry, the alias field does not appear when you select PKCS#12 as the keystore type.

1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

2. Click Certificates. The Certificates page appears.


3. Click Import. The Import dialog box appears.

4. Configure these settings:

  • Import: In the list, click Keystore. The Import dialog box changes to reflect available keystore options.
  • Keystore type: In the list, click PKCS#12.
  • Use as: In the list, click how you will use the certificate. The available options are:
    • Server. Server certificates are certificates used functionally by the XenMobile server that are uploaded to the XenMobile web console. They include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you may use server certificates as storage for certificates you want to deploy to devices. This use especially applies to CAs used to establish trust on the device.
    • SAML. Security Assertion Markup Language (SAML) certification allows you to provide single sign-on (SSO) access to servers, websites, and apps.
    • APNs. Apple Push Notification service (APNs) certificates from Apple enable mobile device management via the Apple Push Network.
    • SSL Listener. The Secure Sockets Layer (SSL) Listener notifies XenMobile of SSL cryptographic activity.
  • Keystore file: Browse to the keystore file you want to import, of file type .p12 (or .pfx on Windows-based computers).
  • Password: Type the password assigned to the certificate.
  • Description: Optionally, type a description for the keystore to help you distinguish it from your other keystores.

5. Click Import. The keystore is added to the Certificates table.

To import a certificate

When importing a certificate, either from a file or a keystore entry, XenMobile attempts to construct a certificate chain from the input and imports all certificates in that chain (creating a server certificate entry for each). This operation only works if the certificates in the file or keystore entry really do form a chain, that is, if each subsequent certificate in the chain is the issuer of the previous certificate.

You can add an optional description to the imported certificate to help you identify it. The description only attaches to the first certificate in the chain. You can update the description of the remaining certificates later.
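The chain-building step described above, as an added example that is not Citrix or XenMobile code: given a set of certificates in any order, it finds the leaf, follows issuer links up to the self-signed root, and rejects input that does not form a single chain (a missing intermediate, two leaves, or unrelated leftovers). It works on (subject, issuer) name pairs, which is all the ordering needs; the CertInfo class and the sample certificate names are assumptions, and in a real importer those names come from parsing the PEM or DER input.

```python
"""Order a set of certificates into a chain, leaf first.

Added example, not Citrix or XenMobile code: it shows the ordering step an
importer must perform before creating one entry per certificate. It works on
(subject, issuer) name pairs, which is all the ordering needs; in a real importer
those names come from parsing the PEM or DER input. The sample certificates
below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of an X.509 certificate for chain building (assumed type)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(certs: list) -> list:
    """Return the certificates ordered leaf -> intermediates -> root.

    Raises ValueError when the input is not a single chain in which each
    certificate is the issuer of the previous one: no unique leaf, an issuer
    that is missing from the input (a gap), a cycle, or leftover certificates.
    """
    if not certs:
        raise ValueError("no certificates supplied")
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subjects; cannot order the chain")

    # A single self-signed certificate is a chain of one (a root CA).
    if len(certs) == 1 and certs[0].self_signed:
        return list(certs)

    # The leaf is the only non-self-signed certificate that issued nothing else.
    issuer_names = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issuer_names and not c.self_signed]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")

    chain = [leaves[0]]
    seen = {leaves[0].subject}
    while not chain[-1].self_signed:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError(f"gap in chain: no certificate for issuer {chain[-1].issuer!r}")
        if issuer.subject in seen:
            raise ValueError("issuer cycle detected")
        chain.append(issuer)
        seen.add(issuer.subject)

    # Everything supplied must have been consumed by the walk.
    if len(chain) != len(certs):
        extra = sorted(c.subject for c in certs if c.subject not in seen)
        raise ValueError(f"certificates not part of the chain: {extra}")
    return chain


# Constructed sample: a leaf, its issuing CA and the root, deliberately shuffled.
SAMPLE_CERTS = [
    CertInfo("CN=Example Issuing CA", "CN=Example Root CA"),
    CertInfo("CN=Example Root CA", "CN=Example Root CA"),
    CertInfo("CN=xenmobile.example.com", "CN=Example Issuing CA"),
]


if __name__ == "__main__":
    for position, cert in enumerate(build_chain(SAMPLE_CERTS)):
        print(position, cert.subject)
    try:  # drop the intermediate to show the gap detection
        build_chain([SAMPLE_CERTS[1], SAMPLE_CERTS[2]])
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script prints the three sample certificates in leaf-to-root order, then shows the rejection message produced when the issuing CA is left out, which is the case the text warns about: the file holds certificates, but they do not form a chain.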

1. In the XenMobile console, click the gear icon in the upper-right corner of the console and then click Certificates.

2. On the Certificates page, click Import. The Import dialog box appears.

3. In the Import dialog box, in Import, if it is not already selected, click Certificate.

4. The Import dialog box changes to reflect available certificate options. In Use as, click how you will use the certificate. The available options are:

  • Server. Server certificates are certificates used functionally by the XenMobile server that are uploaded to the XenMobile web console. They include CA certificates, RA certificates, and certificates for client authentication with other components of your infrastructure. In addition, you may use server certificates as storage for certificates you want to deploy to devices. This option especially applies to CAs used to establish trust on the device.
  • SAML. Security Assertion Markup Language (SAML) certification allows you to provide single sign-on (SSO) access to servers, websites, and apps.
  • SSL Listener. The Secure Sockets Layer (SSL) Listener notifies XenMobile of SSL cryptographic activity.

5. Browse to the keystore file you want to import, of file type .p12 (or .pfx on Windows-based computers).

6. Browse to find an optional private key file for the certificate. The private key is used for encryption and decryption in conjunction with the certificate.

7. Optionally, type a description for the certificate to help you distinguish it from your other certificates.

8. Click Import. The certificate is added to the Certificates table.

Updating a certificate

XenMobile only allows one certificate per public key to exist in the system at any given time. If you attempt to import a certificate for the same key pair as an already imported certificate, you have the option to either replace the existing entry or to delete the entry.

To most effectively update your certificates, in the XenMobile console, click the gear icon on the upper-right corner of the console to open the Settings page and then click Certificates. In the Import dialog box, import the new certificate.

When you update a server certificate, components that were using the previous certificate automatically switch to using the new certificate. Likewise, if you have deployed the server certificate on devices, the certificate automatically updates on the next deployment.

XenMobile Certificate Administration

We recommend that you keep track of the certificates you use in your XenMobile deployment, especially their expiration dates and associated passwords. This section is intended to help you make certificate administration in XenMobile easier.

Your environment may include some or all of the following certificates:

XenMobile Server
SSL Certificate for MDM FQDN
SAML Certificate (For ShareFile)
Root & Intermediate CA Certificates for the preceding certificates and any other internal resources (StoreFront/Proxy, etc.)
APNS Certificate for iOS Device Management
Internal APNs Certificate for XenMobile server Secure Hub Notifications
PKI User Certificate for connectivity to PKI

MDX Toolkit
Apple Developer Certificate
Apple Provisioning Profile (per application)
Apple APNS Certificate (for use with Citrix Secure Mail)
Android KeyStore File
Windows Phone – Symantec Certificate

NetScaler
SSL Certificate for MDM FQDN
SSL Certificate for Gateway FQDN
SSL Certificate for ShareFile SZC FQDN
SSL Certificate for Exchange Load Balancing (offload configuration)
SSL Certificate for StoreFront Load Balancing
Root & Intermediate CA Certificates for the preceding certificates

XenMobile Certificate Expiration Policy

If you allow a certificate to expire, the certificate becomes invalid: you can no longer run secure transactions in your environment, and you cannot access XenMobile resources.

Note

The Certification Authority (CA) will prompt you to renew your SSL certificate prior to the expiration date.

APNs certificate for Citrix Secure Mail

Because Apple Push Notification service (APNs) certificates expire every year, make sure to create a new APNs SSL certificate and update it in the Citrix portal before the current certificate expires. If the certificate expires, users face inconsistent Secure Mail push notifications, and you can no longer send push notifications for your apps.

APNs certificate for iOS device management

In order to enroll and manage iOS devices with XenMobile, you need to set up and create an APNs certificate from Apple. If the certificate expires, users cannot enroll in XenMobile and you cannot manage their iOS devices. For details, see APNs certificates.

You can view the APNS certificate status and expiration date by logging on to the Apple Push Certificates Portal. Make sure to log on as the same user who created the certificate.

You will also receive an email notification from Apple 30 and 10 days before the expiration date with the following information:

"The following Apple Push Notification Service certificate, created for AppleID CustomersID will expire on Date. Revoking or allowing this certificate to expire will require existing devices to be re-enrolled with a new push certificate.

Please contact your vendor to generate a new request (a signed CSR), then visit https://identity.apple.com/pushcert to renew your Apple Push Notification Service certificate.

Thank You,

Apple Push Notification Service"

MDX Toolkit (iOS distribution certificate)

Any app that runs on a physical iOS device (other than apps in the Apple App Store) must be signed with a provisioning profile and a corresponding distribution certificate.

To verify that you have a valid iOS distribution certificate, do the following:

1. From the Apple Enterprise Developer portal, create an explicit App ID for each app you plan to wrap with the MDX Toolkit. An example of an acceptable App ID is: com.CompanyName.ProductName.
2. From the Apple Enterprise Developer portal, go to Provisioning Profiles > Distribution and create an in-house provisioning profile. Repeat this step for each App ID created in the previous step.
3. Download all provisioning profiles. For details, see Wrapping iOS Mobile Apps.

To confirm that all XenMobile server certificates are valid, do the following:

1. In the XenMobile console, click Settings and then click Certificates.
2. Make sure that all certificates, including APNS, SSL Listener, Root, and Intermediate certificates, are valid.

Android keystore

The keystore is a file that contains the certificates used to sign your Android app. When your key's validity period expires, users can no longer seamlessly upgrade to new versions of your app.

Enterprise certificate from Symantec for Windows phones

Symantec is the exclusive provider of code signing certificates for the Microsoft App Hub service. Developers and software publishers join App Hub to distribute Windows Phone and Xbox 360 applications for download through the Windows Marketplace. For details, see Symantec Code Signing Certificates for Windows Phone in the Symantec documentation.
 
If the certificate expires, Windows phone users cannot enroll, install an app published and signed by the company, or start a company app that was installed on the phone.

NetScaler

For details on how to handle certificate expiration for NetScaler, see How to handle certificate expiry on NetScaler in the Citrix Support Knowledge Center.

An expired NetScaler certificate prevents users from enrolling, accessing the Store, connecting to Exchange Server when using Secure Mail, and enumerating and opening HDX apps (depending on which certificate expired). 

The Expiry Monitor and Command Center can help you keep track of your NetScaler certificates and notify you when a certificate is about to expire. These two tools help you monitor the following NetScaler certificates:

SSL Certificate for MDM FQDN
SSL Certificate for Gateway FQDN
SSL Certificate for ShareFile SZC FQDN
SSL Certificate for Exchange Load Balancing (offload configuration)
SSL Certificate for StoreFront Load Balancing
Root and Intermediate CA Certificates for the preceding certificates
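The kind of expiry tracking this article recommends for the whole inventory (the XenMobile server, MDX Toolkit and NetScaler certificates listed in the Certificate Administration section, and the expiration policy above), as an added example that is not Citrix, XenMobile or Command Center code. The inventory record format, the AUDIT_DATE, and every record value are constructed assumptions; the notAfter strings use the format Python's ssl.getpeercert() returns, so the same audit can run over certificates read from live listeners with the peer_not_after helper. The 30- and 10-day warning thresholds mirror the notices Apple sends for APNs certificates, and the key-size check flags keys below 2048 bits, since the article notes that 1024-bit certificates are easily compromised.

```python
"""Audit a certificate inventory for approaching expiry and weak keys.

Added example, not Citrix or XenMobile code. The inventory format is an
assumption: each record carries the component, a label, the key size in bits
and a notAfter string in the format Python's ssl.getpeercert() returns
('Feb 27 12:00:00 2027 GMT'), so the same audit can run over certificates read
from live listeners. All records and the audit date below are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Warning thresholds in days; 30 and 10 mirror the notices Apple sends for APNs.
WARN_DAYS = (30, 10)
# Keys below this size are flagged; 1024-bit keys are considered easily compromised.
MIN_KEY_BITS = 2048

# Constructed inventory covering the certificate types an environment may include.
INVENTORY = [
    {"component": "XenMobile server", "label": "SSL listener (MDM FQDN)",
     "key_bits": 2048, "notAfter": "Mar 15 00:00:00 2017 GMT"},
    {"component": "XenMobile server", "label": "APNs (iOS device management)",
     "key_bits": 2048, "notAfter": "Mar 05 00:00:00 2017 GMT"},
    {"component": "NetScaler", "label": "SSL (Gateway FQDN)",
     "key_bits": 1024, "notAfter": "Feb 27 00:00:00 2018 GMT"},
    {"component": "NetScaler", "label": "Root CA",
     "key_bits": 4096, "notAfter": "Jan 01 00:00:00 2027 GMT"},
    {"component": "MDX Toolkit", "label": "Symantec (Windows Phone)",
     "key_bits": 2048, "notAfter": "Feb 01 00:00:00 2017 GMT"},
]

# Constructed audit date (the article's publication date) so the output is reproducible.
AUDIT_DATE = datetime(2017, 2, 27, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` to the certificate's notAfter (negative once expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def audit(inventory, now, warn_days=WARN_DAYS, min_key_bits=MIN_KEY_BITS):
    """Return one finding per problem: expired, expiring within a threshold, or weak key."""
    findings = []
    for cert in inventory:
        where = f"{cert['component']}: {cert['label']}"
        remaining = days_until_expiry(cert["notAfter"], now)
        if remaining < 0:
            findings.append({"cert": where, "issue": "expired", "days": remaining})
        else:
            # Report against the tightest threshold the certificate has crossed.
            for threshold in sorted(warn_days):
                if remaining <= threshold:
                    findings.append({"cert": where, "days": remaining,
                                     "issue": f"expires within {threshold} days"})
                    break
        if cert.get("key_bits", min_key_bits) < min_key_bits:
            findings.append({"cert": where, "days": remaining,
                             "issue": f"weak key ({cert['key_bits']} bits)"})
    return findings


def audit_inventory():
    """Run the audit over the constructed inventory at the constructed date."""
    return audit(INVENTORY, AUDIT_DATE)


def peer_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from a live listener (needs network access; not used by the sample run)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for finding in audit_inventory():
        print(f"{finding['issue']:<24} {finding['days']:>5}d  {finding['cert']}")
```

Run against the constructed inventory, the audit reports the MDM listener certificate inside the 30-day window, the APNs certificate inside the 10-day window, the 1024-bit gateway key as weak even though it is a year from expiry, and the Windows Phone signing certificate as already expired; the root CA produces no finding. Scheduling this audit daily and alerting on any non-empty result gives the same early warning for XenMobile server and MDX Toolkit certificates that the Expiry Monitor provides for NetScaler.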