Product Documentation

Configuring Device Manager with Microsoft Active Directory Certificate Services

Jan 31, 2011
You can configure Device Manager with Microsoft Active Directory Certificate Services (Microsoft Certificate Services) to generate user certificates for certificate-based authentication. Device Manager can also be configured as a registration authority to generate requests and to issue device identity certificates with Microsoft Certificate Services. In addition, you can configure Device Manager to use external SSL server certificates and digital signature certificates from other PKI-trusted certificate authorities.
Important: Changing the digital signature certificate or the SSL certificate authority disables the management of currently enrolled devices and requires reenrollment of all devices.

Device Manager makes certificate requests to Microsoft Certificate Services through web enrollment, acting as a client to Microsoft Certificate Services and requesting certificates on behalf of users with enrolled devices. This section describes how to create a Microsoft Certificate Server entity and how to configure Device Manager to request certificates for users.

Prerequisites

  • The server providing Microsoft Certificate Services must be running on one of the following platforms:
    • Windows Server 2012 Enterprise and Standard editions
    • Windows Server 2008 R2 Service Pack 1 Enterprise and Standard editions
  • If your Microsoft Certificate Services server is running on Windows Server 2008 R2, you must install Microsoft update KB980436. For details, see http://support.microsoft.com/kb/980436.
  • Ensure that communication is possible between Device Manager and the Microsoft Certificate Services server. The default port is 443.
  • Enable web enrollment for Microsoft Certificate Services.
  • Configure Microsoft Internet Information Services (IIS) to use the SSL protocol and to accept client certificate authentication.
  • Export to the Device Manager server the client certificate in .p12 format that is used to authenticate against Microsoft Certificate Services and make it accessible.

To enable Web enrollment for Microsoft Certificate Services

  1. In Administrative Tools, click Server Manager.
  2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
  3. Select Add Role Services to install Certificate Authority Web Enrollment, if needed.
  4. Select Certificate Authority Web Enrollment and then click Next.
  5. Click Close or Finish when the installation is complete.

To enable IIS Web services

  1. Go to Administrative Tools and then click Server Manager.
  2. Select Server Roles.
  3. Select the Active Directory Certificate Services role and the Web Server IIS role and then click Install.
  4. Close the Server Manager.

To configure Microsoft Internet Information Services (IIS) for self-signed or external certificates

  1. Go to Administrative Tools and then click Server Manager.
  2. Under Web Server (IIS), under Internet Information Services (IIS), select the server node at the top of the tree and then click Server Certificates.
  3. Create a self-signed certificate or import an external certificate.

To configure Microsoft Internet Information Services

  1. In Administrative Tools, select Server Manager.
  2. Under Web Server (IIS), under Role Services, verify that Client Certificate Mapping Authentication and IIS Client Certificate Mapping Authentication are installed. If not, install these role services.
  3. In Administrative Tools, click Internet Information Services (IIS) Manager.
  4. In the left-hand pane of the IIS Manager window, select the server running the IIS instance for web enrollment and then click Authentication.
  5. Make sure Active Directory Client Certificate Authentication is Enabled.
  6. Click Sites and then in the right pane, click Bindings.
  7. Add an HTTPS binding if one does not exist.
  8. Go to Web Server (IIS) > Sites > Default Web Site > CertSrv.
  9. Click SSL Settings and then click Accept for Client Certificates.

To create a certificate template for XenMobile certificate requests

  1. Open an MMC Console with a domain administrator account and then add a Snap-In for Certificate Templates.
  2. Open Certificate Templates.
  3. Right-click the User template and then click Duplicate Template.
  4. Select Windows 2003 Server for the template type and then click OK.
  5. In Template Display Name, enter a display name for the new template. Note the actual Template Name because you will need it later in the configuration.
  6. Optionally, select Publish certificate in Active Directory.
  7. Click the Request Handling tab and then specify Signature and Encryption.
  8. Enable or disable Allow private key to be exported.
  9. Select Enroll subject without requiring any user input.
  10. Select Supply in the request.
  11. Click OK on the warning window.
  12. Click the Security tab.
  13. Grant enroll permissions to a user account that will be making the certificate requests from Device Manager.
  14. Open MMC and add a Snap-In for Certification Authority. Expand the CA server and then right-click Certificate Templates.
  15. Make sure that the user template exists within Certificate Templates; otherwise, the server will be unable to issue a user certificate.
  16. Click New and then click Certificate Template to Issue. Select the certificate template you created in the preceding steps.

To generate the XenMobile client certificate

You can request a certificate from any system in the domain; however, make sure to log on using domain service account credentials. The domain account must have local administrator rights to the system requesting a certificate from the Certificate Server.
  1. Either run as a domain user or initiate a Remote Desktop session to a system using Domain User credentials.
  2. Open a web browser and open the web enrollment page for Microsoft Certificate Services. This page is usually https://server.company.com/certsrv (certsrv is case-sensitive).
  3. Click Request a Certificate.
  4. Click User Certificate and then click Submit.
  5. Click Install the Certificate.

To export the client certificate

The client certificate that you request must be exported as a .p12 or PKCS12 certificate and copied to the Device Manager server.
  1. Export the certificate as a .p12 or PKCS12 certificate from the web browser or from the Certificates console on the CA server.
  2. Open an MMC Console and add the Certificates Snap-in.
  3. Right-click the certificate that you requested and then click All Tasks and Export.
  4. In the Certificate Export window, click Next.
  5. Click Yes to export the private key.
  6. Enter a password for the exported certificate. You will need to remember this password.
  7. Enter a file name for the certificate export and then click Next.
    Note: The file name cannot contain spaces.
  8. Click Finish.
  9. Copy the filename.pfx or filename.p12 to the Device Manager server and specify a location.
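Before copying the exported bundle to the Device Manager server, it is worth confirming that it really contains what the entity configuration will need: the private key, a matching certificate that has not expired, and the client authentication extended key usage that IIS client certificate mapping checks. The script below is an added example written for this page, not part of the Citrix documentation. It assumes the openssl command-line tool (1.1.1 or later) is installed and that the exported file is a PKCS#12 bundle protected by the password chosen in step 6; the function names check_client_p12 and make_demo_p12, and the two throw-away identities the latter constructs for the demonstration, are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Citrix documentation): sanity-check an exported
# .p12 client certificate before copying it to the Device Manager server.
# Requires the openssl CLI, 1.1.1 or later (for -addext in the demo helper).

# check_client_p12 FILE PASSWORD
# Returns 0 when FILE is a PKCS#12 bundle that opens with PASSWORD, carries a
# private key matching its certificate, the certificate has not expired, and the
# certificate has the TLS Web Client Authentication extended key usage.
# Prints the first failed check and returns 1 otherwise.
check_client_p12() {
    p12=$1; pw=$2
    tmp=$(mktemp -d) || return 1
    cert="$tmp/cert.pem"; key="$tmp/key.pem"

    # 1. the bundle must open with the given password and contain a certificate
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts \
            -out "$cert" 2>/dev/null; then
        echo "cannot open $p12 (wrong password or not a PKCS#12 file)"; rm -rf "$tmp"; return 1
    fi
    # 2. it must also contain the private key (step 5 of the export procedure)
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
            -out "$key" 2>/dev/null; then
        echo "no private key in $p12"; rm -rf "$tmp"; return 1
    fi
    # 3. the key must belong to the certificate: compare the public keys
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "private key does not match the certificate"; rm -rf "$tmp"; return 1
    fi
    # 4. the certificate must still be valid now
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"; rm -rf "$tmp"; return 1
    fi
    # 5. IIS client certificate authentication needs the clientAuth EKU
    eku=$(openssl x509 -in "$cert" -noout -text | awk '/Extended Key Usage/{getline; print}')
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "certificate lacks the clientAuth extended key usage"; rm -rf "$tmp"; return 1 ;;
    esac
    rm -rf "$tmp"
    return 0
}

# make_demo_p12 DIR PASSWORD
# Constructs two self-signed test identities (demo data, not real credentials):
# DIR/good.p12 with the clientAuth EKU and DIR/bad.p12 with serverAuth only.
make_demo_p12() {
    dir=$1; pw=$2
    for name in good bad; do
        if [ "$name" = good ]; then eku=clientAuth; else eku=serverAuth; fi
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" \
            -subj "/CN=demo-$name" -addext "extendedKeyUsage=$eku" 2>/dev/null || return 1
        openssl pkcs12 -export -in "$dir/$name.pem" -inkey "$dir/$name.key" \
            -out "$dir/$name.p12" -passout "pass:$pw" -name "$name" || return 1
    done
}

# Run with --demo to see both outcomes; in normal use call
# check_client_p12 /path/to/filename.p12 'password' directly.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_p12 "$d" demo-pass
    check_client_p12 "$d/good.p12" demo-pass && echo "good.p12: OK"
    check_client_p12 "$d/bad.p12" demo-pass || echo "bad.p12: rejected as expected"
    rm -rf "$d"
fi
```

The check runs entirely on the machine holding the file, so it can be done on the Device Manager server after the copy in step 9 as well; a failure at check 5 means the certificate was requested from a template without the Client Authentication purpose and step 4 of the request procedure should be repeated with the right template.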

To configure a Microsoft certificate server entity

  1. In the Device Manager web console, click Options.
  2. In the Options dialog box, on the left side, select PKI > Entities.
  3. Click New > New MsCertSrv entity.
  4. In the Add a MsCertSrv entity dialog box, on the General tab, enter the following information:
    1. Entity name. Type a name for your new entity, which you’ll use later to refer to that entity. Entity names must be unique.
    2. Service root URL. The base URL of your Microsoft CA web enrollment service; for example, https://192.168.2.113/certsrv/. The URL may use plain HTTP or HTTP-over-SSL.
    3. certnew.cer page name. The name of the certnew.cer page, if you have renamed it for some reason. If not, you can leave this field empty.
    4. certfnsh.asp page name. The name of the certfnsh.asp page, if you have renamed it for some reason. If not, leave this field empty.
    5. Authentication type. Select No authentication, HTTP-Basic Authentication, or SSL client certificate authentication. For the latter, you will have to upload the SSL client certificate to the repository with its private key and then select it.
  5. Click the Templates tab. List the Certificate templates for your Microsoft CA. Note that those must be the internal names, not the display names.
  6. Click the Custom HTTP parameters tab. On this tab, you can specify custom parameters that XenMobile should inject in the HTTP request to the Microsoft Web Enrollment interface. This will only be useful if you have customized scripts running on the CA.
  7. Click the CA Certificates tab. On this tab, you will be required to inform XenMobile of the signers of the certificates that the system will obtain through this entity. When your CA certificate is renewed, all you need to do is update it in the repository and then the change will be applied to the entity transparently.
  8. Click Create.

To configure a Microsoft certificate services policy

Before you configure a Microsoft certificate services policy, you need to configure a Microsoft CA credential provider in the Device Manager Options dialog box. Then, you can create the policy that references the provider. For details, see To create a Credential Provider using external PKI entities.

  1. Click the Policies tab.
  2. On the left-hand pane, under iOS, click Configuration profiles.
  3. Click New Configuration > Profiles and Settings > Credentials.
  4. In the Credential configuration creation dialog box, on the General tab, enter the following information:
    1. Identifier. Type a name that identifies the profile uniquely to the user. This name must not be in use by any other profile: if it matches the identifier of an existing policy, that policy will be overwritten.
    2. Display name. Type a name of the profile as it will appear in the Device Manager web console.
    3. Organization. Type your company or organization name.
    4. Description. Type an optional description to describe the policy.
    5. In the Allow Profile Removal section, choose one of the following:
      • Always. Allows the profile to always be removable.
      • Authentication. Allows you to enter a required password that is used when profile is removed. Requires a password.
      • Never. Prevents the profile from ever being removed.
    6. Select the Automatic Removal Date check box if you want to select a specific date on which to remove the profile.
    7. Select the Duration until removal (in days) check box to specify a period of time after which the profile will automatically be removed.
  5. Click the Credential tab and then configure the following settings:
    1. Credential Type. Select Credential Provider.
    2. Credential Provider. Select the Microsoft CA credential provider you previously configured in the Device Manager Options dialog box.
  6. Click Create.

This policy can now be deployed to iOS devices. For information, see Creating Deployment Packages.

Configuring an OpenTrust PKI Adapter for Device Manager

XenMobile OpenTrust Adapter was validated with OpenTrust PKI Version 4.7.1 (r131349).

The XenMobile OpenTrust Adapter is a web application running on Tomcat. It requires the following environment:

  • Windows Server 2008 R2
  • Java Standard Edition 7 Development Kit (32-bit version) or Java Standard Edition 6 Development Kit (32-bit version; minimum version 1.6.0_29)
  • Apache Tomcat 7.0.27

Note: You only need the Tomcat core features. The manager and documentation are optional. After installation, you can also delete the directory <tomcat_dir>/webapps/ROOT.
The XenMobile OpenTrust Adapter provides an interface that allows Device Manager to submit certificate requests for a signature to an OpenTrust Certificate Manager server. Device Manager submits a request to the OpenTrust adapter to sign a certificate. The OpenTrust Certificate Manager receives the request, signs the certificate, and returns it to Device Manager. Device Manager makes these certificate requests in order to generate device identity for mobile device management mutual authentication, or user credential certificates to be used in conjunction with Wi-Fi, VPN, and Exchange ActiveSync profiles for iOS devices. XenMobile recommends that the OpenTrust Adapter is installed on a separate server from the Device Manager host, using its own instance of Tomcat 7.0.

To install OpenTrust Adapter

  1. Copy the provided WAR file to the Tomcat webapps directory. You can change the WAR file name to fit the usage of this adapter instance (wifi_certificate, exchange_certificate, and so on).
  2. Start Tomcat. It will automatically expand and install the web application in its directory.
  3. To check that the adapter is properly running, connect to http://<server_name>:<port>/<adapter_name>/. A page listing the available SOAP services appears.

To obtain an authentication certificate from OpenTrust PKI

The authentication between the OpenTrust Adapter and the OpenTrust PKI server is secured by using a client certificate that needs to be generated from the OpenTrust PKI server.
  1. Log in to the OpenTrust PKI server, browse to Enrollment Entity and then click Request a Certificate.
  2. Select Other and then click Next.
  3. Select Authentication and then click Next.
  4. Enter the required parameters and then click Next.
  5. You now need to validate the certificate request. Navigate to Registration Authority > Enrollment > List Certificate Requests.
  6. Select your certificate request and then click Process selected requests.
  7. Click Approve.
  8. You now need to retrieve the certificate. Navigate to Enrollment Entity > Search for a Certificate > Enrollment.
  9. Enter your search criteria and then click Search.
  10. Find your certificate and then click the name.
  11. Click Integrate this certificate into your browser (or smartcard).
  12. Open the certificate store of your web browser. For example, with Firefox, navigate to Options, click the Encryption tab and then click View Certificates.
  13. In the Certificate Manager, click the Your Certificates tab.
  14. Select your certificate and then click Backup.
  15. Enter the password and save the resulting p12 file. You will need the file and password when you configure the adapter.

To set up access rights on OpenTrust PKI

You need to provide the required access rights to the generated identity.
  1. Navigate to Access Control.
  2. Select the User.
  3. If you already have a group defined to allow SOAP access to the Registration Authority, you can add this user to the group. Select the group and then click Save.
  4. To give individual rights to that user, click the Rights on Modules tab.
  5. Select the Execute check box to give access rights to the Registration Authority.
  6. Click the Rights on Zones & Profiles tab.
  7. For each profile you want the user to be able to control, next to Enrollment, select the Execute check box.
  8. Click Save.

To configure the OpenTrust adapter

  1. Open the file opentrust_adapter.properties in tomcat/webapps/<adapter_name>/WEB-INF/classes and set the following keys:

     Key                  Value
     OpenTrust.RA.Url     Web address used to access the SOAP interface of the OpenTrust PKI server
     Enrollment.Profile   OpenTrust Profile name used by this instance
     KeyPair.FileName     Path to the key pair (the p12 file saved above) used to authenticate to the OpenTrust PKI SOAP interface
     KeyPair.Psw          Password of the above-mentioned key pair

To set the connection to the adapter

  1. To configure Device Manager with your adapter, on the Options menu, click PKI Entity.
  2. Click New and then enter the required information:
     Parameter              Value
     Entity Name            Name the adapter connection.
     URL                    Enter the URL of the adapter web services interface: http://<server>:<port>/<adapter_name>/GpkiAdapter?wsdl
     Certificate path       If you are using an authenticated HTTPS connection, select your client cert (p12).
     Certificate password   Enter the password for the p12.

  3. Click Load to initiate the connection with the adapter.
  4. Click Ping to check the connectivity.
  5. Click Create to save the adapter configuration.

To configure an iOS profile to deliver certificates to iOS devices

To deliver certificates to iOS devices, you need to configure an iOS profile in Device Manager. For more information about configuring PKI integration with Device Manager, see About XenMobile PKI.
  1. Click the Policies tab.
  2. On the left side, under iOS, click Configurations.
  3. Create a new policy for the PKI authority that you installed by clicking New Configuration > Profiles and Settings > Credentials.
  4. On the General tab, enter the following information:
    1. Identifier. Enter a unique identifier to distinguish the certificate policy.
    2. Display name. Enter a name that will be used to label the policy on the device.
    3. Organization. Enter your company name here.
    4. Description. Type an optional description.
  5. In Allow profile removal operation, click one of the following options:
    • Always: This option allows the profile to always be removable.
    • Authentication: Allows you to enter a required password that is used when the profile is removed. Requires a password.
    • Never: Prevents the profile from ever being removed.
  6. Select the Automatic Removal Date check box to specify a date on which you want to remove the profile.
  7. Select the Duration until removal (in days) check box to enable you to set a period of time after which the profile will automatically be removed.
  8. On the Credential tab, enter the following information:
    1. Credential name. Provide a unique name for the credential.
    2. Description. Optionally, type a description for the credential.
    3. Credential Type. Select a credential type according to the PKI configuration you have set up for Device Manager, such as a certificate, a keystore, a server certificate, or a credential provider.
    4. Credential file path, Server certificate, or Credential provider. Select the path or the name of the credential you are adding to the policy. If you are using a Keystore file, you need to provide the keystore password.
  9. Click Create.

To configure an OpenTrust adapter to use HTTPS by using a self-signed certificate

If you want the adapter to be accessible using HTTPS, you need to configure the Tomcat connector accordingly. You can configure the adapter by using a self-signed certificate. This process uses openssl and java keytool.

  1. Create a directory called certs. In that directory, create another directory called ca.
  2. Create a root CA. You need to adapt the subject name and passwords to fit your needs. In the certs directory, issue the following commands:
    # 1024-bit RSA is the key size of the original procedure; 2048 bits or more is the current minimum
    openssl genrsa -aes256 -passout pass:zenprise -out ca/ca.key 1024
    openssl req -new -x509 -passin pass:zenprise -key ca/ca.key -out ca/ca.pem -days 3650 -subj "/C=US/ST=CA/L=RWC/O=Zenprise/OU=Zenprise/CN=ZenTestCA/emailAddress=none@zenprise.com"
    # DER copy of the root certificate, imported into the Device Manager truststore in step 7
    openssl x509 -inform PEM -in ca/ca.pem -outform DER -out ca.crt
  3. Create an HTTPS certificate using that CA. Change at least the CN to fit the XenMobile OpenTrust Adapter server name. For example:
    openssl genrsa -aes256 -passout pass:zenprise -out server-key.pem 1024
    # the CN value must not carry quotes of its own inside the quoted -subj string
    openssl req -new -passin pass:zenprise -subj "/C=US/ST=CA/L=RWC/O=Zenprise/OU=Zenprise/CN=MyServerName.zenprise.com/emailAddress=none@zenprise.com" -key server-key.pem -out server.csr
    # -days belongs on the signing command; without it the server certificate is valid for only 30 days
    openssl x509 -req -days 3650 -passin pass:zenprise -in server.csr -out server-crt.pem -CA ca/ca.pem -CAkey ca/ca.key -CAcreateserial -CAserial ca.srl
  4. Create a p12 containing your key and certificate.
    openssl pkcs12 -export -in server-crt.pem -inkey server-key.pem -out MyServerName.p12 -name server
  5. Create a Java keystore containing that PKCS12 file.
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore MyServerName.p12 -srcstoretype PKCS12 -alias server
  6. Modify the Tomcat server.xml file to create the HTTPS connector. The file needs to reference the keystore previously created.
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="C:\Zenprise\Apache Software Foundation\Tomcat 7.0\conf\keystore.jks" keystorePass="changeit"/>
  7. Import the root certificate into the Java keystore of Device Manager so that this server certificate can be trusted. On the Device Manager server, issue the following command:
    keytool -import -trustcacerts -alias root -file ca.crt -keystore cacerts
    The keystore file used by Java (cacerts) is usually located in C:\Program Files\Java\jdk1.6.0_22\jre\lib\security.

To configure Device Manager to generate identity certificates from OpenTrust adapter

You need to generate a certificate from OpenTrust with the following keyUsage:

  • keyEncipherment
  • digitalSignature

In addition, you need an OpenTrust root certificate and a CA certificate.
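The pki.xml comments further down require that the RA certificate be issued directly by the CA certificate configured as caCertificate, and that the CA chain to the root; a mismatch only shows up after the service restart, when enrollment fails. The script below checks all of that with openssl before the configuration is committed. It is an added example, not part of the Citrix documentation or of OpenTrust; it assumes the certificates are available in PEM form and that openssl 1.1.1 or later is installed. The functions key_usage_of, dn_of, check_ra_cert and make_demo_pki are this example's own, as is the throw-away chain the last one constructs. That chain is built the same way as the self-signed CA procedure above, with the extensions made explicit, and goes beyond the two-tier case there by placing an issuing CA under the root, which is the shape the OT_Root_cert / OT_CA_cert / OT_RA_cert beans describe.

```shell
#!/bin/sh
# Added example (not part of the Citrix documentation): verify that an RA
# identity meets the requirements stated for pki.xml: keyUsage digitalSignature
# AND keyEncipherment, issued directly by the CA certificate, which chains to
# the root. Requires the openssl CLI, 1.1.1 or later.

# key_usage_of CERT: prints the decoded X509v3 Key Usage values,
# e.g. "Digital Signature, Key Encipherment"
key_usage_of() {
    openssl x509 -in "$1" -noout -text | awk '/X509v3 Key Usage/{getline; sub(/^ +/, ""); print}'
}

# dn_of FIELD CERT: prints the subject or issuer DN of CERT without the
# "subject=" / "issuer=" prefix, so the two can be compared
dn_of() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# check_ra_cert RA_CERT CA_CERT ROOT_CERT
# Returns 0 only if every requirement holds; prints the first failure otherwise.
check_ra_cert() {
    ra=$1; ca=$2; root=$3
    ku=$(key_usage_of "$ra")
    case "$ku" in *"Digital Signature"*) ;; *) echo "RA cert lacks keyUsage digitalSignature"; return 1 ;; esac
    case "$ku" in *"Key Encipherment"*) ;; *) echo "RA cert lacks keyUsage keyEncipherment"; return 1 ;; esac
    # the issuer of the RA cert must be exactly the CA named in caCertificate
    if [ "$(dn_of issuer "$ra")" != "$(dn_of subject "$ca")" ]; then
        echo "RA cert is not issued by the configured CA"; return 1
    fi
    # and the signatures along RA -> CA -> root must verify
    if ! openssl verify -CAfile "$root" -untrusted "$ca" "$ra" >/dev/null 2>&1; then
        echo "RA cert does not chain to the root"; return 1
    fi
    return 0
}

# make_demo_pki DIR
# Constructs a throw-away three-tier PKI (demo data, not real credentials):
# root.pem, ca.pem, and three end-entity certs: ra-good.pem (both key usages,
# issued by the CA), ra-bad.pem (digitalSignature only) and ra-wrongca.pem
# (right key usages but issued by the root instead of the CA).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/ca.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days 1825 -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null || return 1
    for name in good bad wrongca; do
        ku="digitalSignature,keyEncipherment"; signer=ca
        if [ "$name" = bad ]; then ku="digitalSignature"; fi
        if [ "$name" = wrongca ]; then signer=root; fi
        printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,%s\n' "$ku" > "$dir/ra-$name.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo RA $name" \
            -keyout "$dir/ra-$name.key" -out "$dir/ra-$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/ra-$name.csr" -CA "$dir/$signer.pem" -CAkey "$dir/$signer.key" \
            -CAcreateserial -days 365 -extfile "$dir/ra-$name.ext" -out "$dir/ra-$name.pem" 2>/dev/null || return 1
    done
}

# Run with --demo to see all three outcomes; in normal use call
# check_ra_cert otadmin.pem otinter.pem otroot.pem directly.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    for name in good bad wrongca; do
        check_ra_cert "$d/ra-$name.pem" "$d/ca.pem" "$d/root.pem" && echo "ra-$name.pem: OK"
    done
    rm -rf "$d"
fi
```

If the RA identity is only available as a p12 (as in the OT_RA_cert bean), extract its certificate first with openssl pkcs12 -nokeys -clcerts and run the check on the PEM; a DER .cer file such as otroot.cer can be converted with openssl x509 -inform DER before use.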

Caution: This procedure will invalidate all certificates used previously by Device Manager. All devices using a certificate to authenticate, such as iOS and Android, Symbian, and Windows Mobile using Strong Authentication mode will need to be reenrolled.
  1. Modify pki.xml. This file is located in tomcat/webapps/zdm/WEB-INF/classes. Open it with a text editor and modify it as shown below; the parts to add or change are the beans whose ids begin with OT_ and the shtpCa and iosMdmCa properties that point them at OT_CA. Keep in mind the following considerations:
    • Path to the certificates
    • keyUsage of the certs
    • Name of the OpenTrust connector in the console
    • The CSR template that has to match your profile definition on the OpenTrust PKI Server
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="
    http://www.springframework.org/schema/beans     http://www.springframework.org/schem...-beans-3.0.xsd
    ">

        <bean id="legacyRoot" class="com.sparus.nps.pki.def.PublicCertFileParams"
              p:certificateFilePath="${ios.mdm.pki.ca-root.certificatefile}"
              p:publiclyTrusted="false"
        />

        <bean id="legacyIOsDevicesCa" class="com.sparus.nps.pki.def.KeyStoreParams"
              p:keyStoreType="${ios.mdm.pki.ca-mdm.keystoretype}"
              p:keyStorePath="${ios.mdm.pki.ca-mdm.certificatefile}"
              p:entryAlias=""
              p:keyStorePass="${ios.mdm.pki.ca-mdm.privatekey.password}"
              p:publiclyTrusted="false"
              p:issuerParams-ref="legacyRoot"
        />

        <!-- SHTP is the proprietary protocol ZDM uses to communicate
            with Windows and Android devices -->

        <bean id="legacyShtpDevicesCa" class="com.sparus.nps.pki.def.KeyStoreParams"
              p:keyStoreType="${secure.device.keystore.type}"
              p:keyStorePath="${secure.device.certificate.file}"
              p:entryAlias="${secure.device.alias}"
              p:keyStorePass="${secure.device.private.key.password}"
              p:publiclyTrusted="false"
              p:issuerParams-ref="legacyRoot"
        />

        <alias alias="legacyDigitalSigner" name="legacyIOsDevicesCa" />

        <bean id="legacySslCert" class="com.sparus.nps.pki.def.KeyStoreParams"
              p:keyStoreType="${ios.mdm.pki.ssl.keystoretype}"
              p:keyStorePath="${ios.mdm.pki.ssl.certificatefile}"
              p:entryAlias=""
              p:keyStorePass="${ios.mdm.pki.ssl.privatekey.password}"
              p:publiclyTrusted="false"
        />

        <bean id="OT_Root_cert" class="com.sparus.nps.pki.def.PublicCertFileParams"
              p:certificateFilePath="C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\otroot.cer"
              p:publiclyTrusted="false"
        />

        <bean id="OT_CA_cert" class="com.sparus.nps.pki.def.PublicCertFileParams"
              p:certificateFilePath="C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\otinter.cer"
              p:publiclyTrusted="false"
              p:issuerParams-ref="OT_Root_cert"
        />

        <bean id="OT_RA_cert" class="com.sparus.nps.pki.def.KeyStoreParams"
              p:keyStoreType="PKCS12"
              p:keyStorePath="C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\otadmin.p12"
              p:entryAlias=""
              p:keyStorePass="opentrust"
              p:issuerParams-ref="OT_CA_cert"
        />

        <bean class="com.sparus.nps.pki.spi.impl.GpkiCa" id="OT_CA">
            <property name="caCertificate">
                <description>
                    This CA's certificate.

                    WARNING! In order for tomcat to accept clients presenting identities
                    issued by this CA, tomcat's truststore has to be modified accordingly
                     (e.g. installing in it the certificate referred to here).
                </description>
                <bean factory-bean="certFactory" factory-method="buildPublic">
                    <constructor-arg ref="OT_CA_cert" />
                </bean>
            </property>
            <property name="entityName" value="OTAdapter">
                <description>
                    This is the GPKI entity name as defined in the console.
                </description>
            </property>
            <property name="requestProperties">
                <description>
                    If the adapter defines user parameters (i.e., non-injected parameters),
                    then they can be defined here. EMC adapter currently does not define
                    any parameters.
                </description>
                <bean class="com.sparus.nps.pki.gpki.util.SimpleRequestProperties">
                    <constructor-arg index="0" type="java.util.Map">
                        <map key-type="java.lang.String" value-type="java.lang.String">
                            <!--<entry key="[PARAMETER NAME]" value="[PARAMETER VALUE]" />-->
                        </map>
                    </constructor-arg>
                </bean>
            </property>
            <property name="raEncryptionCert">
                <description>
                    RA encryption cert. MUST be issued by the certificate referred to
                    in property caCertificate, i.e. the CA certificate, i.e. the certificate
                    that will sign device identities.

                    This cert MUST have keyUsage: keyEncipherment.

                    RA encryption cert may be the same one as RA signing cert.
                </description>
                <bean factory-bean="certFactory" factory-method="buildPrivate">
                    <constructor-arg ref="OT_RA_cert" />
                </bean>
            </property>
            <property name="raSigningCert">
                <description>
                    RA signing cert. MUST be issued by the certificate referred to
                    in property caCertificate, i.e. the CA certificate, i.e. the certificate
                    that will sign device identities.

                    This cert MUST have keyUsage: digitalSignature.

                    RA signing cert may be the same one as RA encryption cert.
                </description>
                <bean factory-bean="certFactory" factory-method="buildPrivate">
                    <constructor-arg ref="OT_RA_cert" />
                </bean>
            </property>
            <property name="csrTemplate">
                <bean class="com.sparus.nps.pki.spi.impl.CsrMacroTemplate">
                    <description>
                        Template for the CSR.

                        WARNING! Macros have to be specified using '%{...}', instead
                        of '${...}', in XML files.
                    </description>
                    <property name="dnFields">
                        <list>
                            <description>
                                The following are samples. Remove or add others as you like.
                            </description>
                            <bean class="com.sparus.nps.pki.def.DNFieldBean" p:oid="CN" p:value="%{user.loginname}" />
                            <bean class="com.sparus.nps.pki.def.DNFieldBean" p:oid="OU" p:value="aeotn" />
                            <bean class="com.sparus.nps.pki.def.DNFieldBean" p:oid="O" p:value="noise" />
                            <bean class="com.sparus.nps.pki.def.DNFieldBean" p:oid="C" p:value="DE" />
                        </list>
                    </property>
                    <property name="altnames">
                        <list>
                            <description>
                                The following are samples. Remove or add others as you like.
                            </description>
                            <bean class="com.sparus.nps.pki.def.AltNameBean" p:sanType="rfc822Name" p:value="%{user.mail}" />
                            <bean class="com.sparus.nps.pki.def.AltNameBean" p:sanType="userPrincipalName" p:value="%{user.username}@home.net" />
                        </list>
                    </property>
                </bean>
            </property>
        </bean>

        <!--
            The new PkiSpi infrastructure is designed to support all the PKI
            capabilities we can reasonably be expected to need in the average term.
            However, the rest (installer / business process) isn't up to par
            yet; as such, we're retrofitting this infrastructure to work with
            our current setup. That's the meaning behind the word "legacy"
            in this context.
        -->

        <bean id="certFactory" class="com.sparus.nps.pki.def.ZdmCertificateFactory">
            <description>
                The ZdmCertificateFactory builds public key certificate objects
                from either PublicCertFileParams, PrivateCertFileParams or
                KeyStoreParams; and private key certificate objects (public
                key + private) from PrivateCertFileParams and KeyStoreParams.

                Factory method for the former is: buildPublic; for the latter: buildPrivate.
            </description>
        </bean>

        <bean id="serialNumberGen" class="com.sparus.nps.pki.gen.CertificateSerialNumberSequenceImpl" />

        <bean id="com.everywan.security.PkiSpi.internal" class="com.sparus.nps.pki.spi.impl.PluggablePki" lazy-init="true">
            <property name="digitalSignatureRoot">
                <bean factory-bean="certFactory" factory-method="buildPublic">
                    <constructor-arg ref="legacyRoot" />
                </bean>
            </property>
            <property name="sslRoot"><null /></property> <!-- We don't have the config for this... -->

            <property name="digitalSigningCertificate">
                <bean factory-bean="certFactory" factory-method="buildPrivate">
                    <constructor-arg ref="legacyDigitalSigner" />
                </bean>
            </property>
            <property name="sslCertificate">
                <bean factory-bean="certFactory" factory-method="buildPrivate">
                    <constructor-arg ref="legacySslCert" />
                </bean>
            </property>

            <property name="shtpCa" ref="OT_CA" />

            <property name="iosMdmCa" ref="OT_CA" />
        </bean>

        <bean id="com.everywan.security.PkiSpi" factory-bean="com.everywan.security.PkiSpi.factory" factory-method="getBean" />

        <bean id="com.everywan.security.PkiSpi.factory" class="com.sparus.nps.pki.def.PkiSpiFacade">
            <property name="enabled" value="${zdm.pki.enable}" />
            <property name="enabledBeanId"><idref local="com.everywan.security.PkiSpi.internal" /></property>
        </bean>
    </beans>

To add certificates to the Device Manager keystore

You now need to add the intermediate and root CA certificates to the Device Manager keystore.

  1. Use the Java keytool command (adapt the paths, alias and store password to your environment):
    "C:\Program Files\Java\jdk1.6.0_23\jre\bin\keytool" -importcert -trustcacerts -alias "externalCA" -file "C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\mycert.cer" -keystore "C:\Program Files\Zenprise\Zenprise Device Manager\tomcat\conf\cacerts.pem.jks" -storepass notMeaningFul
  2. Restart the Device Manager service to activate the new PKI usage.

To activate logging on Device Manager for the adapter

Logs from the adapter can be found in the tomcat/logs directory of the adapter.
  1. Add a new logger in the log4j configuration to ensure proper error handling and auditing. In Internet Explorer, navigate to the following URL based on your installation: http://<host>/<instance>/log.jsp
  2. Navigate to the bottom of the table and, in Add New Logger, add an entry for the com.sparus.nps.pki logger.
  3. Set the logging level to TRACE.