KB410043: How to configure the MicroStrategy Certificate Server for client certificate authentication for MicroStrategy Mobile 9.x


Community Admin

• Strategy



INTRODUCTION
Starting in Strategy Mobile 9.2.1, administrators can configure the Strategy Certificate Server to set up client certificate authentication for mobile devices accessing the Strategy Mobile server. This feature provides an additional layer of security by allowing administrators to remotely revoke access for specific mobile devices. In order to deploy the Strategy Certificate Server, administrators should be familiar with the client certificate authentication workflow in general.
This technote provides a high level description of how Strategy Certificate Server should be deployed and configured. Information can also be found in the Strategy Mobile Design and Administration Guide product manual under the section Client authentication with a Certificate Server.
 
DEPLOYMENT
Deploy the Strategy Certificate Server application on a supported application server.
For ASP environments, the default location of the Certificate Server application is C:\Program Files (x86)\Strategy\Mobile Server ASPx\CertificateServer. Create a new Application in Microsoft IIS pointing to this directory (do not move the CertificateServer folder outside of the Mobile Server ASPx folder).
For JSP environments, the default location of the Certificate Server application is C:\Program Files (x86)\Strategy\Mobile Server JSP. Deploy the CertificateServer.war file on a supported JSP application server.
After deploying the application, administrators should work with their network administrators to enable SSL on both the Certificate Server application and the Strategy Mobile server application. In addition, administrators should make sure that client certificate authentication is enabled on the Mobile server application.
 
CONFIGURATION
The purpose of the Certificate Server is to issue client certificates to mobile devices attempting to connect to the Strategy Mobile Server. In this way, administrators can revoke access from specific mobile devices by revoking their respective client certificates. In order to serve client certificates to mobile devices, the Certificate Server must possess a signing certificate. This certificate will be used to sign the client certificates that it issues, making them valid for use. 
 
Obtaining a signing certificate
Obtain a signing certificate (this can be the same certificate used for SSL on the application server). The signing certificate should be stored in a Java keystore (.jks) or as a certificate encoded in DER (.der). The keystore or DER-encoded certificate can be stored anywhere within the Certificate Server application. Its location is referenced by the JKSLocation or DERCertificateLocation parameter in certificateServerConfig.xml, but by default the location is CertificateServer/WEB-INF.
Configuring certificateServerConfig.xml
The certificateServerConfig.xml file is used by the Certificate Server to connect to the Strategy Intelligence Server, access the signing certificate, and use the client revocation list (optional). The fields in the file contain descriptions next to them in order to help administrators understand each property.
The following parameters enable the Certificate Server to connect to the Strategy Intelligence Server in order to generate certificates for particular users and must be specified:

<pr n="IntelligenceServer" v="ISERVER_NAME" desc="The Intelligence Server to use for authentication when creating a certificate" />
<pr n="IntelligenceServerPort" v="0" desc="Intelligence Server port - 0 means use the default port" />
<pr n="ProjectName" v="PROJECT_NAME" desc="The project to use for authentication" />
<pr n="AuthMode" v="1" desc="The Intelligence Server authentication mode" />

 
The next parameter configures where the Certificate Server writes its list of issued certificates and registered users. By default, the Certificate Server writes to certificateData.xml stored under /WEB-INF:
<pr n="CatalogLocation" v="/WEB-INF/xml/certificateData.xml" desc="The location to store lists of certificates and users registered" />
 
The next parameter specifies whether the signing certificate is stored in a Java keystore (.jks) or is stored as a DER-encoded certificate and private key pair and must be specified:
<pr n="SigningCertificateType" v="jks" desc="The certificate format, either jks or der" />
 
If the signing certificate is stored in a Java keystore as type jks, then the next three parameters must be specified:

<pr n="JKSLocation" v="WEB-INF/myKeystore.jks" desc="The JKS containing the signing certificate" />
<pr n="JKSAlias" v="myCertificate" desc="The alias of the signing certificate in the key store" />
<pr n="JKSPassword" v="password" desc="The password of the JKS keystore" />

 
If the signing certificate is stored as a DER-encoded certificate and private key pair, then the next two parameters must be specified:

<pr n="DERCertificateLocation" v="WEB-INF/pub.der" desc="The certificate to use for signing, in DER format" />
<pr n="DERPrivateKey" v="WEB-INF/prv.der" desc="The private key of the signing certificate, in DER format" />

 
The next parameters must correspond to the information stored in the signing certificate:

<pr n="X509Country" v="US" desc="The country to use in the certificate's DN" />
<pr n="X509Organization" v="MSTR" desc="The organization to use in the certificate's DN" />
<pr n="X509Location" v="vienna" desc="The location to use in the certificate's DN" />

 
The next parameter specifies how long issued certificates should be valid for:
<pr n="CertificateExpirationInDays" v="360" />
 
The next parameters are only necessary if the client revocation feature is used. If the CRLFile doesn't exist in the specified location, an empty one should be created manually, then activated by using the Certificate Server URL API listed below:

<pr n="CRLFile" v="cert-srv.crl" desc="Name of the CRL file - it will be created at the top level of the application path" />
<pr n="CDPLocation" v="http://machinename:port/cert/cert-srv.crl" desc="CRL Distribution Point URL is required by some application servers (e.g. IIS). If empty, no CDP will added to new certificates. We also recognize the %HOST% macro (case sensitive), which will be replaced by the Certificate Server's fully qualified host name, e.g. http://%HOST%:8080/CertificateServer/cert-srv.crl" />

 
URL API to activate the CRLFile:

  • ASP: https://fully_qualified_domain_name:port/CertificateServer/asp/CertificateAdmin.aspx?action=RevokeCertificate&serialNumber=(dummy_number_here)
  • JSP: https://fully_qualified_domain_name:port/servlet/certificateAdmin?action=RevokeCertificate&serialNumber=(dummy_number_here)
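The configuration section above lists which parameters must be set, which depend on SigningCertificateType, and how CRLFile and CDPLocation fit together. The following script, added here as an example and not code from the article or the product, lints a certificateServerConfig.xml against those rules before the server is put into service. It assumes the file is a single root element (called <config> here, an assumption: the article does not show the root element) holding the <pr n="..." v="..." desc="..."/> entries exactly as listed above; both sample files are constructed.

```python
"""Lint a certificateServerConfig.xml before the Certificate Server goes live.

Added example; not the article's or the product's own code. Assumes a root
element (<config>, an assumption) containing <pr n="..." v="..." desc="..."/>
entries as listed in the article.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Parameters the article says must always be specified.
ALWAYS_REQUIRED = ("IntelligenceServer", "IntelligenceServerPort",
                   "ProjectName", "AuthMode", "SigningCertificateType")
# Values the shipped template leaves in place and that must be replaced.
PLACEHOLDERS = {"IntelligenceServer": "ISERVER_NAME",
                "ProjectName": "PROJECT_NAME",
                "JKSPassword": "password"}
# Additional parameters required for each SigningCertificateType.
REQUIRED_BY_TYPE = {"jks": ("JKSLocation", "JKSAlias", "JKSPassword"),
                    "der": ("DERCertificateLocation", "DERPrivateKey")}


def load_params(xml_text):
    """Return {name: value} for every <pr n=... v=.../> in the document."""
    root = ET.fromstring(xml_text)
    return {pr.get("n"): pr.get("v", "") for pr in root.iter("pr") if pr.get("n")}


def lint(params):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for name in ALWAYS_REQUIRED:
        if not params.get(name):
            findings.append(f"{name}: required parameter missing or empty")
    for name, placeholder in PLACEHOLDERS.items():
        if params.get(name) == placeholder:
            findings.append(f"{name}: still set to template placeholder '{placeholder}'")
    for name in ("IntelligenceServerPort", "AuthMode", "CertificateExpirationInDays"):
        value = params.get(name)
        if value is not None and not value.isdigit():
            findings.append(f"{name}: expected a non-negative integer, got '{value}'")
    if params.get("CertificateExpirationInDays") == "0":
        findings.append("CertificateExpirationInDays: must be greater than 0")

    cert_type = params.get("SigningCertificateType", "").lower()
    if cert_type in REQUIRED_BY_TYPE:
        for name in REQUIRED_BY_TYPE[cert_type]:
            if not params.get(name):
                findings.append(f"{name}: required when SigningCertificateType is '{cert_type}'")
    elif cert_type:
        findings.append(f"SigningCertificateType: must be 'jks' or 'der', got '{cert_type}'")

    # CRL publication: the CDP embedded in issued certificates must point at the CRL file.
    crl_file = params.get("CRLFile", "")
    cdp = params.get("CDPLocation", "")
    if cdp:
        if "machinename:port" in cdp:
            findings.append("CDPLocation: still contains the template host 'machinename:port'")
        # %HOST% is expanded by the server; substitute a dummy host so the URL parses.
        parsed = urlparse(cdp.replace("%HOST%", "host.example"))
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"CDPLocation: not an absolute http(s) URL: '{cdp}'")
        elif crl_file and not parsed.path.endswith("/" + crl_file):
            findings.append("CDPLocation: URL does not end with the CRLFile name")
    elif crl_file:
        findings.append("CRLFile: set but CDPLocation is empty; certificates get no CDP "
                        "(IIS needs one to locate the CRL)")
    return findings


# Constructed sample: the template values from the article, left unchanged.
TEMPLATE_CONFIG = """<config>
<pr n="IntelligenceServer" v="ISERVER_NAME" desc="Intelligence Server for authentication" />
<pr n="IntelligenceServerPort" v="0" desc="0 means use the default port" />
<pr n="ProjectName" v="PROJECT_NAME" desc="The project to use for authentication" />
<pr n="AuthMode" v="1" desc="The Intelligence Server authentication mode" />
<pr n="SigningCertificateType" v="jks" desc="jks or der" />
<pr n="JKSLocation" v="WEB-INF/myKeystore.jks" desc="The JKS containing the signing certificate" />
<pr n="JKSAlias" v="myCertificate" desc="Alias of the signing certificate" />
<pr n="JKSPassword" v="password" desc="The password of the JKS keystore" />
<pr n="CertificateExpirationInDays" v="360" />
<pr n="CRLFile" v="cert-srv.crl" desc="Name of the CRL file" />
<pr n="CDPLocation" v="http://machinename:port/cert/cert-srv.crl" desc="CRL Distribution Point URL" />
</config>"""

# Constructed sample: the same file after an administrator filled it in (DER keys).
FILLED_CONFIG = """<config>
<pr n="IntelligenceServer" v="iserver01.corp.example" />
<pr n="IntelligenceServerPort" v="34952" />
<pr n="ProjectName" v="Finance" />
<pr n="AuthMode" v="1" />
<pr n="SigningCertificateType" v="der" />
<pr n="DERCertificateLocation" v="WEB-INF/pub.der" />
<pr n="DERPrivateKey" v="WEB-INF/prv.der" />
<pr n="CertificateExpirationInDays" v="360" />
<pr n="CRLFile" v="cert-srv.crl" />
<pr n="CDPLocation" v="http://%HOST%:8080/CertificateServer/cert-srv.crl" />
</config>"""

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE_CONFIG), ("filled", FILLED_CONFIG)):
        print(label, lint(load_params(text)) or "OK")
```

Run it against the real file with `lint(load_params(open(path).read()))`; the template as shipped yields four findings and the filled-in sample passes clean.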

 
Testing the Certificate Server
The Certificate Server functionality is accessed via URL API. To test if the Certificate Server is able to generate client certificates successfully, use the following URL from a web browser, replacing the parameters with correct values:

  • ASP: http://fully_qualified_domain_name:port/CertificateServer/asp/certificate.aspx?action=GetCertificate&loginParams=<auth><device_id>mobile_device_id</device_id><pkcs12_password>keystore_password</pkcs12_password><field n="pwd" v="MSTR_password"/><field n="login" v="MSTR_login"/></auth>
  • JSP: http://fully_qualified_domain_name:port/CertificateServer/servlet/certificate?action=GetCertificate&loginParams=<auth><device_id>mobile_device_id</device_id><pkcs12_password>keystore_password</pkcs12_password><field n="pwd" v="MSTR_password"/><field n="login" v="MSTR_login"/></auth>

 
List of parameters:

  • mobile_device_id: dynamically generated depending on the mobile device which initiated the request. For testing purposes, use any fake alphanumeric string.
  • keystore_password: the password used to create the keystore
  • MSTR_login: the username the Certificate Server sends to the Intelligence Server to check if the user making the request for a client certificate is a valid Strategy user
  • MSTR_password: the password the Certificate Server sends to the Intelligence Server in order to authenticate the MSTR_login user

A successful test will initiate downloading a client certificate onto the web browser machine. If the test fails, check the page source (right-mouse click on the page > View Source) and review the embedded error message.
 
FINAL STEPS
If after testing the Certificate Server (see above) administrators find that the Certificate Server is able to successfully generate and serve client certificates, configure a Strategy Mobile configuration to use the Certificate Server by following the steps below:

  • Create a Mobile configuration that references the Certificate Server URL. Check the "Use certificate server" setting, and in the text field, specify the URL of the Certificate Server, as shown in the example below:
    (Image: Certificate server option)

    For ASP, the URL will take the form https://fully_qualified_domain_name:port/CertificateServer/asp/certificate.aspx

    For JSP, the URL will take the form https://fully_qualified_domain_name:port/CertificateServer/servlet/certificate
     
  • Generate a config link through the Mobile Admin page and apply this configuration to end user mobile devices. Once the config link is triggered, the end user will be prompted to log in with their Strategy user account to begin downloading a certificate from the Certificate Server. The authentication mode for this login is specified by the AuthMode parameter in the certificateServerConfig.xml file.

 
FURTHER READING

  • KB39915: A blank page appears when trying to generate the client certificate using a browser from Strategy Mobile Certificate Server 9.2.x
  • KB38769: Strategy Certificate Server GetCertificatList call returns an empty page on the browser for Strategy Mobile Server 9.2.1m running on Microsoft IIS Server
  • KB38501: Does Strategy Mobile 9.2.1 work with Windows Server Certificate Services

Details
Knowledge Article
Published: April 4, 2017
Last Updated: February 1, 2019