Certificate Enrollment for the Atlas Platform


Certificate Distribution Challenges

Digital certificates can provide a secure second factor for authenticating connections from MAP-wrapped enterprise apps, provided they are enrolled and stored securely. Unfortunately, the existing mobile management options for distributing digital certificates to end users are cumbersome and insecure:

01 Manual distribution of PKCS#12 files transmits the private key over the network and requires end users to type complex passphrases on mobile devices.

02 Mobile Device Management (MDM) solutions are expensive and can only install system certificates that cannot be used by apps.

03 Using the Simple Certificate Enrollment Protocol (SCEP) directly from a mobile device risks exposing critical enterprise Certificate Authority (CA) servers at the corporate edge.

Simplified Distribution Using Atlas

The Atlas Platform makes certificate distribution transparent, seamless and secure by introducing a one-time enrollment for each administrator-defined group of apps on a device. When an Atlas-enabled enterprise app initiates a connection, the Atlas Platform detects that the app has not yet been enrolled with a certificate and begins onboarding it. Using dynamic prompts that Atlas supplies to the app, the user is guided through the process in two simple steps.

2 Simple Steps

01 First, the user is prompted for their standard enterprise login credentials, which are checked against the corporate identity management infrastructure. Once those are validated, the user's identity is verified out of band by entering a PIN that is sent to their corporate email account.

02 Once the user is fully verified, the Atlas Platform selects the appropriate certificate template and instructs the app to generate the key pair and a certificate signing request, which the app sends to Atlas. Atlas interacts with the corporate certification authority (CA) to obtain the resulting certificate and returns it to the enrolling app.

All transactions between the client and the gateway are protected with the Internet Key Exchange (IKE) protocol, and the private key is never transmitted over the network. The issuing CA remains fully protected inside the corporate network. Finally, the Atlas-enabled app encrypts the certificate and key material, locking them to the app or group of apps so that they cannot be read or removed by anything outside that group. All subsequent connections from the app, or from other apps federated with it, automatically use the issued certificate when authenticating to the gateway. To the end user this enhanced security is completely transparent: there are no settings to change and no confusing terminology is presented.

Architecture Overview

Atlas is designed to integrate into existing corporate infrastructure. For certificate enrollment, Atlas interoperates with the following enterprise servers:

- Active Directory
- Corporate email
- Certificate Authority / SCEP or EST server (Entrust, Microsoft Network Device Enrollment Services, Symantec Cloud)

Active Directory is used by Atlas for user authentication and email lookups. Atlas is tested with Active Directory on Windows Server 2003 R2, Windows Server 2008 and Windows Server 2012.

An existing email server is used to send an enrollment invitation email containing a 4-digit PIN to the email address associated with the user's Active Directory account. Any mail server that supports the Simple Mail Transfer Protocol (SMTP) can be used.

The Atlas Platform communicates with the Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST) server to obtain a certificate on behalf of the end user. SCEP and EST are used only between Atlas and the enrollment server; the mobile app and device take no part in the SCEP / EST transactions and never have direct access to internal resources during the process. The initial release of Atlas supports Microsoft Network Device Enrollment Services (NDES) with the Microsoft Certification Authority, and Entrust Authority Enrollment Server for VPN version 7.0.165547 with Entrust Security Manager version 8.1.

The end-to-end architecture is designed to reduce the exposure of internal servers and to limit changes to the existing network infrastructure. All communications from Atlas-enabled apps are terminated by Atlas and secured with IKE; no internal servers are exposed on the perimeter of the corporate network. Certificate Signing Requests (CSRs) received from apps are validated on the Atlas Platform for compliance with the configured acceptable parameters before being forwarded to the Certificate Authority (CA) through the SCEP / EST server.

FIGURE 1: Network diagram of the certificate enrollment solution. The diagram shows the following flows:

Blue Cedar Secure Browser (MAP-wrapped) -> Internet -> Atlas: IKE (udp/4500)
Atlas -> Active Directory: tcp/389, tcp/445
Atlas -> Entrust SCEP server -> Certificate Authority (CA): SCEP over tcp/80
Atlas -> mail server: SMTP (tcp/25) -> Email

Note that tcp/389 is plain LDAP. If Atlas validates the user's password with a simple bind, that password crosses the Atlas-to-AD hop in the clear unless LDAP signing and sealing, or LDAPS (tcp/636), is used.

Technical Details

Between the app and Atlas, an IKE-protected channel carries the Blue Cedar proprietary policy protocol, called PERP. IKE is used for its flexibility: it allows extensions and enhancements while staying within the authentication frameworks defined in the IKE standard. PERP lets Atlas observe and control the app's run state, authentication state and security posture. Together, PERP and IKE form the secure management channel used to control the enrollment flow; after enrollment, PERP is used to control and track the app's behavior.

Before enrollment, the app's connection to the Atlas Platform is authenticated using hybrid RSA for IKE phase 1, in which only Atlas is authenticated (by RSA signature) to the app, since the app has no certificate yet. Once the phase-1 channel is established, PERP is used to prompt for and exchange the user's credentials: first the AD username and password, then the enrollment PIN. Communication over this channel continues until the app has received and securely stored the user certificate.

The certificate request itself starts with the key pair being created on the device; by default an RSA 2048-bit key pair is used. The app generates a certificate signing request (PKCS#10) and passes it through the IKE-secured channel to Atlas. At this point Atlas has identified the user with multiple factors. It has also collected information about the app, the app version, the device, its operating system, its jailbreak/root posture and a host of other attributes; this information is collected every time the app is used. The Atlas Platform checks the request format and begins its interaction with the CA to retrieve the certificate.

The interaction between the Atlas Platform and the SCEP server (Microsoft NDES or Entrust Authority) is transported over HTTP. SCEP does not depend on transport security: its PKIOperation payloads are PKCS#7 signed and enveloped data, which provide integrity, authenticate the sender, and encrypt the request so that only the CA can read it. All of this communication is network-isolated from the mobile device until the SCEP session completes, at which point Atlas sends the resulting certificate response to the app.

After enrollment completes, the entire communication channel is restarted and the user certificate is used to establish mutual authentication between the app and the Atlas Platform. The username and password are then provided to Atlas to complete two-factor authentication and IKE phase 2, allowing the app to obtain a VPN IP address. From this point on all of the app's communication is tunneled through the Atlas Platform and gains the network benefits of a VPN. The enrolled app is permitted to pass network traffic through Atlas only to the configured resources that the app requires. The VPN-tunneled nature of the resulting communication simplifies both the app and the controls needed on internal services.
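The CSR validation that the Architecture Overview says the gateway performs before forwarding a request to the CA, together with the device-side key generation and the PEM ({Base64{DER{x509}}}) response described here, as an added worked example in Go. This is not Blue Cedar's code, and the paper does not describe how Atlas implements its checks. The policy type (EnrollmentPolicy, MinRSABits) is a guess at what the "configured acceptable parameters" might cover, the NDES / Entrust SCEP hop is replaced by a throwaway local CA (NewTestCA) so the whole path runs offline, and DeviceCSR, ValidateCSR and Enroll are names chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// EnrollmentPolicy holds the "acceptable parameters" the gateway enforces on a CSR (assumed for this example).
type EnrollmentPolicy struct{ MinRSABits int }

// DeviceCSR is the app side: the key pair is generated on the device and only the DER-encoded
// PKCS#10 request leaves it; the private key is neither returned nor sent anywhere.
func DeviceCSR(user string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: user}}, key)
}

// ValidateCSR is the gateway side: parse the request, check proof of possession, and refuse
// anything that does not match policy or the identity already verified against AD and the PIN.
func ValidateCSR(der []byte, pol EnrollmentPolicy, authenticatedUser string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS#10: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < pol.MinRSABits {
		return nil, fmt.Errorf("key must be RSA of at least %d bits", pol.MinRSABits)
	}
	// The subject is never trusted from the request: it must name the verified user,
	// otherwise a wrapped app could enroll a certificate for someone else.
	if csr.Subject.CommonName != authenticatedUser {
		return nil, fmt.Errorf("subject %q does not match authenticated user %q", csr.Subject.CommonName, authenticatedUser)
	}
	if len(csr.DNSNames)+len(csr.EmailAddresses)+len(csr.IPAddresses)+len(csr.URIs) != 0 {
		return nil, fmt.Errorf("subject alternative names are not permitted") // no smuggled identities
	}
	return csr, nil
}

// NewTestCA builds a throwaway self-signed CA standing in for the corporate CA behind NDES /
// Entrust; the real gateway forwards the validated CSR over SCEP or EST instead of signing.
func NewTestCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Enroll is the gateway path for one request: validate, have the CA sign a client-auth certificate
// from a template the CA chooses (not copied from the CSR), and return the PEM sent back over PERP.
func Enroll(csrDER []byte, user string, pol EnrollmentPolicy, caCert *x509.Certificate, caKey *rsa.PrivateKey) (string, error) {
	csr, err := ValidateCSR(csrDER, pol, user)
	if err != nil {
		return "", err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})), nil
}

func main() {
	caCert, caKey, _ := NewTestCA()
	csr, _ := DeviceCSR("alice", 2048) // constructed sample request from the "device"
	cert, err := Enroll(csr, "alice", EnrollmentPolicy{MinRSABits: 2048}, caCert, caKey)
	fmt.Println(cert, err)
}
```

The two rejections a gateway in this position must make are the ones worth noting: a subject that does not match the user verified by AD and PIN (otherwise a wrapped app could enroll as another user), and a key below the policy minimum. Run it with go run; the PEM printed is what would travel back to the app over PERP.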
Sequence of the enrollment exchange between the mobile device and Atlas (all messages over udp/4500):

1 IKE Handshake (Hybrid RSA Phase 1)
2 Auth Request
3 Send PERP Auth
4 Request Enroll PIN
5 Send PIN from corporate email
6 Request Cert Enroll
7 Send PKCS#10 Cert Request w/ Challenge PW
8 PERP w/ PEM certificate {Base64{DER{x509}}}
9 IKE Handshake (Certificate Phase 1)
10 Auth Request
11 Send Resumed PERP
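The ordering that the sequence above enforces, combined with the two-step verification from the 2 Simple Steps section, as an added example in Go. It is not Blue Cedar's code: the states, the Session type, the 10-minute PIN lifetime and the three-attempt limit are assumptions made for the example (the paper says only that the PIN is 4 digits and e-mailed), and Active Directory and the SMTP server are replaced by a constructed map and a closure so that it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// State is where one app's enrollment stands on the PERP channel (assumed for the example, not Atlas internals).
type State int

const (
	StateHybridIKE State = iota // phase 1 up; only the gateway has been authenticated
	StateAwaitPIN               // AD credentials accepted; PIN e-mailed to the user
	StateAwaitCSR               // both factors verified; a PKCS#10 request may be submitted
	StateLocked                 // PIN expired or exhausted; the app must restart the IKE handshake
)

// A 4-digit PIN has only 10,000 values; the lifetime and attempt budget are what make it a usable factor.
const pinLifetime, pinMaxTries = 10 * time.Minute, 3

// Directory stands in for Active Directory: a constructed map of user to password and e-mail.
type Directory map[string]struct{ Password, Email string }

func (d Directory) Authenticate(user, password string) (email string, ok bool) {
	if rec, found := d[user]; found && subtle.ConstantTimeCompare([]byte(rec.Password), []byte(password)) == 1 {
		return rec.Email, true
	}
	return "", false
}

// Session is one app's enrollment state; the PIN is held only until it is consumed.
type Session struct {
	State      State
	pin        string
	pinExpires time.Time
	pinTries   int
}

// SubmitCredentials is message 3 of the sequence: AD username and password over PERP. On success
// the PIN (message 4) goes to the address AD holds for the user, never to one the app supplies.
func (s *Session) SubmitCredentials(dir Directory, send func(to, body string) error, user, password string) error {
	if s.State != StateHybridIKE {
		return errors.New("credentials not expected in this state")
	}
	email, ok := dir.Authenticate(user, password)
	if !ok {
		return errors.New("directory authentication failed")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(10000)) // uniform over 0000..9999
	if err != nil {
		return err
	}
	pin := fmt.Sprintf("%04d", n.Int64())
	if err := send(email, "Your Atlas enrollment PIN is "+pin); err != nil {
		return err
	}
	s.pin, s.pinExpires, s.pinTries, s.State = pin, time.Now().Add(pinLifetime), 0, StateAwaitPIN
	return nil
}

// SubmitPIN is message 5. The PIN is single-use, expires, and allows a fixed number of wrong
// guesses before the session must start over from the IKE handshake.
func (s *Session) SubmitPIN(pin string) error {
	if s.State != StateAwaitPIN {
		return errors.New("PIN not expected in this state")
	}
	if time.Now().After(s.pinExpires) {
		s.State, s.pin = StateLocked, ""
		return errors.New("PIN expired; restart enrollment")
	}
	s.pinTries++
	if subtle.ConstantTimeCompare([]byte(s.pin), []byte(pin)) != 1 {
		if s.pinTries >= pinMaxTries {
			s.State, s.pin = StateLocked, ""
			return errors.New("too many incorrect PINs; restart enrollment")
		}
		return errors.New("incorrect PIN")
	}
	s.pin, s.State = "", StateAwaitCSR
	return nil
}

// AcceptCSR is message 7. It is reachable only after both factors, so a request that arrives
// earlier, or after a lockout, is dropped before any CA interaction.
func (s *Session) AcceptCSR(csrDER []byte) error {
	if s.State != StateAwaitCSR || len(csrDER) == 0 {
		return errors.New("CSR rejected: user not fully verified or request empty")
	}
	return nil // hand off to CSR validation and the SCEP / EST hop here
}

func main() {
	var inbox []string // constructed stand-in for the corporate mailbox
	send := func(to, body string) error { inbox = append(inbox, to+": "+body); return nil }
	s := &Session{}
	fmt.Println(s.AcceptCSR([]byte{0x30})) // rejected: nothing verified yet
	fmt.Println(s.SubmitCredentials(Directory{"alice": {"secret", "alice@example.com"}}, send, "alice", "secret"))
	fmt.Println(s.SubmitPIN(inbox[0][len(inbox[0])-4:]), s.AcceptCSR([]byte{0x30})) // PIN read from the e-mail
}
```

The part worth taking from it is the failure handling the paper does not spell out: with only 10,000 possible PINs, an attacker holding stolen AD credentials could finish enrollment by guessing unless the PIN is single-use, expires, and has an attempt budget; and the CSR handler refuses anything that arrives before both factors, matching message 7 of the sequence.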

FIGURE 2: SCEP PKIOperation payload, showing signature / encryption of the enveloped data. The payload is structured as follows:

SCEP PKI Message
  Signer Info
    Authenticated Attributes
    Signature
  Content Info
    Enveloped Data
      Recipient Info

The outer signed data carries the SCEP attributes (transaction ID, message type, nonces) under the signature, so they cannot be altered in transit; the inner enveloped data encrypts the PKCS#10 request to the CA's (or RA's) certificate, so only the CA can read it.

Mobile certificate enrollment using the Atlas Platform is simple and secure. Users see just two screens to enroll a user certificate from the corporate certificate authority, and this happens only once in the lifetime of the corporate apps on their device. Because it is user initiated and leverages existing corporate infrastructure, such as AD and the corporate certificate authority, it is simple to administer, maintain and scale. The result is seamless multi-factor authentication for mobile apps accessing sensitive corporate information.

About Blue Cedar Networks

Blue Cedar Networks was founded on the principle that the app is the optimal control endpoint for the modern organization. The Atlas platform provides our customers with the most secure, scalable and user-friendly capabilities to safely and seamlessly connect and protect their enterprise apps across the extended enterprise: the user population, comprising employees and non-employees, that can drive or derive value from those apps and data. Blue Cedar Networks has over 150 customers spanning every major industry vertical, including some of the largest banking, wireless and telco, insurance, healthcare and government organizations in the world. Contact us today if you're interested in seeing a live demo of the certificate enrollment.