Date post: 01-Jul-2019
Upload: dinhquynh
Integration with Symantec MPKI
Certificate Integration with Cloud-Based Symantec Managed Public Key Infrastructure (MPKI) and AirWatch

Integration with Symantec MPKI | v.2014.09 | September 2014

© 2014 VMware, Inc. All rights reserved. This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC. All other marks and names mentioned herein may be trademarks or trade names of their respective companies.

Copyright © 2014 VMware, Inc. All rights reserved. Proprietary & Confidential.

Contents

Overview

Implementation Approach

Installation, Setup, and Configuration
    System Requirements
    Generating a Symantec Registration Authority Certificate
    Retrieving Certificate from Symantec Certificate Authority
    Setup Certificate Template for Symantec CA Type
    Deploying a Certificate Profile to a Device
        Configuring a PKI Credential Payload
        Configuring a SCEP Payload

Testing and Troubleshooting
    Verifying Ability to Perform Certificate Authentication without AirWatch
    Verifying Ability to Perform Certificate Authentication with AirWatch
        If SSL/TLS errors are received while creating a template
        If the Profile Name drop-down fails to populate while creating an AirWatch Certificate Template
        If the AirWatch Certificate Profile fails to install on the device
        If the Certificate is not Populated in the ‘View XML’ option of the profile

Appendix A: Creating a Certificate Signing Request from a Windows Server & Mac
    Create a Certificate Signing Request from a Windows Server
    Create a Certificate Signing Request from a Mac

Appendix B: Completing a CSR and Exporting a Certificate from a Windows Server or Mac
    Completing the CSR and Exporting the Certificate from a Windows Server
        Instructions for Generating a New RA Certificate using OpenSSL
        IIS Method
    Completing the CSR and Exporting the Symantec RA Certificate from a Mac

Appendix C: Simple Certificate Enrollment Protocol (SCEP)

Appendix D: Lookup Values

Appendix E: Viewing Symantec Profiles and Attributes with PKI Manager
    Managing Certificate Profiles
    How to View the SCEP URL
    Configuring a Symantec Profile and Important Details


Overview

AirWatch supports flexible PKI integration: it can request certificates from either internal or external certificate authorities (CAs). This document explains how to integrate with Symantec MPKI services to issue certificates for your AirWatch MDM solution.

Implementation Approach

For AirWatch to communicate with Symantec as a Registration Authority (RA), you must first establish an account with Symantec. After your Symantec account is active, you can generate an RA certificate and store it on the RA server. AirWatch can then be configured to use the certificate to communicate with the Symantec MPKI CA. Once communication is successfully established, you can define which certificate AirWatch will deploy to the device.

Installation, Setup, and Configuration

System Requirements

• A Symantec MPKI account

• AirWatch version 7.0+

• When using the PKI protocol, verify that each Symantec certificate profile has 3rd party application selected within Authentication method, under Primary certificate options. This gives AirWatch the ability to deploy certificate profiles through APIs. For more information, see Appendix E: Viewing Symantec Profiles and Attributes with PKI Manager.

• When using the SCEP protocol, verify that each Symantec certificate profile has Enrollment Code selected within Authentication method, under Primary certificate options. This gives the SCEP server the ability to deploy certificate profiles through APIs. For more information, see Appendix E: Viewing Symantec Profiles and Attributes with PKI Manager.

Generating a Symantec Registration Authority Certificate

First, request Symantec to generate a Registration Authority (RA) certificate. After Symantec creates the certificate, it is stored on the server, which can be any server you choose. The following are the steps to generate an RA certificate:

Note: This section assumes your local machine is running the Windows operating system. If your local machine is using a different operating system, follow the procedures necessary to generate a private key and CSR using that operating system.

1. Generate a Certificate Signing Request (CSR) from a local machine. Detailed instructions on how to generate a CSR from a Windows or Mac machine can be found in Appendix A: Creating a Certificate Signing Request from a Windows Server & Mac.

2. Save the file on the local machine or in an accessible network location.

3. Navigate to the Symantec PKI Manager portal.

4. Click the Settings icon.

5. Click Get an RA Certificate.


6. Copy and paste the CSR you generated in the previous step into the Paste your CSR field.

7. Click Continue to generate the .CSR file.

8. Complete the CSR on the local machine you used to generate the CSR and export the certificate as a .PFX file for later use. Detailed instructions on how to complete a CSR and export a certificate from both a Windows and Mac workstation can be found in Appendix B: Completing a CSR and Exporting a Certificate from a Windows Server or Mac.


Retrieving Certificate from Symantec Certificate Authority

Now that you have generated a Symantec MPKI RA certificate, AirWatch can be configured to communicate with Symantec.

1. Navigate to Devices ► Certificates ► Certificate Authorities.

2. Click Add.

3. Select Symantec MPKI from the Authority Type drop-down menu.

4. Enter a unique name and description that identifies the Symantec certificate authority in the Certificate Authority and Description fields.

5. Enter https://pki-ws.symauth.com/pki-ws in the Server URL field if it is not populated by default. This allows AirWatch to have sufficient access to request and issue certificates. To find out how to view the Symantec Server URL, see How to View the SCEP URL.

Note: The URL is the same for all customers.

6. Select either the PKI or SCEP radio button to specify the Certificate Authority Protocol. If you select SCEP, enter the URL for the SCEP End Point in the data entry field that appears. This allows your SCEP server to have sufficient access to request and issue certificates. To find out how to view the Symantec Server SCEP URL, see How to View the SCEP URL.

7. Click Upload and select the RA’s certificate (PFX file) that you exported from the local machine in order to communicate with Symantec.

8. Enter the password Symantec provided previously in the Certificate Password field.

Note: The password you need in this step was created when you completed the CSR and exported the certificate. See Appendix B: Completing a CSR and Exporting a Certificate from a Windows Server or Mac.

9. Click Save.

10. Click Test Connection when complete to verify the test is successful. An error message appears indicating the problem if the connection fails.

11. Click Save.


Setup Certificate Template for Symantec CA Type

Now that you have completed Step 2: Retrieving Certificate from Symantec Certificate Authority, AirWatch is able to communicate with Symantec. The next step is to define which certificate will be deployed to devices by setting up a certificate template in AirWatch. Use the following steps whether you are setting up a template for PKI or SCEP.

1. Navigate to Devices ► Certificates ► Certificate Authorities.

2. Select the Request Templates tab.

3. Click Add.

4. Select the Symantec Certificate Authority you created in Step 2: Retrieving Certificate from Symantec Certificate Authority from the Certificate Authority drop-down menu.

5. Enter the name for the Symantec Request Template.

6. Enter a Description to help you identify the Symantec certificate template.

7. Select the Symantec profile you created previously from the Profile Name drop-down menu. For more information, see Managing Certificate Profiles.

8. Select the Automatic Certificate Renewal checkbox if AirWatch is going to automatically request the certificate to be renewed by Symantec when it expires. If you select this option, enter the number of days prior to expiration before AirWatch automatically requests Symantec to reissue the certificate in the Auto Renewal Period (days) field. This requires the certificate profile on Symantec to have Duplicate Certificates enabled.

9. Select the Enable Certificate Revocation checkbox if AirWatch should automatically remove the certificate if the device is unenrolled, if the applicable profile is removed, or if the device is deleted from AirWatch. When you delete a profile or a device, the SCEP certificate is removed from the device, but it is not automatically revoked from the CA.

10. For Key Type, configuration occurs in the Symantec PKI Manager. This indicates whether the public-private key pair is generated by AirWatch or by Symantec. AirWatch loads this setting from Symantec based on the selected OID and uses this value to determine the type of certificate request to send. Absolutely no configuration in AirWatch is needed by the customer.

11. Enter Lookup Values in each of the Mandatory Fields that complement those fields in the Symantec profile. These fields can change depending on which Symantec profile you choose since the information within the Symantec profile may be different. For a list of Lookup Values, see Appendix D: Lookup Values.

Note: The lookup values you enter in the AirWatch Certificate Template Mandatory Fields above are used as attributes for certificate generation. The seat_id is the unique user identifier. Make sure the lookup value for seat_id matches the seat_id configuration in your Symantec Portal. For example, if your seat_id in the Symantec Portal is the email address, then use the {EmailAddress} lookup value for seat_id in the AirWatch certificate template. If the seat_id lookup value does not match, Symantec will create a new user. To view Symantec profiles and understand how to match lookup values with AirWatch, see Appendix E: Viewing Symantec Profiles and Attributes with PKI Manager. For a list of Lookup Values, see Appendix D: Lookup Values.

12. Click Save.


Deploying a Certificate Profile to a Device

Now that the Symantec Certificate Authority and Certificate Template settings have been properly configured in AirWatch, the final step is to configure AirWatch profiles (payloads) for either PKI or SCEP. If you chose PKI in Step 2: Retrieving Certificate from Symantec Certificate Authority, you only need to configure a Credentials profile; if you chose SCEP, you only need to configure a SCEP profile. Once either of these profiles is created, you can create additional payloads that the Symantec certificate can use, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi services.

Configuring a PKI Credential Payload

1. Navigate to Devices ► Profiles ► List View.

2. Click Add.

3. Select the applicable platform for the device type.

4. Specify all General profile parameters for organization group, deployment type, etc.

5. Select Credentials from the payload options.

6. Click Configure.

7. Select Defined Certificate Authority from the Credential Source drop-down menu.

8. Select the external Symantec CA you created previously in Step 2: Retrieving Certificate from Symantec Certificate Authority from the Certificate Authority drop-down menu.

9. Select the Certificate Template for Symantec you created previously in Step 3: Setup Certificate Template for Symantec CA Type from the Certificate Template drop-down menu.

At this point, Saving and Publishing the profile would deploy a certificate to the device. However, if you plan on using the certificate on the device for Wi-Fi, VPN, or email purposes, then you should also configure the respective payload in the same profile to leverage the certificate being deployed.


Configuring a SCEP Payload

Follow all instructions in Configuring a PKI Credential Payload, except for one modification:

1. Select SCEP from the payload area on the left rather than configuring Credentials.

2. Select Defined Certificate Authority from the Credential Source drop-down menu.

3. Select the external Symantec CA you created for using SCEP previously in Step 2: Retrieving Certificate from Symantec Certificate Authority from the Certificate Authority drop-down menu.

4. Select the Certificate Template for Symantec you created for using SCEP previously in Step 3: Setup Certificate Template for Symantec CA Type from the Certificate Template drop-down menu.

At this point, Saving and Publishing the profile would deploy a certificate to the device. However, if you plan on using the certificate on the device for Wi-Fi, VPN, or Email purposes, then you should also configure the respective payload in the same profile to leverage the certificate being deployed.


Testing and Troubleshooting

These testing and troubleshooting techniques are for SaaS, rather than on-premise deployments.

Verifying Ability to Perform Certificate Authentication without AirWatch

Remove AirWatch from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside of AirWatch; until it works properly, AirWatch will not be able to configure a device to connect with a certificate.

Verifying Ability to Perform Certificate Authentication with AirWatch

You can confirm that the certificate is usable by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access-point. If the device is not connecting and shows a message that the certificate cannot be authenticated or the account cannot connect then there is a problem in the configuration. Below are some helpful troubleshooting checks.

If SSL/TLS errors are received while creating a template

This error can occur when you attempt to:

• Create an AirWatch Certificate Template by clicking on the Retrieve Profiles button or

• Retrieve a certificate via the AirWatch console from the Symantec certificate authority by clicking on the Test Connection button.

The troubleshooting technique that usually resolves this problem is:

• Adding the required server certificate chain in the console server's trusted root key store.

If the Profile Name drop-down fails to populate while creating an AirWatch Certificate Template

• Inform AirWatch Professional Services of the error and request they:

o Turn On Verbose Mode to capture additional data.

o Retrieve web console log.

• AirWatch analyzes the log and works with the customer to resolve the problem.

If the AirWatch Certificate Profile fails to install on the device

• Inform AirWatch Professional Services of the error and request they:

o Turn On Verbose Mode to capture additional data.

o Retrieve web console log.

• AirWatch analyzes the log and works with the customer to resolve the problem.

If the Certificate is not Populated in the ‘View XML’ option of the profile

• Confirm that the lookup values configured on the Symantec certificate profile match the lookup values in the AirWatch console’s Request Template.


• Confirm that the lookup values in the AirWatch Request Template are actually populated in the user information being pulled from AD.

• Confirm you are pointing to the right profile in Symantec.

Appendix A: Creating a Certificate Signing Request from a Windows Server & Mac

The following instructions are for creating a certificate signing request from a Windows or Mac server. This can be performed on ANY server and it does not have to be performed on the AirWatch server.

Create a Certificate Signing Request from a Windows Server

1. Navigate to Start ► Administrative Tools ► Internet Information Services (IIS) Manager.

2. Select the server name (for example, ATL01DEVAPP40).

3. Double-click the Server Certificates icon in the Security section from the center menu.


4. Select Create Certificate Request from the Actions menu on the right to open the Request Certificate wizard.

5. Enter the following in the Distinguished Name Properties window:

o Common name - Name associated with the developer.

o Organization - Legally registered name of your organization/company.

o Organizational unit - Name of your department within the organization.

o City/locality - City in which your organization is located.

o State/province - State in which your organization is located.

o Country/region - Country in which your organization is located.

6. Click Next.


7. Select the following in the Cryptographic Service Provider Properties window:

o Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider

o Bit length: 2048

8. Save the Certificate Signing Request (CSR) to your desktop or another convenient location.

Note: On a Windows Server, this is saved as a .txt file.


You have now created a CSR and are ready to upload it to the AirWatch Certificate Portal.

Create a Certificate Signing Request from a Mac

1. Navigate to Applications ► Utilities ► Keychain Access to generate a Certificate Signing Request (CSR).

2. Select Keychain ► login from the left sidebar.

3. Select Category ► Certificates from the left sidebar.

4. Select Keychain Access ► Certificate Assistant ► Request a Certificate From a Certificate Authority from the top menu. The certificate wizard launches.

5. Enter the User Email Address and Common Name fields.

6. Select the Saved to disk radio button in Request is:


7. Click Continue.

8. Save the .certsigningrequest file to your desktop or somewhere convenient on your computer.

Note: For a Mac, this is saved as a .certsigningrequest file.

You have now created a CSR and are ready to upload it to the AirWatch Certificate Portal.

Appendix B: Completing a CSR and Exporting a Certificate from a Windows Server or Mac

The following instructions are for completing a Certificate Signing Request (CSR) and exporting the certificate from a Windows or Mac server. This can be performed on ANY server and it does not have to be performed on the AirWatch server.


Completing the CSR and Exporting the Certificate from a Windows Server

You can perform this step using one of two options. You can use OpenSSL if you are comfortable with it, or you can use IIS.

Instructions for Generating a New RA Certificate using OpenSSL

1. Generate a new RSA key pair. Command:

   openssl req -new -newkey rsa:2048 -nodes -out AirWatch.csr -keyout AirWatch.key -subj "/C=US/ST=Georgia/L=Atlanta/O=R&D/OU=R&D/CN=AirWatch"

2. Log in to the Symantec PKI portal.

3. Click on Tasks (gear icon). Click on “Get a RA Certificate”.

4. Paste the CSR into the field, submit, and download a new certificate.

5. Convert the .p7b format certificate into .pem. Command:

   openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

6. Create a PKCS#12 (.pfx) file with the private key and the .pem certificate. Command:

   openssl pkcs12 -export -out certificate.pfx -inkey AirWatch.key -in certificate.pem

7. Upload the new certificate to Symantec CA in AirWatch and validate that it works.

8. Update testing documentation with the new certificate and password.
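
The OpenSSL steps above, rehearsed offline with a check after each stage. This is an added example, not part of the AirWatch guide: a throwaway local CA stands in for the Symantec PKI portal, and the function names (key_matches_cert, build_ra_pfx), the PFX_PASS variable, the CA name and the password are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the AirWatch guide): the OpenSSL RA-certificate steps
# run end to end, verifying the CSR, the key/certificate pairing and the PFX.

# Succeeds only if the certificate's public key belongs to the private key.
key_matches_cert() {   # usage: key_matches_cert <key.pem> <cert.pem>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Builds certificate.pfx in <workdir> and prints the subject stored in it.
build_ra_pfx() {       # usage: build_ra_pfx <workdir> <pfx password>
    d=$1; pass=$2

    # Step 1 of the guide: key pair and CSR. -nodes writes the private key
    # unencrypted, so restrict it to the owner immediately.
    openssl req -new -newkey rsa:2048 -nodes -out "$d/AirWatch.csr" \
        -keyout "$d/AirWatch.key" \
        -subj "/C=US/ST=Georgia/L=Atlanta/O=R&D/OU=R&D/CN=AirWatch" \
        2>/dev/null || return 1
    chmod 600 "$d/AirWatch.key"
    # Confirm the CSR is well formed and self-signed before pasting it anywhere.
    openssl req -in "$d/AirWatch.csr" -noout -verify 2>&1 \
        | grep -q "verify OK" || return 1

    # Stand-in for steps 2-4 (the portal): a constructed test CA signs the CSR
    # and hands back a .p7b, the format step 5 expects.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/AirWatch.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/issued.pem" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$d/issued.pem" \
        -out "$d/certificate.p7b" || return 1

    # Step 5: convert the .p7b to .pem.
    openssl pkcs7 -print_certs -in "$d/certificate.p7b" \
        -out "$d/certificate.pem" || return 1
    # A certificate issued for some other CSR is caught here, not in the console.
    key_matches_cert "$d/AirWatch.key" "$d/certificate.pem" || return 1

    # Step 6: bundle key and certificate. The password is passed through the
    # environment (env:) so it does not appear in the process list.
    PFX_PASS="$pass" openssl pkcs12 -export -out "$d/certificate.pfx" \
        -inkey "$d/AirWatch.key" -in "$d/certificate.pem" \
        -passout env:PFX_PASS || return 1

    # Re-open the PFX with the password and print the subject it carries.
    PFX_PASS="$pass" openssl pkcs12 -in "$d/certificate.pfx" \
        -passin env:PFX_PASS -nokeys 2>/dev/null | openssl x509 -noout -subject
}

# Demo run in a scratch directory that is deleted afterwards.
demo=$(mktemp -d) && build_ra_pfx "$demo" 'constructed-password'
rm -rf "$demo"
```

With a real portal-issued .p7b, skip the test-CA block and run the remaining checks against the downloaded file; delete AirWatch.key once the .pfx has been uploaded and stored safely.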

IIS Method

After you have copied the signed CSR from the Symantec MPKI Manager to your Windows Server, do the following:

1. Navigate to Internet Information Services (IIS) Manager ► Server Certificates.

2. Select Complete Certificate Request. This opens the Complete Certificate Request wizard.

3. Browse to the signed CSR that was provided to you from the Symantec MPKI Manager and enter a friendly name.

Note: The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate. For example, you could call it Symantec RA Certificate.

4. Select OK to install the certificate on the server.


5. Right-click the certificate you imported and select Export to upload the Symantec RA certificate onto the AirWatch server.

6. Save the file to your Desktop in the .pfx format.

Note: If you only have the option to save as a .cer file rather than a .pfx then most likely you right-clicked on something other than the certificate. Verify you selected the certificate to export and repeat the steps above until you are able to save in .pfx format.

7. Enter a required password for this certificate in the fields when the dialog box appears.

Note: Make sure you make note of this password since it will be needed when you upload the certificate to the AirWatch server.

8. Click OK.

You are now ready to upload your certificate to the AirWatch server. Please refer to Step 2: Retrieving Certificate from Symantec Certificate Authority for an explanation.

Completing the CSR and Exporting the Symantec RA Certificate from a Mac

1. Double-click the file to upload it to Keychain Access and complete the CSR.

2. Verify that you can see your Symantec RA Certificate as shown in the screen below.

3. Click to expand the arrow on the left and verify that below the Symantec RA Certificate displays the private key associated with that certificate.


Note: If you do not see your Symantec RA Certificate and the private key, verify that you selected Keychain ► login, then selected Category ► Certificates, and clicked on the arrow to expand the certificate. If you completed these three steps and still do not see the certificate and private key, they were not created and you need to regenerate the CSR. In that case, refer to Create a Certificate Signing Request from a Mac and repeat the procedure.

4. Right-click on the private key and select Export to export the Symantec RA Certificate so it can be uploaded into the AirWatch server.

5. Save the file to your Desktop in the .p12 format.

Note: If you only have the option to save as a .cer file rather than a .p12 then most likely you right-clicked on something other than the private key. Verify you selected the private key to export and repeat the steps above until you are able to save in .p12 format.

6. Enter a required password for this certificate in the fields when the dialog box appears.

Note: Make sure you make note of this password since it will be needed when you upload the certificate to the AirWatch server.

7. Click OK.

You are now ready to upload your certificate to the AirWatch server. Please refer to Step 2: Retrieving Certificate from Symantec Certificate Authority for an explanation.


Appendix C: Simple Certificate Enrollment Protocol (SCEP)

This protocol is used by a device to obtain the required credentials from a PKI system, which is typically independent of AirWatch. During this process, AirWatch authenticates the device and hands off further credential negotiation to the device and the PKI endpoint. Currently, only iOS devices implement this protocol.

Appendix D: Lookup Values

Lookup values are special tokens that are used to represent various properties of the enrollment users and their devices. These tokens are replaced by actual enrollment values at runtime and are typically used in text fields. For example, for the DN text field: CN={EnrollmentUser}. Here {EnrollmentUser} is the lookup token and represents the username of the incoming enrollment user.

The following is an alphabetical list of Lookup Values that can be used in certain AirWatch fields:

{CompanyName}, {DeviceAssetNumber}, {DeviceFriendlyName}, {DeviceModel}, {DeviceOperatingSystem}, {DevicePlatform}, {DeviceReportedName}, {DeviceSerialNumber}, {DeviceSerialNumberLastFour}, {DeviceUid}, {DeviceUidLastFour}, {DeviceWLANMac}, {DynamicScepChallenge}, {EmailAddress}, {EmailDomain}, {EmailPassword}, {EmailUserName}, {EnrollmentUser}, {EnrollmentUserId}, {FirstName}, {GroupIdentifier}, {LastName}, {SessionToken}, {UserPrincipalName}
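The following is an added example, not part of the AirWatch guide and not AirWatch's own code: a Python check for field templates built from the lookup values above. It reports tokens that are not in the Appendix D list (a misspelled token would not be replaced at runtime) and escapes substituted values per RFC 4514 before placing them in a DN. Treating {DynamicScepChallenge}, {EmailPassword} and {SessionToken} as unsuitable for certificate fields is an assumption of this example, as are all function names and the sample data.

```python
import re

# Lookup values exactly as listed in Appendix D of this guide.
LOOKUP_VALUES = frozenset("""
CompanyName DeviceAssetNumber DeviceFriendlyName DeviceModel
DeviceOperatingSystem DevicePlatform DeviceReportedName DeviceSerialNumber
DeviceSerialNumberLastFour DeviceUid DeviceUidLastFour DeviceWLANMac
DynamicScepChallenge EmailAddress EmailDomain EmailPassword EmailUserName
EnrollmentUser EnrollmentUserId FirstName GroupIdentifier LastName
SessionToken UserPrincipalName
""".split())

# Assumption of this example: secret-bearing values that should not be
# written into a certificate field, because certificates are not confidential.
SECRET_VALUES = frozenset({"DynamicScepChallenge", "EmailPassword", "SessionToken"})

TOKEN = re.compile(r"\{([^{}]*)\}")


def lint_template(template):
    """Return (unknown, secret): sorted token names that should be reviewed."""
    names = set(TOKEN.findall(template))
    return sorted(names - LOOKUP_VALUES), sorted(names & SECRET_VALUES)


def escape_dn_value(value):
    """Escape a string so it stays one RFC 4514 attribute value."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_dn(template, values):
    """Lint the template, then substitute escaped enrollment values."""
    unknown, secret = lint_template(template)
    if unknown or secret:
        raise ValueError(f"unknown tokens {unknown}, secret tokens {secret}")
    return TOKEN.sub(lambda m: escape_dn_value(values[m.group(1)]), template)


# Constructed sample input: a username containing DN separator characters.
SAMPLE = {"EnrollmentUser": "jdoe,OU=Admins", "CompanyName": "Example Corp"}
print(expand_dn("CN={EnrollmentUser},O={CompanyName}", SAMPLE))
```

Without the escaping step, the separator characters in the sample username would be read as an extra OU component of the subject rather than as part of the CN.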

Appendix E: Viewing Symantec Profiles and Attributes with PKI Manager

Managing Certificate Profiles

1. Click the Settings icon.

2. Click Manage certificate profiles.


The Manage certificate profiles window displays:

How to View the SCEP URL

When your Symantec account was set up, Symantec issued a specific SCEP URL. You will need to enter this Symantec SCEP URL in the AirWatch Certificate Authority screens.

1. Select a Symantec Certificate Profile for SCEP that is being used by your AirWatch server under Certificate profiles.


2. Locate the Symantec SCEP URL under Manage this profile.

Configuring a Symantec Profile and Important Details

1. Click a Symantec Certificate Profile being used by your AirWatch server under Certificate profiles.

2. View the right side of the window and make note of the information regarding the Symantec Certificate Profile. For example, the number of times it was issued, revoked, etc.

3. Scroll down to view the seat_id used in the Symantec Certificate Profile. This is also used in the AirWatch Certificate Template Mandatory Fields. The seat_id must match the lookup value used in Symantec and AirWatch.

4. Click Customize Options located in the center pane.


5. View the Primary certificate options and make sure the Enrollment method is set correctly. If you are using PKI, set it to PKI Web Services. If you are using SCEP, set it to SCEP.

6. View the Primary certificate options and make sure the Authentication method is set correctly. If you are using PKI Web Services, set it to 3rd party application. If you are using SCEP, set it to Enrollment Code.

7. Click Advanced to view the Mandatory Fields used by the Symantec Certificate Profile and by the AirWatch Certificate Template.


8. View the Certificate fields by using the scrollbar on the right side of the window. Make a note of the attributes and match these attributes to those being used in the AirWatch Certificate Template Mandatory Fields.

9. Continue to scroll down to the second group, SubjectAltName. This can show many different attributes based on the attributes needed in the Symantec Certificate Profile and AirWatch Certificate Template.


10. Click Save.

The sole intent of this document is to provide AirWatch customers with initial guidance to technical issues. The suggestions given herein are provided as a courtesy and are not intended to replace specific personalized advice provided by the reader’s network administrators, computer security personnel, or other technical experts and consultants. References in this document to any specific service provider, manufacturer, company, product, service, or software do not constitute an endorsement or recommendation by AirWatch. Under no circumstances shall AirWatch be liable to you or any other person for any damages, including without limitation, any direct, indirect, incidental, special or consequential damages, expenses, costs, profits, lost savings or earnings, lost or corrupted data, or other liability arising out of or related in any way to information, guidance, or suggestions provided in this document.

