Hi Dilshan,

Have we considered passing the SCEP requests from the devices through the MDM and validating those? There is a separate mail on that.

Thanks & regards,
-Prabath

On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:

> Yes Prabath, our MDM need not work as a SCEP server. Right now it's a
> separate WEBrick web server and the code is written in Ruby. The SCEP server
> can be any third-party server like EJBCA etc. I had an offline discussion
> with Azeez and came to the conclusion that the SCEP server part needs to be
> separated out into a web app written in Java, so at any time it can be replaced
> with anything. Ideally, I believe, this part needs to be handled by IS,
> and MDM only communicates with it through the information provided at
> deployment time.
>
> Regards,
>
> Dilshan
>
> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>
>> Just had a look at how this works with iOS [1].
>>
>> I may be totally wrong (please correct me in that case) - I just went
>> through the doc quickly.
>>
>> The response from the MDM has the following, which in fact gives the
>> details to connect to a different SCEP server, so our MDM need not
>> work as a SCEP server.
>>
>> <array>
>>   <dict>
>>     <key>PayloadContent</key>
>>     <dict>
>>       <key>URL</key>
>>       <string>https://scep.example.com/scep</string>
>>       <key>Name</key>
>>       <string>EnrollmentCAInstance</string>
>>       <key>Subject</key>
>>       <array>
>>         <array>
>>           <array>
>>             <string>O</string>
>>             <string>Example, Inc.</string>
>>           </array>
>>         </array>
>>         <array>
>>           <array>
>>             <string>CN</string>
>>             <string>User Device Cert</string>
>>           </array>
>>         </array>
>>       </array>
>>       <key>Challenge</key>
>>       <string>...</string>
>>       <key>Keysize</key>
>>       <integer>1024</integer>
>>       <key>Key Type</key>
>>       <string>RSA</string>
>>       <key>Key Usage</key>
>>       <integer>5</integer>
>>     </dict>
>>   </dict>
>> </array>
>>
>> Thanks & regards,
>> -Prabath
>>
>> [1]: http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>
>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <[email protected]> wrote:
>>
>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <[email protected]> wrote:
>>>
>>>> Dilshan & Prabath, should the SCEP server code ship with IS by default?
>>>>
>>>> Prabath, I remember a long discussion about certificate issuing and
>>>> distribution 3-4 years ago but don't think we ended up implementing it yet.
>>>> Is this a lightweight solution?
>>>
>>> Yes, we didn't make any progress with the CA implementation.
>>>
>>> The SCEP server plays the middle-man role in enrolling and getting a
>>> certificate to a network device (which basically does not have any account
>>> with the CA).
>>>
>>> The SCEP server will know how to talk to a CA (could be the existing
>>> corporate CA) and gets the certificate.
>>>
>>> My understanding is that MDM need not be a SCEP server (please correct me
>>> if not). It only has to know how to talk to a SCEP server (which may be
>>> IS, EJBCA or Microsoft CA).
>>>
>>> Mobile devices, when getting registered with the MDM, will get a profile
>>> with all the details to connect to the SCEP server, and these devices
>>> will connect to the SCEP server directly and do the enrollment. The role
>>> of MDM is to embed the OTP and the server URL of the SCEP server in the
>>> profile.
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>> Dilshan, have u guys already implemented it?
>>>>
>>>> Sanjiva.
>>>>
>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Attached is the architecture of mobile device management. The MDM
>>>>> build is compiled on top of Carbon by using the necessary features. The build
>>>>> consists of these layers/modules/components.
>>>>>
>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core
>>>>> functionality.
>>>>>
>>>>> 2) MDM admin console - This is for creating tenants and admins. At
>>>>> present this is done via the Carbon admin console.
>>>>>
>>>>> 3) Public store - Public store Jaggery app.
>>>>>
>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>
>>>>> 5) Store admin console - Admin console for the store.
>>>>>
>>>>> 6) iPhone interface - This will run the SCEP server [1] which is needed
>>>>> for iPhone provisioning.
>>>>>
>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>
>>>>> 8) User module - User authentication, registration, roles etc. will be
>>>>> handled here. For this we will be using WSRequest in Jaggery or directly
>>>>> calling the OSGi bundle from Jaggery.
>>>>>
>>>>> 9) Tenant management module - Tenants will be handled in this module.
>>>>>
>>>>> 10) Configuration management module - MDM related configurations.
>>>>>
>>>>> 11) Security module - SAML based login etc.
>>>>>
>>>>> 12) Device module - Device related functions.
>>>>>
>>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>>
>>>>> The main MDM app will be developed as a Jaggery app and it will use an
>>>>> external MySQL database. Jaggery will handle all the database functions
>>>>> related to MDM. Data level isolation of the tenants will also be done
>>>>> using the Jaggery code.
>>>>>
>>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>
>>>>> Regards,
>>>>>
>>>>> Dilshan
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> [email protected]
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> Sanjiva Weerawarana, Ph.D.
>>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>>> blog: http://sanjiva.weerawarana.org/
>>>>
>>>> Lean . Enterprise . Middleware
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Mobile : +94 71 809 6732
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
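The enrollment flow the thread settles on (the MDM embeds a one-time challenge and the SCEP server URL in the profile, and the device enrolls directly with the SCEP server) as an added example; this is not code from the thread or from WSO2's MDM. It is in Ruby only because Dilshan mentions the existing SCEP piece is written in Ruby. The class name, the 600-second challenge lifetime, the 2048-bit key size, the SHA-256 hashing of stored challenges and the minimal plist emitter are all my assumptions. It demonstrates the two properties a defender wants from the `Challenge` value in Prabath's payload: it is random, and it is accepted exactly once and only before it expires, so a profile that leaks or is replayed cannot be used to obtain a second certificate. The payload hash mirrors the keys shown in the quoted plist.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Issues and validates one-time SCEP enrollment challenges.
# Hypothetical class; an MDM would back this with its database instead of a Hash.
class ScepChallengeStore
  TTL_SECONDS = 600 # assumed lifetime of an enrollment challenge

  # clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @challenges = {} # SHA-256(challenge) => { device_id:, expires_at: }
  end

  # Generate a fresh random challenge for a device; only its hash is stored,
  # so a database leak does not hand out usable challenges.
  def issue(device_id)
    challenge = SecureRandom.hex(16)
    @challenges[Digest::SHA256.hexdigest(challenge)] = {
      device_id: device_id,
      expires_at: @clock.call + TTL_SECONDS
    }
    challenge
  end

  # Consume a challenge: removed on first use, rejected after expiry.
  # Returns the device id it was issued for, or nil if invalid.
  def consume(challenge)
    entry = @challenges.delete(Digest::SHA256.hexdigest(challenge.to_s))
    return nil if entry.nil?
    return nil if @clock.call > entry[:expires_at]
    entry[:device_id]
  end
end

# Build the SCEP PayloadContent as a Hash with the same keys as the plist
# quoted in the thread (URL, Name, Subject, Challenge, Keysize, Key Type, Key Usage).
def scep_payload_content(scep_url:, challenge:, org:, common_name:, keysize: 2048)
  {
    'URL' => scep_url,
    'Name' => 'EnrollmentCAInstance',
    'Subject' => [[['O', org]], [['CN', common_name]]],
    'Challenge' => challenge,
    'Keysize' => keysize,
    'Key Type' => 'RSA',
    'Key Usage' => 5
  }
end

# Minimal XML plist emitter for the types used above (Hash, Array, String, Integer).
def to_plist_xml(value, indent = 0)
  pad = '  ' * indent
  case value
  when Hash
    inner = value.map do |k, v|
      "#{pad}  <key>#{plist_escape(k)}</key>\n#{to_plist_xml(v, indent + 1)}"
    end.join
    "#{pad}<dict>\n#{inner}#{pad}</dict>\n"
  when Array
    "#{pad}<array>\n#{value.map { |v| to_plist_xml(v, indent + 1) }.join}#{pad}</array>\n"
  when Integer then "#{pad}<integer>#{value}</integer>\n"
  when String then "#{pad}<string>#{plist_escape(value)}</string>\n"
  else raise ArgumentError, "unsupported plist type #{value.class}"
  end
end

def plist_escape(s)
  s.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

if __FILE__ == $PROGRAM_NAME
  store = ScepChallengeStore.new
  challenge = store.issue('device-0001') # constructed device id
  payload = scep_payload_content(scep_url: 'https://scep.example.com/scep',
                                 challenge: challenge,
                                 org: 'Example, Inc.',
                                 common_name: 'User Device Cert')
  puts to_plist_xml({ 'PayloadContent' => payload })
  puts "first use: #{store.consume(challenge).inspect}"  # device id
  puts "second use: #{store.consume(challenge).inspect}" # nil, already consumed
end
```

The `consume` call is where "passing the SCEP requests through the MDM and validating those" would hook in: the component that receives the SCEP request looks the challenge up here before forwarding to the CA, and an expired or already-used challenge is refused rather than forwarded.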
