Hi Prabath,

Currently the SCEP server is within the MDM domain itself, where validation will be done based on the user challenge before it gets passed to it. The validation part is not done. Also there is a performance issue in the time taken to enroll a device; Mayuran is working on that along with the validation.

Thanks,
-Shan

On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena <[email protected]> wrote:

> Hi Dilshan,
>
> Have we considered passing the SCEP requests from the devices through the MDM and validating those.. There is a separate mail on that..
>
> Thanks & regards,
> -Prabath
>
> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:
>
>> Yes Prabath, our MDM need not work as a SCEP server. Right now it's a separate WEBrick web server and the code is written in Ruby. The SCEP server can be any third-party server like EJBCA etc. I had an offline discussion with Azeez and came to the conclusion that the SCEP server part needs to be separated out into a web app written in Java, so at any time it can be replaced with anything. Ideally, I believe this part needs to be handled by IS, and MDM should only communicate with it through the information provided at deployment time.
>>
>> Regards,
>>
>> Dilshan
>>
>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>>
>>> Just had a look at how this works with iOS [1]..
>>>
>>> I may be totally wrong (please correct me in that case) - I just went through the doc quickly..
>>>
>>> In the response from the MDM - it has the following.. which in fact gives details to connect to a different SCEP server.. so our MDM need not work as a SCEP server..
>>>
>>> <array>
>>>   <dict>
>>>     <key>PayloadContent</key>
>>>     <dict>
>>>       <key>URL</key>
>>>       <string>https://scep.example.com/scep</string>
>>>       <key>Name</key>
>>>       <string>EnrollmentCAInstance</string>
>>>       <key>Subject</key>
>>>       <array>
>>>         <array>
>>>           <array>
>>>             <string>O</string>
>>>             <string>Example, Inc.</string>
>>>           </array>
>>>         </array>
>>>         <array>
>>>           <array>
>>>             <string>CN</string>
>>>             <string>User Device Cert</string>
>>>           </array>
>>>         </array>
>>>       </array>
>>>       <key>Challenge</key>
>>>       <string>...</string>
>>>       <key>Keysize</key>
>>>       <integer>1024</integer>
>>>       <key>Key Type</key>
>>>       <string>RSA</string>
>>>       <key>Key Usage</key>
>>>       <integer>5</integer>
>>>     </dict>
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> [1]: http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>
>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <[email protected]> wrote:
>>>
>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <[email protected]> wrote:
>>>>
>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by default?
>>>>>
>>>>> Prabath, I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing it yet .. is this a lightweight solution?
>>>>
>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>
>>>> The SCEP server plays the middle-man role in enrolling and getting a certificate to a network device (which basically does not have any account with the CA).
>>>>
>>>> The SCEP server will know how to talk to a CA (could be the existing corporate CA) and gets the certificate..
>>>>
>>>> My understanding is MDM need not be a SCEP server (please correct me if not).. It only has to know how to talk to a SCEP server.. (which may be IS, EJBCA or Microsoft CA).
>>>>
>>>> Mobile devices, when getting registered with the MDM, will get a profile with all the details to connect to the SCEP server... and these devices will connect to the SCEP server directly and do the enrollment.. The role of MDM is to embed the OTP and the server URL of the SCEP server into the profile...
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>>> Dilshan, have you guys already implemented it?
>>>>>
>>>>> Sanjiva.
>>>>>
>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Attached is the architecture of mobile device management. The MDM build is compiled on top of Carbon by using the necessary features. The build consists of these layers/modules/components.
>>>>>>
>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core functionality.
>>>>>>
>>>>>> 2) MDM admin console - This is for creating tenants and admins. At present this is done via the Carbon admin console.
>>>>>>
>>>>>> 3) Public store - Public store Jaggery app.
>>>>>>
>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>
>>>>>> 5) Store admin console - Admin console for the store.
>>>>>>
>>>>>> 6) iPhone interface - This will run the SCEP server [1] which is needed for iPhone provisioning.
>>>>>>
>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>
>>>>>> 8) User module - User authentication, registration, roles etc. will be handled here. For this we will be using WSRequest in Jaggery or directly calling the OSGi bundle from Jaggery.
>>>>>>
>>>>>> 9) Tenant management module - Tenants will be handled in this module.
>>>>>>
>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>
>>>>>> 11) Security module - SAML based login etc.
>>>>>>
>>>>>> 12) Device module - Device related functions.
>>>>>>
>>>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>>>
>>>>>> The main MDM app will be developed as a Jaggery app and it will use an external MySQL database. Jaggery will handle all the database functions related to MDM. Data-level isolation of the tenants will also be done using the Jaggery code.
>>>>>>
>>>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Dilshan
>>>>>>
>>>>>> _______________________________________________
>>>>>> Architecture mailing list
>>>>>> [email protected]
>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>
>>>>> --
>>>>> Sanjiva Weerawarana, Ph.D.
>>>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>
>>>>> Lean . Enterprise . Middleware
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Prabath
>>>>
>>>> Mobile : +94 71 809 6732
>>>>
>>>> http://blog.facilelogin.com
>>>> http://RampartFAQ.com

--
Shanmugarajah (Shan)
Director Architecture - WSO2Mobile
Mob: + 94 714944295

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
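The thread describes two MDM-side responsibilities: embedding a one-time challenge (the OTP) and the SCEP URL into the SCEP payload of the device's configuration profile, and validating that challenge before the request is passed on to the SCEP server, which Shan notes is not done yet. The block below is an added example, not code from this thread or from WSO2's MDM, written in Ruby because the SCEP server under discussion is Ruby. The `ChallengeStore` class, its time-to-live, the device ids and the sample organisation and CN values are all constructed for illustration; the payload keys mirror the Apple SCEP payload dict quoted by Prabath, except that the key size is 2048 rather than the quoted 1024, since 1024-bit RSA is not acceptable for newly issued certificates.

```ruby
# Added example (not code from the thread or from WSO2): the MDM-side pieces
# the discussion describes, in Ruby since the SCEP server mentioned is Ruby.
#   1. A challenge store that issues a one-time, expiring SCEP challenge
#      (the "OTP" the MDM embeds in the profile) and validates it before
#      the request is passed on to the SCEP server.
#   2. A builder for the SCEP PayloadContent dict quoted from Apple's OTA
#      configuration doc, serialised to plist XML.
# Class name, TTL, device ids and sample values are constructed for illustration.
require 'securerandom'
require 'digest'
require 'cgi'

class ChallengeStore
  DEFAULT_TTL = 10 * 60 # seconds; constructed value, tune per deployment

  def initialize(ttl: DEFAULT_TTL)
    @ttl = ttl
    @entries = {} # sha256(token) => { device:, expires:, used: }
  end

  # Issue a fresh, unguessable challenge bound to one device enrollment.
  # Only a digest is stored, so a leaked store does not yield usable tokens.
  def issue(device_id, now: Time.now)
    token = SecureRandom.hex(16) # 128 bits of entropy
    @entries[Digest::SHA256.hexdigest(token)] = {
      device: device_id, expires: now + @ttl, used: false
    }
    token
  end

  # Validate a challenge presented by a device. Returns [status, device_id].
  # Each failure path is distinct so it can be logged and alerted on;
  # repeated :unknown or :reused results from one source merit a look.
  def redeem(token, now: Time.now)
    entry = @entries[Digest::SHA256.hexdigest(token.to_s)]
    return [:unknown, nil] if entry.nil?
    return [:expired, nil] if now > entry[:expires]
    return [:reused, nil] if entry[:used]
    entry[:used] = true # single use: the same OTP must not enroll twice
    [:ok, entry[:device]]
  end
end

# Build the SCEP payload dict from the thread with the MDM-issued challenge
# and SCEP URL filled in. Keysize is 2048 here rather than the quoted 1024.
def build_scep_payload(scep_url, challenge, org, common_name)
  {
    'URL' => scep_url,
    'Name' => 'EnrollmentCAInstance',
    'Subject' => [[['O', org]], [['CN', common_name]]],
    'Challenge' => challenge,
    'Keysize' => 2048,
    'Key Type' => 'RSA',
    'Key Usage' => 5 # signing (1) + encryption (4), as in the quoted profile
  }
end

# Minimal plist XML emitter for the Hash/Array/String/Integer subset used above.
def to_plist(value, indent = '')
  case value
  when Hash
    inner = value.map do |k, v|
      "#{indent}  <key>#{CGI.escapeHTML(k.to_s)}</key>\n#{to_plist(v, indent + '  ')}"
    end
    "#{indent}<dict>\n#{inner.join("\n")}\n#{indent}</dict>"
  when Array
    inner = value.map { |v| to_plist(v, indent + '  ') }
    "#{indent}<array>\n#{inner.join("\n")}\n#{indent}</array>"
  when Integer
    "#{indent}<integer>#{value}</integer>"
  when String
    "#{indent}<string>#{CGI.escapeHTML(value)}</string>"
  else
    raise ArgumentError, "unsupported plist value: #{value.class}"
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ChallengeStore.new
  otp = store.issue('device-0001')
  puts to_plist('PayloadContent' => build_scep_payload(
    'https://scep.example.com/scep', otp, 'Example, Inc.', 'User Device Cert'))
  p store.redeem(otp) # => [:ok, "device-0001"]
  p store.redeem(otp) # => [:reused, nil]
end
```

The store keeps only a hash of each token, marks it used on first successful redemption, and distinguishes unknown, expired and reused tokens so the MDM can log them separately; in the deployment described in the thread, `redeem` is the check that would run before the MDM forwards a request to the SCEP server.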
