I guess user challenge itself is not enough.. We also need to validate the SCEP request..
Thanks & regards,
-Prabath

On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby <[email protected]> wrote:

> Hi Prabath,
>
> Currently SCEP server is within the MDM domain itself. Where validation
> will be done based on the user challenge before it gets passed to it. The
> validation part is not done.
> Also there is a performance issue in the time taken to enroll a device,
> Mayuran is working on that along with the validation.
>
> Thanks,
> -Shan
>
> On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena <[email protected]> wrote:
>
>> Hi Dilshan,
>>
>> Have we considered passing the SCEP requests from the devices through the
>> MDM and validating those.. There is a separate mail on that..
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:
>>
>>> Yes Prabath our MDM needs not to work as a SCEP server. Right now it's a
>>> separate WEBrick web server and the code is written in Ruby. SCEP server
>>> can be any third party server like EJBCA etc. I had an offline discussion
>>> with Azeez and came to the conclusion that the SCEP server part needs to be
>>> separated out to a web app written in Java. So any time it can be replaced
>>> with anything. Ideally, I believe this part needs to be handled by IS
>>> and MDM only communicate with it through the information provided at
>>> deployment time.
>>>
>>> Regards,
>>>
>>> Dilshan
>>>
>>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>>>
>>>> Just had a look at how this works with iOS [1]..
>>>>
>>>> I may be totally wrong (please correct me in that case) - I just went
>>>> through the doc quickly..
>>>>
>>>> In the Response from the MDM - it has the following.. Which in fact
>>>> gives details to connect to a different SCEP server.. so our MDM needs not
>>>> to work as a SCEP server..
>>>>
>>>> <array>
>>>>   <dict>
>>>>     <key>PayloadContent</key>
>>>>     <dict>
>>>>       <key>URL</key>
>>>>       <string>https://scep.example.com/scep</string>
>>>>       <key>Name</key>
>>>>       <string>EnrollmentCAInstance</string>
>>>>       <key>Subject</key>
>>>>       <array>
>>>>         <array>
>>>>           <array>
>>>>             <string>O</string>
>>>>             <string>Example, Inc.</string>
>>>>           </array>
>>>>         </array>
>>>>         <array>
>>>>           <array>
>>>>             <string>CN</string>
>>>>             <string>User Device Cert</string>
>>>>           </array>
>>>>         </array>
>>>>       </array>
>>>>       <key>Challenge</key>
>>>>       <string>...</string>
>>>>       <key>Keysize</key>
>>>>       <integer>1024</integer>
>>>>       <key>Key Type</key>
>>>>       <string>RSA</string>
>>>>       <key>Key Usage</key>
>>>>       <integer>5</integer>
>>>>     </dict>
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> [1]:
>>>> http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>>
>>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>
>>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <[email protected]> wrote:
>>>>>
>>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by
>>>>>> default?
>>>>>>
>>>>>> Prabath I remember a long discussion about certificate issuing and
>>>>>> distribution 3-4 years ago but don't think we ended up implementing yet..
>>>>>> is this a lightweight solution?
>>>>>
>>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>>
>>>>> SCEP server plays the middle-man role in enrolling and getting a
>>>>> certificate to a network device (which basically does not have any account
>>>>> with the CA).
>>>>>
>>>>> SCEP server will know how to talk to a CA (could be the existing
>>>>> corporate CA) and get the certificate..
>>>>>
>>>>> My understanding is MDM needs not to be a SCEP server (please correct
>>>>> me if not).. It only has to know how to talk to a SCEP server.. (which may
>>>>> be IS, EJBCA or Microsoft CA).
>>>>>
>>>>> Mobile devices, when getting registered with the MDM, will get a
>>>>> profile with all the details to connect to the SCEP server... and these
>>>>> devices will connect to the SCEP server directly and do the enrollment..
>>>>> The role of MDM is to embed the OTP and the server URL of the SCEP server
>>>>> into the profile...
>>>>>
>>>>> Thanks & regards,
>>>>> -Prabath
>>>>>
>>>>>> Dilshan have u guys already implemented it?
>>>>>>
>>>>>> Sanjiva.
>>>>>>
>>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Attached is the architecture of mobile device management. The MDM
>>>>>>> build is compiled on top of Carbon by using the necessary features. The build
>>>>>>> consists of these layers/modules/components.
>>>>>>>
>>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core
>>>>>>> functionality.
>>>>>>>
>>>>>>> 2) MDM admin console - This is for creating tenants and admins. At
>>>>>>> present this is done via the Carbon admin console.
>>>>>>>
>>>>>>> 3) Public store - Public store Jaggery app.
>>>>>>>
>>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>>
>>>>>>> 5) Store admin console - Admin console for the store.
>>>>>>>
>>>>>>> 6) iPhone interface - This will run the SCEP server [1] which is
>>>>>>> needed for iPhone provisioning.
>>>>>>>
>>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>>
>>>>>>> 8) User module - User authentication, registration, roles etc. will be
>>>>>>> handled here. For this we will be using WSRequest in Jaggery or directly
>>>>>>> calling the OSGi bundle from Jaggery.
>>>>>>>
>>>>>>> 9) Tenant management module - Tenants will be handled in this module.
>>>>>>>
>>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>>
>>>>>>> 11) Security module - SAML based login etc.
>>>>>>>
>>>>>>> 12) Device module - Device related functions.
>>>>>>>
>>>>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>>>>
>>>>>>> The main MDM app will be developed as a Jaggery app and it will use an
>>>>>>> external MySQL database. Jaggery will handle all the database functions
>>>>>>> related to MDM. Data level isolation of the tenants will also be done
>>>>>>> using the Jaggery code.
>>>>>>>
>>>>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Dilshan
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> Sanjiva Weerawarana, Ph.D.
>>>>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>>
>>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Prabath
>>>>>
>>>>> Mobile : +94 71 809 6732
>>>>>
>>>>> http://blog.facilelogin.com
>>>>> http://RampartFAQ.com
>
> --
>
> Shanmugarajah (Shan)
>
> Director Architecture - WSO2Mobile
>
> Mob: + 94 714944295

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
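The thread's point is that the MDM embeds a one-time challenge and the SCEP server URL in the device profile, and that checking the challenge on its own is not enough: the enrollment request the device sends to the SCEP server also has to be validated against what the MDM actually issued. The following is an added example (not code from this thread or from the WSO2 MDM project) that builds the iOS SCEP `PayloadContent` dictionary quoted above with `plistlib` and implements the MDM-side check: each challenge is single-use, expires, is bound to the device it was issued to, and the subject the device asks for must match the one the MDM enrolled. It assumes the SCEP front end has already extracted the `challengePassword` and subject CN from the device's PKCS#10 request (a real deployment needs a CSR parser for that step); the `ChallengeStore` class, the ten-minute TTL and the device identifiers are hypothetical, constructed for the example.

```python
"""MDM-side SCEP challenge issuance and enrollment validation (added example)."""
from __future__ import annotations

import hashlib
import plistlib
import secrets
import time
from dataclasses import dataclass

SCEP_URL = "https://scep.example.com/scep"   # URL from the profile quoted in the thread
CHALLENGE_TTL_SECONDS = 10 * 60              # assumed: a challenge is valid for ten minutes


@dataclass
class IssuedChallenge:
    device_id: str      # device the MDM issued the challenge to (hypothetical identifier)
    expected_cn: str    # subject CN the MDM put into the profile for this device
    expires_at: float
    used: bool = False


def _digest(otp: str) -> str:
    # Only a hash of the challenge is stored; the plaintext is handed out once, in the profile.
    return hashlib.sha256(otp.encode()).hexdigest()


class ChallengeStore:
    """Issues per-device one-time challenges and validates SCEP enrollment requests against them."""

    def __init__(self, now=time.time):
        self._now = now
        self._by_hash: dict[str, IssuedChallenge] = {}

    def issue(self, device_id: str, expected_cn: str) -> str:
        otp = secrets.token_urlsafe(32)   # 256-bit random, unguessable challenge
        self._by_hash[_digest(otp)] = IssuedChallenge(
            device_id, expected_cn, self._now() + CHALLENGE_TTL_SECONDS)
        return otp

    def validate(self, challenge_password: str, device_id: str, csr_cn: str) -> tuple[bool, str]:
        """Check one enrollment request: known, unused, unexpired, right device, right subject."""
        rec = self._by_hash.get(_digest(challenge_password))
        if rec is None:
            return False, "unknown challenge"
        if rec.used:
            return False, "challenge already used"
        if self._now() > rec.expires_at:
            return False, "challenge expired"
        if rec.device_id != device_id:
            return False, "challenge issued to a different device"
        if rec.expected_cn != csr_cn:
            return False, "CSR subject does not match enrolled device"
        rec.used = True   # consume on success so a replayed request is rejected
        return True, "ok"


def build_scep_payload(otp: str, cn: str) -> bytes:
    """Serialize the PayloadContent dict from the thread as an XML plist, with the OTP as Challenge."""
    payload = {
        "PayloadContent": {
            "URL": SCEP_URL,
            "Name": "EnrollmentCAInstance",
            "Subject": [[["O", "Example, Inc."]], [["CN", cn]]],
            "Challenge": otp,
            "Keysize": 1024,          # value as quoted in the thread's profile excerpt
            "Key Type": "RSA",
            "Key Usage": 5,
        }
    }
    return plistlib.dumps([payload])


def demo() -> list[tuple[bool, str]]:
    """Walk through issue -> profile -> enrollment for the normal case and three failure modes."""
    clock = [1_000_000.0]                       # controllable clock so expiry can be exercised
    store = ChallengeStore(now=lambda: clock[0])

    otp = store.issue("device-42", "User Device Cert")
    profile = build_scep_payload(otp, "User Device Cert")
    # The device reads Challenge out of the profile and sends it as the CSR challengePassword.
    challenge = plistlib.loads(profile)[0]["PayloadContent"]["Challenge"]

    results = [
        store.validate(challenge, "device-42", "User Device Cert"),   # first use: accepted
        store.validate(challenge, "device-42", "User Device Cert"),   # replay: rejected
    ]
    otp2 = store.issue("device-43", "User Device Cert")
    results.append(store.validate(otp2, "device-99", "User Device Cert"))   # wrong device
    otp3 = store.issue("device-44", "User Device Cert")
    clock[0] += CHALLENGE_TTL_SECONDS + 1
    results.append(store.validate(otp3, "device-44", "User Device Cert"))   # expired
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", "-", reason)
```

Storing only a digest of the challenge means a read of the MDM's challenge table does not yield usable enrollment secrets, and binding the challenge to a device identifier and an expected subject is what turns "the challenge was correct" into "this request is the one we authorized". Where the SCEP server is a third-party product (EJBCA, Microsoft CA), as the thread proposes, this check belongs in the MDM component that the SCEP server consults, or in a proxy the requests pass through.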
