Page 1: EM L19 Symantec Mobile Management and Managed PKI Hands-On Lab L19.pdf · EM L19 Symantec Mobile Management and Managed PKI ... Be sure to ask your instructor any questions you may

EM L19 Symantec Mobile Management and Managed PKI Hands-On Lab

Description Building and managing a Certificate Authority infrastructure to support your Mobile Management infrastructure can be time consuming and cost prohibitive. Utilizing a VeriSign managed PKI infrastructure can help to alleviate these burdens. In this hands-on lab students will have the opportunity to configure the Symantec Mobile Management environment to work with the hosted mPKI solution and understand the benefits and advantages associated with its use.

This lab assumes a basic familiarity with SMM 7.1 and the SMP platform.

At the end of this lab, you should be able to

Understand the advantages of hosted PKI services

Understand the requirements for working with a managed PKI account

Be able to submit a CSR request to the PKI portal

Import the required certificates for use with managed PKI

Configure SMM to use a hosted SCEP configuration profile

Notes

A brief presentation will introduce this lab session and discuss key concepts.

The lab will be directed and provide you with step-by-step walkthroughs of key features.

Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.

Be sure to ask your instructor any questions you may have.

Thank you for coming to our lab session.


Getting Started

Before you begin, you will need to be sure that the SMM-Exchange and SMM-Server virtual machines have been started (in that order). Once the VMs have finished loading, you will be ready to begin. Unless otherwise stated, all of the exercises should be done from the SMM-Server virtual machine.

Set up a Symantec Managed PKI Account

Installing the Managed PKI Account follows a series of steps. The Symantec PKI client is installed first. The PKI client enables you to install the PKI Manager Sign-in Certificate, which is required to securely access the PKI Manager portal. An administrator of the managed account needs to set up the Symantec Managed PKI Account. You need to configure access to your PKI account from the machine you will use to manage the service; the required certificate for account access will be installed on that workstation. For purposes of these lab exercises, the required account, access certificate and certificate profile have already been installed and created for you.

Verify the Symantec PKI client installation

In the next steps we will verify that the above requirements are installed and ready for use.

1. On the SMM-Server virtual machine, open Start > Control Panel

2. Select Programs > Programs and Features

3. Verify that the Symantec PKI Client is listed

Verify that the PKI Manager Sign-in Certificate is installed

Open an MMC certificates snap-in for the ‘Current User’ account

1. Open the MMC console by clicking Start, typing MMC in the Search box, and then pressing Enter when mmc.exe appears.

2. Select File > Add/Remove Snap-in…, highlight ‘Certificates’ and move it to Selected snap-ins with the Add button.

3. Leave default setting of My user account and click Finish.

4. Click OK to save changes.

5. Expand Certificates > Personal and select Certificates

6. Verify that the EMM TFE Mobile Certificate, issued by Symantec Test Drive Admin… is installed

Note: This certificate is used for authentication to the PKI portal, and must be installed on the machine you will use to manage the service


Verify the Certificate Profile

To be able to issue certificates from the PKI Manager you must first configure the certificate profile that will be used to generate certificates. In this exercise we will walk through the configuration of this profile, but will not create it, as one has already been created for this lab.

1. Open a browser and navigate to the Symantec Managed PKI Portal page https://testdrive-pki-manager.symauth.com/pki-manager/

2. Click OK to confirm the Test Drive – Admin Certificate (previously viewed)

3. Enter the required PIN: mpkilab

4. Click OK to login

5. Click on the “Manage Certificate Profiles” icon on the bottom of the screen.

6. Verify that the profile created for this lab, called TFE Lab, is listed under the ‘Certificate Profiles found’ column.

The following steps walk through how this profile was created; we will not need to save an additional profile.

1. Click on the “Add Certificate profiles” link at the top left hand of the page.

2. The Managed PKI Portal displays the “Create Profile” wizard with the “Select Mode” page first.

3. Select “Production mode” and click Continue


4. The Managed PKI Portal displays the “Select Template” page.

5. Select “Secure Sign-in (Test Drive)” and then click Continue.

6. The Managed PKI Portal displays the “Customize certificate options” page.

7. Enter a “Certificate Friendly Name”.

8. Under Primary certificate options, select the ‘Enrollment method’ box and change the “Enrollment Method” drop box setting to “SCEP”

9. Click Continue to accept the change in enrollment method

10. Click on Advanced Options and verify that the “SubjectAltName” contains a field called “otherName (UPN)” and that its source is set to “SCEP Request”

11. Click “Cancel”. We do not need to save this particular profile as one has already been created.


Generate a Certificate Signing Request

In order to work with the Symantec managed PKI certificate you need to generate a CSR that can be submitted to VeriSign to create the required RA certificate. This request is generated from a trusted machine running IIS. This does not have to be the Mobile Management Server. You can create the RA certificate on a different computer and export it to be used on the Mobile Management Server. You can also create the RA certificate on the Mobile Management Server to avoid needing to export/import the certificate. We will follow that scenario in the following exercise.

1. Open IIS Manager, Select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager, or use the Start menu shortcut.

2. Under Connections, Select the SMM-Server, and then double-click Server Certificates under IIS in the SMM-Server Home column.

3. Click on “Create Certificate Request” under the Action tab on the far right pane.

4. The system displays the “Request Certificate” wizard starting with the “Distinguished Name Properties” page.

5. Enter the following information and click “Next”:

Common Name - The name that is attached to your certificate request, this can be any name you will recognize to identify the certificate.

Organization - The name of your organization.

Organizational unit - The name of the group or department within your organization.

City/locality - The city or locality where your organization is located.

State/province - The state or province where your organization is located.

Country/region - The country or region where your organization is located.

6. Leave the default “Microsoft RSA SChannel Cryptographic Provider” for the “Cryptographic service provider” and select “2048” for the “Bit length”

7. Click “Next”

8. Click the ellipsis button to browse to a file location

9. Select Desktop as the file location, enter a file name (e.g. csrreq.txt), and click Open

10. Click Finish; the certificate request file will be saved on the desktop.
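The same request can be produced from an elevated PowerShell prompt with certreq instead of the IIS wizard. This is an added example, not part of the lab: the DN values and file paths are assumed, and the INF keys mirror the wizard's choices (Microsoft RSA SChannel CSP, 2048-bit key, machine key store, exportable so the later .pfx export works).

```powershell
# Added example (not from the lab). Run as Administrator: MachineKeySet writes the
# private key into the Local Computer store, as the IIS wizard does.
$inf = @"
[NewRequest]
Subject = "CN=SMM RA Certificate, OU=Mobile Management, O=Example Corp, L=Example City, S=Example State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = SHA256
"@

$infPath = Join-Path $env:USERPROFILE 'Desktop\csrreq.inf'   # assumed path
$csrPath = Join-Path $env:USERPROFILE 'Desktop\csrreq.txt'   # file name used by the lab

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and write the PEM-encoded PKCS#10 request
certreq -new $infPath $csrPath

# Sanity check before pasting into the portal: confirm the subject and the 2048-bit key
certreq -dump $csrPath

# The text to paste into the PKI portal's "Enter CSR" form
Get-Content $csrPath
```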


Create and install the Intermediate and RA Certificates

You must now create an RA Certificate to secure communications and identify yourself to Managed PKI. In communications with Managed PKI, the RA certificate is used as a TLS/SSL client authentication certificate. The steps to configure are as follows:

Creating your Certificate request

1. In your browser, navigate back to the Symantec Managed PKI Portal page: https://ptnr-pki-manager.bbtest.net/pki-manager if not still open.

2. Click on the “Tasks” icon and select “Get an RA certificate”

3. The Managed PKI Portal displays the “Get an RA Certificate” wizard displaying the “Enter CSR” page.

4. Open the CSR file previously created on the server desktop

5. Hit CTRL+A to ‘Select All’ text

6. Hit CTRL+C to copy and then paste the CSR text into the provided form in the PKI portal

7. Click the “Cancel” button. We do not need to submit this request as one has already been created for this lab.

Note: Hitting continue would create the certificate file and provide you an opportunity to download the file. For purposes of this lab environment that file has already been created and downloaded to your VM environment.


Completing the certificate request

We will now walk through the steps required to complete the certificate request in preparation for installing the certificates.

Export and install the Intermediate Certificate

1. On the SMM-Server VM, navigate to C:\EM L19 MPKI

2. Open the RA-Certificate.p7b certificate file (This is the file that would be downloaded from the PKI portal in the previous step)

3. Navigate to the “Certificates” sub-folder.

Note: The .p7b file contains two certificates, the RA certificate (Registration Authority ###########) and an intermediate certificate. Both need to be installed on the SMM server. If the certificate request was generated on a server other than the SMM server, you would need to complete the certificate process for the RA certificate there and export that certificate to be installed on the SMM server.

4. Right-click the intermediate certificate to export it > All Tasks > Export to open the certificate export wizard.

5. Click Next

6. Leave the default DER encoded binary X.509 (.CER) file type selection and click Next

7. Browse to a file path location such as Desktop to name the file and save it, click Next

8. Click Finish to export the file.

9. Open an MMC certificates snap-in for the Local Computer, right click “Intermediate Certification Authorities” > All Tasks > Import

10. Click Next

11. Browse to the intermediate certificate location, click Next

12. Click Next after verifying the correct certificate store location (Intermediate Certification Authorities)

13. Click Finish


14. Click OK to close the certificate import wizard

Export and install the RA Certificate

Follow the steps 4 - 8 above to export the RA certificate to the desktop as a .CER file. Then complete the following:

1. Open IIS Manager: select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.

2. Select the server, and then double-click Server Certificates.

3. Click on “Complete Certificate Request” under the Action tab on the far right pane.

4. Click the ellipsis button and browse to the RA certificate that was previously exported.

5. Enter a certificate friendly name in the “Friendly name” field and click OK.

6. The certificate will now be shown in the IIS Server Certificates page.

7. Select the certificate and click the ‘Export’ link on the right hand side

8. Browse to save the file to the Desktop and give the certificate a password. The file will have a .pfx extension.

9. Install the certificate into the ‘Local Computer > Personal’ certificate store by right-clicking on the certificate store > All Tasks > Import, browse to the certificate file and enter the password.

Note: To browse to the file on your desktop you will need to change the default dropdown to search for the ‘Personal Information Exchange (*.pfx,*.p12)’ file format.

Make sure that the root certificate and the intermediate certificate are installed in the server's Trusted Root Certification Authorities and Intermediate Certification Authorities stores respectively. The certificate can be verified after importing by opening it, selecting the “Certification Path” tab and checking that the Certificate status reads “This certificate is OK.” The entire chain can be verified by clicking on each certificate in the path; each certificate's status needs to be verified.


Grant Network Service Account Access to the RA certificate

1. In the MMC certificate snap-in console under Local Computer, right-click on the installed RA certificate

2. Select All Tasks > Manage Private Keys.

3. Click Add

4. Add NETWORK SERVICE under Group or user names. Press Check Names to verify that it is spelt correctly.

5. Click OK

6. Give the “NETWORK SERVICE” account read permission
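The chain check from the previous section and the private-key permission above can also be done and re-verified from an elevated PowerShell prompt; the script also prints the thumbprint that the SMP console asks for later. This is an added example, not part of the lab. It assumes the RA certificate was given the friendly name 'SMM RA Certificate' when the request was completed in IIS, and that its key lives in a CSP (CAPI) container, which is the case for the Microsoft RSA SChannel provider chosen when the CSR was generated.

```powershell
# Added example (not from the lab). Run as Administrator.
$ra = Get-ChildItem Cert:\LocalMachine\My |
      Where-Object { $_.FriendlyName -eq 'SMM RA Certificate' } |   # assumed friendly name
      Select-Object -First 1
if (-not $ra) { throw 'RA certificate not found in Local Computer > Personal' }

# Equivalent of the "Certification Path" tab: build the chain and report each link's status
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab VM without internet; use Online in production
$built = $chain.Build($ra)
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'This certificate is OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ' }
    '{0}{1}    {2}' -f $el.Certificate.Subject, [Environment]::NewLine, $status
}
if (-not $built) { throw 'Chain does not build: check the Trusted Root and Intermediate stores' }

# Thumbprint to paste into the SMP console (upper-case hex, no spaces)
"Thumbprint: $($ra.Thumbprint)"

# Grant NETWORK SERVICE read access to the private key. For CSP keys the key material is a
# file under MachineKeys named after the unique container name; "Manage Private Keys" in the
# MMC edits the ACL of that same file.
$keyName = $ra.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyName) { throw 'Not a CSP key container (CNG keys are stored elsewhere)' }
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Re-verify: the account should now appear with Read (not FullControl) on the key file
(Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference -like '*NETWORK SERVICE*' }
```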

Activate VeriSign Integration Code

The code base installed with SMM 7.1 SP1, the current release, contains the required code to support the managed PKI integration. Due to timing with this release and the desire to implement this functionality as quickly as possible, a tool has been created to automate the required steps for its use. In this lab setting we are using a pre-release version of SMM 7.2 where the MPKI integration has been added to the console UI. The following steps outline the remaining steps to integrate this functionality in SMM 7.2.

1. In the SMP console navigate to Mobile Management > Settings > Mobile Management Server Settings.

2. Click on the Symantec MPKI tab

3. Click the “Enable VeriSign Integration” checkbox to turn integration on


4. In the Certificate snap-in console, open the Local Computer > Personal certificates store

5. Double click the previously installed RA certificate to open it.

6. Click on the Details tab

7. Using the scroll bar, find the certificate Thumbprint field

8. Copy the certificate Thumbprint value and paste it into the SMP console in the Root authority certificate thumbprint field

9. Leave the default Symantec MPKI URL set to: https://pki-ws.symauth.com/pki-ws/userManagementService

10. Click the “Save” button to save changes to configuration files.

11. VeriSign integration is activated and ready to use.

Configure SCEP Profile

1. In your browser, navigate back to the Symantec Managed PKI Portal page: https://ptnr-pki-manager.bbtest.net/pki-manager if not still open.

2. Click on the “Manage Certificate Profiles” icon.

3. Select the ‘TFE Lab’ Certificate profile previously created.


4. Select and copy the endpoint URL found under ‘Manage this profile’

E.g. http://pki-scep.symauth.com/scep/2.16.840.1.113733.1.16.1.2.3.5.1.1364019/cgi-bin/pkiclient.exe

5. Open the SMM console from the shortcut on the desktop and navigate to Home > Mobile Management

6. Select Configuration > iOS Configuration Editor. (This may take a minute to open)

7. Under the iOS Configuration column, Click on SCEP and then click on the new payload icon (yellow asterisk) in the right pane.

8. Enter a name and description for the new SCEP payload

9. Paste the certificate profile endpoint as the URL.

10. In addition, enter the following:

Enter the Subject field as CN=Authentication Certificate

Leave the challenge field blank.

Set key size to 2048.

Enable both boxes: Use as digital signature, use for key encipherment.

(See screenshot on next page)

11. Click Save Changes

12. In the console, navigate to iOS MDM Enrollment Configuration.

13. For “Cryptographic credential used for authentication” select the name of the SCEP profile just configured.

14. Save Changes.

15. Open Services and Restart the Symantec Mobile Management Agent.

16. SMM is now configured to use the Symantec PKI services for SCEP certificate enrollment
