MobileIron Tunnel v1.0.1
update requirements
Tech Series
6/17/2014
Written by Ulrik Van Schepdael – Mobco bvba
www.mobco.be
1. Table of contents
1. Table of contents ..... 2
2. Overview ..... 3
3. Guide ..... 3
4. Additional resources ..... 6
Mobco bvba
Kerkberg 5
1700 DILBEEK
VAT 0830714829
Represented by Ulrik Van Schepdael
[email protected]
+32 475 515102
2. Overview
The MobileIron Tunnel v1.0.1 for iOS 7 app adds another layer of security by authenticating
the Standalone Sentry.
If you are using a self-signed or an untrusted certificate for the Standalone Sentry, that
certificate must also be pushed to the device in order for Tunnel v1.0.1 for iOS 7 to
authenticate the Standalone Sentry and establish a per-app VPN session. If the certificate is
changed, you must push the changed certificate to the device as well; otherwise there may be a
disruption in service.
3. Guide
How to Push the Standalone Sentry Certificate to the Device:
1. Enter the following command from the command prompt on your computer to view the
Standalone Sentry certificate chain:
openssl s_client -prexit -connect <StandaloneSentryFQDN>:443 -showcerts
2. Copy the second certificate in the certificate chain, including the lines containing
"BEGIN CERTIFICATE" and "END CERTIFICATE". This is the section just before the "Server
certificate" section of the output.
Example:
openssl s_client -connect tunnelsentry.mobco.be:443 -prexit -showcerts
CONNECTED(00000003)
depth=1 /C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=ActiveSyncProxyCA/emailAddress=[email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
32165:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=tunnelsentry.mobco.be/emailAddress=[email protected]
   i:/C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=ActiveSyncProxyCA/emailAddress=[email protected]
-----BEGIN CERTIFICATE-----
MIIDwjCCAqoCCQDVreJF+3V37TANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTETMBEG
A1UEChMKTW9iaWxlSXJvbjEQMA4GA1UECxMHU3VwcG9ydDEaMBgGA1UEAxMRQWN0
aXZlU3luY1Byb3h5Q0ExJTAjBgkqhkiG9w0BCQEWFnN1cHBvcnRAbW9iaWxlaXJv
bi5jb20wHhcNMTQwNDE2MDkxODE3WhcNNDQwNDA4MDkxODE3WjCBpDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTET
MBEGA1UEChMKTW9iaWxlSXJvbjEQMA4GA1UECxMHU3VwcG9ydDEeMBwGA1UEAxMV
[remainder of certificate 0 omitted]
-----END CERTIFICATE-----
 1 s:/C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=ActiveSyncProxyCA/emailAddress=[email protected]
   i:/C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=ActiveSyncProxyCA/emailAddress=[email protected]
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIJANsu81dMt8NcMA0GCSqGSIb3DQEBBQUAMIGgMQswCQYD
[remainder of certificate 1 omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=tunnelsentry.mobco.be/emailAddress=[email protected]
issuer=/C=US/ST=California/L=Sunnyvale/O=MobileIron/OU=Support/CN=ActiveSyncProxyCA/emailAddress=[email protected]
---
Acceptable client certificate CA names
/CN=Demo Local CA
---
SSL handshake has read 2343 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 53A0185333197C661EBFBC8E1DC21D256B6A41046BE06876A046F1BA7A86FAC8
    Session-ID-ctx:
    Master-Key: C71F69FB1CC00782FAC58BF83CB616347942338F5D54A25EFE5B66D2D6910539F7D0959605EDAB541F383172A86A02D1
    Key-Arg   : None
    Start Time: 1402996866
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
3. Paste it into a text program like Notepad, and save it with a .pem extension.
4. Upload the .pem file to the VSP. (Admin Portal > Policies & Configs > Configurations > Add
New > Certificates). In the Certificate setting, leave the password fields blank.
5. Apply the certificate setting to a label containing the desired set of devices. The
certificate is then pushed to the device at the next sync.
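The manual copy in steps 1 to 3 can be scripted. The following is an added example (not part of the Mobco note or of MobileIron's tooling) that cuts chain entry 1 out of `openssl s_client -showcerts` output and, when run against a live Sentry, uses `openssl verify` to confirm that the saved certificate really issued the server certificate before the .pem is uploaded. It assumes `openssl` is on PATH and that the Sentry sends its chain leaf-first, as in the example output above; the `SAMPLE_CHAIN` text and the hostname `tunnelsentry.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Mobco note or MobileIron's own tooling. It automates
# step 2 of the guide: cut chain entry 1 (the certificate that issued the Sentry's
# server certificate) out of `openssl s_client -showcerts` output and confirm it is
# the issuer before the .pem is uploaded to the VSP.
# Assumes: openssl on PATH; the Sentry sends its chain leaf-first, as in the guide.

# Print the N-th PEM block (0-based, the numbering s_client prints) from s_client
# output read on stdin. The BEGIN/END lines are included, as step 2 requires.
extract_chain_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock && idx == want        { print }
        /-----END CERTIFICATE-----/   { if (inblock) idx++; inblock = 0 }
    '
}

# Connect to the Sentry, save chain entry 1 to $2 (default sentry-ca.pem) and check
# with openssl verify that it signed chain entry 0, the server certificate.
fetch_sentry_ca() {
    host="$1"; out="${2:-sentry-ca.pem}"
    # </dev/null closes stdin so s_client exits right after the handshake.
    chain="$(openssl s_client -connect "$host:443" -showcerts </dev/null 2>/dev/null)"
    printf '%s\n' "$chain" | extract_chain_cert 1 > "$out"
    [ -s "$out" ] || { echo "$host sent no second chain entry" >&2; return 1; }
    printf '%s\n' "$chain" | extract_chain_cert 0 > "$out.leaf"
    # -partial_chain lets an intermediate CA serve as trust anchor, not only a root.
    openssl verify -partial_chain -CAfile "$out" "$out.leaf" >/dev/null \
        && echo "saved issuer certificate of $host to $out"
}

# Constructed sample of s_client output (placeholder bodies, not real certificates)
# so the extraction can be exercised offline.
SAMPLE_CHAIN='Certificate chain
 0 s:/CN=tunnelsentry.example.test
   i:/CN=Constructed Sentry CA
-----BEGIN CERTIFICATE-----
LEAFBODYLINE1
LEAFBODYLINE2
-----END CERTIFICATE-----
 1 s:/CN=Constructed Sentry CA
   i:/CN=Constructed Sentry CA
-----BEGIN CERTIFICATE-----
CABODYLINE1
-----END CERTIFICATE-----
---
Server certificate'

printf '%s\n' "$SAMPLE_CHAIN" | extract_chain_cert 1   # the block step 3 saves as .pem
```

Against a real Sentry, `fetch_sentry_ca tunnelsentry.example.test sentry-ca.pem` writes the file that step 4 uploads; if the chain has only one entry, it reports that and writes nothing usable.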
4. Additional resources
https://mobileiron-support.force.com/customer/articles/MI_Article/Authenticating-theStandalone-Sentry-for-MobileIron-Tunnel-v101-for-iOS-7
https://support.mobileiron.com/docs/vsp/6.0.1/AdminGuideVSP60_Rev30May2014.pdf
https://support.mobileiron.com/docs/vsp/6.0.1/PerAppVPNTunnel.pdf
https://www.openssl.org/docs/apps/s_client.html