Security Officer Configuration Guide Final v2
© 2019 Route1 Inc. Page 1 of 18
Security Officer Configuration Guide
DerivID with AirWatch EMM
Table of Contents
1. DerivID ............................................... 4
2. DerivID and AirWatch .................................. 5
3. DerivID Credential Issuance Process ................... 5
4. User Applications Explained ........................... 7
5. CryptoPath: DerivID CP ................................ 7
6. DerivID Credential Generation Process ................. 8
7. Configuration Settings Record ......................... 9
8. DerivID Example Configuration Record ................. 13
9. Application Reference ................................ 15
10. Contact Us .......................................... 18
© 2019 Route1 Inc. All rights reserved. Route1 Inc. is the owner of, or licensed user of, all copyright in this document, including all photographs, product descriptions, designs and images. No part of this document may be reproduced, transmitted or otherwise used in whole or in part or by any means without prior written consent of Route1 Inc. See https://www.route1.com/terms-of-use/ for notice of Route1's intellectual property.
Security Officer Configuration Guide
January 2019
A New Era in Secure Mobile User Identity Validation: Derived Credentials for PIV and CAC
DerivID is a patent-pending, first-of-its-kind derived PIV/CAC credentials solution that validates the identity of mobile users seamlessly, simply and securely. It exceeds NIST and DISA security standards and eliminates the need for an external card reader. Our credential issuance process guarantees the highest level of assurance.
1. DerivID
DerivID credentials provide a convenient replacement for your CAC or PIV card. The need for a physical card reader is eliminated. With DerivID Credentials you will have the same secure access to your government resources, but without the inconvenience. The end-user portion of the DerivID solution consists of two Apps on your mobile device and an enrollment application:
DerivID: The first App enables you to initially generate credentials for your device.
DerivID CP: The second App permits the establishment of a highly secure CryptoPath tunnel for accessing the government network.
DerivID Enrollment: A Windows application that is used to initially authenticate you based on your CAC or PIV card. It issues an Activation Code that permits you to generate the DerivID Credentials for your mobile device.
The capabilities of the DerivID technology are enabled through the DEFIMNET infrastructure. DEFIMNET is Route1's fully accredited universal identity management and service delivery platform that is deployed within government facilities.
2. DerivID and AirWatch
DerivID is fully integrated with the AirWatch Enterprise Mobility Management solution, providing a seamless process for the issuance of your new identification. As part of the initial enrollment of a mobile device into AirWatch, it is recommended that the DerivID and DerivID CP Apps be installed on the mobile device. That can be accomplished by providing the links to the Apps within the Google Play Store or the Apple App Store, or alternatively, Route1 can provide the required APK or IPA files. The configuration of the DerivID Credentials that will be issued to the users is performed through the AirWatch console. DEFIMNET communicates with the AirWatch Mobile-Cloud Architecture in order to orchestrate the DerivID Credential generation.
3. DerivID Credential Issuance Process
DEFIMNET Provisioning and Integration
To enable the issuance of DerivID Credentials, DEFIMNET requires interconnectivity with:
• Pertinent Agency or Federal Bridge Certificate Authorities
• Pertinent IDMS and ICAM systems
• LDAP/Active Directory services (to update the user account with the issued certificates)
• MDM/EMM systems
The integration and provisioning process is coordinated by the Route1 Customer Support Team.
One component of the provisioning involves associating your EMM system or systems with your one or more UPN suffixes. The UPN is extracted from the user's CAC or PIV Authentication certificate during the enrollment process. The suffix is used to locate the user's mobile device (identified by a UDID) in the set of associated MDM/EMM systems.
Depending on the desired topology, you will be issued a DEFIMNET Domain Key that is required to authenticate the configuration settings.
DerivID Custom Settings Record
A Configuration Settings record is created and placed within a baseline Profile that needs to be installed on the user's device as part of the initial mobile device enrollment. The Configuration Settings record defines, amongst other things, what credentials will be generated for the user.
SCEP Server Configuration
Leveraging the AirWatch Certificate Authority Integration capabilities, the DEFIMNET SCEP Proxy Service must be configured.
Certificate Authority Request Template Configuration
One element of the credential generation process involves the MDM/EMM system, as a consequence of installing certain profiles that request credentials, providing data to the mobile device that must be part of the Certificate Signing Request. Specific syntax and attributes are required; the configuration is done through a Certificate Authority Request Template (the Subject Name template given in Section 7).
The AirWatch administrator executes the following steps to place the Configuration Settings Record in the profile's Custom Settings:
1. Copy the script in Section 8; it is needed in step 10.
2. Open the AirWatch Console.
3. Go to the Devices tab.
4. Go to the Profiles and Resources tab.
5. Go to the Profiles tab.
6. Select Add Profile, or Edit on an existing profile.
7. Fill in the General section.
8. Go to Custom Settings.
9. Select Configure.
10. Paste the script from step 1 into the Custom Settings field.
11. Select Save and Publish to save the changes.
4. User Applications Explained
The process consists of a series of steps that will be explained in detail in the subsequent sections.
DerivID Enrollment
The DerivID Enrollment program authenticates your identity against the credentials on your CAC or PIV card. The DerivID Enrollment program creates an activation code used to authenticate your credentials on a mobile device through the DerivID App.
DerivID Credential Generation using the DerivID App
The DerivID App creates a set of soft credentials once an activation code from the DerivID Enrollment program is entered. These soft credentials are based on the credentials on your CAC or PIV card and can be used in all of the same applications.
Profile configuration with the DerivID CP App
Upon opening the DerivID App you will be prompted for a PIN. Once the PIN is entered, a DerivID CP configuration profile will be created based on your organization's AirWatch settings. You also have the option to create your own profiles and change the settings as needed.
5. CryptoPath: DerivID CP
DerivID CP is an enhanced VPN client that leverages the DerivID Virtual Smart Card technology of DerivID to provide a secure connection to the services provided by your organization.
6. DerivID Credential Generation Process
1. The user launches the DerivID Enrollment application.
2. The user inserts their CAC or PIV card.
3. The user enters the PIN associated with their CAC or PIV card.
4. The CAC or PIV card is registered to DEFIMNET.
5. An Activation Code is issued by the enrollment application.
6. The user enters the Activation Code in the DerivID App.
7. The DerivID App authenticates the Activation Code with DEFIMNET.
8. Once authenticated, this triggers a push of profiles to the device through the EMM.
9. The device makes a direct request for certificates to the MDM.
10. DEFIMNET obtains the certificate from the Federal Certificate Authority.
11. DEFIMNET registers the certificate in Active Directory.
12. Certificates are issued by DEFIMNET to the DerivID App.
7. Configuration Settings Record
One or more Configuration Settings Records need to be installed within the AirWatch MDM/EMM system. The Configuration Settings Record provides authentication of the configuration, associates the user devices with a DEFIMNET Domain, defines what DerivID Credentials will or may be issued, and provides additional settings. Multiple Configuration Settings Records can be created and associated with different baseline Profiles that are installed at the time of user device enrollment. This approach enables granular control over the configurations required for different groups of users or mobile devices.
The instructions for installing the Subject Name template (the Certificate Authority Request Template of Section 3) are as follows:
1. Copy the template below; it is needed in step 9. Braces mark the alternatives for an attribute: the MDM is AirWatch (or MaaS360), and the Type is the credential type being requested.
CN={UDID} [email protected]
OU=DerivID.Route1 (constant)
OU=MDM.AirWatch {MDM.MaaS360}
OU=Type.Email {Type.Authentication | Type.Offline | Type.Email-Offline | Type:Key-Encipherment}
2. Open the AirWatch Console.
3. Go to the Devices tab.
4. Go to the Certificates tab.
5. Go to the Certificate Authority tab.
6. Select Request Templates.
7. Select Add (+) at the top of the window, or Edit on an existing template.
8. Go to the Subject Name field.
9. Paste the template from step 1 into the Subject Name field.
10. Select Save to save your changes.
The Configuration Settings Record consists of a set of elements represented using JSON, as follows.
CredentialDeployment
CredentialDeployment is set to either DerivID-Container or AirWatch-SCEP; this determines how the credentials will be managed.
Credential Deployment: DerivID-Container
Credentials of this type will be managed by the DerivID app. These credentials will be accessible to any custom apps developed using the DerivID SDK. In addition, two types of credentials are treated specially: the credential of type Tunnel is used to establish the CryptoPath between the DerivID apps, and the credential of type Offline can be saved into the system keychain. Please refer to the DerivID User Manual for more detail.
Credential Deployment: AirWatch-SCEP
Credentials of this type are managed by AirWatch EMM.
defimnetDomain
The defimnetDomain establishes the parameters of the domain through the domainName and domainKey variables.
defimnetDomain: domainName
The domainName determines the name of the domain. This is abc.com in the example configuration record in Section 8 (where the object appears under the key testDomain).
defimnetDomain: domainKey
The domainKey is generated and provided by a Route1 administrator. It creates a unique identifier for the domain and is what DEFIMNET uses to authenticate the configuration settings (Section 3), so handle it as a secret: distribute it only inside the managed profile, not in tickets or e-mail.
vpnTunnel
The vpnTunnel establishes the parameters of the VPN connection through the tunnelConfig variable.
vpnTunnel: tunnelConfig
The tunnelConfig variable establishes the path for the VPN connection. Its value is an OpenVPN-style client configuration stored as a single JSON string, one directive per line with "\n" between them (see Section 8). Two directives in the example are DerivID CP's rather than OpenVPN's: Route1DCType names the credential type used for the tunnel (Tunnel; see Credential Types below), and abcProfileEditable, by its name, governs whether the user may edit the profile in DerivID CP (0 in the example).
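Because the tunnelConfig value is an OpenVPN configuration squeezed into one JSON string, mistakes in it are easy to miss when reading the record. The following is an added example (the editor's code, not Route1's) that parses the string back into directives and applies a few checks a security officer would want before publishing the profile: an unreplaced placeholder in the remote line, a non-AEAD data-channel cipher, password caching, and a missing tls-auth or tls-crypt. SAMPLE_TUNNEL_CONFIG is the tunnelConfig string from the Section 8 record; HARDENED_TUNNEL_CONFIG and its 203.0.113.10 address (a TEST-NET-3 documentation address) are invented for the example, and the checks are general OpenVPN hygiene rather than requirements Route1 publishes.

```python
"""Parse and sanity-check a DerivID CP tunnelConfig value.

Added example (editor's code, not Route1's). SAMPLE_TUNNEL_CONFIG is the
tunnelConfig string from the example record in Section 8; the checks are
general OpenVPN hygiene plus the presence of the DerivID-specific directive,
not a policy Route1 publishes. HARDENED_TUNNEL_CONFIG is an invented variant
using the TEST-NET-3 documentation address 203.0.113.10.
"""
import ipaddress
import shlex
from typing import List, Tuple

# OpenVPN data-channel ciphers that are AEAD (integrity built in). OpenVPN 2.4+
# supports AES-GCM; the CBC modes rely on a separate HMAC (--auth) for integrity.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

SAMPLE_TUNNEL_CONFIG = (
    "client\ndev tun\nfloat\nproto udp\nremote 123.678.12.456.123\n"
    "resolv-retry infinite\nkey-direction 1\nnobind\npersist-key\npersist-tun\n"
    "ca \"trust.pem\"\ntls-auth \"ta.key\" 1\nauth-user-pass\nauth-nocache\n"
    "cipher AES-256-CBC\nverb 3\nRoute1DCType Tunnel\nabcProfileEditable 0"
)
HARDENED_TUNNEL_CONFIG = SAMPLE_TUNNEL_CONFIG.replace(
    "remote 123.678.12.456.123", "remote 203.0.113.10"
).replace("cipher AES-256-CBC", "cipher AES-256-GCM")


def parse_tunnel_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split the newline-joined config into (directive, args) pairs.

    The value arrives from JSON with real newlines; quoted arguments such as
    ca "trust.pem" are handled by shlex; comments and blank lines are skipped.
    """
    out: List[Tuple[str, List[str]]] = []
    for raw in text.split("\n"):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def check_tunnel_config(text: str) -> List[str]:
    """Return findings as 'code: detail' strings; an empty list means nothing flagged."""
    directives = parse_tunnel_config(text)
    names = {name for name, _ in directives}
    findings: List[str] = []
    for name, args in directives:
        if name == "remote" and args:
            host = args[0]
            # A dotted-numeric host must be a valid IPv4 address; the example's
            # 123.678.12.456.123 is a placeholder that was never replaced.
            if host.replace(".", "").isdigit():
                try:
                    ipaddress.IPv4Address(host)
                except ValueError:
                    findings.append(f"bad-remote: {host!r} is not a valid IPv4 address")
        elif name == "cipher" and args and args[0].upper() not in AEAD_CIPHERS:
            findings.append(f"non-aead-cipher: {args[0]} relies on a separate HMAC for "
                            "integrity; prefer AES-256-GCM (OpenVPN 2.4+)")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("password-cached: auth-user-pass without auth-nocache keeps the "
                        "password in process memory for reconnects")
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no-tls-auth: control channel is not HMAC-protected; add tls-auth "
                        "or tls-crypt")
    if "Route1DCType" not in names:
        findings.append("no-dc-type: Route1DCType is missing; the example record sets it "
                        "to Tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_config(SAMPLE_TUNNEL_CONFIG):
        print(finding)
```

Run against the Section 8 string it flags the placeholder address and the CBC cipher and nothing else; the hardened variant passes clean. The DerivID CP directives parse like any other line, so a typo in Route1DCType shows up as a missing directive rather than being silently ignored.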
credentialProfiles
The credentialProfiles element lists, through one or more profileName entries, the AirWatch profiles the issued credentials are bound to, such as the VPN connection profile.
credentialProfiles: profileName
The profileName variable can be set to either DerivID-Credentials or ActivSync-Boxer; the example record in Section 8 instead lists "QA - Others" and "QA - Airwatch Inbox", i.e. the names of profiles defined in that environment's AirWatch console.
derivedCredentials
derivedCredentials is an array of credential entries, each carrying the variables below; the credentialType variable selects the kind of credential.
derivedCredentials: credentialType
The credentialType variable will differ based on the requirements of your organization; the values are those listed under Credential Types below (Authentication, Email, Offline, Tunnel, Storage, Email-Offline and Key-Encipherment).
credentialDeployment
The credentialDeployment variable can be set to either DerivID-Container or AirWatch-SCEP, depending on the requirements of your organization (see Credential Deployment above).
issuingCA
This refers to the issuing certificate authority of the credentials, which in the case of the example configuration record is ABCCO. Spell it identically in every entry; the example record mixes ABCCO and ABCco.
addToAD
addToAD is a Boolean that stands for "add to Active Directory"; it can be true or false. The example record in Section 8 uses the string "T" instead; confirm with Route1 support which form your DEFIMNET release accepts.
aDDomain
The aDDomain variable will change based on the requirements of your organization. aDDomain stands for Active Directory domain; this is the domain in which the issued certificate will be registered against the user's account (step 11 in Section 6).
addCnPrefix
The addCnPrefix variable will add the specified prefix to the common name. Your common name is based on your credentials.
addCnSufffix
The addCnSufffix variable will add the specified suffix to the common name. Your common name is based on your credentials. (The key is spelled with three f's in the example record; keep the spelling the record uses.)
addUpnPrefix
The addUpnPrefix variable will add the specified prefix to your User Principal Name, in front of the user part of the address. For example, if addUpnPrefix were set to "LT." the UPN would take the form LT.<user>@<suffix>.
addUpnSufffix
The addUpnSufffix variable will add the specified suffix to your User Principal Name, before the @ sign. For example, if addUpnSufffix were set to ".CTR" the UPN would take the form <user>.CTR@<suffix>. (As with addCnSufffix, the key is spelled with three f's in the example record.)
Credential Types
Credential Type: Authentication
The authentication certificate is used during the login process to verify your identity.
Credential Type: Email
The email certificate is used to digitally sign emails on your mobile device.
Credential Type: Offline
The offline certificate can be installed locally for use on your mobile device, even when not connected to a carrier or Wi-Fi network.
Credential Type: Tunnel
The tunnel certificate is used to create the secured CryptoPath between DerivID applications.
Credential Type: Storage
The storage certificate is used for the encryption of data at rest.
Credential Type: Email-Offline
The email-offline certificate is used to digitally sign emails on your mobile device, even when not connected to a carrier or Wi-Fi network.
Credential Type: Key-Encipherment
The key-encipherment certificate is primarily used for tasks such as email encryption.
8. DerivID Example Configuration Record
The following is an example of an AirWatch configuration script. Note three things before copying it: the domain object appears under the key testDomain where Section 7 documents defimnetDomain; addToAD is given as the string "T" where Section 7 documents a Boolean; and the remote address in tunnelConfig is a placeholder, not a routable IP address. The domainKey value is likewise a placeholder for the key Route1 issues to you.
<DerivIDCustomConfig>
{
  "testDomain": {
    "domainName": "abc.com",
    "domainKey": "XXXX-XXXX-XXXX-XXXX"
  },
  "vpnTunnel": {
    "tunnelConfig": "client\ndev tun\nfloat\nproto udp\nremote 123.678.12.456.123\nresolv-retry infinite\nkey-direction 1\nnobind\npersist-key\npersist-tun\nca \"trust.pem\"\ntls-auth \"ta.key\" 1\nauth-user-pass\nauth-nocache\ncipher AES-256-CBC\nverb 3\nRoute1DCType Tunnel\nabcProfileEditable 0"
  },
  "credentialProfiles": [
    {"profileName": "QA - Others"},
    {"profileName": "QA - Airwatch Inbox"}
  ],
  "derivedCredentials": [
    {
      "credentialType": "Authentication",
      "credentialDeployment": "AirWatch-SCEP",
      "issuingCA": "ABCCO",
      "addToAD": "T",
      "aDDomain": "abc.com",
      "addCnPrefix": ".",
      "addCnSufffix": ".",
      "addUpnPrefix": "",
      "addUpnSufffix": ".offline"
    },
    {
      "credentialType": "Email",
      "credentialDeployment": "AirWatch-SCEP",
      "issuingCA": "ABCco",
      "addToAD": "T",
      "aDDomain": "abc.com",
      "addCnPrefix": ".",
      "addCnSufffix": ".",
      "addUpnPrefix": "",
      "addUpnSufffix": ".offline"
    },
    {
      "credentialType": "Authentication",
      "credentialDeployment": "DerivID-Container",
      "issuingCA": "ABCCO",
      "addToAD": "T",
      "aDDomain": "abc.com"
    },
    {
      "credentialType": "Offline",
      "credentialDeployment": "DerivID-Container",
      "issuingCA": "ABCCO",
      "addToAD": "T",
      "aDDomain": "abc.com"
    },
    {
      "credentialType": "Email",
      "credentialDeployment": "DerivID-Container",
      "issuingCA": "ABCCO",
      "addToAD": "T",
      "aDDomain": "abc.com",
      "addCnPrefix": "",
      "addCnSufffix": "",
      "addUpnPrefix": "",
      "addUpnSufffix": ""
    },
    {
      "credentialType": "Tunnel",
      "credentialDeployment": "DerivID-Container",
      "issuingCA": "ABCCO",
      "addToAD": "T",
      "aDDomain": "abc.com",
      "addCnPrefix": "",
      "addCnSufffix": "",
      "addUpnPrefix": "",
      "addUpnSufffix": ""
    }
  ]
}
</DerivIDCustomConfig>
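Because the field rules in Section 7 and the example record above disagree in a few places (testDomain versus defimnetDomain, the string "T" versus a Boolean, ABCCO versus ABCco), it is worth checking a record mechanically before it goes into a published profile. The following is an added example (the editor's code, not Route1's) that lints a record against the documented rules, produces a copy with the mechanical problems fixed, and renders, for each AirWatch-SCEP entry, the subject name the Section 7 Subject Name template and the addCn*/addUpn* rules would yield for a given device. SAMPLE_RECORD is a cut-down copy of the record above; the UDID and UPN passed in are invented; the address attribute that the page's template places after CN is not legible in this copy of the guide and is left out; and the assumption that addCnPrefix/addCnSufffix wrap the CN={UDID} value is the editor's.

```python
"""Lint a DerivID Configuration Settings Record and render the SCEP subject
names it implies.

Added example (editor's code, not Route1's). The rules encode the field
descriptions and the Subject Name template in Section 7; SAMPLE_RECORD is a
cut-down copy of the Section 8 example. The UDID and UPN handed to
scep_subjects() are invented. The address attribute after CN in the page's
template is not legible in this copy of the guide and is omitted.
"""
import json
import re
from typing import Dict, List

CREDENTIAL_TYPES = {"Authentication", "Email", "Offline", "Tunnel", "Storage",
                    "Email-Offline", "Key-Encipherment"}
DEPLOYMENTS = {"DerivID-Container", "AirWatch-SCEP"}
# Types the Subject Name template enumerates for OU=Type.<x>.
TEMPLATE_TYPES = {"Email", "Authentication", "Offline", "Email-Offline", "Key-Encipherment"}

SAMPLE_RECORD = """<DerivIDCustomConfig>
{
  "testDomain": {"domainName": "abc.com", "domainKey": "XXXX-XXXX-XXXX-XXXX"},
  "vpnTunnel": {"tunnelConfig": "client\\ndev tun\\nRoute1DCType Tunnel"},
  "credentialProfiles": [{"profileName": "QA - Others"}],
  "derivedCredentials": [
    {"credentialType": "Authentication", "credentialDeployment": "AirWatch-SCEP",
     "issuingCA": "ABCCO", "addToAD": "T", "aDDomain": "abc.com", "addCnPrefix": ".",
     "addCnSufffix": ".", "addUpnPrefix": "", "addUpnSufffix": ".offline"},
    {"credentialType": "Email", "credentialDeployment": "AirWatch-SCEP",
     "issuingCA": "ABCco", "addToAD": "T", "aDDomain": "abc.com", "addCnPrefix": ".",
     "addCnSufffix": ".", "addUpnPrefix": "", "addUpnSufffix": ".offline"},
    {"credentialType": "Tunnel", "credentialDeployment": "DerivID-Container",
     "issuingCA": "ABCCO", "addToAD": "T", "aDDomain": "abc.com"}
  ]
}
</DerivIDCustomConfig>"""


def strip_wrapper(text: str) -> str:
    """Drop the <DerivIDCustomConfig> tags that wrap the JSON in AirWatch Custom Settings."""
    m = re.search(r"<DerivIDCustomConfig>(.*)</DerivIDCustomConfig>", text, re.S)
    return m.group(1) if m else text


def lint_record(text: str) -> List[str]:
    """Return findings as 'code: detail' strings; an empty list means clean."""
    rec = json.loads(strip_wrapper(text))
    findings: List[str] = []
    if "defimnetDomain" not in rec:
        findings.append("domain-key-name: Section 7 names the domain object defimnetDomain; "
                        f"record has {sorted(k for k in rec if k.endswith('Domain'))}")
    domain = rec.get("defimnetDomain") or rec.get("testDomain") or {}
    if re.fullmatch(r"X{4}(-X{4}){3}", str(domain.get("domainKey", ""))):
        findings.append("placeholder-domain-key: domainKey is still XXXX-XXXX-XXXX-XXXX")
    creds = rec.get("derivedCredentials", [])
    for i, c in enumerate(creds):
        where = f"derivedCredentials[{i}]"
        if c.get("credentialType") not in CREDENTIAL_TYPES:
            findings.append(f"bad-type: {where} credentialType={c.get('credentialType')!r}")
        if c.get("credentialDeployment") not in DEPLOYMENTS:
            findings.append(f"bad-deployment: {where} {c.get('credentialDeployment')!r}")
        if not isinstance(c.get("addToAD"), bool):
            findings.append(f"addToAD-not-bool: {where} addToAD={c.get('addToAD')!r}; "
                            "Section 7 documents a Boolean")
    cas = {c.get("issuingCA", "") for c in creds}
    if len({x.lower() for x in cas}) < len(cas):
        findings.append("issuingCA-case: spelled inconsistently: " + ", ".join(sorted(cas)))
    return findings


def corrected_copy(text: str) -> str:
    """Fix the two mechanical problems (key name, "T"/"F" strings) and return JSON.
    The placeholder domainKey and the CA spelling need a human decision, so they stay."""
    rec = json.loads(strip_wrapper(text))
    if "defimnetDomain" not in rec and "testDomain" in rec:
        rec["defimnetDomain"] = rec.pop("testDomain")
    for c in rec.get("derivedCredentials", []):
        if c.get("addToAD") in ("T", "F"):
            c["addToAD"] = c["addToAD"] == "T"
    return json.dumps(rec, indent=2)


def scep_subjects(text: str, udid: str, upn: str, mdm: str = "AirWatch") -> List[Dict[str, str]]:
    """For each AirWatch-SCEP entry, render the Section 7 Subject Name template
    and the UPN after addUpnPrefix/addUpnSufffix (keys spelled as in the record).
    Assumption: addCnPrefix/addCnSufffix wrap the CN={UDID} value."""
    user, _, suffix = upn.partition("@")
    out: List[Dict[str, str]] = []
    for c in json.loads(strip_wrapper(text)).get("derivedCredentials", []):
        if c.get("credentialDeployment") != "AirWatch-SCEP":
            continue
        ctype = c["credentialType"]
        if ctype not in TEMPLATE_TYPES:
            raise ValueError(f"{ctype} is not a type the Subject Name template lists")
        cn = f"{c.get('addCnPrefix', '')}{udid}{c.get('addCnSufffix', '')}"
        out.append({
            "credentialType": ctype,
            "subject": f"CN={cn}, OU=DerivID.Route1, OU=MDM.{mdm}, OU=Type.{ctype}",
            "upn": f"{c.get('addUpnPrefix', '')}{user}{c.get('addUpnSufffix', '')}@{suffix}",
        })
    return out
```

On the sample, lint_record reports the renamed domain object, the placeholder key, three non-Boolean addToAD values and the ABCCO/ABCco mismatch; after corrected_copy only the two findings that need an agency decision remain. Rendering the subjects makes the effect of the "." prefix and suffix values in the example visible (the CN becomes .<UDID>.), which is the kind of thing to settle with Route1 support before the first device enrolls.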
9. Application Reference
DerivID Enrollment
About Button
Clicking the "About" button will bring up the DerivID IP notice, copyright information and support team contact information.
Login Button
Clicking the "Login" button will authenticate the entered PIN against the CAC or PIV card inserted in the computer.
Help Button
Selecting the "Help" button will give the option to use Chrome or Internet to view the www.route1.com/support.html page.
Exit Button
Clicking the "Exit" button closes the application.
DerivID
Plus Button (+)
Clicking the "+" symbol displays the Activation Code text box. Entering a random value into Activation Code displays "Activation code invalid". Adding the correct activation code displays "generating management credential" followed by the "generating derived credential" message. Pressing "+" after credentials are already present displays "Credentials exist".
Question Mark Button (?)
Pressing the "?" button brings you to the Route1 support website.
Logout Button
Selecting the "Logout" button brings the device back to the DerivID PIN prompt.
Delete All Credentials Button
Pressing the "Delete all credentials" button when no certificates are present will display the message "Nothing to delete". With certificates present, the message "Are you sure you want to delete all credentials" is displayed. Pressing "OK" immediately deletes all credentials in DerivID. Cancelling exits the dialogue box and no certificates are deleted.
Three Dots Button (...)
Pressing the "..." button and selecting "About" displays the EULA.
DerivID CP
Profile Tab
The VPN profile is downloaded and listed under the "Profiles" tab. When the profile is clicked, "Retrieve Credential" is displayed and you must enter the PIN you set in DerivID. A connection through the VPN should then be initiated and established. Clicking the icon to the right of the name of the profile and then clicking the three dots in the top right will display two options, "Remove VPN" and "Duplicate VPN".
Settings Tab
Allows you to change the application and VPN behavior.
About Tab
Clicking the About tab displays the DerivID CP version and copyright information. The source code license information for programs used with DerivID CP is also listed.
Full Licenses Button
Pressing the "Full Licenses" button will display all the license information for all programs being used.
Three Dots Button (...)
When the "..." button is clicked, the buttons "Show log window" and "Help" will appear.
Help Button
Selecting the "Help" button will give the option to use Chrome or Internet to view the www.route1.com/support.html page.
Show Log Window Button
Selecting the "Show log window" button will display the log information for the VPN connection that was made. Clicking the "..." again will display the options "Clear log", "Send log file" and "Disconnect VPN".
Clear Log Button
Selecting the "Clear log" button will erase the contents of the specified log file.
Send Log File Button
Selecting the "Send log file" button will display an application selection window for the file to be sent with. This can include messaging and emailing applications, as an example. Since the log describes the VPN session, send it only to the support channel your agency has designated.
Disconnect VPN Button
Selecting the "Disconnect VPN" button will bring up a disconnect confirmation window, where you will be asked if you would like to disconnect from the VPN or cancel the connection attempt.
10. Contact Us
Canada:
8 King St. East, Suite 600, Toronto, Ontario M5C 1B5
Telephone: +1 416-848-8391
Toll Free: +1 866-286-7330
Sales Inquiries: [email protected]
+1 866-371-1780
+1 416-814-2608
USA:
951 Broken Sound Parkway NW, Suite 108, Boca Raton, Florida 33487
Telephone: +1 866-286-7330
9962 Brook Road, Suite 607, Glen Allen, Virginia 23059
Telephone: +1 703-919-1353
Network Operations Support: [email protected]
+1 866-371-1781
+1 416-804-6760