Mobile access to the Flex System Manager requires certificates signed by a Certificate Authority (CA)
IBM Flex System Manager for Android, BlackBerry, and iOS all require a secure HTTPS connection to connect to the IBM Flex System Manager and manage systems. To ensure that the connection is secure, the certificate installed on the IBM Flex System Manager must be a valid certificate for the URI that will be used to access the IBM Flex System Manager and must be signed by a separate Certificate Authority (CA); self-signed certificates are not accepted by IBM Flex System Manager for Android, BlackBerry, and iOS. In addition, there is a current issue with importing certificates that were signed by an intermediate CA instead of a root CA into the default keystore on the IBM Flex System Manager. The workaround is to create a new keystore on a separate system (with Java installed) and replace the existing keystore on the Flex System Manager with the new one. Replacing the existing keystore requires the IBM Flex System Manager to be at level 1.2.0 or higher.
Generating a Java keystore and Certificate Signing Request to submit to a CA
Java ships with a utility named keytool in its bin directory that can be used to create and edit keystore files. The first step is to create a keystore using the following command (replacing the placeholder options with the values for your keystore):
keytool -genkey -alias <keystore_alias> -keyalg <encryption_algorithm> -keystore <path_to_the_keystore_being_created> -keysize <size_of_encryption_key>
An example is:
keytool -genkey -alias Flex_Manager -keyalg RSA -keystore flexStore.jks -keysize 2048
This command prompts you to create a password for the keystore being generated. Remember this password: it is required later when replacing the keystore on the IBM Flex System Manager, and it is requested for each subsequent keytool command run against the created keystore. The command also prompts for organization and location information for the keystore, and finally for a password for the specified alias, which can be the same as or different from the keystore password. In this example the alias was “Flex_Manager” and the keystore file was “flexStore.jks”. A strong key size is recommended because some mobile operating systems restrict the key sizes they will accept.
Once a keystore has been generated, a Certificate Signing Request (CSR) can be created from the keystore by using the following command:
keytool -certreq -alias <keystore_alias> -keystore <path_to_the_keystore> -file <path_to_the_csr_file_being_created>
An example is:
keytool -certreq -alias Flex_Manager -keystore flexStore.jks -file mydomain.csr
The generated Certificate Signing Request can be submitted to a CA to obtain a certificate signed by that CA. Send the certificate signing request file to the CA; see the CA's web site for specific instructions on requesting a new certificate. You can request either a test certificate or a production certificate from the CA. However, in a production environment, you must request a production certificate.
The next steps are to install the CA root certificate and any intermediate certificates into the keystore, and then finally to install the generated server certificate into the keystore. These certificates can be acquired from the CA used to generate the server certificate. To install the root and intermediate certificates (starting with the root certificate), run the following command:
keytool -import -trustcacerts -alias <root_certificate_alias> -file <path_to_the_root_certificate> -keystore <path_to_the_keystore>
An example is:
keytool -import -trustcacerts -alias root -file root.crt -keystore flexStore.jks
Where “root.crt” is the CA root or intermediate certificate and “flexStore.jks” is the name of the previously generated keystore. When prompted, choose to trust the certificate being installed. Run this command once for each certificate in the certificate chain.
Finally, import the server certificate returned from the CA by running the following command:
keytool -import -trustcacerts -alias <server_certificate_alias> -file <path_to_server_certificate> -keystore <path_to_the_keystore>
An example is:
keytool -import -trustcacerts -alias Flex_Manager_Server -file mydomain.crt -keystore flexStore.jks
Where the alias is the alias for the server certificate, and the file is the server certificate returned by the CA.
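The keytool steps above, gathered into a non-interactive script with a check on the result. This is an added example, not IBM's code: the hostname, passwords, DN fields and file names are assumptions, one password is used for both store and key because updcert takes a single password, and the -dname/-ext SAN options make the certificate valid for the URI used to reach the manager. The CA reply is imported under the key pair's own alias, which is what makes keytool attach it to the private key rather than store it as a separate trusted certificate.

```shell
#!/bin/sh
# Added example (not IBM's code): builds the Flex System Manager keystore
# non-interactively and checks whether the server entry is still self-signed.
# Hostname, passwords, DN fields and file names are assumptions.
set -eu

# $1 keystore path, $2 store/key password (one value, as updcert takes one),
# $3 hostname of the URI used to reach the manager (CN and SAN must match it)
gen_keystore() {
  keytool -genkeypair -alias Flex_Manager -keyalg RSA -keysize 2048 \
    -storetype JKS -keystore "$1" -storepass "$2" -keypass "$2" \
    -dname "CN=$3, O=Example Org, C=US" -ext "SAN=dns:$3" -validity 365
}

# Write the CSR for the key pair to $3 for submission to the CA.
gen_csr() {
  keytool -certreq -alias Flex_Manager -keystore "$1" -storepass "$2" -file "$3"
}

# Import a root or intermediate CA certificate ($4) as trusted entry $3.
# Run once per certificate in the chain, root first.
import_ca() {
  keytool -importcert -trustcacerts -noprompt -alias "$3" -file "$4" \
    -keystore "$1" -storepass "$2"
}

# Import the CA-signed server certificate ($3) under the key pair's alias,
# so keytool pairs it (and the chain built from the trusted CA entries)
# with the private key instead of storing it as a separate trusted entry.
import_reply() {
  keytool -importcert -trustcacerts -noprompt -alias Flex_Manager -file "$3" \
    -keystore "$1" -storepass "$2"
}

# Print the chain length of the server entry: 1 means it still holds only
# the self-signed certificate, which the mobile clients reject; 2 or more
# means the CA-signed reply and its chain are in place.
chain_length() {
  keytool -list -v -alias Flex_Manager -keystore "$1" -storepass "$2" \
    | sed -n 's/^Certificate chain length: *//p'
}
```

Run chain_length before copying the keystore to the manager: a value of 1 means the CA reply was never attached to the key and the mobile clients will still see a self-signed certificate.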
Installing the keystore into the IBM Flex System Manager
To install the keystore into the IBM Flex System Manager, follow these steps.
1. Copy the keystore file to the IBM Flex System Manager using SCP.
2. Log into the Flex System Manager using SSH.
3. Run ‘smstop’ on the IBM Flex System Manager to stop the webserver.
4. Run the updcert command to install the keystore:
updcert -I -n <password of the keystore> -f <path to the keystore file>
where the -f parameter is the location of the keystore file copied over with SCP, for example:
updcert -I -n password -f /home/USERID/flexStore.jks
5. The webserver should restart automatically; its progress can be checked using the ‘smstatus’ command.
Installation on Android
Installation of custom CA certificates on Android 2.3 is only supported on Motorola devices. Motorola allows you to install custom CA certificates through its own certificate manager (more information here: https://motorola-enterprise.custhelp.com/app/answers/detail/a_id/57093/~/android---root-certificate-management).
To use IBM Flex System Manager for Android with Android 2.3 devices from manufacturers other than Motorola, the certificate installed on the IBM Flex System Manager must be signed by one of the certificate authorities pre-installed on the Android device. Installing a certificate that is trusted by one of these pre-installed certificates should allow the Android device to connect successfully to the IBM Flex System Manager.
Starting with Android 4.0, installing CA certificates is supported by Android natively, see:
On Android 4.0 the installed certificates can be seen inside “Trusted Credentials” in the “Security” section of “Settings”.
It should now be possible to connect to IBM Flex System Manager systems that have a server certificate signed by the CA certificate installed using the IBM Flex System Manager for Android application.
If the Android device doesn't connect successfully after installation of a CA certificate, try restarting the Android device.
Installation on Blackberry
BlackBerry does not require a CA certificate to make a connection to the IBM Flex System Manager. If no certificate is on the BlackBerry device, the device prompts the user that the connection can only be made in an insecure fashion. Selecting Continue makes the connection, but does not allow validation that the connection is to the correct server.
There are two ways to get a CA certificate onto a BlackBerry device: it can be installed using BlackBerry Desktop Software or imported directly on the device.
To import the certificate using BlackBerry Desktop Software, download the certificate onto a device management system and import it into the management system via the web browser. Connect to the device using BlackBerry Desktop Software. Select “Tools -> Desktop Options”. In the dialog that displays, select the “General” tab. Put a check beside “Use certificate synchronization” and select “OK”. In the left-hand pane, select “Certificates”. Select the store the CA certificate was imported into. Put a check mark next to the certificate and select “Sync Certificates”.
To install the certificate directly, download the CA certificate to the device. Opening the file should prompt to import the certificate. Click “Import”, and then create a password for the keystore (this can be anything you want, and is used if you want to uninstall the certificate later on). Click “Okay” after setting the password and the BlackBerry should show the certificate details and a green checkmark indicating it is successfully installed.
To verify that the certificate was installed, go to “Home->Options->Security->Advanced Security->Certificates-><CA Certificate>”. It should now be possible to connect to IBM Flex System Manager systems that have a server certificate signed by the installed CA certificate using the IBM Flex System Manager for BlackBerry application, without a warning message appearing.
Installation on iOS
Acquire the CA root certificate on the iOS device through email, a website link, or another method. After tapping the link or file, iOS should automatically bring you to a screen labeled "Install Profile"; at this screen press "Install", then "Install Now". To verify that the certificate was installed, open iOS Settings and go to “General->Profiles”; the imported CA certificate should be listed. It should now be possible to connect to IBM Flex System Manager systems that have a server certificate signed by the installed CA certificate using the IBM Flex System Manager for iOS application.