Multitenancy Setup for the Self Service Portal, SSP

This page has not been liked. Updated 10/15/13, 3:40 PM by Dan_IBMTags:


When setting up a multitenant environment with a Self Service Portal, or SSP, the SSP must be manually configured. The Trusted Service Provider, or TSP, must also be manually configured to allow communication to the SSP.


The multitenancy installation process is the same as with a regular SSP deployment. From this point on, the rest of the configuration steps are completed outside of content. This configuration is completed using a command-line utility located in “<program files>\BigFix Enterprise\Management Extender\MDM Provider\utils\ssp.bat”. Open a command prompt with administrator privileges to the “MDM Provider\utils” folder to perform any of the following configuration steps.

Note: Any text in monospace font indicates a command to run on this command line. The iOS extender should not have to be restarted before/after these commands.


Turning on multitenant mode

You must set your MDM deployment to “multi-tenant” mode. To do this, use the following steps:
  1. Launch the Tivoli Endpoint Manage Administration Tool.
  2. Click Advanced Options.
  3. Add an advanced option mdmAppsUsePrivate with a value of “1”.
  4. Set the server to “multitenant mode” for the rest of multitenancy to work:

    ssp.bat config multitenant true


Configuring SSL Certificates and Hostname

If the SSP was installed on a computer that does not also include a Management Extender, you may need to configure the SSP's SSL certificate. The installation process might have provided an incorrect default hostname / DNS name.

NOTE: You must stop the service to run these commands.

To change the hostname of the SSP and create new SSL certs to match this hostname, run the following command (replacing with the actual hostname you want to use):

ssp.bat recreate_certs

If you are using officially signed SSL certificates, rename the SSL private key as "ssl_key.pem", the certificate should be named "ssl_cert.pem", and if you have an intermediate certificate bundle, it should be named "ssl_bundle.pem". After putting these files in place, you must run the following command:

ssp.bat recreate_keystore

Adding an Enrollment Tag

Adding an enrollment tag is equivalent to adding a customer / tenant to this extender. This process requires specifying three values: the tag ID, the URL tag, and the tag display name / organization name.

ssp.bat tag_init <tag id> <url tag> <organization name>

The tag ID value is the value that is meaningful to your organization, and is the value that the device will later report as its “enrollment tag”. The URL tag corresponds to enrollment URL that maps to this tag.
ssp.bat tag_init "12" "foo" "Foo, Inc"
ssp.bat tag_init "24" "blah" "Blah Corporation"
This creates two tags with IDs "12" and "24", which are mapped to by external URLs "/ssp/c/foo" and "/ssp/c/blah". These tags perform the following actions:
  • Creates a directory "MDM Provider\tags\<tag id>" to store tag-specific files
  • Configures the main config.yaml to be aware of the new enrollment tag

NOTE: The Enrollment Tags created here must match the Enrollment Tags created on the Management Extender when you set up the Extender for Multitenancy.

Various Enrollment Tag Specific URLs

The URL tag is the means by which the enrollment server decides which configuration to assume your management extender is at URL "".


Removing an enrollment tag

To remove an enrollment tag, run the following command:

ssp.bat tag_remove <tag id>

Note: This will delete this tag's folder under the "tags" directory and removes its configuration.

Configuring Authenticated Enrollment

There are two different options when configuring authenticated enrollment as a step up from basic mode: LDAP or SAML. LDAP authentication is identical to what has been supported by the TSP since MDM 1.1 and can be run in either "password" or "pin" mode.

Configuring SSP for LDAP / TSP authentication:


You must first configure the SSP to require authentication, and then point it to the TSP which will perform the authentication.

ssp.bat tag_config 12 auth_type LDAP
ssp.bat tag_config 12 tsp_host
If the TSP is not unique per customer, there does not need to be a specific TSP configuration for this tag. It will inherit it from the master config.yaml setting.
ssp.bat tag_config 12 auth_header_text "Enter your email address and your password"
ssp.bat tag_config 12 auth_user_label "Email"
ssp.bat tag_config 12 auth_pass_label "Password"

SAML Authentication

See the SAML Authentication page for more details about configuring the SSP for SAML authentication. Note that SAML Authentication may be used in single tenant environments and any config commands used during SAML Authentication will, by default, apply to the entire enrollment server. This may not be the desired behavior in a multitenancy environment.

When configuring the SSP for SAML authentication in a multitenancy environment change any config commands into tag_config commands so they apply to specific enrollment tags only and do not apply to the entire enrollment server. The Tag ID must be included after the tag_config command, for example:

ssp.bat config auth_type SAML

would become:

ssp.bat tag_config foo auth_type SAML

where foo is the Tag ID.

In addition, when setting up SAML Authentication in a multitenant environment, note the use of the auth_enrollment_tag_attribute. This attribute is discussed in greater detail within the SAML Authentication documentation.

Configuring the TSP

Communication from the IBM Endpoint Manager server and WebReports to the SSP passes through the TSP. The TSP must have these credentials manually configured. Run the following commands replacing the examples in brackets < >.

 tsp.bat config tem_server <>
 tsp.bat config tem_user <username>
 tsp.bat config tem_pass <password>
 tsp.bat config wr_path "<>"
 tsp.bat config wr_user <username>
 tsp.bat config wr_pass <password>

Finally, you need to configure the SAML cert fingerprint for each of the enrollment tags that you want the TSP to recognize for SAML authorization.

 tsp.bat saml_cert set "<enrollment tag>" "<saml certificate file or fingerprint>"

The fingerprint can be found using the openssl tool:

openssl x509 -in your-cert.pem -fingerprint -sha1

NOTE: The fingerprint entered here must match the one entered during SAML configuration exactly: SAML Authentication


Accessing a Multitenant SSP

A multitenant SSP can be accessed at the following URL, substituting the appropriate values for <domain> and <tag>: