Multitenancy Setup for the Self Service Portal, SSP
When setting up a multitenant environment with a Self Service Portal, or SSP, the SSP must be manually configured. The Trusted Service Provider, or TSP, must also be manually configured to allow communication to the SSP.
The multitenancy installation process is the same as with a regular SSP deployment. From this point on, the rest of the configuration steps are completed outside of content. This configuration is completed using a command-line utility located in “<program files>\BigFix Enterprise\Management Extender\MDM Provider\utils\ssp.bat”. Open a command prompt with administrator privileges to the “MDM Provider\utils” folder to perform any of the following configuration steps.
Note: Any text in monospace font indicates a command to run on this command line. The iOS extender should not have to be restarted before/after these commands.
Turning on multitenant mode
- Launch the Tivoli Endpoint Manager Administration Tool.
- Click Advanced Options.
- Add an advanced option mdmAppsUsePrivate with a value of “1”.
Set the server to “multitenant mode” for the rest of multitenancy to work:
ssp.bat config multitenant true
Configuring SSL Certificates and Hostname
If the SSP was installed on a computer that does not also include a Management Extender, you may need to configure the SSP's SSL certificate. The installation process might have provided an incorrect default hostname / DNS name.
NOTE: You must stop the service to run these commands.
To change the hostname of the SSP and create new SSL certs to match this hostname, run the following command (replacing mdm.company.com with the actual hostname you want to use):
ssp.bat recreate_certs mdm.company.com
If you are using officially signed SSL certificates, rename the SSL private key as "ssl_key.pem", the certificate should be named "ssl_cert.pem", and if you have an intermediate certificate bundle, it should be named "ssl_bundle.pem". After putting these files in place, you must run the following command:
Adding an Enrollment Tag
Adding an enrollment tag is equivalent to adding a customer / tenant to this extender. This process requires specifying three values: the tag ID, the URL tag, and the tag display name / organization name.
ssp.bat tag_init <tag id> <url tag> <organization name>
This command:
- Creates a directory "MDM Provider\tags\<tag id>" to store tag-specific files
- Configures the main config.yaml to be aware of the new enrollment tag
NOTE: The Enrollment Tags created here must match the Enrollment Tags created on the Management Extender when you set up the Extender for Multitenancy.
Various Enrollment Tag Specific URLs
The URL tag is the means by which the enrollment server decides which tag-specific configuration to use. Assume your management extender is at the URL "mdm.company.com".
Removing an enrollment tag
To remove an enrollment tag, run the following command:
ssp.bat tag_remove <tag id>
Note: This will delete this tag's folder under the "tags" directory and removes its configuration.
Configuring Authenticated Enrollment
There are two different options when configuring authenticated enrollment as a step up from basic mode: LDAP or SAML. LDAP authentication is identical to what has been supported by the TSP since MDM 1.1 and can be run in either "password" or "pin" mode.
Configuring SSP for LDAP / TSP authentication:
See the SAML Authentication page for more details about configuring the SSP for SAML authentication. Note that SAML Authentication may be used in single tenant environments and any config commands used during SAML Authentication will, by default, apply to the entire enrollment server. This may not be the desired behavior in a multitenancy environment.
When configuring the SSP for SAML authentication in a multitenancy environment, change any config command into a tag_config command so that it applies only to a specific enrollment tag and not to the entire enrollment server. The Tag ID is given immediately after tag_config. For example, instead of:
ssp.bat config auth_type SAML
run:
ssp.bat tag_config foo auth_type SAML
where foo is the Tag ID.
In addition, when setting up SAML Authentication in a multitenant environment, note the use of the auth_enrollment_tag_attribute. This attribute is discussed in greater detail within the SAML Authentication documentation.
Configuring the TSP
Communication from the IBM Endpoint Manager server and WebReports to the SSP passes through the TSP. The TSP must have these credentials manually configured. Run the following commands, replacing the placeholders in angle brackets < > with your own values.
tsp.bat config tem_server <hostname.domain.com>
tsp.bat config tem_user <username>
tsp.bat config tem_pass <password>
tsp.bat config wr_path "<http://hostname.domain.com>"
tsp.bat config wr_user <username>
tsp.bat config wr_pass <password>
Finally, you need to configure the SAML cert fingerprint for each of the enrollment tags that you want the TSP to recognize for SAML authorization.
tsp.bat saml_cert set "<enrollment tag>" "<saml certificate file or fingerprint>"
The fingerprint can be found using the openssl tool:
openssl x509 -in your-cert.pem -noout -fingerprint -sha1
NOTE: The fingerprint entered here must exactly match the one entered during SAML configuration (see the SAML Authentication page).
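Because the TSP only accepts a SAML assertion when the configured fingerprint matches the certificate's SHA-1 fingerprint exactly, it is worth checking the value you are about to enter against the certificate file itself rather than eyeballing it. The following is an added example, not part of the IBM documentation or the ssp.bat/tsp.bat tooling: it computes the same colon-separated SHA-1 fingerprint that the openssl command above prints, and compares it with a fingerprint an operator has typed in any of the usual forms (the full "SHA1 Fingerprint=" line, bare colon-separated hex, or 40 lower-case hex digits without separators). The PEM block it uses is constructed so that it decodes to the bytes "abc"; it is not a real certificate, and a real exported SAML signing certificate in PEM form would be used in its place.

```python
import base64
import hashlib
import re

# Constructed stand-in for an exported SAML signing certificate. The base64
# body decodes to the bytes b"abc", so its SHA-1 "fingerprint" is simply the
# well-known SHA-1 of "abc". A real PEM certificate has the same outer shape.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the PEM armour lines and decode it to DER."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem: str) -> str:
    """Return the SHA-1 fingerprint in openssl's colon-separated uppercase form.

    This is the value `openssl x509 -in cert.pem -noout -fingerprint -sha1`
    prints after "SHA1 Fingerprint=": the SHA-1 digest of the DER encoding.
    """
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Canonicalize a fingerprint typed or pasted by an operator.

    Accepts openssl's "SHA1 Fingerprint=AA:BB:..." output line, bare
    colon-separated hex in either case, or 40 hex digits with no separators,
    and returns the colon-separated uppercase form used by sha1_fingerprint().
    """
    value = value.strip()
    if "=" in value:  # strip a "SHA1 Fingerprint=" style prefix
        value = value.split("=", 1)[1]
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexdigits) != 40:
        raise ValueError(
            f"expected 40 hex digits for a SHA-1 fingerprint, got {len(hexdigits)}"
        )
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def fingerprints_match(pem: str, configured: str) -> bool:
    """True if the configured fingerprint is the one the certificate actually carries."""
    return sha1_fingerprint(pem) == normalize_fingerprint(configured)


if __name__ == "__main__":
    print("certificate fingerprint:", sha1_fingerprint(SAMPLE_CERT_PEM))
    # An operator who pasted the openssl output line verbatim and one who
    # lower-cased it and dropped the colons both configured the same value.
    for typed in (
        "SHA1 Fingerprint=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D",
        "a9993e364706816aba3e25717850c26c9cd0d89d",
    ):
        print(repr(typed), "->", fingerprints_match(SAMPLE_CERT_PEM, typed))
```

Run this against the certificate file before calling tsp.bat saml_cert set and again against the value recorded on the SAML Authentication side; a False result means one of the two entries will be rejected at enrollment time even though the two strings may look alike.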
Accessing a Multitenant SSP
A multitenant SSP can be accessed at the following URL, substituting the appropriate values for <domain> and <tag>: