Setting up a cluster of Certificate Integration modules enabled with distributed certificate caching
The Certificate Integration module supports a cluster mode that allows administrators to group multiple Cloud Extender® Certificate Integration modules into a single group or cluster to enhance the current caching capabilities of Cloud Extender.
When an administrator configures a certificate template from the Cloud Extender Configuration Tool that specifies how a certificate is issued to a device, that certificate template is automatically synchronized between all the Cloud Extender Certificate Integration modules that are members of the cluster. This reduces the load on the Certificate Authority server and prevents the reissuing of certificates if the user switches policies on a device. Administrators no longer need to manually apply certificate templates to each Cloud Extender Certificate Integration module that is a member of the cluster. All Cloud Extender Certificate Integration modules in the cluster can also access cached certificates that are stored on the MaaS360® Portal in an encrypted format, instead of using a shared network drive to access those certificates.
Requirements
- IBM® MaaS360 platform release 10.89 or later, Cloud Extender Certificate Integration module 3.000.100 or later, Cloud Extender agent 3.000.100 or later, and Cloud Extender Configuration Tool 3.000.100 or later
- Microsoft .NET Framework 4.5 or later
Supported devices
- Android
- iOS
About this feature
- The administrator can create a Cloud Extender cluster from any Cloud Extender enabled with the Certificate Integration setting in their environment.
- For this process, MaaS360 generates a cluster certificate. This certificate shares data securely across the Cloud Extender Certificate Integration modules in the cluster.
- The administrator can export the certificate from the first Cloud Extender that is set up in the cluster and then import this certificate to other Cloud Extenders that join the cluster.
- All the Cloud Extenders should be members of the cluster.
- The synchronization of certificate templates is automatically enabled after the cluster is created with multiple Cloud Extenders.
- The administrator can enable certificate caching globally in the Cloud Extender Configuration Tool and apply this setting across all certificate templates.
- Certificates are encrypted on the MaaS360 platform and can be decrypted only on a Cloud Extender.
- This feature supports the IBM MaaS360 platform only as an encrypted cache store. Support for other types of encrypted cache stores will be added in future MaaS360 releases.
Procedure
1. Open the Cloud Extender Configuration Tool and select Certificate Integration.
2. From the configuration screen, click Create (if this is the first Cloud Extender in the cluster), enter the name of the cluster (non-editable), and then click OK.
3. After the cluster is successfully created, Cloud Extender generates a certificate (p12 format) that you can use if you want to set up multiple servers for load balancing scenarios. Click Export Certificate to store the certificate file for future use. (Make sure that you also make a backup copy of the certificate file on your local system just in case the original file goes missing or becomes corrupted.)
4. From the configuration screen, click Settings and enable the caching of the certificates in the IBM MaaS360 Portal.
5. Install the Cloud Extender Certificate Integration module on other servers in the cluster.
6. From the configuration screen, click Join to join these servers to the cluster.
7. From the Join Cluster screen, import the certificate file (p12 format) that you exported from the original Cloud Extender in the cluster in step 3 and then join this server to the cluster.
8. Repeat steps 4 - 6 for the other servers in the cluster. All members of the cluster use the same cluster name. The IBM MaaS360 Portal handles the synchronization of the certificate templates between the servers in the cluster.

Note: Manually re-import Symantec certificates, the RA Certificate PEM file, and the RA Certificate Key file into Cloud Extender after the server joins the cluster. The template synchronization in the IBM MaaS360 Portal does not import these files. For user certificates, you must update the MDM service account after the template synchronization.
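Before importing the exported cluster certificate on the other servers, it is worth confirming that the p12 file still loads, carries its private key, has not expired, and that the backup copy is byte-identical to the original. The following PowerShell pre-flight check is an added example, not IBM's or MaaS360's code; the file paths, the password prompt, and the function names are assumptions for illustration, and the .NET Framework check uses the well-known `Release` registry value (378389 is the 4.5 RTM value).

```powershell
# Added example: pre-flight checks for a Cloud Extender cluster certificate (p12) and its backup.
# Paths below are placeholders; replace them with the locations you exported to in step 3.
$PfxPath    = 'C:\ClusterCert\cloudextender-cluster.p12'   # placeholder
$BackupPath = 'D:\Backup\cloudextender-cluster.p12'        # placeholder

function Test-DotNet45OrLater {
    # .NET Framework 4.5 and later write a 'Release' DWORD under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    return ($null -ne $release) -and ($release -ge 378389)
}

function Test-ClusterCertificateFile {
    param([string]$Path, [System.Security.SecureString]$Password)
    # Load the PKCS#12 file in memory only; nothing is written to a certificate store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $now   = Get-Date
    return [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey          # required: members must share the key, not just the public part
        NotAfter      = $cert.NotAfter
        IsValidNow    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    }
}

function Test-BackupMatchesOriginal {
    param([string]$Original, [string]$Backup)
    # A corrupted or truncated backup shows up as a SHA-256 mismatch.
    $a = (Get-FileHash -Path $Original -Algorithm SHA256).Hash
    $b = (Get-FileHash -Path $Backup   -Algorithm SHA256).Hash
    return $a -eq $b
}

# Run the checks and print a summary; the password is read interactively, never stored in the script.
$pwd    = Read-Host -Prompt 'Password of the exported cluster certificate' -AsSecureString
$dotnet = Test-DotNet45OrLater
$info   = Test-ClusterCertificateFile -Path $PfxPath -Password $pwd
$backup = Test-BackupMatchesOriginal -Original $PfxPath -Backup $BackupPath

"{0,-28}{1}" -f '.NET Framework 4.5+:',  $dotnet
"{0,-28}{1}" -f 'Thumbprint:',           $info.Thumbprint
"{0,-28}{1}" -f 'Private key present:',  $info.HasPrivateKey
"{0,-28}{1}" -f 'Valid now (expires):',  "$($info.IsValidNow) ($($info.NotAfter))"
"{0,-28}{1}" -f 'Backup matches:',       $backup
if (-not ($dotnet -and $info.HasPrivateKey -and $info.IsValidNow -and $backup)) {
    Write-Warning 'One or more checks failed; fix them before joining this server to the cluster.'
}
```

Run it on each server that will join the cluster, after copying the p12 file there and before clicking Join.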
What to do next: Follow the steps in the topic at Cloud Extender Certificate Integration configuration.