Configuring a certificate template on the Cloud Extender
Configure the certificate template on the Cloud Extender®.
Procedure
- Open the Cloud Extender Configuration Tool and select the Certificate Integration module. If it is your first template, you are prompted to create a new template. If you are adding another template, select Add New Template.
- Enter the Certificate Authority Server details.
  - Template Name: The name of your template. The template name is displayed in the IBM® MaaS360® policies under various configuration sections that use identity certificates.
  - Hostname of SCEP server: The hostname of your NDES server.
  - SCEP Server challenge type: NDES requires a challenge password to authenticate certificate requests before the service issues an identity certificate. Use a static password each time or a dynamic challenge password that the Cloud Extender parses from the MSCEP Admin page. Use one of the following values.
    - Dynamic is the default value for Basic mode.
    - Static is used for Verizon MCS integration.
  - Challenge Username: The credentials of the Device Administrator for SCEP transactions.
  - Challenge Password: The credentials of the Device Administrator for SCEP transactions.
- Enter the following certificate properties.
  - Subject Name: Use the subject name to configure the certificate template to pass specific attributes of the user or device to the certificate request so that the returned certificate uses these values. The default string for the subject name is /CN=%uname%/emailAddress=%email%.
    The template supports any of the following dynamic parameters.
    - %udid%: The UDID of the device.
    - %csn%: The MaaS360 device ID.
    - %uname%: The username of the device owner.
    - %domain%: The domain of the user.
    - %email%: The email address for the user.
    - %imei%: The IMEI number of the device.
    - %model%: The device model.
    - %sim%: The SIM number of the device.
    - %phnumber%: The phone number of the device.
    - User Visibility module attributes:
      - %ou% (Organizational Unit)
      - %cn% (Common Name)
      - %dc% (Domain Component)
      - %dn% (Distinguished Name)
    The template also supports the following static values.
    - CN (commonName)
    - C (countryName)
    - L (localityName)
    - ST (stateOrProvinceName)
    - O (organizationName)
    - OU (organizationUnitName)
    - G (givenName)
    - S (Surname)
    - I (Initials)
    - UID (uniqueIdentifier)
    - SN (serialNumber)
    - T (title)
    - D (description)
    The Cloud Extender also supports User Custom Attribute variable names for the subject name of the certificate. The User Custom Attribute value can pass to the certificate request when the value is defined and read from LDAP, or if it is set on IBM MaaS360 locally.
  - Subject Alternate Name: Use this field to uniquely identify the user for authentication. This field is one of the most common fields that is used for the subject alternative name. Use one of the following values in this field.
    - None
    - UPN
    - UPN and Email
    - Other is for an open ended configuration that supports all variables such as the subject name.
  - Cache certs on Cloud Extender: If the user enrolls an already enrolled device, Cloud Extender repurposes and caches the certificates locally, instead of contacting CA for a new certificate. Use this option to select a local storage path or a UNC network path that stores certificates.
  - Location of Certificate Cache: The local storage path or a UNC network path that stores certificates.
- Click Save and Test to test your configuration. If your test is successful, a prompt is displayed stating that the Certificate is generated and validated successfully, with an option to download the certificate for a mobile device.
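
A pre-flight check for the Subject Name string from the certificate properties step, as an added example that is not IBM's code: it flags attribute names and %variables% that are not listed on this page before you run Save and Test. It assumes the slash-delimited /ATTR=value form of the default string; the function name and the custom_vars parameter are hypothetical, and emailAddress is accepted only because the default string uses it.

```python
import re

# Dynamic parameters listed on this page; ou/cn/dc/dn need the User Visibility module.
DYNAMIC = {"udid", "csn", "uname", "domain", "email", "imei", "model", "sim",
           "phnumber", "ou", "cn", "dc", "dn"}
# Static attribute names listed on this page, plus emailAddress from the default string.
STATIC = {"CN", "C", "L", "ST", "O", "OU", "G", "S", "I", "UID", "SN", "T", "D",
          "emailAddress"}
TOKEN = re.compile(r"%([^%/=]*)%")  # one complete %name% token


def lint_subject_template(template, custom_vars=()):
    """Return a list of problems in a /ATTR=value/... subject name template.

    custom_vars (hypothetical parameter) names the User Custom Attribute
    variables defined in your own environment.
    """
    problems = []
    allowed = DYNAMIC | set(custom_vars)
    if not template.startswith("/"):
        problems.append("template does not start with '/'")
    parts = [p for p in template.split("/") if p]
    if not parts:
        problems.append("template has no components")
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not value:
            problems.append(f"component {part!r} is not ATTR=value")
            continue
        if attr not in STATIC:
            problems.append(f"attribute {attr!r} is not listed on this page")
        for name in TOKEN.findall(value):
            if name not in allowed:
                problems.append(f"variable %{name}% is not listed on this page")
        # A '%' left over after removing complete tokens is unbalanced.
        if "%" in TOKEN.sub("", value):
            problems.append(f"unbalanced '%' in {part!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample templates: the page's default, then two typical typos.
    for sample in ("/CN=%uname%/emailAddress=%email%",
                   "/CN=%username%/OU=%ou%",
                   "/CN=%uname/O=Example"):
        print(sample, "->", lint_subject_template(sample) or "ok")
```

A finding means only that the name does not appear on this page; confirm anything flagged against your Cloud Extender version before changing the template.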