iOS Distribution Certificate

IBM® MaaS360® On-Premises Updating
Passwords and Certificates, and
Increasing Filesystem space
IBM SECURITY SUPPORT OPEN MIC
Reminder: You must dial-in to the phone conference to listen to the panelists.
The web cast does not include audio.
USA toll-free: 866-803-2141
USA toll: 1-203-607-0460
Participant passcode: 7402573
Slides and additional dial in numbers: http://ibm.biz/Maas360onpremOpenMic1
Wednesday, August 24, 2016
NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR
IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT
YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH
RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS
ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.
Panelists
Janet Taylor – Presenter – Level 2 Support Engineer
Stefano Spognetta – Level 2 Support Engineer
Adam Case – MaaS360 Services Engineer
John Nielsen – Product Manager for MaaS360
Eli Shapurov – Technical Sales Manager
Kevin Reinstein – Moderator – Level 2 Support Manager
IBM Security
Goal of session
Instruction on finding and resolving the following situations:
Virtual Machine filesystem space
Database users locked or expired
Update MaaS360 when DB system password is changed
Update Expiring iOS certificates
Agenda
• Updating expiring Certificates
• How to detect an expired MaaS360 database account and how to update it
• How to increase filesystem space on the MaaS360 Virtual Machine
Updating Expiring iOS Certificates
MaaS360 On-Prem iOS Certificate Renewal Procedure
Certificate expiry is notified in the portal and by email. Expiry of the MDM and SSL certificates is notified under the Setup -> Services workflow, and expiry of the provisioning profile is notified under the Apps -> Catalog workflow. Renew the certificates before they expire to avoid the consequences described below.
• Types of Certificates:
1. Apple MDM (APNS) Certificate
2. Provisioning Profile
3. MaaS360 App APNS Certificate
4. Distribution/Production certificate for App Signing
Explanation of each certificate
Certificate: Apple MDM certificate
  Purpose (Why?): Used to push notifications to the MDM client on Apple devices.
  Type of certificate: .p12
  Impact, if it expires:
    1. No new enrollments will work.
    2. Existing / already enrolled devices will stop receiving any MDM notifications and no new data will be uploaded to the portal.
  Validity: 1 year

Certificate: Provisioning Profile
  Purpose (Why?): Bundles certificates, app ID pattern, validity and entitlements.
  Type of certificate: .mobileprovision
  Impact, if it expires:
    1. Existing apps will not load.
    2. New apps will not install.
    3. Enrollments will not be affected.
  Validity: 1 year

Certificate: MaaS360 App APNS Certificate
  Purpose (Why?): Used to push notifications to the MaaS360 app on Apple devices.
  Type of certificate: .p12
  Impact, if it expires:
    1. Real time notifications for the MaaS360 app will not work.
    2. No impact on existing enrolled devices.
    3. No impact on new enrollments.
  Validity: 1 year

Certificate: Distribution/Production certificate for App Signing
  Purpose (Why?): Used for signing all the MaaS360 apps.
  Type of certificate: .pem
  Impact, if it expires:
    1. New installation of agents will fail.
    2. Existing apps will keep crashing as the certificate is expired.
  Validity: 3 years
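Added example, not code from the IBM deck: a POSIX shell helper that reports the days left on each certificate type above, so a renewal can be scheduled before the portal or email alert fires. It assumes the openssl CLI and GNU date are available; the 30-day warning window, the file names and the password variable are placeholders chosen here, not MaaS360 settings.

```shell
#!/bin/sh
# Added example (not from the IBM deck): report days remaining on the
# certificates in the table above. Assumes GNU date (-d) and the openssl CLI;
# file names and the password variable in the usage lines are placeholders.

# days_until NOTAFTER : days from now until an openssl "notAfter" timestamp
# such as "Aug 24 12:00:00 2017 GMT". Negative means already expired.
days_until() {
    expiry_epoch=$(date -d "$1" +%s) || return 1
    now_epoch=$(date +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# cert_status DAYS [WARN_DAYS] : EXPIRED, WARN or OK. The 30-day warning
# window is an assumption for this example, not a MaaS360 value.
cert_status() {
    days=$1
    warn=${2:-30}
    if [ "$days" -lt 0 ]; then echo EXPIRED
    elif [ "$days" -le "$warn" ]; then echo WARN
    else echo OK
    fi
}

# pem_not_after FILE : notAfter of a PEM certificate (for instance the
# Apple-signed MDM certificate or the distribution certificate).
pem_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# p12_not_after FILE PASSWORD : notAfter of the certificate inside a .p12
# (the exported MDM or APNS bundle); PASSWORD is the one set on export.
p12_not_after() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# check_cert LABEL NOTAFTER : one report line, e.g. "Apple MDM: 12 days (WARN)".
check_cert() {
    d=$(days_until "$2") || { echo "$1: unreadable expiry '$2'"; return 1; }
    echo "$1: $d days ($(cert_status "$d"))"
}

# Usage (placeholder paths; P12_PASS holds the export password):
#   check_cert "Apple MDM"   "$(p12_not_after MaaS360_iOS_MDM_Renew.p12 "$P12_PASS")"
#   check_cert "App APNS"    "$(p12_not_after MaaS360_iOS_APNS.p12 "$P12_PASS")"
#   check_cert "App signing" "$(pem_not_after distribution.pem)"
```

Run it from a scheduled job on the admin workstation that holds the exported .p12 files; a WARN line is the point at which the CSR and PMR steps in the following slides should start, since vendor signing adds lead time.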
Create a New CSR for the Apple MDM Certificate Renewal
• This certificate is used to manage your iOS Devices and allows the iOS device and the portal to trust each other.
• Generate a Certificate Signing Request (CSR) with Mac OS X:
1. Launch the Keychain Access application in your Mac OS X.
2. Select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
Apple MDM Certificate, continued
a. Enter the email address associated with the Apple iTunes Account for enterprise.
b. Ideally, you will use the same Developer ID that you are using for the other certificates.
c. Note: Use an Apple ID that can be used to renew the certificate on a yearly basis.
d. Note: Do not use a personal Apple ID.
e. In the Common Name field, enter the Apple Developer Account Name that is associated with your account.
   i. Log into the Apple Developer Member Center.
   ii. This screen will display the common name you should use.
f. Click “Saved to Disk” and click Continue.
Apple MDM Certificate, continued
g. Save your CSR as “iOS_MDM.certSigningRequest” for easy distinction from the other CSRs.
3. The CSR now has to be vendor signed by IBM. Send your CSR to IBM for signing by opening a PMR and attaching the CSR to be signed.
4. Once you have received your signed CSR, continue with renewing the Apple MDM certificate from Apple.
Renew Apple MDM Certificate
1. To begin the process, see http://identity.apple.com/pushcert/. This process ties the MDM certificate to an Apple ID. Ideally, you will use the same Developer ID that you are using for the other certificates.
Note: Use an Apple ID that can be used to renew the certificate on a yearly basis.
Note: Do not use a personal Apple ID.
2. Now click the Renew button next to your certificate. For example:
Renew Apple MDM Certificate
3. Choose the IBM signed CSR file and click Upload.
Renew Apple MDM Certificate, continued
4. Click Download to obtain your Apple signed MDM Certificate, which is in the .pem format.
5. Double click the “*.pem” file to install it into your Mac’s keychain.
6. In Keychain Access, export the private key and certificate together into a .p12 file for later use by choosing the “Keys” category at the bottom left of the Keychain screen.
7. The Common Name should now show up in the list with an arrow next to it. Choose the private key, right click, and select Export <Common Name>.
8. Save this file as “MaaS360_iOS_MDM_Renew” or something similar for distinction.
9. Enter a password to protect the certificate (this will later be used when uploading to the portal).
10. You may be prompted to enter your MacOS user password.
11. Verify that your new .p12 file has been created.
Upload Renewed Apple MDM Certificate to MaaS360
1. Log into your MaaS360 portal as an Administrator with Full Permissions.
2. Go to Setup > Services.
3. Click on Mobile Device Management.
4. Expand the Apple MDM Certificate section.
5. Click Browse next to Apple MDM Certificate and browse to the MaaS360 iOS MDM .p12 file you created.
6. Enter the password you set for the .p12 file when you exported the certificate.
7. Click Save to upload the certificate to the portal.
8. If successful you should see something similar to the image below. Make sure the expiry date has changed.
Renewal of the Provisioning Profile
2 Steps:
• Create a new provisioning profile.
• Update the new provisioning profile in the portal.
Renewal of the Provisioning Profile, continued
Create a new provisioning profile
1. Log in to the Apple enterprise developer account, select Provisioning Profiles > All and click the + at the top right.
Renewal of the Provisioning Profile, continued
2. Choose the In-house profile selection. Click Continue.
3. Select the App ID(s) for the MaaS360 app for which the provisioning profile is about to expire.
Renewal of the Provisioning Profile, continued
4. Select the iOS Distribution Certificate you want to use with this provisioning profile. It should be the same certificate with which the MaaS360 app was signed before.
Renewal of the Provisioning Profile, continued
5. Select the platforms that the App works on (i.e. All). Click Continue.
6. Enter a name for this provisioning profile (ideally the same as the App ID name).
7. Click Generate to create the .mobileprovision file.
8. The .mobileprovision file is created. Download and save the file.
Update the Provisioning Profile in the Portal
1. Login to portal
2. Go to Apps->Catalog
3. Navigate to the MaaS360 app and click on More
Update the Provisioning Profile in the Portal, continued
4. Browse to the new provisioning profile that was generated and update.
5. Click on View MaaS360 App and check for the updated expiry date of the provisioning profile.
Renew MaaS360 APP APNS Certificate
• A new certificate must be generated; the process is the same as shown previously for the Apple MDM CSR.
• Save your CSR as “iOS_APNS_SSL.certSigningRequest” for easy distinction from the other CSRs.
Renew MaaS360 APP APNS Certificate
• Enables Push Notifications
Note: This section is only valid for the MaaS360 Agent App ID, as Push Notifications are not required for the Secure Editor and Secure Browser.
1. Log into your developer account: https://developer.apple.com/membercenter
2. Click on Certificates, Identifiers, and Profiles.
Renew MaaS360 APP APNS Certificate
3. Ensure the drop down list at the top left of your screen is set to iOS Apps.
4. Underneath the Identifiers section, click on App IDs.
5. Select the App ID for which you have to generate the APNS certificate.
6. At the bottom of the page, click Edit.
Renew MaaS360 APP APNS Certificate
7. Scroll down the page, check the checkbox to enable the Push Notifications option and click ‘Create Certificate’.
8. Click through the steps and when prompted, upload the CSR (iOS_APNS_SSL.certSigningRequest). Click Generate.
9. Click Download to retrieve the APNS SSL certificate. The file name should be “aps_production.cer”.
10. Double click the “aps_production.cer” file to install it into your Mac’s keychain.
11. In Keychain Access, export the private key and certificate together into a .p12 file for later use by choosing the “Keys” category at the bottom left of the Keychain screen.
12. The Common Name should now show up in the list with an arrow next to it. Choose the private key, right click, and select Export <Common Name>.
13. Save this file as “MaaS360_iOS_APNS” or something similar for distinction.
14. Enter a password to protect the certificate (this will later be used in the portal).
15. You may be prompted to enter your MacOS user password.
16. Verify that your new .p12 file has been created.
Renew MaaS360 APP APNS Certificate
Upload Apple Push Notification SSL Certificate to MaaS360
1. Log into the MaaS360 portal as an Administrator with Full Permissions.
2. Go to Setup > Services.
3. Click on Mobile Device Management.
4. Expand the Apple Push Notification SSL Certificates section.
5. Click Browse next to “Apple Push Notification SSL Certificate” and browse to your MaaS360_iOS_APNS.p12 file.
6. Enter the password you set for the .p12 file when you exported the certificate.
7. Click Save to upload the certificate to the portal.
8. If successful you should see something similar to the image below, with an expiration date.
Renew Distribution/Production Certificate
If the distribution certificate expires, the app has to be re-signed with the new distribution certificate and a new provisioning profile.
Follow the steps in the MaaS360 Configuration Guide, Code Sign the IBM MaaS360 iOS apps (http://www.ibm.com/support/knowledgecenter/SS54PL_2.3.0/com.ibm.maas.doc/Config_Guide/t_step_10_code_sign_ios_maas360.html#t_step_10_code_sign_ios_maas360). Note that the App ID should stay the same (it need not be generated again).
After the app has been re-signed, follow these steps to upload it to the portal.
1. Login to the portal and navigate to Apps -> Catalog.
2. Go to the view of the MaaS360 iOS app.
3. Remove all the checks in security policies.
Renew Distribution/Production Certificate
4. Note down your distributions and click on Save.
5. Now go to Apps -> Catalog and delete the app.
6. Upload the new re-signed app in the portal.
7. Distribute the app to all the groups/devices noted in step 4 with “Instant Install” checked.
How to detect a locked / expired MaaS360 database account and how to update it
Oracle Database password has Expired or is Locked
• In many of the application catalina logs you can see an error similar to:
org.apache.naming.NamingContext lookup
WARNING: Unexpected exception resolving reference
java.sql.SQLException: ORA-28001: the password has expired
• To get a list of all DB users and the status of their account you can use this query while connected
using sqlplus with a user having the appropriate grants:
SELECT username, account_status FROM dba_users;
Resolving the Problem
• The DBA needs to set these users' passwords to never expire.
• The profile setting PASSWORD_LIFE_TIME 180 should be changed to unlimited:
PASSWORD_LIFE_TIME UNLIMITED
• Restart the Oracle server and the MaaS360 application.
• Log in to the database using the following command (from the Oracle server) to confirm there is no error about an expired password:
export ORACLE_SID=vpn2
sqlplus fortress_user/<password>
where <password> is the one contained in "APP_PASS" (from db_update.ini).
• Run this command to list the status of all accounts:
SELECT username, account_status FROM dba_users;
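Added example, not code from the IBM deck: a POSIX shell script that turns the output of the dba_users query above and an excerpt of the catalina log into a list of accounts needing attention, plus the remediation SQL a DBA would review before running it. The dba_users output and log lines are constructed samples; the script assumes the MaaS360 accounts use Oracle's DEFAULT profile (labelled in the code) and leaves the password reset as a placeholder so no password is written into a script.

```shell
#!/bin/sh
# Added example (not from the IBM deck): flag locked/expired MaaS360 database
# accounts and emit the SQL a DBA would run. Assumes the MaaS360 accounts use
# the DEFAULT profile (assumption) and Oracle's standard dba_users status
# wording (OPEN, EXPIRED, LOCKED, EXPIRED & LOCKED, ...).

# Constructed sample of "SELECT username, account_status FROM dba_users;"
# output in "USERNAME STATUS" form (as sqlplus prints it with pagesize 0).
SAMPLE_DBA_USERS='SYS OPEN
FORTRESS_USER EXPIRED
MAAS_REPORTS LOCKED
MAAS_PORTAL EXPIRED & LOCKED
APP_RO OPEN'

# Constructed catalina log excerpt: one ORA-28001 line among normal output.
SAMPLE_CATALINA='INFO: Server startup in 8123 ms
WARNING: Unexpected exception resolving reference
java.sql.SQLException: ORA-28001: the password has expired
INFO: Session pool initialised'

# bad_accounts TEXT : print "USERNAME STATUS" for every account that is not OPEN.
bad_accounts() {
    printf '%s\n' "$1" | awk '$2 != "OPEN" { print }'
}

# count_bad TEXT : number of accounts needing attention.
count_bad() {
    bad_accounts "$1" | grep -c .
}

# expired_password_errors TEXT : number of ORA-28001 lines in a log excerpt,
# the signature shown on the previous slide.
expired_password_errors() {
    printf '%s\n' "$1" | grep -c 'ORA-28001'
}

# remediation_sql TEXT : SQL for the DBA to review. The profile change stops
# future expiry (PASSWORD_LIFE_TIME UNLIMITED, as the deck says); LOCKED
# accounts get ACCOUNT UNLOCK; EXPIRED accounts still need a new password,
# which is left as a commented placeholder.
remediation_sql() {
    echo "ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;"
    bad_accounts "$1" | while read -r user status; do
        case "$status" in
            *LOCKED*) echo "ALTER USER $user ACCOUNT UNLOCK;" ;;
        esac
        case "$status" in
            *EXPIRED*) echo "-- reset $user: ALTER USER $user IDENTIFIED BY <new password>;" ;;
        esac
    done
}

# Usage: pipe real sqlplus output in instead of the sample, e.g.
#   remediation_sql "$(cat dba_users.txt)" > fix_accounts.sql
```

The generated file is meant to be read by the DBA, not executed blindly: after the profile change and any unlock, the MaaS360 application password in db_update.ini must still match the database (see the next slide), and the application needs a restart.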
Update Database System Password in MaaS360
• If the Oracle database system password is changed, it must also be changed in the MaaS360 application.
• To update the MaaS360 application, find the db_update.ini file located on your Oracle server. The file is in the directory where you extracted the database artifacts from the installation media.
• The Oracle system password is stored as "DB_SYSTEM_PASS" in db_update.ini (on the Oracle server). Update it, then run update_db_password.sh:
- Edit the "APP_PASS" variable within db_update.ini
- As the ‘oracle’ user, run the script "update_db_password.sh"
• Restart the MaaS360 application.
How to increase filesystem space on a MaaS360 Virtual Machine
Errno 28 No space left on device
• If you have monitoring enabled you may receive an alert reporting a problem with file system space
• You may also find an error in the Application logs
"IOError : [Errno 28] No space left on device"
Determine the Current disk space available
• Login as root to each Virtual Machine using the console on the vSphere client
Find and Remove unnecessary Files
As the root user:
• Investigate the “/home/automation_prod/config_ui/configtool/static” directory.
• Note that this directory and its child "log" usually keep the logs of the infra box. So the first step is to view the size of that directory:
du -h /home/automation_prod/config_ui/configtool/static
• Remove any *.tgz file (for instance debug_logs.tgz and application_logs.tgz).
• Then go to /home/automation_prod/config_ui/configtool/static/logs and truncate the *.log files, for instance with the ">" redirection:
> install.log
• In case you still have problems with space you may collect the output of:
ls / | while read a; do du --max-depth=2 -k "/$a"; done | sort -rn | egrep -v "^0" > /tmp/out
• which writes to /tmp/out the sizes under the root filesystem to a depth of 2, largest first.
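Added example, not code from the IBM deck: the manual cleanup above written as a shell function with a dry-run mode, so the files that would be removed or truncated can be reviewed before anything changes on the VM. The directory argument is a placeholder for the static directory named above; the du pipeline is included as a portable function, and the test data is a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the IBM deck): the cleanup above as a reviewable
# function. Removes *.tgz archives from DIR and truncates *.log files in
# DIR/logs. On a MaaS360 VM, DIR would be
# /home/automation_prod/config_ui/configtool/static (placeholder here).

# clean_static_dir DIR [dry] : one line per action, then "handled N".
# With "dry" nothing is changed, only listed.
clean_static_dir() {
    dir=$1
    mode=${2:-apply}
    n=0
    # Archives (debug_logs.tgz, application_logs.tgz): delete once collected.
    for f in "$dir"/*.tgz; do
        [ -f "$f" ] || continue
        if [ "$mode" = dry ]; then echo "would remove $f"
        else rm -f -- "$f"; echo "removed $f"; fi
        n=$((n + 1))
    done
    # Logs: truncate in place (the ">" trick from the slide) rather than
    # delete, so a process holding the file open keeps writing to it.
    for f in "$dir"/logs/*.log; do
        [ -f "$f" ] || continue
        if [ "$mode" = dry ]; then echo "would truncate $f"
        else : > "$f"; echo "truncated $f"; fi
        n=$((n + 1))
    done
    echo "handled $n"
}

# handled_count DIR [dry] : only the number of files handled, for scripting.
handled_count() {
    clean_static_dir "$1" "$2" | sed -n 's/^handled //p'
}

# largest_dirs ROOT DEPTH : directory sizes in KB under ROOT, largest first,
# zero-sized entries dropped (the du pipeline above; -d works on GNU and BSD du).
largest_dirs() {
    du -k -d "$2" "$1" 2>/dev/null | sort -rn | grep -v '^0'
}

# Usage on the VM (as root):
#   clean_static_dir /home/automation_prod/config_ui/configtool/static dry
#   clean_static_dir /home/automation_prod/config_ui/configtool/static
#   largest_dirs / 2 > /tmp/out
```

Run the dry mode first and keep its output with the change record; if the space problem persists after cleanup, the largest_dirs output is what support will ask for before moving on to the LVM resize on the next slide.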
Steps to Increase the size of the file system
• Perform these steps as the “root” user to increase the size of /u001 by 5 GB.
1. To increase the size of /u001, the volume group (vg01) must have free space available. Command to check free space: vgs
2. Run the lvextend command to extend the size of /u001 by 5 GB:
lvextend -L+5G /dev/mapper/vg01-u001
3. The “df -h” command still shows the old size of /u001 (20GB).
4. To reflect the new size, grow the filesystem to the new size of the logical volume:
resize2fs /dev/mapper/vg01-u001
Questions for the panel
Now is your opportunity to ask questions of our panelists.
To ask a question now:
Press *1 to ask a question over the phone
or
Type your question into the IBM Connections Cloud Meeting chat
To ask a question after this presentation:
You are encouraged to participate in the dW Answers forum on this topic https://developer.ibm.com/answers/questions/291686/where-can-maas360-on-premise-userslearn-about-res/
Where do you get more information?
Questions on MaaS360 SaaS topics can be directed to the product forum:
MaaSters Center on IBM developerWorks.
More articles you can review:
• Technote 1974971: Updating expired DB Passwords
  http://www.ibm.com/support/docview.wss?uid=swg21974971
• Technote 1983849: No Space Left on Device
  http://www.ibm.com/support/docview.wss?uid=swg21983849
• IBM developerWorks articles: MaaS360 on IBM developerWorks
• IBM Knowledge Center:
  http://www.ibm.com/support/knowledgecenter/SS54PL_2.4.0/com.ibm.maas.doc/maas_landing.html
Useful links:
Get started with IBM Security Support
IBM Support Portal | Sign up for “My Notifications”
Follow us:
Question
• If the Apple MDM certificate expires, will enrolled devices need to be re-enrolled? Or will the act of renewing the expired certificate be sufficient to get them working again?
Answer:
Unfortunately, if the certificate expires, the devices have to be re-enrolled.
THANK YOU
FOLLOW US ON:
https://www.facebook.com/IBM-Security-Support-221766828033861/
youtube/user/ibmsecuritysupport
@askibmsecurity
securityintelligence.com
xforce.ibmcloud.com
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.