Hi,

We had a discussion about this today. The final conclusion is to have a
pass-through from MDM to the SCEP server. Every request that goes to the SCEP
server needs to go via the MDM interface. Hence it will be easy to validate the
request from MDM using a one-time password.

Initially we agreed to have a separate web app (I had an offline discussion
with Azeez) to hold the SCEP implementation together with the CA
implementation. Now after the discussion with Prabath we were encouraged to
have the SCEP functionality within the Identity Server. Therefore SCEP and
CA will be developed as totally independent components. By default MDM will
use the IS-provided SCEP and CA implementations. If anyone needs to point
to any 3rd party SCEP servers or CAs, it's only a matter of changing the
necessary configurations in the MDM.

For the implementation we may use jscep [1], which is MIT and Creative
Commons 3 licensed.

[1] - http://code.google.com/p/jscep/


Regards,

Dilshan


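The pass-through validation agreed above, as an added example (not WSO2 code): the MDM issues a one-time challenge bound to a user and device, puts it in the profile, and on the incoming SCEP request checks the challenge (single use, time-limited), the user/device binding, and that the CSR subject matches what the profile asked for, before anything is forwarded to the SCEP server. The `ChallengeStore` class and its sample data are constructed for this example; the CSR subject is assumed to be already parsed out of the PKCS#10 request.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """Hypothetical MDM-side registry of one-time SCEP challenges (constructed example)."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._entries = {}  # challenge -> {user, device, subject, expires, used}

    def issue(self, user, device_id, subject, now=None):
        """Create a challenge for one user/device pair; the value goes into the profile."""
        now = now if now is not None else time.time()
        challenge = secrets.token_urlsafe(32)
        self._entries[challenge] = {"user": user, "device": device_id,
                                    "subject": subject,
                                    "expires": now + self.ttl, "used": False}
        return challenge

    def validate(self, challenge, user, device_id, csr_subject, now=None):
        """Return (ok, reason). A successful validation consumes the challenge."""
        now = now if now is not None else time.time()
        # Compare against every stored challenge in constant time so the
        # lookup does not leak which challenge values exist.
        match = None
        for stored, entry in self._entries.items():
            if hmac.compare_digest(stored.encode(), challenge.encode()):
                match = entry
        if match is None:
            return False, "unknown challenge"
        if match["used"]:
            return False, "challenge already used"
        if now > match["expires"]:
            return False, "challenge expired"
        # A stolen challenge presented by another user or device is rejected here.
        if match["user"] != user or match["device"] != device_id:
            return False, "challenge not issued to this user/device"
        # The CSR subject (CN, O, ...) must be exactly what the MDM put in the profile.
        if csr_subject != match["subject"]:
            return False, "CSR subject does not match profile"
        match["used"] = True
        return True, "ok"
```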

On Mon, Aug 5, 2013 at 3:56 PM, Prabath Siriwardena <prab...@wso2.com> wrote:

> Hi Shan,
>
> Even here - it uses a SCEP server, which is a separate entity. And this
> video too explains the vulnerability of SCEP - as it is designed for closed
> systems..
>
> That is one reason we need to validate the SCEP request against the
> profile we passed to the device...
>
> It has to validate device identity as well as - the certificate CN and the
> rest..
>
> Thanks & regards,
> -Prabath
>
>
> On Mon, Aug 5, 2013 at 2:46 PM, Shanmugarajah Sinnathamby
> <s...@wso2.com> wrote:
>
>> Hi Prabath,
>>
>> Hope u had a look at this
>>
>> http://www.youtube.com/watch?v=SfMeKnch3YA
>>
>>
>>
>> On Mon, Aug 5, 2013 at 1:41 PM, Shanmugarajah Sinnathamby
>> <s...@wso2.com> wrote:
>>
>>> Hi Prabath ,
>>>
>>> The challenge is a random number generated and associated with a user
>>> and device. So when the SCEP request hits in, we check the challenge and
>>> the associated user and device, and a flag is set.
>>> Also this gives the flexibility for the user to enroll 1 or more devices,
>>> since the challenge is per device.
>>>
>>> Let's say the challenge is stolen by another user or the same user; if he
>>> tries to get the certificate using the same challenge, there is a
>>> validation against the user and device. Do you think this can help us to
>>> secure it?
>>> If not, what is the best method to overcome the SCEP vulnerability?
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena
>>> <prab...@wso2.com> wrote:
>>>
>>>> I guess the user challenge itself is not enough.. We also need to validate
>>>> the SCEP request..
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>>
>>>> On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby <
>>>> s...@wso2.com> wrote:
>>>>
>>>>> Hi Prabath ,
>>>>>
>>>>> Currently the SCEP server is within the MDM domain itself, where
>>>>> validation will be done based on the user challenge before it gets passed
>>>>> to it. The validation part is not done.
>>>>> Also there is a performance issue in the time taken to enroll a device;
>>>>> Mayuran is working on that along with the validation.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>> -Shan
>>>>>
>>>>> On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena
>>>>> <prab...@wso2.com> wrote:
>>>>>
>>>>>> Hi Dilshan,
>>>>>>
>>>>>> Have we considered passing the SCEP requests from the devices through
>>>>>> the MDM and validating those.. There is a separate mail on that..
>>>>>>
>>>>>> Thanks & regards,
>>>>>> -Prabath
>>>>>>
>>>>>>
>>>>>> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <
>>>>>> dils...@wso2.com> wrote:
>>>>>>
>>>>>>> Yes Prabath, our MDM need not work as a SCEP server. Right now
>>>>>>> it's a separate WEBrick web server and the code is written in Ruby. The SCEP
>>>>>>> server can be any third party server like EJBCA etc. I had an offline
>>>>>>> discussion with Azeez and came to the conclusion that the SCEP server part
>>>>>>> needs to be separated out to a web app written in Java, so any time it can
>>>>>>> be replaced with anything. Ideally, I believe this part needs to be
>>>>>>> handled by IS and MDM only communicates with it through the information
>>>>>>> provided at deployment time.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Dilshan
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <
>>>>>>> prab...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Just had a look at how this works with iOS [1]..
>>>>>>>>
>>>>>>>> I may be totally wrong (please correct me in that case) - I just
>>>>>>>> went through the doc quickly..
>>>>>>>>
>>>>>>>> In the response from the MDM - it has the following.. which in fact
>>>>>>>> gives details to connect to a different SCEP server.. so our MDM
>>>>>>>> need not work as a SCEP server..
>>>>>>>>
>>>>>>>> <array>
>>>>>>>> <dict>
>>>>>>>> <key>PayloadContent</key>
>>>>>>>> <dict>
>>>>>>>> <key>URL</key>
>>>>>>>> <string>https://scep.example.com/scep</string>
>>>>>>>> <key>Name</key>
>>>>>>>> <string>EnrollmentCAInstance</string>
>>>>>>>> <key>Subject</key>
>>>>>>>> <array>
>>>>>>>> <array>
>>>>>>>> <array>
>>>>>>>> <string>O</string>
>>>>>>>> <string>Example, Inc.</string>
>>>>>>>> </array>
>>>>>>>> </array>
>>>>>>>> <array>
>>>>>>>> <array>
>>>>>>>> <string>CN</string>
>>>>>>>> <string>User Device Cert</string>
>>>>>>>> </array>
>>>>>>>> </array>
>>>>>>>> </array>
>>>>>>>> <key>Challenge</key>
>>>>>>>> <string>...</string>
>>>>>>>> <key>Keysize</key>
>>>>>>>> <integer>1024</integer>
>>>>>>>> <key>Key Type</key>
>>>>>>>> <string>RSA</string>
>>>>>>>> <key>Key Usage</key>
>>>>>>>> <integer>5</integer>
>>>>>>>> </dict>
>>>>>>>>
>>>>>>>> Thanks & regards,
>>>>>>>> -Prabath
>>>>>>>>
>>>>>>>> [1]:
>>>>>>>> http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <
>>>>>>>> prab...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <
>>>>>>>>> sanj...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by
>>>>>>>>>> default?
>>>>>>>>>>
>>>>>>>>>> Prabath I remember a long discussion about certificate issuing
>>>>>>>>>> and distribution 3-4 years ago but don't think we ended up
>>>>>>>>>> implementing yet.. is this a lightweight solution?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>>>>>>
>>>>>>>>> SCEP server plays the middle-man role in enrolling and getting a
>>>>>>>>> certificate to a network device (which basically does not have any
>>>>>>>>> account with the CA).
>>>>>>>>>
>>>>>>>>> SCEP server will know how to talk to a CA (could be the existing
>>>>>>>>> corporate CA) and gets the certificate..
>>>>>>>>>
>>>>>>>>> My understanding is MDM need not be a SCEP server (please
>>>>>>>>> correct me if not).. It only has to know how to talk to a SCEP
>>>>>>>>> server.. (which may be IS, EJBCA or Microsoft CA).
>>>>>>>>>
>>>>>>>>> Mobile devices, when getting registered with the MDM, will get a
>>>>>>>>> profile with all the details to connect to the SCEP server... and
>>>>>>>>> these devices will connect to the SCEP server directly and do the
>>>>>>>>> enrollment..
>>>>>>>>> The role of MDM is to embed the OTP and the server URL of the SCEP
>>>>>>>>> server into the profile...
>>>>>>>>>
>>>>>>>>> Thanks & regards,
>>>>>>>>> -Prabath
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Dilshan have u guys already implemented it?
>>>>>>>>>>
>>>>>>>>>> Sanjiva.
>>>>>>>>>>
>>>>>>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <
>>>>>>>>>> dils...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Attached is the architecture of mobile device management. The
>>>>>>>>>>> MDM build is compiled on top of Carbon using the necessary features.
>>>>>>>>>>> The build consists of these layers, modules and components.
>>>>>>>>>>>
>>>>>>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core
>>>>>>>>>>> functionality.
>>>>>>>>>>>
>>>>>>>>>>> 2) MDM admin console - This is for creating tenants and admins.
>>>>>>>>>>> At present this is done via carbon admin console.
>>>>>>>>>>>
>>>>>>>>>>> 3) Public store  -  Public store Jaggery app.
>>>>>>>>>>>
>>>>>>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>>>>>>
>>>>>>>>>>> 5) Store admin console - Admin console for store.
>>>>>>>>>>>
>>>>>>>>>>> 6) iPhone interface - This will run the SCEP server[1] which is
>>>>>>>>>>> needed for iPhone provisioning.
>>>>>>>>>>>
>>>>>>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>>>>>>
>>>>>>>>>>> 8) User module - User authentication, registration, roles etc. will
>>>>>>>>>>> be handled here. For this we will be using WSRequest in Jaggery or
>>>>>>>>>>> directly calling the OSGi bundle from Jaggery.
>>>>>>>>>>>
>>>>>>>>>>> 9) Tenant management module - Tenants will be handled in this
>>>>>>>>>>> module.
>>>>>>>>>>>
>>>>>>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>>>>>>
>>>>>>>>>>> 11) Security module - SAML based login etc.
>>>>>>>>>>>
>>>>>>>>>>> 12) Device module - Device related functions.
>>>>>>>>>>>
>>>>>>>>>>> 13) Policy module - XACML related functions to handle MDM
>>>>>>>>>>> policies.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Main MDM app will be developed as a Jaggery app and it will use
>>>>>>>>>>> an external MySQL database. Jaggery will handle all the database
>>>>>>>>>>> functions related to MDM. Data level isolation of the tenants will
>>>>>>>>>>> also be done using the Jaggery code.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [1] -
>>>>>>>>>>> http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Dilshan
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>> Architecture@wso2.org
>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Sanjiva Weerawarana, Ph.D.
>>>>>>>>>> Founder, Chairman & CEO; WSO2, Inc.;  http://wso2.com/
>>>>>>>>>> email: sanj...@wso2.com; phone: +94 11 763 9614; cell: +94 77
>>>>>>>>>> 787 6880 | +1 650 265 8311
>>>>>>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>>>>>>
>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Prabath
>>>>>>>>>
>>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>>
>>>>>>>>> http://blog.facilelogin.com
>>>>>>>>> http://RampartFAQ.com
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Shanmugarajah (Shan)
>>>>>
>>>>> Director Architecture - WSO2Mobile
>>>>>
>>>>> Mob: + 94 714944295
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>