7.32. The IDERI note Gateway component in detail¶
The IDERI note Gateway is an optional component within the IDERI note product suite that is required for the operation of mobile device connectivity within your IDERI note infrastructure.
Attention
Active Directory® settings for a successful implementation
In a standard Active Directory® configuration, no additional efforts are required to set up an IDERI note Gateway server for a successful implementation of mobile client connectivity. However, as a hardening measure, many organizations strive to reduce the number of members in the builtin “Pre-Windows 2000 Compatible Access” group. Membership in this group ensures that a principal has access rights to read the group membership of each other principal in Active Directory®. In a standard Active Directory® configuration, “Authenticated Users” are a member of this group. If this is the case in your Active Directory® configuration, no additional configuration is required. However, if this is not the case, you have to add the computer account of the IDERI note Gateway server to the “Pre-Windows 2000 Compatible Access” group or otherwise have to make sure that the computer account of the IDERI note Gateway server has read access to the group membership attribute of each principal in Active Directory® that should be enabled to use mobile connectivity to your IDERI note infrastructure.
7.32.1. Responsibilities of the IDERI note Gateway¶
As its name implies, the IDERI note Gateway is a component that serves as a transition facility from mobile client requests into an Active Directory® based environment. Apart from the purely technical protocol transition of the mobile devices’ webservice based communication via https from the internet or an intranet into the RPC based LAN protocols of a classic IDERI note environment, the IDERI note Gateway also employs a protocol transition with respect to the clients’ authentication. To begin with, during the course of a mobile client connection setup, the IDERI note Gateway serves the purpose of classic user authentication with user credentials (user name, domain name, password), in order to present an X.509 certificate to the client after successful authentication. The common name of this individual client certificate contains the SID of the user having been authenticated, so subsequent requests by a client using this certificate can be ascertained by the IDERI note Gateway to originate from the user represented by the SID. Using this information, the IDERI note Gateway now can perform an authentication transition/conversion for all synchronization requests of clients with their respective certificates authenticated by the IDERI note Gateway, using Kerberos-S4U extensions and constrained delegation (both introduced with Windows Server 2003), in order to create a network logon session on behalf of the mobile user on the IDERI note server that is associated with the IDERI note Gateway.
The client certificates that are presented to mobile users after a successful authentication during connection setup on the mobile device, are valid only on the IDERI note Gateway itself, since they have been issued by a local certificate authority on the IDERI note Gateway. In addition, the network logon sessions that are created by the IDERI note Gateway on the IDERI note server during mobile client synchronization using certificate based authentication, can only be created by the IDERI note Gateway to its associated IDERI note server and no other computer in Active Directory®, thanks to the constrained delegation that is set up from the IDERI note Gateway to the IDERI note service.
After this conceptual introduction, the following paragraphs will give an overview of the IDERI note Gateway setup and configuration process.
7.32.2. Configuration of the IDERI note Gateway¶
To use the IDERI note Gateway component in a productive environment the IDERI note Gateway first has to be installed as described in chapter 3.9. Afterwards the application named “IDERI note Gateway Configuration” can be started via the start menu.
When you first start the IDERI note Gateway Configuration you will see that all the steps are marked as “Status: incomplete” as shown in figure 7.100.
Follow the individual steps in order to configure the IDERI note Gateway accordingly.
7.32.2.1. Step 1: Setup the connection to your IDERI note Server¶
Set up the connection to the IDERI note server in step 1. Specify the Full qualified domain name (FQDN) and the NetBIOS name of the server where the IDERI note service in installed and running. To connect successfully you also have to define the TCP ports for the administrative and client interface of the IDERI note service as shown in figure 7.101. If these are not configured already you must activate and define them on the IDERI note server according to chapter 7.25.
To check if the server can successfully communicate via these ports you can use the buttons “Test” in the configuration dialog.
7.32.2.2. Step 2: Setup a local certificate authority (CA) for client certificates¶
As IDERI note mobile uses certificates for identifying and authenticating users a certification authority (CA) has to be configured which is responsible for signing these certificates. If there already is such a CA present on the system you could select it by picking the second choice of figure 7.102. It will always use the local certificates store on the system. Alternatively, a new CA can be created by selection the first choice.
If the item “I would like to create a new self-signed certification authority” is selected a wizard opens which leads to the creation of the new CA.
7.32.2.3. Step 3: Setup a certificate for to be used for transport layer security¶
To ensure that the transmission of messages from the IDERI note Gateway to the end user devices is done in a secure and encrypted manner you will have to configure a certificate in step 3. As shown in figure 7.103, there is the possibility to select a certificate already present in the local Windows® certificates store or to create a new one. An existing one may be a certificate from a public certification authority, like e.g., GoDaddy, Strato or LetsEncrypt.
If you decide to create a new certificate you will get to the configuration page of the wizard shown in figure 7.104.
Please note that the “Common name of the server certificate” must be equal to the address with which the clients connect to the IDERI note Gateway later on. If the names differ this will result in a certification error.
7.32.2.4. Step 4: Setup web service endpoint configuration¶
Configure the address an port in step 4 the clients will connect to the IDERI note Gateway later on. (Figure 7.105) Again, please note that the address must match the certificates common name defined in step 3.
If all steps have been configured successfully the configurations made have to be saved by clicking on “Apply”. This results in a message that the IDERI note Gateway service has to be restarted which is mandatory to apply the changes made.
7.32.2.5. Step 5 (optional): Configure server security and other settings¶
The configuration page of step 5 (figure 7.106) holds settings for a dedicated TCP port for managing the IDERI note Gateway remotely. This port gives you the ability to manage the user certificates (respectively client connections) issued by the IDERI note Gateway via the IDERI note Certificates MMC Snap-In from a remote computer.
By selecting the item “Access management” you can define access permissions for the IDERI note Gateway and the default behavior of new certificates. (Figure 7.107)
You can define here e.g., that user certificates for users of a specific Active Directory® group will be approved immediately and not be set to quarantined in the first place, so that these users can instantly receive messages via their IDERI note mobile Client. Furthermore, it can be defined here which users can manage user certificates e.g., to activate quarantined certificates again.
The tab page named “Authentication” (figure 7.108) holds settings for authentication.
With the settings in tab page named “Device Settings”, shown in figure 7.109, you can control how the app on the endusers device will behave. For example, you can enable the quick acknowledgement mode, so that the message will automatically be reported as read as soon as the user opens the message, instead of having to acknowledge the message by pressing the “I have read the message”-Button. Furthermore you can configure what kind of notifications should appear on the users mobile device.
7.32.3. Managing issued user certificates¶
To activate, set to quarantined or delete user certificates issued by the IDERI note Gateway you can use the IDERI note Certificates MMC Snap-In. Read more about the Snap-In in chapter 2.10.
7.32.4. Mobile client connection setup in detail¶
When starting the setup of a new connection on a mobile device, the certificate that is required for subsequent client synchronization operations is not yet on the mobile device. After all, it is the connection setup’s responsibility to deploy this certificate onto the client. The remainder of this paragraph will outline the operations between the mobile device and the IDERI note Gateway during connection setup.
During setup of the mobile client connection, the mobile device will first generate a certificate signing request (CSR) for the certificate to be obtained from the IDERI note Gateway. A byproduct of the CSR generation process is the creation of the private key for the certificate. The private key will never leave the mobile device and is stored in the secure storage facility of the respective mobile platform in use. Using this private key, it will later be possible for the mobile device to prove to the IDERI note Gateway as part of the client certificate authentication process for each client synchronization, that it actually is the client it claims to be. After creation of the CSR and the private key, the mobile client sends the CSR over a web service interface to the IDERI note Gateway and authenticates this web service call with its Active Directory® credentials (user name, password, domain name). Since an SSL/TLS connection to the IDERI note Gateway can only succeed if the IDERI note Gateway presents a valid certificate to the mobile client that is considered trustworthy because it has been created by a certificate authority (CA) that is part of the list of the client’s root CAs, the client knows that it presents its credentials to the correct server. Apart from the server being authenticated to the client, the SSL/TLS connection also guarantees privacy of the credentials while in transit. If the credentials presented to the IDERI note Gateway are correct, the IDERI note Gateway generates a client certificate from the CSR it received from the mobile client using its local certificate authority and sends it back to the mobile client as the response to the webservice request. After that, the mobile client has all required information to start its client synchronization conversation with the IDERI note Gateway. Depending on the newly created certificate already being activated or still in quarantine, this synchronization operation initiated by the mobile client can already succeed or might require an administrative effort to activate the client certificate.
7.32.5. Mobile client communication security aspects¶
All communication between mobile devices and the IDERI note Gateway is protected by SSL/TLS, the version currently being TLS 1.2. The CSR created by the mobile client has a RSA modulus size of 2048 bits. The public key of the client certificates created by the IDERI note Gateway are also 2048 bits and use the SHA256 hashing algorithm with RSA for signature exchange. Both the self-signed root certificate for the local certificate authority and the optional self-signed transport layer certificate use the public key size that is configured when running their certificate creation wizards.