CertLoader How To

Version 4

    Introduction:

    The following guide is a step-by-step process for using CertLoader within SecurePlus. In the scenario I am going to describe, I have an access point using TKIP as the encryption cipher and EAP-TLS as the authentication method, authenticating against a RADIUS server for access to the network. There are many ways to create a certificate; in this documentation I am only describing one of them.

     

    Items Needed:

    Before we begin you will need the following items

    1. Mobile Device

              a. Enabler >= 5.2

              b. Power cables and ActiveSync cables

      2.  Access point configured to communicate with a RADIUS server

              a. TKIP encryption with EAP-TLS authentication

      3.  Server

              a. RADIUS server

              b. Active Directory and Configured User

              c. Certificate Authority

       4.  AvalancheMC

              a. SecurePlus >=1.1.57.17

              b. Appropriate Licensing

       5.  ActiveSync or Mobile Device Center

     

    ____________________________________________________________________

     

    Step 1. Installation and configuration of SecurePlus

    ____________________________________________________________________

     

    In order to start this process you will need to install SecurePlus into AMC.

    SecurePl_Installed.png

     

    After installation is complete, select the software, then configure and launch it.

     

    SecurePl_Config.png

     

    This will launch the SecurePlus Config GUI.

     

    SecurePL_GUI.png

     

    For the purpose of this testing I have disabled most of the password options. That is a lab convenience only; re-enable them before deploying to production devices.

    On the Auth. Servers tab, make sure you have entered the IP address of the PC that is running the SecurePlus Server service. This is critical and should not be missed.

     

    Next “Configure Client” button:

     

    SecurePL_Client.png

     

    Here uncheck Stop ActiveSync and disable Hardware Keys. Both are lab conveniences; leave them at their defaults on production devices.

    During testing it is a good idea to set the logging level to Debug, and I also make the log file size a bit bigger than the default. The other two options I change are:

    1. Keep Current User in Registry
    2. Show Last Logon Information

    Everything else can stay the same. Click "OK" when finished.

     

    Next “Configure Service” button:

     

    SecurePL_Service.png

     

    You do not have to fill out the Run As info if you don't want to. Just click Install and follow the prompts, then do the same for Start. You may be prompted for administrator credentials. To uninstall, follow the same steps in reverse: Stop, then Uninstall. If you just click Uninstall it may take a bit longer, as it will stop the service first before uninstalling. Click "OK" when finished.

     

    Next “OTA Certs” button:

     

    SecurePL_OTA.png

     

    Be sure to enable the check box, as this is what turns the OTA option on. Then fill out the address to which certificate requests are to be sent.

    Check Box.png

     

    Next enter the IP address or FQDN of that server.

     

    FQDN.png

     

    Next is the number of days before the certificate expires at which the device requests a new one. For testing, set this value to 365 or more so that a freshly issued one-year certificate is immediately due for renewal and the OTA process can be exercised right away; otherwise you would have to wait a year for the certificate to expire. Use a much smaller window in production.

     

    365.png

     

    Next fill out the request time interval and the check-for-new interval. I usually set both to 5 minutes for testing purposes; there is no reason to wait any longer than necessary.

     

    5min.png

     

    Next use the drop-down and select one of the three options. This gives each device's request for a new certificate a name that is unique from other devices' requests.

    ** The request file name for a given device is the same each time a request is sent, so be sure to make a note of the date and time it was submitted in order to tell successive requests apart.

    Naming pattern: TerminalID_Domain_User.Request

    Example request name: 15068699_qatest_cachilli.req

     

    term.png

     

    Next fill out the location where the certificate is to be placed and where requests are picked up. If you change this, make sure the directories exist before saving the changes. The default location is the following:

    C:\Users\"USERNAME"\.wavelink\avalanche\_AVA\avapackages\SecurePlus\SecurePl\APPS\SecurePl\    - certificate and requests folders

     

    req.png

     

    Click "OK" when finished.

     

    You can now load your device with SecurePlus.

     

    device.png

     

    ____________________________________________________________________

     

    Step 2. Configuration of CertLoader

    ____________________________________________________________________

     

    We are now ready to start the certificate process.

    Connect your device via ActiveSync to the same PC that has AMC and SecurePlus installed. Once it is connected, go to AMC, select SecurePlus and choose configure as before, but this time launch CertLoader.

     

    certloader.png

     

    The CertLoader GUI should now appear.

     

    cl1.png

     

    First we need to configure a couple of options. Select Configuration:

     

    Check the following options:

    Show User Cert Options:

     

    cluser.png

     

    Show Cut/Paste Options:

     

    cp.png

     

    Next go to the Network tab at the bottom:

    ney.png

     

    Fill out both SSID fields and the appropriate check boxes. Since I am using TKIP I have those checked; they are checked by default.

     

    netpix.png

     

    Click "OK" when finished.

     

    At this stage we can send down the "Network Assignment".

     

    na.png

    The device will reboot during this process. You may also see a license error if you are using anything below version 1.1.57.20. The error is thrown here fairly consistently; however, watching the log files with BareTail shows that the device did obtain a license.

     

    licnesefound.png

     

    Next we start the actual certificate creation:

     

    cl1.png

     

    Click on Device Certificate:

     

    devcert.png

     

    The device at this point should still have the SecurePlus logon screen up on the device:

     

    device.png

     

    Click on Create Certificate:

     

    createcert.png

     

    If you get a licensing error, try creating the certificate again.

    If successful you will see the following image:

     

    certuser.png

     

    For this tutorial my device ID is my domain\User:

     

    qauser.png

     

    Then click the green plus sign.

    CertLoader will update the device and finish on the screen below. DO NOT CLOSE THIS OUT.

    You should now see the following image:

     

    clipview.png

     

    Once here, click on View and copy the contents of the window.

     

    copy.png

     

    This copied text is the certificate request that we submit to the Certificate Authority to have the actual certificate issued.
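    Before pasting the request into the CA it is worth confirming that what CertLoader handed you is a well-formed, Base-64-encoded PKCS#10 request whose subject names the device identity you expect. The script below is an added example written for this page, not Wavelink's code and not part of SecurePlus or CertLoader. It decodes the PEM armour, walks the DER structure just far enough to read the version and the subject Common Name, and compares the CN against an expected identity. It assumes (and this is an assumption, not something the page states) that CertLoader puts the device ID (domain\User in this guide) into the CN; the embedded sample request is constructed in the script with a placeholder key and signature, and signature verification is deliberately left out so that the example runs with the Python standard library alone.

```python
"""Sanity-check a Base-64 PKCS#10 request before submitting it to the CA.

Added example (not Wavelink's code).  Parses only what is needed: the PEM
armour, the outer CertificationRequest SEQUENCE, the version INTEGER and the
subject Name.  Signature verification is intentionally omitted.
"""
import base64
import re

# ---- minimal DER helpers (enough for a PKCS#10 skeleton) -------------------
def _der_len(n):
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Tag-length-value encoding of one DER element."""
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    """DER SEQUENCE of already-encoded items."""
    return tlv(0x30, b"".join(items))

def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

OID_CN = bytes.fromhex("550403")            # id-at-commonName, 2.5.4.3

def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour and Base-64 decode the body."""
    m = re.search(r"-----BEGIN[^-]*-----(.*?)-----END[^-]*-----", pem, re.S)
    if not m:
        raise ValueError("no PEM armour found in the pasted text")
    return base64.b64decode("".join(m.group(1).split()))

def request_subject_cn(pem):
    """Return (version, CN) from a PKCS#10 request, or raise ValueError."""
    der = pem_to_der(pem)
    tag, cr, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    info_tag, info = next(children(cr))     # certificationRequestInfo
    if info_tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    parts = list(children(info))            # version, subject, SPKI, attrs
    version = int.from_bytes(parts[0][1], "big")
    subj_tag, subject = parts[1]
    if subj_tag != 0x30:
        raise ValueError("subject is not a Name")
    for _, rdn in children(subject):        # each RDN is a SET of AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))[:2]
            if oid == OID_CN:
                return version, value.decode("utf-8")
    raise ValueError("no commonName in subject")

def check_request(pem, expected_cn):
    """True if the request is v1 and its CN equals the expected device identity."""
    version, cn = request_subject_cn(pem)
    return version == 0 and cn == expected_cn

# ---- constructed sample: a skeleton CSR with a dummy key and signature -----
def build_sample_request(cn):
    """Build a PEM request whose subject is CN=<cn>; key/signature are placeholders."""
    rdn = tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode("utf-8"))))
    spki = seq(seq(tlv(0x06, bytes.fromhex("2A864886F70D010101")), tlv(0x05, b"")),
               tlv(0x03, b"\x00" * 17))     # rsaEncryption + placeholder key bits
    info = seq(tlv(0x02, b"\x00"),          # version v1(0)
               seq(rdn),                    # subject Name
               spki,
               tlv(0xA0, b""))              # attributes [0], empty
    sig_alg = seq(tlv(0x06, bytes.fromhex("2A864886F70D01010B")), tlv(0x05, b""))
    der = seq(info, sig_alg, tlv(0x03, b"\x00" * 17))   # dummy signature
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body +
            "\n-----END NEW CERTIFICATE REQUEST-----\n")

SAMPLE = build_sample_request("qatest\\cachilli")   # constructed, mirrors the guide's domain\User

if __name__ == "__main__":
    print(request_subject_cn(SAMPLE))
    print(check_request(SAMPLE, "qatest\\cachilli"))
```

    Paste the text copied from CertLoader in place of SAMPLE and the expected identity in place of "qatest\cachilli"; a ValueError means the clipboard did not contain a complete request and the copy step should be repeated before anything is submitted to the CA.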

     

    ____________________________________________________________________

     

    Step 3. Certificate Authority

    ____________________________________________________________________

     

    Navigate to the Certificate Authority's web enrollment page and select Request a certificate.

     

    auth1.png

     

    Next we want to submit an advanced certificate request.

     

    auth2.png

     

    On the next screen, select the option to submit a base-64-encoded request.

     

    auth3.png

    On the request page, select User from the template drop-down and paste in the request text you copied from CertLoader.

     

    auth4.png

     

    Now select Submit >.

     

    Once submitted you will be taken to an issued-certificate page as shown below.

     

    auth5.png

    On this page, select "Base 64 encoded" and "Download certificate chain" (the chain, rather than the certificate alone, so that the issuing CA's certificate is delivered to the device along with its own). You will be prompted to save the file. Save it, open it in WordPad or Notepad, and copy the entire contents.

     

    auth6.png

    auth7.png

     

    auth8.png

     

    We are now ready to go back to CertLoader!

    ______________________________________

    Loading the certificate:

    If you still have the window open from the previous creation step, click the red X on the screen to return to the main menu.

    This time click on Assign Certificate:

     

    load1.png

     

    Once this process starts, it opens a window into which you paste the information you copied from the downloaded certificate chain.

     

    load3.png

     

    Once the certificate information has been pasted in, click "OK".

     

    At this point the certificate will be placed on the device. The device should reboot when done.

     

    If we now look at the device, it should be connected to the AP with the certificate in place.

    The screen shots below are from the device's Fusion radio Wavelink profile.

     

    ____________________________________________________________________

     

    Step 4. Verify the certificate took on the device

    ____________________________________________________________________

     

    The device should now be connected to the network; for visual inspection, it should look like the screen shots below.

     

    fusion1.PNG

     

     

    Verify the IP address:

     

    fusion3.png

     

    fusion2.png

     

     

     

    Assumptions:

    This guide assumes that you know how to set up a RADIUS server and Active Directory, and how to configure your AP to communicate with the RADIUS server. You should also be able to install and run programs and executables such as AMC, enablers, etc.

    Information contained herein is subject to change without notice.