on 01-16-2015 9:29 AM
Hi,
I have an Afaria 7 SPF5 farm. I built it for Android. But now we have to manage iOS devices too.
Here is my brief:
I have Active Directory
I have an Enterprise Subordinate CA with the NDES role installed
I have two Afaria servers (Master and Slave), members of Active Directory
I have two Relay Servers in the DMZ, not members of Active Directory
Now question:
My iOS clients don't interact with Active Directory, such as with a username or password. So, can I install a CA on my Master Afaria server? But not as "Enterprise"; can I install this CA as "Standalone"?
Hi Ercin,
I have the company's Active Directory and its CA. Its properties are like this:
------------------------------------
>certutil -CAInfo
Exit module count: 1
CA name: YasarCA1
Sanitized CA short name (DS name): YasarCA1
CA type: 1 -- Enterprise Subordinate CA
ENUM_ENTERPRISE_SUBCA -- 1
CA cert count: 4
KRA cert count: 3
KRA cert used count: 1
--------------------------------------
I think it is Enterprise Subordinate.
I installed the NDES role following the directives of Afaria. And then so many import/export CSR things.
But at the end, when I try to install the APNS certificate into Afaria, I get an error:
I didn't find any explanation about this error.
Additionally, in the Installation Guide / Installing Enrollment Server / Page 10, there is an instruction about the wizard. It says:
But while I re-installed enrollment, I didn't see this screen.
As a result, iOS things on Afaria are always a problem.
Hi Tevfik,
Did you follow the steps of KBA 1842588 to generate the Apple Push certificate?
"What is the process to follow in order to generate a APNS certificate from the Apple Push Certificates Portal?"
Can you try to create a new APNS certificate again following these steps? The error message says, "Error validating certificate,..." so I could think that there is an issue with this certificate itself. Maybe it is simply corrupt. You need to do all steps of KBA 1842588 with the same IIS. I always use the IIS of the Afaria server for this while I am logged on as the Afaria service user who is a member of the local administrators group.
What you have found on page 10 is a different wizard. It describes what you need to import as root CA certificate into the enrollment server for signing.
The process of importing the APNS certificate into the iOS notification section is described here:
http://help.sap.com/Download/Multimedia/zip-afaria/SP5_Configuring.pdf on page 29
Regards
Ercin Nurol
Active Global Support
But in this case, I have to bind https and port 443 in the Relay Server IIS. So the Relay Server IIS asks me for a certificate. Which cert?
Hi,
Tracy, I guessed it.
Thanks.
But one thing is still blurry. Does iOS use the same enrollment RSOE, or do I need a new one?
Tevfik,
Each Afaria server that has all components should have 3 RSOE. One for the server, one for package server and one for enrollment server. If you have installed the enrollment server on this slave, then yes this needs an RSOE. Generally speaking you can copy the RSOE configs from your master server over to the slave, and just edit them so that the connection goes to the local slave server, not the master. Does this make sense?
Hi,
If we assume that we use 443 and my original enrollment RSOE is like this:
------------------------------------------------
-id es-afaria1
-f es-afaria
-cs "host=10.40.1.212;port=80;"
-cr "host=172.31.255.88;port=5007;url_suffix=/ias_relay_server/server/rs_server.dll"
-q
-o c:\Temp\rsoe-enroll.log
----------------------------------------------
So, iOS enrollment will be like this:
-id es-afaria1-ios
-f es-afaria-ios
-cs "host=10.40.1.212;port=80;"
-cr "host=172.31.255.88;port=443;url_suffix=/ias_relay_server/server/rs_server.dll"
-q
-o c:\Temp\rsoe-enroll.log
Right?
Last question about that:
Do I have to do all steps for the slave Afaria server in the farm?
Tevfik,
You will use the same certificates etc. for the slave server. On install you specify the same database and any farm-wide settings will populate in the server. You will need to go into the server configuration and change any local settings (like HTTP port) if you are not using the standard ones. A lot of the settings carry over.
Tracy
Last question, for information:
I want to send Push Notification Messages to iOS users like Android. But I know that I can't send messages to a client which is downloaded from the Apple Store.
So what should I do, from publishing the client to enrolling and sending a message to the client?
Is there any article that describes it step by step?
Regards..
Hi Ercin,
I think you're right. In the certificate creation steps, at the apple.com step, something went wrong or the cert was corrupted. Now I can see the name of the cert in the iOS notification branch of the Afaria Admin UI.
Hi Tevfik,
I definitely suggest installing an Enterprise CA server rather than a standalone CA server.
The Network Device Enrollment Service (NDES) will generate so-called RA certificates. These RA certificates expire on an Enterprise CA server after 2 years and on a standalone CA server after 1 year. You can renew the RA certificates of an Enterprise CA server without uninstalling and installing the NDES server; however, for a Standalone CA server you need to uninstall/install the NDES server, which however breaks iOS device management with Afaria7SP5. So my suggestion is definitely to install an Enterprise CA server.
Regards
Ercin Nurol
SAP Active Global Support
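
Added example (not part of the original thread, and not SAP or Microsoft code): a PowerShell check, run elevated on the NDES host, that reports how long the RA certificates discussed above have left before they expire. It assumes the RA certificates are in the local machine Personal store and carry the Certificate Request Agent EKU; the 60-day warning threshold is an arbitrary value chosen for illustration.

```powershell
# Assumption: NDES RA certificates live in Cert:\LocalMachine\My and carry the
# Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1).
$raEkuOid = '1.3.6.1.4.1.311.20.2.1'
$warnDays = 60          # illustrative threshold, set to your renewal lead time
$now      = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $raEkuOid } |
    ForEach-Object {
        # Whole days remaining; negative means the certificate has already expired.
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $warnDays) { 'RENEW SOON' }
                  else { 'OK' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    } | Sort-Object DaysLeft

if (-not $report) {
    # Nothing matched: wrong host, wrong store, or NDES is not installed here.
    Write-Warning 'No certificate with the Certificate Request Agent EKU found in LocalMachine\My.'
} else {
    $report | Format-Table -AutoSize
}
```

Scheduling this and alerting on anything other than `OK` gives advance notice before an expired RA certificate interrupts iOS enrollment.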
Tevfik,
I have seen this configuration used before but generally only in test situations. Most people use their already installed Enterprise CAs if they have them. The CA will add more work to the master server, so if it is going to be a big environment I would not put it on the same server. Anywhere you put it, you will need the CA's root cert installed into the Afaria enrollment servers, and most probably the relay servers as well. With iOS having a signed payload this is necessary.
Tracy Barkley
SAP Active Global Support