
Afaria 7 SP5 fresh install iOS things

former_member686053
Active Participant
0 Kudos

Hi,

I have an Afaria 7 SP5 farm. I built it for Android, but now we have to manage iOS devices too.

Here is my brief:

I have Active Directory

I have an Enterprise Subordinate CA with the NDES role installed

I have two Afaria servers (Master and Slave), members of Active Directory

I have two Relay Servers in the DMZ, not members of Active Directory

Now question:

My iOS clients don't interact with Active Directory, such as username or password. So, can I install a CA on my Master Afaria server? But not as "Enterprise"; can I install this CA as "Standalone"?

Accepted Solutions (1)

former_member686053
Active Participant
0 Kudos

Hi Ercin,

I have the company's Active Directory and its CA. Its properties are like this:

------------------------------------
>certutil -CAInfo
Exit module count: 1
CA name: YasarCA1
Sanitized CA short name (DS name): YasarCA1
CA type: 1 -- Enterprise Subordinate CA
    ENUM_ENTERPRISE_SUBCA -- 1
CA cert count: 4
KRA cert count: 3
KRA cert used count: 1
--------------------------------------

I think it is Enterprise subordinate.

I installed the NDES role as per the Afaria directives. And then so many import/export CSR things.

But at the end, when I try to install the APNS certificate into Afaria, I get an error:

I didn't find any explanation about this error.

Additionally, in Installation Guide/Installing Enrollment Server/Page 10/ there is an instruction about the wizard. It says:

But when I re-installed enrollment, I didn't see this screen.

As a result, iOS things on Afaria are always a problem.

ercin_nurol
Explorer
0 Kudos

Hi Tevfik,

Did you follow the steps of KBA 1842588 to generate the Apple Push certificate?

"What is the process to follow in order to generate a APNS certificate from the Apple Push Certificates Portal?"

Can you try to create a new APNS certificate again following these steps? The error message says, "Error validating certificate,..." so I could think that there is an issue with this certificate itself. Maybe it is simply corrupt. You need to do all steps of KBA 1842588 with the same IIS. I always use the IIS of the Afaria server for this while I am logged on as the Afaria service user, who is a member of the local administrators group.

What you have found on page 10 is a different wizard. It describes what you need to import as root CA certificate into the enrollment server for signing.

The process of importing the APNS certificate into the IOS notification section is described here:

http://help.sap.com/Download/Multimedia/zip-afaria/SP5_Configuring.pdf on page 29

Regards

Ercin Nurol

Active Global Support

Answers (7)

Answers (7)

former_member686053
Active Participant
0 Kudos

But in this case, I have to bind https and port 443 in the Relay Server IIS. So, the Relay Server IIS asks me for a certificate. Which cert?

former_member686053
Active Participant
0 Kudos

Hi,

Tracy, I guessed it.

Thanks.

But one thing is still blurry: does iOS use the same enrollment RSOE, or do I need a new one?

tracy_barkley
Employee
0 Kudos

Tevfik,

Each Afaria server that has all components should have 3 RSOE.  One for the server, one for package server and one for enrollment server.  If you have installed the enrollment server on this slave, then yes this needs an RSOE.  Generally speaking you can copy the RSOE configs from your master server over to the slave, and just edit them so that the connection goes to the local slave server, not the master.  Does this make sense?

former_member686053
Active Participant
0 Kudos

Hi,

If we assume that we use 443 and my original enrollment RSOE is like this:

------------------------------------------------
-id    es-afaria1
-f    es-afaria
-cs    "host=10.40.1.212;port=80;"
-cr    "host=172.31.255.88;port=5007;url_suffix=/ias_relay_server/server/rs_server.dll"
-q
-o c:\Temp\rsoe-enroll.log
----------------------------------------------

So, iOS enrollment will be like this:

------------------------------------------------
-id    es-afaria1-ios
-f    es-afaria-ios
-cs    "host=10.40.1.212;port=80;"
-cr    "host=172.31.255.88;port=443;url_suffix=/ias_relay_server/server/rs_server.dll"
-q
-o c:\Temp\rsoe-enroll.log
----------------------------------------------

right?

former_member686053
Active Participant
0 Kudos

Last question about that:

Do I have to do all the steps for the slave Afaria server in the farm?

tracy_barkley
Employee
0 Kudos

Tevfik,

You will use the same certificates etc for the slave server.  On install you specify the same database and any farm wide settings will populate in the server.  You will need to go into the server configuration and change any local settings ( like Http port) if you are not using the standard ones.  A lot of the settings carry over.

Tracy

former_member686053
Active Participant
0 Kudos

Last question, for information:

I want to send push notification messages to iOS users, like on Android. But I know that I can't send messages to a client which was downloaded from the Apple Store.

So what should I do, from publishing the client to enrolling and sending messages to the client?

Is there any article to describe step by step?

Regards..

ercin_nurol
Explorer
0 Kudos

Please have a look at KBA 1931188

Please open a new thread if you have further questions on that.

Thank you.

Regards

Ercin

former_member686053
Active Participant
0 Kudos

Hi Ercin,

I think you're right. In the certificate creation steps, at the apple.com step, something went wrong or the cert was corrupted. Now I can see the name of the cert in the iOS notification branch of the Afaria Admin UI.

ercin_nurol
Explorer
0 Kudos

Hi Tevfik,

I am glad I could help you.

Best regards

Ercin

Active Global Support

ercin_nurol
Explorer
0 Kudos

Hi Tevfik,

I definitely suggest installing an Enterprise CA server rather than a standalone CA server.

The Network Device Enrollment Service (NDES) will generate so-called RA certificates. These RA certificates expire on an Enterprise CA server after 2 years and on a standalone CA server after 1 year. You can renew the RA certificates of an Enterprise CA server without uninstalling and installing the NDES server; however, for a Standalone CA server you need to uninstall/install the NDES server, which however breaks iOS device management with Afaria 7 SP5. So my suggestion is definitely to install an Enterprise CA server.

Regards

Ercin Nurol

SAP Active Global Support
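
Since the reply above ties iOS management to the lifetime of the NDES RA certificates, this added PowerShell example (not part of the thread and not SAP's or Afaria's own tooling) reports how many days each RA certificate on the NDES host has left. It assumes the RA certificates sit in the `LocalMachine\My` store and carry the Certificate Request Agent EKU; the 60-day warning threshold is a constructed value.

```powershell
# Added example: report remaining lifetime of certificates that look like
# NDES RA certificates, so renewal can be planned before they expire.
# Assumptions (not from the thread): the RA certificates are in the NDES
# host's LocalMachine\My store and carry the Certificate Request Agent EKU.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$WarnDays        = 60                          # constructed warning threshold

function Get-RaCertificateStatus {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Find the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }

        # Keep only certificates whose EKU list includes Certificate Request Agent.
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $RequestAgentOid) { continue }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
        $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' } else { 'OK' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
        }
    }
}

# Soonest-to-expire first.
Get-RaCertificateStatus | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it in an elevated session on the server that hosts the NDES role; an empty result means no certificate in that store matched the assumed EKU.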


tracy_barkley
Employee
0 Kudos

Tevfik,

I have seen this configuration used before but generally only in test situations.  Most people use their already installed Enterprise CAs if they have them.  The CA will add more work to the master server so if it is going to be a big environment I would not put it on the same server.  Anywhere you put it, you will need the CA's root cert installed into the Afaria enrollment servers, and most probably the relay servers as well.  With iOS having a signed payload this is necessary.

Tracy Barkley

SAP Active Global Support