Configuring certificate authentication using AppTunnel with TCP tunneling for Android secure apps
Overview
Configuring certificate authentication for AppTunnel with TCP tunneling starts with the procedure for configuring AppTunnel with TCP tunneling. In addition, you add key-value pairs to the app’s AppConnect app configuration that specify:
-
The AppTunnel TCP services that you configure on the Standalone Sentry that require certificate authentication.
-
The user certificate for the app to present to the enterprise server.
This certificate can be one that is specific to the enterprise server, a default user certificate for services that do not require a specific certificate, or the same certificate that the app presents to the Standalone Sentry.
-
The certificate is either an identity certificate or a group certificate.
The following excerpt from the Standalone Sentry configuration and the AppConnect app configuration for a Finance app and a Helpdesk app summarizes this additional configuration:
Figure 1. Sample configuration for certificate authentication with TCP tunneling
The Finance app and the Helpdesk app:
-
Authenticate to the Standalone Sentry using the certificate defined by the AppTunnelCert Certificate Enrollment setting.
This Certificate Enrollment setting is specified as the Identity Certificate in the AppTunnel rules for the AppConnect app configuration for each app.
-
Use AppTunnel with TCP tunneling to access the TCP_FINANCE service and TCP_HELPDESK service, respectively.
-
Use certificate authentication with AppTunnel with TCP tunneling.
In each app’s AppConnect app configuration, the value of ES_CERT_AUTH_SERVICES lists the service that uses certificate authentication.
The two apps use different certificates to authenticate to their respective enterprise servers. The Finance app uses a specific certificate, defined in the FinanceCert Certificate Enrollment setting. The Helpdesk app uses a default certificate, defined in the DefaultEnterpriseCert Certificate Enrollment setting, to authenticate to its enterprise server. Other apps that access other enterprise services can also use this default certificate.
The following diagram illustrates the use of the certificates:
Figure 2. Certificate usage in certificate authentication with TCP tunneling
High-level tasks for certificate authentication using AppTunnel with TCP tunneling
Do the following tasks to set up certificate authentication using AppTunnel with TCP tunneling:
-
Configure AppTunnel with TCP tunneling for the app.
See Configuring AppTunnel with TCP tunneling for Android secure apps.
-
Set up the certificate for authenticating the user to the enterprise server.
-
Specify the AppTunnel services that use certificate authentication.
-
Specify which certificate to use to authenticate the user to the enterprise server.
Setting up the certificate for authenticating the user to the enterprise server
You specify the certificate that the app uses to authenticate the user to the enterprise server. The certificate is either an identity certificate or a group certificate.
This certificate can be:
-
a specific certificate that is used for a specific enterprise service
-
a default certificate used for enterprise services that do not require a specific certificate.
-
the same certificate that authenticates the user to the Standalone Sentry.
If you do not specify another certificate for a service, either a specific certificate for that service or a default certificate, the app authenticates to the enterprise service with the same certificate it presents to the Standalone Sentry.
If you require a specific certificate or a default certificate other than the certificate you already set up for the Standalone Sentry, set up the certificate in the Admin Portal:
-
Go to Policies & Configs > Configurations.
-
Select Add New > Certificate Enrollment.
-
Configure the Certificate Enrollment setting as described in detail in “Certificate Enrollment settings” in the Core Device Management Guide for Android and Android Enterprise Devices.
Specifying the AppTunnel services that use certificate authentication
The AppConnect app configuration specifies the AppTunnel services that your secure app uses. It refers to the AppTunnel services that you configured on the Standalone Sentry as described in Configuring the AppTunnel TCP service in the AppConnect app configuration.
You also specify in the AppConnect app configuration which of those AppTunnel services use certificate authentication. Do the following steps:
-
In the Admin Portal, select Policies & Configs > Configurations.
-
Select the AppConnect app configuration for your secure app.
-
Click Edit.
-
In the App-specific Configurations section, click Add+ to add a key-value pair.
-
For the key, enter ES_CERT_AUTH_SERVICES, which is case sensitive.
-
For the value, enter the list of AppTunnel services that your app uses. Typically apps use only one AppTunnel service, but using multiple AppTunnel services is supported. Separate the services with a semi-colon.
Examples:
TCP_HELPDESK
TCP_HELPDESK;TCP_WIKI;TCP_FINANCE
In these examples, TCP_HELPDESK, TCP_WIKI and TCP_FINANCE are services defined on the Standalone Sentry in the AppTunnel Configuration section.
Make sure that each listed service exactly matches, including case, the AppTunnel service name configured on the Standalone Sentry.
-
Click Save.
Specifying which certificate to use to authenticate the user to the enterprise server
To specify the certificate for the user to authenticate to the enterprise server, you add a key-value pair to the AppConnect app configuration, as described in the following table:
Key: <service_name>_CERT
where <service_name> is one of the AppTunnel services that the app uses, which you listed in Specifying the AppTunnel services that use certificate authentication. Example: TCP_HELPDESK_CERT. The key is case sensitive. Make sure that the <service_name> exactly matches, including case, the AppTunnel service name.
Value: The Certificate Enrollment setting for a certificate used specifically for this AppTunnel service. The configured Certificate Enrollment settings appear in the value field’s drop-down list. Note the following:

Key: ES_DEFAULT_CERT
The key is case sensitive.
Value: The Certificate Enrollment setting for a default certificate used for services that do not require a specific certificate. The configured Certificate Enrollment settings appear in the value field’s drop-down list.
To specify the certificate in the AppConnect app configuration:
-
In the Admin Portal, select Policies & Configs > Configurations.
-
Select the AppConnect app configuration for your secure app.
-
Click Edit.
-
In the App-specific Configurations section, click Add+ to add a key-value pair.
-
Enter a key named <service_name>_CERT for a certificate used specifically for the AppTunnel service, or enter a key named ES_DEFAULT_CERT for a default certificate.
-
For the value, select the Certificate Enrollment that you configured for the certificate. The Certificate Enrollment settings appear in the value field’s drop-down list.
-
Click Save.
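The two procedures above, Specifying the AppTunnel services that use certificate authentication and Specifying which certificate to use to authenticate the user to the enterprise server, together determine which certificate an app presents to each enterprise server. The following added example (not part of the product or this documentation) models that resolution as a pre-deployment check on the key-value pairs: a <service_name>_CERT entry wins for its service, otherwise ES_DEFAULT_CERT applies, otherwise the app falls back to the certificate it already presents to the Standalone Sentry. It also catches the mistakes the page warns about, namely service names that do not exactly match (including case) the names defined on the Sentry, and a <service_name>_CERT key for a service that is not listed in ES_CERT_AUTH_SERVICES. The dict layout, function names and the sample Finance/Helpdesk values are assumptions constructed for the example.

```python
"""Resolve which client certificate each AppTunnel TCP service will use.

Added example, not MobileIron/Ivanti code. It models the precedence rule
described on this page: <service_name>_CERT, then ES_DEFAULT_CERT, then the
certificate named as Identity Certificate in the app's AppTunnel rules.
The dict layout and sample values are assumptions for the example.
"""
from dataclasses import dataclass, field

CERT_AUTH_KEY = "ES_CERT_AUTH_SERVICES"
DEFAULT_CERT_KEY = "ES_DEFAULT_CERT"
CERT_SUFFIX = "_CERT"


@dataclass
class Resolution:
    # service name -> (Certificate Enrollment name, origin of the choice)
    certs: dict = field(default_factory=dict)
    # human-readable configuration problems, in the order they were found
    problems: list = field(default_factory=list)


def resolve_service_certs(app_config, sentry_services, sentry_identity_cert):
    """app_config: the App-specific Configurations key-value pairs (dict).
    sentry_services: AppTunnel service names defined on the Standalone Sentry.
    sentry_identity_cert: the Certificate Enrollment used as Identity
    Certificate in the app's AppTunnel rules (the Sentry certificate).
    """
    result = Resolution()
    raw = app_config.get(CERT_AUTH_KEY, "")
    # The value is a semicolon-separated list; names are case sensitive.
    services = [s.strip() for s in raw.split(";") if s.strip()]
    if not services:
        result.problems.append(f"{CERT_AUTH_KEY} is missing or empty")
        return result

    defined = set(sentry_services)
    by_lowercase = {s.lower(): s for s in sentry_services}
    for svc in services:
        if svc not in defined:
            # Distinguish a case mismatch from a service that does not exist.
            hint = by_lowercase.get(svc.lower())
            if hint:
                result.problems.append(
                    f"{svc!r} does not match Sentry service {hint!r} (case differs)")
            else:
                result.problems.append(
                    f"{svc!r} is not an AppTunnel service on the Sentry")
            continue
        specific = app_config.get(svc + CERT_SUFFIX)
        if specific:
            result.certs[svc] = (specific, "specific")
        elif app_config.get(DEFAULT_CERT_KEY):
            result.certs[svc] = (app_config[DEFAULT_CERT_KEY], "default")
        else:
            result.certs[svc] = (sentry_identity_cert, "sentry")

    # A <service>_CERT key whose service is not listed for certificate
    # authentication is dead configuration and usually a typo.
    for key in app_config:
        if key.endswith(CERT_SUFFIX) and key != DEFAULT_CERT_KEY:
            svc = key[: -len(CERT_SUFFIX)]
            if svc not in services:
                result.problems.append(
                    f"{key} is set but {svc!r} is not listed in {CERT_AUTH_KEY}")
    return result


# Constructed sample mirroring the Finance and Helpdesk apps in Figure 1.
SENTRY_SERVICES = ["TCP_FINANCE", "TCP_HELPDESK", "TCP_WIKI"]

FINANCE_APP = {
    "ES_CERT_AUTH_SERVICES": "TCP_FINANCE",
    "TCP_FINANCE_CERT": "FinanceCert",
}
HELPDESK_APP = {
    "ES_CERT_AUTH_SERVICES": "TCP_HELPDESK;TCP_WIKI",
    "ES_DEFAULT_CERT": "DefaultEnterpriseCert",
}
# Constructed misconfiguration: wrong case on the service name, and a
# per-service certificate key for a service that is not listed.
BROKEN_APP = {
    "ES_CERT_AUTH_SERVICES": "tcp_helpdesk",
    "TCP_WIKI_CERT": "WikiCert",
}

if __name__ == "__main__":
    for name, cfg in [("Finance", FINANCE_APP), ("Helpdesk", HELPDESK_APP),
                      ("Broken", BROKEN_APP)]:
        r = resolve_service_certs(cfg, SENTRY_SERVICES, "AppTunnelCert")
        print(f"{name}: certs={r.certs} problems={r.problems}")
```

Run against the Finance sample the check resolves TCP_FINANCE to FinanceCert, against the Helpdesk sample both listed services resolve to DefaultEnterpriseCert, and an app with neither key falls back to the Sentry certificate (AppTunnelCert here). The broken sample produces no resolved services and two problems, which is the outcome you want to see before saving a configuration rather than after users report that the enterprise server is rejecting them.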