Configuring Symantec Web Services Managed PKI

Integration with Symantec Web Services Managed PKI version 8.x enables you to configure certificate-based authentication. The following describes how to configure Symantec Web Managed PKI in Ivanti EPMM.

Before you begin

  • Set up your account for Symantec Web Services Managed PKI with Symantec.
  • Create an MDM (Web Service Client) profile in the Symantec PKI manager that you will use for the Ivanti EPMM integration.

    SeatID

    Be sure to include the Symantec SeatID as a required certificate profile field. In a Symantec Web Services Managed PKI environment, Symantec uses the SeatID to track the number of seats for billing purposes.

    To correctly track the number of seats, the SeatID value in the Ivanti EPMM SCEP settings must map to the value you created for the SeatID in the Symantec PKI Manager. For example, if the user's email address is used as the SeatID in Symantec PKI Manager, the Ivanti EPMM SCEP settings should map the Ivanti EPMM email address attribute to the Symantec SeatID.

    Ivanti EPMM associates each issued Symantec certificate with a SeatID in the Symantec PKI Manager. If the SeatID does not exist, a new Symantec user account and SeatID are automatically created for the user at the time the certificate is requested.

  • Gather the following items:
    • The server address for the Symantec Web Services Managed PKI.
      On Ivanti EPMM the default is set to pki-ws.symauth.com.
    • The Registration Authority (RA) certificate Ivanti EPMM will use to authenticate to the Symantec CA.

Procedure

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > Symantec Web Managed PKI.
  2. Use the following guidelines to specify the settings:

    The Required Fields and Optional Fields for the certificate are displayed based on how the MDM (Web Service Client) profile was set up in the Symantec PKI manager.

    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • Store keys on Ivanti EPMM: Specifies whether Ivanti EPMM stores the private key sent to each device. If you are using a Symantec profile that is set up to store keys on the Symantec server, you typically do not select this option.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

      The certificate is revoked when the user is removed from Ivanti EPMM.

    • Device Certificate: Specifies that the certificate is bound to the given device. Make sure the Symantec certificates are unique for each device.

      The certificate is revoked when the device is retired from Ivanti EPMM.

    • API URL: Enter the server address for the Symantec Web Services Managed PKI (received from Symantec).

      The default is set to pki-ws.symauth.com.

      Do not add https:// before the server name, and do not add path information after the server name. Only the hostname of the Symantec CA server should be provided.

    • Certificate 1: Navigate to and select the RA certificate you received from Symantec. This is usually a .p12 file. Enter the password for the certificate when prompted.
    • Password 1: (Optional if certificate and password are stored in the same file.) Enter the password for the certificate.
    • Add Certificate: Click this link to add one or more certificates, as necessary.
    • Profile: This is the profile to be used for the integration. If you do not see an expected profile, then it most likely contains multiple credentials, a configuration that Ivanti EPMM does not currently support.
    • Profile Description: This is pre-populated based on the profile you select.
    • Application Description: This is populated automatically based on the selected profile.
    • ms_sid: You must use the profile for which Microsoft Security Identifier (SID) support has been added by DigiCert. Select the $USER_SID$ value from the drop-down list to generate a certificate with the SID extension, provided the LDAP user has a SID value.
    • mail_email: Use the drop-down list to select $EMAIL$.
  3. (Optional) Click Issue Test Certificate to generate a test certificate and verify that the configuration contains no errors. This step is optional but recommended. No real certificate is issued.
  4. Click Save.

    If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.
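The API URL field accepts only a bare hostname. The following pre-flight check, an added example that is not part of the Ivanti or Symantec documentation, normalizes a value an operator is about to paste into that field: it strips a scheme, path or port that the page says must not be present, reports what it removed, falls back to the documented default when the value is empty, and rejects anything that is still not a valid hostname. The function names and the default constant are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Default shown in the Ivanti EPMM UI for the Symantec API URL field.
DEFAULT_API_HOST = "pki-ws.symauth.com"

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_bare_hostname(value: str) -> bool:
    """True only for a hostname: no scheme, no path, no port, no whitespace."""
    if not value or value != value.strip() or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def normalize_api_host(value: str) -> tuple[str, list[str]]:
    """Return (hostname, warnings) for a value destined for the API URL field.

    Raises ValueError if no valid hostname can be recovered from the input.
    """
    warnings: list[str] = []
    raw = value.strip()
    if not raw:
        return DEFAULT_API_HOST, ["empty value; using default " + DEFAULT_API_HOST]
    # urlsplit only treats the text as host[:port] when it follows '//',
    # so prefix '//' when the operator typed no scheme at all.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    if parts.scheme:
        warnings.append(f"removed scheme '{parts.scheme}://'")
    if parts.path or parts.query or parts.fragment:
        warnings.append("removed path information after the server name")
    if parts.port is not None:  # may raise ValueError on a non-numeric port
        warnings.append(f"removed port {parts.port}")
    host = parts.hostname or ""  # lower-cased by urlsplit
    if not is_bare_hostname(host):
        raise ValueError(f"not a valid hostname: {value!r}")
    return host, warnings


if __name__ == "__main__":
    for sample in ["https://pki-ws.symauth.com/pki-ws/", "pki-ws.symauth.com", ""]:
        print(sample or "<empty>", "->", normalize_api_host(sample))
```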

Revoking the certificate

You can revoke a Symantec Web Services Managed PKI certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the Symantec Web Services Managed PKI manager. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

Procedure

  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Click Actions > Revoke.