Configuring certificate-based tunneling for IBM Verse clients on Android enterprise

You can set up certificate-based tunneling for IBM Verse clients using Standalone Sentry on Android enterprise devices. Certificate -based tunneling only supports SyncML traffic. Certificate-based tunneling does not require Ivanti Tunnel or AppConnect.

Before you begin 

Core must be set up for Android enterprise. For more information, see Core Device Management Guide for Android for Work.

Core must be set up as an independent root CA. See the “Configuring Core as an independent root CA (Self-Signed)” section in the Device Management Guide for Android for information on how to create a local CA and the corresponding Local certificate enrollment setting.

Add the following for Subject Alternative Names in the Local certificate enrollment setting:

Type: Uniform Resource Identifier


The URI scheme, cbt,, is case insensitive. is the hostname and can be anything.

Ensure that the Local certificate enrollment setting is applied to a label containing the Android enterprise devices which will use certificate-based tunneling.

Standalone Sentry must be enabled for AppTunnel and set up to do device authentication using Identity certificates. Upload the Core local self-signed CA in Standalone Sentry settings in the  Core Admin Portal.

Both Pass Through and Kerberos are supported for server authentication.


1. In the Core Admin Portal, go to Services > Sentry.
2. Click the edit icon for a Standalone Sentry that is enabled for AppTunnel and configured to use Identity certificates for device authentication.
3. In the AppTunnel Configuration section, add an AppTunnel service in Services.



Service Name

Enter a name for the service in the following format:


The FQDN is for the external hostname assigned to Standalone Sentry.


Server Auth

Select Pass Through.

Server List

Enter the backend resource’s host name or IP address (usually an internal host name or IP address). Include the port number on the backend resource that Standalone Sentry can access.

You can enter multiple servers. Standalone Sentry uses a round-robin distribution to load balance. That is, it sets up the first tunnel with the first resource, the next with the next resource, and so on. Separate each resource name with a semicolon.;

TLS Enabled

Select if the servers listed in the Server List field require SSL.


Select if you want to direct the AppTunnel service traffic through the proxy server.

You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).

Server SPN List

Enter the Service Principal Name (SPN) for each server, separated by semicolons.

4. Click Save.