Advanced: Outgoing SSL Configuration
For outgoing SSL/TLS connections, MobileIron Core supports:
- protocol version TLS v1.2 only (TLS v1.0 and TLS v1.1 are not supported)
- a default set of disabled and selected cipher suites.
Use the Security > Advanced > Outgoing SSL Configuration options to configure the cipher suites to use for outgoing SSL/TLS connections from Core to external servers. Use this feature to also:
- configure MobileIron Core to be PCI-DSS 3.1 compliant
- change the cipher suites for outgoing SSL/TLS connections if you have particular security or performance requirements
The configuration impacts connections to all external servers. Examples of external servers are SCEP servers and Apple Push Notification Service (APNS).
IMPORTANT: | Do not change the cipher suites unless you have specific security or performance requirements. Most customers do not need to take any actions. |
NOTE: | MobileIron Core sends the Server Name Indication (SNI) extension when making outgoing TLS connections. A TLS client (in this case Core) uses SNI to tell the TLS server which hostname it is trying to reach. When a single server answers for multiple hostnames, SNI lets the server present the TLS certificate that matches the client's request. No Core configuration is required for SNI. |
This section includes the following topics:
- Protocols and cipher suites on Core first-time installation
- Protocols and cipher suites on Core upgrades
- Protocol version negotiation for outgoing SSL/TLS connections
- Determining which servers use which protocol versions and cipher suites
- Configuring outgoing SSL/TLS connections
- Changing to the default set of cipher suites for outgoing connections
- External servers connected to with outgoing SSL connections
Protocols and cipher suites on Core first-time installation
On first-time installation, MobileIron Core supports:
- Protocol version TLSv1.2
- Default and selected cipher suites as displayed in the System Manager at Security > Advanced > Outgoing SSL Configuration.
Do not change the cipher suites until you have determined the cipher suites required for your external servers. See Determining which servers use which protocol versions and cipher suites for details.
Protocols and cipher suites on Core upgrades
Protocol versions for outgoing connections on upgrade
When you upgrade to this MobileIron Core version, the selected and disabled protocol versions are as follows, regardless of what they were set to before the upgrade:
- Selected: TLSv1.2
- Disabled: None
NOTE: | TLS v1.2 is the only supported protocol and cannot be moved to the disabled list. |
Cipher suites for outgoing connections on upgrade
When upgrading MobileIron Core, Core uses the disabled and selected sets of cipher suites that you used in the MobileIron Core from which you upgraded. The exception to this rule is when a Core release removes cipher suites. In that case, the removed cipher suites are no longer available to select after upgrade.
Note that Core has a default set of selected and disabled cipher suites. Core uses these default sets after upgrades only if you use the Reset to Default button. The default sets have changed in various Core releases. Therefore, if your upgrade path took you through a release that changed the default sets, use the Reset to Default button only with caution as described in Changing to the default set of cipher suites for outgoing connections.
The default sets changed in:
- Core 9.0
- Core 10.2.0.0, in which the following cipher suites were removed:
  - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  - SSL_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  - SSL_RSA_WITH_RC4_128_SHA
  - TLS_RSA_WITH_RC4_128_SHA
  - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  NOTE: | If you used any of these cipher suites for outgoing connections to your external servers, make sure those servers are configured with cipher suites that MobileIron Core still supports. |
- Core 10.3.0.0, in which the following cipher suites were moved to the Disabled list:
  - TLS_RSA_WITH_AES_256_GCM_SHA384
  - TLS_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA
Related topics:
- Determining which servers use which protocol versions and cipher suites
- Changing to the default set of cipher suites for outgoing connections
Protocol version negotiation for outgoing SSL/TLS connections
Because MobileIron Core supports only TLSv1.2, outgoing SSL/TLS connections fail if they are to a server that does not support TLSv1.2.
Determining which servers use which protocol versions and cipher suites
MobileIron Core uses only the TLSv1.2 protocol for outgoing connections to external servers. If an external server is not configured to use TLSv1.2, connections to it from Core will fail. Change the external server to use TLSv1.2.
MobileIron provides a utility that can determine the TLS protocols used in outgoing connections. See https://community.mobileiron.com/docs/DOC-9256.
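As an added example (not MobileIron's utility and not Core code), the following Python 3 script reproduces that check from any administrative host: it pins the handshake to TLS 1.2 and offers only a Selected list, so a server that fails here is a server Core cannot reach. Core shows IANA cipher-suite names in System Manager while OpenSSL, and therefore Python's ssl module, uses its own spelling, so the script translates the names first. The SELECTED list, the translation tables and the function names are this example's own assumptions.

```python
"""Probe an external server the way Core connects to it: TLS 1.2 only, offering
only the cipher suites in Core's Selected list.

Added example, not MobileIron's utility and not Core code. Core displays IANA
cipher-suite names; OpenSSL, and therefore Python's ssl module, uses its own
names, so the Selected list is translated first. SELECTED is a constructed
sample list, not a Core default."""
import re
import socket
import ssl

# Key-exchange/authentication prefix (IANA) -> OpenSSL spelling. Plain RSA key
# exchange is implicit in OpenSSL names (TLS_RSA_WITH_AES_128_GCM_SHA256 -> AES128-GCM-SHA256).
_KX = {"ECDHE_ECDSA": "ECDHE-ECDSA", "ECDHE_RSA": "ECDHE-RSA", "DHE_RSA": "DHE-RSA", "RSA": ""}

# Bulk cipher and MAC (IANA) -> OpenSSL spelling, for the families Core has shipped.
# OpenSSL drops "CBC" from AES names and writes 3DES as DES-CBC3.
_BULK = {
    "AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "AES_128_CBC_SHA256": "AES128-SHA256",
    "AES_256_CBC_SHA256": "AES256-SHA256",
    "AES_256_CBC_SHA384": "AES256-SHA384",
    "AES_128_CBC_SHA": "AES128-SHA",
    "AES_256_CBC_SHA": "AES256-SHA",
    "3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "RC4_128_SHA": "RC4-SHA",
}

# Constructed sample of a Selected list, strongest first (not a Core default).
SELECTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]


def iana_to_openssl(name):
    """Translate one IANA suite name (as shown in System Manager) to the OpenSSL
    name that set_ciphers() understands. The legacy SSL_ prefix Core shows on
    some suites is treated like TLS_. Unknown suites raise instead of being guessed."""
    m = re.fullmatch(r"(?:TLS|SSL)_([A-Z_]+?)_WITH_([A-Z0-9_]+)", name)
    if not m or m.group(1) not in _KX or m.group(2) not in _BULK:
        raise ValueError(f"unmapped cipher suite: {name}")
    kx, bulk = _KX[m.group(1)], _BULK[m.group(2)]
    return f"{kx}-{bulk}" if kx else bulk


def openssl_cipher_string(selected_iana):
    """Colon-separated OpenSSL cipher string for a Selected list, checked against
    the local OpenSSL build. set_ciphers() raises ssl.SSLError only when none of
    the names is usable; names it does not know are silently dropped."""
    cipher_string = ":".join(iana_to_openssl(c) for c in selected_iana)
    ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(cipher_string)
    return cipher_string


def probe_tls12(host, port=443, selected_iana=SELECTED, verify=True, timeout=5.0):
    """One handshake pinned to TLS 1.2 that offers only the given suites. A failure
    here is the failure Core would see for this server. Use verify=False for a SCEP
    or LDAP server with a private CA when only the negotiated parameters matter; it
    says nothing about whether Core would trust the certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher_string(selected_iana))
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname sends SNI, as Core does
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher, _, bits = tls.cipher()
                return {"host": host, "ok": True, "protocol": tls.version(), "cipher": cipher, "bits": bits}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # e.g. scep.corp.example:443
        host, _, port = target.partition(":")
        print(probe_tls12(host, int(port or 443)))
```

Run it as `python3 probe.py scep.corp.example:443 ldap.corp.example:636` after pasting your actual Selected list from System Manager into SELECTED. The cipher in the result is reported in OpenSSL spelling; a suite that is not in the translation tables raises ValueError rather than being silently left out of the offer, which would otherwise make the probe more permissive than Core.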
Before you change which cipher suites Core uses to connect to external servers, make sure you know which cipher suites those servers require.
The System Manager screen at Security > Advanced > Outgoing SSL Configuration shows this information.
The Disabled and Selected lists mean the following:
Field | Description |
Disabled | The cipher suite is available in Core but disabled, so Core does not use it in any connection to an external server. A cipher suite colored red is a legacy suite from a pre-9.0 Core release in your upgrade path; it is not in the current Core release's own set. |
Selected | Core can use the cipher suite in a connection to an external server. A cipher suite colored red is a legacy suite from a pre-9.0 Core release in your upgrade path; it is not in the current Core release's own set. |
An asterisk (*) on a protocol or cipher suite means the following:
Asterisk (*) | Description |
Asterisk (*) on a Disabled cipher suite or protocol | An external server requires it: a connection attempt to that server failed because the server supports none of the Selected cipher suites. Hover your mouse over the entry to list the external servers whose connections failed because that protocol or cipher suite was not in the Selected set. Example: "2 endpoints have negotiated this protocol or cipher since Endpoints: mdmenrollment.apple.com/17.146.232.35:443 accounts.google.com/216.58.192.45:443" |
Asterisk (*) on a Selected cipher suite or protocol | The protocol or cipher suite was used in a connection to an external server. Hover your mouse over the entry to list the external servers that connected to Core using it. Example: "1 endpoints have negotiated this protocol or cipher since Endpoints: appgw.mobileiron.com/199.127.91.250:443" |
To populate the usage information indicated by the asterisks:
- Run MobileIron Core for two or three days, giving it time to attempt most of its outgoing SSL/TLS connections.
- In the Admin Portal, go to Services > Overview and click Verify All. This action makes connection attempts to many external servers.
After the usage information has been populated, you can determine:
- Cipher suites in the Disabled list that you must move to the Selected list because at least one external server requires them. Alternatively, reconfigure the external server to support a cipher suite that is already selected.
- Cipher suites in the Selected list that you can move to the Disabled list because no external server uses them, typically because every server negotiates a stronger cipher suite.
Note the following:
- MobileIron Core clears the asterisks and the associated usage information once a week.
- The weekly collection period starts when you restart MobileIron Core, or when you click Apply to change the cipher suite choices.
- To see up-to-date asterisk information, click Security > Advanced > Outgoing SSL Configuration.
Configuring outgoing SSL/TLS connections
MobileIron recommends that you use the default cipher suites for outgoing SSL/TLS connections. Most customers do not need to change them. However, if you have specific security or performance requirements, you can change the choices. Before changing the cipher suites used in outgoing SSL/TLS connections, see Determining which servers use which protocol versions and cipher suites for details.
Prerequisites for configuring outgoing SSL/TLS connections
The following conditions must be met to configure outgoing SSL/TLS connections:
- In a High Availability (HA) configuration, configure outgoing SSL/TLS connections only on the primary Core. Configuring them on the second or third Core instance is not supported, because the Tomcat service is down on those instances.
- The administrator configuring the outgoing SSL/TLS connections in the System Manager must also be an administrator in the Admin Portal.
Configuring the cipher suites for outgoing SSL/TLS connections
You can configure the cipher suites for outgoing SSL/TLS connections.
NOTE: | You cannot disable the protocol TLSv1.2. If you move it to the Disabled list and click Apply, MobileIron Core displays an error message. Move TLSv1.2 back to the Selected list before clicking Apply again. |
Procedure
To change the cipher suites for outgoing SSL/TLS connections:
- Log into System Manager.
- Go to Security > Advanced > Outgoing SSL Configuration.
- Go to the Cipher Suites section.
- Click and drag cipher suites between the Disabled and Selected lists to select the cipher suites to use for outgoing SSL/TLS connections.
- List the cipher suites in order of preference, highest first, by dragging each cipher suite up or down in the Selected list. Core offers the suites to each external server in this order, and the server chooses among the listed suites that it supports, so MobileIron suggests listing the strongest cipher suites first. A server configured to enforce its own preference order picks by that order instead; in that case only membership in the Selected list matters.
- Click Apply > OK. MobileIron Core's Tomcat service, which supports web requests to and from Core, restarts automatically.
Changing to the default set of cipher suites for outgoing connections
When you upgrade MobileIron Core, the set of outgoing SSL/TLS protocols and cipher suites on your MobileIron Core are the ones described in Protocols and cipher suites on Core upgrades.
You can change the cipher suite set to a set of your choice. You can also revert to the MobileIron Core default set using the Reset to Default button on the System Manager's Security > Advanced > Outgoing SSL Configuration screen.
Most customers do not need to make any changes. Revert to the Core default set of cipher suites only if you have specific security requirements.
Do not click Reset to Default unless:
- You have specific security or performance requirements to use the MobileIron Core set of cipher suites. Most customers do not need to take any action.
- You have identified the cipher suites required for your external servers, and have confirmed that they are included in the default set of cipher suites.
For example, after an upgrade, an external server that depends on a legacy cipher suite that is not in the default set of cipher suites can connect to MobileIron Core. However, after you click Reset to Default, that server will not be able to connect to Core.
Therefore, see Determining which servers use which protocol versions and cipher suites before you click Reset to Default.
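The following Python 3 block is an added example (not Core code) that models the decisions described in Determining which servers use which protocol versions and cipher suites and in this topic: which suite each external server ends up with given Core's Selected order, which Disabled suites the failing servers would need (the asterisk view), and which servers that connect today would stop connecting after Reset to Default. CORE_DEFAULT is an assumed stand-in for the Core default set, the server capability lists are constructed, and all function names are this example's own.

```python
"""What-if analysis for Core's outgoing cipher-suite lists.

Added example, not MobileIron code. It models the behaviour this section
describes: Core offers its Selected list in order, the external server picks
one suite it also supports, and a server that supports none of the Selected
suites fails and is reported under the Disabled suite it would need. Every
list below is a constructed sample: CORE_DEFAULT is an assumed stand-in for
the Core default set, and the server capability lists are invented."""
from collections import defaultdict

# Assumed stand-in for the Core default set (strongest first). Not the real default.
CORE_DEFAULT = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
# Selected list as inherited through an upgrade: the defaults plus one legacy
# TLS_RSA suite the previous release still had selected.
INHERITED_SELECTED = CORE_DEFAULT + ["TLS_RSA_WITH_AES_128_CBC_SHA"]
# The other TLS_RSA suites from the set Core 10.3.0.0 moved to the Disabled list.
DISABLED = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Constructed: what each external server accepts, in the server's own preference order.
SERVERS = {
    "mdmenrollment.apple.com:443": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
    ],
    "scep.corp.example:443": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "ldap.corp.example:636": ["TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256"],
    "legacy-gw.corp.example:443": ["TLS_RSA_WITH_RC4_128_SHA"],  # RC4 suites were removed in 10.2.0.0
}


def negotiate(selected, server_suites, honor_core_order=True):
    """Suite a TLS 1.2 handshake settles on, or None when there is no overlap.
    By default the first suite in Core's Selected order that the server supports
    wins; a server that enforces its own preference picks the first suite in its
    own order that Core offered."""
    accepted = set(server_suites) & set(selected)
    preferred = selected if honor_core_order else server_suites
    return next((c for c in preferred if c in accepted), None)


def usage_report(selected, disabled, servers):
    """Reproduce the asterisk view. Returns (used, required, unresolvable):
    used maps Selected suites to the endpoints that negotiated them; required
    maps Disabled suites to endpoints that failed and would accept that suite;
    unresolvable lists endpoints that no Disabled suite would satisfy either
    (for example a server that only speaks a suite Core has removed)."""
    used, required, unresolvable = defaultdict(list), defaultdict(list), []
    for endpoint, supported in servers.items():
        chosen = negotiate(selected, supported)
        if chosen is not None:
            used[chosen].append(endpoint)
            continue
        needs = [c for c in disabled if c in supported]
        for suite in needs:
            required[suite].append(endpoint)
        if not needs:
            unresolvable.append(endpoint)
    return dict(used), dict(required), unresolvable


def reset_to_default_impact(current_selected, servers, default=CORE_DEFAULT):
    """Endpoints that connect with the current Selected list but would fail
    after Reset to Default, mapped to the suite they rely on today."""
    at_risk = {}
    for endpoint, supported in servers.items():
        now = negotiate(current_selected, supported)
        if now is not None and negotiate(default, supported) is None:
            at_risk[endpoint] = now
    return at_risk


if __name__ == "__main__":
    used, required, unresolvable = usage_report(INHERITED_SELECTED, DISABLED, SERVERS)
    for suite, endpoints in used.items():
        print(f"* Selected {suite}: {', '.join(endpoints)}")
    for suite, endpoints in required.items():
        print(f"* Disabled {suite} required by: {', '.join(endpoints)}")
    print("not fixable by enabling a Disabled suite:", unresolvable)
    print("would break after Reset to Default:", reset_to_default_impact(INHERITED_SELECTED, SERVERS))
```

With the sample data, the SCEP server connects today only through the inherited TLS_RSA_WITH_AES_128_CBC_SHA suite and is the one endpoint Reset to Default would break; the LDAP server already fails and shows up under two Disabled suites, either of which would fix it; and the RC4-only gateway cannot be fixed from Core at all, which is the situation the Core 10.2.0.0 note above warns about. Replace the lists with your Selected and Disabled lists from System Manager and the suites your own probes report.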
Procedure
To change the configuration to the MobileIron Core default set of strong cipher suites:
- Log into System Manager.
- Go to Security > Advanced > Outgoing SSL Configuration.
- Click Reset to Default.
- Click Apply > OK. MobileIron Core's Tomcat service, which supports web requests to and from Core, restarts automatically.
External servers connected to with outgoing SSL connections
Core uses outgoing SSL/TLS connections to various external servers. MobileIron Core uses the TLSv1.2 protocol for these connections. If an external server is not configured to use TLSv1.2, change the external server to use TLSv1.2.
Some of these external servers are:
- Standalone Sentry
- Connector
- SCEP servers
- LDAP servers
- MobileIron Gateway
- Apple Push Notification Service (APNS)
- Content Delivery Network servers
- MobileIron support server (support.mobileiron.com)
- Outbound proxy for Gateway transactions and system updates
- SMTPS servers
- Public app stores (Apple, Google, Windows)
- Apple License servers
- Apple Device Enrollment servers
- Android for Work servers