Advanced: Incoming SSL Configuration
For incoming SSL/TLS connections, MobileIron Core supports:
- TLS protocol version TLS v1.2 (TLS v1.0 and TLS v1.1 are not supported)
- a default set of disabled and selected cipher suites.
Use the Security > Advanced > Incoming SSL Configuration options to configure the cipher suites to use for incoming SSL/TLS connections to Core. These incoming connections include connections initiated to Core from:
- devices
- browsers (to the Admin Portal or System Manager)
- external servers
Use this feature to also:
- configure MobileIron Core to be PCI-DSS 3.1 compliant.
- change the cipher suites for incoming SSL/TLS connections if you have specific security or performance requirements.
IMPORTANT: Do not change the cipher suites unless you have specific security or performance requirements. Most customers do not need to take any action.
This section includes the following topics:
- Protocols and cipher suites on Core first-time installation
- Protocol versions for incoming connections on upgrade
- Cipher suites for incoming connections on upgrade
- Protocol version negotiation for incoming SSL/TLS connections
- Verify server requirements for incoming SSL/TLS connections
- Configuring incoming SSL/TLS connections
- Changing to the default set of cipher suites for incoming connections
Protocols and cipher suites on Core first-time installation
On first-time installation, MobileIron Core supports:
- Protocol version TLSv1.2
- Default and selected cipher suites as displayed in the System Manager at Security > Advanced > Incoming SSL Configuration.
Do not change the cipher suites until you have determined the cipher suites required for incoming connections to Core.
Protocol versions for incoming connections on upgrade
When you upgrade to this MobileIron Core version, the selected and disabled protocol versions are as follows, regardless of what they were set to before the upgrade:
- Selected: TLSv1.2
- Disabled: None
NOTE: TLS v1.2 is the only supported protocol and cannot be moved to the disabled list.
Cipher suites for incoming connections on upgrade
When upgrading MobileIron Core, Core uses the disabled and selected sets of cipher suites that you used in the MobileIron Core from which you upgraded. The exception to this rule is when a Core release removes cipher suites. In that case, the removed cipher suites are no longer available to select after upgrade.
Note that Core has a default set of selected and disabled cipher suites. Core uses these default sets after upgrades only if you use the Reset to Default button. The default sets have changed in various Core releases. Therefore, if your upgrade path took you through a release that changed the default sets, use the Reset to Default button only with caution as described in Changing to the default set of cipher suites for incoming connections.
The default sets changed in:
- Core 9.4
- Core 10.2.0.0, in which the following cipher suites were removed. All of them use RC4 or 3DES as the bulk cipher; the SSL_-prefixed entries are alternative (Java-style) names for the corresponding TLS_ suites:
  - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  - SSL_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  - SSL_RSA_WITH_RC4_128_SHA
  - TLS_RSA_WITH_RC4_128_SHA
  - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  NOTE: If you used these cipher suites for incoming connections from your external servers, make sure your external servers are configured with cipher suites that MobileIron Core supports.
- Core 10.3.0.0, in which the following cipher suites were moved to the disabled list. All of them use static RSA key exchange, which provides no forward secrecy:
  - TLS_RSA_WITH_AES_256_GCM_SHA384
  - TLS_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA
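The audit below is an added example and is not MobileIron code or part of the Core product. It parses IANA-style cipher-suite names like the ones listed above, flags the two classes that Core 10.2.0.0 removed (RC4 and 3DES) and the class that Core 10.3.0.0 disabled by default (static RSA key exchange), reports names that do not parse (for example a hash suffix that does not exist), and produces the strongest-first ordering that the configuration procedure later in this section asks for. The candidate Selected list is constructed for illustration, and the severity labels and ranking rules are the example's own, not Core's.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed candidate "Selected" list (illustration only): a mix of suites the
# page lists as removed in Core 10.2.0.0, disabled by default in 10.3.0.0, still
# reasonable choices, and one mistyped name.
CANDIDATE_SELECTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA128",   # typo: there is no SHA128; should be SHA256
]

Finding = Tuple[str, str]   # (severity: "remove" | "disable" | "note" | "error", message)
KNOWN_HASHES = {"SHA", "SHA256", "SHA384"}


@dataclass
class Suite:
    name: str
    kex: str    # key exchange: ECDHE, DHE, or RSA (static RSA key transport)
    auth: str   # authentication: RSA or ECDSA
    bulk: str   # bulk cipher, e.g. AES_256_GCM, AES_128_CBC, 3DES_EDE_CBC, RC4_128
    mac: str    # PRF/MAC hash suffix: SHA, SHA256, SHA384


def parse_suite(name: str) -> Suite:
    """Split an IANA-style name, TLS_<kex>[_<auth>]_WITH_<bulk>_<hash>, into its parts."""
    prefix, sep, rest = name.partition("_WITH_")
    parts = prefix.split("_")
    if not sep or parts[0] not in ("TLS", "SSL") or len(parts) not in (2, 3):
        raise ValueError(f"not an IANA-style cipher suite name: {name}")
    kex, auth = parts[1], parts[-1]           # a lone "RSA" means RSA for both roles
    bulk, _, mac = rest.rpartition("_")       # "AES_256_GCM_SHA384" -> ("AES_256_GCM", "SHA384")
    if not bulk:
        raise ValueError(f"missing bulk cipher or hash in: {name}")
    return Suite(name, kex, auth, bulk, mac)


def audit_suite(s: Suite) -> List[Finding]:
    """Return the findings for one parsed suite (severity labels are this example's own)."""
    findings: List[Finding] = []
    if s.mac not in KNOWN_HASHES:
        findings.append(("error", f"unknown hash suffix {s.mac!r}; check the spelling"))
    if "RC4" in s.bulk:
        findings.append(("remove", "RC4 stream cipher, prohibited in TLS by RFC 7465 (removed in Core 10.2.0.0)"))
    if "3DES" in s.bulk:
        findings.append(("remove", "3DES, 64-bit block exposed to Sweet32 (removed in Core 10.2.0.0)"))
    if s.kex == "RSA":
        findings.append(("disable", "static RSA key exchange, no forward secrecy (disabled by default in Core 10.3.0.0)"))
    if "CBC" in s.bulk:
        findings.append(("note", "CBC with HMAC is not AEAD; rank below GCM suites"))
    if s.name.startswith("SSL_"):
        findings.append(("note", "legacy SSL_ spelling of a TLS_ suite; keep one name, not both"))
    return findings


def audit(names: List[str]) -> Dict[str, List[Finding]]:
    """Audit every name; unparseable names are reported as findings rather than raised."""
    report: Dict[str, List[Finding]] = {}
    for n in names:
        try:
            report[n] = audit_suite(parse_suite(n))
        except ValueError as exc:
            report[n] = [("error", str(exc))]
    return report


def preference_key(s: Suite) -> tuple:
    """Lower sorts first: AEAD, then ECDHE > DHE > static RSA, then 256 > 128, then hash."""
    return (
        0 if "GCM" in s.bulk else 1,
        {"ECDHE": 0, "DHE": 1}.get(s.kex, 2),
        0 if "256" in s.bulk else 1,
        {"SHA384": 0, "SHA256": 1}.get(s.mac, 2),
        s.name,
    )


def recommended_order(names: List[str]) -> List[str]:
    """Strongest-first Selected list, dropping suites with remove, disable or error findings."""
    keep = [parse_suite(n) for n, f in audit(names).items() if all(sev == "note" for sev, _ in f)]
    return [s.name for s in sorted(keep, key=preference_key)]


if __name__ == "__main__":
    for name, findings in audit(CANDIDATE_SELECTED).items():
        print(name, findings or "ok")
    print("Recommended Selected order:", recommended_order(CANDIDATE_SELECTED))
```

Run the script as-is to see the report for the constructed list, or replace CANDIDATE_SELECTED with the names copied from your own Selected column. The ranking puts AEAD (GCM) suites with ephemeral key exchange first, which is the order in which a server-preference TLS stack should be handed them; the CBC suite survives only because some older external servers still need it, and it lands last.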
Protocol version negotiation for incoming SSL/TLS connections
Because MobileIron Core supports only TLSv1.2, an incoming SSL/TLS connection fails if the client (a device, a browser, or an external server) does not support TLSv1.2: no common protocol version can be negotiated, so the handshake is rejected.
Verify server requirements for incoming SSL/TLS connections
Before changing cipher suites used for incoming connections to MobileIron Core, verify the requirements of external servers that make connection requests to Core. The System Manager screen at Security > Advanced > Incoming SSL Configuration indicates which cipher suites are disabled and selected.
The Disabled and Selected lists are described below:
Disabled: The protocol or cipher suite is available in Core but is disabled, so Core will not use it in any incoming connection. Moving protocols and cipher suites to the Disabled list disables them when the configuration is saved.
Selected: Core can use the protocol or cipher suite in an incoming connection. Moving protocols and cipher suites to the Selected list enables them when the configuration is saved.
Configuring incoming SSL/TLS connections
MobileIron recommends that you use the default cipher suites for incoming SSL/TLS connections. Most customers do not need to change them. However, if you have specific security or performance requirements, you can change the defaults. Before changing the cipher suites used in incoming SSL/TLS connections, understand the requirements of external servers that make connection requests to Core.
Prerequisites for configuring incoming SSL/TLS connections
The following conditions must be met to configure incoming SSL/TLS connections:
- In HA configurations, configure incoming SSL/TLS connections only from the primary Core. Configuring them from the second or third Core instance is not supported, because the Tomcat service is not running on those instances.
- The administrator (local user) configuring the incoming SSL/TLS connections in the System Manager must also be an administrator (local user) in the Admin Portal.
Configuring the cipher suites for incoming SSL/TLS connections
You can configure the cipher suites for incoming SSL/TLS connections.
NOTE: You cannot disable the protocol TLSv1.2. If you move it to the Disabled list and click Apply, MobileIron Core displays an error message. Move TLSv1.2 back to the Selected list before clicking Apply again.
Procedure
- Log into System Manager.
- Go to Security > Advanced > Incoming SSL Configuration.
- Go to the Cipher Suites section.
- Click and drag, or select and move using the arrows, cipher suites between the Disabled and Selected lists to select the cipher suites to use for incoming SSL/TLS connections.
- List the cipher suites in order, from highest preference to lowest, by dragging each cipher suite up or down in the Selected list. Core uses this order when choosing among the supported cipher suites: the first suite in the Selected list that the connecting client also offers is the one used. Therefore, MobileIron suggests you list the strongest cipher suites first.
- Click Apply > OK. The MobileIron Tomcat service, which supports web requests to and from Core, restarts automatically.
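Once Tomcat has restarted, confirm from outside what the listener actually negotiates. The probe below is an added example, not MobileIron code, and uses only Python's standard ssl module: it attempts a TLS 1.0 and a TLS 1.1 handshake (both should be refused, as described under Protocol version negotiation), a TLS 1.2 handshake (should succeed), and then one TLS 1.2 handshake per selected suite to see which ones the server accepts. Pointed at an external server instead of Core, the same script shows which suites that server can negotiate, which is the check the Verify server requirements section asks for. The host name core.example.com is a placeholder, the IANA-to-OpenSSL name table covers only the suites used here, and certificate verification is deliberately turned off because the check is about negotiation, not trust.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

TLS10, TLS11, TLS12 = ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2

# System Manager shows IANA names; the ssl module wants OpenSSL names. Only the
# suites used in this example are mapped (assumption: extend for your own list).
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}


@dataclass
class ProbeResult:
    label: str                      # "TLSv1", "TLSv1.1", "TLSv1.2" or an IANA suite name
    connected: bool
    version: Optional[str] = None   # protocol the server actually negotiated
    cipher: Optional[str] = None    # OpenSSL name of the negotiated suite
    error: str = ""                 # handshake or socket error text, kept for diagnosis


def _context(version: ssl.TLSVersion, openssl_cipher: Optional[str]) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # negotiation test only, not a trust decision
    ctx.minimum_version = version        # pin the client to exactly one protocol version
    ctx.maximum_version = version
    # OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level; SECLEVEL=0
    # makes the client offer them so that a refusal can be attributed to the server.
    ctx.set_ciphers((openssl_cipher or "ALL") + ":@SECLEVEL=0")
    return ctx


def probe(host: str, port: int, label: str, version: ssl.TLSVersion,
          openssl_cipher: Optional[str] = None, timeout: float = 5.0) -> ProbeResult:
    """One handshake attempt with a single protocol version and, optionally, a single suite."""
    try:
        ctx = _context(version, openssl_cipher)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:   # handshake happens here
                name, _proto, _bits = tls.cipher()
                return ProbeResult(label, True, tls.version(), name)
    except (ssl.SSLError, OSError, ValueError) as exc:
        return ProbeResult(label, False, error=str(exc))


def verdict(results: List[ProbeResult]) -> Dict[str, str]:
    """Apply the section's rules: TLS 1.2 only, and every selected suite should negotiate."""
    out: Dict[str, str] = {}
    for r in results:
        if r.label in ("TLSv1", "TLSv1.1"):
            out[r.label] = "OK (refused)" if not r.connected else "FAIL (accepted legacy protocol)"
        elif r.label == "TLSv1.2":
            out[r.label] = "OK" if r.connected and r.version == "TLSv1.2" else "FAIL (TLS 1.2 not accepted)"
        else:
            out[r.label] = "negotiated" if r.connected else f"not negotiated: {r.error}"
    return out


def run(host: str, port: int, selected_iana: List[str]) -> Dict[str, str]:
    results = [probe(host, port, "TLSv1", TLS10),
               probe(host, port, "TLSv1.1", TLS11),
               probe(host, port, "TLSv1.2", TLS12)]
    for iana in selected_iana:
        results.append(probe(host, port, iana, TLS12, IANA_TO_OPENSSL[iana]))
    return verdict(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "core.example.com"   # placeholder host
    for label, result in run(target, 443, list(IANA_TO_OPENSSL)).items():
        print(f"{label:45} {result}")
```

Read the error text on a refused legacy-version probe before trusting it: "unsupported protocol" or "no protocols available" from the client side means your own OpenSSL would not offer that version at all, which says nothing about Core, whereas a handshake failure or an alert after the ClientHello is the server declining. A suite that reports "not negotiated" against Core but "negotiated" against an external server that needs it is exactly the mismatch the Verify server requirements section warns about.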
Changing to the default set of cipher suites for incoming connections
When you upgrade MobileIron Core, the set of incoming SSL/TLS protocols and cipher suites are the ones described in Protocol versions for incoming connections on upgrade and Cipher suites for incoming connections on upgrade.
You can change your cipher suite set to a set of your choice. You can also change to the default MobileIron Core set using the Reset to Default button on the System Manager's Security > Advanced > Incoming SSL Configuration screen.
Most customers do not need to make any changes. However, you can change Core to use the Core default set of cipher suites if you have specific security requirements.
Do not click Reset to Default unless:
- You have specific security or performance requirements to use the MobileIron Core set of cipher suites. Most customers do not need to take any action.
- You have identified the cipher suites required for your external servers, and have confirmed that they are included in the default set of cipher suites.
For example, after an upgrade, an external server that depends on a legacy cipher suite that is not in the default set can still connect to MobileIron Core, because the upgrade keeps your previous Selected list. After you click Reset to Default, however, that server will no longer be able to connect to Core.
Procedure
To change the configuration to the Core default set of cipher suites:
- Log into System Manager.
- Go to Security > Advanced > Incoming SSL Configuration.
- Click Reset to Default.
- Click Apply > OK. The MobileIron Tomcat service, which supports web requests to and from Core, restarts automatically.