eG Monitoring
 

Measures reported by XMCertificateTest

In XenMobile, certificates are used to create secure connections and authenticate users.

By default, XenMobile comes with a self-signed Secure Sockets Layer (SSL) certificate that is generated during installation to secure the communication flows to the server. Citrix recommends you replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority (CA). XenMobile requires a certificate from the Apple Push Notification service (APNs). XenMobile also uses its own Public Key Infrastructure (PKI) service or obtains certificates from the CA for client certificates.

The following table shows the certificate format and type for each XenMobile component:

XenMobile component Certificate format Required certificate type
NetScaler Gateway PEM (BSAE64) or PFX (PKCS#12) SSL, Root NetScaler Gateway converts PFX to PEM automatically.
XenMobile server PEM or PFX (PKCS#12) SSL, SAML, APNs XenMobile also generates a full PKI during the installation process.
StoreFront PFX (PKCS#12) SSL, Root

All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or (SAN) certificates.

For NetScaler Gateway and the XenMobile server, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway or the XenMobile configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or XenMobile.

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to NetScaler Gateway can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

When users log on to NetScaler Gateway, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.

The XenMobile Public Key Infrastructure (PKI) integration feature allows you to manage the distribution and life cycle of security certificates used on your devices.

XenMobile creates an internal PKI for device authentication during the installation process.

External PKIs can also be used to issue certificates to devices to be used in configuration policies or for client authentication to NetScaler Gateway.

The main feature of the PKI system is the PKI entity. A PKI entity models a back-end component for PKI operations. That component is part of your corporate infrastructure, such as a Microsoft, RSA, Entrust, Symantex, or OpenTrust PKI. The PKI entity handles the back-end certificate issuance and revocation. The PKI entity is the authoritative source for the certificate’s status. The XenMobile configuration will normally contain exactly one PKI entity per back-end PKI component.

The second feature of the PKI system is the credential provider. A credential provider is a particular configuration of certificate issuance and life cycle. The credential provider controls things like the certificate format (subject, key, algorithms) and the conditions for its renewal or revocation, if any. The credential providers delegate operations to the PKI entities. In other words, although credential providers control when and with what data PKI operations are undertaken, PKI entities control how those operations are performed. The XenMobile configuration normally contains many credential providers per PKI entity.

If an active certificate suddenly expires, applications will no longer be able to communicate with XenMobile and vice-versa. To avoid this, administrators should proactively identify certificates nearing expiry and renew the certificates. This is where the XMCertificateTest test helps. This test captures the expiry date of all active certificates, computes how long each active certificate will remain valid, and proactively alerts administrators if any certificate is nearing expiry.

The measures made by this test are as follows:

Measurement Description Measurement Unit Interpretation
status Indicates the current status of this SSL certificate.   The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Valid 1
Invalid 0

Note:

By default, this measure reports the Measure Values discussed in the table above. However, in the graph of this measure, the status of the certificate is indicated using the numeric equivalents only.
daysToExpire Indicates how long this certificate will remain valid. Days A high value is desired for this measure. A very low value indicates that the certificate is about to expire very soon. You may want to consider renewing the certificate before this eventuality strikes.

Use the detailed diagnosis of this measure to know the exact date on which the certificate will expire.