2. 2016 Connect: The Premier Social Business and Digital Experience Conference
Make Every Moment Count
Agenda
• IBM Mobile Connect at a glance
• Scenario “Configuration for IBM Traveler (and others)”
• Security considerations – Certificate based authentication
• Security considerations – MDM integration
3. About me
IBM Advanced Business Partner
IBM Design Partner (Notes Domino, Mobile, Verse)
Apple Enterprise Developer and MDM Group Member
Samsung Enterprise Alliance Partner
Worldwide Service Offerings
- Enterprise Mobility
- Mobile Device and Application Management
- IBM Traveler and IBM Mobile Connect implementation + custom add-on products
René Winkelmeyer
Head of Development
4. About me
Reach out any time
Skype / Twitter / LinkedIn => muenzpraeger
Web
https://blog.winkelmeyer.com
http://www.midpoints.de
Mail
mail@winkelmeyer.com
rene.winkelmeyer@midpoints.de
5. What is this session about?
• Enhancements and new configurations of IBM Mobile Connect to make your life easier.
• If you are looking for a starter guide, please check out my slides from Lotusphere 2012 and 2013.
6. IBM Mobile Connect at a glance
#ibmconnect
Latest version of this slide deck is available on https://slideshare.net/muenzpraeger
7. IBM Mobile Connect – Specifications
• Current version:
§ 6.1.5.2
• Server
§ Windows - 2003/2008/2012 Server
§ Linux – Red Hat Enterprise & SuSE Enterprise Server
§ AIX
8. IBM Mobile Connect – Specifications
• Mobility (VPN) Clients
§ Microsoft Windows 2000, XP, Vista, 7
§ OS X
§ Linux (Red Hat, SuSE, Novell)
§ Windows Mobile incl. 6.5, Symbian (selected devices), Palm
§ Android
• Browser
§ IE, Firefox, Safari, Chrome
9. IBM Mobile Connect – Capabilities
• VPN gateway
§ Clients are available for Windows, Mac, Linux, Android
• WiFi gateway
• Clientless gateway
§ HTTP access, like browsers or mobile apps (the focus of this session)
10. Reverse Proxy – why and how?
• A Reverse Proxy acts as a tier between a requester (e.g. a browser) and a backend system.
• In contrast to a Forward Proxy, a Reverse Proxy acts on behalf of the web server.
• The Reverse Proxy forwards the incoming request to the backend system and sends the response back to the user.
11. Reverse Proxy – why and how?
(Diagram) Requester → Reverse Proxy → Backend system
12. What is a Secure Reverse Proxy?
• Defined endpoint for encrypted communication between
external clients and internal systems.
• Central authentication and Single-Sign-On for all connected
backend systems.
• Access authorisation for the connected backend systems.
13. IBM Mobile Connect as Secure Reverse Proxy
• Single-Sign-On using username/password or certificates for
IBM backend systems
• Authentication sources are Domino LDAP or Active Directory
• Single URL access
• Automatic IBM Traveler Pool assignment
14. Infrastructure scenarios
(Diagram) External URL https://mobile.midpoints.net with the paths /traveler, /chat and /social. Clients reach the Secure Reverse Proxy over HTTPS; the proxy forwards over HTTP(S) to the backend systems Traveler, Sametime and Connections.
15. Infrastructure scenarios
(Diagram) External URL https://mobile.midpoints.net/traveler. Clients reach the Secure Reverse Proxy (with Load Balancing and Failover) over HTTPS; the proxy forwards over HTTP(S) to a Traveler HA Service Pool of Traveler 1, Traveler 2 and Traveler 3, which share an IBM DB2 / MS SQL database. The Traveler servers talk to the Domino Mail servers over Notes.
16. Why IBM Mobile Connect – and not others?
• Native integration for all IBM Collaboration products
• Up-to-date TLS stack
• Scaling – one server can handle 10k parallel accesses
• MDM integration
• IBM support
17. Remember Domino and SHA2?
18. IBM Mobile Connect – Components
• Connection Manager
§ The IMC Connection Manager is the main component. It forwards the client requests to the backend systems.
• Gatekeeper
§ A Java-based administration client for IMC. It can be installed on the same system as the Connection Manager or on a separate one.
19. IBM Mobile Connect – Components
• Access Manager
§ Gets installed with the Connection Manager on the server. It is responsible for pushing the configuration changes (from the Gatekeeper) to the internally used database. It also updates the Connection Manager dynamically.
21. IBM Traveler and IBM Mobile Connect
• Mobile mail access is a critical component nowadays in every
environment. So is Traveler.
• Different environment setups are possible for Traveler
§ Standalone setup
§ High Availability with one or multiple pools
22. IBM Traveler – Pool definition / challenges
• A “Traveler pool” is the logical combination of multiple Traveler
servers that share the same backend database.
§ A single pool can serve up to 10k devices.
§ The Traveler servers handle load balancing internally.
• Different setups are possible, like splitting pools by device type,
user region and more.
§ Without a centralized proxy, all of them will have different entry point URLs.
23. IBM Traveler – How IBM Mobile Connect helps
• IMC has four main features that improve the Traveler
experience.
§ Defined proxy rules for Traveler access
§ Session assignment
§ Single URL support
§ Automatic Server/Pool assignment
25. IMC workflow (simplified)
(Flow diagram) Authenticated user connects → check if pool assignment is active → validate the user's LDAP attribute: if it is set, assign the pool; if it is not set, don't assign.
26. Automatic Server/Pool assignment configuration
• Define within an http-access service which LDAP attribute should be queried.
27. Automatic Server/Pool assignment configuration
• An “Application server pool” is a dedicated resource type
28. Automatic Server/Pool assignment configuration
• A “Pool configuration” contains one or multiple backend host
names.
29. Automatic Server/Pool assignment configuration
• One or multiple strings can be added for the automatic pool
assignment. The value must match the content of the LDAP field.
30. Automatic Server/Pool assignment configuration
• Multiple server pools can be defined.
31. Automatic Server/Pool assignment configuration
• Activate the application server pool usage in the http-access
service
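The pool assignment steps of slides 25 to 31 (query an LDAP attribute per user, match its value against the strings of each application server pool, fall back to "don't assign") as an added Python model; this is example code written for this page, not IBM Mobile Connect's own implementation. The attribute name `travelerPool`, the directory entries, the host names and the `default_hosts` fallback used when no pool claims the value are all constructed assumptions; the slides do not say what IMC does in that case.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerPool:
    """An "Application server pool": backend hosts plus the strings that select it."""
    name: str
    hosts: List[str]          # pool configuration: one or multiple backend host names
    match_values: List[str]   # strings that must equal the content of the LDAP field


@dataclass
class HttpAccessService:
    """The http-access service settings that drive automatic pool assignment."""
    ldap_attribute: str                  # which LDAP attribute is queried per user
    pool_assignment_active: bool         # "activate application server pool usage"
    pools: List[ServerPool] = field(default_factory=list)
    default_hosts: List[str] = field(default_factory=list)  # assumed fallback (not on the slides)


# Constructed directory entries standing in for Domino LDAP / Active Directory.
# "travelerPool" is a hypothetical attribute name chosen for this example.
DIRECTORY = {
    "uid=alice,o=midpoints": {"travelerPool": "pool-eu"},
    "uid=bob,o=midpoints":   {"travelerPool": "pool-na"},
    "uid=carol,o=midpoints": {},                           # attribute not set
    "uid=dave,o=midpoints":  {"travelerPool": "POOL-EU"},  # wrong case: no exact match
}


def ldap_lookup(user_dn: str, attribute: str) -> Optional[str]:
    """Stand-in for the LDAP query the proxy performs for the authenticated user."""
    return DIRECTORY.get(user_dn, {}).get(attribute)


def assign_pool(service: HttpAccessService, user_dn: str) -> Optional[ServerPool]:
    """Walk the simplified workflow: active? -> attribute set? -> string match."""
    if not service.pool_assignment_active:
        return None                                   # feature switched off: don't assign
    value = ldap_lookup(user_dn, service.ldap_attribute)
    if value is None:
        return None                                   # attribute not set: don't assign
    for pool in service.pools:
        if value in pool.match_values:                # exact, case-sensitive comparison
            return pool
    return None                                       # no pool claims this value


def backend_hosts_for(service: HttpAccessService, user_dn: str) -> List[str]:
    """Hosts the proxy may forward this user's /traveler requests to."""
    pool = assign_pool(service, user_dn)
    return pool.hosts if pool is not None else service.default_hosts


# Constructed service configuration: two pools, several match strings for one of them.
SERVICE = HttpAccessService(
    ldap_attribute="travelerPool",
    pool_assignment_active=True,
    pools=[
        ServerPool("EU", ["traveler1.eu.example", "traveler2.eu.example"], ["pool-eu"]),
        ServerPool("NA", ["traveler1.na.example"], ["pool-na", "pool-us"]),
    ],
    default_hosts=["traveler-default.example"],
)

if __name__ == "__main__":
    for dn in DIRECTORY:
        pool = assign_pool(SERVICE, dn)
        print(dn, "->", pool.name if pool else "no pool", backend_hosts_for(SERVICE, dn))
```

The comparison is deliberately exact: a value that differs only in case selects no pool, which is the safer failure (the user lands on the default rather than on a pool by accident). Because the attribute value steers users between pools, write access to it in the directory is an authorization boundary and should be as restricted as the pool configuration itself.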
32. Adding more apps
• Besides Traveler, all ESS backend systems are supported with specialized URL and content handling
§ e.g. URL rewriting of transmitted content
• Delivers full integration including SSO capabilities
§ IBM Connections
§ IBM Connections Chat
§ IBM Domino
33. Adding more apps
• Simplified by application specific identifier.
34. Summary
• The built-in capabilities help to deliver a streamlined
administrative experience.
• Hassle-free connection to IBM ESS backend systems.
§ LTPA1 and LTPA2
36. Certificates? Certificates!
• A high level of security can be achieved by using certificates for
authentication.
• Certificates are a common practice for verifying clients and
servers. The latter one is mostly known as “SSL hostname
authentication”.
§ Companies are moving more and more to client certificate based
authentication for different services.
§ Domino companies should be familiar with that… ;-)
37. Why set up IBM Mobile Connect for this?
• Achieve a higher level of security by using certificate based
authentication for your critical data.
§ Different setup scenarios are available.
• Remove the need for passwords and make it easier for your users. But only if you want.
38. IMC workflow (simplified)
(Flow diagram) Client presents certificate → IMC validates public key and validity → subject string check against LDAP → optional 2FA → SSO to the backend.
39. Configuring Certificate based authentication
• The standard authentication process leverages a username/password combination.
40. Configuring Certificate based authentication
• Add 2-Factor-Authentication by enforcing additional password
usage.
§ Can be enriched with user id check
41. Configuring Certificate based authentication
• Trust your certificates and resolve the username based on
certificate criteria.
42. Configuring Certificate based authentication
• Additional security/alternatives can be added using a custom
string match.
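The certificate workflow of slides 38 to 42 (trusted issuer and validity check, username resolved from a subject field, an optional custom string match, and optional 2FA with password and user id check) as an added Python model; example code written for this page, not IBM Mobile Connect's own implementation. It assumes the TLS layer has already verified the client certificate's signature chain and only models the policy stage after that; the issuer name, the directory, the salted password store and the use of a regular expression for the "custom string match" are constructed assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Set, Tuple


@dataclass
class ClientCert:
    """The fields of a (chain-verified) client certificate this policy stage looks at."""
    subject: dict             # RDN type -> value, e.g. {"CN": "alice", "OU": "Mobile"}
    issuer_cn: str
    not_before: datetime
    not_after: datetime


@dataclass
class CertAuthConfig:
    trusted_issuers: Set[str]            # "trust your certificates"
    username_field: str                  # subject field the username is resolved from
    subject_match: Optional[str] = None  # custom string match, modelled here as a regex on the DN
    require_password: bool = False       # 2FA: password on top of the certificate
    check_user_id: bool = False          # 2FA enrichment: typed user id must match the cert


# Constructed directory and password store (salted SHA-256, for this example only).
DIRECTORY = {"alice": "uid=alice,o=midpoints", "bob": "uid=bob,o=midpoints"}
SALT = b"example-salt"
PASSWORDS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}


def subject_dn(cert: ClientCert) -> str:
    return ",".join(f"{k}={v}" for k, v in cert.subject.items())


def password_ok(user: str, password: str) -> bool:
    digest = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, PASSWORDS.get(user, ""))


def authenticate(cfg: CertAuthConfig, cert: ClientCert, now: datetime,
                 password: Optional[str] = None,
                 typed_user_id: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (user_dn, reason); user_dn is None when the request is refused."""
    if cert.issuer_cn not in cfg.trusted_issuers:
        return None, "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return None, "certificate outside validity period"
    if cfg.subject_match and not re.search(cfg.subject_match, subject_dn(cert)):
        return None, "subject does not match custom string"
    user = cert.subject.get(cfg.username_field)        # resolve username from the cert
    if user is None or user not in DIRECTORY:
        return None, "no user resolved from certificate"
    if cfg.require_password:                           # optional second factor
        if password is None or not password_ok(user, password):
            return None, "second factor failed"
        if cfg.check_user_id and typed_user_id != user:
            return None, "user id does not match certificate"
    return DIRECTORY[user], "ok"                       # identity handed on to SSO


# Constructed certificates and configurations for the demonstration.
NOW = datetime(2016, 2, 1, tzinfo=timezone.utc)
VALID_FROM, VALID_TO = datetime(2015, 1, 1, tzinfo=timezone.utc), datetime(2017, 1, 1, tzinfo=timezone.utc)
ALICE = ClientCert({"CN": "alice", "OU": "Mobile", "O": "midpoints"}, "midpoints Mobile CA", VALID_FROM, VALID_TO)
DESKTOP = ClientCert({"CN": "alice", "OU": "Desktop", "O": "midpoints"}, "midpoints Mobile CA", VALID_FROM, VALID_TO)
EXPIRED = ClientCert({"CN": "bob", "OU": "Mobile", "O": "midpoints"}, "midpoints Mobile CA",
                     datetime(2014, 1, 1, tzinfo=timezone.utc), datetime(2015, 1, 1, tzinfo=timezone.utc))

CERT_ONLY = CertAuthConfig({"midpoints Mobile CA"}, "CN", subject_match=r"OU=Mobile")
CERT_PLUS_PASSWORD = CertAuthConfig({"midpoints Mobile CA"}, "CN", subject_match=r"OU=Mobile",
                                    require_password=True, check_user_id=True)

if __name__ == "__main__":
    print(authenticate(CERT_ONLY, ALICE, NOW))
    print(authenticate(CERT_ONLY, DESKTOP, NOW))
    print(authenticate(CERT_ONLY, EXPIRED, NOW))
    print(authenticate(CERT_PLUS_PASSWORD, ALICE, NOW, "correct horse", "alice"))
```

The checks run from cheapest to most expensive and every refusal names its reason, which is what you want in the proxy log when a user reports being locked out. Note what the model leaves to the TLS layer: chain verification and revocation checking; a policy stage that only looks at the validity period will keep accepting a revoked certificate until it expires, so the TLS configuration in front of it must handle revocation.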
43. Summary
• Certificate based authentication enhances your backend applications' security.
• Different setups allow you to leverage it as you need it.
• Certificate deployment options need to be revisited.
§ Not all IBM ESS apps support certificate based authentication
(yet).
45. What is MDM?
• Mobile Device Management (MDM) is used to manage devices
and applications in your mobile workforce
§ Lots of companies still don't use an MDM. And you?
• Allows remote device configuration, data and device deletion,
app deployment and much more.
46. Why MDM integration for IBM Mobile Connect?
• A Reverse Proxy authenticates only the user – not the device. So there is no control over whether "unmanaged" devices can access internal resources.
§ Jailbroken/rooted devices
§ Data Loss Prevention
47. IMC / MDM integration infrastructure
(Diagram) External URLs https://mobile.midpoints.net/traveler and https://mobile.midpoints.net/connections. Clients reach IBM Mobile Connect over HTTPS; IBM Mobile Connect forwards over HTTP(S) to IBM Notes Traveler and IBM Connections and queries the MDM services. Traveler talks to the Domino Mail servers over Notes.
48. How does the MDM integration work?
• Depending on the incoming request different values are
evaluated.
§ Traveler identification is determined by the submitted sync device
id in the URL call.
§ IBM ESS apps send custom headers with their authorization requests. Those headers are set via MDM.
• Custom access definitions, like “allow” or “deny”, are then
applied.
49. IMC workflow (simplified)
(Flow diagram) User is authenticated → device information is extracted → device is validated via the MDM interface → allowed: access; not allowed: no access.
50. Configuring MDM integration
• “MDM Integration” is a separate resource type
51. Configuring MDM integration
• Validation results (and outcome) are configurable.
52. Configuring MDM integration
• Enhanced checks are available like compliance re-validation
and user mapping.
53. Configuring MDM integration
• Custom “tokens” can be used for different setups on the same
vendor.
54. IBM Mobile Connect configuration
• Besides tight security you can also go a little bit loose.
§ Great for migration scenarios.
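The MDM check of slides 48 to 54 (device id taken from the Traveler sync URL or from a custom header for ESS apps, lookup via the MDM interface, configurable allow/deny outcomes, user mapping, and a "tight" versus a "loose" setup) as an added Python model; example code written for this page, not IBM Mobile Connect's own implementation. The `DeviceId` query parameter is the one ActiveSync clients send; the header name `X-Device-Id`, the MDM inventory, the status names and the two policy tables are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class Request:
    """An already authenticated request as seen by the proxy."""
    user: str
    target: str              # path plus query string, e.g. "/traveler/...?DeviceId=..."
    headers: Dict[str, str]


@dataclass
class MdmRecord:
    owner: str               # user the device is enrolled to
    status: str              # "compliant", "non_compliant" or "jailbroken" (constructed names)


# Constructed MDM inventory standing in for the vendor's query interface.
MDM_INVENTORY = {
    "ANDR1234567890": MdmRecord("alice", "compliant"),
    "APPL0987654321": MdmRecord("bob", "jailbroken"),
    "APPL1111111111": MdmRecord("carol", "non_compliant"),
}

DEVICE_HEADER = "X-Device-Id"   # hypothetical name of the header the MDM sets for ESS apps


@dataclass
class MdmPolicy:
    """Configurable outcome per validation result; results not listed are denied."""
    outcome: Dict[str, str]       # validation result -> "allow" | "deny"
    check_user_mapping: bool      # device must be enrolled to the authenticated user


# Tight setup: only known, compliant devices of the right user get through.
STRICT = MdmPolicy(
    {"compliant": "allow", "non_compliant": "deny", "jailbroken": "deny",
     "unknown": "deny", "no_device": "deny"},
    check_user_mapping=True,
)
# "A little bit loose", e.g. during a migration: unknown and header-less devices pass,
# only devices the MDM flags as jailbroken are refused.
LOOSE = MdmPolicy(
    {"compliant": "allow", "non_compliant": "allow", "jailbroken": "deny",
     "unknown": "allow", "no_device": "allow"},
    check_user_mapping=False,
)


def extract_device_id(req: Request) -> Optional[str]:
    """Traveler: sync device id from the URL; ESS apps: custom header set by the MDM."""
    if req.target.startswith("/traveler"):
        query = parse_qs(urlparse(req.target).query)
        return query.get("DeviceId", [None])[0]      # ActiveSync query parameter
    for name, value in req.headers.items():          # header names are case-insensitive
        if name.lower() == DEVICE_HEADER.lower():
            return value
    return None


def mdm_lookup(device_id: str) -> Optional[MdmRecord]:
    """Stand-in for the call to the MDM vendor's interface."""
    return MDM_INVENTORY.get(device_id)


def validate(policy: MdmPolicy, req: Request) -> Tuple[str, str]:
    """Return (decision, validation result) for an authenticated request."""
    device_id = extract_device_id(req)
    if device_id is None:
        result = "no_device"
    else:
        record = mdm_lookup(device_id)
        if record is None:
            result = "unknown"
        elif policy.check_user_mapping and record.owner != req.user:
            result = "user_mismatch"
        else:
            result = record.status
    return policy.outcome.get(result, "deny"), result   # unmapped results fail closed


if __name__ == "__main__":
    sync = "/traveler/Microsoft-Server-ActiveSync?User=alice&DeviceId=ANDR1234567890&Cmd=Sync"
    for policy_name, policy in (("strict", STRICT), ("loose", LOOSE)):
        print(policy_name, validate(policy, Request("alice", sync, {})))
        print(policy_name, validate(policy, Request("alice", "/connections/files", {})))
```

Two design points worth keeping when you configure the real thing: the outcome table is looked up with a deny default, so a status the MDM starts reporting that nobody mapped yet cannot silently turn into access, and the user mapping check catches a managed, compliant device being used with someone else's credentials, which a pure compliance check would wave through. The "loose" table is what the migration slide describes; it should be a temporary state with a date for moving to the strict one.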
55. Available MDM integrations
56. Summary
• MDM integration enhances the security by adding an additional
layer of security.
• Different setup scenarios are available to fit your organization's needs.
60. Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational
purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to
verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM
shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this
presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms
and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved.
Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect
of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.