Advanced Configuration

Setting up an On-Premises SMTP Service (without UEM)

  1. Install Gaia.

  2. In Installing and Configuring Harmony Mobile Connector, follow all the procedures except the pii protector settings.

  3. Configure your on-premises SMTP service:

    1. In the Harmony Mobile Administrator Portal, go to Settings > Integrations.

    2. Click + and select SMTP.

      The SMTP window appears.

    3. Configure Server Details:

      1. SMTP transport for ports 25 and 587.

      2. SMTPS transport for port 465.

    4. To use the connector with an on-premises UEM without a direct internet connection, select the checkbox under the Using Connector section.

    5. Click Test Connectivity.

      If there are no errors, click Apply.

Working with a Proxy

To connect a proxy from the Harmony Mobile Connector to the internet or to the UEM:

  1. Log in to the VM through ssh.

  2. Update the settings to access the Harmony Mobile dashboard through the proxy.

    1. Open this settings file:

      vi /opt/CPsbmc/components/pii_protector/application.yml

    2. Update the relevant settings in the file (server > Proxy), for example:

      proxy:
        enabled: true
        host: "myproxy.mydomain.com"
        port: 8080
        authentication-required: true
        user: "proxy_user"
        password: "proxy_password"

  3. Update the settings to access the Harmony Mobile Connector cloud component through the proxy.

    1. Open this settings file:

      vi /opt/CPsbmc/components/api_dispatcher/application.yml

    2. Update the relevant settings in the file:

      1. relay Proxy:

        Example:

        proxy:
          enable: true
          host: "myproxy.mydomain.com"
          port: 8080
          username: "proxy_user"
          password: "proxy_password"

      2. MDM Proxy:
        If there is a proxy to connect to the UEM.

        Example:

        proxy:
          enable: true
          host: "myproxy.mydomain.com"
          port: 8080
          username: "proxy_user"
          password: "proxy_password"

Using a UEM with a Self-Signed Certificate

To use a UEM server with a self-signed certificate (not signed with a valid Certificate Authority):

  1. Download the UEM certificate in a Privacy Enhanced Mail (PEM) format and copy it to the Harmony Mobile Connector server.

  2. Connect to the VM through ssh with your user credentials.

  3. Update the settings file to use the self-signed certificate:

    1. Open the settings file:

      vi /opt/CPsbmc/components/api_dispatcher/application.yml

    2. Set the option that makes the Connector use the self-signed certificate when it connects to the UEM:
      mdm > ssl > use_self_sign_certificate

      Path to the UEM certificate:
      mdm > ssl > certificate_path

      Example:
      use_self_sign_certificate: true
      certificate_path: "/web/conf/my_uem_certificate.pem"

      Note - The option to disable the SSL verification to the MSD should be used only in Proof of Concept (POC) and not in production.

Setting up High Availability for the Connector

To set up high availability for the Harmony Mobile Connector:

  1. Create a copy of the existing VM that runs the Harmony Mobile Connector.

  2. Change the new VM IP address (in Gaia).

    In clish:

    show interface eth0
    set interface eth0 ipv4-address <ip> mask-length <16/23>
    save config

  3. Add the new IP address to the UEM settings in the Harmony Mobile dashboard.

Viewing Connector

To set up a new viewing connector (a read-only instance without the API dispatcher):

  1. Follow the steps in Setting up High Availability for the Connector to set up the additional Harmony Mobile Connector VM.

  2. In the Expert mode, on the Harmony Mobile Connector, run these commands:

    • To restart SBMC:

      sbmc_stop; sbmc_start

    • To deactivate api_dispatcher:

      source /opt/CPsbmc/scripts/sbmc_functions.sh
      stop_component api_dispatcher

Upgrading Harmony Mobile Connector from R80.40 to R81.20

  1. Create a snapshot of the current R80.40 virtual machine.

  2. Pause MDM sync in Harmony Mobile Administrator Portal:

    1. Sign in to Check Point Infinity Portal.

    2. In the Harmony Mobile Administrator Portal, go to Settings > Integrations.

    3. Hover over the MDM card and click and then click Pause.

  3. In the Harmony Mobile Administrator Portal, go to Settings > Audit Trail and check if there is any active MDM device sync:

    1. Click the icon above the table.

    2. In the Filters panel on the right, expand Category and filter for MDM device sync.

      If there is an active MDM device sync (Event column shows as Started), wait until the sync ends (Event column shows as Succeed).

      Refresh the page to view the current sync status.

      Note - The MDM device sync process may take up to 24 hours depending on the number of devices. If the sync status is not shown as Succeed after 24 hours, you may continue the upgrade process.

       

    Note - If you are setting up Gaia R81.20 on a new VM, skip the steps below and go to Upgrading Harmony Mobile Connector from R80.40 to R81.20 - Setting up a new VM.

  4. Connect to the Gaia virtual machine through ssh and log in to Expert mode with your username and password.

  5. Before you upgrade, make sure the partition /var/log/ has a minimum of 20 GB of free space:

    1. To view partition size, run:

      df -h

    2. Verify whether the partition /var/log/ has a minimum of 20 GB of free space.

    3. If partition resize is required:

      1. Log in to the Gaia VM through ssh and run:

        lvm_manager

      2. Select option 2 resize lv_current/lv_log logical volume

      3. Select option 2 lv_log

      4. Follow the instructions displayed on the terminal.

        After the process completes successfully, Gaia displays a notification and restarts.

      5. To validate whether the partition is resized, run:

        df -h

  6. Verify if you have installed any CA certificates in the Gaia VM Java truststore. For each CA, run:

    keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep <CA SHA1 finger print>

    If you have installed any CA certificates, make a note of them.

    Note - All CA certificates installed in the Gaia VM Java truststore will be deleted during the upgrade process to Gaia R81.20. You must re-install them after you complete the upgrade.

  7. Log in to the Gaia VM through ssh.

  8. Run this script to back up the configuration files:

    SBMCBACKUPDIR=/var/log/SBMCBACKUP
    mkdir $SBMCBACKUPDIR
    cp $SBMCDIR/components/api_dispatcher/application.yml $SBMCBACKUPDIR/api_dispatcher_application.yml
    cp $SBMCDIR/components/pii_protector/application.yml $SBMCBACKUPDIR/pii_protector_application.yml
    cp -r $SBMCDIR/components/pii_filter/conf $SBMCBACKUPDIR/conf
    cp /web/conf/sbmc_private_key.pem $SBMCBACKUPDIR/sbmc_private_key.pem
    cp /web/conf/sbmc_public_key.pub $SBMCBACKUPDIR/sbmc_public_key.pub
    cp $SBMCDIR/components/directory_service/application.yml $SBMCBACKUPDIR/directory_service_application.yml
    cp -r $SBMCDIR/log $SBMCBACKUPDIR/log

  9. Upgrade to R81.20:

    1. Log in to Gaia: https://<gaia_vm_ip>

      Username - The admin username set when you installed Gaia

      Password - The password set when you installed Gaia.

    2. On the left panel, under Upgrades (CPUSE), click Status and Actions.

    3. Right-click R81.20 Gaia Fresh install and upgrade and click Download.

    4. After the file is downloaded, right-click the record and click Upgrade.

      Note - The upgrade process takes about 60 minutes.

      After the upgrade process starts (approximately after two minutes), this warning pop-up may appear. Click Continue.

  10. Install the Harmony Mobile Connector. Follow steps 1-9 in Installing and Configuring Harmony Mobile Connector.

    Important - Make sure to install the relevant jumbo hotfix and reboot Gaia after installing Connector hotfix.

  11. Connect to the Gaia VM through ssh and back up the R81.20 Connector application yml files. Run:

    SBMCBACKUPDIR=/var/log/SBMCBACKUP
    cp $SBMCDIR/components/api_dispatcher/application.yml $SBMCBACKUPDIR/api_dispatcher_application_r81_20.yml
    cp $SBMCDIR/components/pii_protector/application.yml $SBMCBACKUPDIR/pii_protector_application_r81_20.yml
    cp $SBMCDIR/components/directory_service/application.yml $SBMCBACKUPDIR/directory_service_application_r81_20.yml

  12. Restore the backed-up files from the previous R80.40 Connector installation. Run:

    SBMCBACKUPDIR=/var/log/SBMCBACKUP
    cp $SBMCBACKUPDIR/sbmc_private_key.pem /web/conf/sbmc_private_key.pem
    cp $SBMCBACKUPDIR/sbmc_public_key.pub /web/conf/sbmc_public_key.pub
    rm -rf $SBMCDIR/components/pii_filter/conf
    cp -r $SBMCBACKUPDIR/conf $SBMCDIR/components/pii_filter/conf

  13. Edit application.yml files:

    Note - Do not change the structure or order of the file content. Copy only the values you updated in the original file and that are mentioned in this guide.

    1. Update the $SBMCDIR/components/api_dispatcher/application.yml configuration file with the relevant values from
      $SBMCBACKUPDIR/api_dispatcher_application.yml

    2. Update the $SBMCDIR/components/pii_protector/application.yml configuration file with the relevant values from
      $SBMCBACKUPDIR/pii_protector_application.yml

    3. Update the $SBMCDIR/components/directory_service/application.yml configuration file with the relevant values from
      $SBMCBACKUPDIR/directory_service_application.yml

  14. Restart SBMC:

    sbmc_stop
    sbmc_start

  15. Re-install the CA certificates (noted in step 6) in the Gaia VM Java truststore. See sk182094.

  16. Start MDM sync in Harmony Mobile Administrator Portal:

    1. Go to Settings > Integrations.

    2. Hover over the MDM card and click and then click Sync Now.
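
An integrity check for the backup taken in step 8, as an added example that is not part of the original guide: it restricts the backup directory (it holds sbmc_private_key.pem), records SHA-256 checksums before the upgrade, and verifies them before the restore in step 12. The function names and the manifest file name SHA256SUMS are assumptions, and GNU coreutils and findutils are assumed.

```shell
# Added example (not from the vendor guide): protect and verify the
# R80.40 backup directory used in steps 8 and 12.
# Assumed names: seal_backup, verify_backup, SHA256SUMS.

# seal_backup DIR
# Restrict DIR to its owner (it contains sbmc_private_key.pem) and write a
# SHA-256 manifest of every regular file in it.
seal_backup() {
    local dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    chmod -R go-rwx "$dir" || return 1
    (
        cd "$dir" || exit 1
        # Exclude the manifest itself; sort for a stable, diffable file.
        find . -type f ! -name SHA256SUMS -print0 | sort -z |
            xargs -0 -r sha256sum > SHA256SUMS
    )
}

# verify_backup DIR
# Return 0 only if every file listed in the manifest is present and unchanged.
# Files added later (for example the *_r81_20.yml copies from step 11) are
# not listed in the manifest and do not affect the result.
verify_backup() {
    local dir=$1
    [ -f "$dir/SHA256SUMS" ] || { echo "no manifest in $dir" >&2; return 2; }
    ( cd "$dir" && sha256sum --check --quiet SHA256SUMS )
}

# Run after the step 8 copy commands, before starting the upgrade:
#   seal_backup /var/log/SBMCBACKUP
# Run after the upgrade, before the step 12 restore commands:
#   verify_backup /var/log/SBMCBACKUP || echo "backup changed, do not restore"
```
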

Upgrading Harmony Mobile Connector from R80.40 to R81.20 - Setting up a new VM

Important - Before you start the procedure below, make sure you have done steps 1-3 in Upgrading Harmony Mobile Connector from R80.40 to R81.20.

  1. Install Harmony Mobile Connector on the new Gaia R81.20 VM. Follow steps 1-9 in Installing and Configuring Harmony Mobile Connector.

  2. Log in to Gaia R81.20 VM through ssh.

  3. Back up the R81.20 Connector application yml files and pii_filter conf folder. Run:

    SBMCBACKUPDIR=/var/log/SBMCBACKUP
    mkdir $SBMCBACKUPDIR
    cp -r $SBMCDIR/components/pii_filter/conf $SBMCBACKUPDIR/conf
    cp $SBMCDIR/components/api_dispatcher/application.yml $SBMCBACKUPDIR/api_dispatcher_application_r81_20.yml
    cp $SBMCDIR/components/pii_protector/application.yml $SBMCBACKUPDIR/pii_protector_application_r81_20.yml
    cp $SBMCDIR/components/directory_service/application.yml $SBMCBACKUPDIR/directory_service_application_r81_20.yml

  4. Log in to your currently configured Connector on the Gaia R80.40 VM through ssh.

  5. Stop the Connector to prevent PII data loss. Run:

    sbmc_stop

  6. Back up the R80.40 Connector pii_filter conf folder. Run:

    SBMCBACKUPDIR=/var/log/SBMCBACKUP
    mkdir $SBMCBACKUPDIR
    cp -r $SBMCDIR/components/pii_filter/conf $SBMCBACKUPDIR/conf

  7. Replace the files in the $SBMCDIR/components/pii_filter/conf folder on the R81.20 VM with the files from the Gaia R80.40 VM (same folder).

  8. Follow steps 1-3 in Configure the Harmony Mobile Connector.

  9. Edit these Gaia R81.20 VM Connector application.yml files:

    Note - Do not change the structure or order of the file content. Copy only the values you updated in the original file (on Gaia R80.40 VM) and that are mentioned in this guide.

    • $SBMCDIR/components/api_dispatcher/application.yml

    • $SBMCDIR/components/pii_protector/application.yml

    • $SBMCDIR/components/directory_service/application.yml

  10. Restart SBMC:

    sbmc_stop
    sbmc_start

  11. Verify if you have installed any CA certificates in the R80.40 Gaia VM Java truststore.

    If you have installed any CA certificates, make a note of them. You need to install them on the new R81.20 VM. For more information, see sk182094.

  12. Go to Harmony Mobile Administrator Portal > Settings > Integrations and update the Connector Configuration with R81.20 VM information:

    1. Public key - Upload or copy and paste the public key from the Install and Configure Harmony Mobile Connector section.

    2. In Server Address and in HA Server Address (optional), enter the Harmony Mobile Connector Virtual Machine address in this format:

      https://<url or ip_address>/pii_protector

    3. Click Save.

  13. Verify whether all PII data is shown as decrypted in Harmony Mobile Administrator Portal.

    Important - If the PII data is not decrypted properly, do not proceed to the next step. Contact Check Point Support to verify the new Connector configuration. Proceeding without resolving this issue may result in loss of devices' decryption information.

  14. Start MDM sync in Harmony Mobile Administrator Portal:

    1. Go to Settings > Integrations.

    2. Hover over the MDM card and click and then click Sync Now.

 

Saving the Encrypted MDM Password

To save the encrypted MDM password in the Connector configuration files:

  1. Connect to the VM through ssh and log in to Expert mode.

  2. Run this command and replace <mdm_password> with your MDM password:

    curl_cli --request POST 'http://localhost:7777/json_map?action=hide' --header 'Content-Type: application/json' --data-raw '{"fields":[{"id":"PASSWORD","value":"<mdm_password>","type":"USERNAME"}]}'

    The output displayed is the encrypted password.

    Note - To successfully run the command, make sure to enter the correct input parameters and avoid extra space characters.

  3. Edit the settings file and paste the output password into the relevant MDM configuration:

    vi /opt/CPsbmc/components/api_dispatcher/application.yml

    Example:

    mdm:
      credentials:
        <the relevant mdm you use>:
          password: <paste output password here>
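
A variant of the step 2 call that keeps the MDM password out of the shell history and the process list, as an added example that is not part of the original guide: the password is read without echo, JSON-escaped, and passed to curl_cli on standard input. It assumes curl_cli accepts curl's standard `--data-binary @-` option and that the shell is bash; the function names are hypothetical.

```shell
# Added example (not from the vendor guide). Assumed names: json_escape,
# build_hide_payload, hide_mdm_password.

# json_escape STRING
# Escape backslashes and double quotes so STRING is safe inside a JSON string.
# Control characters are not handled; passwords are assumed to be printable.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_hide_payload PASSWORD
# Produce the request body the guide shows for action=hide.
build_hide_payload() {
    printf '{"fields":[{"id":"PASSWORD","value":"%s","type":"USERNAME"}]}' \
        "$(json_escape "$1")"
}

# hide_mdm_password
# Prompt for the password (no echo) and POST it. The body travels through a
# pipe, so it never appears in the curl_cli argument list or in the history.
hide_mdm_password() {
    local pw
    printf 'MDM password: ' >&2
    IFS= read -r -s pw
    printf '\n' >&2
    build_hide_payload "$pw" |
        curl_cli --request POST 'http://localhost:7777/json_map?action=hide' \
            --header 'Content-Type: application/json' --data-binary @-
    unset pw
}
```

Call `hide_mdm_password` in Expert mode and paste the printed value into application.yml as described in step 3.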