All Kony Fabric Posts

Kony Management - Public-Private key pair rotation

Ajay Bhat - Aug 10, 2017 - EMM

In this post, Bipin Jethwani discusses an important security feature: encryption key rotation.

Kony Management (aka KonyEMM) transparently injects support for 2-Way SSL, SQLite Encryption and other such security features to the mobile apps exposed via its Enterprise Store. And, the security of those enterprise assets/data on enrolled mobile devices is of paramount importance. This blog post will talk about how admins can configure it to get that extra edge.

For people new to this – KonyEMM transparently protects the Enterprise App’s SQLite database with key/passphrase dynamically generated on the device based on some key material generated on EMM server. This way the key for the SQLite/SQLCipher is kept specific to a user for a particular device and at the same time it’s not stored on either the device or the server database, i.e. protected from the mobile end-users, hackers, and the admins.

KonyEMM generates multiple RSA public private key pairs which play a vital role in protecting these managed enterprise resources on mobile devices. These are also used for encrypting the payloads between enrolled mobile devices and the KonyEMM server. This asymmetric encryption is used on top of TLS/SSL.

Hence, in this blog post, we wanted to quickly reiterate that rotation of the RSA public private key pair is important and customers should pick on a nice schedule to trigger that rotation process in KonyEMM server.

Admins must configure the right schedule in /mgmt  console.

Please Note:

  • This blog post is applicable for both EMM and MAM enrollment modes, and also for an MAM-only license.
  • Customers who have been using KonyEMM before EMM 3.5.0 release and have been upgrading their software ever since need to explicitly enable this feature. Here's how to do so:

Navigate to

https://<<konyemm>>/mgmt

Settings >> Application Settings >> Encryption Keys.

Old UI

UI before migrating to key rotation

 

Once an admin uses the “Migrate to Auto-generation Scheme” option shown above, the admin will be provided with a UI similar to below to specify the schedule for next PKI key pair generation.

New UI

 

UI after key rotation is enabled

 

This will trigger re-wrapping of all the Enterprise Apps including our Enterprise Store app (aka Launchpad). Hence, this needs to be planned with other business activities. The end-users will have to take upgrade their apps once KonyEMM server finishes re-wrapping of the app. The older apps on end users' mobile devices will stop working once the wrapping job finishes and server auto publishes that app.

Other features depending on these versioned RSA public private key pair

1. KonyEMM 3.5.1 - 2-Way SSL based client authentication certificate sharing for SSO for Android.

Enterprise Store app (a.k.a Launchpad) creates and manages the PKCS#12 store on device completely controlled and tightly secured by EMM. Based on admin selection on mgmt console, this certificate store is shared across to other Enterprise Apps on the mobile device.

http://community.kony.com/blogs/mobilefabric/kony-app-management-two-way-ssl-authentication-support-enterprise-applications

2. KonyEMM 3.5.1 - App policy protection.

The policy payload is protected in-flight and at-rest in the device.

EMM 3.5.1 Release Notes: http://docs.kony.com/6_5/konylibrary/management/emm_releasenotes/Default.htm

3. KonyEMM 4.2 – Load balancer based 2Way SSL client cert

Protecting passphrase for admin provided load balancer based 2Way SSL client cert. 

Hence, it’s strongly recommended that you move to the newer auto-generation scheme mentioned above. Otherwise, the code flows through a less secure implementation, which is there just for backward compatibility.