
Security Server 3.* Features

Managing Tenants

After deploying your Security Server installation, you will have a MASTER tenant as the default tenant.

The MASTER tenant is intended as the super-administrator tenant and should not be used for everyday operation. Instead, create a so-called "worker-tenant" as a subtenant of MASTER for your first environment.

Worker Tenant Creation

First, log in as the MASTER tenant.

In a test installation, the login credentials for the MASTER tenant are found in the Helm charts or are provided by your administrator or a KOBIL team member.

[Screenshot: Login]

Now create your so-called "worker-tenant" as a subtenant.

[Screenshot: Addtenant1]

Choose a Tenant-ID (case-sensitive!)

  • Shared checkbox: Tick Shared if you want MASTER tenant users to be able to jump into the worker-tenant ("Login as"). (Attention: this means that every MASTER tenant user can access this subtenant. Leave it unticked if the subtenant must be isolated from MASTER tenant users.)

  • Transport Key password: Set a strong Transport Key password. It is used as the login password and also as the import password for certificate-based login.

  • CA key password: Enter the CA password set during installation.

    [Screenshot: Addtenant2]

After adding the tenant, a confirmation dialogue shows whether the action was successful.

[Screenshot: added-tenant]

The new tenant can be found at:

Administration > Tenants

[Screenshot: tenant-list-Security Server]

Switching to Worker-tenant

To administer and configure the new "worker-tenant" you have to switch to it first.

(top-right menu: Login as)

[Screenshot: switchtenant1]

Select the worker-tenant name and click Switch To Tenant.

[Screenshot: switchtenant2]

The currently selected tenant is shown in the top-right corner.

[Screenshot: switchtenant3]

Adding Versions

Managing the life-cycle of app versions is an important task when using DIGITANIUM or KOBIL products. This includes provisioning the apps via the respective app stores (mobile platforms) or via download (desktop platforms), and keeping them up to date with respect to security fixes, bug fixes and new features.

The OneAppForAll feature allows this task to be delegated to the master tenant, while the apps can be used by any other tenant in the system.

Creating OneAppForAll versions

An operator of the master tenant who has the permission ASM_APP_VERSIONS_MANAGE can mark a version as "One App For All" in the Add Version dialog (1).

[Screenshot: oneappforall]

This version will then also be available to users of the other tenants.

⚠️ Please note that a "One App For All" version is always available to all tenants.

Registration must be done using an App Registration User in the master tenant, as this task belongs to the life-cycle management of the app. All properties of the version, including "Disable Integrity Check", affect usage in all tenants: disabling the integrity check on a OneAppForAll version disables it for every tenant that uses the app, not just the master tenant.

OneAppForAll versions are shown in the App Versions view and are marked as such in the column One App For All.

⚠️ Please note that it is not possible to change the OneAppForAll property of an existing app version; the respective field is greyed out in the Edit Version dialog. However, it is possible to add a new version as an update that changes the behaviour. In the example (1), version 0.0.3 introduces the OneAppForAll property and version 0.0.4 reverts it again.

[Screenshot: oneappforall1]

Since such an update would also be delivered to users of sub-tenants via the app stores, reverting the "OneAppForAll" property should be handled with care!

"OneAppForAll" versions are also shown in the App Versions view in the scope of a sub-tenant, but as read-only. Operators of the sub-tenant cannot modify or delete such versions.

There is also a field for the IAM URL. If IAM is part of your setup and is connected to your Security Server, enter the same IAM URL and validate it when creating the app version.

Assigning Version Updates

Version update management controls when an available app update is shown to all users or to a group of users, and when the update becomes mandatory. This can be managed individually per tenant in the Version Update Assignment view.

While it is the responsibility of each tenant to plan version updates for its users, the master tenant can choose to lock a version. This immediately locks out every user of every tenant that is using this app version and enforces a mandatory update to a newer version, if one is defined.

Activating an app with a OneAppForAll version

Such apps can be activated by any user of any tenant.

A user of a sub-tenant can activate such an app by providing the tenantId and a valid activation code in the app activation dialog. All user related data, including the device certificate, is kept in the scope of the sub-tenant.

Actions that require Master Tenant Admin approval

Some actions require approval from the administrator of the Master tenant before the change takes effect.

  • App bundle Creation
  • Operator Creation
  • Tenant Deletion

App bundle Creation

After logging in to your tenant, you can create an App Bundle file by following the steps below.

  • Go to the App Security Management tab (menu)

  • Go to the Version tab

  • Click the Create App Bundle button

  • A pop-up titled App Configuration Bundle Creation appears

  • Make sure the top three textboxes contain the same URL. Use https in all URLs and enter the correct ports.

  • If you do not see an option to enter the CA Password, the app bundle creation needs approval from the administrator of the Master tenant.

    [Screenshot: request-app-bundle]

  • You should see a button named Do Request, as shown in the figure above. Click it and wait for the request to be approved by the Master tenant administrator. Contact the Master tenant administrator immediately after submitting the request.

⚠️ Do not close this request; it must stay open in order to download the App Bundle file.

As soon as you submit the request, the Master Tenant administrator receives it in the Requests section, as shown below.

[Screenshot: app-bun-request2]

When the Master Tenant administrator opens the request, they must either Approve or Reject the App Bundle Creation request. To do this, they must know the Security Server CA password.

[Screenshot: approve-app-bun-2]

As soon as the administrator accepts the request, click Verify and Show Certificates to refresh the page; a mandatory CA Password field then appears. Ask the administrator to enter the Security Server CA password, after which the Download button becomes active. Click Download and App_configuration_bundle.zip is downloaded to your system.

[Screenshot: download-app-bundle]

This extra approval step is one of the important security features of the new multi-tenant Security Server. Note that the CA password stays with the Master tenant administrator throughout: it is entered by the administrator, not handed to the sub-tenant operator.
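As an added example, not part of the original page and not KOBIL's own tooling, the following Python pre-check validates the three URLs before they are entered into the App Configuration Bundle Creation dialog: all three must be the same endpoint, every URL must use https, and a port must be present. Treating a missing port as an error is stricter than the page states (it only asks for "correct ports"); relax that check if your deployment relies on the default 443. The field labels, host name and ports in the sample input are constructed for illustration.

```python
# Added example (not KOBIL code): pre-check for the three URLs entered in the
# App Configuration Bundle Creation dialog.  Labels, host names and ports used
# in the sample input are made up for illustration.
from urllib.parse import urlsplit


def check_bundle_urls(urls):
    """Return a list of problems found; an empty list means the URLs pass.

    `urls` maps a field label to the URL typed into that field, in dialog order.
    Checks: https scheme, host present, explicit numeric port, no embedded
    credentials, and all entries describe the same endpoint.
    """
    problems = []
    normalised = []  # (label, scheme, host, port, path) for the equality check
    for label, url in urls.items():
        u = urlsplit(url.strip())
        scheme = u.scheme.lower()
        if scheme != "https":
            problems.append(f"{label}: scheme must be https, got '{scheme or 'none'}'")
        host = (u.hostname or "").lower()
        if not host:
            problems.append(f"{label}: no host name in '{url}'")
        try:
            port = u.port  # raises ValueError for a non-numeric port
        except ValueError:
            problems.append(f"{label}: port is not a number in '{url}'")
            port = None
        if port is None:
            # Assumption: the dialog wants the port spelled out (e.g. :443 or :8443)
            problems.append(f"{label}: port must be given explicitly")
        if u.username or u.password:
            problems.append(f"{label}: credentials embedded in URL; remove them")
        # trailing slash differences are not a real mismatch, so strip it
        normalised.append((label, scheme, host, port, u.path.rstrip("/")))

    # All three textboxes must refer to exactly the same Security Server endpoint.
    if normalised:
        first = normalised[0]
        for other in normalised[1:]:
            if other[1:] != first[1:]:
                problems.append(f"{other[0]} differs from {first[0]}: URLs must be identical")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one consistent set and one with typical mistakes.
    good = {
        "server_url": "https://ssms.example.com:8443/",
        "activation_url": "https://ssms.example.com:8443",
        "update_url": "https://ssms.example.com:8443/",
    }
    bad = {
        "server_url": "https://ssms.example.com:8443/",
        "activation_url": "http://ssms.example.com:8443/",   # plain http
        "update_url": "https://ssms.example.com/",           # port missing
    }
    for name, urls in (("good", good), ("bad", bad)):
        found = check_bundle_urls(urls)
        print(name, "->", "OK" if not found else "; ".join(found))
```

Run the script before opening the dialog; anything it reports should be fixed in the textboxes, because a mismatched or plain-http URL is baked into the downloaded App_configuration_bundle.zip and every app activated from it.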

Operator Creation

To create an Operator, log in to your tenant and go to the path shown in the figure.

[Screenshot: create-operator1]

When you click Add Operator, the fields for the Operator ID, password and role information appear. Fill in all the information as shown below and click Do Request.

[Screenshot: create-operator2]

As soon as you submit the request, the Master Tenant administrator receives it in the Requests section, as shown below.

[Screenshot: operator-creation-3]

When the Master Tenant administrator opens the request, they must either Approve or Reject the Operator Creation request. To do this, they must use the Security Server CA password.

[Screenshot: operator-creation-4]

As soon as the request is approved, the operator is created in your tenant, as shown below.

[Screenshot: operator-creation-5]

Tenant Deactivation

Removing a tenant means disabling it so that it is no longer in use.

  • First, the System Administrator marks the tenant as to-be-deleted.

    [Screenshot: deactivetenant0]

  • The tenant administrator then sees a deactivation request, which they must approve. Until it is approved, the tenant remains active.

    [Screenshot: deletetenant-approval]

  • Once the tenant administrator opens and approves the request, the tenant is marked for deactivation.

    [Screenshot: approvdeletetenant]

  • The Master Tenant Administrator can now see that the sub-tenant is deactivated.

    [Screenshot: disabletenant]