B.2 Configuring SSL and HTTP Communication between the ZENworks Handheld Management Access Point and the Handheld Devices

You can configure the SSL and HTTP communication between the ZENworks Handheld Management Access Point and the Handheld devices by using cfgip.exe from the zfhap directory.

We recommend that you use SSL for communication between the ZENworks Handheld Management Access Point and the Handheld devices because SSL provides the following primary security services:

  1. Launch cfgip.exe from the zfhap directory.

    Configure IP - ZENworks Handheld Management Access Point dialog box
  2. Obtain a server certificate before using SSL.

    NOTE: Palm devices do not support adding root certificates that are bundled with them by default.

    1. In the Configure IP - ZENworks Handheld Management Access Point dialog box, click Obtain Server Certificate.

    2. Review the information on the Certificate Wizard page, then click Next.

    3. In the Common name option, specify the name of the machine as specified during the installation of the ZENworks Handheld Management Access Point.

      For example, if an IP address was specified during the installation of the ZENworks Handheld Management Access Point, you must specify the IP address in the Common name option. If a DNS name was specified during the installation of the ZENworks Handheld Management Access Point, you must specify the DNS name in the Common name option.

      NOTE: If you want to connect your PPC 2000 device using SSL, keep the following points in mind:

      • The server address is stored as the IP address because domain name resolution does not work on PPC 2000 devices.

      • If the PPC 2000 device is connected using IP client through wireless, you must specify the IP address of the ZENworks Handheld Management Access Point instead of the common name when you create the Certificate Signing Request (CSR). This enables the device to validate the Certificate server. But if the device cradle syncs, you can use the common name by selecting the Use Desktop Sync settings option in the ZENworks Console that is available on the device.

    4. Click Next.

    5. Specify information for your geographic location in the Country/Region, State/Province, and City/Locality text boxes, then click Next.

    6. Specify information about your organization and organizational unit, then click Next.

    7. Specify the location in which you want to save the certificate request, then click Next.

    8. Click Finish, then click OK.

      NOTE: To use NCS: In ConsoleOne, click Tools, click Issue Certificate, then follow the prompts. When having the certificate signed (if given a choice), have it saved in Base64 format.

      Handheld PCs running Windows CE 3.0 and Pocket PC 2000 devices do not support certificates originating from NCS.

  3. Have the certificate signed by a Certificate Signing Authority, such as Novell Certificate Services (NCS) or VeriSign. To have the certificate signed by NCS, continue with Step 4; otherwise, skip to Step 5.

  4. (Conditional) Perform the following steps to have the certificate self-signed by NCS:

    1. Launch ConsoleOne.

    2. In the left pane, click Security.

    3. In the right pane, double-click the Certificate Authority for the tree.

    4. In the Properties dialog box that displays, click Certificates. Click Self Signed Certificate.

    5. Click Validate. Ensure that the status in the Certificate Validation dialog box displays Valid, then click OK.

    6. Click Export, then click Next.

    7. Select File in Base64 format, then click Finish to save the exported certificate in Base64 format.

  5. To import a server certificate before using SSL:

    1. In the Configure IP - ZENworks Handheld Management Access Point dialog box, click Import Server Certificate.

    2. Click Next.

    3. Ensure that the Process the Pending Request and Install the Certificate option is enabled, then click Next.

    4. Browse to the location where you saved the certificate during Step 4.7, then click Open.

    5. Click Next.

    6. Click Finish.

  6. You can publish a trusted SSL root certificate that Windows CE clients automatically download when they connect. This should be the root certificate of the Certificate Authority used to sign your server certificate.

    If you are using a third-party Certificate Signing Authority and the root certificate does not already exist on the PC or handheld device (for example, a root certificate from NCS), you can publish the root certificate so that it is automatically downloaded.

    To publish a trusted SSL root certificate:

    1. In the Configure IP - ZENworks Handheld Management Access Point dialog box, click Configure Root Certificate.

    2. Browse to and select the signed root certificate, then click Open.

      The root certificate that you get from a Certificate Authority (CA) must be in Base64 format.

    3. Click OK twice.

  7. To enable SSL on the ZENworks Handheld Management Access Point, select the Enable SSL check box.

  8. To enable HTTP on the ZENworks Handheld Management Access Point, select the Enable HTTP Encapsulation check box.

  9. To enable SSL/HTTP on a handheld device, open the ZENworks console and do the following:

    1. For PalmOS devices, select the server from the drop-down list and select Use SSL.

      or

      For Windows CE devices, click Configure, then click Use SSL.

      If you are publishing a root certificate, click Accept Next Root Certificate.

    2. To enable HTTP for Palm devices, select Server from the drop-down list, then click Use HTTP encapsulation.

      or

      For Windows CE devices, click Configure, then click Use HTTP Encapsulation.

NOTE: If multiple Access Points are configured, repeat Step 1 through Step 9 for every Access Point.
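
A pre-import check for the signed certificate file handled in Steps 2 through 5, added here as an example and not part of ZENworks or its documentation: it confirms that the file is Base64 encoded and that the subject common name matches the Access Point address, including the IP-address rule for PPC 2000 devices connecting over wireless. The function names, the addresses, and the sample certificate (a constructed skeleton with no key or signature) are assumptions made for illustration.

```python
import base64, ipaddress, re

CN_OID = bytes.fromhex("0603550403")  # DER for OID 2.5.4.3 (commonName)
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):  # split a constructed value into (tag, value) members
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def subject_cn(der):
    """Common name of the certificate subject (the issuer's is skipped)."""
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # drop the optional version field
    subject = tbs[4][1]  # field order: serial, algorithm, issuer, validity, subject
    i = subject.find(CN_OID)
    return read_tlv(subject, i + len(CN_OID))[1].decode() if i >= 0 else None

def check_cert(data, ap_address, ppc2000_wireless=False):
    """List problems with a signed certificate file before it is imported."""
    if not (m := PEM.search(data)):
        return ["file is not Base64 encoded; export it again in Base64 format"]
    cn, problems = subject_cn(base64.b64decode(m.group(1))) or "", []
    if cn.lower() != ap_address.lower():
        problems.append(f"common name {cn!r} differs from Access Point address {ap_address!r}")
    if ppc2000_wireless:
        try:
            ipaddress.ip_address(cn)
        except ValueError:
            problems.append("PPC 2000 wireless clients need an IP address as the common name")
    return problems

def tlv(tag, body):  # DER builder for the constructed sample (short-form length only)
    return bytes([tag, len(body)]) + body
def sample_pem(cn):  # constructed certificate skeleton: no key, no signature
    name = lambda s: tlv(0x30, tlv(0x31, tlv(0x30, CN_OID + tlv(0x0C, s.encode()))))
    tbs = tlv(0x02, b"\x01") + tlv(0x30, b"") + name("Constructed Test CA") + tlv(0x30, b"") + name(cn)
    der = tlv(0x30, tlv(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

An empty list from `check_cert` means the file passed both checks; it does not validate the signature or the chain to the published root certificate.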