
This article describes additional tasks to upgrade Protocol Gateway from version 8.2.0 or earlier. For the full upgrade instructions, see Upgrade Protocol Gateway.


Prerequisites

The following prerequisites apply:

Step-by-step instruction

The following configurations are done in configuration files in <configroot>.

About <configroot>

See Configuration files in Protocol Gateway.


Configure SCEP

The SCEP implementation has been updated in the following ways:

To be able to use the new features, do the following updates: 

  1. If the file <configroot>/scep.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If the file has been modified, then do the following: 
    1. Open the file <configroot>/scep.properties for editing. 
    2. Add the following lines below default.racachainlength = 0:

      Example: scep.properties
      # Changes the response format for the GetCACert call to return the RA
      # certificate in binary format if set to true.
      # Only works if racachainlength is set to 1.
      default.responseasbinary = false
      


    3. Add the following lines below default.ra.signature.keyusage = digitalsignature:

      Example: scep.properties
      # SCEP INTUNE
      #
      # SCEP Intune allows for integration with Azure AD to automatically
      # enroll and manage iOS, Android, Windows and Mac devices.
      #
      # tenant - is the Tenant which is the fully qualified domain name (FQDN)
      # of the organization configured in Intune.
      #
      # azure_app_id - specifies the azure application id of the app
      # registration.
      #
      # azure_app_key - specifies the client secret of the app registration.
      #
      # certificateAuthority - specifies the name of the CA performing the
      # requests to Intune.
      


    4. Append the following lines at the end of the file:

      Example: scep.properties
      # http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
      #
      # Handler for SCEP dynamic challenge endpoint (NDES compliant)
      #
      handler.3.filter = ndeschallenge/
      handler.3.format = scep-ndes
      handler.3.ndesUsername = ndesadmin
      handler.3.ndesPassword = ndespassword
      handler.3.ndesChallengeValidity = PT15M
      # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
      #
      # Handler for SCEP request using dynamic challenge password
      # (NDES compliant)
      #
      handler.4.filter = ndesrequest
      handler.4.format = scep
      handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
      
      # http://<pgwy-host>:<port>/pgwy/scep/intune/pkiclient.exe
      #
      # Handler for requests that should be validated against a Microsoft
      # Intune server.
      handler.5.filter = intune/pkiclient.exe
      handler.5.format = scep-intune
      handler.5.tenant = tenant
      handler.5.azure_app_id = app-id
      handler.5.azure_app_key = app-key
      handler.5.certificateAuthority = CA


    5. Save the file.


Configure CMC

Support for CMC revoke request has been added.

  1. If the file <configroot>/cmc.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If the file has been modified, then do the following:
    1. Open the file <configroot>/cmc.properties for editing.
    2. Add the following lines below default.tokenprocedure = TLS Web Server Token:

      Example: cmc.properties
      # ra.keyfile - is the token to sign the fullcmc responses,
      # required for CMC Revoke.
      # Not required if CMC Revoke handler is disabled.
      # ra.password - is the password to the keyfile. It is recommended to
      # obfuscate sensitive data with .encrypted.


    3. Append the following lines at the end of the file:

      Example: cmc.properties
      handler.2.filter = revoke
      handler.2.filterContentType = application/pkcs7-mime;\h*smime-type\h*=\h*CMC-request
      handler.2.format = cmc-revoke
      # fullcmc responses (required as response to Revocation request) require
      # an RA token to be signed with
      handler.2.ra.keyfile = protocol-gateway-ra.p12
      handler.2.ra.password = abcd1234


    4. Save the file.
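
After editing scep.properties and cmc.properties as described above, a quick check can confirm that no credential property still carries the value shown in the examples and that no line was broken while pasting. The following is an added example, not part of Protocol Gateway or of the original article; the parser is simplified (no line continuations), and the sample file and function names are constructed for illustration.

```python
import re

# Values that appear in this article's example snippets for credential
# properties, keyed by the lower-cased property suffix.
EXAMPLE_VALUES = {
    "ndesusername": "ndesadmin",
    "ndespassword": "ndespassword",
    "ra.password": "abcd1234",
    "azure_app_key": "app-key",
}

# Constructed sample, not a real configuration; replacement value is made up.
SAMPLE = """\
handler.3.filter = ndeschallenge/
handler.3.ndesUsername = ndesadmin
handler.3.ndesPassword = constructed-replacement-value
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure
with NDES Challenge
handler.2.ra.password = abcd1234
"""

def parse_properties(text):
    """Simplified key = value parser; returns (entries, stray_lines)."""
    entries, stray = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            entries[match.group(1)] = (number, match.group(2).strip())
        else:
            # Neither a comment nor a pair, e.g. a wrapped comment or value.
            stray.append((number, line))
    return entries, stray

def audit(text):
    """Return sorted (line_number, finding) tuples for one properties file."""
    entries, stray = parse_properties(text)
    findings = [(n, f"not a comment or key = value pair: {s!r}") for n, s in stray]
    for key, (number, value) in entries.items():
        for suffix, example in EXAMPLE_VALUES.items():
            if key.lower().endswith("." + suffix) and value == example:
                findings.append((number, f"{key} still has the example value"))
    return sorted(findings)

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```
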


Configure V2X API

Support for configuring connection properties to the authorization server has been added.

  1. If the file <configroot>/c2x.properties is unmodified, remove this file and it will be recreated with new defaults when restarting Protocol Gateway.
  2. If it has been modified, then do the following:
    1. Open the file <configroot>/c2x.properties for editing.
    2. Replace the line #default.authorizationUrl = <authorization-server-url> with the following lines:

      c2x.properties
      # Parameters for the AccessTokenVerifier modifier.
      #
      # default.authorizationUrl = <authorization-server-url>
      # default.authKeyCacheLifeSpan = P365D
      # default.authKeyCacheRefreshTime = P1D
      #
      # Timeout values in ms.
      # default.authKeyConnectTimeout = 1000
      # default.authKeyReadTimeout = 1000


    3. Save the file.



Related information