Configuring the Bravura Security Fabric Server
This chapter describes how to set up your Bravura Security Fabric server for Bravura One and for use with the Bravura One app.
The following steps are required:
Set up the Mobile Worker Service
Configure the self-service rules
Optional:
Configure the global help desk rules
You can also implement additional configuration options.
Setting up the Mobile Worker Service
The Mobile Worker Service (mobworker) works in conjunction with the Bravura One mobile proxy server to allow the Bravura One app on mobile devices to reach Bravura Security Fabric servers on a private corporate network, and to receive push notifications, from a home or public Wi-Fi hotspot or a cellular data plan.
The Mobile Worker Service uses the following components to communicate with the Bravura One mobile proxy server:
Bravura One mobile proxy server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy server.
Bravura One mobile proxy push notification server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy push notification server.
Configure the Mobile Worker Service
Note
If you need the configuration details after the initial installation, you can run setup-mobproxy.sh on the Bravura One mobile proxy server.
To configure the Mobile Worker Service:
Log in to Bravura Security Fabric as a superuser.
Click Manage the system > Maintenance > Services.
Select Bravura Security (mobworker) Mobile Worker Service.
Configure the Proxy server authentication key to be the same as the authentication encryption key that is configured on the Bravura One mobile proxy server.
Configure the Proxy server URL for the URL of the Bravura One mobile proxy server. For example:
https://mobproxy.bravurasecurity.com/your_company/<instance>/
Ensure that the instance name in the Proxy server URL is the same as the instance name configured for the Bravura Security Fabric server.
If a load balancer is being used for the Bravura One mobile proxy servers, the load balancer URL must be specified in Proxy server URL. This is also the public URL that the Bravura One app communicates with in order to be directed to a Bravura One mobile proxy server by the load balancer.
Configure the Private proxy server URL for this instance as the URL of the Bravura One mobile proxy server that will hold the persistent connection for this instance when the proxy servers sit behind a load balancer.
This parameter is not required if a load-balanced URL has not been configured for the Proxy server URL.
In load-balanced environments for the Bravura One mobile proxy servers, this value may be a single URL for a specific proxy server, or a comma-separated list of Bravura One mobile proxy server URLs. Setting it to multiple proxy servers allows for failover if a Bravura One mobile proxy server is taken offline or is unavailable: the next proxy server in this list that the load balancer designates is used for the connections, so that the Bravura One app may continue to be used uninterrupted. Each Bravura One mobile proxy server intended as a failover must be in the comma-separated list for Private proxy server URL for this instance.
When the Bravura Security Fabric server is set up for database replication, the value for Private proxy server URL for this instance on the instance nodes may either be set to the same Bravura One mobile proxy server, or each node may be set to its own proxy server.
In all cases, the instance name in each of the URLs for Private proxy server URL for this instance must be the same as the instance name configured for the Bravura Security Fabric server.
See Configuring load balancing for the Bravura One mobile proxy for more information on load balancing the Bravura One mobile proxy servers.
Configure the URL of the local instance as the fully qualified URL of the Bravura Security Fabric server that the Mobile Worker Service is currently running on. When a load balancer is configured for the Bravura One mobile proxy servers, this must be set on each server so that the value is unique on each instance and does not fall back to BASE_IDSYNCH_URL, which would be the same across all replicated nodes. In load-balanced mobile proxy server environments, the server must also be configured for HTTPS on this URL.
Set this using the following format:
https://<fqdn>/<instance_name>
Configure the Push notification server authentication key to be the authentication encryption key that is configured for the Bravura One mobile proxy push notification server.
Configure the Push notification server URL for the URL of the Bravura One mobile proxy push notification server.
Contact support@bravurasecurity.com for assistance with the configuration and access of the Bravura One mobile proxy push notification server and for the Push notification server authentication key and Push notification server URL for your environment.
If the Bravura Security Fabric server uses a self-signed certificate for HTTPS encryption, check the checkbox for Ignore all server certificate warnings .
If the Bravura Security Fabric server is separately configured to use a corporate proxy server (for example, for Windows updates), then set HTTP proxy to use for outgoing connections (address:port) to the corporate proxy server. In this configuration, the Bravura One mobile proxy server host must be added to the bypass list. For example, using WinHTTP, this may be configured with the following command (bypass-list entries are host names or wildcard patterns, not URLs):
netsh winhttp set proxy proxy-server="http://corporateproxy.bravurasecurity.com:80" bypass-list="mobproxy.bravurasecurity.com"
Configure the rest of the parameters as needed. The default values may also be used.
The Mobile Worker Service timeout should be smaller than the minimum of the timeout setting for the Mobile Proxy Service and any proxy or firewall timeout in between the Mobile Worker Service and the Mobile Proxy Service.
If Automatically determine proxy server timeout is checked, the Mobile Worker Service automatically decreases the configured timeout to an appropriate value if the communication is broken unexpectedly.
Click Update to update the settings.
See Mobile Worker Service for help configuring the Mobile Worker Service (mobworker).
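The configuration above, and the load-balancing section that follows, impose a few invariants that are easy to get wrong across replicated nodes: every proxy URL and the local instance URL must carry the same instance name and use HTTPS, failover entries are a comma-separated list of full URLs, and the worker timeout must be shorter than every timeout on the path to the Mobile Proxy Service. The following checker is an added example, not Bravura code; the function and parameter names are assumptions, and the URLs in the docstring are constructed.

```python
"""Added example (not Bravura code): consistency checks for Mobile Worker
Service settings as described in this chapter."""
from urllib.parse import urlparse


def instance_name(url: str) -> str:
    """Return the last path segment of https://<host>/.../<instance_name>/.

    Both the proxy URL (https://mobproxy.example.com/your_company/<instance>/)
    and the local instance URL (https://<fqdn>/<instance_name>) end in the
    instance name, so the same rule applies to both."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        raise ValueError(f"{url}: must be an HTTPS URL")
    segments = [s for s in parsed.path.split("/") if s]
    if not segments:
        raise ValueError(f"{url}: no instance name in path")
    return segments[-1]


def check_mobworker(instance, proxy_url, private_proxy_urls, local_url,
                    worker_timeout, path_timeouts):
    """Return a list of problems found (an empty list means consistent).

    private_proxy_urls: the comma-separated 'Private proxy server URL for this
    instance' value; may be empty when no load balancer is in use.
    path_timeouts: Mobile Proxy Service timeout plus any proxy or firewall
    idle timeout between the two services, in seconds."""
    problems = []
    labelled = [("Proxy server URL", proxy_url),
                ("URL of the local instance", local_url)]
    # Failover entries: split the comma-separated list, ignoring blanks.
    labelled += [("Private proxy server URL", u.strip())
                 for u in private_proxy_urls.split(",") if u.strip()]
    for label, url in labelled:
        try:
            found = instance_name(url)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        if found != instance:
            problems.append(f"{label}: instance '{found}' != '{instance}'")
    # Worker timeout must be strictly below the smallest timeout on the path.
    if path_timeouts and worker_timeout >= min(path_timeouts):
        problems.append(f"worker timeout {worker_timeout}s must be below "
                        f"{min(path_timeouts)}s (smallest path timeout)")
    return problems
```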
Enable the Mobile Worker Service
After you have configured the Mobile Worker Service, you must enable and start the service. On the Service information page:
Click Enable the service.
Click Start the service.
Configure load balancing for the Bravura One proxy servers
By default, communication between the Bravura One mobile proxy server and the Bravura Security Fabric is established using the Proxy server URL parameter for the Mobile Worker Service.
Load balancing of the Bravura One mobile proxy servers may be configured in order to distribute the load from Bravura One apps on mobile devices accessing the Bravura Security Fabric servers.
Once a connection has been established, the session should be bound to that server via a "sticky sessions" or persistent connection mechanism. This is because the Bravura Security Fabric server and Mobile Worker Service must maintain a consistent connection with a single Mobile Proxy Service running on a Bravura One mobile proxy server, so that it is always using the same server. The load balancer must be configured to require persistent connections.
To configure a load balancer from the Mobile Worker Service, set the Proxy server URL to the load-balanced URL. This is also the public URL that the Bravura One app itself uses.
The Private proxy server URL for this instance parameter for the Mobile Worker Service must then be set to the specific Bravura One mobile proxy server that the Bravura Security Fabric server will communicate with.
In load-balanced environments for the Bravura One mobile proxy servers, and when the Bravura Security Fabric server is set up for database replication, the value for Private proxy server URL for this instance may be set to the same proxy server URL across instance nodes so that they share one Bravura One mobile proxy server, set to a unique Bravura One mobile proxy server URL on each node, or set to a comma-separated list of Bravura One mobile proxy servers.
Setting it to multiple proxy servers allows for failover if a Bravura One mobile proxy server is taken offline or is unavailable: the next proxy server in this list that the load balancer designates is used for the connections, so that the Bravura One app may continue to be used uninterrupted. Each Bravura One mobile proxy server intended as a failover must be in the comma-separated list for Private proxy server URL for this instance.
The URL of the local instance must be set to the fully qualified URL of the Bravura Security Fabric server that the Mobile Worker Service is currently running on. It must be set on each individual Bravura Security Fabric server so that it does not fall back to the URL set for BASE_IDSYNCH_URL, which would be the same across all replicated nodes.
The URL must also be configured for HTTPS for the Bravura Security Fabric server.
Set this using the following format: https://<fqdn_or_ip_address>/<instance_name>
Each Bravura Security Fabric server must also be configured for database replication in order to synchronize the Bravura One app registrations and other information between each of the servers.
See Replication and Recovery Guide for more information on setting up database replication between instances.
The updinst.exe utility may be used to synchronize the registry entries between the replicated servers, as well as the settings for the Mobile Worker Service. The Mobile Worker Service will still need to be manually enabled and started on each node, and the Private proxy server URL for this instance parameter must still be defined manually on each one.
See updinst for more information on the updinst.exe utility.
Without a load balancer, the Bravura One app on a mobile device communicates directly with the Mobile Proxy Service running on the Bravura One mobile proxy server, which in turn communicates with the Mobile Worker Service on the Bravura Security Fabric server.
When a load balancer is in place, the Bravura One app on a mobile device communicates first with the load balancer (as defined by the Proxy server URL parameter for the Mobile Worker Service).
The load balancer then chooses one of the Bravura One mobile proxy servers. Multiple proxy servers may be configured to be contacted by the load balancer.
The Bravura One mobile proxy server that is contacted then communicates with the Bravura Security Fabric server whose Mobile Worker Service has that proxy server defined in its Private proxy server URL for this instance.
Configure the self-service rules
You must update user access rules to determine who is allowed to register and activate mobile devices.
To modify the user access rules for Bravura One for users:
Click Manage the system > Security > Access to user profiles.
Select Self-service rules.
Either add a new self-service rule or select ALL_SELF_REQUEST for all users.
Add the "Manage mobile devices" privilege.
Click Update to update the self-service rule.
Configure the global help desk rules
You must update user access rules to determine who is allowed to view or delete mobile devices on behalf of other users.
To modify the global help desk rules for help-desk users to view or delete Bravura One app registrations for other users:
Click Manage the system > Security > Access to user profiles.
Select Global help desk rules.
Either add a new global help desk rule or select GLOBAL_HELP_DESK or HELP_DESK_MANAGERS for one of the help desk rules.
Add the "Manage mobile devices" privilege.
Click Update to update the global help desk rule.
Force users to activate a mobile device
You can force users to register and activate a mobile device as part of the enrollment process. Users are redirected to the Mobile devices page when forced enrollment for mobile devices has been enabled.
From an authentication chain point of view, if mobile devices are going to be required as a form of multi-factor authentication, the mobile authentication module should only be activated for users that have registered devices. This configuration allows users to log in to Bravura Security Fabric without a device when one has not been registered yet. The forced enrollment module can then direct the user to the mobile device registration page.
To force users to activate a mobile device:
Ensure that the Bravura Security Fabric and Bravura One mobile proxy servers have been configured for Bravura One.
Ensure that a self-service rule has been configured so that the users have the "Manage mobile devices" privilege. This may be configured either for a new self-service rule or ALL_SELF_REQUEST for all users.
Add the mobiledevice value to PSF FORCE ENROLLMENT:
Click Manage the system > Modules > Front-End (PSF).
Locate the PSF FORCE ENROLLMENT option.
Add ,mobiledevice to the existing list of comma-separated values.
Additional configuration for Bravura One
Adjust the mobile activation timeout
Modify the PSF MOBILE REGTIMEOUT system variable if you want to change the amount of time a user is allowed to scan the QR code when activating their mobile device with the Bravura One app. By default, the activation expires after 300 seconds.
Set the maximum number of mobile device registrations per user
Modify the MAX MOBILE DEVICES system variable in order to set the maximum number of mobile devices that a user may register for themselves.
Add the Mobile authentication module for an authentication chain
Add an authentication chain for the Mobile authentication module. This allows users to authenticate, as a second factor, by scanning a QR code provided by this module.
The QR code must be scanned with the Bravura One app that is registered for Bravura One for that user.