Setting up and configuring Bravura One
Task checklist for Bravura One implementation
Use this checklist as a guide to ensure that you complete each step in enabling mobile access with Bravura One:
Use setup to install Bravura Security Fabric.
Configure the Bravura Security Fabric server.
Add at least one Source of Profile target.
This will provide the user profiles available to register with Bravura One.
Configure the self-service rules.
This is to determine the access controls for which users are allowed to register mobile devices.
Configure the global help desk rules.
This is to determine the access controls for which help desk users are allowed to view and delete mobile device registrations on behalf of other users.
Configure any additional configuration options for Bravura One.
This includes skin customizations and adjusting the activation timeout.
Set up the mobile proxy server.
Install Apache and copy the binaries to the mobile proxy server using one of the following methods:
Install Apache and copy the mobile proxy RPMs on Red Hat Enterprise Linux
Install Apache and copy the mobile proxy DEBs on Debian GNU/Linux
Ensure that the version of the Bravura One mobile proxy server matches the version that is shipped with the Bravura Security Fabric server.
Install the mobile proxy server using the setup-mobproxy script.
During the installation you will be prompted to configure and enable the Mobile Worker Service in Bravura Security Fabric, including adding the Bravura One mobile proxy server URL as well as the authentication key that is configured on the proxy server. The script will not continue until this has been configured and the Mobile Worker Service is restarted.
Install the Bravura One app onto the mobile devices.
The Bravura One app is available for both Android and iOS mobile devices.
Setting up the mobile proxy server
This chapter describes setting up the Bravura One mobile proxy server running the Mobile Proxy Service (mobproxy). The configuration in this document is based on:
Red Hat Enterprise Linux installation on CentOS 7.x x64 or 8.x x64 architecture.
Debian GNU/Linux installation on the Debian 9.x AMD64 architecture.
Note
If support for another distribution is required, please contact support@bravurasecurity.com.
Additional configuration may be needed depending on your distribution, environment and requirements. Contact support@bravurasecurity.com for assistance with the installation and configuration of the Bravura One mobile proxy server.
Ensure that you keep a record of the following information in a safe location, as it will be required when configuring Mobile Worker Service:
Bravura One mobile proxy server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy server.
Bravura One mobile proxy push notification server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy push notification server.
To set up a Bravura One mobile proxy server on a Red Hat Enterprise Linux (RHEL) or CentOS installation:
Log in to the Unix server with administrative privileges and confirm the following:
Shared memory has been enabled and /dev/shm exists.
The /tmp folder must exist on the RHEL/CentOS server.
The libc package has been installed.
The OpenSSL 1.1 package has been installed.
Install the web server.
The Bravura One mobile proxy server requires a web server. Apache is the most commonly used Web Server on Linux servers. To install Apache2:
At a terminal prompt enter the following command:
sudo yum install httpd
The server must use a pre-fork Multi-Processing Module.
This command installs the default version of Apache for RHEL/CentOS, which may not be the latest version of Apache.
The setup-mobproxy.sh installation script will also check the dependencies for the web server and will automatically install any additional required modules.
To eliminate any manual intervention, configure Apache2 to start on boot. That way, if the server is ever restarted, Apache2 will automatically start again. The method to do this depends on the version of the distribution. Consult the distribution’s documentation.
Confirm that mod_rewrite and mod_cgi are enabled.
View the default Apache configuration file, /etc/httpd/conf/httpd.conf and confirm that the following lines are uncommented and listed with other LoadModule entries:
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule cgi_module modules/mod_cgi.so
Enable and configure SSL for the default site.
Bravura Security requires that you configure the site for HTTPS to secure communications between the Bravura One mobile proxy server and Bravura Security Fabric server.
The following are useful links to get you started:
https://wiki.centos.org/HowTos/Https
https://mozilla.github.io/server-side-tls/ssl-config-generator/
An SSL certificate from a trusted Certificate Authority should be used.
See Configure SSL for more information on configuring SSL for the Bravura One mobile proxy server.
Locate the idmunix folder from the Bravura Security Fabric server. By default, it is installed in the addon directory.
The Mobile Proxy Service is available for the following RHEL/CentOS distributions:
idmunix-rhel-el7.x64.tar.gz
idmunix-rhel-el8.x64.tar.gz
Copy the idmunix-rhel-<cpu>.x64.tar.gz file from the idmunix directory to a scratch directory, such as /tmp/, on the Unix server.
Log into the Unix server with administrative privileges, and extract the files from the idmunix archive.
For example for CentOS 8.x, at a terminal prompt enter the following commands:
cd /tmp
tar -zxvf idmunix-rhel-el8.x64.tar.gz
Locate the following files:
hid-common.rhel-el8.x64.rpm
hid-idapi.rhel-el8.x64.rpm
hid-mobproxy.rhel-el8.x64.rpm
With administrative privileges, extract the files from the rpm archive.
For example, at a terminal prompt enter the following commands for CentOS 8.x:
cd /tmp
rpm -i hid-common.rhel-el8.x64.rpm
rpm -i hid-idapi.rhel-el8.x64.rpm
rpm -i hid-mobproxy.rhel-el8.x64.rpm
Version note
The following module is not shipped with Bravura Security Fabric 12.7 or newer. It can be provided at additional cost.
To set up a Bravura One mobile proxy server on a Debian GNU/Linux installation:
Log in to the Unix server with administrative privileges and confirm the following:
Shared memory has been enabled and /dev/shm exists.
The /tmp folder must exist on the Debian server.
The libc package has been installed.
The OpenSSL 1.1 package has been installed.
Install the web server.
The Bravura One mobile proxy server requires a web server. Apache is the most commonly used Web Server on Linux servers. To install Apache2:
At a terminal prompt enter the following command:
sudo apt-get install apache2 apache2-mpm-prefork
The setup-mobproxy.sh installation script will also check the dependencies for the web server and will automatically install any additional required modules.
To eliminate any manual intervention, configure Apache2 to start on boot. That way, if the server is ever restarted, Apache2 will automatically start again. The method to do this depends on the version of the distribution. Consult the distribution’s documentation.
Enable the default site.
Run the following command at a terminal prompt to enable the default site:
sudo a2ensite default
Enable mod_rewrite.
Run the following command at a terminal prompt to enable mod_rewrite.
sudo a2enmod rewrite
Enable and configure SSL on the default site.
Bravura Security requires that you configure the site for HTTPS to secure communications between the Bravura One mobile proxy server and Bravura Security Fabric server. The following are useful links to get you started:
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://mozilla.github.io/server-side-tls/ssl-config-generator/
An SSL certificate from a trusted Certificate Authority must be used. A self-signed certificate may not be used for the Bravura One mobile proxy server.
See Configuring SSL for more information on configuring SSL for the Bravura One mobile proxy server.
Check to see if the mpm_prefork module is already installed. This may be verified with the following command:
sudo apache2ctl -M
Look for mpm_prefork_module in the list of enabled modules.
If necessary, at a terminal prompt enter the following command to disable mpm_event and enable mpm_prefork.
a2dismod mpm_event
a2enmod mpm_prefork
Locate the idmunix folder from the Bravura Security Fabric server. By default, it is installed in the addon directory.
Copy the idmunix-debian-9.x64.tar.gz file from the idmunix directory to a scratch directory, such as /tmp/, on the Unix server.
Log into the Unix server with administrative privileges, and extract the files from the idmunix archive.
For example, for Debian 9.x, at a terminal prompt enter the following commands:
cd /tmp
tar -zxvf idmunix-debian-9.x64.tar.gz
Locate the following files:
hid-common_12.0.1_amd64.deb
hid-idapi_12.0.1_amd64.deb
hid-mobproxy_12.0.1_amd64.deb
With administrative privileges, extract the files from the deb archive.
For example, at a terminal prompt enter the following commands for Debian 9.x:
cd /tmp
sudo dpkg -i hid-common_12.0.1_amd64.deb
sudo dpkg -i hid-idapi_12.0.1_amd64.deb
sudo dpkg -i hid-mobproxy_12.0.1_amd64.deb
The Mobile Proxy Service may be installed using the setup-mobproxy.sh installation script.
The dependencies for the httpd or apache2 web server will be checked and any additional required modules will be automatically installed.
Usage:
setup-mobproxy.sh proxy-url (syntax: scheme://host[:port]/company/instance)
The authkey parameter may be optionally passed in to specify the authentication key. This is used for the value for Proxy server authentication key in the Mobile Worker Service configuration. If a value is not specified then it will be auto-generated by the install script.
The loglevel parameter may be optionally passed in to specify the log level for the mobile proxy log messages on the Linux server. If this is not specified then the default is to set it to warning. These are the available log levels:
error
warning
info
debug
The proxy URL that is passed in is what is specified for the value for Proxy server URL in the Mobile Worker Service configuration. The host and port are for the mobile proxy server. The default port is 443 if it is omitted.
Example installation command for setup-mobproxy.sh:
authkey="authkeyvalue" loglevel=debug ./setup-mobproxy.sh https://mobile.bravurasecurity.com/hid/pm
Log into the Unix server with administrative privileges. At a terminal prompt enter the following commands to locate the installation script and view the help usage:
cd /usr/local/psunix/mobproxy
sudo ./setup-mobproxy.sh
Run the installation script. For example:
authkey="authkeyvalue" loglevel=debug ./setup-mobproxy.sh https://mobile.bravurasecurity.com/hid/pm
When installing with an https address and for SSL, the installation script will prompt you for an SSL/TLS certificate and the private key, or if you wish to allow for the script to generate a self-signed certificate.
The certificate file must contain the site certificate, the intermediate certificates and the root certificate. Separate intermediate certificates must either be combined into the certificate file, or the SSLCertificateChainFile line must be added manually to the Apache configuration file. Once the site is up and running, an online SSL certificate checker can be used to verify the site's SSL certificate chain.
Wait a few minutes for the script to continue and complete the installation.
The installation will prompt you to apply the settings for the Mobile Worker Service in Bravura Security Fabric. The installation will provide the configuration details. Use the primary Bravura Security Fabric server's WebUI to:
Configure the Mobile Worker Service.
Enable the Mobile Worker Service.
Return to the prompt for the installation script.
Note
To use the primary Bravura Security Fabric server's WebUI, bypass the load balancer to connect directly to the primary node's URL, or RDP to the primary application node and use the WebUI via localhost. Check the page footer to ensure the WebUI is rendered from the primary application node.
After running the installation script, the command output indicates the values that will be used by the installation script for the scheme, mobile proxy server name, company and instance name, proxy server authentication key, and log level. Some of these values will also be used for the rewrite rule in the Apache configuration that determines how the proxy communicates with the Mobile Worker Service.
Log messages will be shown on the command output indicating connection information to the Mobile Worker Service and Bravura Security Fabric server.
A rollback script is also generated to remove the mobile proxy configuration added by the installation script and undo the changes in case you need to redo the installation or configuration settings.
Once it is complete, the script will indicate that the mobile proxy service has been installed successfully.
The mobproxy-<company>-<instance>.conf configuration file for the mobile proxy is added to /etc/httpd/conf.d on CentOS or /etc/apache2/sites-enabled on Debian.
This file also contains the rewrite rule for configuration parameters used by the Mobile Worker Service.
Optional: Adjust the maximum time difference between the proxy and instance servers in seconds by configuring the MAX_TIME_DIFF CGI environment variable. The default is 3600 seconds.
RewriteRule ^/<company>/<instance>/(.*)$ /cgi-bin/logid-<instance>-<company> [L,PT,E=MAX_TIME_DIFF:<new_value_sec>,...]
The following is a CentOS example for the mobproxy-<company>-<instance>.conf configuration file added by setup-mobproxy.sh:
<VirtualHost *:443>
ServerName <servername.example.com>
Timeout 600
ScriptAlias "/cgi-bin/" "/var/www/cgi-bin/"
# Enable FollowSymLinks
<Directory "/var/www/cgi-bin/">
AllowOverride None
Options FollowSymLinks
Require all granted
</Directory>
#LogLevel dumpio:trace8 cgi:trace8
CustomLog "/var/log/httpd/mobproxy-<instance>-<company>-access_log" combined
ErrorLog "/var/log/httpd/mobproxy-<instance>-<company>-error_log"
RewriteEngine On
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/certs/<servername.example.com>/selfsigned-<servername.example.com>.pem
SSLCertificateKeyFile /etc/httpd/ssl/private/<servername.example.com>/selfsigned-<servername.example.com>.key
RewriteRule ^/<company>/<instance>/(.*)$ /cgi-bin/logid-<instance>-<company> [L,PT,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:<proxyauthenticationkey>]
</VirtualHost>
The following is a Debian example for the mobproxy-<company>-<instance>.conf configuration file added by setup-mobproxy.sh:
<VirtualHost *:443>
ServerName <servername.example.com>
Timeout 600
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
# Enable FollowSymLinks
<Directory "/usr/lib/cgi-bin/">
AllowOverride None
Options FollowSymLinks
Require all granted
</Directory>
#LogLevel dumpio:trace8 cgi:trace8
CustomLog "/var/log/apache2/mobproxy-<instance>-<company>-access.log" combined
ErrorLog "/var/log/apache2/mobproxy-<instance>-<company>-error.log"
RewriteEngine On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/certs/<servername.example.com>/selfsigned-<servername.example.com>.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/<servername.example.com>/selfsigned-<servername.example.com>.key
RewriteRule ^/<company>/<instance>/(.*)$ /cgi-bin/logid-<instance>-<company> [L,PT,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:<proxyauthenticationkey>]
</VirtualHost>
In the mobproxy-<company>-<instance>.conf configuration file:
<company> is your company name.
<instance> is the Bravura Security Fabric instance name.
<proxyauthenticationkey> is the same shared key that the Mobile Worker Service on the Bravura Security Fabric instance is configured to use.
If you installed for https and SSL and chose a self-signed certificate during installation, obtain the necessary SSL/TLS certificate for the mobile proxy server and add them into the mobproxy-<company>-<instance>.conf configuration file.
Syslog configuration is also added to the /etc/rsyslog.d/mobproxy-<instance>-<company>.conf configuration file.
Custom log files are also generated:
CentOS:
/var/log/httpd/mobproxy-<instance>-<company>-access_log
/var/log/httpd/mobproxy-<instance>-<company>-error_log
/var/log/mobproxy-<instance>-<company>.log
Debian:
/var/log/apache2/mobproxy-<instance>-<company>-access.log
/var/log/apache2/mobproxy-<instance>-<company>-error.log
/var/log/mobproxy-<instance>-<company>.log
Bravura Security requires that you configure the site for HTTPS to secure communications between the Bravura One mobile proxy server and Bravura Security Fabric server. It is suggested that you use a "Modern" configuration with HSTS enabled for the SSL configuration, although to increase device backwards compatibility, "Intermediate" configuration is suggested.
An SSL certificate from a trusted Certificate Authority must be used. A self-signed certificate may not be used for the Mobile Proxy Service.
Before you begin, ensure the following steps are done:
Install the SSL module and OpenSSL by running the following command:
sudo yum install mod_ssl openssl
Load the SSL module by adding it to the default Apache configuration file, /etc/httpd/conf.d/httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
Optional: add the following to the mobproxy-<company>-<instance>.conf configuration file and modify as necessary:
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
Enforce Apache to run the configured HTTPS/SSL section by editing /etc/httpd/conf/httpd.conf to comment out Listen 80 and add Listen 443. Restart Apache after configuration:
service httpd restart
Try the following steps to diagnose and recover from faults that may occur on a Bravura One mobile proxy server:
Test that the configuration syntax of the Apache server is correct:
sudo apachectl -t
Restart the server so that you can read the Apache start-up message. If you get an error, you can then do an online search to help you find more details and solutions.
To restart the server, at a terminal prompt enter the following command:
sudo apachectl restart
Check the value for the timeout entry in the mobproxy-<company>-<instance>.conf configuration file.
Timeout 600
This value must be set higher than the value configured for the timeout setting for the Mobile Worker Service on the Bravura Security Fabric server.
In most cases the defaults are sufficient. The timeout values may however need to be adjusted.
Check that the proxy authentication key matches what is specified on the Mobile Worker Service configuration page for the instance.
The key is located in the configured mobile proxy section in mobproxy-<company>-<instance>.conf.
To view the log messages from syslog in real time, run the following from a terminal prompt on the proxy server:
tail -f /var/log/mobproxy-<instance>-<company>.log
The apache logs may also be checked for any warnings or errors. Run the following to see the last few log entries from each of the log files:
RHEL/CentOS:
tail -n 20 /var/log/httpd/mobproxy-<instance>-<company>-access_log
tail -n 20 /var/log/httpd/mobproxy-<instance>-<company>-error_log
Debian:
tail -n 20 /var/log/apache2/mobproxy-<instance>-<company>-access.log
tail -n 20 /var/log/apache2/mobproxy-<instance>-<company>-error.log
Ensure that the system time of the Bravura One mobile proxy server has been synchronized with the system time of the Bravura Security Fabric server.
If the SELinux module is enabled on RHEL/CentOS, the module may block mobproxy from being accessed by other web servers. A configured SELinux policy file may need to be obtained, or alternatively, SELinux may need to be disabled for httpd.
To check the SELinux status, run the following:
sudo getenforce
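The troubleshooting checks above (Timeout versus the Mobile Worker Service timeout, the proxy authentication key, SSLEngine) and the mod_rewrite, mod_cgi and prefork MPM checks from the installation steps, as an added read-only shell script that is not part of the Bravura One documentation or product. It assumes the RHEL/CentOS single-file httpd.conf layout for the LoadModule check and that the output of "apachectl -M" has been saved to a file; the sample inputs, company/instance names and key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Bravura One documentation. Read-only checks for
# the items this page says to confirm by hand: (1) uncommented LoadModule lines
# for mod_rewrite and mod_cgi in the default Apache configuration (RHEL/CentOS
# single-file layout assumed), (2) the prefork MPM in saved "apachectl -M"
# output, and (3) Timeout, SSLEngine and the HTTP_MOBPROXY_KEY value in a
# mobproxy-<company>-<instance>.conf file. All sample inputs are constructed here;
# company, instance and key values are placeholders, not values from the page.

# Returns 0 when an uncommented "LoadModule <module>" line exists in file $1.
module_loaded() {
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1"
}

# Returns 0 when the "apachectl -M" output saved in file $1 lists the prefork MPM.
prefork_active() {
    grep -Eq '^[[:space:]]*mpm_prefork_module' "$1"
}

# Prints the Timeout value (seconds) from the mobproxy conf; empty if missing.
conf_timeout() {
    awk '$1 == "Timeout" { print $2; exit }' "$1"
}

# Prints the HTTP_MOBPROXY_KEY value carried by the RewriteRule E= flag.
conf_proxy_key() {
    sed -n 's/.*E=HTTP_MOBPROXY_KEY:\([^],]*\).*/\1/p' "$1" | head -n 1
}

# Returns 0 when Apache's Timeout is strictly greater than the Mobile Worker
# Service timeout ($2, seconds), as the troubleshooting steps require.
timeout_ok() {
    t=$(conf_timeout "$1")
    [ -n "$t" ] && [ "$t" -gt "$2" ]
}

# Returns 0 when the key in the conf equals the key entered on the Mobile
# Worker Service configuration page ($2).
proxy_key_ok() {
    [ -n "$2" ] && [ "$(conf_proxy_key "$1")" = "$2" ]
}

# Returns 0 when the site has "SSLEngine on", which this page requires.
ssl_engine_ok() {
    grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$1"
}

# Writes constructed sample inputs to a scratch directory and prints its path.
write_samples() {
    dir="${TMPDIR:-/tmp}/mobproxy-check-sample"
    mkdir -p "$dir"
    cat > "$dir/httpd.conf" <<'EOF'
Listen 443
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule ssl_module modules/mod_ssl.so
EOF
    cat > "$dir/modules.txt" <<'EOF'
Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 rewrite_module (shared)
EOF
    cat > "$dir/mobproxy-examplecorp-pm.conf" <<'EOF'
<VirtualHost *:443>
ServerName mobproxy.example.com
Timeout 600
RewriteEngine On
SSLEngine on
RewriteRule ^/examplecorp/pm/(.*)$ /cgi-bin/logid-pm-examplecorp [L,PT,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:PLACEHOLDER-PROXY-KEY]
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# Runs every check and reports OK/FAIL per check; returns 1 if any failed.
# Usage: run_checks HTTPD_CONF MODULES_FILE MOBPROXY_CONF MOBWORKER_TIMEOUT PROXY_KEY
run_checks() {
    rc=0
    check() { label=$1; shift; if "$@"; then echo "OK   $label"; else echo "FAIL $label"; rc=1; fi; }
    check "mod_rewrite loaded" module_loaded "$1" rewrite_module
    check "mod_cgi loaded" module_loaded "$1" cgi_module
    check "prefork MPM active" prefork_active "$2"
    check "SSLEngine on" ssl_engine_ok "$3"
    check "Timeout > Mobile Worker Service timeout" timeout_ok "$3" "$4"
    check "proxy authentication key matches" proxy_key_ok "$3" "$5"
    return "$rc"
}

# With five arguments, check a real server's files; otherwise exercise the sample.
if [ "$#" -eq 5 ]; then
    run_checks "$@"
else
    d=$(write_samples)
    run_checks "$d/httpd.conf" "$d/modules.txt" "$d/mobproxy-examplecorp-pm.conf" 300 PLACEHOLDER-PROXY-KEY
fi
```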
Known issue
There is a known linking issue when using CentOS 6.8 x86-64. Certain OpenSSL .so files may not be linked properly. Use strace on mobproxy.linux-glibc and ln to link any missing files appropriately. This issue may be present if the following error message is observed in the logs: "Unable to find MTCSPI provider shared library [mtcspi-*]. Please make sure it’s in your PATH".
Troubleshooting: Error "You configured HTTP(80) on the standard HTTPS(443) port"
When configuring the mobile cloud proxy according to our documentation, the following error may be logged: You configured HTTP(80) on the standard HTTPS(443) port.
Root cause
This can happen on certain Linux systems (like CentOS 6) based on how the default configuration of Apache is setup.
Symptoms
The mobile cloud proxy will not be available, and the error above will be in the /var/log/httpd/error_log file.
Solution
Make sure that the configuration:
Does not include extra files that are not needed, such as conf.d/ssl.conf
Contains SSLEngine on in the SSL configuration
If the server is making only one site available, do not use VirtualHost statements and instead have a single Listen command.
Troubleshooting integrations that use psunix files
When the correct permissions on *nix systems are not granted to the psunix files copied from the Connector Pack (from the instance's unix\ directory), the integration will fail.
For example, when integrating with an LDAP, syslog may show the following:
May 28 09:16:22 rhds2-idp-master-1-work-es-1 psldap[5486]: [Line: 38, Pos: 1]: Parse error: expected ';' in kvgroup option file [/usr/local/psunix/default/psunix.d/idapi].
May 28 09:16:22 rhds2-idp-master-1-work-es-1 ns-slapd: [28/May/2020:09:16:22.810271756 +0000] - ERR - plugin_setup - Init function "prepasswd_init" for "Psynch Check Password" plugin in library "/usr/local/psunix/default/64/psldap-sunldap.so" failed
May 28 09:16:22 rhds2-idp-master-1-work-es-1 psldap[5486]: Failed to load configuration information
Solution
Grant permissions on the psunix files to the account that has to run them or access them:
For mobproxy, the account in question is the one that runs the Apache server.
For agtunix:
If the listener is installed, grant access to the account that runs the internet daemon that psunix runs under (e.g. inetd, xinetd, etc).
If the integration is with a directory server (e.g. LDAP or NIS), grant access to the account that runs that service.
chown -R <user>:<usersgroup> </full/path/to/psunix/*>
Migrating mobile device registrations
The migratedata.exe Bravura Security Data Migration Utility may be used during a migration to export and import the mobile device registration data for users so that they are not required to re-register their devices on the Bravura Security Fabric server that the data will be imported into.
When migrating the mobile device registrations, if the instance name has changed for Bravura Security Fabric and/or the company name has changed in the Bravura One mobile proxy server Apache configuration, the Proxy server URL address for the Mobile Worker Service may remain the same; however, the rewrite rule in the Apache configuration on the Bravura One mobile proxy server must be modified. This ensures that users are not required to re-register their mobile devices when one or both of these names have changed.
The following will need to be added for the rewrite rule from the previous version in the Apache configuration:
E=COMPANY:<new-company-name>,E=INSTANCE:<new-instance-name>
A second rewrite rule will need to be added that includes the following:
E=PREVURLPATH:<company>/<instance>/
The two rules are required to ensure that mobile devices that were registered with the previous instance will still work with the new instance as well as for when new mobile devices are registered using the new instance.
For example, the rewrite rule from the previous version is removed and replaced with the following two rewrite rules:
RewriteRule ^/<company>/<instance>/(.*)$ /cgi-bin/mobproxy-new-version [L,PT,E=COMPANY:<new-company-name>,E=INSTANCE:<new-instance-name>,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:<proxyauthenticationkey>]
RewriteRule ^/<new-company-name>/<new-instance-name>/(.*)$ /cgi-bin/mobproxy-new-version [L,PT,E=PREVURLPATH:<company>/<instance>/,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:<proxyauthenticationkey>]
See Migration for more detailed information about migrations and the migratedata.exe Bravura Security Data Migration Utility.
Upgrading a mobproxy service
When Bravura Security Fabric's configured mobproxy or mobworker service is patched, or when the mobproxy architecture is changed, connections between the mobworker services and mobproxy CGIs have to be reset.
The product logs in newer product versions may record a warning like this:
Failed to initialize the shared memory for nodes keeper
Solution
The sequence of operations for a correct reset of the communication through the mobproxy is:
On all app nodes stop the Mobworker service;
On the linux servers:
Stop the Apache service;
Kill any remaining/stuck/zombified mobproxy CGI processes;
Clear up the mobproxy cache;
Start Apache;
On all app nodes start the mobworker service.
On the linux installation you may use a batch script including commands like this:
apachectl stop
killall mobproxy
rm /dev/shm/* -fr
apachectl start
The details may differ for your version of Linux; test each command individually before creating the batch script.
Customizing mobile proxy log files
Optional: Customize the log ID in the system logs and redirect logs to a custom log file.
By default the system logs are located at /var/log/messages. The log ID that is noted in the system logs for the Bravura One mobile proxy server log messages is by default noted as hitachi-id.
The log messages may be redirected to a custom log file. In this case, log messages generated by the Bravura One mobile proxy server will be written both to the system log file as well as a custom log file. The log ID that is noted in the log messages may also be customized to a different value. This would be reflected in the system logs as well as a custom log file, if configured.
In this example, we will use /usr/local/psunix/mobproxy/logid-mobproxy as the mobile proxy binary name and will be redirecting the Bravura One mobile proxy server log messages to /var/log/mobproxy.log.
To customize the log ID:
Ensure that the mobile proxy binary begins with "logid-".
For example, if it is named /usr/local/psunix/mobproxy/mobproxy, rename it to /usr/local/psunix/mobproxy/logid-mobproxy.
Ensure that the Apache rewrite rule reflects this change for the mobile proxy binary name.
To customize the log file:
Locate the syslog configuration file. By default this is at /etc/rsyslog.conf.
Add a line such as the following to the system log configuration file (note that the program name does not include "logid-"):
if $programname == 'mobproxy' then /var/log/mobproxy.log
Restart the syslog and apache services:
CentOS:
service rsyslog restart
service httpd restart
Debian:
service rsyslog restart
service apache2 restart
The Bravura One mobile proxy server logs will now be written to /var/log/mobproxy.log in addition to the server’s system log file, and log entries will contain a log ID of "mobproxy".
Configuring the Bravura Security Fabric Server
The following sections describe how to set up your Bravura Security Fabric server for Bravura One and for use with the Bravura One app.
The following steps are required:
Set up the Mobile Worker Service
Configure the self-service rules
Optional:
Configure the global help desk rules
Force users to activate a mobile device
Additional configuration options
Setting up the Mobile Worker Service
The Mobile Worker Service (mobworker) works in conjunction with the Bravura One mobile proxy server to allow for a Bravura One app on mobile devices to access Bravura Security Fabric servers and to send push notifications on a corporate and private network from a home or public WiFi hot spot or a cell phone data plan.
The Mobile Worker Service uses the following components to communicate with the Bravura One mobile proxy server:
Bravura One mobile proxy server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy server.
Bravura One mobile proxy push notification server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy push notification server.
Configure the Mobile Worker Service
Note
If you need the configuration details after the initial installation, you can run setup-mobproxy.sh on the Bravura One mobile proxy server.
To configure the Mobile Worker Service:
Log in to Bravura Security Fabric as a superuser.
Click Manage the system > Maintenance > Services.
Select Bravura Security (mobworker) Mobile Worker Service.
Configure the Proxy server authentication key to be the same as the authentication encryption key that is configured on the Bravura One mobile proxy server.
Configure the Proxy server URL for the URL of the Bravura One mobile proxy server. For example:
https://mobproxy.bravurasecurity.com/your_company/<instance>/
Ensure that the instance name as set for the URL in Proxy server URL is the same as the instance name as configured for the Bravura Security Fabric server.
If a load balancer is being used for the Bravura One mobile proxy servers, the load balancer URL must be specified in Proxy server URL. This is also the public URL that the Bravura One app communicates with to locate a Bravura One mobile proxy server as designated by the load balancer.
Configure the Private proxy server URL for this instance for the URL of the Bravura One mobile proxy server that will be used for the persistent connection for communication with this instance for when a load balancer environment is configured for the proxy servers.
This parameter is not required if a load-balanced URL has not been configured for the Proxy server URL.
In load-balanced environments for the Bravura One mobile proxy servers, this value may be a single value for a specific proxy server, or it may be set to multiple Bravura One mobile proxy servers in a comma-separated list. Setting it to multiple proxy servers allows for failover if a Bravura One mobile proxy server is taken offline or is unavailable. The next proxy server that is designated by the load balancer and is in this list will be used for the connections, so that the Bravura One app may continue to be used uninterrupted. Each Bravura One mobile proxy server used as a failover must be in the comma-separated list for Private proxy server URL for this instance.
When the Bravura Security Fabric server is set up for database replication, the value for Private proxy server URL for this instance across the instance nodes may also be either set to the same Bravura One mobile proxy server or they may each be set for their own proxy server.
In all cases, the instance name as defined in each of the URLs for the Private proxy server URL for this instance must be the same as the instance name as configured for the Bravura Security Fabric server.
See Configuring load balancing for the Bravura One mobile proxy for more information on load balancing the Bravura One mobile proxy servers.
Configure the URL of the local instance to the fully qualified URL of the Bravura Security Fabric server that the Mobile Worker Service is currently running on. When a load balancer environment is configured for the Bravura One mobile proxy servers, this must be set on each server so that the value is unique on each instance and does not fall back to BASE_IDSYNCH_URL, which would be the same across all replicated nodes. The server must also be configured for HTTPS for this URL in load-balanced mobile proxy server environments.
Set this using the following format:
https://<fqdn>/<instance_name>
Configure the Push notification server authentication key to be the authentication encryption key that is configured for the Bravura One mobile proxy push notification server.
Configure the Push notification server URL for the URL of the Bravura One mobile proxy push notification server.
Contact support@bravurasecurity.com for assistance with the configuration and access of the Bravura One mobile proxy push notification server and for the Push notification server authentication key and Push notification server URL for your environment.
If the Bravura Security Fabric server uses a self-signed certificate for HTTPS encryption, check the checkbox for Ignore all server certificate warnings. Note that this disables server certificate validation for the Mobile Worker Service's outgoing HTTPS connections, so use it only where a certificate from a CA trusted by the Bravura Security Fabric server cannot be installed.
If the Bravura Security Fabric server is separately configured to use a corporate proxy server, for example for Windows updates, then set HTTP proxy to use for outgoing connections (address:port) to the corporate proxy server. For this configuration, the Bravura One mobile proxy server will need to be added to a bypass list. For example, using WinHTTP, this may be configured with the following command:
netsh winhttp set proxy proxy-server="http://corporateproxy.bravurasecurity.com:80" bypass-list="https://mobproxy.bravurasecurity.com"
Configure the rest of the parameters as needed. The default values may also be used.
The Mobile Worker Service timeout should be smaller than the minimum of the timeout setting for the Mobile Proxy Service and any proxy or firewall timeout between the Mobile Worker Service and the Mobile Proxy Service.
If Automatically determine proxy server timeout is checked, the Mobile Worker Service will automatically decrease the given setting to an appropriate one if the communication is broken unexpectedly.
Click Update to update the settings.
See Mobile Worker Service for help configuring the Mobile Worker Service (mobworker).
Enable the Mobile Worker Service
After you have configured the Mobile Worker Service, you must enable and start the service. On the Service information page:
Click Enable the service.
Click Start the service.
Configure load balancing for the Bravura One proxy servers
By default, communication between the Bravura One mobile proxy server and the Bravura Security Fabric is established using the Proxy server URL parameter for the Mobile Worker Service.
Load balancing of the Bravura One mobile proxy servers may be configured to distribute the load from the Bravura One apps on mobile devices and their access to the Bravura Security Fabric servers.
Once a connection has been established, the session should be bound to that server via a "sticky sessions" or persistent connection mechanism, because the Bravura Security Fabric server and Mobile Worker Service must maintain a consistent connection with a single Mobile Proxy Service running on one Bravura One mobile proxy server. The load balancer must be configured to require persistent connections.
To configure a load balancer for the Mobile Worker Service, set the Proxy server URL to the load-balanced URL. This is also the public URL that is used by the Bravura One app itself.
The Private proxy server URL for this instance parameter for the Mobile Worker Service must then be set to the specific Bravura One mobile proxy server that the Bravura Security Fabric server will communicate with.
In load-balanced environments for the Bravura One mobile proxy servers where the Bravura Security Fabric server is set up for database replication, the value for Private proxy server URL for this instance may be set to the same proxy server URL across instance nodes so that they share one Bravura One mobile proxy server, set to a unique Bravura One mobile proxy server URL on each node, or set to a comma-separated list of Bravura One mobile proxy servers.
Setting it to multiple proxy servers allows for failover if a Bravura One mobile proxy server is taken offline or is unavailable: the next proxy server in this list that is designated by the load balancer will be used for the connections, so that the Bravura One app can continue to be used uninterrupted. Each Bravura One mobile proxy server used as a failover must be in the comma-separated list for Private proxy server URL for this instance.
The URL of the local instance must be set to the fully qualified URL of the Bravura Security Fabric server that the Mobile Worker Service is currently running on. It must be set on each individual Bravura Security Fabric server so that it doesn't fall back to the URL set for BASE_IDSYNCH_URL, which would be the same across all replicated nodes.
This URL must also use HTTPS for the Bravura Security Fabric server.
Set this using the following format: https://<fqdn_or_ip_address>/<instance_name>
Each Bravura Security Fabric server must also be configured for database replication in order to synchronize the Bravura One app registrations and other information between each of the servers.
See Replication and Recovery for more information on setting up database replication between instances.
The updinst.exe utility may be used to synchronize the registry entries between the replicated servers, as well as the settings for the Mobile Worker Service. The Mobile Worker Service will still need to be manually enabled and started on each node, and the Private proxy server URL for this instance parameter must be manually defined on each one.
See updinst for more information.
Without the use of a load balancer, the Bravura One app on a mobile device will communicate directly with the Mobile Proxy Service running on the Bravura One mobile proxy server which will then communicate with the Mobile Worker Service for the Bravura Security Fabric server.
When a load balancer is in place, the Bravura One app on a mobile device will communicate first with the load balancer (as defined by the Proxy server URL parameter for the Mobile Worker Service).
The load balancer will then choose one of the Bravura One mobile proxy servers. Multiple proxy servers may be configured to be contacted by the load balancer.
The Bravura One mobile proxy server that is contacted will then communicate with one of the Bravura Security Fabric servers in which the proxy server has been defined by the Private proxy server URL for this instance for the Mobile Worker Service for that instance.
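The URL rules stated for the Mobile Worker Service parameters (instance names must match, HTTPS is required, a private proxy list is needed behind a load balancer, and failover walks that list in order) are easy to get wrong across replicated nodes. The following is an added example that checks those rules before the values are pasted into the Mobile Worker Service page; it is not part of Bravura Security Fabric or of its tooling. The parameter names mirror this page and the load balancing section above; the helper names (instance_from_url, check_mobworker_urls, select_private_proxy), the check logic and the example.com host names are constructed for illustration.

```python
"""Consistency checks for the Mobile Worker Service URL parameters.

Added example for this page; it is not part of Bravura Security Fabric or of
its tooling. The parameter names mirror the page (Proxy server URL, Private
proxy server URL for this instance, URL of the local instance); the check
logic, the helper names and the sample values are constructed.
"""
from urllib.parse import urlsplit


def instance_from_url(url):
    """Return the instance name from a proxy URL of the form
    https://host/your_company/<instance>/ or a local URL of the form
    https://<fqdn>/<instance_name>: in both cases it is the last path segment."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return segments[-1] if segments else ""


def parse_private_proxy_list(value):
    """Split the comma-separated Private proxy server URL list, keeping the
    order (it is the failover order), trimming whitespace and dropping empties."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_mobworker_urls(instance, proxy_url, private_proxy_value, local_url, load_balanced):
    """Apply the rules from the page and return a list of problems
    (an empty list means the parameters are consistent).

    instance             instance name configured for the Bravura Security Fabric server
    proxy_url            Proxy server URL (the load balancer URL when load_balanced is True)
    private_proxy_value  Private proxy server URL for this instance (may be comma-separated)
    local_url            URL of the local instance
    load_balanced        True when Proxy server URL points at a load balancer
    """
    problems = []

    if urlsplit(proxy_url).scheme != "https":
        problems.append("Proxy server URL must use HTTPS")
    if instance_from_url(proxy_url) != instance:
        problems.append("Proxy server URL instance name differs from the configured instance")

    private_urls = parse_private_proxy_list(private_proxy_value)
    if load_balanced and not private_urls:
        problems.append("Private proxy server URL for this instance is required with a load-balanced Proxy server URL")
    for url in private_urls:
        if urlsplit(url).scheme != "https":
            problems.append(f"private proxy URL {url} must use HTTPS")
        if instance_from_url(url) != instance:
            problems.append(f"private proxy URL {url} has a different instance name")

    if load_balanced:
        # Without a per-node value the service falls back to BASE_IDSYNCH_URL,
        # which is identical on every replicated node.
        if not local_url:
            problems.append("URL of the local instance must be set on each node")
        elif urlsplit(local_url).scheme != "https":
            problems.append("URL of the local instance must use HTTPS")
        elif instance_from_url(local_url) != instance:
            problems.append("URL of the local instance has a different instance name")

    return problems


def select_private_proxy(private_urls, is_available):
    """Failover as the page describes it: walk the comma-separated list in order
    and return the first proxy server that is available, or None if none is.
    is_available is a callable (for example a health check) supplied by the caller."""
    for url in private_urls:
        if is_available(url):
            return url
    return None


if __name__ == "__main__":
    # Constructed sample values; replace them with your own host names.
    INSTANCE = "psf"
    report = check_mobworker_urls(
        INSTANCE,
        "https://mobproxy-lb.example.com/your_company/psf/",
        "https://mobproxy1.example.com/your_company/psf/, https://mobproxy2.example.com/your_company/psf/",
        "https://idm-node1.example.com/psf",
        load_balanced=True,
    )
    print("problems:", report or "none")
    candidates = parse_private_proxy_list(
        "https://mobproxy1.example.com/your_company/psf/,https://mobproxy2.example.com/your_company/psf/"
    )
    # Pretend mobproxy1 is offline: failover should pick mobproxy2.
    print("selected:", select_private_proxy(candidates, lambda u: "mobproxy1" not in u))
```

Run the check once per replicated node with that node's own URL of the local instance; the instance-name comparison catches the common mistake of copying a URL from one instance's configuration to another, and the scheme check enforces the HTTPS requirement stated above before the Mobile Worker Service is started.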
Configure the self-service rules
You must update user access rules to determine who is allowed to register and activate mobile devices.
To modify the user access rules for Bravura One for users:
Click Manage the system > Security > Access to user profiles.
Select Self-service rules.
Either add a new self-service rule or select ALL_SELF_REQUEST for all users.
Add the "Manage mobile devices" privilege.
Click Update to update the self-service rule.
Configure the global help desk rules
You must update user access rules to determine who is allowed to view or delete mobile devices on behalf of other users.
To modify the global help desk rules for help-desk users to view or delete Bravura One app registrations for other users:
Click Manage the system > Security > Access to user profiles.
Select Global help desk rules.
Either add a new global help desk rule or select GLOBAL_HELP_DESK or HELP_DESK_MANAGERS for one of the help desk rules.
Add the "Manage mobile devices" privilege.
Click Update to update the global help desk rule.
Force users to activate a mobile device
You can force users to register and activate a mobile device as part of the enrollment process. Users are redirected to the Mobile devices page when forced enrollment for mobile devices has been enabled.
From an authentication chain point of view, if mobile devices are going to be required as a form of multi-factor authentication, the mobile authentication module should only be activated for users that have registered devices. This configuration allows users to log in to Bravura Security Fabric without a device in the event that one has not been registered yet. The forced enrollment module can then direct the user to the mobile device registration page.
To force users to activate a mobile device:
Ensure that the Bravura Security Fabric and Bravura One mobile proxy servers have been configured for Bravura One.
Ensure that a self-service rule has been configured so that the users have the "Manage mobile devices" privilege. This may be configured either for a new self-service rule or ALL_SELF_REQUEST for all users.
Add the mobiledevice value to PSF FORCE ENROLLMENT.
Click Manage the system > Modules > Front-End (PSF).
Locate the PSF FORCE ENROLLMENT option.
Add ,mobiledevice to the existing list of comma-separated values.
Additional configuration for Bravura One
Adjust the mobile activation timeout
Modify the PSF MOBILE REGTIMEOUT system variable if you want to change the amount of time to allow for a user to scan the QR code when they are activating their mobile device with the Bravura One app. By default, the time for activation will expire in 300 seconds.
Set the maximum number of mobile device registrations per user
Modify the MAX MOBILE DEVICES system variable in order to set the maximum number of mobile devices that a user may register for themselves.
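The two settings above bound the registration flow: an activation QR code is only valid for PSF MOBILE REGTIMEOUT seconds (300 by default), and a user cannot hold more registered devices than MAX MOBILE DEVICES. The following added example models how those two limits interact in a registration flow, so that a stale or replayed activation code is rejected and the cap still holds when several activations are pending at once. It is not Bravura Security Fabric code: the DeviceRegistry class, its methods, the in-memory storage and the sample values (including the cap of 2) are constructed for illustration, and the product's real activation format is not shown.

```python
"""Activation timeout and per-user device cap, illustrated.

Added example for this page, not Bravura Security Fabric code. It models two
limits the page describes: a QR activation that expires after PSF MOBILE
REGTIMEOUT seconds (300 by default) and the per-user cap set by MAX MOBILE
DEVICES. The DeviceRegistry class, its methods and the sample values are
constructed; the real product's storage and activation format are not shown.
"""
import secrets
import time

ACTIVATION_TIMEOUT_SECONDS = 300  # default PSF MOBILE REGTIMEOUT per the page
MAX_MOBILE_DEVICES = 2            # constructed value for MAX MOBILE DEVICES


class DeviceRegistry:
    """Tracks pending activations and registered devices per user.

    clock is injectable so that expiry can be tested without sleeping."""

    def __init__(self, timeout=ACTIVATION_TIMEOUT_SECONDS,
                 max_devices=MAX_MOBILE_DEVICES, clock=time.monotonic):
        self._timeout = timeout
        self._max_devices = max_devices
        self._clock = clock
        self._pending = {}   # activation code -> (userid, expiry time)
        self._devices = {}   # userid -> list of registered device names

    def start_activation(self, userid):
        """Issue a one-time activation code (the secret a QR code would carry).
        Refused when the user already holds the maximum number of devices."""
        if len(self._devices.get(userid, [])) >= self._max_devices:
            raise PermissionError(f"{userid} already has {self._max_devices} registered devices")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (userid, self._clock() + self._timeout)
        return code

    def complete_activation(self, code, device_name):
        """Consume the code presented by the app. Returns True on success and
        False when the code is unknown, already used, expired, or the cap
        was reached while it was pending."""
        entry = self._pending.pop(code, None)   # pop: a code is single-use
        if entry is None:
            return False
        userid, expiry = entry
        if self._clock() > expiry:
            return False
        devices = self._devices.setdefault(userid, [])
        if len(devices) >= self._max_devices:
            return False   # another pending activation used the last slot
        devices.append(device_name)
        return True

    def purge_expired(self):
        """Housekeeping: drop pending codes past their expiry; returns how many were removed."""
        now = self._clock()
        stale = [c for c, (_, exp) in self._pending.items() if now > exp]
        for c in stale:
            del self._pending[c]
        return len(stale)

    def devices(self, userid):
        return list(self._devices.get(userid, []))


if __name__ == "__main__":
    reg = DeviceRegistry()
    code = reg.start_activation("alice")
    print("activated:", reg.complete_activation(code, "alice-phone"))
    print("replayed:", reg.complete_activation(code, "alice-phone"))   # False: single use
    print("devices:", reg.devices("alice"))
```

The cap is checked both when a code is issued and when it is redeemed, because a user can have more than one activation outstanding within the timeout window; checking only at issue time would let two pending codes exceed MAX MOBILE DEVICES.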
Add the Mobile authentication module for an authentication chain
Add an authentication chain for the Mobile authentication module. This will allow for users to authenticate using a QR Code that is provided by this module for two factor authentication.
The QR Code must be scanned from the Bravura One app that is registered for Bravura One for the user.
Installing the Bravura One app
Before installing the Bravura One app, ensure your mobile device is compatible. The Bravura One app is available for both Android (version 11.0 or higher) and iOS (version 12.0 or higher).
To install from a mobile device:
From either the Google Play Store on Android mobile devices or the Apple App Store on iOS mobile devices, search for "Bravura One", or go to:
Download the Bravura One app from the app store.
Follow the instructions in the app store for installation.
Integrating the Bravura One app with Bravura Security Fabric
Read the following sections to learn how to register and activate a mobile device using the Bravura One app.
Before you begin
Ensure that the Bravura One app has been installed on a mobile device.
The Bravura One mobile proxy server has been configured and is available for use for Bravura One.
The Bravura Security Fabric server has been configured for Bravura One.
The user that is activating a mobile device has the "Manage mobile devices" privilege.
Integration steps
To activate a mobile device using the Bravura One app:
From a workstation, browse to the Front-end (PSF) self-service and log in as a user that has the "Manage mobile devices" privilege.
Click the Register mobile device link.
If a device has previously been registered, click Add new…
Click Register.
Open the Bravura One app on the mobile device.
If the mobile device does not have any profiles previously set up, tap through the welcome screens to learn more about the Bravura One app and how to register the mobile device.
Tap through all of the welcome screens or skip the instructions.
If the camera view is not immediately launched, tap the Scan QR Code control or Register Device link from the Connection profile screen to scan a new QR Code.
Using the Bravura One app, scan the QR Code that is shown on the workstation.
Tap the Save control in the Bravura One app.
Enter a unique profile name for the connection for the new user profile and tap OK.
The workstation should indicate that the device is successfully activated and the Bravura One app will be authenticated. The new device is shown in the list of mobile devices on the self-service page.
The Bravura One app opens the instance within the app. The registered user’s userid is automatically passed in and the page lists available authentication methods to log into the Front-end (PSF).
Language pack support
The Bravura One app supports additional languages to be used for the Bravura Security Fabric instances. See Supporting multiple languages and locales.
The languages must be previously installed on the Bravura Security Fabric server.
The language and locale must also be set on the iOS and Android mobile devices.
On iOS this may be modified from Settings > General > Language & Region and checking values for iPhone Language and Region.
On Android, this is modified from Settings > Languages & input > Languages. The first language and locale found in the list that is also installed on the Bravura Security Fabric instance will be used.
If the en-us default skin is compiled and installed, restart the Mobile Worker Service.
Register multiple profiles
The Bravura One app supports multiple user profiles on a mobile device. Each user profile must be from separate Bravura Security Fabric instances with different Bravura One mobile proxy server URLs configured.
To register multiple profiles on the Bravura One app:
Configure another Bravura Security Fabric server for Bravura One.
Follow the same instructions to register the mobile device for another user profile via QR code.
Open the Bravura One app on the device.
The Front-end (PSF) authentication page will be loaded for a user already registered in the app.
Tap the gear or ellipsis icon to go to the page.
Tap the Scan QR Code control or Register Device link to scan a new QR Code.
To delete a profile on the Bravura One app:
Tap the gear or ellipsis icon to go to the page.
Tap the recycle bin icon to delete the profile.
Scan a QR Code for two factor authentication
The Bravura One app supports two factor authentication to be able to scan a QR Code from a user’s mobile device using an authentication chain configured for the Mobile authentication module.
The QR Code must be scanned from the Bravura One app that is registered for Bravura One for the user, to be accepted as a form of authentication.
To login using a QR Code for multi-factor authentication on the Bravura One app:
Configure an authentication chain for the Mobile authentication module. Add additional modules as needed for added security and authentication.
Follow the instructions to register the mobile device for a user profile via QR Code.
Log into Bravura Security Fabric from a browser on a desktop for the user that has a registered mobile device.
Choose the authentication chain configured for the Mobile authentication module.
Open the Bravura One app on the device for the user.
Tap the Computer Login unlock icon.
Tap Authenticate User on iOS or the Scan QR Code (wheel) icon on Android.
Scan the QR Code provided on the Front-end (PSF) authentication page.
Scanning the QR Code is bypassed when a user logs in from a mobile device if they choose this authentication option. For this reason, additional modules should be configured for added security.
Push notifications on mobile devices
Push Notifications are available two ways:
Subscribe to the Bravura Security hosted Bravura One mobile proxy server for push notifications:
Bravura Security hosts the Bravura One mobile proxy server used for the push notifications.
Bravura Security creates the Apple and Google store tokens.
The required certificates for the push notifications are also configured on the hosted Bravura One mobile proxy server.
Bravura Security creates custom mobile apps.
The Bravura One app communicates first by contacting the Bravura One mobile proxy server and then to the Bravura Security Fabric server.
The stock mobile apps cannot be used in the above scenario.
Please talk to your Bravura Security Account Manager for further details.
Host your own smart device app delivery infrastructure:
Host a Bravura One mobile proxy server which is configured for the push notifications.
Create the Apple and Google store tokens.
Install the certificates required for the push notifications on the Bravura One mobile proxy server.
Create custom mobile apps that make use of the Apple and Google store tokens.
The Bravura One app communicates first by contacting the Bravura One mobile proxy server and then to the Bravura Security Fabric server.
Bravura Security can provide instructions to the customer’s packaging team for building the Bravura One application packages. Please talk to your Bravura Security Account Manager for more details.
The stock mobile apps cannot be used in the above scenario.
Push notifications sent to mobile devices will appear either on the lock screen or as a drop down from the top of the screen if the device is unlocked.
When the mobile device is locked:
The notification is shown with the title and message body on Android mobile devices.
The notification is shown with the message body on iOS mobile devices.
Swiping to the left or right on the notification on Android mobile devices will dismiss the notification.
Swiping to the right on the notification on iOS mobile devices will launch the Bravura One app.
Swiping to the left on the notification on iOS mobile devices will allow you to dismiss the notification.
Multiple push notifications on iOS mobile devices will each be shown on the lock screen in sequential order.
Only the most recent push notification will be shown on Android mobile devices when multiple notifications are sent to these devices.
When the mobile device is unlocked:
On Android mobile devices, a Bravura Security icon appears on the top left corner. Swiping down will show the notification.
On iOS mobile devices, when the Bravura One app is not currently open, the notification will appear as a drop-down from the top of the screen. Tapping on the notification will launch the Bravura One app.
Push notifications will not appear on iOS mobile devices when the Bravura One app is currently open.
See mobpushcli for more information about sending push notifications to the mobile devices.