Skip to main content
Skip table of contents

Secure Microtunnel profiles (API)

Secure Microtunnel parameters

Use these parameters in the JSON data structure when you apply the Secure Microtunnel policy (POLICY_CODE_SECURE_CONNECTION) to the app with POST app-market/policy.


Required to edit an existing profile. Not used to create a new profile.

The GUID of the Secure Microtunnel profile you want to edit. You can get GUIDs for all available Secure Microtunnel profiles with GET profile/catalog/vpn. (See profile/catalog/{policytype} .)


Required. A unique name for the profile. The profileName cannot match the profileName assigned to any other Secure Microtunnel profile.

Example: Boston Sales


A description for the profile. Default: an empty string

Example: "VPN settings for the Boston Sales office"


To assign the Secure Microtunnel profile to a specific Gateway-defined auth-group, set vpnAuthGroup to the auth-group's name. This group must be configured on the gateway. See "Configuring AAA" in the Gateway IT Administrator's Guide.


Required. The Secure Microtunnel authentication type.

  • key (default): Pre-shared key (PSK) authentication. Also set vpnPsk.
  • cert: Certificate authentication. Also set vpnCaCert and vpnCertProvType.

The path to a PEM-encoded certificate file for the Gateway. (Must be PEM-encoded for Secure Microtunnel.)

Default value: an empty string

Note: This parameter is only available for profiles that use certificate authentication, in other words, when vpnAuthMethod is set to cert.


The method of certificate provisioning that the Gateway performs.

  • 1: You must manually provision certificates by email or another alternative method.
  • 0 (default): Blue Cedar initiates automatic certificate provisioning.

Note: To enable automatic certificate enrollment for the Gateway, set these parameters:

  • vpnProtocol=map
  • vpnAuthMethod=cert
  • vpnCertProvType=0

Note : This parameter is only available for profiles that use certificate authentication, in other words, when vpnAuthMethod is set to cert.


The Diffie-Hellman Group identifier:

  • 0: Default. Let the Gateway select the appropriate setting. This is the default value for a Secure Microtunnel profile (in other words, when vpnProtocol is set to map).
  • 1: Diffie-Hellman Group 1 - 768-bit Modular Exponential (MODP) algorithm

  • 2: Diffie-Hellman Group 2 - 1024-bit MODP

  • 5: Diffie-Hellman Group 2 - 1536-bit MODP

  • 14: Diffie-Hellman Group 2 - 2048-bit MODP


Allows the mobile device user to use the enrolled app while disconnected. See "Offline mode behavior" in Secure Microtunnel for more details.

Valid values:

  • continuousReconnect: Enable offline mode, that is, allow access to the app while continuously attempting to reconnect the Secure Microtunnel in the background.
  • terminateInitial: Disable offline mode, that is, terminate the app if the initial connection cannot be established.

Specifies the protocol to use for connecting to a VPN gateway.

  • ipsec (default): The injectable uses a generic Internet Protocol Security protocol for the VPN gateway.
  • map: The injectable uses the Blue Cedar gateway as the VPN gateway.

Value for the Pre-shared Key. Valid values: a string. Default: null.

Note : This parameter is only available when vpnAuthMethod is set to key.


Required. The IP address or domain name of the VPN gateway.

Default: empty string.

Secure Microtunnel API resources

To manage Secure Microtunnel profiles, use these resources. 

  • profile/catalog/{policytype}: Use "vpn" for "{policytype}". GET returns an array of details for all policy profiles of the specified type.
  • profile/{GUID} : Use the profile ID to specify a policy profile. GET returns details for the specified profile, PUT updates the details in the specified profile, and DELETE archives the profile.
  • app-policy/vpn-profile: POST creates a new Secure Microtunnel profile or edits an existing one.
  • settings/vpn-default-profile ( settings/{policytype}-default-profile ): POST sets one of the Secure Microtunnel profiles as the default. GET returns the GUID of the current default profile. DELETE archives the current default. 

To retrieve details for the policy:

  • app-policy/{GUID} : Use the policy ID to specify a policy. GET returns details for the specified policy.
  • app-policy/code/{code} Use POLICY_CODE_SECURE_CONNECTION to specify the policy. GET returns details for the specified policy.

To secure apps with Secure Microtunnel policy, use these resources:

Creating a Secure Microtunnel profile

These examples create a Secure Microtunnel profile with the app-policy/vpn-profile  API. Before you can secure an app with the Secure Microtunnel policy, you must define at least one Secure Microtunnel profile, including a vpnServerAddr.

Create a Secure Microtunnel profile that uses certificate authentication:


curl -k -v -L -b c.txt -c c.txt -X POST \
 -F profileId="" \
 -F profileName="TestProfile cert" \
 -F profileDesc="" \
 -F vpnServerAddr="" \
 -F vpnCaCert=@CertificateAuthority.pem \
 -F vpnAuthMethod="cert" \
 -F vpnProtocol="map" \
 -F vpnAuthGroup="authGroup" \
 -F vpnDhGroup="14" \
 -F vpnOfflineMode="continuousReconnect" \
 -F vpnCertProvType="0"

Create a Secure Microtunnel profile that uses pre-shared key (PSK) authentication:


curl -k -v -L -b c.txt -c c.txt -X POST \
 -F profileId="" \
 -F profileName="TestProfile psk" \
 -F profileDesc="" \
 -F vpnServerAddr="" \
 -F vpnPsk="psk" \
 -F vpnAuthMethod="key" \
 -F vpnProtocol="map" \
 -F vpnAuthGroup="authGroup" \
 -F vpnDhGroup="14" \
 -F vpnOfflineMode="continuousReconnect"

On this page

Related topics

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.