Secure Microtunnel profiles (API)

Secure Microtunnel parameters

Use these parameters in the JSON data structure when you apply the Secure Microtunnel policy (POLICY_CODE_SECURE_CONNECTION) to the app with POST app-market/policy.

Parameter	Description
profileId	Required to edit an existing profile. Not used to create a new profile. The GUID of the Secure Microtunnel profile you want to edit. You can get GUIDs for all available Secure Microtunnel profiles with GET profile/catalog/vpn. (See profile/catalog/{policytype} .)
profileName	Required. A unique name for the profile. The profileName cannot match the profileName assigned to any other Secure Microtunnel profile. Example: Boston Sales
profileDesc	A description for the profile. Default: an empty string Example: "VPN settings for the Boston Sales office"
vpnAuthGroup	To assign the Secure Microtunnel profile to a specific Gateway-defined auth-group, set vpnAuthGroup to the auth-group's name. This group must be configured on the gateway. See "Configuring AAA" in the Gateway IT Administrator's Guide.
vpnAuthMethod	Required. The Secure Microtunnel authentication type. key (default): Pre-shared key (PSK) authentication. Also set vpnPsk. cert: Certificate authentication. Also set vpnCaCert and vpnCertProvType.
vpnCaCert	The path to a PEM-encoded certificate file for the Gateway. (Must be PEM-encoded for Secure Microtunnel.) Default value: an empty string Note: This parameter is only available for profiles that use certificate authentication, in other words, when vpnAuthMethod is set to cert.
vpnCertProvType	The method of certificate provisioning that the Gateway performs. 1: You must manually provision certificates by email or another alternative method. 0 (default): Blue Cedar initiates automatic certificate provisioning. Note: To enable automatic certificate enrollment for the Gateway, set these parameters: vpnProtocol=map vpnAuthMethod=cert vpnCertProvType=0 Note : This parameter is only available for profiles that use certificate authentication, in other words, when vpnAuthMethod is set to cert.
vpnDhGroup	The Diffie-Hellman Group identifier: 0: Default. Let the Gateway select the appropriate setting. This is the default value for a Secure Microtunnel profile (in other words, when vpnProtocol is set to map). 1: Diffie-Hellman Group 1 - 768-bit Modular Exponential (MODP) algorithm 2: Diffie-Hellman Group 2 - 1024-bit MODP 5: Diffie-Hellman Group 2 - 1536-bit MODP 14: Diffie-Hellman Group 2 - 2048-bit MODP
vpnOfflineMode	Allows the mobile device user to use the enrolled app while disconnected. See "Offline mode behavior" in Secure Microtunnel for more details. Valid values: continuousReconnect: Enable offline mode, that is, allow access to the app while continuously attempting to reconnect the Secure Microtunnel in the background. terminateInitial: Disable offline mode, that is, terminate the app if the initial connection cannot be established.
vpnProtocol	Specifies the protocol to use for connecting to a VPN gateway. ipsec (default): The injectable uses a generic Internet Protocol Security protocol for the VPN gateway. map: The injectable uses the Blue Cedar gateway as the VPN gateway.
vpnPsk	Value for the Pre-shared Key. Valid values: a string. Default: null. Note : This parameter is only available when vpnAuthMethod is set to key.
vpnServerAddr	Required. The IP address or domain name of the VPN gateway. Default: empty string.

Secure Microtunnel API resources

To manage Secure Microtunnel profiles, use these resources.

profile/catalog/{policytype}: Use "vpn" for "{policytype}". GET returns an array of details for all policy profiles of the specified type.
profile/{GUID} : Use the profile ID to specify a policy profile. GET returns details for the specified profile, PUT updates the details in the specified profile, and DELETE archives the profile.
app-policy/vpn-profile: POST creates a new Secure Microtunnel profile or edits an existing one.
settings/vpn-default-profile ( settings/{policytype}-default-profile ): POST sets one of the Secure Microtunnel profiles as the default. GET returns the GUID of the current default profile. DELETE archives the current default.

To retrieve details for the policy:

app-policy/{GUID} : Use the policy ID to specify a policy. GET returns details for the specified policy.
app-policy/code/{code} : Use POLICY_CODE_SECURE_CONNECTION to specify the policy. GET returns details for the specified policy.

To secure apps with Secure Microtunnel policy, use these resources:

app-market/policy : Use the policy GUID to apply the policy to an app.

Creating a Secure Microtunnel profile

These examples create a Secure Microtunnel profile with the app-policy/vpn-profile API. Before you can secure an app with the Secure Microtunnel policy, you must define at least one Secure Microtunnel profile, including a vpnServerAddr.

Create a Secure Microtunnel profile that uses certificate authentication:

Request

BASH

curl -k -v -L -b c.txt -c c.txt -X POST http://bc.qwe.com/mocana-app-control/rest/app-policy/vpn-profile \
 -F profileId="" \
 -F profileName="TestProfile cert" \
 -F profileDesc="" \
 -F vpnServerAddr="remote.qwe.com" \
 -F vpnCaCert=@CertificateAuthority.pem \
 -F vpnAuthMethod="cert" \
 -F vpnProtocol="map" \
 -F vpnAuthGroup="authGroup" \
 -F vpnDhGroup="14" \
 -F vpnOfflineMode="continuousReconnect" \
 -F vpnCertProvType="0"

Create a Secure Microtunnel profile that uses pre-shared key (PSK) authentication: