CCM operations

This topic provides an overview of CCM operations and configurations.

CCM operations

This section captures the key scenarios for enterprises adding CCM operations, such as:

  • Installing a certificate
  • Deleting a certificate
  • Getting CCM package profile
  • Checking whether a package can access CCM
  • Adding a package to the CCM allowlist
  • Removing a CCM profile

/**** installing certificate (by an application/package in the allowlist) ****/
/* A profile that must be used to control access to this certificate */

CertificateProfile certProfile = new CertificateProfile();
certProfile.isCSRResponse = false; // true, if this is a response to a Certificate Signing Request
certProfile.allowWiFi = false; // true, if this certificate can be used by Wi-Fi
certProfile.alias = alias; // alias to associate with this certificate

/* either add all packages to the allowlist */
certProfile.allowAllPackages = true;

        /* OR */

/* provide the list of packages to be added to the allowlist */
certProfile.packageList = (List<String>) packageList;

/* install the certificate with the following arguments:
 * certProfile : a Certificate profile
 * certBytes : the certificate bytes (byte array)
 * certPwd : password to decrypt the private key in the certificate */

boolean ret = mCCM.installCertificate(certProfile, certBytes, certPwd);

/**** delete an existing certificate ****/
ret = mCCM.deleteCertificate(alias); // delete the certificate associated with the alias

/**** get the CCM Profile that was set during CCM initialization ****/
/* get the CCM Profile based on the current container context */

CCMProfile profile = new CCMProfile();
ret = mCCM.getCCMProfile(profile); // profile object contains all the configuration

/**** to know if CCM is accessible for a package ****/
ret = mCCM.isCCMPolicyEnabledForPackage(packageName);

/**** Add a package to the allowlist ****/
ret = mCCM.addPackageToExemptList(packageName);

/**** Remove a package from the allowlist ****/
ret = mCCM.removePackageFromExemptList(packageName);

/**** delete the profile to disable usage of CCM; this also deletes all certificate data, essentially disabling CCM ****/

/* deletes the profile associated with the current container context */
ret = mCCM.deleteCCMProfile();

CCM configurations

This topic explains the essential scenarios for enterprises along with the associated configuration and operational details.

The following conditions must be present for this use case example:

  • CCM is enabled
  • Upon MDM decision, all certificate-based apps use CCM for their certificate storage

/**** get ClientCertificateManager handle ****/
ClientCertificateManager mCCM = null;
EnterpriseKnoxManager mEKM = EnterpriseKnoxManager.getInstance();

/* get CCM Policy based on container context */
if (mContainerId != Constants.LEGACY_CONTAINER_ID && mContainerId != Constants.DEVICE_CONTAINER_ID) {
    /* container context: go through the container manager for this container ID */
    mContMgr = mEKM.getKnoxContainerManager(this.getApplicationContext(), mContainerId);
    mCCM = mContMgr.getClientCertificateManagerPolicy();
} else {
    /* device (or legacy) context: pass a Context instance, not the Context type */
    mCCM = mEKM.getClientCertificateManagerPolicy(this.getApplicationContext());
}

/****** We need to set a profile before we can start using CCM (Initialization) ****/

/* Configure the CCMProfile before we call the setCCMProfile */
CCMProfile profile = new CCMProfile();

/* configure the access control method for this profile.
 * Refer to the Knox SDK for more information on the available
 * access control methods */
profile.accessControlMethod = CCMProfile.AccessControlMethod.LOCK_STATE;

/* either configure the profile with a list of package names
 * that are allowed to use CCM */
profile.packageList = (List<String>) packageList;

        /* OR */

/* set the whiteListAllPackages property of the CCM profile
 * to allow all packages to use CCM */
profile.whiteListAllPackages = true;

/* set the CCM profile using setCCMProfile API */
mCCM.setCCMProfile(profile);