CCM operations
This feature was deprecated in API level 33 with Knox SDK v3.7. For more information, see Deprecation of TIMA/CCM Keystore support.
This topic provides an overview of CCM operations and configurations.
CCM operations
This section captures the key scenarios for enterprises adding CCM operations, such as:
- Installing a certificate
- Deleting a certificate
- Getting CCM package profile
- Checking whether a package can access CCM
- Adding a package to the CCM allowlist
- Removing a CCM profile
```java
/**** Install a certificate (by an application/package in the allowlist) ****/
/* A profile that must be used to control access to this certificate */
CertificateProfile certProfile = new CertificateProfile();
certProfile.isCSRResponse = false; // true, if this is a response to a Certificate Signing Request
certProfile.allowWiFi = false;     // true, if this certificate can be used by Wi-Fi
certProfile.alias = alias;         // alias to associate with this certificate

/* either add all packages to the allowlist */
certProfile.allowAllPackages = true;
/* OR */
/* provide the list of packages to be added to the allowlist */
certProfile.packageList = (List<String>) packageList;

/* install the certificate with the following arguments:
 * certProfile : a Certificate profile
 * certBytes   : the certificate bytes (byte array)
 * certPwd     : password to decrypt the private key in the certificate */
boolean ret = mCCM.installCertificate(certProfile, certBytes, certPwd);

/**** Delete an existing certificate ****/
ret = mCCM.deleteCertificate(alias); // delete the certificate associated with the alias

/**** Get the CCM profile that was set during CCM initialization ****/
/* get the CCM profile based on the current container context */
CCMProfile profile = new CCMProfile();
ret = mCCM.getCCMProfile(profile); // profile object contains all the configuration

/**** Check whether CCM is accessible for a package ****/
ret = mCCM.isCCMPolicyEnabledForPackage(packageName);

/**** Add a package to the allowlist ****/
ret = mCCM.addPackageToExemptList(packageName);

/**** Remove a package from the allowlist ****/
ret = mCCM.removePackageFromExemptList(packageName);

/**** Delete the profile to disable usage of CCM. This deletes all certificate data too, essentially disabling CCM ****/
/* deletes the profile associated with the current container context */
ret = mCCM.deleteCCMProfile();
```
CCM configurations
This topic explains the essential scenarios for enterprises along with the associated configuration and operational details.
The following conditions must be present for this use case example:
- CCM is enabled
- Upon MDM decision, all certificate-based apps use CCM for their certificate storage
```java
/**** Get the ClientCertificateManager handle ****/
ClientCertificateManager mCCM = null;

/* get the CCM policy based on the container context */
if (mContainerId != Constants.LEGACY_CONTAINER_ID && mContainerId != Constants.DEVICE_CONTAINER_ID) {
    mContMgr = EnterpriseKnoxManager.getInstance()
            .getKnoxContainerManager(this.getApplicationContext(),
                    mContainerId);
    mCCM = mContMgr.getClientCertificateManagerPolicy();
} else {
    mCCM = mEKM.getClientCertificateManagerPolicy(this.getApplicationContext());
}

/**** A profile must be set before CCM can be used (initialization) ****/
/* Configure the CCMProfile before calling setCCMProfile */
CCMProfile profile = new CCMProfile();

/* configure the access control method for this profile.
 * Refer to the Knox SDK for more information on the available
 * access control methods */
profile.accessControlMethod = CCMProfile.AccessControlMethod.LOCK_STATE;

/* configure the profile with a list of package names to be
 * allowed to use CCM, or set the whiteListAllPackages
 * property of the CCM profile to allow all packages to use CCM */
profile.packageList = (List<String>) packageList;
/* OR */
profile.whiteListAllPackages = true;

/* set the CCM profile using the setCCMProfile API */
mCCM.setCCMProfile(profile);
```
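The following added example (not part of the original page or the Knox SDK samples) combines the initialization and certificate installation steps above using explicit package lists instead of the allow-all options, checks every return value, and rolls back if the access check does not match. The `CcmProvisioner` class, its parameters, the `com.samsung.android.knox.keystore` import paths, and the expectation that `isCCMPolicyEnabledForPackage` returns false for a package outside the list are assumptions.

```java
import com.samsung.android.knox.keystore.CCMProfile;          // assumed Knox SDK 3.x package path
import com.samsung.android.knox.keystore.CertificateProfile;
import com.samsung.android.knox.keystore.ClientCertificateManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper: provisions CCM for a fixed set of packages only. */
public final class CcmProvisioner {
    private final ClientCertificateManager ccm;

    public CcmProvisioner(ClientCertificateManager ccm) { this.ccm = ccm; }

    /** Returns true only if the profile is set, the certificate is installed, and access is verified. */
    public boolean provision(String alias, byte[] certBytes, String certPwd,
                             List<String> allowedPackages, String unlistedPackage) {
        if (allowedPackages == null || allowedPackages.isEmpty()) {
            return false; // refuse to fall back to "all packages"
        }
        // Initialization: CCM profile restricted to the named packages.
        CCMProfile profile = new CCMProfile();
        profile.accessControlMethod = CCMProfile.AccessControlMethod.LOCK_STATE;
        profile.whiteListAllPackages = false;
        profile.packageList = new ArrayList<>(allowedPackages);
        if (!ccm.setCCMProfile(profile)) {
            return false;
        }
        // Certificate profile: same packages, no Wi-Fi use, not a CSR response.
        CertificateProfile certProfile = new CertificateProfile();
        certProfile.alias = alias;
        certProfile.isCSRResponse = false;
        certProfile.allowWiFi = false;
        certProfile.allowAllPackages = false;
        certProfile.packageList = new ArrayList<>(allowedPackages);
        if (!ccm.installCertificate(certProfile, certBytes, certPwd)) {
            return false;
        }
        // Verify: listed packages have access, the unlisted one (assumption) does not.
        boolean ok = !ccm.isCCMPolicyEnabledForPackage(unlistedPackage);
        for (String pkg : allowedPackages) {
            ok &= ccm.isCCMPolicyEnabledForPackage(pkg);
        }
        if (!ok) {
            ccm.deleteCertificate(alias); // roll back rather than leave a mis-scoped certificate
        }
        return ok;
    }
}
```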