
This feature was deprecated in API level 33 with Knox SDK v3.7. For more information, see Deprecation of TIMA/CCM Keystore support.

This topic provides an overview of CCM operations and configurations.

CCM operations

This section captures the key scenarios for enterprises adding CCM operations, such as:

  • Installing a certificate
  • Deleting a certificate
  • Getting CCM package profile
  • Checking whether a package can access CCM
  • Adding a package to the CCM allowlist
  • Removing a CCM profile

/**** installing certificate (by an application/package in the allowlist) ****/
/* A profile that must be used to control access to this certificate */

CertificateProfile certProfile = new CertificateProfile();
certProfile.isCSRResponse = false; // true, if this is a response to a Certificate Signing Request
certProfile.allowWiFi = false; // true, if this certificate can be used by Wi-Fi
certProfile.alias = alias; // alias to associate with this certificate

/* either add all packages to the allowlist */
certProfile.allowAllPackages = true;

/* OR */

/* provide the list of packages to be added to the allowlist */
certProfile.packageList = (List)packageList;

/* install the certificate with the following arguments:
 * certProfile : a Certificate profile
 * certBytes : the certificate bytes (byte array)
 * certPwd : password to decrypt the private key in the certificate */

boolean ret = mCCM.installCertificate(certProfile, certBytes, certPwd);

/**** delete an existing certificate ****/
boolean ret = mCCM.deleteCertificate(alias); // delete the certificate associated with the alias

/**** get the CCM Profile that was set during CCM initialization ****/
/* get the CCM Profile based on the current container context */

CCMProfile profile = new CCMProfile();
boolean ret = mCCM.getCCMProfile(profile); // profile object contains all the configuration

/**** to know if CCM is accessible for a package ****/
boolean ret = mCCM.isCCMPolicyEnabledForPackage(packageName);

/**** Add a package to the allowlist ****/
boolean ret = mCCM.addPackageToExemptList(packageName);

/**** Remove a package from the allowlist ****/
boolean ret = mCCM.removePackageFromExemptList(packageName);

/**** delete the profile to disable usage of CCM; this also deletes all certificate data, essentially disabling CCM ****/

/* deletes the profile associated with the current container context */
boolean ret = mCCM.deleteCCMProfile();

CCM configurations

This topic explains the essential scenarios for enterprises along with the associated configuration and operational details.

The following conditions must be present for this use case example:

  • CCM is enabled
  • Upon MDM decision, all certificate-based apps use CCM for their certificate storage

/**** get ClientCertificateManager handle ****/
ClientCertificateManager mCCM = null;

/* get CCM Policy based on container context */
if (mContainerId != Constants.LEGACY_CONTAINER_ID && mContainerId != Constants.DEVICE_CONTAINER_ID) {
    mContMgr = EnterpriseKnoxManager.getInstance()
                                    .getKnoxContainerManager(this.getApplicationContext(),
                                        mContainerId);
    mCCM = mContMgr.getClientCertificateManagerPolicy();
} else {
    /* pass a Context instance here, as in the container branch above */
    mCCM = mEKM.getClientCertificateManagerPolicy(this.getApplicationContext());
}

/****** We need to set a profile before we can start using CCM (Initialization) ****/

/* Configure the CCMProfile before we call the setCCMProfile */
CCMProfile profile = new CCMProfile();

/* configure the access control method for this profile.
 * Refer to the Knox SDK for more information on the available
 * access control methods */
profile.accessControlMethod = CCMProfile.AccessControlMethod.LOCK_STATE;

/* configure the profile with a list of package names to be
 * allowed to use CCM or set whiteListAllPackages
 * property of the ccm profile to allow all packages to use CCM */

profile.packageList = (List)packageList;

/* OR */

profile.whiteListAllPackages = true;

/* set the CCM profile using setCCMProfile API */
mCCM.setCCMProfile(profile);
