
Android Keystores

This feature was deprecated in API level 33 with Knox SDK v3.7. For more information, see Deprecation of TIMA/CCM Keystore support.

This topic describes how to access Android keystores.

Access the Android Keystore

In this scenario, a customer has deployed a Knox Workspace on enterprise devices. The enterprise wants apps that require certificates, such as a secure browser, VPN, or email, to run inside the Workspace. Apps that don't require a certificate to run, such as Wi-Fi, will run outside the Workspace. They also want to push certificates (specifically cert_browser, cert_VPN, cert_email, and cert_wifi) to each device, and then verify that these certificates are stored in the Android Keystore.

  1. Install a certificate into the Wi-Fi Keystore.

    boolean result = false;
    String wifiAlias = "cert_wifi";

    // installing into the Android Wi-Fi keystore; cert_wifi holds the
    // PKCS#12 bytes of the certificate pushed to the device
    result = mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_wifi, wifiAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_WIFI);

    if (result) {
        Log.d(TAG, "Certificate successfully installed!");
    }


    The first parameter of this API can also be SecurityPolicy.TYPE_CERTIFICATE if the customer needs to install a plain certificate (a .crt or .cer file). In that case no password is needed in the fourth parameter of the API. A certificate installed into the Wi-Fi Keystore is visible both to the device owner and inside the Knox Workspace.

  2. Verify that the certificate is stored in the Wi-Fi Keystore.

    // retrieving all certificates from the Wi-Fi keystore
    List<CertificateInfo> certList = mSecurityPolicy
            .getCertificatesFromKeystore(SecurityPolicy.KEYSTORE_FOR_WIFI);

    if (certList != null && !certList.isEmpty()) {
        X509Certificate cert;
        String certAlias;
        int certKeystore;

        // iterate over all certificates stored in the Wi-Fi keystore
        for (CertificateInfo certInfo : certList) {
            cert = (X509Certificate) certInfo.getCertificate();
            certAlias = certInfo.getAlias();
            certKeystore = certInfo.getKeystore();
            Log.d(TAG, "alias=" + certAlias + " keystore=" + certKeystore
                    + " subject=" + cert.getSubjectX500Principal());
        }
    }
    
  3. Install certificates for the secure Browser, VPN, and Email apps inside the Workspace.

    boolean installedBrowser = false;
    boolean installedVPN = false;
    boolean installedEmail = false;

    String browserAlias = "browserCert";
    String vpnAlias = "vpnCert";
    String emailAlias = "emailCert";

    // installing cert_browser into the Android VPN and Apps keystore
    // (mKnoxSecurityPolicy is the SecurityPolicy instance used for the Workspace)
    installedBrowser = mKnoxSecurityPolicy.installCertificateToUserKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_browser, browserAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);

    // installing cert_browser into the Android Default keystore
    installedBrowser &= mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_browser, browserAlias, "123456",
            SecurityPolicy.KEYSTORE_DEFAULT);

    // installing cert_VPN into the Android VPN and Apps keystore
    installedVPN = mKnoxSecurityPolicy.installCertificateToUserKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_VPN, vpnAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);

    // installing cert_email into the Android VPN and Apps keystore
    installedEmail = mKnoxSecurityPolicy.installCertificateToUserKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_email, emailAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);

    // installing cert_email into the Android Default keystore
    installedEmail &= mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_email, emailAlias, "123456",
            SecurityPolicy.KEYSTORE_DEFAULT);


    If a CA certificate is used to validate an SSL connection in a browser, install it into SecurityPolicy.KEYSTORE_DEFAULT. When a PKCS#12 bundle is installed into both the Default and the VPN and Apps keystores, the CA certificate is stored in the Default keystore and used to establish the connection, while the user certificate and its private key are stored in the VPN and Apps keystore for authentication. Verify the installed certificates in the VPN and Apps and Default keystores.

    // retrieving certificates from the VPN and Apps keystore
    List<CertificateInfo> vpnList = mKnoxSecurityPolicy
            .getCertificatesFromUserKeystore(SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);

    // retrieving certificates from the Default keystore
    List<CertificateInfo> defaultList = mSecurityPolicy
            .getCertificatesFromKeystore(SecurityPolicy.KEYSTORE_DEFAULT);

    // put the retrieved lists together (either call may return null)
    List<CertificateInfo> certList = new ArrayList<>();
    if (vpnList != null) {
        certList.addAll(vpnList);
    }
    if (defaultList != null) {
        certList.addAll(defaultList);
    }

    if (!certList.isEmpty()) {
        X509Certificate cert;
        String certAlias;
        int certKeystore;

        // iterate over all certificates stored in the VPN and Apps and
        // Default keystores
        for (CertificateInfo certInfo : certList) {
            cert = (X509Certificate) certInfo.getCertificate();
            certAlias = certInfo.getAlias();
            certKeystore = certInfo.getKeystore();
            Log.d(TAG, "alias=" + certAlias + " keystore=" + certKeystore
                    + " subject=" + cert.getSubjectX500Principal());
        }
    }

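The retrieval loops above only read each entry back; the scenario also asks to confirm that every pushed certificate actually landed in the intended keystore and was not altered. The helper below is an added example, not part of the Knox documentation or SDK: it compares the retrieved CertificateInfo entries against the alias, keystore ids and SHA-256 fingerprint of each pushed certificate, handling aliases that were installed into more than one keystore (as browserCert and emailCert are in step 3). It assumes the Knox SDK 3.x package name com.samsung.android.knox.keystore for CertificateInfo, and that the pushed certificates are available as DER or PEM X.509 bytes (for a PKCS#12 bundle, extract the certificate first).

```java
import com.samsung.android.knox.keystore.CertificateInfo; // package name assumed (Knox SDK 3.x)
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;

/** Confirms each pushed certificate is present in every intended keystore and unmodified. */
public final class KeystoreVerifier {
    /** Expectation for one alias: the keystore ids it was installed into and its SHA-256 fingerprint. */
    public static final class Expected {
        final Set<Integer> keystores;
        final byte[] sha256;
        Expected(Set<Integer> keystores, byte[] sha256) { this.keystores = keystores; this.sha256 = sha256; }
    }
    /** Builds an expectation from the X.509 bytes (DER or PEM) that were pushed to the device. */
    public static Expected fromCertBytes(byte[] certBytes, Integer... keystores) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certBytes));
        return new Expected(new HashSet<>(Arrays.asList(keystores)), fingerprint(cert));
    }
    /** SHA-256 over the DER encoding: the value "openssl x509 -fingerprint -sha256" prints. */
    public static byte[] fingerprint(X509Certificate cert) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
    }
    /** One entry per problem found; an empty list means every expectation was met. */
    public static List<String> verify(List<CertificateInfo> installed, Map<String, Expected> expected) throws Exception {
        List<String> problems = new ArrayList<>();
        Map<String, Set<Integer>> seen = new HashMap<>();  // alias -> keystores it was found in
        if (installed != null) {                          // the Knox getters may return null
            for (CertificateInfo info : installed) {
                Expected exp = expected.get(info.getAlias());
                if (exp == null) continue;                // not one of ours, leave it alone
                seen.computeIfAbsent(info.getAlias(), k -> new HashSet<>()).add(info.getKeystore());
                X509Certificate cert = (X509Certificate) info.getCertificate();
                // MessageDigest.isEqual compares the digests without short-circuiting
                if (!MessageDigest.isEqual(fingerprint(cert), exp.sha256)) {
                    problems.add(info.getAlias() + " in keystore " + info.getKeystore() + " does not match the pushed certificate");
                }
            }
        }
        for (Map.Entry<String, Expected> e : expected.entrySet()) {
            Set<Integer> found = seen.getOrDefault(e.getKey(), Collections.<Integer>emptySet());
            for (Integer ks : e.getValue().keystores) {
                if (!found.contains(ks)) problems.add(e.getKey() + " missing from keystore " + ks);
            }
        }
        return problems;
    }
}
```

Call verify() with the merged certList from step 3 and a map such as browserAlias mapped to fromCertBytes(browserCaBytes, SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS, SecurityPolicy.KEYSTORE_DEFAULT); a non-empty result lists exactly which alias is missing from which keystore or holds an unexpected certificate.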
