
Integrating with Apple's Global Service Exchange (GSX)

Overview

You can integrate Jamf Pro with Apple's Global Service Exchange (GSX).

Before you can integrate Jamf Pro with GSX, you must have the following:

  • A GSX Account with the "Manager" or "Administrator" role, access to Web Services, and access to coverage/warranty information
  • An Apple certificate

This article explains how to create a GSX account and obtain an Apple certificate.

Creating a GSX Account

  1. Go to http://www.apple.com/support/programs/ssa/ to apply for a GSX account. Note: To apply for a GSX account, you must have a service contract with Apple. Contact your Apple Account Executive to learn more about GSX.
  2. Log in to your GSX account at https://myaccess.apple.com/
  3. Click on My Team.
  4. Select a user from the list.
  5. On the Account Details page, click Global Service Exchange.
  6. Click Update Access.
  7. In the Business role dropdown, choose "Manager."
  8. In the Optional Privilege(s) dropdown, select the Web Services and Warranty Lookup checkboxes.
  9. Click Submit.

Obtaining an Apple Certificate

Obtaining an Apple certificate involves the following steps:

  1. Generate a certificate signing request (CSR).
  2. Send the CSR and your GSX account information to Apple. Apple sends back Apple certificates (.pem).
  3. Convert the Apple certificates to .p12 format.

Step 1: Generate a CSR

You can use OpenSSL to generate a CSR.

Note: You can also generate a CSR using Java Keytool.

  1. Open a Terminal window on a computer that has OpenSSL installed.
  2. Create a key pair by executing the following command:
    sudo openssl genrsa -aes256 -out privatekey.pem 2048
  3. Create a passphrase when prompted. Note: This is the password you will use when accessing the private key.
  4. Create the CSR by executing the following command:
    openssl req -new -sha256 -key privatekey.pem -out certreq.csr
  5. Enter the Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit.
  6. When prompted to enter the Common Name, enter one of the following:
     • For a test environment CSR: Applecare-APP157-[10DigitSoldTo].Test.apple.com
     • For a production environment CSR: Applecare-APP157-[10DigitSoldTo].Prod.apple.com
     For example, Applecare-APP157-0000098765.Prod.apple.com.
  7. When prompted for the email address, challenge password, and optional company name, do not enter any information. Press the Enter key for each prompt instead.

Step 2: Send the CSR and GSX Account Information to Apple

Send the unsigned CSR and the following GSX account information to gsxws@apple.com:

  • GSX Sold-To account number
  • Primary IT contact name
  • Primary IT contact email
  • Primary IT contact phone number
  • Outgoing static IP address of the server that sends requests to GSX Production
    If your environment is hosted on the Jamf Cloud, see the following Knowledge Base article for the IP address: Permitting Inbound/Outbound Traffic with Jamf Cloud

Apple generates the Apple certificate (.pem) and sends a signed certificate and a chain certificate back to you.
(For example, Applecare-APP157-xxxxxxxxxx.Prod.apple.com.cert.pem and Applecare-APP157-xxxxxxxxxx.Prod.apple.com.chain.pem.)
Note: It may be helpful to rename the files “cert.pem” and “chain.pem” for use in final steps.
There may also be a file labeled “issuer” that is not needed for this process.

Step 3: Convert the Apple Certificate (.pem) to .p12 Format

Create a .p12 file using the private key and Apple certificates by executing the following command:

sudo openssl pkcs12 -export -inkey privatekey.pem -in cert.pem -out GSX_Cert.p12

Note: The GSX_Cert.p12 file contains your signed GSX certificate.
If you do not specify a path before the file name when running the above command, the file will be in your working directory.

The certificate is saved as a .p12 file in the location you specified.
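The two OpenSSL steps above, collected into a script that runs without prompts and adds the checks worth performing before the CSR is e-mailed to Apple and before the .p12 is handed to Jamf Pro. This is an added example, not a command sequence from the Jamf article. It assumes OpenSSL is on the PATH, that the key passphrase and the .p12 passphrase are supplied in the environment variables GSX_KEY_PASS and GSX_P12_PASS (names chosen for this example), and that Apple's returned files have been renamed cert.pem and chain.pem as the article suggests; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Jamf article: the article's Step 1 and Step 3
# OpenSSL commands as functions that run without prompts, plus the sanity
# checks to perform before mailing the CSR to Apple or loading the .p12.
# Assumptions (not from the article): OpenSSL is on PATH; GSX_KEY_PASS holds
# the private-key passphrase and GSX_P12_PASS the .p12 passphrase (both env
# vars are this example's own names); Apple's returned files have been
# renamed cert.pem and chain.pem as the article suggests.
set -eu

# Return 0 when $1 matches the Common Name form the article requires:
#   Applecare-APP157-<10-digit Sold-To>.Test.apple.com  (test environment)
#   Applecare-APP157-<10-digit Sold-To>.Prod.apple.com  (production)
# Anything else (wrong digit count, other environment, stray characters) returns 1.
validate_cn() {
  case "$1" in
    Applecare-APP157-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].Test.apple.com) return 0 ;;
    Applecare-APP157-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].Prod.apple.com) return 0 ;;
  esac
  return 1
}

# Assemble the Common Name from a 10-digit Sold-To ($1) and an environment
# name ($2, "Test" or "Prod"), e.g. gsx_common_name 0000098765 Prod
# -> Applecare-APP157-0000098765.Prod.apple.com (the article's example value).
# The Sold-To is handled as a string so its leading zeros are preserved.
gsx_common_name() {
  printf 'Applecare-APP157-%s.%s.apple.com\n' "$1" "$2"
}

# Step 1: AES-256-encrypted RSA-2048 key and SHA-256 CSR, written to
# directory $1 with Common Name $2. $3 is the rest of the subject the article
# asks for, e.g. "/C=US/ST=Minnesota/L=Minneapolis/O=Example Inc/OU=IT".
# Passing -subj leaves the e-mail, challenge password and optional company
# name empty, which is what the article's Step 1 item 7 requires.
make_gsx_csr() {
  out=$1; cn=$2; subj_prefix=$3
  if ! validate_cn "$cn"; then
    echo "refusing to build CSR: '$cn' is not a valid GSX Common Name" >&2
    return 1
  fi
  openssl genrsa -aes256 -passout env:GSX_KEY_PASS \
    -out "$out/privatekey.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$out/privatekey.pem" -passin env:GSX_KEY_PASS \
    -subj "${subj_prefix}/CN=${cn}" -out "$out/certreq.csr"
  # Check what will actually be sent: the CSR's subject must carry the CN we
  # intended, otherwise Apple issues a certificate for the wrong account.
  openssl req -in "$out/certreq.csr" -noout -subject | grep -q "CN *= *${cn}"
}

# Step 3: bundle the private key, Apple's signed certificate and the chain
# certificate from directory $1 into GSX_Cert.p12 for upload to Jamf Pro.
# -certfile chain.pem adds the intermediate, which the article's own command
# omits; the bundle is then re-opened to confirm it parses with the chosen
# passphrase before it is handed to Jamf Pro.
make_gsx_p12() {
  d=$1
  openssl pkcs12 -export -inkey "$d/privatekey.pem" -passin env:GSX_KEY_PASS \
    -in "$d/cert.pem" -certfile "$d/chain.pem" \
    -out "$d/GSX_Cert.p12" -passout env:GSX_P12_PASS
  openssl pkcs12 -in "$d/GSX_Cert.p12" -passin env:GSX_P12_PASS \
    -nodes -noout -info 2>/dev/null
}

# Usage (with GSX_KEY_PASS and GSX_P12_PASS exported beforehand):
#   make_gsx_csr ./gsx "$(gsx_common_name 0000098765 Prod)" \
#     "/C=US/ST=Minnesota/L=Minneapolis/O=Example Inc/OU=IT"
#   ...e-mail ./gsx/certreq.csr to Apple, save the replies as cert.pem and chain.pem...
#   make_gsx_p12 ./gsx
```

The validate_cn check refuses to build a CSR whose Common Name does not have the Applecare-APP157-<10-digit Sold-To>.Test|Prod.apple.com form, since a mistyped Sold-To means a certificate issued against the wrong account and a failed connection test later. Including chain.pem with -certfile goes one step beyond the article's own pkcs12 command, which bundles cert.pem alone.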

Related Information

For instructions on how to integrate Jamf Pro with GSX, see “Integrating with GSX” in the Jamf Pro Administrator's Guide.

SOLVED Posted: by Seven

If this is your first time to use GSX or if you're having trouble setting up GSX access, this additional information should be helpful. This presumes that you have completed the SSA process and have been granted a GSX account.

Adding a User to GSX

  1. Create a new Apple ID (eg: jamf.gsx@example.com) to use as the JAMF GSX user
  2. After creating the account and verifying the e-mail address, go to http://gsx.apple.com and log in with the newly created Apple ID (ex: jamf.gsx@example.com)
  3. When prompted, enter the Sold-to account number of your SSA/GSX and a Job function (you can fill this with any title you wish)
  4. Accept the terms and click submit
  5. Now log into the GSX as your GSX admin, not the Apple ID that you created in step 1
  6. Click on "Access Requests" under your admin name in the left-hand panel
  7. Select the access request for the account in step 1 and click approve
  8. From the left-hand panel, click the disclosure triangle by "People" and select the Users folder
  9. Select the Apple ID you created in step 1
  10. From the right-hand panel, assign read-only access to the various categories
  11. Click "Save" to save the permission changes

Connecting JAMF to GSX

  1. Open Global Management settings and click "GSX Connection"
  2. Enable a connection to GSX
  3. Enter the e-mail address of the Apple ID that you created in the previous section
  4. Enter and confirm the password
  5. For the GSX Account Number, enter your SSA/GSX Sold-to number
  6. Select the region and the URI should be automatically filled in to match
  7. Click Save
  8. Click Test to go to the testing page
  9. On the testing page, click "Test"

You should receive the message "A connection to the GSX server was successful".

If you receive "Internal Server Error (500) - Internal Server Error", it means that the GSX permissions for the Apple ID are not sufficient. Go back into GSX and ensure that "Can Access Web Services" is enabled. This error does not typically mean that you're having an internal error with your JAMF instance.

SOLVED Posted: by donmontalvo

We just got the word that our firewall rule was set up. But no-go on first test. The error we are getting:

Communication Error (1001) - The connector failed to complete the communication with the server

Any idea if this is JSS or the firewall blocking traffic?

SOLVED Posted: by jstrauss

We're experiencing the same issue.

SOLVED Posted: by JB_ITS

I am receiving the following error:

Internal Server Error (500) - Internal Server Error

So no idea where to even start with that one.

SOLVED Posted: by jstrauss

@donmontalvo our particular issue that resulted in that error was because credentials weren't being passed correctly to our proxy, which requires authentication. I have a support case open on that and I'm waiting to hear back. We worked around this issue by configuring a local unauthenticated proxy on the server. You might be experiencing the same or a similar authentication issue. My suspicion is that authenticated proxies aren't supported by the JSS.

SOLVED Posted: by Seven

@Wellogic-ITS -- See my post above.

If you receive "Internal Server Error (500) - Internal Server Error", it means that the GSX permissions for the Apple ID are not sufficient. Go back into GSX and ensure that "Can Access Web Services" is enabled. This error does not typically mean that you're having an internal error with your JAMF instance.

SOLVED Posted: by donmontalvo

@jstrauss Circling back to post an update, we confirmed your suspicion is right. Even when a rule is set up on an authenticating proxy to allow GSX traffic without requiring authentication, the proxy gets in JSS's way.

SOLVED Posted: by cdenesha

I just experienced another reason for the Internal Server Error 500, also credentials related.

I had changed my password and GSX did not like certain symbols. In my case I had a right angle bracket > and an ampersand & in it.

It is possible this could be fixed by escaping the password somehow, I am reporting to Support.

thanks,

chris

SOLVED Posted: by jedfrye

@cdenesha
Thank you for that!
I can confirm that it doesn't accept &

SOLVED Posted: by spalmer

I can confirm that it doesn't like _ underscores. We recently upgraded from 9.32, where it was working, directly to 9.61 so a bug was introduced at some point after 9.32. And most likely before 9.61 because the previous reports on this thread occurred before 9.61 was released.

SOLVED Posted: by kamelarc6

What Is The Sold-to Account
And
Job Function
????????????????
How do I get them

SOLVED Posted: by donmontalvo

@kamelarc6 Ask your GSX administrator.

SOLVED Posted: by kamelarc6

who is the GSX administrator ???
and how do i get The Sold-to Account
And
Job Function

SOLVED Posted: by donmontalvo

@kamelarc6 If you don't have this info ask your manager or lead to get it for you.

GSX sold-to info is confidential/proprietary; you won't find in a public forum.

You'll need to show you are willing to put in the effort or your posts here might start to get ignored. ;)

SOLVED Posted: by etippett

Just saw this notice when logging into GSX:

*Two-step Verification support for GSX

Two-step verification is an additional security feature for your Apple ID that's designed to prevent anyone from accessing or using your account, even if they know your password. Two-step verification is designed to keep your Apple ID and personal information as secure as possible.

See Frequently asked questions about two-step verification for Apple ID to learn how to set up two-step verification and for answers to frequently asked questions.

Accounts should be updated with two-step verification by close of business on Friday, April 20, 2015. If two-step verification is not set after April 20, access to GSX is subject to removal.*

Does anyone have any idea how this will affect the account used in our JSS to access GSX?

Thanks,
Eric

SOLVED Posted: by yellow

@etippett

Good question, I was about to ask the same. I'm also curious about the "corporate email" requirement. I use my personal email as my GSX login since it follows me, regardless of my job. In trying to create a GSX login with my corporate account, I get an "Access for your type of Apple ID is not supported."

Fantastic.

SOLVED Posted: by etippett

@yellow Got this response from my JAMF rep today:
The API that the JSS uses to connect with GSX does not require two step authentication. However, it will be required if you access GSX through their web interface.

I also use a gmail-based AppleID since it is tied to my tech certifications. Sometime soon I'll be opening a case with GSX to discuss how stupid this requirement is. I also tried re-activating my corporate email AppleID, which had already been connected to our sold-to in GSX but was deactivated due to the login once per month requirement, but it is not appearing anywhere in my GSX console. Sigh...

Eric

SOLVED Posted: by john.miller

Hey

I wanted to give a quick note regarding GSX and the changes mentioned by @etippett

As others may have noticed, GSX will require two step authentication beginning April 20th. This requirement is only for the Web interface access but does not affect API calls. This means that integration with the Casper Suite is unaffected by this change.

Thanks, everyone!

SOLVED Posted: by leungn

@etippett Inactive accounts are not visible in the GSX user view. However, you can search for all accounts by pressing the plus button and selecting the email field. GSX support pointed this out after they manually reactivated a few accounts for me.

SOLVED Posted: by cdenesha

Aha! I used to be able to see everyone there.. be sure to search for an @ sign to see everybody.

@etippett please let us know what you find out about Corporate accounts. I actually removed my older admin corporate Apple ID from GSX to 'clean it up' and now instead of saying "The User is inactive. Please Click the below Reactivate button to reactivate the User" it says "The request has been rejected". <sigh>

When I was in training a few months ago for my ACMT (third party trainer, not Apple, but very knowledgeable) I switched to a personal Apple ID because I needed to set up a GCX/Atlas account, and guess what wasn't allowed to be done to the corporate account? And since the Tech ID is needed by GSX, I am not sure why they would be deactivating non-corporate domain Apple IDs.

chris

SOLVED Posted: by yellow

Same thing here. "The request has been rejected".

SOLVED Posted: by rdwhitt

@yellow I ran into the "Access for your type of Apple ID is not supported" issue when attempting to create the account at applied.apple.com. If you click on "create an apple id" on the GSX login page, it takes you to a slightly different Apple ID registration page.

SOLVED Posted: by yellow

@rdwhitt

Except that the account already exists. It's a fully functional & used AppleID. Well.. fully functional except for me being able to get into GSX with it.

SOLVED Posted: by rdwhitt

@yellow Yep, I ran into the same issue. I had to first go to appleid.apple.com, click "manage your Apple ID", then I was able to edit the Apple ID and Primary Email address and change it to something else, which released the email I wanted to use for GSX. I was then able to go to the GSX login page and use the create account link and finally request access to our sold-to account.

All in all, GSX is a very clunky experience and Apple support never seems to really know how it all works either.

SOLVED Posted: by etippett

@leungn Thanks for the tip on searching to find my deactivated corporate AppleID in GSX. I've got it reactivated and have emailed certifications@apple.com asking that my certifications be moved from my personal AppleID to corporate. I'm not happy about this, but it doesn't seem there's any getting around it.

From the bulk email I received from AppleCare Field Service and Channel Solutions:
"If your certifications are on a private email address- that is okay. Please create a new Apple ID via the GSX login page and then email certifications@apple.com to have your certifications moved to your new corporate domain ID."

Sigh...

SOLVED Posted: by qsodji

Anyone, experiencing Communication Error (1001) - The connector failed to complete the communication with the server when testing GSX connectivity with JSS.
I know the account is valid since I can manually log into GSX.
Q

SOLVED Posted: by spalmer

@john.miller I just received an email from GSX Web Services that there will be an API update along with new SSL requirements that take effect in August. I have pasted the entire email below (bold emphasis is mine):

This summary contains details found in GSX Services News SN2677.

GSX WEB SERVICES API UPDATE AND SSL REQUIREMENT

Apple will be releasing an update to GSX Web Services (API) in August 2015 that will require changes for all API users. All accounts integrating with web services should review the API Change Log to identify changes that will impact API development and utilization. The update will be deployed on the New Generation WSDL (web services description language). Integrating with this update requires completion of the SSL (Secure Sockets Layer) certificate process. The Legacy WSDL and method of authentication will not be supported following the August update. Transitioning to the SSL certificate WSDL prior to the August release is highly recommended as this will aid in the induction of the August 2015 deployment.

SSL Certificate Process

All API users must begin the CSR (Certificate Signing Request) process no later than Friday, April 17, 2015. The CSR is used to create the SSL certificate. For more information about the certificates process, please reference the “Certificates” section of the FAQ page within the GSX Web Services documentation. To begin the CSR process, email the following information to gsxws@apple.com:

Subject: GSX New Generation WSDL On-boarding Request
Message Content:
  • GSX Sold To account number:
  • Primary IT contact’s name:
  • Primary IT contact’s email:
  • Primary IT contact’s phone number:
  • Static outgoing server IP address sending requests to GSX Production:
  • Static outgoing server IP address sending requests to GSX UT:
  • Apple Channel Manager:

WSDL Update Information

In addition to the SSL requirement, the August 2015 update will introduce several new APIs alongside updates to existing APIs. These changes will cover APIs associated with, but not limited to, repair creation as well as warranty status and other lookups. Test WSDLs containing updated API code will be available for user acceptance testing in June, 2015. Production WSDLs will be available in August prior to the GSX Web Services API release. This change impacts APIs developed in-house as well as third-party API solutions. All API users must induct the updated production WSDLs. Previous API WSDLs will no longer function following the August, 2015 release. Please direct any questions to the API Support Team via email at gsxws@apple.com.

It appears to me to read that this will affect continued Casper integration with GSX warranty lookups. Not to mention are we going to have to start the mentioned CSR process before the April 17th deadline? If so I hope JAMF will be providing some guidance very quickly on how to do this.

SOLVED Posted: by Sandy

Ha!
We have another tech who has hardware certifications and does some warranty repairs, so he is our main GSX admin.
My GSX account has apparently been totally removed so he cannot re-enable me...and so my jss>gsx link is down
EDIT: nope, just hidden now for some silly reason.... now I have two! Too Many Steps!!!
S

SOLVED Posted: by NoahRJ

Another update from Apple today regarding this...

If you are using a personal Apple ID, and do not want to update it with a corporate email address, please follow the steps below to create a NEW Apple ID: You can create a new Apple ID through the GSX log in page (the new ID must be created here to be the correct ID type for GSX use). After the new ID is created, you can escalate to certifications@apple.com to have your certifications moved over. Please include the following information:
  • Current Apple ID:
  • Tech ID:
  • Full Name:
  • Email Associated with New Apple ID:
Please continue to use your existing Apple ID until the certifications have been moved over.

So, if they're not mandating a corporate email address in all cases, I'm having a really tough time seeing the point of creating a new Apple ID at all... Immensely frustrating, to say the least.

SOLVED Posted: by qsodji

What they are trying to say is if you don't want to change the email of the current apple ID you are using because, you use it with other apple sites (iTunes, certifications site, apple.com) you can create a new one from within GSX using your corporate email (all gsx account will be required to have corporate domains). Now assuming you have certifications, you will need to have those moved to the new Apple ID (with the corporate domain) since your current Apple ID will no longer work with GSX.
By doing this, you retain the use of your non corporate apple ID for access to iTunes, Apple etc while having a dedicated GSX Apple ID.
I used to keep it all on my personal Apple ID but since you can always login and change the email, you can always update the email address to a new company should you leave your current employer.
Always remove your account from a GSX account prior to applying for a new one.

SOLVED Posted: by patrickmullen

I've found this worked to get moved over:

  1. Login to appleid.apple.com and change your Apple ID to the new, corporate address. This allows you to keep your certifications -- as long as you continue to use this container for your certifications, your Tech ID will follow this Apple ID, even if the e-mail associated with it (and in effect, even the name of the Apple ID because that follows the e-mail address), you keep your certs.
  2. Add your current, non-corporate e-mail you were just using as the rescue e-mail address. That way, if you leave your company, you will continue to have access to your Apple ID and certifications (but you might lose GSX).
  3. I created an alias for my current Google Apps for Business e-mail account. This allowed me to not need to pay for another e-mail just for GSX and makes it so all my normal e-mail goes to my same corporate e-mail address. This also, to Apple, looks like an e-mail address (even though it's just an alias to me) that is unused with any Apple service. That's really the requirement for GSX -- an Apple ID that hasn't been used for anything else, including their business quote portal, App Store, iTunes, etc. As far as I can tell, this is a requirement even if you work for Apple -- they have a mechanism for single sign-on, but that Apple ID even the Geniuses use for GSX is unassociated with any other Apple service.
  4. Login to GSX and setup two-step verification.

If you have issues with your Apple ID or anything like that, svc.authorize@apple.com is the jam -- they can help with most anything related to GSX. It might take a few e-mails, but they've always given me tips when pressed for more than the easy answer.

SOLVED Posted: by cdenesha
Always remove your account from a GSX account prior to applying for a new one.

Is this even possible? I had a Revoked corporate account, but was unable to reuse it for GSX.

I renamed my personal Apple ID to my corporate email address and the various services (GSX, GCX, ATLAS) seamlessly kept working. If I ever need to move to another workplace I'll probably have to create a new Apple ID for GSX (see my first sentence above) so I think I'll go add a Rescue email address of my personal email (good idea patrickmullen!).

thanks,

chris

SOLVED Posted: by cdenesha

It looks like you cannot create a Rescue email address once you have two-step verification enabled. If you already had it when you enabled two-step verification, then the Rescue email address becomes a Notification email address.

https://support.apple.com/en-us/HT201356

SOLVED Posted: by Sandy

Another thing my HW tech uncovered is that Apple will transfer all his certs to his new corp Apple ID, but if he were to work for another ASP on the side (which he has in the past) then he would be required to re-certify in THAT corp Apple ID (and in some cases re-pay... )
This has made him pretty unhappy :(
Also, I'm pretty sure that anyone who used a .mac or .me email account for GSX cannot change to another email address...though not too likely I guess since the GSX Apple ID has to be a standalone Apple ID....
S

SOLVED Posted: by donmontalvo

I would escalate to your Apple rep, should be no reason for a tech to certify more than once.

SOLVED Posted: by patrickmullen

@cdenesha, that could be true (and the article seems to indicate it is). I added it as a recovery e-mail BEFORE I setup 2-step verification. From the looks of it, it's listing it as an "alternate" address on my Apple ID now, so it appears it has converted mine to a notification address like you're saying.

Good news is, as long as I associate it with my personal cell phone, I'll still have access to it if I need to reset the password or change my Apple ID in some way without access to my corporate e-mail.

SOLVED Posted: by yellow

Keeping on topic with this article, I see there are planned updates to how the GSX API works, hopefully they don't break how Casper integrates and if it does, that it's corrected quickly.

now, OT, @Sandy

Same deal with me. All my certs and whatnot are tied to my personal .Mac email, since that follows me and where I work is irrelevant. Of course my GSX account is tied to that, of course I'm the GSX admin for our operation, of course I reached out to our EDU Rep for help on getting my corp account resurrected, of course it's been crickets. Interested to see what's going to happen.

And I don't the 2 factor authentication. I UNDERSTAND the reasoning, I just find it irritating.

SOLVED Posted: by patrickmullen

@yellow the GSX team at Apple is somewhat clueless how this will affect Casper Suite. If you have a rep at JAMF, I'd reach out to them. This is what the GSX team told me when I inquired more:

I’m not sure how authenticate is being done via Casper Suite, but I think you need to have this escalated to the actual Casper Suite devs first to see if the current build of their software supports SSL authentication or not. technically speaking , all authentication needs to be done in a server where its IP Address is setup as STATIC, at the same time whitelisted in our servers. Certificates that we will be issuing from the CSR file that you will provide will need to be installed on the system as well that is authenticating / transacting via GSX API. Therefore if your network setup doesn’t involve any static IP Address setup, you’ll need to provide one.

In my hunting, when I test my GSX connection, it doesn't appear to say anything about SSL authentication. So that tells me something will need to change.

In addition, it sounds like we'll need to add a certificate to our JSS VM and make it accessible to the outside world to work (neither of these things are how we currently have things setup).

Correct me if you all think I'm reading this wrong.

SOLVED Posted: by mattware

Could anyone comment on how to sign up for the self service account? At the link in the original article, it says to contact your sales rep or email ssa.program@apple.com. I emailed my sales rep and he directed me back to that same article saying the application was there (not very helpful). So I sent an email to the ssa.program@apple.com and got a confirmation back saying they would respond in 2-3 days, but I still haven't heard anything back.

SOLVED Posted: by etippett

@patrickmullen

I reached out to my JAMF account rep about both the 2-factor authentication and SSL API changes. She responded that I didn't need to worry about either. 2-factor auth apparently does not affect the JSS using the GSX API to connect and the SSL changes will apparently be taken care of in a future Casper release.

See additional info in this thread

"We [JAMF] have been working with Apple on impact, and have made some progress. In short, you are right. API access will continue to work without two-factor authentication. However, we are tracking a change coming in August that will require a certificate-based authentication with the API. We hope that will all be backend work, but are uncertain right now if you will need to generate a certificate using Apple’s portal or the JSS at that time. So we are good for now, but there may be changes later in the year that will impact us all. We fully plan to have full support with GSX moving forward, and are on top of researching what it means currently."

SOLVED Posted: by patrickmullen

@mattware I dunno how much help this is, but I did it via this website: http://www.apple.com/lae/support/programs/ssa/

Doesn't appear you can do it anymore. Or I'm not seeing it. But if you submitted your application, you're on the right trail.

If you are close to an Apple Store, I would connect with their Business Team. Mine knew a lot about the process and held our hand through the whole thing. The whole process, with their help, took about 2 weeks for us. Partially because the requirements for the program changed during the process of us attempting to sign up and convert our current terms account to SSA.

Recently, requirements have changed -- it used to be that you needed 100 deployed Macs, now it's 300.

If you don't have 300, you can set up a LTSA (Limited Terms Service Account) and that will get you GSX access plus the ability to do quick-swaps on accessories (keyboard, mice, power adapters, etc.). We initially set that up through our local Apple retail store.

SOLVED Posted: by mattware

@patrickmullen Thanks for the reply. Yeah, there's no application link for me. We haven't submitted it yet. I did email the ssa.program address and got a confirmation response but it's been a week and we haven't heard anything back from them yet.

We're 45 minutes or so from an Apple store but I'm not sure how much help they'd be. We have 50-60 macs and 10-20 iDevices. I'm an ACMT so we are hoping to get parts authorized as well as GSX/diag access.

I'll probably bug my sales rep again about it if I don't hear anything by the end of the day.

SOLVED Posted: by patrickmullen

@mattware Tough to say, as I don't know your region's Apple Retail stores. My business teams may have been particularly helpful in the process (because they help companies do this all the time). I do have some proprietary knowledge of this process and how things work there -- I'm a former Apple employee, so I do know they have resources to talk with people to figure out this process. It's to their advantage to form a relationship with your business, even if you're 45 minutes away. Even if you don't want to spend money with them.

I'd give them a call (every store has one), tell them who you are, and tell them the roadblocks you're encountering (if you still are once you follow the link below). Any business team in Minneapolis would be happy to help in that situation and I'd be surprised if the whole retail fleet isn't like that.

Based upon what you say, you'll only be eligible for a Limited Terms Service Account -- that will get you GSX, but not anything except accessories according to the new rules.

All that said, I found the link to submit the application online: https://channelprograms-a3t.apple.com/webGMACC/gotowelcome.do?method=gotoWelcome&affliationType=SSA&region=USA&langCode=EN

SOLVED Posted: by mattware

@patrickmullen Thanks, that link does work. I may go ahead and apply.

They must have just changed those rules because the application still says 50 computers.

SOLVED Posted: by Jason

I emailed GSX Web Services Support with a few questions and got some clarity back:

Hello Jason, Please find the answers in line:

Does this change mean an Apple ID associated with my company will no longer be used to authenticate to the GSX API?
Answer: The apple ID still used to authenticate in GSXWS and also in GSX UI

If an Apple ID is still used for API authentication, must it have 2-Factor Authentication enabled?
Answer: Yes

Another article in GSX mentioned that Apple may disable accounts that do not have 2-Factor enabled. If it is not required for an account accessing the API, how would I ensure the account does not get disabled?
Please follow the instructions in the article to enable 2SV for all your GSX accounts. Once you enable 2SV for the respective account, you can use GSX Web Services the same way as before. At the moment, 2SV doesn’t have an impact on GSX Web Services but it adds an additional layer of security for the used account. Please see the link below for further information about two-step verification: https://support.apple.com/en-us/HT204152

SOLVED Posted: by carltonbrumbelow

Hello All,

Apple recently sent out communication regarding two upcoming changes to GSX service access. JAMF Software is working to ensure there are no disruptions in the Casper Suite’s link to client’s GSX connection, but there are a few requirements that must be handled by the GSX service account holder to completely avoid disruption.

What are the changes?

Beginning on April 22nd, the GSX web portal will require two-factor authentication. This will not affect the JSS’ API call to the service, but it will affect how customers login to the webapp portal.
Beginning in August, the GSX Web Services (API) will require certificate-based authentication, which requires all customers to generate a Certificate Signing Request (CSR) and send it to Apple.

What do clients need to do?

  • Before April 22nd, log in to the GSX web portal and enable two-factor authentication.
  • Customers must send a CSR to Apple in order to get a certificate for the certificate-based authentication change. Apple has asked that all CSRs are submitted to gsxws@apple.com by April 17th. The email must include the following information:
    • Subject: GSX New Generation WSDL On-boarding Request
    • Message Content:
      • GSX Sold To account number
      • Primary IT contact's name
      • Primary IT contact's email
      • Primary IT contact's phone number
      • Static outgoing server IP address sending requests to GSX production
      • Static outgoing server IP address sending requests to GSX UT
      • Apple Channel Manager
      • The preferred switch-to date (Do not switch to certificate-based authentication until JAMF notifies the community that this functionality is supported. We will have an official release to support this before August.)

The instructions to generate the CSR may be found at https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html, beneath the Certificates heading.

Thanks All,

Carlton

SOLVED Posted: by CasperSally

They want CSRs by April 17th but haven't communicated that to most people?

SOLVED Posted: by Jason

For the Static Server IP's to GSX Production and GSX UT, is it best practice to do this?:
JSS Production IP = GSX Production
JSS Development IP = GSX UT (for environments that have a dev/testing JSS)

SOLVED Posted: by carltonbrumbelow

@CasperSally We did get confirmation from Apple's GSX team that there are no penalties if the CSR is not in by the 17th, but that the longer a client waits, the bigger the chance they have of not getting their certificate by August.

SOLVED Posted: by CasperSally

@Jason we have a NAT pool of external IPs; hopefully Apple will accept a range of IPs versus a single one.

SOLVED Posted: by Jason

@CasperSally I was reading that as the internal private IP address since they phrased it as outgoing server IP address, and not public IP address. Now I'm not sure. I'll see if gsxws can clarify (unless someone has already done that).

SOLVED Posted: by cdenesha

At the instructions link from Apple referenced in @carltonbrumbelow's message above (4/14/2015 at 8:58 AM), I expanded the "What information must be sent to Apple?" link. It specifically says:

External outgoing static IP address of all servers that will access the GSX API (Production and Non-production). Please be sure to include proxy servers, if traffic passes through them. IP addresses provided to Apple must be static. Apple does not support dynamic IP addresses. Access to GSX APIs will be allowed only to the IP addresses provided to Apple.

I suggest reading each item in that Certificates section - for example the FQDN needs to be very specific.

I'm confused what my "New Generation WSDL On-boarding date" should be... August 1?

For Apple's purposes, I don't think we as end users will be requesting certificates for GSX Test environments. That would be for JAMF themselves. We would just want to request for the GSX Production environment, correct?

thanks,

chris

SOLVED Posted: by Jason

Just heard back from GSXWS. It is the public internet address for the JSS server. They recommend this approach to identify that IP. This is going to be a major pain I'm expecting.

curl -s ip.appspot.com

The response will contain your outgoing IP. Or open http://ip.appspot.com in your browser and note the IP in the top left corner.
SOLVED Posted: by carltonbrumbelow

@Jason Thank you for the curl command. This will be helpful.

@cdenesha For now, an on boarding date of August 1 is safe. Until we know exactly when we'll have a release to support the changes, we'd hate for folks to give an on boarding date sooner and not have GSX functionality in the JSS for a period of time.

SOLVED Posted: by spalmer

@carltonbrumbelow I am going to reiterate the question posed by @Jason regarding GSX UT. The description on Apple's GSX page reads:

GSX Testing Environments
What are the testing environments available in GSX?
We have two testing environments for development and acceptance testing; please see the descriptions below for more information.
GSXIT: The functionality/bug fixes are applied in GSXIT to verify the changes/fixes with respect to external interfaces.
GSXUT: After the functionality is verified and tested in GSXIT, changes are applied to GSXUT for verification from business users.

It seems like this is more for someone like JAMF who is testing actual code against Apple's GSX API services and those of us just running JSS servers, regardless of production or testing, would never use GSXUT and should leave that information blank. Does that sound correct?

SOLVED Posted: by carltonbrumbelow

@spalmer You are correct, the UT server is for vendors who are testing code against a GSX connection.

SOLVED Posted: by carltonbrumbelow

We've had a lot of questions come in regarding a reply clients are receiving from the GSX team asking for the following information:

XML Session ID and error reference tag:
Raw XML request and response:

JAMF will be providing this information to Apple that will work for all Casper Suite customers, so there is nothing you all need to do. Please let us know if any further communication comes from Apple stating they still need it.

SOLVED Posted: by spalmer

@carltonbrumbelow I just submitted our initial info to Apple and got an automated response asking for the information you mentioned plus one other piece called "API Consumed". The sanitized contents of the automated response are below:

[PLEASE NOTE -- THIS IS AN AUTOMATED RESPONSE]

Hello,

Thank you for contacting the AppleCare GSX Web Services Support Team. Your message has been received and assigned to the follow-up ID listed below. You will receive a response within 24 business hours.

To assist you, we require the following details:
Sold To & Ship To (account numbers):
Environment you are attempting to access:
AppleID used for authentication:
API consumed:
XML Session ID and error reference tag:
Raw XML request and response:

Note: If any of these items are missing from your original request, please reply to this email providing the additional details.

Message Subject: GSX New Generation WSDL On-boarding Request
Follow-up: XXXXXXXXX

Regards,
AppleCare GSX Web Services Support Team
Apple Inc.

Should we just leave API Consumed, XML Session ID, and Raw XML request info blank or respond with something like "Contact JAMF Software"?

I also assume for the "Environment you are attempting to access" we should just put GSX Production (or just GSX since that is how Apple references their production environment)?

SOLVED Posted: by carltonbrumbelow

@spalmer We are confirming what "API Consumed" means, but for now it is entirely appropriate to refer them to JAMF Software. Additionally, as far as we understand their request "Environment you are attempting to access" does refer to GSX Production. If we hear differently, we will update this thread and inform our Support team.

SOLVED Posted: by CasperSally

Anyone know what they're looking for by 'Apple Channel Manager' ?

SOLVED Posted: by spalmer

I didn't know what they wanted by that either. Our internal GSX contact (the one that granted permissions to our account used by Casper) didn't even know who that would be. When I filled out the form I just put our Apple Education Sales Rep and added a note that if this is not who they want then they need to explain what an Apple Channel Manager is.

SOLVED Posted: by CasperSally

thanks @spalmer. This is the most convoluted process I've had to go through in quite a while. I wonder what percentage of JAMF users who use GSX did it by the deadline (obviously I didn't).

I also wonder if a JAMF upgrade will be required to get this working in August, which we won't be able to do until late fall after testing anyway (and if it's anything like my testing to get to 9.6, it will be months later that I'll actually be able to upgrade probably).

SOLVED Posted: by etippett

@CasperSally My JAMF rep told me 'Apple Channel Manager' only applies to international users (non-US). Not sure if that applies to you or not.

Yes, a JAMF upgrade will be required to get this working; at least that's my understanding.

Eric

SOLVED Posted: by spalmer

So I have received a followup email after submitting my info to Apple. Here is what I got back (info has been sanitized):

Hello YOURNAME,

This request reference is dedicated exclusively to the GSX API SSL On-boarding process for YOURORGNAME - Sold To: 00000NNNNN. To ensure a prompt and efficient follow up, please make sure to include the follow up number (Follow-up: NNNNNNNNN) in the body of the message in all communication related to this thread and addressed to gsxws@apple.com. This will allow all messages related to a thread or a topic to queue up correctly, thus ensuring that no data is missed or overlooked.

Company Details:
✓ Sold-to: 00000NNNNN
Primary IT Contact email: username@company.com
Primary IT Contact phone: YOURPHONE#HERE

Initial Requirements
1 - List of static IP addresses of outgoing servers calling GSX UT APIs: ✓ => 000.000.000.000 N/A
We will whitelist 000.000.000.000 N/A on our end so no other IP will be able to make requests for your GSX UT Sold To. Therefore it's very important that this is a static outgoing IP address. The same rule applies to the production environment.
2 - List of static IP addresses of outgoing servers calling GSX Production APIs: ✓ => aaa.bbb.ccc.ddd
=> 3 - Generate separate certificates for test and production environment (2 separate CSR and KEY files, one for each environment). Please generate the CSRs from separate keys. Instructions to generate certificates are detailed in the Certificates section of the GSX API FAQs - https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html
Please note, it is essential to comply with certificate format requirements as outlined in the above documentation.
CN field with the following value "CN=Applecare-APPNNN-00000NNNNN.Prod.apple.com" for the GSX production environment
CN field with the following value "CN=Applecare-APPNNN-00000NNNNN.Test.apple.com" for the GSX UT test environment
Please note: In order to avoid delays, please send us the CSR files not later than May 11, 2015 (two weeks from today)

On-boarding Process Flow

Test
- Partner to provide data as per above requirements
- Apple to provide Test client certificate
- Partner to install Apple Test Apple client certificate on Test outgoing servers
- Apple to whitelist Test and Production IP addresses / certificates
- Partner to test connectivity for Test environment and consume a test golden transaction (e.g. Lookup API)
- Partner to provide full raw XML (request and response) for test authentication and golden transaction
- Partner to sign off on testing and provide cut-over date and time

Production
- Apple to provide Production client certificate
- Partner to install Apple Production Apple client certificate on Test outgoing servers
- Partner to test connectivity for Production environment and consume a test golden transaction (e.g. Lookup API)
- Partner to provide full raw XML (request and response) for test authentication and golden transaction

Further details on each stage will be provided as we progress. Please note: Once SSL On-boarding has been successfully completed, you will not be able to use the legacy WSDLs in either of the environments. The on-boarding will activate the New Generation WSDL on a Sold To level. Should any further information or assistance be required, please do not hesitate to revert to us.

So far this is a pretty frustrating process, as it really seems like Apple does not understand we are not programmers using their APIs to write software and that we are just end users using an MDM server that does simple warranty lookups.

@carltonbrumbelow This brings up several more questions:
1. How do we consume a test golden transaction?
2. How do we provide the raw XML?
3. Based on the statement "The on boarding will activate the New Generation WSDL on a Sold To level." this sounds like this will affect any and all API transactions that occur under our Sold To account, not just Casper's access to it. Is that really the case? If so that is a lot to ask just for warranty lookups from Casper.

SOLVED Posted: by Sandy

LOL! I got one of these too, only they plan to whitelist my phone number!!
(and yes, I did actually fill out the form with a valid static IP).

SOLVED Posted: by spalmer

Also, not sure what this means as far as the deadline is concerned, but I forgot to enable two factor auth by April 22nd and I am still able to log in to the GSX Web App Portal even though I have not yet enabled it.

SOLVED Posted: by yellow

I'm still logging in with my non-corp account, which is good because Apple cannot seem to figure out how to make my corp account work. They want me to create a 4th Apple ID now to try and make it work for GSX. 4! Now I have applications owned by 3 different Apple IDs. Data owned by 3 different Apple IDs. I'm really keen to make it a 4th.

SOLVED Posted: by cdenesha

I received the exact same email today. :(

SOLVED Posted: by carltonbrumbelow

@spalmer et al,

How do we consume a test golden transaction?
- This cannot be done until we have a Casper Suite release that supports certificate-based authentication to GSX.

How do we provide the raw XML?
- You should not need to provide this. JAMF Software is working with Apple to ensure they have what they need from our software.

Does this change really affect every API transaction that occurs under the Sold To account?
- Yes, this is a sweeping change for Apple's GSX service. If you utilize any other pieces of software that interact with the GSX API, they too will need to be updated to utilize certificate-based authentication. Come August, it is no longer an option to authenticate to the API any other way.

SOLVED Posted: by TomDay

@carltonbrumbelow What "preferred switch-to date" would you recommend, since Jamf's email to us states "We will have an official release to support this before August"?

TIA, Tom

SOLVED Posted: by CasperSally

The email back from GSX is like Greek to me. Apple/JAMF should get together and let us know what we need to do in plain English.

SOLVED Posted: by carltonbrumbelow

@TomDay The preferred switch day should be August 1st. We do not know an exact date that we'll have a release to support this, but we do know we'll have one before August.

@CasperSally I feel your pain. It's somewhat Greek to us as well, but this discussion has been helpful in letting us know the proper questions to ask Apple. Once we have all the information we can get, we'll update the community on this thread, and will ensure our Support group is familiar with the same information to be able to answer any questions that arise.

SOLVED Posted: by CasperSally

Apple sent me a link to a PEM file, without a reason. When I asked what I'm supposed to do with it, they said I should google for instructions. Awesomesauce.

SOLVED Posted: by yellow

@CasperSally

You're kidding?

What is going on in Cupertino?

SOLVED Posted: by donmontalvo

@CasperSally wrote:

Apple sent me a link to a PEM file, without a reason. When I asked what I'm supposed to do with it, they said I should google for instructions. Awesomesauce.

Sounds phishy.

SOLVED Posted: by carltonbrumbelow

@CasperSally That does seem a little strange. Please hold onto that PEM file for now. If it really is the appropriate certificate, it'll be what you'll upload to the JSS closer to August, once we have a version released to support the new authentication method.

SOLVED Posted: by Sandy

I am getting multiple spam emails DAILY regarding my GSX account getting disabled, which it is not, and other "important notices" from Apple. Language is funky and not Apple-like...
Beware.

SOLVED Posted: by yellow

Well yes, clearly Apple had a breach. To my knowledge they've not told us about it. But I presume that it's the reason for all this furious security pushing they're doing. All our techs are getting phishing emails regarding GSX. And it's even coming to service accounts that have NEVER done anything other than use GSX.

I'm losing patience with Apple over this. I've told the GSX service folks repeatedly that my corp account doesn't work. Logging into GSX gives me "Access for your type of Apple ID is not supported." They had me jump through hoops, change the email address so my work Apple ID is now.. something else. They had me create a new Apple ID using my corp address. They had me then try to log into GSX. Guess what? Same error. I'm the site admin for GSX with a personal account that now gets an "unknown error" when I try to login to GSX. Now I have 3 Apple IDs and none of them can get into GSX. I've patiently explained this repeatedly to them with oodles of screenshots that they ask for. I finally tried to boil it down to basics. "I need soandso@domain.com to be the admin for our GSX site which uses ######## as the sales code."

This morning I got an email:

Hello, We're not finding this account in GSX. If you could please apply to GSX and speak to your admin, they can approve your access request. If you are the admin, please provide a screenshot showing that two-step verification has been enabled and a screenshot of the password reset confirmation page.

OH MY GOD.

SOLVED Posted: by stutz

Just so everyone is aware regarding GSX corporate domain email accounts. If you plan to change from a personal GSX Apple ID to a corporate email you can just update your email address of your personal Apple ID to your corporate one. You can do this by going to https://appleid.apple.com.

If you plan to create a new Apple ID you have to use the link from the GSX login page (see screen shot). I made the mistake of creating a new Apple ID by going to the link above and they said that it wouldn't work. Just an FYI. After you gain access to GSX with the new account you will need to move your certifications over to the new account which requires you having to email certifications@apple.com to transfer your tech ID.

SOLVED Posted: by Sandy

@stutz, yes, unless your personal GSX Apple ID is a .mac or .me, in which case you cannot change the email address.

SOLVED Posted: by Jason

For anyone who hasn't made it this far yet, here are the steps I followed to generate a CSR from a Windows machine. This process is similar to the one JAMF documents for importing an SSL cert for Tomcat, so it utilizes the JDK Keytool. This is meant to be done after you receive the email back from GSX Web Services Support that @spalmer pasted above:

1) On JSS Server, open an elevated Command Prompt

2) Type: cd "C:\Program Files\Java\jdk<VERSION>\jre\bin"
Where <VERSION> is the version of the JDK installed

3) Generate a keystore by executing the following command: keytool -genkey -alias mycert -keyalg RSA -keysize 2048 -keystore keystore.jks

4) Enter the following details when prompted, pressing Enter after each value is entered:
Enter keystore password: <CREATE_A_PASSWORD>
Re-enter new password: <RE-ENTER_PASSWORD>
What is your first and last name: Applecare-APP157-[10-DIGIT-SOLD-TO#].Prod.apple.com
Note: this is really the "CN" field Apple is talking about in the email they send you.
What is the name of your organizational unit: <YOUR INTERNAL GROUP/DEPARTMENT USUALLY>
What is the name of your organization: <NAME OF YOUR COMPANY>
What is the name of your City or Locality?: <CITY YOUR COMPANY IS LOCATED>
What is the name of your State or Province?: <STATE YOUR COMPANY IS IN>
What is the two-letter country code for this unit?: <COUNTRY CODE>
Is CN=<CN>, OU=<OU>, O=<COMPANY>, L=<CITY>, ST=<STATE>, C=<COUNTRY> correct?: yes
Enter key password for <mycert>: <PRESS RETURN>

5) Generate a certificate signing request (CSR) from the keystore you just created by executing the following command: keytool -certreq -alias mycert -file certreq.csr -sigalg SHA256withRSA -keystore keystore.jks

6) When prompted for keystore password, enter the password that was used to create the keystore above.

7) Copy certreq.csr into an email replying to GSX Web Services Support.

Apple should hopefully respond with a SSL Cert that we can use when JAMF has updated the JSS to support this functionality. @carltonbrumbelow has stated it should be before August 1st, so you should be ready to go when that happens. JAMF will likely have further instructions at that point.

As others have mentioned, https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html provides some good details on this process if you are not using keytool or on Windows OS.

@carltonbrumbelow Until the JSS is updated to support SSL cert authentication to GSX's API, could you provide steps to validate that the SSL connection does in fact work? I'm thinking once we have certs back from Apple that we could run some script which attempts to test the connection. This might help reduce support calls once JAMF puts out a release and users find out "oops, my cert isn't working" for whatever reason. Better to test now than August 1st.

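The CSR requirements quoted from Apple's email (a separate key per environment, the exact CN form) as a repeatable OpenSSL script, with a check of the CSR subject before it is mailed and the .p12 bundling needed once the signed PEM comes back. This is an added example, not code from this thread, Jamf or Apple; the APP number, Sold-To, organization name and file names are placeholders, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from this thread, Jamf or Apple). Generates the per-environment
# key + CSR Apple's onboarding email asks for, checks the CSR subject before it is
# sent, and bundles the returned PEM into a .p12. Placeholders: APP number, Sold-To,
# organization name. Requires the openssl command-line tool.
set -eu

# Build the CN Apple requires:
#   Applecare-APP<nnn>-<SoldTo>.Prod.apple.com  (GSX production)
#   Applecare-APP<nnn>-<SoldTo>.Test.apple.com  (GSX UT)
gsx_cn() {
    app="$1"; soldto="$2"; env="$3"
    case "$env" in
        prod) suffix="Prod" ;;
        test) suffix="Test" ;;
        *) echo "env must be prod or test" >&2; return 1 ;;
    esac
    printf 'Applecare-APP%s-%s.%s.apple.com\n' "$app" "$soldto" "$suffix"
}

# Create a fresh 2048-bit RSA key and a SHA-256 CSR for one environment.
# Apple asked for separate keys per environment, so this is called once per env.
gsx_make_csr() {
    key="$1"; csr="$2"; cn="$3"; org="$4"
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$cn/O=$org" >/dev/null 2>&1
    chmod 600 "$key"   # the key never leaves this host; only the CSR is mailed
}

# Verify the CSR's self-signature and that its CN is exactly the expected value
# (a typo here means Apple signs a useless certificate). Prints the CN on success.
gsx_check_csr() {
    csr="$1"; expected="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || {
        echo "CSR signature check failed: $csr" >&2; return 1; }
    actual=$(openssl req -in "$csr" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$actual" = "$expected" ] || {
        echo "CN mismatch: expected '$expected', got '$actual'" >&2; return 1; }
    echo "$actual"
}

# Once Apple returns the signed cert PEM (plus chain.pem / issuer.pem), bundle it
# with the matching key into a password-protected .p12 for upload to the JSS.
# Optional fifth argument: a chain file to include.
gsx_make_p12() {
    key="$1"; cert="$2"; out="$3"; pass="$4"; chain="${5:-}"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass"
    fi
    chmod 600 "$out"
}

# Stand-alone use: ./gsx-csr.sh <APP number> <10-digit Sold-To> "<Organization>"
# writes gsx-prod.key/.csr and gsx-test.key/.csr in the current directory.
if [ "$#" -eq 3 ]; then
    for env in prod test; do
        cn=$(gsx_cn "$1" "$2" "$env")
        gsx_make_csr "gsx-$env.key" "gsx-$env.csr" "$cn" "$3"
        gsx_check_csr "gsx-$env.csr" "$cn"
    done
fi
```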
SOLVED Posted: by carltonbrumbelow

@Jason There are currently two problems with creating some sort of connection check:
- The certificate is from Apple, which means they'd have to allow some sort of check against the cert, which they currently do not
- Any sort of check would require a company to request to be switched to certificate-based authentication, which cannot be undone, meaning the company would lose all access to GSX information in the JSS until we have a release available that supports the new authentication model.

That's where we stand currently, but it's not definitive. New information is coming in to developers weekly on the changes, and we should know more next week whether or not we could actually build a tool for testing the certificate connection. As soon as we know more, we'll update the JAMF Nation community.

SOLVED Posted: by spalmer

@CasperSally I just submitted my certreq.csr file and got a response back very quickly (within about 20 minutes). My response had a link in it as well to download the PEM file along with two other certs which I am guessing are needed for the chain of trust. The email I received is below (information sanitized):

Thanks for sending the files over to us. Please see the link for the PEM’s below: https://attache.apple.com/... You can download them only 1 time(s). The file(s) will be available from 05/10/2015 22:00 PDT to 06/09/2015 21:59 PDT.

I sure hope I still have good copies of those files and remember where they are two months from now!! I think I will go copy them to about three or four backup locations just in case. :-)

SOLVED Posted: by Jason

My PEM file took approximately 10 days to receive, but I did not submit before their first deadline, so perhaps they're busy processing a larger number of requests now.

SOLVED Posted: by jeremy.logsdon

@CasperSally @spalmer I just received my PEM files today with the same message and little instruction. When I checked out https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html they had the question, "What do I do with the client certificate that Apple provides?"

Answer, "Work with your system administrator to install the Apple certificate on your server, in a manner that ensures the certificate is automatically attached to each API request sent to Apple. Depending on the technology, this may involve adding the certificate to the trust store."

So all I've done is added the certificates to the trust store in Keychain Access. I'm assuming now we wait until a Casper Suite update?

SOLVED Posted: by spalmer

@carltonbrumbelow I just got a followup email from Apple GSX Services asking if I have had a chance to download and install the certificate. I have downloaded but have not yet installed them. Am I correct in my understanding that based on your previous comments we shouldn't actually install the certificates yet as that will break our existing GSX functionality?

SOLVED Posted: by carltonbrumbelow

@spalmer Yes, if you install the certificate now, you will lose communication between the JSS and the GSX service.

In general, we haven't heard anything new recently about the changes, but when we do we will update the thread.

SOLVED Posted: by donparfet

I'm reading this post above: Posted: 5/1/15 at 2:39 PM by Jason
Where he details generating the Apple-requested .csr from his JSS server...
I followed Apple's instructions to use OpenSSL to create my .csr files from a Windows box. Have I potentially shot myself in the foot here?
Also, I just received my .pem files from Apple, and since they replied back that they have whitelisted my external server static IP, I can now no longer connect to GSX from the JSS.

Looking for next steps here. The GSX site documentation on what to do with the .pem files is to "work with your system administrator to install the certificates on your server..." so I'm looking for info on where/how to install these certs on my RHEL JSS server

there are 3 separate .pem files: Prod.apple.com.cert.pem, chain.pem and issuer.pem

SOLVED Posted: by Jason

@donparfet Any method Apple detailed to generate the CSR is fine. The method I used was just what worked for me, but OpenSSL is fine as well. It doesn't even have to be on the same server. Any machine can generate a CSR. When I worked with GSX Web Services support they sent me the PEM and whitelisted my IP but did not actually cut me over. This is the last correspondence I received:

Hello Jason, That looks to be a successful test. Once you know your production cut over date/time please let me know and I can schedule it. Thanks

So it sounds like there is something they do on their side to cut over from the old process to the new. I would recommend emailing GSX Web Services Support back and informing them that you have not yet migrated over and see if they can switch you back for now until you provide them with a cut over date (date when JAMF supports the new method and when you plan to install it).

SOLVED Posted: by john.miller

Hey everyone

Great conversation and I wanted to chime in with what you can expect from the Casper Suite and our support for GSX and certificate based authentication. As mentioned, mid-August is the expected go-live date from Apple and I'm glad to see so many folks have started the process in getting certificates from Apple. Continue doing so, if you haven't already.

The Casper Suite will certainly integrate with these changes to enable you as the admins to keep using that purchasing information in your inventory, searches, and reporting. Those changes will get incorporated with changes to support the new OSs coming from Apple so admins won't have as many updates to perform in a short period of time.

This begs the question: What happens if those OS updates happen after GSX moves to certificate based authentication? Great question. Here are some things that can help mitigate that timeframe:

  1. As mentioned in the email from Apple, the change will happen on the 15th of August. Before that date, update all purchasing information in your JSS. This can get done to any search results by clicking/tapping "Actions," then choosing the option to update the purchasing information. This will get all purchasing info for anything the organization has purchased into the JSS.

  2. For any hardware purchased between the go-live date, you're able to continue using Apple's site to view that information.

  3. Once the update to the Casper Suite is available, upgrade the JSS to the new version and the GSX Connection page in Global Management will have new options to allow you to upload the certificate you received from Apple. We'll have KB articles and an updated Casper Suite Administrator's Guide to help with the process of uploading, as well.

If you have any questions, please don't hesitate to reach out to your Technical Account Manager and they can get you the help needed.

Thanks, again, everyone!

SOLVED Posted: by watchmanmonitor

Hey all,

Not sure if the right version of the JSS has been posted yet, but we keep running into subscribers who don't have this API process completed yet - in fact, many don't even know how to begin.

We've created a form on our site that helps you gather just the right information, create the .csr files with just a few copy & paste actions, then send it off to Apple for processing.

The form is here:
https://www.watchmanmonitoring.com/gsx-ssl

Note that any given Sold-To gets just ONE certificate for production; you'll need to use that same one in your JSS, Lightspeed Onsite, PIMS, custom solution, or with our product.

If you have a clue about SSL this form is only mildly helpful, but if you just need an email with copy & paste instructions which you can forward to someone else in your organization, this is for you.

Hope it helps,
-Allen Hancock

Founder, Watchman Monitoring.

The email template for the resulting .csr files is below.

Subject: GSX New Generation WSDL On-boarding Request
Message Content:
GSX Sold To account number
Primary IT contact’s name
Primary IT contact’s email
Primary IT contact’s phone number
Static outgoing server IP address sending requests to GSX production
Static outgoing server IP address sending requests to GSX UT

SOLVED Posted: by Nesta

Excuse me, where can I get a GSX account? Is there anyone who can help me?

SOLVED Posted: by Sash

Hi everyone,
I am new here. I want to ask what I can do to get access to a GSX account, because I need it to get my business started. Thank you.

SOLVED Posted: by TomDay

@john.miller Great info, thank you.

"Once the update to the Casper Suite is available"
Which version should we be looking for that will get this to work on the 15th? Is it 9.7.3 or is something new coming out soon?

SOLVED Posted: by CasperSally

@john.miller I'm also curious how soon we can expect a release that supports new GSX lookups. Is there any estimate?

SOLVED Posted: by cwaldrip

So, it seems that the changes to GSX were made on 8/16. I'm no longer able to update the warranty status through GSX. And no word on an update to support the new Applecare certs.

SOLVED Posted: by john.miller

Hey everyone!

As mentioned, the next version of the Casper Suite will have support for certificate based authentication to GSX. This release is expected to coincide with the next OS release from Apple. While we don't have specifics on that date, we know that Apple has released updates to iOS in mid-September the last few releases.

We will have a beta in the coming weeks to show some of the new features coming in the next version of the Casper Suite, and the GSX connection changes are included in that beta.

If you have yet to request the certificate from Apple, please do so as soon as possible. That process can take up to four weeks so making sure that process is started is the best bet to use certificate based authentication to GSX soon after the Casper Suite has been updated with those changes.

SOLVED Posted: by aporlebeke

@john.miller Forgive my ignorance, but how / where can we request a cert for GSX authentication?

SOLVED Posted: by Simmo

@aporlebeke Contact gsxws@apple.com

SOLVED Posted: by watchmanmonitor

Hi @aporlebeke, this process assumes that you already have a valid Sold-To account with Apple, and that it has been granted access to gsx.apple.com. Without that access, there isn't much to do here.

For those who have GSX access (Authorized Service Providers, Resellers, Self-Servicing accounts, etc.), you can follow Apple's instructions here:

https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html

Or use the "easy button" we've published in our site:

https://www.watchmanmonitoring.com/gsx-ssl

You'll create two key & csr pairs (testing & production) on your computer, and send the .csrs to AppleCare for signing.

AppleCare issues each "Sold-to" one testing and one production certificate. The certificate, and its related key, can be used on any system that Sold-To manages. The systems which use them may be your JSS Server, a Lightspeed On-Site Point of Sale system, PIMs Point of Sale, your own home-brewed system, or in conjunction with a Watchman Monitoring subscription.

Another key point: in addition to certificate-based access, the GSX API can only be accessed from static IP address(es) which are whitelisted by AppleCare. They will whitelist as many IP addresses as you need, but it will not work with dynamically assigned addresses from your ISP.

For those who have servers at locations without static IP addresses, we have a number of subscribers who have successfully tunneled their solution's access to the 17.0.0.0/8 block over a VPN to a static IP Address they do have.

I trust this information is helpful.

Sincerely,

-Allen Hancock
Founder, Watchman Monitoring

SOLVED Posted: by eagleone

@watchmanmonitor thanks for the directions for expedited setup.

I expected only two cert's back from Apple. However, I got the cert, chain and issuer for both environments as .pem's (6 items total). Not sure how to proceed from here, as the cert shows an October expiration date.

SOLVED Posted: by stutz

Same as eagleone. Need to know the steps after we get the 6 things back from Apple. I'm running a Mac Pro with OS server so I'm going to assume I need to import via the server application or keychain.

SOLVED Posted: by eagleone

I think I have this figured out: You'll need to combine the cert.pem you received and gsx-testing.key (the one you sent to Apple) to form a .p12 file that you will upload to the JSS. Use the following command in terminal:

openssl pkcs12 -export -inkey gsx-production.key -in your-cert.pem -out your.p12
SOLVED Posted: by bvrooman

It looks like the CSRs that 9.8 is generating are not valid. I received this response from Apple, having sent them the file obtained by choosing "Download Unsigned CSR" in the JSS.

The .csr file is returning the following error: "Certificate request is INVALID! The following errors must be addressed before submitting: Organization is required. Invalid signature algorithm detected. Signature algorithm must use SHA-2 (Note: SHA-1 and MD5 are too weak and not supported)." Please recreate the .csr file.
SOLVED Posted: by donparfet

I am experiencing the same issue trying to send Apple the JSS-generated csr file.

"Certificate request is INVALID! The following errors must be addressed before submitting:
Organization is required
Invalid signature algorithm detected. Signature algorithm must use SHA-2 (Note: SHA-1 and MD5 are too weak and not supported)."

Please recreate the .csr file and I will send the PEM files as soon as I receive the new .csr file.

Is there something that needs to be done on the JSS side to enable the use of the SHA-2 algorithm?

SOLVED Posted: by donparfet

thanks to eagleone for this solution:
I followed these instructions below using the ".Prod.apple.com.cert.pem" file (one of the 3 .pem files I received from Apple back in June) and the .key file that I created as part of the csr request I sent to Apple back in June. I uploaded the exported .p12 file and I have a successful connection to GSX!

eagleone said: "I think I have this figured out: You'll need to combine the cert.pem you received and gsx-testing.key (the one you sent to Apple) to form a .p12 file that you will upload to the JSS. Use the following command in terminal:"

openssl pkcs12 -export -inkey gsx-production.key -in your-cert.pem -out your.p12

SOLVED Posted: by cstout

I can confirm that I had the same success as @eagleone and @donparfet combining the two cert files via openssl in terminal.

The steps outlined by JAMF in this article for importing the private key into Keychain Access resulted in "An error has occurred. Unable to import an item. The contents of this item cannot be retrieved."

Using openssl as outlined above resulted in a successful certificate upload to the JSS (9.8).

SOLVED Posted: by cstout

Also, in my test environment I generated a cert request through the JSS (9.8) and submitted it to Apple only to have an experience similar to @bvrooman with Apple stating "The CSR file needs to have a file extension of .csr rather than .certSigningRequest."

JAMF's article doesn't mention anything about modifying the file that the JSS generates and it sounds like based on @bvrooman's experience that the file generated doesn't even contain the proper information.

SOLVED Posted: by watchmanmonitor

For those having trouble generating the .csr - this link will get you going in a hurry:

https://www.watchmanmonitoring.com/gsx-ssl

Our form will send you a "hey check us out" email, and our product works great with the Casper suite. Our EAs are here on Jamfnation.

We won't add you to a mailing list, and the certificate you get back from AppleCare is good in any GSX API using solution. Which is nice, because there's only one signed certificate per sold-to. You're expected to use it & the related key in all your solutions. (Many JSS, etc)

PS When combining certificates, be sure not to cross the streams between production & testing. (Dur, yeah, I know, but it happens, and until you dig in to compare modulus, it's hard to tell.)

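Added example, not from the thread, Jamf or Apple: a small POSIX shell helper that does the "compare modulus" check Allen mentions before running the thread's openssl pkcs12 command, so a Test key is never exported with a Prod certificate (or the other way round). It assumes openssl is on the PATH, that the certificate to combine is the .cert.pem Apple sends (not the .chain.pem or .issuer.pem), that the certificate Common Name ends in .Test.apple.com or .Prod.apple.com as the file names quoted in this thread do, and that the key passphrase and the export password are exported as GSX_KEY_PASS and GSX_P12_PASS when you want no prompts. The fixture function builds constructed, self-signed stand-ins only so the checks can be tried offline; it is not a way to obtain a GSX certificate, which AppleCare issues against your CSR.

```shell
#!/bin/sh
# Added example (not from the thread, Jamf or Apple): refuse to build the GSX
# .p12 unless the private key and the Apple-issued .cert.pem belong together.
# Assumptions: openssl in PATH; GSX_KEY_PASS / GSX_P12_PASS exported if you
# want no prompts; certificate CN ends in .Test.apple.com or .Prod.apple.com.
set -e

# SHA-256 over the DER public key derived from a private key.
key_pubkey_digest() {
    openssl pkey -in "$1" ${GSX_KEY_PASS:+-passin env:GSX_KEY_PASS} -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{ print $NF }'
}

# SHA-256 over the DER public key embedded in a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{ print $NF }'
}

# 0 when key and cert carry the same public key (same modulus), 1 otherwise.
key_matches_cert() {
    k=$(key_pubkey_digest "$1")
    c=$(cert_pubkey_digest "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# "Test" or "Prod", read from the certificate subject; empty if neither.
cert_environment() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | grep -o -E '\.(Test|Prod)\.apple\.com' | sed 's/^\.//; s/\.apple\.com$//'
}

# Build KEY + CERT into OUT (.p12), refusing on a key/cert mismatch.
build_gsx_p12() {
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing to build $3: public key in $1 does not match $2 (crossed Test/Prod streams?)" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        ${GSX_KEY_PASS:+-passin env:GSX_KEY_PASS} \
        ${GSX_P12_PASS:+-passout env:GSX_P12_PASS}
    echo "built $3 for the $(cert_environment "$2") environment"
}

# Environment recorded in a finished .p12; reads only the certificate, so no
# key passphrase is needed beyond the export password.
p12_environment() {
    openssl pkcs12 -in "$1" -nokeys -clcerts ${GSX_P12_PASS:+-passin env:GSX_P12_PASS} 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | grep -o -E '\.(Test|Prod)\.apple\.com' | sed 's/^\.//; s/\.apple\.com$//'
}

# Constructed fixture for trying the checks offline: two unrelated keys and a
# self-signed stand-in for Apple's Test certificate written into DIR.
# Real certificates come from AppleCare; never self-sign for GSX itself.
make_constructed_fixture() {
    openssl genrsa -out "$1/gsx-testing.key" 2048 2>/dev/null
    openssl genrsa -out "$1/gsx-production.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1 -key "$1/gsx-testing.key" \
        -subj "/C=US/ST=CA/L=Hollywood/O=Example Org/CN=Applecare-APP157-0000000000.Test.apple.com" \
        -out "$1/Applecare-APP157-0000000000.Test.apple.com.cert.pem" 2>/dev/null
}

# Usage, once sourced:
#   build_gsx_p12 gsx-production.key Applecare-APP157-XXXXXXXXXX.Prod.apple.com.cert.pem gsx_prod.p12
```

Source the file and call build_gsx_p12 with your own key, .cert.pem and output name; it writes nothing when the public keys differ, which is the symptom you would otherwise only discover after the upload. If an older Java-based importer rejects a .p12 written by OpenSSL 3, the -legacy option of pkcs12 -export produces the older encoding.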
SOLVED Posted: by dpenny

I'm running into the same issue reported by bvrooman. We generated a new CSR through the JSS (version 9.81) and emailed it to Apple. Here is the response we received back:

The CSR you sent is returning the following error: "Certificate request is INVALID! The following errors must be addressed before submitting: Organization is required. Invalid signature algorithm detected. Signature algorithm must use SHA-2 (Note: SHA-1 and MD5 are too weak and not supported)." Please recreate the CSR file with a file extension of .csr rather than .certSigningRequest.

We are just trying to setup the certificate-based authentication with GSX for the first time. Is this a new issue with version 9.8 and something that needs to be fixed on JAMF's side?

SOLVED Posted: by TomDay

I have the .pem files from Apple but am confused as to where the .key file should be. I sent Apple a .csr file a while back. Not sure how I would accomplish the fix of openssl pkcs12 -export -inkey gsx-production.key -in your-cert.pem -out your.p12 @eagleone (thanks for the tip here).

SOLVED Posted: by donparfet

@TomDay I don't recall exactly, but either when you created the original csr following Apple's instructions, or when you downloaded the .pem files from the links Apple sent, the .key file should have been generated at that time. If you can't find it you may need to send a new csr request to Apple

SOLVED Posted: by davechristensen

FYI if you created your original CSR out of Java's keytool, the private key is never exported, only the CSR. You need to load up the keytool and your keystore again to export a private key. This private key can then be combined with Apple's .pem to create the .p12 for upload.

SOLVED Posted: by davechristensen

So we have uploaded our Apple cert to JSS after the upgrade and that part went smoothly. However, when attempting the test connection to Apple's server we receive the following:

ATH.LOG.14: Sold-To entered is not valid. Please enter a valid Sold-To.

Now the Sold-To account entered is the same that Apple authored the cert for... so this doesn't make any sense. Anyone else seeing this issue?

SOLVED Posted: by TomDay

Kudos to the @watchmanmonitor tool, it works excellent. After working on this since April, waiting on keys from Apple and then 9.8 to launch, I pulled my hair out the last few days trying to upload the cert to the JSS. Using the @watchmanmonitor tool, I got this accomplished in 10 minutes.

However, now that the cert is uploaded and working, I too get the "Sold-To entered is not valid. Please enter a valid Sold-To" error @davechristensen . I have an open case and actively working with Jamf Support. Hoping this is fixed very soon, so that I can go to JNUC in a good mood next week!

SOLVED Posted: by watchmanmonitor

Glad it helped @TomDay !

As for the error: ATH.LOG.14: Sold-To entered is not valid. Please enter a valid Sold-To.

Two things to check are:

  • Have you logged in to GSX with the AppleID in question within the last 30 days? If not, do so and try again.
  • Has GSX Admin actually moved your account to the new endpoint? At one point they indicated that this had to be requested, at another we heard that everyone would be moved. Regardless, an email to GSX support might help once you've verified the login account.
SOLVED Posted: by TomDay

@watchmanmonitor Great call on the GSX active account. It just so happens that I noticed the other day I couldn't log into GSX due to 30 days of inactivity. That's a rant I'll save for another time, but I barely ever log into that admin account since our techs use GSX every day with their own accounts to open cases with Apple.

I'll work on getting that account active and report back!

SOLVED Posted: by MarkHale


Did we ever decide if we needed to submit anything for the following:

  • Environment you are attempting to access:
  • API consumed:
  • XML Session ID and error reference tag:
  • Raw XML request and response:

SOLVED Posted: by davechristensen

This also resolved our issue. Failing to login within 30 days will temporarily deactivate your account with Apple. But you can call in to your account manager to regain access.

SOLVED Posted: by JayDuff

Count one more

"Certificate request is INVALID! The following errors must be addressed before submitting:
Organization is required
Invalid signature algorithm detected. Signature algorithm must use SHA-2 (Note: SHA-1 and MD5 are too weak and not supported)." error!

Is there a place to set these within the JSS?

SOLVED Posted: by CasperSally

Boy, I'm dreading tackling this in the next few weeks.

SOLVED Posted: by seabash

Add me to the "confirmed" list from @eagleone openssl command above

I think this is one of those "day late/dollar short" scenarios, where JAMF delayed* their release of GSX updates until WAY after most of us had submitted CSRs to Apple. With our Prod/Test .pem files in hand, we try to upload via the JSS, but that fails, since those CSRs weren't through the JSS. Insult to injury seems to be that CSRs via the JSS are too weak for GSX requirements. Yikes!

JAMF will likely fix their CSR process for GSX, but in the meantime, either use...
- @eagleone approach (see earlier post)
- @watchmanmonitor approach (see earlier post)

*Apparently, Apple changed some requirements/process for GSX validation and switch-to, which lead JAMF to delay their implementation.

SOLVED Posted: by stutz

Yep worked for me (on JSS v9.81) using this command (thanks eagleone):

openssl pkcs12 -export -inkey prod-or-test-privatekey.pem -in prod-or-test.apple.com.cert.pem -out certname.p12

You will be prompted to enter the Key Pair Generation pass phrase (hopefully you saved this before sending to Apple). Enter an export password. Once the export is completed upload the certname.p12 to your GSX Connection (Global Management) within the JSS and test by putting a purchase order in one of your inventory items to see if it adds the warranty info.

SOLVED Posted: by andrewh

So I followed eagleone's command and uploaded the .p12 cert to the JSS. However I'm receiving this error when trying to test the connection:

java.net.UnknownHostException: gsxapi.apple.com

<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:glob="http://gsxws.apple.com/elements/global"><soapenv:Header/><soapenv:Body><glob:Authenticate><AuthenticateRequest><userId>user@email.com</userId><languageCode>EN</languageCode><userTimeZone>PST</userTimeZone><serviceAccountNo>xxxxxxxxxx</serviceAccountNo></AuthenticateRequest></glob:Authenticate></soapenv:Body></soapenv:Envelope>

Any ideas? I'm running 9.81 and selected Americas as the region on the GSX Connection settings page, which automatically populates the URI as https://gsxapi.apple.com/gsx-ws/services/am/asp. From the error message, it would appear the URI is incorrect but I'm not sure what it should be.

SOLVED Posted: by andrewh

Anddddd I figured it out. java.net.UnknownHostException: gsxapi.apple.com is caused by misconfigured DNS on the JSS. Fix DNS and it should work. :)

SOLVED Posted: by CasperSally

thanks to @watchmanmonitor & @eagleone I got this working. I think that JAMF should do some work updating this article.

Glad this thing doesn't expire until 2017!

SOLVED Posted: by Simmo

Managed to get the cert working using the openssl command.

However when I try to test the connection it seems to timeout, giving this error:
org.apache.http.conn.ConnectTimeoutException: Connect to gsxapi.apple.com:443 [gsxapi.apple.com/17.151.129.22] failed: Connection timed out

SOLVED Posted: by watchmanmonitor

@Simmo that's typically going to be a sign that your egress IP isn't blessed by AppleCare

If you don't have one for Apple to bless, having the server VPN tunnel to a host at a static IP works for others.

SOLVED Posted: by Simmo

@watchmanmonitor Oh? Never had this issue before with any Apple services.
How would I go about having that done?

SOLVED Posted: by watchmanmonitor

Yep, this new policy is special. Any Sold-To can have any number of IPs whitelisted (there's probably a limit somewhere, but they're good about handing out the IPs). An email to gsxws@apple.com will get that going.

That same sold-to, however, will only get one certificate, so keep up with it & its key.

Full details for all this are what I've posted here:

https://www.watchmanmonitoring.com/gsx-ssl

Because, the madness will continue so long as people keep hammering GSX to reset activation/find-my-device locked iOS devices.

SOLVED Posted: by dan-snelson

Keaton, our JAMF TAM, pointed us toward DigiCert's Java Keytool CSR Creation Wizard which generated a .CSR that Apple GSX Support quickly turned around. (You'll need a machine that has Java JDK installed to use the keytool binary.)

We then had to convert the Java Keytool-generated .JKS into a usable private key, before using @eagleone's code to combine all the puzzle pieces into a cert the JSS would accept.

The following examples are for Jenny's test environment.

# DigiCert-generated code from https://www.digicert.com/easy-csr/keytool.htm
# (add -sigalg SHA256withRSA to the -genkey call if your JDK's keytool still defaults to SHA-1 signatures)
keytool -genkey -alias server -keyalg RSA -keysize 2048 \
  -keystore Applecare-APP157-0008675309_Test_apple_com.jks \
  -dname "CN=Applecare-APP157-0008675309.Test.apple.com,OU=Rock, O=Tommy Tutone, L=Hollywood, ST=CA, C=US" \
  && keytool -certreq -alias server \
  -file Applecare-APP157-0008675309_Test_apple_com.csr \
  -keystore Applecare-APP157-0008675309_Test_apple_com.jks \
  && echo "Your certificate signing request is in Applecare-APP157-0008675309_Test_apple_com.csr. Your keystore file is Applecare-APP157-0008675309_Test_apple_com.jks. Thanks for using the DigiCert keytool CSR helper."

# Verify the .CSR
openssl req -in Applecare-APP157-0008675309_Test_apple_com.csr -noout -text

# Convert the Java Keytool-generated .JKS to a .P12
# See: http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format
keytool -importkeystore -srckeystore Applecare-APP157-0008675309_Test_apple_com.jks -destkeystore Applecare-APP157-0008675309_Test_apple_com.p12 -srcstoretype jks -deststoretype pkcs12

# Convert the .P12 to a .PEM (the output holds the private key, re-encrypted under
# a new passphrase, alongside the certificate; the next step's -inkey reads the key out of it)
openssl pkcs12 -in Applecare-APP157-0008675309_Test_apple_com.p12 -out Applecare-APP157-0008675309_Test_apple_com.pem

# Combine the private key and Apple-supplied certificate 
openssl pkcs12 -export -inkey Applecare-APP157-0008675309_Test_apple_com.pem -in Applecare-APP157-0008675309.Test.apple.com.cert.pem -out gsx_test.p12
SOLVED Posted: by yellow

So I generated the .csr and got 3 .pem files back from Apple. That was unexpected. I'm currently reading the openssl man page to hopefully enlighten me. But I agree, JAMF really needs to update this article as it's completely invalid!

The .pems I got are:

blah.Prod.apple.com.cert.pem
blah.Prod.apple.com.chain.pem
blah.Prod.apple.com.issuer.pem

Presumably I'm only concerned with the .cert.pem.

So for those who are dense (like me), it works out like this:

openssl pkcs12 -export -inkey THE_PEM_YOU_CREATED.pem -in THE_CERT_PEM_APPLE_SENDS_YOU.pem -out WhateverNameYouWant.p12

What I didn't fully understand despite it being explained is that the 'inkey' portion is the pem I created to make the csr to send to Apple.

So the .p12 I imported worked, though I still can't connect to GSX. But I think that's because my IP hasn't been whitelisted yet.

org.apache.http.conn.HttpHostConnectException: Connect to gsxapi.apple.com:443 [gsxapi.apple.com/17.151.129.22] failed: Operation timed out
SOLVED Posted: by donparfet

@yellow in your case you would use the following (this is what worked for me):

openssl pkcs12 -export -inkey (gsx-production.key - this would be the .key file you created as part of the .csr request) -in (your-cert.pem - blah.Prod.apple.com.cert.pem) -out your.p12

You should receive an email from Apple when your IP is whitelisted

Posted: 9/18/15 at 11:16 AM by @eagleone

I think I have this figured out: You'll need to combine the cert.pem you received and gsx-testing.key (the one you sent to Apple) to form a .p12 file that you will upload to the JSS. Use the following command in terminal:

openssl pkcs12 -export -inkey gsx-production.key -in your-cert.pem -out your.p12

SOLVED Posted: by alexissantina

@donparfet Thanks for the tip--I didn't create a .key file as part of the .csr request, I just submitted the .csr that I downloaded from the JSS, so I never sent a .key file to Apple. Do you know of a workaround in this case?

SOLVED Posted: by Simmo

@alexissantina From what I can tell the .csr you download from the jss will not work.

You will have to create a private key and use that to create your .csr

If you have a case open with GSXWS then they will provide similar instructions to these, submit the .csr to apple, and keep the privatekey handy, as you will need it to use the method above.

Using Terminal: (MAC)

Create a privatekey:

  1. sudo su (to get root access)
  2. openssl genrsa -aes256 -out privatekey.pem 2048

You’ll be requested to input a pass phrase, don’t forget it!!!

  3. openssl req -new -sha256 -key privatekey.pem -out certreq.csr

The system will then prompt you to input the following details:

Country Name (2 letter code) :

State or Province Name (full name) [Some-State] : ( input the state or province applicable)
Locality Name (eg. city) [ ] : (input applicable city)
Organization Name (e.g, company) : (input applicable company name)
Organizational Unit Name (eg, section) (input applicable OU name, you can key in the same info inputted in Organization Name here)
Common Name (e.g. server FQDN or your name ) :

Email address: (input applicable email)

SOLVED Posted: by dferrara

@Simmo Alright, dumb question, but what's the benefit of integrating with GSX? Is it just warranty coverage or is there more to it?

SOLVED Posted: by donparfet

@alexissantina Apple's instructions for generating csr and private key pairs:
Instructions to generate certificates are detailed in the Certificates section of the GSX API FAQs - https://gsxwsut.apple.com/apidocs/prod/html/WSFaq.html
Browse down to "Certificates" and expand "How do I generate a CSR file?"

SOLVED Posted: by alexissantina

Ah, got it--my key is in .pem format. Does this command still work? Or is there a way to pull the .key file out of the .pem?

openssl pkcs12 -export -inkey gsx-production.key -in your-cert.pem -out your.p12

SOLVED Posted: by donparfet

@alexissantina when I followed Apple's instructions to create the csr file it gave me both a certificaterequest.csr and a privatekey.key

SOLVED Posted: by alexissantina

@donparfet Hm, the instructions say you'll get a .pem and a .csr, which is what I got. privatekey.pem, no .key.

SOLVED Posted: by donparfet

@alexissantina I followed instructions here
2. Using OpenSSL (on Windows):

which are slightly different than OpenSSL on other platforms. I can only speculate that the PrivateKey.pem and PrivateKey.key are compatible

There are additional instructions under the next heading in the Apple instructions:

What are the instructions to follow when generating the CSR?

But the end result is still a PrivateKey.pem

SOLVED Posted: by Simmo

@dferrara It is mostly for warranty and purchasing information.

I use it for reporting, the information is synced in to our asset management system so it is easy to keep track of devices and their age.

SOLVED Posted: by dferrara

@Simmo Thanks!

SOLVED Posted: by marcusransom

finally got the time to set this up and get it running after requesting the cert months ago. We have a clustered environment and the connection only seems to work on one node of the cluster. If I am connected through a different node I get the error

AUTH.UPL.003: Invalid URL for this SoldTo.

SOLVED Posted: by Simmo

@marcusransom As I remember when I requested my certs the certs for a dev environment and a production environment are different, I got two different certs.

SOLVED Posted: by watchmanmonitor

Hi @marcusransom

Any Sold-To will only get one key/cert pair for testing, and one for production, so yes, you're expected to use that same set on each system you use to talk to GSX.

The fact you're getting AUTH.UPL.003 means you're whitelisted, so that's good too.

What this error means is that your Sold-To isn't allowed to use the new GSX endpoint. An email to gsxws@apple.com asking them to move you over should fix things up for you.

FWIW, and to stave off another volley of emails to GSX:

An issue we've seen a lot is ATH.LOG.014 which usually means the AppleID hasn't logged in to gsx.apple.com in too long. So, you may want to login to GSX with that Apple ID, just for good measure.

Good luck!

-Allen Hancock

SOLVED Posted: by marcusransom

@Simmo just edited my post as I verified it to be working on both dev and prod systems now - the issue seems to be related to clustering. Only one of the web clusters can connect...

SOLVED Posted: by marcusransom

@watchmanmonitor thanks for the info - logging into GSX and checking the state of the Apple ID we use to connect was the first thing I did as I have been burnt by that particular issue many many times. about every 30 days from memory...

SOLVED Posted: by aporlebeke

So I followed the instructions from the GSX article, @watchmanmonitor instructions, and JAMF KB article, but still can't seem to get this cert-based auth for GSX to work.

I got a total of 6 .pem files from Apple - 3 for production & 3 for test. I have the original .csr files and their corresponding .key files, I did not use the JSS to create the CSRs, as I followed the @watchmanmonitor instructions. However, I don't know what I'm supposed to do once I get the desired cert into Keychain Access as when I try and export the .pem as a .p12 the option is greyed out.

Any thoughts?

SOLVED Posted: by etippett

@aporlebeke : Try these instructions from above to use terminal to create a .p12 file

I used them and had success. My command ended up looking like

openssl pkcs12 -export -inkey PrivateKey.key -in Applecare-APP157-0000011111.Prod.apple.com.cert.pem -out Applecare-APP157-0000011111.Prod.apple.com.cert.p12

Just swap in the names of your files and you should be good to go

SOLVED Posted: by aporlebeke

Thank you @etippett! GSX connection test didn't go through due to an SSLhandshake timeout, but I imagine that's a function of our JSS's external IP not being whitelisted yet?

SOLVED Posted: by Whereismypuding

Hi folks ,

I read all the posts above and I still couldn't create a .p12 file.

I tried this OpenSSL command but it gave an error: "Loading screen into random state done, unable to load certificates"

openssl pkcs12 -export -inkey PrivateKey.key -in Applecare-APP157-0001111111.Test.apple.com.chain.pem -out your.p12

Any idea What I m doing wrong ?

SOLVED Posted: by lehmanp00

I'm getting:

AUTH.UPL.002: Invalid certificate for the SoldTo.

I'm assuming my cert is bad? My SoldTo number is the number that shows next to your username in GSX no?

SOLVED Posted: by watchmanmonitor

From our experience, this could also mean that your Sold-To has not been migrated to the new API endpoints.

I've heard conflicting first-hand reports about whether AppleCare will auto-move your account, but they probably won't do it just on the fact they've created your certificate pair.

-Allen Hancock

SOLVED Posted: by donmontalvo

(removed)

SOLVED Posted: by jbmiller

After submitting the needed info along with a JSS-generated cert, I was told by the AppleCare rep that my cert does not have an organization listed and that because of that problem it is returning as invalid. Has anyone had this issue? If so, how does one put an organization into the CSR generated by the JSS?

SOLVED Posted: by Ktrojano

I ran into the same issue, but the Apple rep I was working with told me I'd have to create my own cert instead of using the one generated by the JSS because "the CSR file that gets auto-generated from CasperSuite isn't compatible with GSX." He then gave me the following directions on how to create my own cert:

Create a privatekey: (via MAC)

  1. sudo su (to get root access)
  2. openssl genrsa -aes256 -out privatekey.pem 2048

You’ll be requested to input a pass phrase, don’t forget it!!!

  3. openssl req -new -sha256 -key privatekey.pem -out certreq.csr

The system will then prompt you to input the following details:

Country Name (2 letter code) [AU] : US ( since you are from United States, US will be your input for this)
State or Province Name (full name) [Some-State] : ( input the state or province applicable)
Locality Name (eg. city) [ ] : (input applicable city)
Organization Name (e.g, company) : (input applicable company name)
Organizational Unit Name (eg, section) (input applicable OU name, you can key in the same info inputted in Organization Name here)
Common Name (e.g. server FQDN ) : Applecare-APP157-0000817461.Prod.apple.com
Email address: (input applicable email)

SOLVED Posted: by watchmanmonitor

Or just use this page:

https://www.watchmanmonitoring.com/gsx-ssl

Then copy & paste the steps in the resulting email.

Talk to you soon,

-Allen

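Added example, not from the thread, Jamf or Apple, that serves both the terminal procedure Simmo posted and the one Ktrojano relays from the Apple rep: it generates the key and CSR non-interactively and then checks the result for the two reasons Apple's validator gives in this thread for rejecting the JSS-generated file (no Organization, non-SHA-2 signature), plus the .csr extension Apple asked for and a 2048-bit minimum. Assumptions: openssl is on the PATH; the subject values are placeholders to replace with your own; the Common Name pattern Applecare-APP157-<number>.Test|Prod.apple.com is taken from the examples in this thread and is only warned about, not enforced; the passphrase is read from an exported GSX_KEY_PASS or typed at the prompt. Root is not needed, since the files are written to the current directory; run it as yourself and keep the key private (the helper chmods it to 600).

```shell
#!/bin/sh
# Added example (not from the thread, Jamf or Apple): generate the GSX private
# key and CSR non-interactively, then check the CSR for the problems Apple's
# validator reported in this thread before emailing it to gsxws@apple.com.
# Assumptions: openssl in PATH; GSX_KEY_PASS exported if you want no prompt;
# the CN pattern is taken from the thread's examples and only warned on.
set -e

# Generate KEY (RSA 2048, AES-256 encrypted) and a SHA-256 signed CSR.
# Usage: make_gsx_csr privatekey.pem certreq.csr "/C=US/ST=CA/L=Hollywood/O=Example Org/OU=IT/CN=Applecare-APP157-0000000000.Prod.apple.com"
make_gsx_csr() {
    openssl genrsa -aes256 ${GSX_KEY_PASS:+-passout env:GSX_KEY_PASS} -out "$1" 2048 2>/dev/null
    chmod 600 "$1"   # the key never leaves this machine; only the CSR goes to Apple
    openssl req -new -sha256 -key "$1" ${GSX_KEY_PASS:+-passin env:GSX_KEY_PASS} -subj "$3" -out "$2"
}

# Signature algorithm name from the CSR, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Subject as one RFC 2253 line without the "subject=" prefix,
# e.g. CN=Applecare-APP157-0000000000.Prod.apple.com,OU=IT,O=Example Org,...,C=US
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# RSA modulus size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text | grep -o -E '[0-9]+ bit' | head -n 1 | awk '{ print $1 }'
}

# Run every check, print each problem to stderr, return 1 if any failed.
check_gsx_csr() {
    rc=0
    case "$1" in
        *.csr) ;;
        *) echo "$1: Apple asked for a .csr extension, not .certSigningRequest or similar" >&2; rc=1 ;;
    esac
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 \
        || { echo "$1: the CSR's own signature does not verify" >&2; rc=1; }
    alg=$(csr_sig_alg "$1")
    case "$alg" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        *) echo "$1: signature algorithm is '$alg'; Apple requires SHA-2" >&2; rc=1 ;;
    esac
    subj=$(csr_subject "$1")
    echo "$subj" | tr ',' '\n' | grep -q '^O=' \
        || { echo "$1: Organization (O=) is required but missing: $subj" >&2; rc=1; }
    echo "$subj" | tr ',' '\n' | grep -q -E '^CN=Applecare-APP157-[0-9]+\.(Test|Prod)\.apple\.com$' \
        || echo "$1: warning: CN does not look like Applecare-APP157-<number>.Test|Prod.apple.com (assumed pattern)" >&2
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "$1: RSA key is ${bits:-unknown} bits; use 2048 or more" >&2; rc=1; }
    return $rc
}

# Usage, once sourced:
#   make_gsx_csr privatekey.pem certreq.csr "/C=US/ST=CA/L=Hollywood/O=Example Org/OU=IT/CN=Applecare-APP157-0000000000.Prod.apple.com"
#   check_gsx_csr certreq.csr && echo "ready to send to gsxws@apple.com"
```

Run make_gsx_csr once per environment (one key and CSR for Test, one for Prod, with the matching Common Name) and keep each privatekey.pem with its CSR; that is the file the later openssl pkcs12 -export step needs as -inkey, which several people in this thread found they no longer had.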