
Pre-Implementation Guide Spok Mobile 4.5

Pre-Deployment

  • Determine who your users are.
    • Who needs to be reached on a smartphone device?
    • Who already has pagers or other communication devices?
    • Determine the applications and/or systems that they need access to. Knowing this information is important when determining the networks that should be utilized.
  • Determine the smartphones and/or tablet devices that are in use at your organization today.
    • Platform
    • Model
    • Carrier
    • Version
  • Determine who will pay for the cellular device and/or plan.
    • Determine your organization’s policies around BYOD (bring your own device).
    • Will the organization pay for data, voice or hardware?
    • Will the organization bill the services back to the department/personnel?
  • Determine any coverage limitations that you may have.
    • Enable devices to use the cellular plan in your building.
    • Enable devices to use Wi-Fi coverage in your building.
    • Determine how users can join their smartphones and/or tablets to Wi-Fi networks at work and at home.
    • Determine the Wi-Fi networks that the users will use.
    • If a login is required to access the Wi-Fi network, can that process be bypassed? Please note that if a login is required to gain access to the network, it can cause communication issues when users forget to log into the network.
  • Determine if a Mobile Device Manager (MDM) is already in use. If not, determine if you will use a third-party MDM vendor. 
    • Determine who is responsible for managing mobile devices at your site.
    • Determine the process of researching, acquiring, and testing an MDM vendor. Your MDM environment must be completely set up before Spok Mobile can be added and managed.
    • Determine any applicable policies associated with managing mobile devices at your site.
    • Determine best practices and responsible parties regarding testing new installations and updates, and automatically pushing installations and updates to mobile devices.
  • Define success criteria.
    • Understand who will initially use the application and how the success of the trial will be measured.
    • Determine which devices users plan to keep. Do they want messages sent to more than one device? At which point will you phase out the older device? Do you want to keep the old device around for redundancy/emergency preparedness?

Initial Trial

  • Select users for the trial.
    • Choose a cross-section of employees using different devices who work in different areas of the organization.
    • Involve users in the initial deployment, using old messaging processes/devices side-by-side with Spok Mobile on smartphones. This can help build confidence and promote the availability of the Spok Mobile solution within their department.
    • Finding a leader to champion the solution can be extremely beneficial when overcoming obstacles.
  • Perform training.
    • Determine the best way to train new users in your organization.
    • Utilize Spok-provided resources (written content, training videos). See Spok Knowledge for more documentation and implementation resources.
    • One-on-one training.
    • Group training.
  • Build operational processes.
    • Determine how users should sign up.
    • Determine what should be done if a device is lost.

Implementing the Solution

  • Establish best practices.
    • Determine device charging protocols.
    • Determine what should be done if a message is not delivered or is ignored.
    • Clearly communicate product use expectations.
      • What are appropriate times to use the product?
      • What are inappropriate times to use the product?
      • When and where are users expected to respond to messages from the product?
      • What message response options are users supposed to use in different situations?
      • Are access codes required?

Rollout

  • Market the application’s availability.
    • Let departments and individuals know the capability now exists for messaging to users carrying smartphones and tablets.
  • Communicate value to users.
    • Updated technology (smartphones vs. pagers).
    • Ability to message anyone in the organization from own phone.
    • Secure and traceable communication.
    • Ability to carry a single device.
  • Monitor usage.
  • Continue to provide users with training resources.

Mobile Device Management (MDM) Recommendations

Spok Mobile High Availability Configuration

[Figure: Spok_Mobile_4.5_Network_Diagram.png, the Spok Mobile 4.5 network diagram]

Why does Spok Mobile require both the Spok Mobile Server and the Care Connect Server?

The Care Connect Server is the heart of Care Connect. All business logic (registration, status, directory searches) and transaction handling of message flows are handled through the Care Connect Server. It also facilitates cross-product integration and communication brokerage between Spok applications.

Beginning with Spok Mobile 4.4, the business logic of Spok Mobile resides in the Care Connect Server to improve security. This way, the APIs and services of the Care Connect Server reside safely within the LAN while the Spok Mobile Server resides in the DMZ for messaging access. The Spok Mobile server only brokers connections between registered devices and the Internet. This configuration ensures the utmost in security by limiting and locking down access.

Why is a High Availability Configuration so important?

Spok highly recommends that customers set up the Care Connect Server for high availability, since it is the central component of Spok Mobile and of Care Connect solutions in general. The Care Connect Server and Spok Mobile Servers support active-passive fault-tolerant configurations, with load balancers in front of the web server application tier and the database storage tier.

When the Care Connect Server is configured for high availability in active-passive mode, failover does not require human intervention. There is little to no disruption of service, because the load balancer moves traffic from the primary (active) server to the secondary (passive) server.

Preparing for a Spok Mobile Implementation with AlwaysOn

An AlwaysOn configuration is supported across Care Connect 1.9.

Customers who will implement Spok Mobile in a Care Connect 1.8 environment with Smart Suite or Smart Suite and Messenger may opt to use an AlwaysOn configuration.

SQL Server Enterprise Editions

AlwaysOn configurations for Spok Mobile environments require the Enterprise edition of SQL Server. SQL Enterprise meets recommended encryption standards that are not supported by SQL Server Standard.

SQL Server Guidance

When creating a SQL environment for an AlwaysOn configuration for Spok Mobile, follow these best practices. See Microsoft's documentation for detailed guidance on SQL Server and AlwaysOn configurations.

  • Availability Groups must be used, because AlwaysOn clustering requires them.
  • Use multiple subnets for SQL to enhance redundancy. The number of subnets will vary by customer site based on the configuration of the entire implemented solution.
  • Configure the following, to ensure that messages are delivered across the solution:
    • automatic failover
    • synchronous-commit availability mode
    Using manual failover and/or asynchronous-commit mode may result in message/data loss.
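
The check below is an added example, not part of the Spok guide: it reads each AlwaysOn replica's configured modes from the instance and flags any replica that is not synchronous-commit with automatic failover, the combination the guidance above requires. It assumes the SqlServer (or SQLPS) PowerShell module is installed and that the caller has VIEW SERVER STATE; the instance or listener name is a parameter.

```powershell
# Added example, not part of the Spok guide: audits every AlwaysOn replica for
# the two settings the guidance above requires (synchronous-commit availability
# mode and automatic failover) and flags any replica that could lose messages.
# Assumes the SqlServer (or SQLPS) PowerShell module is installed and that the
# caller has VIEW SERVER STATE on the instance or listener given.
param(
    [Parameter(Mandatory)] [string] $ServerInstance   # AG listener or primary instance (assumed name)
)
Import-Module SqlServer -ErrorAction Stop

# sys.availability_replicas records the configured mode of each replica in each group.
$query = @"
SELECT ag.name                    AS AgName,
       ar.replica_server_name     AS Replica,
       ar.availability_mode_desc  AS AvailabilityMode,
       ar.failover_mode_desc      AS FailoverMode
FROM sys.availability_groups ag
JOIN sys.availability_replicas ar ON ar.group_id = ag.group_id
"@
$replicas = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query)

if ($replicas.Count -eq 0) {
    Write-Warning "No availability group found on $ServerInstance; AlwaysOn for Spok Mobile requires one."
    exit 1
}

$problems = @()
foreach ($r in $replicas) {
    $issues = @()
    if ($r.AvailabilityMode -ne 'SYNCHRONOUS_COMMIT') { $issues += "availability mode is $($r.AvailabilityMode)" }
    if ($r.FailoverMode -ne 'AUTOMATIC')              { $issues += "failover mode is $($r.FailoverMode)" }
    if ($issues.Count -gt 0) {
        $problems += "[$($r.AgName)] $($r.Replica): " + ($issues -join '; ')
    } else {
        Write-Host "[$($r.AgName)] $($r.Replica): synchronous-commit, automatic failover (OK)"
    }
}

if ($problems.Count -gt 0) {
    # Manual failover or asynchronous commit is where message/data loss can occur.
    Write-Warning ("Replicas that can lose messages on failover:`n" + ($problems -join "`n"))
    exit 1
}
Write-Host 'All replicas meet the synchronous-commit / automatic-failover requirement.'
```

A deliberately asynchronous disaster-recovery replica is flagged as well; judge those against the site design rather than the script.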

F5 Load Balancer Recommendations for Spok Mobile

Typically, customer sites have load balancers in place and configured prior to the start of the Spok Mobile installation. Load balancers must be configured properly to ensure that the system can successfully fail over and be monitored. The supported health monitor for the Spok Mobile environment is tcp_half_open. Note that this only applies to the 2000x MXPP ports.

For more information, see the Load Balancer and Server Ports Workbook for CCS 1.9.

NetScaler Recommendations

When configuring the Spok Mobile service in NetScaler, set the Monitoring Connection Close Bit to RESET. This forces the health monitoring process to close the connection after the initial handshake. After the connection closes, the Spok Mobile Windows service will not generate log entries for any connection attempts from the NetScaler IP addresses. Note that this only applies to the 2000x MXPP ports.

Server Environment Requirements

See Spok Mobile Server Environment.

License Requirements

When you install any Care Connect application, you must provide an XML license file in order to activate application features. The Spok PSG professional is responsible for obtaining this license file before or during the on-site implementation. You will be prompted for the license file after you finish the Care Connect installer.

Database Requirements

The following database server requirements must be met in order for Spok Mobile to function. A database login with “sysadmin” rights must be available prior to installing the Spok Mobile database.

Spok Mobile supports the Clustering, Mirroring, and AlwaysOn High Availability solutions. 

The following table shows the SQL Server selection, configuration, and administration requirements for the Spok Mobile database.

General Database Options

  • SQL Server 2016
  • SQL Server 2014
  • SQL Cluster (SQL Clusters using shared storage SQL 2012 HADRON are not supported)
  • SQL Mirroring
  • AlwaysOn (requires the Enterprise version of SQL)

If you choose the SQL Cluster option, you must provide Spok with the login, password, host name, and instance information.

Database Maintenance Activity

  • Hourly transaction log backups
  • Daily full database backups
  • Daily data archive/delete

Spok Mobile does not include a data archive/delete function, but this feature can be added upon request.

User Permission Requirements

  • Permission to create
  • Permission to alter database
  • Permission to add users
  • “Sysadmin” rights

The Spok Mobile installer uses an “sdc” account by default. This “sdc” account is granted “sysadmin” privileges for the installation; the “sysadmin” role can be revoked afterwards as long as the account’s “db_owner” privilege on the Spok Mobile database is left intact.
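
The following is an added example, not part of the Spok guide, of reducing the "sdc" account to the least privilege the text allows: it confirms the login still holds db_owner on the Spok Mobile database, and only then removes it from the sysadmin server role. It assumes the SqlServer module is installed, that the Spok Mobile database is AmcomAmcPremiseCore (the database named later in this guide), and that the caller is a sysadmin.

```powershell
# Added example, not part of the Spok guide: removes the "sdc" installer login
# from the sysadmin server role after installation, but only after confirming
# it still holds db_owner on the Spok Mobile database, which must stay intact.
# Assumes the SqlServer module, a database named AmcomAmcPremiseCore, and a
# caller who is a sysadmin (required to alter server role membership).
param(
    [Parameter(Mandatory)] [string] $ServerInstance,
    [string] $Login    = 'sdc',
    [string] $Database = 'AmcomAmcPremiseCore'
)
Import-Module SqlServer -ErrorAction Stop

# The login name is spliced into T-SQL below; keep it to a plain identifier.
if ($Login -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected characters in login name '$Login'." }

# Is the login's mapped database user a member of db_owner? Match on SID so the
# check holds even when the database user name differs from the login name.
$dbOwnerQuery = @"
SELECT COUNT(*) AS IsDbOwner
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner' AND m.sid = SUSER_SID(N'$Login')
"@
$sysadminQuery = "SELECT IS_SRVROLEMEMBER('sysadmin', N'$Login') AS IsSysadmin"

$isDbOwner = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $dbOwnerQuery).IsDbOwner
if ($isDbOwner -lt 1) {
    Write-Error "$Login is not db_owner of $Database; leaving sysadmin in place so Spok Mobile keeps working."
    exit 1
}

$isSysadmin = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sysadminQuery).IsSysadmin
if ($isSysadmin -ne 1) {
    Write-Host "$Login is not a member of sysadmin; nothing to do."
    exit 0
}

# ALTER SERVER ROLE ... DROP MEMBER is available on SQL Server 2012 and later.
Invoke-Sqlcmd -ServerInstance $ServerInstance -Query "ALTER SERVER ROLE sysadmin DROP MEMBER [$Login];"

# Verify the end state: sysadmin removed, db_owner still present.
$after      = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sysadminQuery).IsSysadmin
$stillOwner = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $dbOwnerQuery).IsDbOwner
Write-Host ("{0}: sysadmin={1}, db_owner on {2}={3}" -f $Login, ($after -eq 1), $Database, ($stillOwner -ge 1))
```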

Supported SQL Server Clustering and Mirroring Versions

  • SQL Server 2016 Standard
  • SQL Server 2016 Enterprise
  • SQL Server 2014 Standard
  • SQL Server 2014 Enterprise

Additional SQL Mirroring Specifications

  • The database servers must be at least SQL Server 2014 Standard Edition.
  • All nodes in a database mirroring configuration must be configured with true fully-qualified domain names, not generated names. More specifically, the database mirroring configuration must be configured using the name that can be found in the System area of the Control Panel on your computer.
  • Must be reachable in DNS
  • Must have hosts entries
  • Must be reachable between each other on TCP ports 1433 and 5022

Run Time (After installation)

  • Read access to AmcomAmcPremiseCore database
  • Write access to AmcomAmcPremiseCore database
  • Ability to execute stored procedures
  • Ability to create temporary tables

Firewall and Communication Requirements

Firewall Requirements

The Spok Mobile application depends on communication between in-house servers, smartphones and tablets on the wireless LAN, and Spok’s hosted servers. Ports must be opened within the intranet as well as on the firewall to permit this exchange of information over the internet. The firewall can be configured to allow outbound access either by URL or by IP range.

Spok recommends allowing outbound access by URL: using URLs eliminates the need to update the configuration if an underlying IP address changes. You can instead allow access by IP range; information for both access types is included below.

Outbound access to the URLs listed below must be allowed in order for the application to function.

Allowing Outbound Access by URL

  • https://amclr1.amcomamc.com (443/2001/8091)
  • https://amclr2.amcomamc.com (443/2001/8091)
  • https://amccore1.amcomamc.com (443/2001/8091)
  • https://www.amcomamc.com (443/2001/8091)

Allowing Outbound Access by IP Ranges

If you have enabled access by IP address, Spok recommends either using the URL or opening access to the following IP ranges:

  • 107.21.32.168, 107.21.32.169 (East Coast Data Center)
  • 50.112.130.246 (West Coast Data Center)

If you have enabled firewall rules based on URLs, you do not need to make any changes. As we migrate the URLs to new IP addresses by updating the DNS (Domain Name System) records, your systems and devices will automatically connect to the new systems.
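
As an added example that is not part of the Spok guide, the script below verifies from the Spok Mobile server that outbound TCP access to the four hosted URLs above is open on 443, 2001 and 8091, and reports where each name currently resolves so an IP-based rule can be compared with the documented East Coast and West Coast addresses. It uses only built-in cmdlets (Resolve-DnsName and Test-NetConnection, Windows Server 2012 and later).

```powershell
# Added example, not part of the Spok guide: checks outbound reachability of the
# hosted Spok endpoints listed in this section and whether DNS still points them
# at the documented IP ranges. Built-in cmdlets only (Windows Server 2012+).
$hosts = 'amclr1.amcomamc.com', 'amclr2.amcomamc.com',
         'amccore1.amcomamc.com', 'www.amcomamc.com'
$ports = 443, 2001, 8091
# Addresses documented in the guide; the guide notes they may move via DNS updates.
$knownAddresses = '107.21.32.168', '107.21.32.169', '50.112.130.246'

$results = foreach ($h in $hosts) {
    # Resolve first: a firewall rule written by IP is only valid while DNS still
    # returns one of the documented addresses.
    $addresses = @()
    try {
        $addresses = @(Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                       Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    } catch {
        Write-Warning "$h did not resolve: $($_.Exception.Message)"
    }
    $documented = @($addresses | Where-Object { $knownAddresses -contains $_ }).Count -gt 0

    foreach ($p in $ports) {
        # Test-NetConnection completes a TCP handshake only; it does not speak TLS.
        $t = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host         = $h
            Port         = $p
            ResolvesTo   = ($addresses -join ',')
            DocumentedIP = $documented
            TcpOpen      = [bool]$t.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.TcpOpen })
if ($blocked.Count -gt 0) {
    Write-Warning ('Outbound access blocked for: ' +
        (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
}
$moved = @($results | Where-Object { $_.ResolvesTo -and -not $_.DocumentedIP } |
           ForEach-Object Host | Sort-Object -Unique)
if ($moved.Count -gt 0) {
    Write-Warning ('Names resolving outside the documented addresses (IP-based rules need updating): ' +
        ($moved -join ', '))
}
```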

Communication Requirements

Spok Mobile sends email messages that are vital to the implementation and use of the overall Spok solution. To ensure that these messages are received, the environment should be configured to allow *@amcomamc.com through any configured email filters. These emails will be sent from the following SMTP servers: planodb1.amcomenotify.com and mspdb1.amcomenotify.com.

Wi-Fi Access Point Requirements

Sites with Spok Mobile clients that use Wi-Fi connections need a wireless router that meets the following requirements:

  • Wireless-N 802.11n router
  • Lower power state Wi-Fi connection
  • Instant reconnect from sleep

Wireless 802.11g routers disconnect when a device goes to sleep, which means that messages will be missed until the device is woken up. Wireless 802.11n routers keep devices connected in a low power mode to support push notifications.

Port Requirements

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Console Web Server - 1 | Spok Mobile Servers via Load Balancer | TCP 8091, TCP 2000x | No | Send messages and device registrations to Spok Mobile Server
Console Web Server - 1 | MS SQL Server Cluster | TCP 1433 | No | Spok Console or MediCall database connection
Console Web Server - 1 | Linux Oracle DB | TCP 5555 | No | Smart Suite database connection

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Console Web Server - 2 | Spok Mobile Servers via Load Balancer | TCP 8091, TCP 2000x | No | Send messages and device registrations to Spok Mobile Server
Console Web Server - 2 | MS SQL Server Cluster | TCP 1433 | No | Spok Console or MediCall web server database connection
Console Web Server - 2 | Linux Oracle DB | TCP 5555 | No | Smart Suite web server database connection

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Web Client | Console Web Servers via Load Balancer | TCP 443 | No | Console web client connection to console web server
Web Client | CTRM | TCP 443, TCP 2037 | No | Access CTRM administrative web interface

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Console Workstation | Linux Oracle DB | TCP 5555 | No | Smart Suite console database connection
Console Workstation | MS SQL Server Cluster | TCP 1433 | No | Spok Console or MediCall console database connection

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Care Connect Server, Primary | MS SQL Server Cluster | TCP 1433 | No | Database access
Care Connect Server, Primary | SAN/DFS/File Server | TCP 135-139, UDP 135-139, TCP 445 | No | Message attachment access
Care Connect Server, Primary | SMTP Relay Server | TCP 25 | No | E-mails for DPE escalations
Care Connect Server, Primary | Spok Mobile Servers via Load Balancer | TCP 8081 | No | Mobile adapter service (required when using DPE or vSphere "Spheres" only; port can be closed if the adapter service is not used)
Care Connect Server, Primary | Spok Mobile Servers via Load Balancer | TCP 443 | No | Administrative Web Interface

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Care Connect Server, Secondary | MS SQL Server Cluster | TCP 1433 | No | Database access
Care Connect Server, Secondary | SAN/DFS/File Server | TCP 135-139, UDP 135-139, TCP 445 | No | Message attachment access
Care Connect Server, Secondary | SMTP Relay Server | TCP 25 | No | E-mails for DPE escalations
Care Connect Server, Secondary | Spok Mobile Servers via Load Balancer | TCP 8081 | No | Mobile adapter service (required when using DPE or vSphere "Spheres" only; port can be closed if the adapter service is not used)
Care Connect Server, Secondary | Spok Mobile Servers via Load Balancer | TCP 443 | No | Administrative Web Interface

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Spok Mobile Server, Primary | MS SQL Server Cluster | TCP 1433 | No | Database access
Spok Mobile Server, Primary | SAN/DFS/File Server | TCP 135-139, UDP 135-139, TCP 445 | No | Message attachment access
Spok Mobile Server, Primary | Care Connect Server via Load Balancer | TCP 443 | No | Web services
Spok Mobile Server, Primary | Spok Mobile Hosted Cloud, Primary Data Center - East Coast, 107.21.32.169 / 107.21.32.168 | TCP 443, TCP 8091 | Yes | Android & iOS push and licensing
Spok Mobile Server, Primary | Spok Mobile Hosted Cloud, Primary Data Center - East Coast, 107.21.32.169 / 107.21.32.168 | TCP 2001 | No | Android & iOS push and licensing
Spok Mobile Server, Primary | Spok Mobile Hosted Cloud, Disaster Recovery Data Center - West Coast, 50.112.130.246 | TCP 443, TCP 8091 | Yes | Android & iOS push and licensing
Spok Mobile Server, Primary | Spok Mobile Hosted Cloud, Disaster Recovery Data Center - West Coast, 50.112.130.246 | TCP 2001 | No | Android & iOS push and licensing
Spok Mobile Server, Primary | https://amclr1.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Primary | https://amclr1.amcomamc.com | TCP 2001 | No | Data registration and licensing
Spok Mobile Server, Primary | https://amclr2.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Primary | https://amclr2.amcomamc.com | TCP 2001 | No | Data registration and licensing
Spok Mobile Server, Primary | https://amccore1.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Primary | https://amccore1.amcomamc.com | TCP 2001 | No | Data registration and licensing
Spok Mobile Server, Primary | https://www.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Primary | https://www.amcomamc.com | TCP 2001 | No | Data registration and licensing

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Spok Mobile Server, Secondary | MS SQL Server Cluster | TCP 1433 | No | Database access
Spok Mobile Server, Secondary | SAN/DFS/File Server | TCP 135-139, UDP 135-139, TCP 445 | No | Message attachment access
Spok Mobile Server, Secondary | Care Connect Server via Load Balancer | TCP 443 | No | Web services
Spok Mobile Server, Secondary | Spok Mobile Hosted Cloud, Primary Data Center - East Coast, 107.21.32.169 / 107.21.32.168 | TCP 443, TCP 8091 | Yes | Android & iOS push and licensing
Spok Mobile Server, Secondary | Spok Mobile Hosted Cloud, Primary Data Center - East Coast, 107.21.32.169 / 107.21.32.168 | TCP 2001 | No | Android & iOS push and licensing
Spok Mobile Server, Secondary | Spok Mobile Hosted Cloud, Disaster Recovery Data Center - West Coast, 50.112.130.246 | TCP 443, TCP 8091 | Yes | Android & iOS push and licensing
Spok Mobile Server, Secondary | Spok Mobile Hosted Cloud, Disaster Recovery Data Center - West Coast, 50.112.130.246 | TCP 2001 | No | Android & iOS push and licensing
Spok Mobile Server, Secondary | https://amclr1.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Secondary | https://amclr1.amcomamc.com | TCP 2001 | No | Data registration and licensing
Spok Mobile Server, Secondary | https://amclr2.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Secondary | https://amclr2.amcomamc.com | TCP 2001 | No | Data registration and licensing
Spok Mobile Server, Secondary | https://amccore1.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Secondary | https://amccore1.amcomamc.com | TCP 2001 | No | Data registration and licensing
Spok Mobile Server, Secondary | https://www.amcomamc.com | TCP 443, TCP 8091 | Yes | Data registration and licensing
Spok Mobile Server, Secondary | https://www.amcomamc.com | TCP 2001 | No | Data registration and licensing

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Spok Mobile Hosted Cloud, Primary Data Center - East Coast, 107.21.32.169 / 107.21.32.168 | Spok Mobile Servers via Load Balancer | TCP 443, TCP 8091 | No | Handling registration and push confirmations

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Spok Mobile Hosted Cloud, Disaster Recovery Data Center - West Coast, 50.112.130.246 | Spok Mobile Servers via Load Balancer | TCP 443, TCP 8091 | No | Handling registration and push confirmations

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Spok Speech | MS SQL Server Cluster | TCP 1433 | No | Database access

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Care Connect Speech | Care Connect Server via Load Balancer | TCP 443, TCP 9091 (1) | No | Web services and message broker
Care Connect Speech | MS SQL Server Cluster | TCP 1433 | No | Database access
Care Connect Speech | PBX / VoIP system | TCP 5060 (1) or TCP 5061; UDP dynamic | No | SIP traffic (unencrypted or encrypted respectively) and UDP ports for RTP traffic

(1) The application is set to use this port by default. If desired, the port number can be changed.

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Mobile User | Spok Mobile Servers via Load Balancer | TCP 443, TCP 8091 | N/A | Retrieve message after notification
Mobile User | Spok Mobile Servers via Load Balancer | TCP 8883 | N/A | Subscribe to Spok Notification Framework
Mobile User | Spok Mobile Hosted Cloud, Primary Data Center - East Coast, 107.21.32.169 / 107.21.32.168 | TCP 443, TCP 8091 | N/A | Registration
Mobile User | Spok Mobile Hosted Cloud, Disaster Recovery Data Center - West Coast, 50.112.130.246 | TCP 443, TCP 8091 | N/A | Registration
Mobile User | Apple Push Server | TCP 5223 | N/A | APNS
Mobile User | Android Push Server | TCP 5228-5230 | N/A | GCM

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
CTRM | Care Connect Server via Load Balancer | TCP 443 | No | Web services
CTRM | MS SQL Cluster | TCP 1433 | No | Database access

Source | Destination | Port Numbers | Allowing Outbound Traffic? | Purpose
Spok Messenger | SMTP Relay Server | TCP 25 | No | E-mail input and output for Messenger
Spok Messenger | Spok Mobile Servers via Load Balancer | TCP 443, TCP 8091, TCP 2000x | No | Thick client connection to Messenger
Spok Messenger | Paging Services Cloud WCTP | TCP 443 | No | WCTP Paging

Security

Antivirus Exclusions List

Required Ciphers for Spok Mobile

New Cipher Suites for Windows Server 2016

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

New Cipher Suites for Windows Server 2012 R2

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

Windows Security

TLS 1.2 Security Protocol for Spok Mobile 4.5

Spok Care Connect 1.9 products require the TLS 1.2 security protocol on all Windows servers that host Spok products. If TLS 1.2 is disabled, it may result in Spok Mobile users being unable to register, send or receive messages, or search for users in the enterprise directory. Older protocols including SSL 3, TLS 1.0, and TLS 1.1 may be disabled.
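
The script below is an added example, not part of the Spok guide, and serves both the cipher suite lists above and this TLS 1.2 requirement: it reports the SChannel protocol overrides present in the registry, explicitly enables TLS 1.2 for server and client if it is not already enabled there, optionally disables SSL 3.0, TLS 1.0 and TLS 1.1 as the text permits, and checks which of the listed cipher suites the OS currently offers. It assumes an elevated session and that Get-TlsCipherSuite (the TLS module on newer Windows Server releases) may or may not be present.

```powershell
# Added example, not part of the Spok guide: audit and adjust SChannel on a
# Windows server hosting Spok products. Run elevated; SChannel registry changes
# take effect after a reboot.
param(
    [switch] $DisableLegacyProtocols   # also turn off SSL 3.0, TLS 1.0 and TLS 1.1
)
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ProtocolState {
    param([string] $Protocol, [string] $Side)
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) { return 'OS default (no registry override)' }
    $p = Get-ItemProperty -Path $key
    $enabled   = if ($null -eq $p.Enabled)           { 'default' } else { [bool]$p.Enabled }
    $byDefault = if ($null -eq $p.DisabledByDefault) { 'default' } else { [bool]$p.DisabledByDefault }
    return "Enabled=$enabled DisabledByDefault=$byDefault"
}

function Set-ProtocolState {
    param([string] $Protocol, [bool] $Enable)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 with DisabledByDefault=0 turns a protocol on; 0 with 1 turns it off.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        Write-Host ('{0,-8} {1,-6} {2}' -f $proto, $side, (Get-ProtocolState $proto $side))
    }
}

# TLS 1.2 is mandatory for Care Connect 1.9 / Spok Mobile 4.5, so pin it on explicitly.
if ((Get-ProtocolState 'TLS 1.2' 'Server') -ne 'Enabled=True DisabledByDefault=False') {
    Set-ProtocolState -Protocol 'TLS 1.2' -Enable $true
    Write-Host 'TLS 1.2 explicitly enabled for Server and Client (reboot required).'
}
if ($DisableLegacyProtocols) {
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-ProtocolState -Protocol $proto -Enable $false }
    Write-Host 'SSL 3.0, TLS 1.0 and TLS 1.1 disabled (reboot required).'
}

# A subset of the Windows Server 2016 suites listed in this guide, the forward-secret
# ones first; compare with what the OS actually offers.
$required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',     'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $offered = (Get-TlsCipherSuite).Name
    foreach ($suite in $required) {
        $state = if ($offered -contains $suite) { 'offered' } else { 'MISSING' }
        Write-Host ('{0,-42} {1}' -f $suite, $state)
    }
} else {
    Write-Warning 'Get-TlsCipherSuite is not available on this OS; review the SChannel cipher suite order policy instead.'
}
```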

Exporting the Certificate to PFX Format for the Spok Notification Framework

This procedure only needs to be completed at Spok Mobile customer sites at which the Spok Notification Framework will be used to support non-GCM Android devices. This procedure is typically completed by a customer-site IT professional prior to a Spok Mobile implementation, to make sure the security certificate needed for the Spok Notification Framework is available in a format that a Spok PSG professional can convert during the implementation.

Before you begin, install the certificate on the server that will host Spok Mobile.

Certificates which are installed in the Windows certificate stores can only be exported to certain formats. Unfortunately, Windows cannot export certificates directly to PEM, Spok's target format. Instead, the certificate must first be exported to PFX format, which can then be reliably converted to PEM by Spok PSG representatives during a Spok Mobile implementation.

To export the certificate to PFX format:

  1. On the server that will host Spok Mobile, open the Run program by pressing Windows key + R. Type MMC.exe in the box, and press Enter. The Microsoft Management Console will open.
  2. Click File > Add/Remove Snap-in, select the Certificates snap-in from the leftmost options, then click Add.
  3. In the Certificates snap-in window, select Computer Account and click Next.
  4. In the Select computer window, select Local Computer and click Finish.
  5. Click OK to save your progress.
  6. Expand the list Certificates (Local Computer) > Personal > Certificates.
  7. Right-click on the Spok Mobile server certificate in the middle panel. The certificate name varies from site to site. Click All Tasks > Export. The Certificate Export Wizard will open.
  8. In the Certificate Export Wizard, click Next.
  9. Select Yes, Export the private key, then click Next.
  10. Select Personal Information Exchange - PKCS #12 (.PFX). Ensure that Include all certificates in the certification path if possible and Export all extended properties are selected. Do not select any of the other options. Click Next.
  11. Select the Password check box and enter a password to be used temporarily for exporting the certificate. Confirm the password and click Next.
    Be sure to save and share this password with Spok. Your Spok PSG representative will need this password in order to convert the PFX to PEM during the Spok Mobile implementation. 
  12. Click the Browse button and navigate to %AppData%\RabbitMQ\Certs\certificate.pfx, then click Next and Finish.
    Do not change the name of the exported PFX file. It must be named certificate.pfx.
  13. Close the Microsoft Management Console window. You do not need to save your changes when asked.
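
The following is an added example, not part of the Spok guide: a scripted equivalent of the MMC export above using the built-in PKI module's Export-PfxCertificate (Windows Server 2012 and later). Because the certificate name varies by site, the certificate is selected by thumbprint, which is assumed here as a parameter; the private key, the full chain and the extended properties are written to %AppData%\RabbitMQ\Certs\certificate.pfx, and the file is read back to confirm the key is inside.

```powershell
# Added example, not part of the Spok guide: export the Spok Mobile server
# certificate with its private key and chain to the PFX path the procedure requires.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,        # of the Spok Mobile server certificate (varies by site)
    [Parameter(Mandatory)] [securestring] $Password     # temporary export password, to be shared with Spok PSG
)
$target = Join-Path $env:APPDATA 'RabbitMQ\Certs\certificate.pfx'   # file name required by the procedure

$tp = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No certificate with thumbprint $tp under Certificates (Local Computer) > Personal." }

# "Yes, export the private key" needs a key that is present and exportable;
# Export-PfxCertificate fails on a non-exportable key rather than silently dropping it.
if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key; Spok needs the key in the PFX." }

$dir = Split-Path -Path $target -Parent
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }

# -ChainOption BuildChain = "Include all certificates in the certification path if possible";
# extended properties are exported unless -NoProperties is specified.
Export-PfxCertificate -Cert $cert -FilePath $target -Password $Password -ChainOption BuildChain -Force | Out-Null

# Read the PFX back with the same password to confirm the key and the chain are inside.
$plain  = (New-Object System.Net.NetworkCredential('', $Password)).Password
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($target, $plain, $flags)
$leaf = $bundle | Where-Object { $_.Thumbprint -eq $tp }
'{0}: {1} certificate(s) in file, private key present: {2}' -f $target, $bundle.Count, [bool]$leaf.HasPrivateKey
```

Pass the password as a SecureString, for example the result of Read-Host -AsSecureString, so it never sits in the command history as plain text.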

Setting Up SSL Certificates

This section includes information on how to set up wildcard SSL certificates and non-wildcard SSL certificates for use with Spok Mobile.

For detailed information on how to configure the certificate to the Spok Mobile product, please refer to the Implementing Spok Mobile Services guide for your release of Spok Mobile.

The following SSL certificate requirements must be met in order for Spok Mobile to function properly:

  • The SSL certificate CANNOT be self-signed. The certificate must be from a trusted root authority. Examples include: Verisign, Thawte, and GoDaddy.
  • If Smart Suite is being used with Spok Mobile, the following requirements must be met:
    • Smart Suite 4.8.x requires SHA1
    • Smart Suite 5.x requires SHA1 or SHA2
  • The certificate can be a wildcard certificate for Android and iPhone devices. However, please note that if a wildcard certificate is being used, the certificate must be marked as “exportable.”

SSL Certificates (Non-Wildcard)

If a non-wildcard certificate is to be used with Spok Mobile, the certificate must be installed and bound to the Spok Mobile server and then tested. Certificates can also be imported and backed up. Information on how to perform these actions is included below.

Creating an SSL Certificate

  1. Choose a certificate name. This name should not be the host name of the server. For example, if your host name were www32-a-node1.yourmedicalfacility.org, users would not know to access that location; they would know to go to www.yourmedicalfacility.org, so that is the name that needs to be registered. This SSL host name is shared by all applications that serve data for Spok Mobile, so pick a generic SSL website name, such as “spokmobile.customer.org”.

  2. Access the Internet Information Services (IIS) Manager on the Spok Mobile server. In most cases, this can be accessed by choosing the Start > Internet Information Services (IIS) menu option from the Windows start menu. The Internet Information Services (IIS) Manager screen displays.

  3. In the left navigation bar, choose the server name entry. Menu options display.

  4. Choose the Server Certificates menu option. The Server Certificates screen displays.

  5. Click the Create Certificate Request option from the Actions list on the right-hand side of the screen. The Distinguished Name Properties dialog displays.

  6. In the Distinguished Name Properties dialog, enter any desired information.

  7. Click the Next button. The Cryptographic Service Provider Properties dialog displays.

  8. From the Cryptographic service provider drop down menu, choose the Microsoft RSA SChannel Cryptographic Provider option.

  9. From the Bit length drop down menu, choose the 2048 option.

  10. Click Next. The File Name dialog displays.

  11. In the Specify a file name for the certificate request field, specify a location and file name where the certificate signing request (“CSR”) file should be saved.

  12. Click Finish. The Server Certificates screen displays.

  13. Send the generated file (Example: c:\messengeramc_csr.txt) to your certificate vendor.

  14. Obtain the certificate file (.p7b, .pfx, or .cer file). The certificate is received.

Installing the SSL Certificate on the Server

  1. In the right-hand side of the Server Certificates screen, click the Complete Certificate Request link. The Specify Certificate Authority Response dialog displays.

  2. Next to the File name containing the certification authority’s response field, click . Files display.

  3. Choose the desired file. The chosen file displays in the File name containing the certification authority’s response field.

NOTE: The File name containing the certification authority’s response field should include a .cer file. However, if you would like to use a .p7b or .crt file, change the file type to *.*.

  4. In the Friendly name field, enter the server host name that is specified as the certificate’s SSL name. The name entered in this field must match the Common Name entry on the Distinguished Name Properties display.

  5. Click OK. The Server Certificates screen with the newly installed certificate displays.

Adding the HTTPS Binding to IIS

The bindings are created automatically during Spok Mobile Implementation, so there is no procedure required.

Importing Certificates

  1. If an environment is configured for high availability, export the .pfx file for each server.

  2. Access IIS manager. The IIS manager home screen displays.

  3. Click the Server Certificates option. The Server Certificates screen displays.

  4. In the Server Certificates screen, click the Import link. The Import Certificate dialog displays.

  5. In the Certificate file field, choose the desired certificate. The certificate displays in the field.

  6. In the Password field, enter the password that is linked to the certificate entered in the Certificate file field.

  7. Click OK. The certificate is imported.

Testing SSL Certificates

  1. To test the installation of the certificate, add an entry to the C:\Windows\System32\Drivers\Etc\hosts file that points to the external DNS SSL name, specified as the Common Name during set up, to 127.0.0.1.

Example: 127.0.0.1  messengeramc.amcomsoft.com messengeramc

Testing the Host Name

  1. To test the host name, execute ‘ping <hostname>’ from that machine. If the localhost is accessed, the test is successful.

  2. Test the external resolution of the name.

  3. Test the internal resolution of the name. This can be done by using “nslookup.”

Testing the Certificate

  1. Access the installed certificate via https by entering the certificate’s Common Name from the previous steps in a browser session.

NOTE: If the navigation bar does not display red text, the browser believes the certificate is valid. If the navigation bar displays red text, the browser believes the certificate is invalid.
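
As an added example that is not part of the Spok guide, the script below performs the browser test above from a script and checks the presented certificate against the SSL certificate requirements stated earlier in this section: it connects to the SSL host name (a parameter assumed here; with the hosts-file entry in place this reaches the local server), completes a TLS handshake, and reports whether the certificate is self-signed, whether a chain builds to a trusted root, whether the CN or a subject alternative name matches, whether the signature is SHA1 or SHA2 for the Smart Suite requirement, and whether a wildcard certificate's key is exportable. Built-in .NET classes only.

```powershell
# Added example, not part of the Spok guide: scripted certificate test for the
# Spok Mobile SSL host name. $HostName is the Common Name used during setup.
param(
    [Parameter(Mandatory)] [string] $HostName,   # e.g. the name from the hosts-file test
    [int] $Port = 443
)
$findings = @()

# TLS handshake to the name under test. The callback accepts any certificate so
# the handshake completes and every problem is reported below, not just the first.
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($HostName)
    $protocol = $ssl.SslProtocol
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Close()
}

if ($protocol -ne 'Tls12') { $findings += "Negotiated $protocol; Spok Mobile 4.5 requires TLS 1.2." }

# Requirement: not self-signed, issued by a trusted root authority.
if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed (subject equals issuer).' }

# Does a chain build to a root this machine trusts? This is what the browser's red text reflects.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $findings += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join ' ')
}

# Name check: CN plus any DNS subject alternative names; a wildcard covers one label only.
$names = @($cert.GetNameInfo('DnsName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}
$isWildcard = [bool]($names | Where-Object { $_.StartsWith('*.') })
$matched = $names | Where-Object {
    if ($_.StartsWith('*.')) {
        $suffix = $_.Substring(1)    # "*.customer.org" -> ".customer.org"
        $HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
            ($HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.')
    } else {
        $_ -eq $HostName
    }
}
if (-not $matched) { $findings += "Neither CN nor SAN ($($names -join ', ')) matches $HostName." }

# Signature algorithm decides Smart Suite compatibility: 4.8.x needs SHA1, 5.x takes SHA1 or SHA2.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
$smartSuite = if ($sigAlg -match '^sha1') { 'SHA1: Smart Suite 4.8.x or 5.x' }
              elseif ($sigAlg -match '^sha(256|384|512)') { 'SHA2: Smart Suite 5.x only' }
              else { "unrecognised algorithm $sigAlg" }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $findings += "Not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# When run on the Spok Mobile server itself: a wildcard certificate must be marked exportable.
# Only CSP-backed keys expose this flag; CNG keys are skipped here.
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$pk = $null
if ($local) { try { $pk = $local.PrivateKey } catch { $pk = $null } }
if ($isWildcard -and $pk -and -not $pk.CspKeyContainerInfo.Exportable) {
    $findings += 'Wildcard certificate is installed with a non-exportable private key.'
}

[pscustomobject]@{
    Host      = $HostName
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    Wildcard  = $isWildcard
    Signature = "$sigAlg ($smartSuite)"
    Protocol  = $protocol
    Expires   = $cert.NotAfter
    Findings  = if ($findings.Count -gt 0) { $findings -join ' | ' } else { 'OK: a browser should show this certificate as valid.' }
}
```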

Backing Up the SSL Certificate

Backing up an SSL certificate allows the certificate to be re-imported if a system failure occurs that requires a disaster recovery.

  1. Access the Internet Information Services (IIS) Manager screen.

  2. Choose the server name in the left-hand side of the screen. Menu options display.

  3. Click the Server Certificates icon. The Server Certificates screen displays.

  4. Right click on the desired SSL name. Menu options display.

  5. Choose the Export menu option. The Export Certificate dialog displays.

  6. Click to the right of the Export to field.

  7. In the File name field, enter the file name to use.

  8. Click Open. You are returned to the Export Certificate dialog and the chosen file name displays in the Export to field.

  9. In the Password field, enter a password to associate with the certificate.

  10. In the Confirm password field, re-enter the password that is entered in the Password field.

  11. Click OK.

  12. Exit the IIS Manager.

  13. Navigate to the path where the certificate is stored.

  14. Copy the certificate to send it to the Spok Project Manager that is involved with the implementation.

  15. Send this certificate to the Spok Project Manager that is involved with the implementation. Doing so allows for a re-import if a system failure occurs that requires a disaster recovery.

  16. Access the Spok Enterprise Administration page http://localhost/Amc/Admin. Note that detailed information on the Spok Mobile Administration page can be found in the Administrator’s Guide Spok Enterprise Administration.

  17. Ensure that the Local message delivery option is chosen. For detailed information on configuring the message delivery type, please refer to the Implementing Guide Spok Mobile Services 4.4 document.

  18. Enable the HTTPS option. For detailed information on how to enable the HTTPS option, refer to the Implementing Spok Mobile Services 4.4 document.

  19. Ensure the information in the Message Download URL matches the SSL name of the certificate you registered. For detailed information on how to configure the Message Download URL, refer to the Implementing Spok Mobile Services 4.4 document. Note that wildcard certificates can be used if they match a server on the domain.

  20. Click Save.

  21. Click Apply. The application is re-started and the HTTPS functionality can be utilized.

SSL Certificates (Wildcard)

When an existing wildcard certificate is to be used with Spok Mobile, the wildcard certificate must be added to the Spok Mobile server, installed on and bound to Spok Mobile, and then tested.

Adding an SSL Certificate to the Server

The SSL certificate must be added to the server. For detailed information on how to do this, please refer to the Importing Certificates.

Installing an SSL Certificate into IIS

  1. Open the IIS Manager. The Internet Information Services (IIS) Manager screen displays.

  2. Choose the desired server. The server name becomes highlighted.

  3. Choose the Server Certificates menu option. The Server Certificates screen displays.

  4. Right click on the working area in the Server Certificates screen. Menu options display.

  5. Choose the Import menu option. The Import Certificate dialog displays.

  6. In the Certificate file (.pfx) field, enter the location of the .pfx certificate file.

  7. In the Password field, enter the password for the .pfx file that is entered into the Certificate file (.pfx) field.

  8. Choose the Allow this certificate to be exported option.

  9. Click OK.