3.2.5.1.4 Generating Managed Object Data

This section describes the process for populating the object data attribute of a managed object entry. The object data contains a base64-encoded string representing a serialized managed object. Section 2.2.2.2.10 defines the schema for various managed objects used in this protocol. A managed object consists of an object header as defined in section 2.2.2.2.12, a body which varies with each managed object type, and a signature part as defined in section 2.2.2.2.13. The process for populating managed object data has three steps.

Step 1: Populate Managed Object Header

The managed object header contains information about the object and the domain managing the object.

Section 2.2.2.2.9 defines the schema for the management domain information contained in the header. The management domain information is identical for all managed objects in that domain. The content for the management domain information references the management domain and the management server entry specified in the abstract data model.

Section 2.2.2.2.12 defines the schema for the managed object header. The attribute values differ for each managed object as defined in the following tables:

Account Services Policy

XPath: /ManagedObjectHeaderType/@Name
Description: MUST contain value "grooveAccountServicesPolicy2:"

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be value "Account Services Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: Same as display name

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be value "$IssuedTime"

Component Update Policy

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be value "grooveDeviceBehavior://ComponentUpdatePolicy"

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be value "Groove Update Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: Same as display name

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be value "$IssuedTime"

Data Recovery Policy

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be value "grooveAccountPolicy2://DataRecovery"

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be value "Groove Data Recovery Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: Same as display name

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be value "$IssuedTime"

Device Policy

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be value "grooveDevicePolicy:"

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be value "Device Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: Same as display name

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be value "$IssuedTime"

Domain Trust Policy Object

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be value "grooveDomainTrustPolicy://DomainGUID/ObjectGUID", where
    • DomainGUID is the management domain GUID
    • ObjectGUID is the managed object GUID

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be value "Domain Trust Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: Same as display name

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be value "$IssuedTime"

Identity Object

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be the value "grooveIdentity://MemberGUID", where MemberGUID is the GUID of the member referenced by this managed object

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be the full name of the member

XPath: /ManagedObjectHeaderType/@Description
Description: MUST be the value "Groove Identity"

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be the value "$Always"

Identity Policy Object

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be the value "grooveIdentityPolicy2:"

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be the value "Identity Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: MUST be the value "Identity Policy"

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be the value "$IssuedTime"

Passphrase Policy

XPath: /ManagedObjectHeaderType/@Name
Description: MUST be the value "groovePassphrasePolicy2:"

XPath: /ManagedObjectHeaderType/@DisplayName
Description: MUST be the value "Passphrase Policy"

XPath: /ManagedObjectHeaderType/@Description
Description: MUST be the value "Passphrase Policy"

XPath: /ManagedObjectHeaderType/@GUID
Description: MUST be the managed object GUID

XPath: /ManagedObjectHeaderType/@IntendedIdentityURL
Description: MUST be empty

XPath: /ManagedObjectHeaderType/@IssuedTime
Description: MUST be the managed object issued time as a double, represented as milliseconds since midnight 01/01/1970

XPath: /ManagedObjectHeaderType/@ReplacementPolicy
Description: MUST be the value "$IssuedTime"
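The following Python is an added example, not code from the specification: it builds the header attribute set for each managed object type from the tables above (including the IssuedTime conversion and the composed Name values for Domain Trust and Identity objects) and checks a header against the same rules, which is the check a server or auditor would run before an object is serialized and signed. The dictionary layout, the plain-string GUIDs and the sample time are assumptions.

```python
from datetime import datetime, timezone

# Added example, not part of the specification. GUIDs are plain strings and
# the dict layout is an assumption; the attribute values come from the tables.

def issued_time_ms(when: datetime) -> float:
    """IssuedTime: milliseconds since midnight 01/01/1970 UTC, as a double."""
    return when.timestamp() * 1000.0

# Constructed sample time: one second after the epoch -> 1000.0 ms.
SAMPLE_ISSUED = datetime(1970, 1, 1, 0, 0, 1, tzinfo=timezone.utc)

# Fixed Name and DisplayName per policy type. For all of these, Description
# equals DisplayName and ReplacementPolicy is "$IssuedTime".
POLICY_HEADERS = {
    "AccountServicesPolicy": ("grooveAccountServicesPolicy2:", "Account Services Policy"),
    "ComponentUpdatePolicy": ("grooveDeviceBehavior://ComponentUpdatePolicy", "Groove Update Policy"),
    "DataRecoveryPolicy": ("grooveAccountPolicy2://DataRecovery", "Groove Data Recovery Policy"),
    "DevicePolicy": ("grooveDevicePolicy:", "Device Policy"),
    "IdentityPolicy": ("grooveIdentityPolicy2:", "Identity Policy"),
    "PassphrasePolicy": ("groovePassphrasePolicy2:", "Passphrase Policy"),
}

def _header(name, display, description, object_guid, issued, replacement):
    return {
        "Name": name,
        "DisplayName": display,
        "Description": description,
        "GUID": object_guid,
        "IntendedIdentityURL": "",          # MUST be empty for every object type
        "IssuedTime": issued_time_ms(issued),
        "ReplacementPolicy": replacement,
    }

def policy_header(kind, object_guid, issued):
    name, display = POLICY_HEADERS[kind]
    return _header(name, display, display, object_guid, issued, "$IssuedTime")

def domain_trust_header(domain_guid, object_guid, issued):
    # Name embeds the management domain GUID and the managed object GUID.
    name = f"grooveDomainTrustPolicy://{domain_guid}/{object_guid}"
    return _header(name, "Domain Trust Policy", "Domain Trust Policy",
                   object_guid, issued, "$IssuedTime")

def identity_header(member_guid, member_full_name, object_guid, issued):
    # Identity objects differ: DisplayName is the member's full name,
    # Description is fixed, and ReplacementPolicy is "$Always".
    name = f"grooveIdentity://{member_guid}"
    return _header(name, member_full_name, "Groove Identity",
                   object_guid, issued, "$Always")

def header_problems(header):
    """Check a header against the table rules; returns the list of violations."""
    problems = []
    name = header.get("Name", "")
    is_identity = name.startswith("grooveIdentity://")
    if header.get("IntendedIdentityURL", None) != "":
        problems.append("IntendedIdentityURL must be empty")
    if not header.get("GUID"):
        problems.append("GUID must be the managed object GUID")
    t = header.get("IssuedTime")
    if not isinstance(t, float) or t < 0:
        problems.append("IssuedTime must be a non-negative double in milliseconds")
    expected_policy = "$Always" if is_identity else "$IssuedTime"
    if header.get("ReplacementPolicy") != expected_policy:
        problems.append(f"ReplacementPolicy must be {expected_policy}")
    if is_identity:
        if header.get("Description") != "Groove Identity":
            problems.append('Description must be "Groove Identity" for identity objects')
    else:
        known = {n for n, _ in POLICY_HEADERS.values()}
        if name not in known and not name.startswith("grooveDomainTrustPolicy://"):
            problems.append("Name is not one of the defined managed object names")
        if header.get("Description") != header.get("DisplayName"):
            problems.append("Description must equal DisplayName")
    return problems
```

`header_problems` returns an empty list for a conforming header; running it on every object before Step 3 catches a mismatched ReplacementPolicy or a non-empty IntendedIdentityURL before the object is signed and published.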

Step 2: Populate Managed Object Body

There are two types of managed objects: a policy object and an identity object. A management server administrator sets the content for a policy object, while a member entry defined in the abstract data model provides the data for an identity object.

Managed objects are stored in managed object collections as defined in the abstract data model. Each entry in the collection contains object data representing the managed object. Any change to a policy or a member attribute MUST result in updated managed object data.

Account Services Policy

Section 2.2.2.2.10.1 defines the schema for this managed object.

Component Update Policy

Section 2.2.2.2.10.2 defines the schema for this managed object.

If the component update policy is set to "Allow", the client is allowed to perform component updates over the Internet. If the policy is set to "Deny", the client is not allowed to perform component updates. If the policy is set to "Local", the client is allowed to perform component updates from the local system.

Data Recovery Policy

Section 2.2.2.2.10.3 defines the schema for this managed object. Any change to the policy attribute or to the management domain's data recovery certificate MUST result in updated managed object data.

Device Policy

Section 2.2.2.2.10.4 defines the schema for this managed object.

Domain Trust Policy

Section 2.2.2.2.10.5 defines the schema for this managed object. Each policy MUST contain one item to establish a cross-domain trust relationship. Multiple domain trust policies MUST be used to establish cross-domain trust relationships with more than one domain. Any change to the management domain's name or certified authority name MUST result in updated managed object data.

Identity

Section 2.2.2.2.10.6 defines the schema for this managed object. This managed object represents a member entry as defined in the abstract data model. The data for generating this managed object is provided by the management domain, member, relay server set, and relay server entries specified in the abstract data model. Any change to the member attributes or relay server provisioning MUST result in updated managed object data. Instructions for populating the identity template are given in the following table:

XPath: /fragment/ManagedObject/Body/IdentityTemplate
Description: Identity template element.

XPath: /fragment/ManagedObject/Body/IdentityTemplate/@Flags
Description: MUST be one of the following values:
    1: Valid member if the member status is active or pending.
    3: Disabled member if the member status is disabled.

XPath: /fragment/ManagedObject/Body/IdentityTemplate/ManagementDomainMigration
Description: This element MUST be present if and only if the member's migration status is true.

XPath: /fragment/ManagedObject/Body/IdentityTemplate/ManagementDomainMigration/@ServerURL
Description: MUST be the member's migration server URL.

XPath: /fragment/ManagedObject/Body/Contact
Description: Contact element containing signed information about the member's vCard, relay and presence server assignments, and management domain information.

XPath: /fragment/ManagedObject/Body/Contact/VCard
Description: vCard element.

XPath: /fragment/ManagedObject/Body/Contact/VCard/@Data
Description: This base64-encoded UTF-8 string contains the member's vCard data in the following format:

    BEGIN:VCARD
    VERSION:2.1
    CS:UTF-8
    FN:[[- FN -]]
    N:[[- N -]]
    EMAIL;PREF;INTERNET:[[- EMAIL -]]
    TITLE:[[- ORG TITLE -]]
    ORG:[[- ORG -]]
    ADR;POSTAL;WORK:[[- ORG ADDRESS -]]
    TEL;WORK;VOICE:[[- ORG PHONE NUMBER -]]
    TEL;PAGER:[[- ORG CELL PHONE NUMBER -]]
    TEL;WORK;FAX:[[- ORG FAX NUMBER -]]
    END:VCARD

    [[- FN -]]: Member's full name.
    [[- EMAIL -]]: E-mail address of the member.
    [[- N -]]: If both the first name and the last name are present, this field MUST be created by concatenating the first name, a comma, and the last name. If only the last name is present, this field MUST be the last name.
    [[- ORG TITLE -]]: Member's title.
    [[- ORG -]]: Name of the organization the member belongs to.
    [[- ORG ADDRESS -]]: MUST be created by concatenating the member's Org Street 1, comma, Org Street 2, comma, Org City, comma, Org State, comma, Org Postal Code, comma, and Org Country.
    [[- ORG PHONE NUMBER -]]: Member's business phone number.
    [[- ORG CELL PHONE NUMBER -]]: Member's business cell phone number.
    [[- ORG FAX NUMBER -]]: Member's business fax number.

    The vCard is extensible by the client; the server processes only the preceding fields.

XPath: /fragment/ManagedObject/Body/Contact/RelayDevices
Description: This element and its subelements represent the relay servers provisioned to the member. The member's relay server set provides the information for this element.

XPath: /fragment/ManagedObject/Body/Contact/RelayDevices/RelayDevice
Description: There MUST be a relay device element for each relay server associated with the member's relay server set. The sequence number (RSG Sequence) of the relay server governs the order of relay devices.

XPath: /fragment/ManagedObject/Body/Contact/RelayDevices/RelayDevice/@AuthorizationToken
Description: MUST be the member's pre-authentication token.

XPath: /fragment/ManagedObject/Body/Contact/RelayDevices/RelayDevice/@Certificate
Description: MUST be the relay server's SSTP certificate.

XPath: /fragment/ManagedObject/Body/Contact/RelayDevices/RelayDevice/@URL
Description: MUST be the relay server's device URL.

XPath: /fragment/ManagedObject/Body/Contact/PresenceDevices
Description: This element and its subelements represent the relay servers provisioned to the member. The member's relay server set provides the information for this element.
    PresenceDevices and RelayDevices MUST specify the same devices in the same order. Each element of these lists MUST have the identical URL, Certificate, and AuthorizationToken as the corresponding element of the other list.

XPath: /fragment/ManagedObject/Body/Contact/PresenceDevices/PresenceDevice
Description: There MUST be a presence server device element for each relay server associated with the member's relay server set. The sequence number (RSG Sequence) of the relay server governs the order of presence server devices.

XPath: /fragment/ManagedObject/Body/Contact/PresenceDevices/PresenceDevice/@URL
Description: MUST be the relay server's device URL.

XPath: /fragment/ManagedObject/Body/Contact/PresenceDevices/PresenceDevice/@Certificate
Description: MUST be the relay server's SSTP certificate.

XPath: /fragment/ManagedObject/Body/Contact/PresenceDevices/PresenceDevice/@AuthorizationToken
Description: MUST be the member's pre-authentication token.

XPath: /fragment/ManagedObject/Body/Contact/CustomFields
Description: This element MUST be present only for a member who has finished the enrollment process.

XPath: /fragment/ManagedObject/Body/Contact/CustomFields/@_95_95Affiliation
Description: MUST be the member's affiliation attribute as defined in section 3.2.5.1.5.

XPath: /fragment/ManagedObject/Body/Contact/CustomFields/@_95_95_95Affiliation_95Flags
Description: This value MUST be 0x4000000.

XPath: /fragment/ManagedObject/Body/Origin
Description: This element MUST be present for a member who has finished the enrollment process. The element data is copied from the member's contact security.

XPath: /fragment/ManagedObject/Body/Origin/ManagementDomain
Description: This element MUST be present for a member who has finished the enrollment process. The element data is copied from the member's contact security.

XPath: /fragment/ManagedObject/Body/Contact/Certificate
Description: This element MUST be present for a member who has finished the enrollment process and whose management domain is not using Enterprise PKI.

XPath: /fragment/ManagedObject/Body/Contact/Certificate/@ExpirationDate
Description: MUST be the certificate expiration date in milliseconds since midnight 01/01/1970.

XPath: /fragment/ManagedObject/Body/Contact/Certificate/@SignerAddress
Description: MUST be the server URL of the management server.

XPath: /fragment/ManagedObject/Body/Contact/Certificate/@SignerKeyHash
Description: The value MUST be the SHA1 hash of the DER-encoded signature public key from the domain certificate.

XPath: /fragment/ManagedObject/Body/Contact/Certificate/@Signature
Description: The management server MUST implement the following rules to generate the signature:
    • The contact element MUST only contain the following elements:
        • vCard element
        • CustomFields element
        • Origin element
        • ManagementDomain element
        • Certificate element
    • Serialize the contact element as XML, with UTF-8 encoding and sorted attributes.
    • Compute the SHA1 hash of the serialized contact element.
    • Generate the signature by signing the SHA1 hash with the signature private key from the domain's certificate using the RSA algorithm.
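An added example (not the protocol's code) for the VCard/@Data row above: it builds the member's vCard text from the stated rules, including the N and ADR concatenation rules, base64-encodes it as UTF-8, and parses an incoming Data value back while ignoring any client-added properties, which is the "server processes only the preceding fields" behaviour. The member field names, the sample member and the CRLF line ending are assumptions.

```python
import base64

# Added example, not part of the specification. The member dict keys below
# mirror the attribute names used in the table and are an assumption; the
# member itself is constructed sample data. CRLF line endings are assumed.
SAMPLE_MEMBER = {
    "full_name": "Ada Lovelace",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "email": "ada@example.invalid",
    "org_title": "Analyst",
    "org": "Example Corp",
    "org_street1": "1 Engine Way",
    "org_street2": "",
    "org_city": "London",
    "org_state": "",
    "org_postal_code": "N1 1AA",
    "org_country": "UK",
    "org_phone": "+44 20 0000 0000",
    "org_cell_phone": "+44 7000 000000",
    "org_fax": "",
}

# The property names the server recognises; anything else in a client
# supplied vCard is ignored.
KNOWN_PROPERTIES = {
    "FN", "N", "EMAIL;PREF;INTERNET", "TITLE", "ORG", "ADR;POSTAL;WORK",
    "TEL;WORK;VOICE", "TEL;PAGER", "TEL;WORK;FAX",
}

def vcard_n(member):
    """N rule: 'first,last' when both are present, otherwise just the last name."""
    first, last = member.get("first_name", ""), member.get("last_name", "")
    return f"{first},{last}" if first and last else last

def vcard_adr(member):
    """ADR rule: the six Org address parts joined by commas, in the stated order."""
    keys = ("org_street1", "org_street2", "org_city",
            "org_state", "org_postal_code", "org_country")
    return ",".join(member.get(k, "") for k in keys)

def build_vcard(member):
    """The vCard text in the format given in the table."""
    lines = [
        "BEGIN:VCARD",
        "VERSION:2.1",
        "CS:UTF-8",
        f"FN:{member['full_name']}",
        f"N:{vcard_n(member)}",
        f"EMAIL;PREF;INTERNET:{member.get('email', '')}",
        f"TITLE:{member.get('org_title', '')}",
        f"ORG:{member.get('org', '')}",
        f"ADR;POSTAL;WORK:{vcard_adr(member)}",
        f"TEL;WORK;VOICE:{member.get('org_phone', '')}",
        f"TEL;PAGER:{member.get('org_cell_phone', '')}",
        f"TEL;WORK;FAX:{member.get('org_fax', '')}",
        "END:VCARD",
    ]
    return "\r\n".join(lines) + "\r\n"

def encode_vcard_text(text):
    """@Data value: base64 of the UTF-8 encoded vCard text."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def encode_vcard_data(member):
    return encode_vcard_text(build_vcard(member))

def parse_vcard_data(data_b64):
    """Decode a @Data value and return only the recognised properties.
    Raises ValueError on a malformed block; unknown properties are dropped."""
    text = base64.b64decode(data_b64).decode("utf-8")
    lines = [line for line in text.splitlines() if line]
    if not lines or lines[0] != "BEGIN:VCARD" or lines[-1] != "END:VCARD":
        raise ValueError("not a BEGIN:VCARD ... END:VCARD block")
    fields = {}
    for line in lines[1:-1]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"property without a value: {line!r}")
        if name in KNOWN_PROPERTIES:
            fields[name] = value
    return fields
```

`parse_vcard_data` is the server-side counterpart: it accepts the extended vCards the table permits clients to send but never lets an unrecognised property reach the rest of the pipeline.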

Identity Policy

Section 2.2.2.2.10.7 defines the schema for this managed object.

Passphrase Policy

Section 2.2.2.2.10.8 defines the schema for this managed object. The management server MUST implement the following rules for constructing the "vector" attribute value:

  • The value MUST be a comma-separated list of integers.

  • Each integer's string representation MUST be between 1 and 9 characters long.

  • The final integer MUST NOT be followed by anything (for example, there is no comma after the final integer).

  • The client uses the number of failed logon attempts as an index into this array of integers. Negative elements of this array are ignored for this purpose.

  • Integer values MUST be positive, nonzero, and monotonically increasing.

  • Each value specifies the delay in seconds that the client waits before allowing the next logon attempt after a failed attempt.

  • If the number of failed logon attempts exceeds the size of the vector, the last positive entry is used.

  • Negative integer values are allowed as follows:

    • Each negative value MUST occur no more than once.

    • A value of -1 specifies that the client is to lock out the account (once the number of failed logon attempts is greater than the index of this value). If the value -1 is present in a list, it MUST be the last value in the list.

    • A value of -3 specifies that the client SHOULD display a message about the delay caused by failed logon attempts (once the number of failed logon attempts is greater than the index of this value).

    • All other negative values are reserved and MUST NOT be used.
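An added example (not the protocol's code) that validates a "vector" value against the rules above and computes the client-side outcome for a given number of failed attempts, covering the -1 lockout and -3 message cases. The 1-based mapping of failed attempts onto the positive delays (first failure uses the first positive entry) and the non-strict reading of "monotonically increasing" are this example's assumptions.

```python
import re

# Added example, not part of the specification. Attempt counting is 1-based
# here (first failed attempt -> first positive delay), an assumption.
INTEGER = re.compile(r"-?[0-9]+")
ALLOWED_NEGATIVES = {-1, -3}   # every other negative value is reserved

def parse_vector(vector: str) -> list:
    """Return the integer list, or raise ValueError naming the violated rule."""
    if vector == "" or vector.endswith(","):
        raise ValueError("vector must be non-empty and must not end with a comma")
    values = []
    for item in vector.split(","):
        if not INTEGER.fullmatch(item):
            raise ValueError(f"not an integer: {item!r}")
        if not 1 <= len(item) <= 9:
            raise ValueError(f"integer text must be 1 to 9 characters: {item!r}")
        values.append(int(item))
    if 0 in values:
        raise ValueError("zero is not allowed")
    positives = [v for v in values if v > 0]
    if not positives:
        raise ValueError("at least one positive delay is required")
    if any(b < a for a, b in zip(positives, positives[1:])):
        raise ValueError("positive delays must increase monotonically")
    negatives = [v for v in values if v < 0]
    if len(negatives) != len(set(negatives)):
        raise ValueError("each negative value may occur only once")
    for v in negatives:
        if v not in ALLOWED_NEGATIVES:
            raise ValueError(f"reserved negative value {v}")
    if -1 in values and values[-1] != -1:
        raise ValueError("-1 must be the last value")
    return values

def is_valid_vector(vector: str) -> bool:
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False

def client_response(values, failed_attempts: int):
    """What the client does after failed_attempts consecutive failures:
    (locked_out, delay_seconds or None, show_delay_message)."""
    if failed_attempts < 1:
        raise ValueError("called only after at least one failed attempt")
    # -1 and -3 trigger once the failure count exceeds their index in the full list.
    locked = -1 in values and failed_attempts > values.index(-1)
    show = -3 in values and failed_attempts > values.index(-3)
    if locked:
        return True, None, show
    positives = [v for v in values if v > 0]      # negatives ignored for indexing
    idx = failed_attempts - 1
    delay = positives[idx] if idx < len(positives) else positives[-1]
    return False, delay, show
```

With the vector "5,10,-3,20,-1" the client delays 5 s, 10 s and 20 s after the first three failures, starts showing the delay message from the third failure, keeps the 20 s delay on the fourth, and locks the account on the fifth.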

Step 3: Securing the Managed Object

Section 2.2.2.2.13 defines the content of the security element. Instructions for populating the security element are given in the following table:

XPath: /ObjectSignatureType/@Fingerprint
Description: This value is reserved and MUST be set to zero.

XPath: /ObjectSignatureType/@Value
Description: To compute this value, the management server MUST implement the following rules:
    1. Delete the "urn:groove.net:Signatures" element from the managed object.
    2. Serialize the managed object as XML, with UTF-8 encoding and sorted attributes.
    3. Compute the SHA1 hash of the serialized object.
    4. Sign the hash computed in the preceding step with the domain's signature private key.
    5. Set this attribute to the signed hash.
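The following Python is an added example, not the protocol's own code, and serves both the Contact/Certificate/@Signature rules in Step 2 and the ObjectSignatureType/@Value rules above: serialization with sorted attributes, removal of the urn:groove.net:Signatures element (or, for the contact, of everything but the five permitted children), SHA1 over the bytes, and an RSA signature over the digest with a matching verification. All element and attribute names except the Signatures namespace, the attribute encoding of the signature, and the key are assumptions; the key is a toy built from two Mersenne primes with raw (unpadded) signing, so it demonstrates the steps only, and a real server would use a proper RSA library with a full-size key.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Added example, not the protocol's code. Element and attribute names other
# than the "urn:groove.net:Signatures" namespace are assumptions, and the
# RSA key below is a toy for demonstration only.
SIGNATURES_NS = "urn:groove.net:Signatures"
CONTACT_SIGNED_CHILDREN = ("VCard", "CustomFields", "Origin", "ManagementDomain", "Certificate")

def serialize_sorted(elem) -> str:
    """XML text with attributes emitted in sorted order; a Clark-notation tag
    '{uri}local' is written as <local xmlns="uri" ...>."""
    if elem.tag.startswith("{"):
        uri, local = elem.tag[1:].split("}", 1)
        attrs = {"xmlns": uri, **elem.attrib}
    else:
        local, attrs = elem.tag, dict(elem.attrib)
    out = ["<", local]
    for name in sorted(attrs):
        out.append(f" {name}={quoteattr(attrs[name])}")
    children = list(elem)
    text = escape(elem.text or "")
    if not children and not text:
        out.append("/>")
        return "".join(out)
    out.append(">" + text)
    for child in children:
        out.append(serialize_sorted(child) + escape(child.tail or ""))
    out.append(f"</{local}>")
    return "".join(out)

def contact_signing_input(contact) -> bytes:
    """Contact signature rules: keep only the five permitted children, then
    serialize as UTF-8 with sorted attributes."""
    work = ET.Element(contact.tag, dict(contact.attrib))
    for child in contact:
        if child.tag in CONTACT_SIGNED_CHILDREN:
            work.append(copy.deepcopy(child))
    return serialize_sorted(work).encode("utf-8")

def object_signing_input(managed_object) -> bytes:
    """Steps 1 and 2 for @Value: drop the Signatures element, then serialize."""
    work = copy.deepcopy(managed_object)
    for child in list(work):
        if child.tag.startswith("{" + SIGNATURES_NS + "}"):
            work.remove(child)
    return serialize_sorted(work).encode("utf-8")

# Toy RSA key from two Mersenne primes: the ~196-bit modulus holds a 160-bit
# SHA1 digest, but it is far too small for real use and signing is raw.
TOY_P = (1 << 89) - 1
TOY_Q = (1 << 107) - 1
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))

def sign_sha1(data: bytes, d=TOY_D, n=TOY_N) -> int:
    """Steps 3 and 4: SHA1 the serialized bytes, sign the digest with the private key."""
    digest = hashlib.sha1(data).digest()
    return pow(int.from_bytes(digest, "big"), d, n)

def verify_sha1(data: bytes, signature: int, e=TOY_E, n=TOY_N) -> bool:
    """Receiver side: recompute the digest and compare with the recovered value."""
    digest = hashlib.sha1(data).digest()
    return pow(signature, e, n) == int.from_bytes(digest, "big")

def sample_managed_object():
    """Constructed object: header, body with a Contact, no signature yet."""
    obj = ET.Element("ManagedObject")
    ET.SubElement(obj, "Header", {"ReplacementPolicy": "$Always",
                                  "Name": "grooveIdentity://member-guid"})
    body = ET.SubElement(obj, "Body")
    contact = ET.SubElement(body, "Contact")
    ET.SubElement(contact, "VCard", {"Data": "QkVHSU46VkNBUkQ="})
    ET.SubElement(contact, "RelayDevices")      # not part of the contact signature
    ET.SubElement(contact, "Certificate", {"SignerAddress": "https://ms.example.invalid/"})
    return obj

def sign_object(obj) -> int:
    """Step 5: compute @Value and attach it in a Signatures element
    (decimal text is this example's encoding; Fingerprint is reserved as zero)."""
    sig = sign_sha1(object_signing_input(obj))
    ET.SubElement(obj, "{%s}Signatures" % SIGNATURES_NS,
                  {"Value": str(sig), "Fingerprint": "0"})
    return sig
```

Because the Signatures element is stripped before serialization, `object_signing_input` yields the same bytes before and after `sign_object` runs, which is what lets a receiver re-derive the digest; any change to the serialized bytes, including attribute order if a receiver fails to sort, makes verification fail.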