Using WebSphere DataPower as a push notification proxy for Worklight mobile applications

IBM® WebSphere® DataPower® Appliances are built for simplified deployment and hardened security, bridging multiple protocols, and performing conversions at wire speed. These capabilities help you achieve and maintain security and operational policies. Often used as a reverse proxy and security gateway for handling inbound traffic into an enterprise, DataPower can also be used as a gateway for outbound connections to facilitate monitoring and routing. IBM Worklight® makes outbound connections to notification mediators in order to push notifications for mobile applications. This article explains how you can set up DataPower to act as a push notification proxy. This content is part of the IBM WebSphere Developer Technical Journal.


Thejaswini Ramachandra (thejaswini@in.ibm.com), Advisory Software Engineer, IBM

Thejaswini Ramachandra is an Advisory Software Engineer in the IBM Worklight Product Development group. During her twelve years of experience with IBM, she has worked across SWG, STG and Research groups in the areas of SOA, Business Process Modeling, Model Driven Architecture and now in Mobile. She has presented at several conferences and has international publications to her credit.



Jerry Reghunadh, Staff Software Engineer, IBM

Jerry M. Reghunadh is a Staff Software Engineer with IBM Software Labs, India. Jerry joined IBM in 2008 and is currently part of the IBM Worklight team. His primary area of expertise is with Quality Assurance and Control, SOA, XML and Automation. Apart from his regular work, he extends his expertise in WSRR and DataPower by helping IBM Tech Sales and Lab Services in their customer engagements. Before joining Worklight, Jerry was a part of the DataPower development team for XB60 and XI50 appliances, the WebSphere Quick Connect Appliance team (the current Cast Iron team), IBM SOA Policy Pattern, and WebSphere Service Registry and Repository. He has also worked as a DataPower Deployment Architect for a customer.



26 February 2014


Introduction

IBM WebSphere DataPower SOA Appliances are built for simplified deployment and hardened security, bridging multiple protocols, and performing conversions at wire speed. These capabilities help an organization to achieve and maintain its security and operational policies.

DataPower can act as a reverse proxy and security gateway for handling inbound traffic into an enterprise. In addition, there have also been client requirements where corporate policy mandates that all outbound connections be made through a gateway to facilitate monitoring and routing. DataPower can also be used as a gateway for such a requirement.

IBM Worklight makes outbound connections to notification mediators — APNS (Apple Push Notification Service) and GCM (Google Cloud Messaging servers) — in order to push notifications for mobile applications. Hence, DataPower should be able to act as a proxy between IBM Worklight Server and APNS/GCM.

This article explains how you can set up DataPower to act as a push notification proxy.


Configuring DataPower as a GCM proxy

There are two possible DataPower configurations that would enable it to act as a GCM proxy for Worklight: a TCP proxy configuration and a web application firewall configuration.

TCP proxy

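A TCP (Transmission Control Protocol) proxy acts as a proxy at the TCP layer. It uses a TCP connection to relay all traffic that is received on a specified local address to a specified remote peer. Because the traffic is relayed without being decrypted, the SSL session is still negotiated between Worklight Server and the remote host.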

A. DataPower configuration

  1. Log in to the DataPower appliance.
  2. Navigate to Services > Other Services, click TCP Proxy Service and click Add.
  3. Provide a name with which you can identify the configuration.
  4. Enter these configuration details:
    • Local IP Address: Select the correct alias or leave it at the default value (0.0.0.0)
    • Port Number: 443
    • Remote Host: android.googleapis.com
    • Remote Port: 443
  5. Click Apply.
  6. Save the configuration.

B. Worklight Server configuration

  1. Edit the hosts file of the Worklight Server machine. The hosts file is located at:
    • Linux: /etc/hosts
    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    In the line:

    <ip address of datapower> android.googleapis.com

    replace <ip address of datapower> with the actual IP address.

  2. The notification proxy settings in the worklight.properties file do not need to be modified.
  3. Restart Worklight Server.

Web application firewall

A. DataPower configuration

  1. Log in to the DataPower appliance.
  2. Create a key-certificate pair with CN value android.googleapis.com:
    1. Navigate to Administration > Miscellaneous and click Crypto Tools.
    2. Under the Generate Key tab, enter android.googleapis.com as the value for Common Name (CN).
    3. Select Export private key if you plan to export the private key later.
  3. Create a Crypto Identification Credential:
    1. Navigate to Objects > Crypto Configuration and click Crypto Identification Credentials.
    2. Click Add.
    3. Provide a name with which you can identify the crypto identification credential later.
    4. For the Crypto Key and Certificate, select the key and certificate generated at step 2 from the drop-down menu.
    5. Click Apply.
  4. Create a Crypto Profile:
    1. Navigate to Objects > Crypto Configuration and click Crypto Profile.
    2. Click Add.
    3. Provide a name with which you can identify the crypto profile later.
    4. For Identification Credentials, select the identification credential created at step 3 from the drop-down menu.
    5. Click Apply.
  5. Create a web application firewall:
    1. Go to Control Panel > Web Application Firewall and click Add Wizard.
    2. Click Add.
    3. Provide a name with which you can identify the web application firewall later.
    4. Click Next.
    5. Under Back End (Server) Information, enter these values:
      • Remote Host: android.googleapis.com
      • Remote Port: 443
      • Select the checkbox for SSL after the screen refreshes and select the crypto profile from step 4.
      • Click Next.
    6. Under Front End (Client-Facing) Information:
      • For IP, select the correct alias or leave it at the default value (0.0.0.0).
      • Select the checkbox for SSL and click Add.
      • After the screen refreshes, select the crypto profile from step 4.
    7. Click Next until you reach the Confirm Your Changes and Commit panel and click Commit.
    8. If you wish to see the configuration, click View Web Application Firewall, otherwise click Done.
  6. Save the configuration.

B. Worklight Server configuration

The certificate that is being used by DataPower, above, is a self-signed one. Unless that certificate is added to the JRE keystore used by Worklight, connections to DataPower will fail.

  1. To add the self-signed certificate into the JRE keystore, follow these instructions from the Worklight Information Center.
  2. Edit the hosts file of the Worklight Server machine. The hosts file is located at:
    • Linux: /etc/hosts
    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    In the line:

    <ip address of datapower> android.googleapis.com

    replace <ip address of datapower> with the actual IP address.

  3. The notification proxy settings in worklight.properties do not need to be modified.
  4. Restart the Worklight Server.

Configuring DataPower as an APNS proxy

A. DataPower configuration

  1. Log in to the DataPower appliance.
  2. Navigate to Services > Other Services, click TCP Proxy Service and click Add.
  3. Provide a name with which you can identify the configuration.
  4. Enter these configuration details:
    • Local IP Address: Select the correct alias or leave it at the default value (0.0.0.0)
    • Port Number: 2195
    • Remote Host: gateway.sandbox.push.apple.com
    • Remote Port: 2195
  5. Click Apply.
  6. Save the configuration.

B. Worklight Server configuration

  1. Edit the hosts file of the Worklight Server machine. The hosts file is located at:
    • Linux: /etc/hosts
    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    In the line:

    <ip address of datapower> gateway.sandbox.push.apple.com

    replace <ip address of datapower> with the actual IP address.

  2. The notification proxy settings in the worklight.properties file do not need to be modified.
  3. Restart the Worklight Server.
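
The hosts-file override is the step in all three procedures above (GCM TCP proxy, GCM web application firewall, APNS) that actually redirects Worklight's push traffic, so it is worth auditing after each change. The following Python check is an added example, not part of the original article or of Worklight or DataPower; the function names, the sample hosts file and the address 192.0.2.10 (standing in for the DataPower IP) are assumptions made for illustration.

```python
import ipaddress

# Hostnames this article redirects to DataPower through the hosts file.
PUSH_HOSTS = ("android.googleapis.com", "gateway.sandbox.push.apple.com")


def parse_hosts(text):
    """Return {hostname: [ip, ...]} in file order, skipping comments and bad lines."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table


def audit_push_overrides(text, datapower_ip, hosts=PUSH_HOSTS):
    """Classify each push hostname as 'ok', 'missing', 'wrong-ip' or 'conflict'."""
    expected = str(ipaddress.ip_address(datapower_ip))
    table = parse_hosts(text)
    report = {}
    for host in hosts:
        ips = table.get(host, [])
        if not ips:
            report[host] = "missing"    # no override: traffic bypasses the proxy
        elif len(set(ips)) > 1:
            report[host] = "conflict"   # more than one address for the same name
        elif ips[0] != expected:
            report[host] = "wrong-ip"   # name pinned to an unexpected address
        else:
            report[host] = "ok"
    return report


# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  android.googleapis.com   # DataPower GCM proxy
192.0.2.99  gateway.sandbox.push.apple.com
"""

if __name__ == "__main__":
    for host, status in audit_push_overrides(SAMPLE_HOSTS, "192.0.2.10").items():
        print(f"{host}: {status}")
```

A 'wrong-ip' or 'conflict' result matters because the hosts file decides where the server's push credentials and payloads are sent; anything other than the intended DataPower address should be investigated.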

Sending notifications from Worklight

Once the above configurations for Worklight and DataPower are complete, you can begin sending notifications from Worklight. For information about Worklight push notifications, see the Worklight Information Center.

See the Worklight Getting started documentation for a push notification example.

Be sure to check the DataPower and Worklight logs in case of any errors.


Conclusion

This article highlighted how IBM WebSphere DataPower Appliances can act as a reverse proxy and security gateway for handling outbound push notifications for an enterprise. The DataPower configurations detailed here act as a proxy between IBM Worklight Server and notification mediators, ensuring that corporate policies and security compliance requirements are met when outbound requests are made.
