8 replies Latest Post - ‏2013-02-08T00:12:36Z by SystemAdmin
SystemAdmin
2327 Posts

Pinned topic App Authentication

‏2013-01-22T07:54:43Z |
I am studying auto-provisioning, a new feature in 5.0.

I made an Android app (no security test, signed app, included <publicSigningKey>) and uploaded it to the app center. When I uploaded it, I could see the "App Authentication" field on the WL Console. Its value was "Enable, blocking".

After I downloaded it onto my own device, I started the downloaded app. I could see the app being blocked. When I changed the value (Enable, Servicing), it was working.

I want to pass the authentication step. Please let me know what I should do for authentication to succeed.

And I am wondering about auto provisioning. I read the Authentication section (20 ~ 25) in Getting Started.
WL version: 5.0.5
App : Android 4.0.2
Test Device: Android smartphone

  • IdanAdar
    741 Posts

    Re: App Authentication

    ‏2013-01-23T05:46:41Z  in response to SystemAdmin
    Authenticity in the Information Center: http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m5/topic/com.ibm.worklight.help.doc/admin/c_controlling_authenticity_testing.html

    These are the steps to make the Authenticity feature work. I am basing these steps on a new application with default settings; for a custom application you may need some extra tinkering, depending on how it is set up...

    1. Create a new Worklight project and application
    2. Uncomment the securityTests element in projectName\apps\appName\server\conf\authenticationConfig.xml
    3. Add the Android environment
    4. Add securityTest='customTests' to the android element in projectName\apps\appName\application-descriptor.xml
    5. Right-click on the android folder and choose Extract public signing key

    ^ Here you need to either create your own keystore, or for the sake of the example, use Google's provided keystore.
    Google's provided key is located at: C:\Users\your-user\.android\debug.keystore; the password is 'android'.

    6. Build All and Deploy

    ^ This will save the authenticity key in the database
    Note: if using your own keystore, you must then export the app, signed, using your keystore. This is done by right-clicking on the generated Android project >> Android Tools >> Export signed application package, followed by installing the app

    7. Launch app on device

    The authenticity check should now pass when set to "Enabled, Blocking".

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
    • SystemAdmin
      2327 Posts

      Re: App Authentication

      ‏2013-01-24T06:04:14Z  in response to IdanAdar
      I tried to do as you described.

      But I haven't resolved it yet.

      <step 1> I created a new project

      <step 2> I removed the comment. I ignored the customSecurityTest, mobileSecurityTest and webSecurityTest elements.

      • my sample -
      <securityTests>
      <!--
      <customSecurityTest name="WorklightConsole">
      <test realm="WorklightConsole" isInternalUserID="true"/>
      </customSecurityTest>

      <mobileSecurityTest name="mobileTests">
      <testAppAuthenticity/>
      <testDeviceId provisioningType="none" />
      <testUser realm="myMobileLoginForm" />
      </mobileSecurityTest>

      <webSecurityTest name="webTests">
      <testUser realm="myWebLoginForm"/>
      </webSecurityTest>
      -->

      <customSecurityTest name="customTests">
      <test realm="wl_antiXSRFRealm" step="1"/>
      <test realm="wl_authenticityRealm" step="1"/>
      <test realm="wl_remoteDisableRealm" step="1"/>
      <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
      <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
      </customSecurityTest>
      </securityTests>

      <step 3> Added a new Android environment

      <step 4> I added a new attribute (securityTest='customTests') to the android element.
      • my sample -
      <android version="1.0" securityTest='customTests'>
      <worklightSettings include="true"/>
      <security>
      <encryptWebResources enabled="false"/>
      <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
      <publicSigningKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ... XXXXX ...MHa3e5DiK7F5An7a6WIpOyS3WwIDAQAB</publicSigningKey>
      </security>
      </android>
      <worklightServerRootURL>http://AAA.AA.AA.AA:BBBB/worklight</worklightServerRootURL>

      <step 5> I tried all of the cases.
      1) my own key
      2) google's key

      <step 6> Run as > build and deploy.

      <step 7> I did the signing process (Android Tools > Export Signed Application Package)

      <step 8> I downloaded the new package (signed APK) onto my own device.
      But I can't pass the authentication step.
  • IdanAdar
    741 Posts

    Re: App Authentication

    ‏2013-01-24T06:17:48Z  in response to SystemAdmin
    I see that you have added a context (/worklight) to the worklightServerRootURL address;
    Are you using the Developer Edition or Consumer Edition?

    If you are using the developer edition, remove the context and try again.

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
    • ozair
      15 Posts

      Re: App Authentication

      ‏2013-02-05T23:06:56Z  in response to IdanAdar
      I am also running into issues getting the authenticity check in Android to work. I followed the instructions as were posted. I am running WL 5.0.5.1 with an Android environment.

      I was able to capture the init request which was causing the failure for the application to load:

      Request

      http://host:port/worklight/apps/services/api/MyApp/android/init

      Response

      +/*-secure-.{"challenges":{"wl_authenticityRealm":{"WL-Challenge-Data":"ruo2uaf6gk9ucnqdbkql3m56rm+18.542-8.464-12.591-28.283-32.916-38.088-18.498-33.868-5.72-40.204-5.185-26.933"},"wl_antiXSRFRealm":{"WL-Instance-Id":"f8p8bdd036j8s6n941u5l10l7s"}},"WL-Authentication-Success":{"wl_anonymousUserRealm":{"userId":"21e0b33f-7783-4378-8ed7-cbd501937b51","attributes":{},"isUserAuthenticated":1,"displayName":"21e0b33f-7783-4378-8ed7-cbd501937b51"},"wl_remoteDisableRealm":{"userId":"NullLoginModule", "attributes":{}, "isUserAuthenticated":1,"displayName":"NullLoginModule"}}}*/....+
      AuthenticationConfig.xml

      <tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Sample security tests
      Even if not used there will be some default webSecurityTest and mobileSecurityTest
      Attention: if using <testAppAuthenticity/> test below, <publicSigningKey> element must be added to application-descriptor.xml as well. -->

      <securityTests>
      <mobileSecurityTest name="mobileTests">
      <testUser realm="WASLTPARealm" />
      </mobileSecurityTest>

      <customSecurityTest name="customTests">
      <test realm="wl_antiXSRFRealm" step="1"/>
      <test realm="wl_authenticityRealm" step="1"/>
      <test realm="wl_remoteDisableRealm" step="1"/>
      <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
      <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
      </customSecurityTest>
      </securityTests>

      <realms>

      <!-- For websphere -->
      <realm name="WASLTPARealm" loginModule="WASLTPAModule">
      <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
      <parameter name="login-page" value="/login.html"/>
      <parameter name="error-page" value="/loginError.html"/>
      </realm>
      </realms>

      <loginModules>
      <!-- For websphere -->
      <loginModule name="WASLTPAModule">
      <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
      </loginModule>
      </loginModules>

      </tns:loginConfiguration>

      Thanks

      Ozair
      • ozair
        15 Posts

        Re: App Authentication

        ‏2013-02-05T23:11:06Z  in response to ozair
        One correction to authenticationConfig.xml

        <mobileSecurityTest name="mobileTests">
        <testAppAuthenticity/>
        <testUser realm="WASLTPARealm"/>
        </mobileSecurityTest>
  • IdanAdar
    741 Posts

    Re: App Authentication

    ‏2013-02-06T03:46:06Z  in response to SystemAdmin
    Please provide the full steps you have taken...

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
    • ozair
      15 Posts

      Re: App Authentication

      ‏2013-02-06T18:34:30Z  in response to IdanAdar
      Hi Idan,

      I created a sample Worklight app with an Android environment and customTests security tests, following your steps, and it works :) ... however, my existing app with LTPA security enabled is not working, so I am trying to understand how to debug my issue. I noticed that the Worklight console allows you to specify authenticity checking for your deployed app as long as you reference an existing securityTest. I did not think I needed to use the out-of-the-box customTests. When trying to use the mobileTests below with my LTPA realm and testAppAuthenticity enabled (snippet below), I get the following error:

      authenticationConfig.xml

      <mobileSecurityTest name="mobileTests">
      <testAppAuthenticity/>
      <testUser realm="WASLTPARealm" />
      </mobileSecurityTest>

      Error from init call

      *-secure-
      {"WL-Authentication-Failure":{"wl_authenticityRealm":{"reason":"missing shared data required for authenticity test"}}}*/

      Below are my configuration steps:
      ==================================

      Using WL 5.0.5.1 Enterprise edition with DB2 9.7

      1. Created Worklight project and app
      2. Created Worklight environment for Android and Mobile
      3. Created security test mobileTest and customTests
      4. In application-descriptor.xml, added securityTest=customTests and publicSigningKey value

      <android version="1.0" securityTest="customTests">
      <worklightSettings include="true"/>
      <security>
      <encryptWebResources enabled="false"/>
      <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
      <publicSigningKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplCGk9PRlZRPCI3hKu58TFh2r/HTTwO2+Mj64xZl6oXBYBhziA0PhMhqrk5ROW4VQm4I58FaryDY2VF0amPP2/MNeVY2N/9+Wb5xWSpjqoZxQ5Z6bgumbz0ueBOmG4ylbdTIkjt6/yEdd1wXDhaEEcCzmx9nvRloEjqakutFKxfMepzJHKPFGxIHoDVNs4sR1xJaSdeyUdBF9A9Fq6JDull/en8HRhHoe+YYwgwqG2pKln/0FB48DRMkoBcBbK/zxpk6Zs1+PjOTMYL9w34kNv24NQxoX2Lmv1qu92Ke5Yv0O6tz1pIEdihYkuxklLtxBD9RGZgpA5FOUcBN8ymWXQIDAQAB</publicSigningKey>
      </security>
      </android>

      <worklightServerRootURL>http://host:port/MyURI</worklightServerRootURL>

      5. Changed the authenticationConfig on my server (/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/installedApps/localhostCell01/MyApp_war.ear/MyApp.war/WEB-INF/classes/conf)

      <tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <securityTests>
      <mobileSecurityTest name="mobileTests">
      <testAppAuthenticity/>
      <testUser realm="WASLTPARealm" />
      </mobileSecurityTest>

      <customSecurityTest name="customTests">
      <test realm="wl_antiXSRFRealm" step="1" />
      <test realm="wl_authenticityRealm" step="1" />
      <test realm="wl_remoteDisableRealm" step="1" />
      <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1" />
      <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2" />
      </customSecurityTest>
      </securityTests>

      <realms>
      <!-- For websphere -->
      <realm name="WASLTPARealm" loginModule="WASLTPAModule">
      <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
      <parameter name="login-page" value="/login.html" />
      <parameter name="error-page" value="/loginError.html" />
      </realm>

      </realms>

      <loginModules>
      <loginModule name="WASLTPAModule">
      <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
      </loginModule>

      </loginModules>

      </tns:loginConfiguration>
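
A consistency check for the two files discussed in this thread, added here as an example (it is not part of any post and is not Worklight code): it confirms that the securityTest named on the android element is defined in authenticationConfig.xml, that it includes the authenticity check, and that <publicSigningKey> decodes as base64 DER. Element and realm names are taken from the posts above; the function names, the loginOnly test and the sample XML with its placeholder key are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

AUTH_REALM = "wl_authenticityRealm"  # realm name as posted in the thread

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace: '{ns}name' -> 'name'

def authenticity_by_test(auth_config_xml):
    """Map each security test name to True if it includes the authenticity check."""
    found = {}
    for el in ET.fromstring(auth_config_xml).iter():
        if local(el.tag) == "mobileSecurityTest":
            found[el.get("name")] = any(local(c.tag) == "testAppAuthenticity" for c in el)
        elif local(el.tag) == "customSecurityTest":
            found[el.get("name")] = any(c.get("realm") == AUTH_REALM for c in el)
    return found

def check_environment(descriptor_xml, auth_config_xml, env="android"):
    """Return findings for one environment; an empty list means the files agree."""
    tests = authenticity_by_test(auth_config_xml)  # commented-out tests are not seen
    node = next((e for e in ET.fromstring(descriptor_xml).iter() if local(e.tag) == env), None)
    if node is None:
        return [f"no <{env}> element in the descriptor"]
    name = node.get("securityTest")
    if name not in tests:
        return [f"securityTest {name!r} is not defined in the authentication config"]
    if not tests[name]:
        return [f"securityTest {name!r} does not include the authenticity check"]
    key = next((e.text or "" for e in node.iter() if local(e.tag) == "publicSigningKey"), "")
    try:
        der = base64.b64decode("".join(key.split()), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        der = b""
    # Shape check only (DER starts with a SEQUENCE tag, 0x30); it does not prove the key matches the APK signer.
    if not der.startswith(b"\x30"):
        return ["publicSigningKey is missing or is not base64-encoded DER"]
    return []

# Constructed sample input; the key used below is a placeholder DER blob, not a real key.
AUTH_CONFIG = """<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"><securityTests>
  <!-- <mobileSecurityTest name="mobileTests"><testAppAuthenticity/></mobileSecurityTest> -->
  <mobileSecurityTest name="loginOnly"><testUser realm="WASLTPARealm"/></mobileSecurityTest>
  <customSecurityTest name="customTests"><test realm="wl_authenticityRealm" step="1"/></customSecurityTest>
</securityTests></tns:loginConfiguration>"""
DESCRIPTOR = """<application><android version="1.0" securityTest="%s"><security>
  <publicSigningKey>%s</publicSigningKey></security></android></application>"""

if __name__ == "__main__":
    print([check_environment(DESCRIPTOR % (t, "MAMCAQU="), AUTH_CONFIG) for t in ("customTests", "mobileTests")])
```
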
      • SystemAdmin
        2327 Posts

        Re: App Authentication

        ‏2013-02-08T00:12:36Z  in response to ozair
        Note: IBM forums are in the process of migrating to a new format. During migration the forums will be frozen and in read-only mode. If you wish to continue this thread discussion please post it on stackoverflow, where the Worklight team and others can respond.

        See the Forum Migration announce post for more details. Thank you.

        Barbara Hampson, Manager, IBM Worklight