Using WebSphere DataPower as a push notification proxy for Worklight mobile applications

IBM WebSphere DataPower SOA Appliances are built for simplified deployment and hardened security, bridging multiple protocols, and performing conversions at wire speed. These capabilities help an organization to achieve and maintain its security and operational policies.

DataPower can act as a reverse proxy and security gateway for handling inbound traffic into an enterprise. In addition, there have also been client requirements where corporate policy mandates that all outbound connections be made through a gateway to facilitate monitoring and routing. DataPower can also be used as a gateway for such a requirement.

IBM Worklight makes outbound connections to notification mediators — APNS (Apple Push Notification Service) and GCM (Google Cloud Messaging servers) — in order to push notifications for mobile applications. Hence, DataPower should be able to act as a proxy between IBM Worklight Server and APNS/GCM.

This article explains how you can set up DataPower to act as a push notification proxy.

Configuring DataPower as a GCM proxy

There are two possible DataPower configurations that would enable it to act as a GCM proxy for Worklight: a TCP proxy configuration and a web application firewall configuration.

TCP proxy

A TCP (Transmission Control Protocol) proxy acts as a proxy at the TCP layer. It uses a TCP connection to relay all traffic that is received on a specified local address to a specified remote peer.

A. DataPower configuration

  1. Log in to the DataPower appliance.
  2. Navigate to Services > Other Services, click TCP Proxy Service and click Add.
  3. Provide a name with which you can identify the configuration.
  4. Enter these configuration details:
    • Local IP Address: Select the correct alias or leave it at the default value (0.0.0.0)
    • Port Number: 443
    • Remote Host: android.googleapis.com
    • Remote Port: 443
  5. Click Apply.
  6. Save the configuration.

B. Worklight Server configuration

  1. Edit the hosts file of the Worklight Server machine. The host file is located at:
    • Linux: /etc/hosts
    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    In the line:

    <ip address of datapower> android.googleapis.com

    replace <ip address of datapower> with the actual IP address.

  2. The notification proxy settings in the worklight.properties file do not need to be modified.
  3. Restart Worklight Server.

Web application firewall

A. DataPower configuration

  1. Log in to the DataPower appliance.
  2. Create a key-certificate pair with CN value android.googleapis.com:
    1. Navigate to Administration > Miscellaneous and click Crypto Tools.
    2. Under the Generate Key tab, enter android.googleapis.com as the value for Common Name (CN).
    3. Select Export private key if you plan to export the private key later.
  3. Create a Crypto Identification Credential:
    1. Navigate to Objects > Crypto Configuration and click Crypto Identification Credentials.
    2. Click Add.
    3. Provide a name with which you can identify the crypto identification credential later.
    4. For the Crypto Key and Certificate, select the key and certificate generated at step 2 from the drop-down menu.
    5. Click Apply.
  4. Create a Crypto Profile:
    1. Navigate to Objects > Crypto Configuration and click Crypto Profile.
    2. Click Add.
    3. Provide a name with which you can identify the crypto profile later.
    4. For Identification Credentials, select the identification credential created at step 3 from the drop-down menu.
    5. Click Apply.
  5. Create a web application firewall:
    1. Go to Control Panel > Web Application Firewall and click Add Wizard.
    2. Click Add.
    3. Provide a name with which you can identify the web application firewall later.
    4. Click Next.
    5. Under Back End (Server) Information, enter these values:
      • Remote Host: android.googleapis.com
      • Remote Port: 443
      • Select the checkbox for SSL after the screen refreshes and select the crypto profile from step 4.
      • Click Next.
    6. Under Front End (Client-Facing) Information:
      • For IP, select the correct alias or leave it at the default value (0.0.0.0).
      • Select the checkbox for SSL and click Add.
      • After the screen refreshes, select the crypto profile from step 4.
    7. Click Next until you reach the Confirm Your Changes and Commit panel and click Commit.
    8. If you wish to see the configuration, click View Web Application Firewall, otherwise click Done.
  6. Save the configuration.

B. Worklight Server configuration

The certificate that is being used by DataPower, above, is a self-signed one. Unless that certificate is added to the JRE keystore used by Worklight, connections to DataPower will fail.

  1. To add the self-signed certificate into the JRE keystore, follow these instructions from the Worklight Information Center.
  2. Edit the hosts file of the Worklight Server machine. The host file is located at:
    • Linux: /etc/hosts
    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    In the line:

    <ip address of datapower> android.googleapis.com

    replace <ip address of datapower> with the actual IP address.

  3. The notification proxy settings in worklight.properties do not need to be modified.
  4. Restart the Worklight Server.

Configuring DataPower as an APNS proxy

A. DataPower configuration

  1. Log in to the DataPower appliance.
  2. Navigate to Services > Other Services, click TCP Proxy Service and click Add.
  3. Provide a name with which you can identify the configuration.
  4. Enter these configuration details:
    • Local IP Address: Select the correct alias or leave it at the default value (0.0.0.0)
    • Port Number: 2195
    • Remote Host: gateway.sandbox.push.apple.com
    • Remote Port: 2195
  5. Click Apply.
  6. Save the configuration.

B. Worklight Server configuration

  1. Edit the hosts file of the Worklight Server machine. The host file is located at:
    • Linux: /etc/hosts
    • Windows: %SystemRoot%\system32\drivers\etc\hosts

    In the line:

    <ip address of datapower> gateway.sandbox.push.apple.com

    replace <ip address of datapower> with the actual IP address.

  2. The notification proxy settings in the worklight.properties file do not need to be modified.
  3. Restart the Worklight Server.
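
The hosts-file overrides in the GCM and APNS Worklight Server steps above are what send push traffic to DataPower, so a missing or conflicting entry is worth catching before the restart. The following script is an added example, not part of the original article; the proxy address 192.0.2.10, the sample hosts content and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a hosts file maps the push endpoints to the proxy only.

# hosts_ips FILE NAME -> distinct addresses of all active entries that list NAME
hosts_ips() {
    awk -v name="$2" '
        BEGIN { name = tolower(name) }            # host names are case-insensitive
        {
            sub(/#.*/, "")                        # strip comments, so disabled entries are ignored
            for (i = 2; i <= NF; i++)             # field 1 is the address, the rest are names
                if (tolower($i) == name && !seen[$1]++) { print $1; break }
        }' "$1"
}

# check_override FILE NAME PROXY_IP -> 0 ok, 1 no entry, 2 entry for another address
check_override() {
    ips=$(hosts_ips "$1" "$2")
    if [ -z "$ips" ]; then
        echo "MISSING  $2 (name would resolve through DNS instead)"; return 1
    fi
    for ip in $ips; do
        if [ "$ip" != "$3" ]; then
            echo "CONFLICT $2 -> $ip (expected $3)"; return 2
        fi
    done
    echo "OK       $2 -> $3"
}

PROXY_IP=192.0.2.10          # constructed DataPower address (documentation range)
SAMPLE=$(mktemp)             # constructed hosts file standing in for /etc/hosts
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
127.0.0.1   localhost
# 192.0.2.10 android.googleapis.com
192.0.2.10  Android.GoogleAPIs.com
192.0.2.99  gateway.sandbox.push.apple.com   # stale entry
192.0.2.10  gateway.sandbox.push.apple.com
EOF

for host in android.googleapis.com gateway.sandbox.push.apple.com; do
    check_override "$SAMPLE" "$host" "$PROXY_IP" || true
done
```

On the Worklight Server machine, pass /etc/hosts and the real DataPower address to check_override in place of the sample values.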

Sending notifications from Worklight

Once the above configurations for Worklight and DataPower are complete, you can begin sending notifications from Worklight. For information about Worklight push notifications, see the Worklight Information Center.

See the Worklight Getting started documentation for a push notification example.

Be sure to check the DataPower and Worklight logs in case of any errors.

Conclusion

This article highlighted how IBM WebSphere DataPower Appliances can act as a reverse proxy and security gateway for handling outbound push notifications for an enterprise. The DataPower configurations detailed here act as a proxy between IBM Worklight Server and notification mediators, ensuring that corporate policies and security compliance requirements are met when outbound requests are made.

