The security framework in IBM MobileFirst™ Platform Foundation was
entirely redesigned. New security features were introduced, and some
modifications were made to existing features.
Security framework overhaul
The MobileFirst security framework was redesigned and reimplemented to
improve and simplify security development and administration tasks. The
framework is now based on the OAuth model, and the implementation is
session-independent: authorization state travels with the OAuth tokens
that the client presents, so it no longer depends on a server-side HTTP
session. See Overview of the MobileFirst security framework.
On the server side, the multiple building blocks of the previous framework
(realms, authenticators, and login modules) were replaced with security
checks, which are implemented in adapters, allowing for simplified
development with new APIs. Sample implementations and predefined security
checks are provided. See Security checks.
Security checks can be configured in the adapter descriptor, and customized
by making runtime adapter or application configuration changes, without
redeploying the adapter or disrupting the flow. The configurations
can be done from the redesigned MobileFirst Operations Console security
interfaces. You can also edit the configuration files manually, or
use the MobileFirst Platform CLI or mfpadm tools.
See Security-checks configuration.
See the other security release
notes for specific changes and additions that are also the result
of the security-framework redesign.
Application-authenticity security check
MobileFirst application-authenticity
validation is now implemented as a predefined security check that
replaces the previous "extended application authenticity checking".
You can dynamically enable, disable, and configure application-authenticity
validation by using either MobileFirst Operations Console or mfpadm.
A stand-alone MobileFirst application-authenticity Java™ tool (mfp-app-authenticity-tool.jar)
is provided for generating an application-authenticity file. See Application-authenticity security check.
Confidential clients
The
support for confidential clients was redesigned and reimplemented
using the new OAuth security framework. See Confidential clients.
Web-applications security
The revised OAuth-based security framework supports
web applications. You can now register web applications with MobileFirst Server to
add security capabilities to your application and protect access to
your web resources. For more information about developing MobileFirst web
applications, see Developing web applications. The
application-authenticity security check is not supported for web applications.
Cross-platform applications (Cordova apps), new and changed security features
Additional
security features are available to help protect your Cordova app.
These features include the following:
- Web resources encryption: Use this feature to encrypt the web
resources in your Cordova package to help prevent someone from tampering
with the package after it is built. For more information, see Encrypting the web resources of your Cordova packages.
- Web resources checksum: Use this feature to run a checksum test
that compares the current checksum of the app's web resources with the
baseline checksum that was recorded when the app was first opened. This
check helps to detect modification of the app after it is installed and
opened. For more information, see Enabling the web resources checksum feature.
- Certificate pinning: Use this feature to embed the host server's
certificate in the app, so that the app trusts only that certificate (its
public key) when it connects to the server. This helps to prevent
man-in-the-middle attacks in which the information that is passed between
the app and the server is viewed or modified. For more information, see Certificate pinning.
- Support for the Federal Information Processing Standard (FIPS)
140-2: Use this feature to protect data that is transferred between the
app and the server with cryptographic modules that comply with the
FIPS 140-2 standard. For more information, see Enabling FIPS 140-2.
- OpenSSL: To use
OpenSSL data encryption and decryption with your Cordova app for the
iOS platform, you can use the cordova-plugin-mfp-encrypt-utils Cordova
plug-in. For more information, see Cordova plug-ins for MobileFirst features and Enabling OpenSSL for Cordova iOS.
Device Single Sign-On (SSO)
Device
single sign-on (SSO) is now supported by way of the new predefined enableSSO security-check
application-descriptor configuration property. See Configuring device single sign-on (SSO).
Direct Update
In contrast to earlier versions of MobileFirst, starting with V8.0.0,
Direct Update is delivered as part of the security flow for protected resources:
- If a client application accesses an unprotected resource, that request
does not deliver an update to the application, even if an update is
available on MobileFirst Server.
See Updating Cordova client apps directly.
- After it has been activated, Direct Update is enforced on every
request for a protected resource.
External-resources Protection
The
supported method and provided artifacts for protecting resources on
external servers were modified:
- A new, configurable MobileFirst Java Token Validator access-token
validation module is provided for using the MobileFirst security
framework to protect resources on any external Java server. The module is provided as a Java library (mfp-java-token-validator-8.0.0.jar),
and replaces the use of the obsolete MobileFirst Server token-validation
endpoint to create a custom Java validation
module. See MobileFirst Java Token Validator.
- The MobileFirst OAuth
Trust Association Interceptor (TAI) filter, for protecting Java resources on an external WebSphere® Application Server or WebSphere Application Server Liberty server,
is now provided as a Java library
(com.ibm.imf.oauth.common_8.0.0.jar).
The library uses the new Java Token
Validator validation module, and the configuration of the provided
TAI changed. See MobileFirst OAuth
Trust Association Interceptor (TAI) for protecting resources on WebSphere Java servers.
The
server-side MobileFirst OAuth
TAI API is no longer required and was removed.
- The passport-mfp-token-validation MobileFirst Node.js
framework, for protecting resources
on an external Node.js server, was modified to support the new security
framework. See MobileFirst Node.js
resource protection.
- You can also write your own custom filter and validation module,
for any type of resource server, which uses the new introspection
endpoint of the authorization server. See External resources protection.
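A custom filter of the kind described in the last item, written here as an added example rather than code from the MobileFirst product or its documentation: a Node.js request filter that validates the bearer token of an incoming request against the authorization server's introspection endpoint and checks that the token is active, unexpired, and carries the scope that the resource requires. The introspection URL, the confidential-client credentials used to authenticate to it, the response fields (active, scope, exp, client_id, following the OAuth 2.0 token-introspection convention), and the resource scope accessRestricted are assumptions made for the example; check them against your own server configuration.

```javascript
'use strict';

// Added example, not MobileFirst product code. The three values below are
// assumptions: adjust them to the authorization server you actually run.
const INTROSPECTION_URL = 'https://mfp.example.com:9443/mfp/api/az/v1/introspection'; // assumed path
const CLIENT_ID = 'resource-server';  // assumed confidential-client ID
const CLIENT_SECRET = 'change-me';    // assumed confidential-client secret

// Extract the token from "Authorization: Bearer <token>"; null if absent or malformed.
function parseBearer(header) {
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// Authorization decision on an introspection response (RFC 7662-style fields).
// `now` is seconds since the epoch. Pure, so it can be tested offline.
function authorize(introspection, requiredScope, now) {
  if (!introspection || introspection.active !== true) {
    return { ok: false, error: 'invalid_token' };
  }
  if (typeof introspection.exp === 'number' && introspection.exp <= now) {
    return { ok: false, error: 'invalid_token' };
  }
  const granted = typeof introspection.scope === 'string'
    ? introspection.scope.split(/\s+/).filter(Boolean)
    : [];
  if (requiredScope && !granted.includes(requiredScope)) {
    return { ok: false, error: 'insufficient_scope' };
  }
  return { ok: true, clientId: introspection.client_id, scope: granted };
}

// Ask the authorization server about the token. The resource server
// authenticates as a confidential client with HTTP Basic credentials.
async function introspectRemote(token) {
  const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
  const res = await fetch(INTROSPECTION_URL, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basic}`,
    },
    body: new URLSearchParams({ token }).toString(),
  });
  if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
  return res.json();
}

// Build a filter for a resource that requires `requiredScope`. `introspect`
// is injectable so the filter can be exercised without a live server.
function makeFilter(requiredScope, introspect = introspectRemote) {
  return async function filter(req, res, next) {
    const token = parseBearer(req.headers && req.headers.authorization);
    if (!token) {
      res.setHeader('WWW-Authenticate', 'Bearer');
      res.statusCode = 401;
      res.end();
      return;
    }
    let decision;
    try {
      decision = authorize(await introspect(token), requiredScope,
                           Math.floor(Date.now() / 1000));
    } catch (err) {
      // Fail closed when the authorization server cannot be consulted.
      res.statusCode = 503;
      res.end();
      return;
    }
    if (!decision.ok) {
      res.setHeader('WWW-Authenticate', `Bearer error="${decision.error}"`);
      res.statusCode = decision.error === 'insufficient_scope' ? 403 : 401;
      res.end();
      return;
    }
    req.auth = decision; // downstream handler can read the client ID and scope
    next();
  };
}
```

The decision logic lives in authorize so that it can be unit-tested without a server. makeFilter fails closed (HTTP 503) if the authorization server cannot be reached, and distinguishes a missing or invalid token (401) from a valid token that lacks the required scope (403), which is the usual OAuth 2.0 bearer-token convention for resource servers.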
Integration with WebSphere DataPower as an authorization server
You
can now select to use WebSphere DataPower® as the OAuth authorization
server, instead of the default MobileFirst Server authorization
server. You can configure DataPower to
integrate with the MobileFirst security
framework. See Configuring IBM® WebSphere DataPower as the OAuth authorization server.
LTPA-based single sign-on (SSO) security check
Support for sharing user authentication among servers that use WebSphere
Lightweight Third Party Authentication (LTPA) is now provided by the new
predefined LTPA-based single sign-on (SSO) security check. This check
replaces the obsolete MobileFirst LTPA realm, and eliminates the
configuration that the realm previously required. See LTPA-based single sign-on (SSO) security check.
Mobile-application management with MobileFirst Operations Console
Some changes were made to the support for tracking and managing mobile
applications, users, and devices from IBM MobileFirst Platform Operations
Console. Blocking device or application access applies only to attempts
to access protected resources; requests for unprotected resources are not
affected by a block.
See Mobile-application management.
MobileFirst Server keystore
A single MobileFirst Server keystore
is used for signing OAuth tokens and Direct Update packages, and for
mutual HTTPS (SSL) authentication. You
can dynamically configure this keystore by using either MobileFirst Operations Console or mfpadm.
See Configuring the MobileFirst Server keystore.
Native encryption and decryption for iOS
OpenSSL has been removed from the main framework for iOS and replaced by
native encryption and decryption. OpenSSL can be added as a separate
framework. See Enabling OpenSSL for iOS.
For iOS Cordova JavaScript, OpenSSL is still embedded in the main
framework. In both the native iOS API and the Cordova JavaScript API,
both native and OpenSSL-based encryption are available.