Enabling Direct Update Authenticity checks

You can configure client applications to check the authenticity of a direct update package downloaded from the MobileFirst Server or CDN.

About this task

When you enable the Direct Update Authenticity feature, the direct update package is digitally signed during deployment with the private key configured on the server. After the client has downloaded the package, it verifies the signature against the public key embedded in the application. This means that if the direct update package has been altered or replaced, the client will not install it. Additionally, the client reports direct update authenticity failures to the MobileFirst Server. These reports appear in the server logs at log level SEVERE. For more information, see Customizing the direct update interface and process.

The Direct Update Authenticity feature is not enabled by default. Follow the instructions below to enable this feature for new applications and for existing applications that have been upgraded. The instructions apply to all supported environments.

Procedure

  1. In the MobileFirst project, under the server folder, in the conf/worklight.properties file, update the keystore data. The following properties must be updated:
    • wl.ca.keystore.path - The path to the keystore, relative to the server folder in the MobileFirst project, for example: conf/default.keystore.
    • wl.ca.keystore.type - The type of the keystore file. Valid values are jks or pkcs12.
    • wl.ca.keystore.password - The password to the keystore file, for example: mobile.
    • wl.ca.key.alias - The alias of the entry where the private key and certificate are stored, in the keystore, for example: keypair1.
    • wl.ca.key.alias.password - The password to the alias in the keystore, for example: mobile.
    Note: The maximum permitted key length is 3072 bits.
  2. In the application-descriptor.xml file for your app, add the public key that the client uses to authenticate the direct update zip file. This must be the public key that corresponds to the private key stored under wl.ca.key.alias in the keystore from step 1; a client built with any other key rejects every direct update package the server signs.
    Note: The public key must use Base64 encoding.
    Use any of the following three ways to update the file:
    • Edit source code manually:
      Use your preferred text editor to edit the application-descriptor.xml file directly, in the <application> section. For example:
      <directUpdateAuthenticityPublicKey>public_key</directUpdateAuthenticityPublicKey>
    • Use the Application Descriptor Editor:
      1. Click the Design view to display the Application Descriptor Editor.
        The Application Descriptor Editor dialog shows the Direct update authenticity public key field.
      2. In the Direct update authenticity public key field, enter the authenticity public key.
    • Use the public key extraction wizard:
      1. Right-click the apps/app folder in your project.
      2. Select Extract public key for direct update authenticity. The Extract public signing key from keystore wizard opens. It displays fields for the keystore file and the keystore password.
      3. Specify the location and password of the keystore file and click Load Keystore.
        The Extract public signing key wizard, second step appears. It displays an additional field for key alias.
      4. Select Key alias and click Next to display the key.
        The Extract public signing key wizard, third step appears. It displays an additional Key field.
      5. Click Finish to insert the key into the application-descriptor.xml file.
  3. After you have updated the required information, rebuild and redeploy your application to IBM MobileFirst™ Platform Server.
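The procedure above, end to end, as an added example that is not IBM's code and not part of the original page. Instead of the wizard it uses OpenSSL to create a signing key pair in a pkcs12 keystore (one of the two keystore types the page allows), prints the five wl.ca.* properties and the directUpdateAuthenticityPublicKey element with the matching Base64 public key, and then demonstrates the effect of the authenticity check by verifying a signature over a constructed package before and after altering it. The alias, passwords and file names are example values; the assumption that the descriptor field carries the Base64 body of the PEM public key (what openssl x509 -pubkey emits, with the BEGIN/END lines removed), and the use of OpenSSL's SHA-256 RSA signature for the demonstration, are assumptions, since the page does not state the server's signature or key encoding format.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumes openssl on PATH and a MobileFirst
# project layout with server/conf/worklight.properties and
# apps/<app>/application-descriptor.xml. Run from the project root:
#     sh setup_direct_update_authenticity.sh run
# Alias, passwords and file names below are example values.
set -eu

KEYSTORE=server/conf/default.p12    # wl.ca.keystore.path is relative to the server folder
STOREPASS=mobile                    # wl.ca.keystore.password
ALIAS=keypair1                      # wl.ca.key.alias
KEYPASS=mobile                      # wl.ca.key.alias.password (equals the store password in pkcs12)
KEYBITS=2048                        # the page caps the signing key at 3072 bits

# Turn a PEM public key into the single-line Base64 string the descriptor expects:
# drop the BEGIN/END lines and join the Base64 lines (assumed descriptor encoding).
pem_to_single_line() {
    grep -v -- '-----' | tr -d '\n'
}

# Cheap sanity check before pasting into the descriptor: Base64 alphabet only.
is_base64() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

main() {
    work=$(mktemp -d)
    mkdir -p server/conf

    # Step 1: signing key pair and self-signed certificate, wrapped in a pkcs12 keystore
    # whose friendly name is the alias the server looks up (wl.ca.key.alias).
    openssl req -x509 -newkey "rsa:$KEYBITS" -nodes -days 3650 \
        -subj "/CN=direct-update-signing" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl pkcs12 -export -name "$ALIAS" -inkey "$work/key.pem" -in "$work/cert.pem" \
        -out "$KEYSTORE" -passout "pass:$STOREPASS"
    chmod 600 "$KEYSTORE"   # the keystore holds the private key; keep it out of world-readable paths

    # Properties for server/conf/worklight.properties (printed; merge them in by hand so
    # existing wl.ca.* entries are replaced rather than duplicated).
    printf '%s\n' \
        "wl.ca.keystore.path=conf/$(basename "$KEYSTORE")" \
        "wl.ca.keystore.type=pkcs12" \
        "wl.ca.keystore.password=$STOREPASS" \
        "wl.ca.key.alias=$ALIAS" \
        "wl.ca.key.alias.password=$KEYPASS"

    # Step 2: the public key that matches the private key under $ALIAS, for the
    # <application> section of application-descriptor.xml.
    openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pub.pem"
    pubkey=$(pem_to_single_line < "$work/pub.pem")
    is_base64 "$pubkey"
    printf '<directUpdateAuthenticityPublicKey>%s</directUpdateAuthenticityPublicKey>\n' "$pubkey"

    # What the client-side check achieves, illustrated with a plain RSA/SHA-256 signature
    # over a constructed package (not the MobileFirst package format): the deployed package
    # verifies, an altered one does not.
    printf 'constructed direct update package bytes' > "$work/pkg.zip"
    openssl dgst -sha256 -sign "$work/key.pem" -out "$work/pkg.sig" "$work/pkg.zip"
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/pkg.sig" "$work/pkg.zip"
    printf 'x' >> "$work/pkg.zip"   # tamper with the package after signing
    if openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/pkg.sig" "$work/pkg.zip" 2>/dev/null; then
        echo "ERROR: altered package still verified" >&2
        exit 1
    fi
    echo "altered package rejected, as the client would reject it"

    rm -rf "$work"
}

case "${1:-}" in
    run) main ;;
esac
```

Step 3 of the procedure still applies after running this: the public key is compiled into the application, so the app must be rebuilt and redeployed before clients check the signature. Rotating the key pair later means repeating both the server-side property change and a client rebuild; clients still carrying the old public key will reject every package signed with the new key.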