
Configuring and implementing custom device provisioning

Custom device provisioning is an extension of auto device provisioning. The main difference between auto and custom provisioning is that we can perform custom validation of the certificate signing request (CSR) during the provisioning process and custom validation of the certificate during each device authentication process.

Custom device provisioning must be implemented in the JavaScript code of an adapter. Specify the names of the validate-csr and validate-certificate functions in authenticationConfig.xml as realm and login module parameters:

  <securityTests>
    <mobileSecurityTest name="CustomDeviceProvisioningSecurityTest">
      <testAppAuthenticity/>
      <testDeviceId provisioningType="custom" realm="CustomDeviceProvisioningRealm"/>
    </mobileSecurityTest>
  </securityTests>
  <realms>
    <realm name="CustomDeviceProvisioningRealm" loginModule="CustomDeviceProvisioningLoginModule">
      <className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
      <parameter name="validate-csr-function" value="ProvisioningAdapter.validateCSR"/>
    </realm>
  </realms>
  <loginModules>
    <loginModule name="CustomDeviceProvisioningLoginModule">
      <className>com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule</className>
      <parameter name="validate-certificate-function" value="ProvisioningAdapter.validateCertificate"/>
    </loginModule>
  </loginModules>

The validate-csr-function checks that the certificate signing request (CSR) sent by the client is complete and contains the correct information that is needed for the certification of the device. This logic might also validate some properties of the CSR against internal or external services or directories.

The validate-certificate-function verifies that the certificate was issued by the right certificate authority (CA). The logic might also verify that the certificate contains all the necessary data about the device for this custom device authentication realm.
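
One way the two adapter functions named in the configuration above could be written, as an added example that is not the product's own code or tutorial code. The argument shapes, the deviceId and activationCode fields, the isSuccessful/errors/clientDN/attributes return fields, the issuer string and the enrolled-device table are all assumptions or constructed values.

```javascript
// Added illustration: argument shapes, field names and return objects are assumptions.
var EXPECTED_ISSUER = "CN=Example Provisioning CA,O=Example";  // constructed value
var ENROLLED_DEVICES = { "device-001": "A7F3-91QX" };          // constructed directory stand-in

// Compare without exiting early, so timing does not reveal how many characters matched.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Called during provisioning: reject incomplete or unknown requests before a certificate is issued.
function validateCSR(clientDN, csrContent) {
  if (!csrContent || typeof csrContent !== "object") {
    return { isSuccessful: false, errors: ["CSR content missing"] };
  }
  var deviceId = csrContent.deviceId;
  // Strict character set: the value is appended to the DN below, so no ',' or '=' may pass.
  if (typeof deviceId !== "string" || !/^[A-Za-z0-9-]{1,64}$/.test(deviceId)) {
    return { isSuccessful: false, errors: ["deviceId missing or malformed"] };
  }
  var enrolled = Object.prototype.hasOwnProperty.call(ENROLLED_DEVICES, deviceId);
  if (!enrolled || !safeEqual(csrContent.activationCode, ENROLLED_DEVICES[deviceId])) {
    // One generic message, so a caller cannot tell a known device from an unknown one.
    return { isSuccessful: false, errors: ["device not enrolled or activation code invalid"] };
  }
  return {
    isSuccessful: true,
    clientDN: clientDN + ",CN=" + deviceId,
    attributes: { deviceId: deviceId }
  };
}

// Called at each authentication: check the issuer name and the device binding.
// This compares names only; it is not a signature check.
function validateCertificate(certificate, customAttributes) {
  var errors = [];
  var cert = certificate || {};
  var deviceId = customAttributes && customAttributes.deviceId;
  if (cert.issuer !== EXPECTED_ISSUER) errors.push("unexpected issuer");
  var rdns = typeof cert.subject === "string" ? cert.subject.split(",") : [];
  if (!deviceId || rdns.indexOf("CN=" + deviceId) === -1) errors.push("certificate not bound to device");
  return errors.length ? { isSuccessful: false, errors: errors } : { isSuccessful: true };
}
```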

For more information about how to implement these functions, see the tutorials on the Get Started page.

It is important to understand the concept of mobile device authentication and auto provisioning. For more information about mobile device authentication, see Mobile device authentication.

With custom device provisioning, we can also implement custom validations of the CSR during the initial provisioning flow and of the certificate at each application start.

We must configure the server and the client for custom device provisioning.

