Configure device auto provisioning
You can change the default behavior of device auto provisioning with regard to the granularity of provisioning and the realms that must be passed before provisioning starts (the pre-required realms). You can also change the CA certificate (root certificate) that is used to issue certificates to provisioned devices.
- To change the default provisioning granularity or the pre-required realms, define a new realm for device provisioning by adding the following <realm> element to the <realms> element in the authenticationConfig.xml file, and then use that realm in the security test of your choice:
<realm name="wl_myProvisioningRealm" loginModule="WLDeviceAutoProvisioningLoginModule">
    <className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
    <parameter name="provisioned-entity" value="application" />
    <parameter name="pre-required-realms" value="wl_authenticityRealm" />
</realm>
where provisioned-entity can have one of the following values:
- application
- device
- group:<group-name>, where group-name is the name of the provisioning application group. Applications in the group must be signed with the same signing credentials and (on iOS) share the same bundleID prefix.
and pre-required-realms is a comma-separated list of realm names that must be successfully logged in to before provisioning is allowed to begin.
- To use a CA certificate other than the default MobileFirst CA certificate, configure the following properties:
- wl.ca.keystore.path: The path to the keystore, relative to the server folder of the MobileFirst project, for example conf/default.keystore.
- wl.ca.keystore.type: The type of the keystore file. Valid values are jks and pkcs12.
- wl.ca.keystore.password: The password of the keystore file, for example worklight.
- wl.ca.key.alias: The alias of the keystore entry that holds the CA private key and certificate, for example keypair1.
- wl.ca.key.alias.password: The password of that alias, for example worklight.
The private key in this entry signs every certificate that the server issues to provisioned devices, so in production use your own keystore with passwords other than the examples above and restrict read access to the keystore file.
For information about how to specify MobileFirst configuration properties, see Application server-side configuration parameters.
- To enable multiple applications to share the same certificate, define a sharedUserId attribute (for Android) or a bundleId attribute (for iOS) in the application descriptor. For further information about defining these attributes, see The application descriptor.
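A configuration linter for the provisioning realm described above, added here as an example and not part of IBM MobileFirst: it parses a constructed authenticationConfig.xml with the standard library and checks that provisioned-entity has one of the allowed values, that the realm's login module and every pre-required realm are defined, and that any customSecurityTest which tests the provisioning realm also tests each pre-required realm at a step no later than the provisioning realm's (the realm order the default configuration uses, with wl_authenticityRealm at step 1 and provisioning at step 2). The wl_authenticityRealm realm, its login module and the customSecurityTest layout are assumed to follow the default MobileFirst configuration; the group name myAppGroup and the test name wl_myProvisioningSecurityTest are made up, and BROKEN_CONFIG is a deliberately misconfigured copy of the sample.

```python
"""Lint device auto-provisioning realms in an authenticationConfig.xml.

Added example; not IBM MobileFirst code. Covers <realms>, <loginModules> and
<customSecurityTest> elements only.
"""
import re
import xml.etree.ElementTree as ET

# Authenticator class that marks a realm as a device auto-provisioning realm.
PROVISIONING_AUTHENTICATOR = "com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator"
# provisioned-entity must be application, device, or group:<group-name> with a non-empty name.
GROUP_ENTITY = re.compile(r"^group:(?P<name>\S+)$")

# Constructed sample in the layout of the default configuration (names are assumptions).
SAMPLE_CONFIG = """\
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config">
  <securityTests>
    <customSecurityTest name="wl_myProvisioningSecurityTest">
      <test realm="wl_authenticityRealm" step="1"/>
      <test realm="wl_myProvisioningRealm" isInternalDeviceID="true" step="2"/>
    </customSecurityTest>
  </securityTests>
  <realms>
    <realm name="wl_authenticityRealm" loginModule="WLAuthenticityLoginModule">
      <className>com.worklight.core.auth.ext.AppAuthenticityAuthenticator</className>
    </realm>
    <realm name="wl_myProvisioningRealm" loginModule="WLDeviceAutoProvisioningLoginModule">
      <className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
      <parameter name="provisioned-entity" value="group:myAppGroup"/>
      <parameter name="pre-required-realms" value="wl_authenticityRealm"/>
    </realm>
  </realms>
  <loginModules>
    <loginModule name="WLAuthenticityLoginModule">
      <className>com.worklight.core.auth.ext.AppAuthenticityLoginModule</className>
    </loginModule>
    <loginModule name="WLDeviceAutoProvisioningLoginModule">
      <className>com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule</className>
    </loginModule>
  </loginModules>
</tns:loginConfiguration>
"""

# Deliberately broken copy: empty group name, an undefined pre-required realm,
# and the authenticity realm moved to a step after the provisioning realm.
BROKEN_CONFIG = (
    SAMPLE_CONFIG
    .replace('value="group:myAppGroup"', 'value="group:"')
    .replace('value="wl_authenticityRealm"', 'value="wl_authenticityRealm,wl_antiXSRFRealm"')
    .replace('realm="wl_authenticityRealm" step="1"', 'realm="wl_authenticityRealm" step="3"')
)


def _parameters(realm):
    """Map the <parameter name=... value=.../> children of a realm to a dict."""
    return {p.get("name"): p.get("value", "") for p in realm.findall("parameter")}


def lint_provisioning_config(xml_text):
    """Return a list of problem strings; an empty list means the provisioning realms look consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    # Child elements carry no namespace prefix in authenticationConfig.xml, so plain tag names match.
    realms = {r.get("name"): r for r in root.iter("realm")}
    login_modules = {m.get("name") for m in root.iter("loginModule")}
    security_tests = list(root.iter("customSecurityTest"))

    for name, realm in realms.items():
        if realm.findtext("className", default="").strip() != PROVISIONING_AUTHENTICATOR:
            continue  # not a device auto-provisioning realm
        params = _parameters(realm)

        entity = params.get("provisioned-entity")
        if entity is not None and entity not in ("application", "device") and not GROUP_ENTITY.match(entity):
            problems.append(f"realm {name}: provisioned-entity {entity!r} must be application, device or group:<group-name>")

        if realm.get("loginModule") not in login_modules:
            problems.append(f"realm {name}: loginModule {realm.get('loginModule')!r} is not defined")

        required = [r.strip() for r in params.get("pre-required-realms", "").split(",") if r.strip()]
        for req in required:
            if req not in realms:
                problems.append(f"realm {name}: pre-required realm {req!r} is not defined")

        # Every security test that tests this realm must also test each pre-required realm,
        # and not at a later step, so the user is logged in to it before provisioning begins.
        for test in security_tests:
            steps = {t.get("realm"): int(t.get("step", "1")) for t in test.findall("test")}
            if name not in steps:
                continue
            for req in required:
                if req not in steps:
                    problems.append(f"securityTest {test.get('name')}: uses {name} but does not test pre-required realm {req}")
                elif steps[req] > steps[name]:
                    problems.append(f"securityTest {test.get('name')}: pre-required realm {req} runs at step {steps[req]}, "
                                    f"after {name} at step {steps[name]}")
    return problems


if __name__ == "__main__":
    for label, config in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = lint_provisioning_config(config)
        print(f"{label}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```

Run it against the real project file with lint_provisioning_config(open("server/conf/authenticationConfig.xml").read()) after editing the realm; the mobileSecurityTest and webSecurityTest shorthand elements are expanded by the server and are not inspected here, so convert the test you use to a customSecurityTest if you want the step check to apply to it.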
- Configuring and implementing custom device provisioning
Custom device provisioning is an extension of auto device provisioning. The main difference between auto and custom provisioning is that with custom provisioning you can perform custom validation of the certificate signing request (CSR) during the provisioning process and custom validation of the certificate during each device authentication.
Parent topic: MobileFirst security framework