Implementing server-side components for custom device provisioning
We can implement server-side components for custom device provisioning.
To implement server-side components for custom device provisioning, complete the following steps.
- Create an adapter and name it ProvisioningAdapter.
- Add two functions with the following signatures to the adapter's JavaScript file:
  - The validateCSR(clientDN, csrContent) function is called only during initial device provisioning. The function is used to check whether the device is authorized to be provisioned. After the device is provisioned, this function is not called again.
  - The validateCertificate(certificate, customAttributes) function is called each time that the mobile application establishes a new session with the MobileFirst Server. The function is used to validate that the certificate that the application or device possesses is still valid and that the application or device is allowed to communicate with the MobileFirst Server.
  These functions are called internally by the MobileFirst authentication framework. Do not declare them in the adapter's XML file.
- Configure authenticationConfig.xml.
- Add a realm and name it CustomDeviceProvisioningRealm to authenticationConfig.xml.
- Use CustomDeviceProvisioningLoginModule for the loginModule.
- Set className to the auto-provisioning authenticator class, com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator.
- Add a validate-csr-function parameter.
  - The value of this parameter points to the adapter function that validates the certificate signing request (CSR).
<realms>
  <realm name="CustomDeviceProvisioningRealm" loginModule="CustomDeviceProvisioningLoginModule">
    <className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
    <parameter name="validate-csr-function" value="ProvisioningAdapter.validateCSR" />
  </realm>
</realms>
- Add the loginModule named CustomDeviceProvisioningLoginModule.
- Set className to the auto-provisioning login module class, com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule.
- Add a validate-certificate-function parameter.
  - The value of this parameter points to the adapter function that validates the certificate.
<loginModules>
  <loginModule name="CustomDeviceProvisioningLoginModule">
    <className>com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule</className>
    <parameter name="validate-certificate-function" value="ProvisioningAdapter.validateCertificate" />
  </loginModule>
</loginModules>
- Create a securityTest of type mobileSecurityTest.
- Add a mandatory <testAppAuthenticity /> test.
- Add a mandatory <testDeviceId /> test.
  - Specify provisioningType="custom".
  - Specify realm="CustomDeviceProvisioningRealm".
<securityTests>
  <mobileSecurityTest name="CustomDeviceProvisioningSecurityTest">
    <testAppAuthenticity />
    <testDeviceId provisioningType="custom" realm="CustomDeviceProvisioningRealm" />
  </mobileSecurityTest>
</securityTests>
Results
You implemented server-side components for custom device provisioning.
Example
- validateCSR function
- The following example shows the validateCSR function:
function validateCSR(clientDN, csrContent) {
  WL.Logger.log("validateCSR :: clientDN :: " + JSON.stringify(clientDN));
  WL.Logger.log("validateCSR :: csrContent :: " + JSON.stringify(csrContent));
  var activationCode = csrContent.activationCode;
  var response;
  // This is the place to validate csrContent and update clientDN if required.
  // The check can use adapter backend connectivity.
  if (activationCode == "worklight") {
    response = {
      isSuccessful: true,
      clientDN: clientDN + ",CN=someCustomData",
      attributes: {
        customAttribute: "some-custom-attribute"
      }
    };
  } else {
    response = {
      isSuccessful: false,
      errors: ["Invalid activation code"]
    };
  }
  return response;
}
- validateCertificate function
- The following example shows the validateCertificate function:
function validateCertificate(certificate, customAttributes) {
  WL.Logger.log("validateCertificate :: certificate :: " + JSON.stringify(certificate));
  WL.Logger.log("validateCertificate :: customAttributes :: " + JSON.stringify(customAttributes));
  // Additional custom certificate validations can be performed here.
  return { isSuccessful: true };
}
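The two examples above accept a fixed activation code and approve every certificate. The following added example (not the page's or IBM's code) shows the shape a production adapter usually takes: validateCSR checks the activation code against a single-use store and binds the device to a group through the returned attributes, and validateCertificate re-checks that group on every session and rejects expired certificates. It runs under plain Node without WL.Logger; the activation-code store, the authorized-group list and the certificate.notAfter field name are constructed assumptions.

```javascript
// Constructed stand-in for backend connectivity: each activation code is
// single-use and tied to the device group it may provision into.
var activationCodes = {
  "code-A1": { used: false, deviceGroup: "field-sales" },
  "code-B2": { used: false, deviceGroup: "warehouse" }
};
// Constructed stand-in for the list consulted on every new session.
var authorizedGroups = { "field-sales": true, "warehouse": true };

// Called once, during initial provisioning.
function validateCSR(clientDN, csrContent) {
  var code = csrContent && csrContent.activationCode;
  var entry = activationCodes[code];
  // Unknown or already-used code: refuse, with the same error either way.
  if (!entry || entry.used) {
    return { isSuccessful: false, errors: ["Invalid activation code"] };
  }
  entry.used = true; // burn the code so a captured CSR cannot be replayed
  return {
    isSuccessful: true,
    clientDN: clientDN + ",OU=" + entry.deviceGroup,
    attributes: { deviceGroup: entry.deviceGroup }
  };
}

// Called on every new session; customAttributes is what validateCSR returned.
function validateCertificate(certificate, customAttributes) {
  var group = customAttributes && customAttributes.deviceGroup;
  // The group the device was provisioned into must still be authorized,
  // which is how a lost or retired device is cut off after provisioning.
  if (!authorizedGroups[group]) {
    return { isSuccessful: false, errors: ["Device group no longer authorized"] };
  }
  // Assumed field: certificate.notAfter as an ISO-8601 timestamp string.
  if (certificate && certificate.notAfter &&
      Date.parse(certificate.notAfter) < Date.now()) {
    return { isSuccessful: false, errors: ["Certificate expired"] };
  }
  return { isSuccessful: true };
}

// Administrative hook: withdrawing a group revokes access for its devices.
function revokeGroup(group) {
  delete authorizedGroups[group];
}
```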
What to do next
We can implement client-side components for custom device provisioning. For more information about implementing client-side components, see Implementing client-side components for custom device provisioning. For more information about custom device provisioning, see the tutorial on the Get Started page.
Parent topic: Configuring and implementing custom device provisioning