+

Search Tips   |   Advanced Search

Update the server authentication configuration

A requirement to enable the User Certificate Authentication feature is to configure the authentication configuration on the MobileFirst Server.

We must update authenticationConfig.xml.to configure the server to use the User Certificate Authentication feature. User certificate authentication uses standard MobileFirst authentication mechanisms: authenticator and login modules. The com.worklight.core.auth.ext.UserCertificateAuthenticator and the com.worklight.core.auth.ext.UserCertificateLoginModule modules are bundled with the core MobileFirst Server library.

  1. From within the server configuration, open authenticationConfig.xml.for editing.

  2. Add a realm definition inside the <realms> attribute in authenticationConfig.xml. 
    <realm name="wl_userCertificateAuthRealm"
       loginModule="UserCertificateLoginModule">
  <className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className>
  <parameter name="dependent-user-auth-realm"
             value="<DEPENDENT REALM NAME HERE>" />
  <parameter name="pki-bridge-class"
             value="<PKI BRIDGE CLASS>" />
</realm>

  3. Modify this realm definition by supplying our own dependent realm by specifying its name for the dependent-user-auth-realm parameter and a PKI bridge implementation (full Java class path) for the pki-bridge-class parameter. Use the included PKI bridge classes such as embedded (Embedded PKI bridge) or adapter-based (External/adapter-based PKI bridge) or supply our own custom PKI bridge implementation (Custom PKI bridge).

  4. Add the custom parameters to this realm definition based on the PKI bridge implementation. Bundled PKI bridge implementations such as Embedded (Embedded PKI bridge) or Adapter-Based (External/adapter-based PKI bridge) have extra required parameters that must be added.

  5. Add the following login module definition, as-is, to the <loginModules> element in authenticationConfig.xml. 
    <loginModule name="UserCertificateLoginModule">
  <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className>
</loginModule>

  6. Add the wl_userCertificateAuthRealm realm as a test in the security test to use for the application or environment.

  7. Add the security test to the resource to protect. To protect an adapter procedure, add the securityTest attribute for the procedure. See Overview of MobileFirst adapters. To protect an application environment, define a security test for each environment in application-descriptor.xml, using the securityTest="your_test_name" property. If no security test is defined for a specific environment, only a minimal set of default platform tests are run. 
    <securityTest name="your_test_name">
  <testUser realm="wl_userCertificateAuthRealm" />
  <testDeviceId provisioningType="none" />
</securityTest>

    To protect your application or adapter procedure, reference the security test in the application descriptor file.

      <iphone bundleId="com.UserCertApp" version="1.0" securityTest="your_test_name">


Parent topic: User certificate authentication on the server