IBM Worklight v5.0.5 > Develop IBM Worklight applications > Authentication configuration
Mobile device provisioning
When first run on a mobile device, a Worklight application creates a pair of PKI-based keys that are used to:
- Sign the public characteristics of the device and application.
- Send them to the WL server for authentication purposes.
To create a certificate, the key pair must be signed by an external trusted authority. Provisioning is the process of obtaining that security certificate.
After a certificate is obtained, the app can store the key pair in the device keystore, access to which is protected by the operating system.
The provisioning process has three modes:
- No provisioning: The client application does not trigger the provisioning process. The server does not verify the client certificate.
- Auto-provisioning: The server issues a certificate for the device and application data provided by the client application. Use this mode when Worklight application authenticity features are enabled.
- Custom provisioning: The server is augmented with custom logic to control the provisioning process. This logic can involve integration with an external system, such as a mobile device manager (MDM), that can issue the client certificate based on an activation code obtained from the app, or can instruct the WL server to do so.
Auto-provisioning and custom provisioning are supported only on iOS and Android devices.
Certificates are stored by the client app on the device and used for signing the payload sent to the WL server. The WL server validates the client certificate.
The server sends a request for ID, which the client answers with a payload signed under its certificate. If the client does not yet have a certificate, it automatically sends a request to the Worklight server to obtain one, and after that is done it sends the signed payload.
After the server sends the OK response, the original request is sent automatically.
The key pair used to sign the device and app properties can represent a single application, a group of applications, or an entire device. For example:
- Single application: The provisioning process requires separate activation for each application installed on the device. In this case, the application is the provisionable entity, and each application must generate its own key pair.
- Group of applications: There are different groups of applications in different geographical regions. If activation is required per region, the key pair represents the group of applications that belong to that region. All applications from the same group use the same key pair for their signatures.
- Entire device: The key pair represents the whole device. All the applications from the same vendor that are installed on that device use the same key pair.
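The exchange described above (request for ID, automatic provisioning when no certificate is held, signed payload, server-side validation) and the choice of provisionable entity can be modelled end to end. The following Go program is an added example written for this page; it is not Worklight code and does not reproduce Worklight's wire format. It uses the Go standard library's Ed25519 and X.509 packages, and all names in it (`Issuer`, `Client`, `SignedPayload`, `Respond`, `Verify`) are hypothetical. The `Issuer` stands in for whichever party signs the client key pair (the Worklight server in auto-provisioning, or an MDM in custom provisioning), and the `Entity` field carries whichever identifier the key pair represents: an application, a group such as a region, or the whole device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issuer is the provisioning side, a stand-in for the Worklight server or an MDM (hypothetical).
type Issuer struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// template returns a short-lived certificate skeleton (demo-only serial number).
func template(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewIssuer creates a self-signed issuing certificate, the trusted authority of the text.
func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := template("provisioning-ca (constructed)")
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Issuer{Cert: cert, key: priv}, err
}

// Issue is the provisioning step: certify the client's public key for one provisionable entity.
func (is *Issuer) Issue(entity string, pub ed25519.PublicKey) ([]byte, error) {
	tmpl := template(entity)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, is.Cert, pub, is.key)
}

// Client models the app on the device (constructed sample data).
type Client struct {
	DeviceID, AppID string             // public characteristics of device and application
	Entity          string             // what the key pair stands for: an app, a group (e.g. region) or the device
	Key             ed25519.PrivateKey // would live in the device keystore
	Cert            []byte             // DER client certificate, nil until provisioned
}

// SignedPayload is the client's answer to the server's request for ID.
type SignedPayload struct{ Payload, Signature, CertDER []byte }

// NewClient generates the key pair on first run.
func NewClient(deviceID, appID, entity string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Client{DeviceID: deviceID, AppID: appID, Entity: entity, Key: priv}, err
}

// Respond answers the ID request; without a certificate it first obtains one (auto-provisioning).
func (c *Client) Respond(is *Issuer) (SignedPayload, error) {
	if c.Cert == nil {
		der, err := is.Issue(c.Entity, c.Key.Public().(ed25519.PublicKey))
		if err != nil {
			return SignedPayload{}, err
		}
		c.Cert = der
	}
	payload := []byte("device=" + c.DeviceID + ";app=" + c.AppID)
	return SignedPayload{payload, ed25519.Sign(c.Key, payload), c.Cert}, nil
}

// Verify is the server-side check: the certificate must chain to the issuer and the signature
// must verify under the key inside that certificate.
func (is *Issuer) Verify(sp SignedPayload) error {
	cert, err := x509.ParseCertificate(sp.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(is.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, sp.Payload, sp.Signature) {
		return errors.New("payload signature does not verify under the client certificate")
	}
	return nil
}
```

The first call to `Respond` triggers provisioning and stores the certificate; later calls reuse it, which is the "no provisioning needed" path of the text. `Verify` does the two checks a server must do in this design: the certificate chains to an issuer it trusts, and the signed device and application properties have not been altered in transit. A payload modified after signing, or a certificate issued by an unrelated authority, is rejected.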