
Mobile device provisioning

When first run on a mobile device, a WL app creates a pair of PKI-based keys that are used to...

To create a certificate, key pairs must be signed by an external trusted authority. Provisioning is the process of obtaining a security certificate.

After a certificate is obtained, the app can store the key pair in the device keystore, access to which is protected by the operating system.

The provisioning process has three modes:

Auto-provisioning and custom provisioning are supported only on iOS and Android devices.


Device auto-provisioning

Certificates are stored by the client app on the device and are used for signing the payload sent to the WL server. The WL server validates the client certificate.

The server sends a request for ID, which the client responds to with a certificate-signed payload. If the client does not have the certificate, then a request is sent to the Worklight server automatically to get a certificate, and after that is done, the client automatically sends the signed payload.

After the server sends the ok response, the original request is sent automatically.
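The exchange described above, as an added example that is not Worklight's own code or API: a simplified model in which the client obtains a certificate automatically when it has none, then sends a signed payload that the server validates. The function and class names, the Ed25519 keys, and the JSON "certificate" (an authority signature over the entity name and public key, standing in for a real X.509 certificate) are all assumptions made for illustration.

```javascript
// Added example: simplified model of the handshake, not Worklight's own API.
const crypto = require('node:crypto');

// Assumption: the trusted authority is an Ed25519 key pair held by the server.
const authority = crypto.generateKeyPairSync('ed25519');
const b64 = (buf) => buf.toString('base64');
const sign = (data, key) => b64(crypto.sign(null, Buffer.from(data), key));
const verify = (data, key, sig) =>
  crypto.verify(null, Buffer.from(data), key, Buffer.from(sig, 'base64'));

// Server: the "certificate" is the authority's signature over
// (entity, public key). A stand-in for X.509, constructed for this example.
function issueCertificate(entity, publicKey) {
  const body = JSON.stringify({ entity, publicKey });
  return { body, authoritySig: sign(body, authority.privateKey) };
}

// Server: check the certificate first, then the payload signature.
function validate({ payload, sig, cert }) {
  if (!cert) return 'rejected: no certificate';
  if (!verify(cert.body, authority.publicKey, cert.authoritySig))
    return 'rejected: certificate not signed by the trusted authority';
  const der = Buffer.from(JSON.parse(cert.body).publicKey, 'base64');
  const pub = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  return verify(payload, pub, sig) ? 'ok' : 'rejected: bad payload signature';
}

// Client: one key pair per provisionable entity (app, group, or device).
class Client {
  constructor(entity) {
    this.entity = entity;
    this.keys = crypto.generateKeyPairSync('ed25519');
    this.cert = null; // stands in for the OS-protected device keystore
  }
  signedPayload(payload) {
    return { payload, sig: sign(payload, this.keys.privateKey), cert: this.cert };
  }
  // Answer the server's ID request; obtain a certificate first if none is stored.
  answerIdRequest(payload) {
    const trace = [];
    if (!this.cert) {
      const pub = this.keys.publicKey.export({ type: 'spki', format: 'der' });
      this.cert = issueCertificate(this.entity, b64(pub));
      trace.push('certificate requested');
    }
    trace.push(validate(this.signedPayload(payload)));
    return trace;
  }
}
```

The first call to `answerIdRequest` on a new `Client` goes through the certificate request before the signed payload is accepted; later calls reuse the stored certificate.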

The key pair used to sign the device and app properties can represent a single application, a group of applications, or an entire device. For example:

Single application: The provisioning process requires separate activation for each application installed on the device. In this case, the application is the provisionable entity, and each application must generate its own key pair.

Group of applications: There are different groups of applications in different geographical regions. If the activation is required per region, the key pair would represent the group of applications that belong to that region. All applications from the same group use the same key pair for their signatures.

Entire device: The key pair represents the whole device. All the applications from the same vendor that are installed on that device use the same key pair.

