How to enable extended application authenticity protection in Eclipse mobilefirst project - ibm-mobilefirst

I have an IBM MobileFirst version 7.0 project which was developed in Eclipse Luna. Just want to check how to enable the extended application authenticity protection for apk and ipa as mentioned in https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.1/authentication-security/application-authenticity-protection/#enablingExtendedApplicationAuthenticityProtection?
Thanks

Application authenticity protection is only available in standalone (production) installs of IBM MobileFirst server. The application authenticity feature is disabled in IBM MFP Studio.
Once you have installed your standalone server, make use of the 'wladm' command to enable extended application authenticity protection.

Related

Worklight 6.2 iOS binary issue with MobileFirst 7.1

I have MFP Server version: 7.1.0.00.20160401-2103
I'm trying to accomplish the following:
MyApp runtime (WAR file) is built using MFP 7.1
My WLAPP's, Adapters and device binaries are built using WL 6.2
I need to run the 6.2 app inside the MFP 7.1 container to mimic my production environment, as I can't have two standalone live servers in PROD, one for WL 6.2 and the other for MFP 7.1.
My concern is the following for iOS (9+):
The iOS app that is live is built with ATS not configured and bitcode disabled using Xcode (Version 6.3.1).
What is the configuration on MFP 7.1 that needs to be done to allow the connection from my live application?
WAS security level:
My IHS which is in front of my MFP server has the SSLCipherSpec as:
When I compile the Xcode project I'm getting:
[https://IP:PORT/MobileBanking/apps/services/api/MobileBanking/iphone/query] Host is not responsive.
How can I make my 6.2 app work on MFP 7.1?
Is there a missing configuration I need to add/remove?
I can't make any changes on App level as it is already in PROD. Also I can't migrate the 6.2 app yet as we have timeline/outage issues that we can't meet.
Please see this blog post: https://mobilefirstplatform.ibmcloud.com/blog/2015/09/07/preparing-ibm-mobilefirst-platform-server-app-transport-security-ios-9/
7.1 can run wlapp files that were built by 6.2 (assuming your server is not configured with session independence), but those apps will not benefit from any 7.1 features because you did not re-build them with 7.1 Studio...
Additionally you must have the server configured with TLS 1.2 support and the client application must be configured with TLS. So yes, you must re-build the app even with 6.2 Studio and re-submit to the App Store.

Application Authenticity is not getting enabled

I am using Worklight 6.2 consumer edition. When I deploy my app, following warning flashes on server console:
[WARNING ] FWLSE0259W: Application authenticity protection is not being performed within the Worklight Development Server. In order to fully test Application authenticity protection, deploy the application to a non-development Worklight Server (i.e. external Worklight Server). [project MyProject].
I am using WebSphere Liberty Profile 8.5.5.1 server. Please advise how to make this warning go away.
As the message says, if you are trying to test Application Authenticity Protection in Worklight Studio (the Eclipse development environment of Worklight), Authenticity protection is not supposed to work.
To test Application Authenticity in Worklight 6.2, you must deploy Worklight using IBM Installation Manager to your Application Server (WAS, Liberty, Tomcat), as well as your .war, .wlapp, .adapters, etc... and set it up in Worklight Console belonging to this instance of Worklight.
Only then should it work.

worklight v6.2 console to use LDAP authentication

Does anyone know how to configure v6.2 to use LDAP to authenticate on the console (localhost:10080/worklightconsole/)? On v6.1, this is done in authenticationConfig.xml, but the migration process to v6.2 automatically removed all the configuration that was configured to use LDAP to secure the console, with this comment:
"IBM migration removed customSecurityTest named WorklightConsole. IBM migration removed realm named WorklightConsole. It is not supported as of Worklight v6.2"
I have already tried following this PDF and it is still not working - http://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v620/09_11_Using_LDAP_login_module_to_authenticate_user_with_LDAP_server_in_hybrid_applications.pdf
Thanks
In previous versions of Worklight, Worklight Console protection was handled by Worklight's security framework. Starting v6.2, this is now handled by the underlying application server, be it WAS, WAS Liberty profile or Tomcat.
In Worklight Studio WAS Liberty profile is used, so you will need to follow these instructions: http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/appcenter/t_ac_lib_ldap.html?lang=en
For other application servers follow the relevant instructions from here: http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.installconfig.doc/appcenter/c_ac_ldap_jndi.html?lang=en

How to test App Authenticity in Worklight Application

I have configured and enabled App Authenticity in my application using custom security. I added the security test property in my application descriptor XML file. In my Worklight console the respective application gives me the option to enable App Authenticity.
Now, how do I test this feature? The fail-case scenario: how do I explicitly fail the client app for app authenticity? My ethical hacking team wants to perform this testing.
Thanks.
Easiest way to simulate it would be to:
Deploy your application to the server, build the generated project and install it on the device. See that it works.
Depending on the environment, in application-descriptor.xml:
for Android, alter the signing key used and re-deploy to the server
for iOS, alter the bundleId and re-deploy to the server
Re-launch the already installed application; it should now fail.
Note:
In Worklight 6.2 application authenticity will only work with an external application server that Worklight Server is deployed to. Otherwise the feature will "always work" when testing in the Worklight Development Server.
In Worklight 6.1 application authenticity will use a "dummy" challenge when used in the Worklight Developer edition; to really test the feature in v6.1, you must use Worklight Studio and Server based on the Consumer or Enterprise editions.

Worklight Studio 6 - device provisioning and app authenticity

I am running Worklight Studio 6 from Worklight Enterprise Edition download with Eclipse Juno.
My application is using form security with the WASLTPA login module. The application tests correctly.
When I add AppAuthenticity (needed for device provisioning) my client sees the following error in the console. (None in the server log)
Failed to load resource: the server responded with a status of 401 (Unauthorized)
drilling deeper I see:
/*-secure-
{"challenges":{"wl_authenticityRealm":{"WL-Challenge-Data":"o97e2ph8kguqh1vpljbio1o5k3+23.507-9.852-31.807 "}}}*/
I am running this on the Worklight Development Server packaged with Worklight Studio.
You have mentioned both the Enterprise Edition and Developer Edition.
Please clarify your question with the following: You have installed Worklight using the IBM Installation Manager, yes?
You have an application server (Tomcat/WebSphere/Liberty) installed and you've used the supplied Ant scripts to create the Worklight database(s), configure them, deploy the Worklight platform files to the application server, as well as deploy your project's .war file? (and of course the .wlapp /.adapter file(s)...).
If you have done the above, then you will have in your Worklight Server, now installed on the application server, the required components for App Authenticity to work.
Then there is the case of how you actually configured your project for App Authenticity.
Make sure you follow these steps to set up App Authenticity
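
The 401 body quoted in the question above is a JSON object wrapped in a `/*-secure- ... */` comment, with one entry per challenging realm. The following is an added example, not part of the original thread and not Worklight's own client code, that unwraps such a body and reports which realms issued a challenge; the helper names are hypothetical and the sample body is the one posted in the question.

```javascript
// Added example, not Worklight code. The envelope markers and the realm name
// are copied from the response quoted in the question; helper names are hypothetical.
const SECURE_PREFIX = "/*-secure-";
const SECURE_SUFFIX = "*/";

// Strip the /*-secure- ... */ comment wrapper and parse the JSON inside it.
function parseSecureEnvelope(body) {
  const text = body.trim();
  if (!text.startsWith(SECURE_PREFIX) || !text.endsWith(SECURE_SUFFIX)) {
    throw new Error("not a /*-secure- envelope");
  }
  const json = text.slice(SECURE_PREFIX.length, text.length - SECURE_SUFFIX.length);
  return JSON.parse(json);
}

// Summarise a response: which realms are challenging, and is the
// authenticity realm among them? Bodies that are not envelopes (for example
// an HTML error page from a proxy) are reported as "unparsed", not thrown.
function describeResponse(status, body) {
  let payload;
  try {
    payload = parseSecureEnvelope(body);
  } catch (err) {
    return { status, kind: "unparsed", realms: [], authenticityChallenged: false };
  }
  const realms = Object.keys(payload.challenges || {});
  return {
    status,
    kind: realms.length > 0 ? "challenge" : "other",
    realms,
    authenticityChallenged: realms.includes("wl_authenticityRealm"),
  };
}

// Body as quoted in the question (challenge data left exactly as posted).
const sampleBody = "/*-secure-\n" +
  '{"challenges":{"wl_authenticityRealm":{"WL-Challenge-Data":' +
  '"o97e2ph8kguqh1vpljbio1o5k3+23.507-9.852-31.807 "}}}*/';

console.log(describeResponse(401, sampleBody));
```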