In MobileFirst 8 Android project, there are libauthjni.so file.
These files appear to be used for Application Authenticity
If we do not use this feature, use only the following features:
UserAuthenticationSecurityCheck
SecurityCheck
Certificate Pinning
Encrypting the web resources
DirectUpdate and application access/notify/disabled
In this case, can we remove libauthjni.so file?
Yes, if you do not use Application Authenticity you can remove these files. However, can you say why you'd want to do that ?
Related
I have a react-native app that communicates with a server that makes calls to stripe for payment processing/customer creation. I want to ensure that requests are coming only from my app. so i figured i could create a token of sorts on the client, and encrypt it with a special key using b-crypt, then on the server side when the request comes in with the encrypted token as a parameter, i can decrypt that token with the same special key.
i understand the optimal place to store this key is in the env variables server-side, but how do you manage security of a secret key client-side in a react-native app?
There are several ways to store keys on the client side.
The easiest way is to use the Async storage which stores data in a key value pair.
The problem with Async storage is that its nor encrypted so it wont suit your requirement.
The other option is to use the react-native-keychain library which stores the passwords or keys in the securely in the keychain of IOS and keystore in Android. The security part will be managed by the operating system. So this is an approach that can be recommended for your requirement.
There are multiple ways to do this, these are just two options.
After further research, I ended up revoking the accepted status of #GuruparanGiritharan. his solution (react-native-keychain) dealt with storing passwords in an OS's keychain implementation. this ended up not being the solution for my question. as my question deals with storing secrets keys in a way they wouldn't be visible in binary, de-compiling situation.
What I did was research key management services. I found this:
Handling secrets with dotenv
In Node.js secrets are usually loaded from env files using the dotenv
module. This is done in order to separate the secrets from source
code. For example an env file might look like this (reference below):
DB_HOST=localhost
DB_USER=root
DB_PASS=s1mpl3
Now doing this in a context (potentially development) where you dont need to implement continuous integration, it's referred to a "manual provisioning"
My issue (admittedly, I did not specify a production environment in my question) is when it comes to a production environment, in my case, with visual studio app center (a CI option for React-Native apps)
Continuing on this site for an option for key management services:
While this removes hardcoded secrets from source code, it doesn’t
solve your problem completely; Now you need to find a way to provision
your app with the .env file.
This guide will show how you can remove the secrets from the .env file
altogether, so that it can be safely checked into source control and
shipped with your application.
This guide is discussing how to implement key management in the context of a production environment with continuous integration. This approach is relatively simple and straightforward, as all you need to do is create an .env file, add the keys with a variable, and add (in this tool's case) an additional run script to your main node.js start script.
Tool mentioned: SecretHub
https://secrethub.io/docs/guides/nodejs/
I am getting below error when I select Key database type as CMS for creating a CSR for IBM HTTP Server-
The CMS Java Native Library was not found.Please make sure the SSL Component required by your product is installed and the library path is defined correctly.Consult your product documentation for further information.
Please help on this.
Thanks.
Make sure your JAVA_HOME is pointing to the IBM Java.
i.e. JAVA_HOME=C:\Program Files (x86)\IBM\Java80
I have created a new certificate using Let's Encrypt, also, I was able to generate my keystore. Now I'm loading my Play application like this:
activator run -Dspring.profiles.active="dev" -Dhttp.port=disabled -Dhttps.port=9443 -Djavax.net.ssl.keyStore=/home/webapp/play/conf/keystore.jks -Djavax.net.ssl.keyStorePassword="password"
However, Play seems not to read my keystore and keeps generating a new one.
[warn] play - Using generated key with self signed certificate for HTTPS. This should not be used in production.
How can I make Play to read my keystore ?
You don't mention which version of Play you're on, so I'll assume you have Play 2.4.6.
Configuring SSL is documented in https://www.playframework.com/documentation/2.4.x/ConfiguringHttps
The warning you're seeing comes from the DefaultSSLEngineProvider -- the source code is in:
https://github.com/playframework/playframework/blob/2.4.x/framework/src/play-server/src/main/scala/play/core/server/ssl/DefaultSSLEngineProvider.scala#L57
So you can see looking at the documentation, you need to set play.server.https.keyStore.path and so on to configure SSL.
I've spent the better part of this afternoon trying to figure out how to implement SSL/TLS support directly in the Play Framework 2.1 web server without having to use a front end proxy, to no avail. I have all of my certificates signed by a CA and I'm told Play 2.1 supports SSL, but am lost on the configuration options to use in application.conf to set this up. There doesn't appear to be a clear answer out there in the documentation.
Couple questions:
Do I HAVE to convert my .crt and .key files to a .jks file (Java keystore) or can I use them as-is?
If I have to import to the Java keystore, can someone provide some insight into how this is done? I have seen a lot of conflicting documentation on this.
What are the configuration options in the Play Framework 2.1.x application.conf to set this up?
As I stated before, I could not find any clear answers after a couple hours of Googling, so I figured I better ask here. Also, I want to reiterate - I DO NOT want to use a front-end web server like Apache for specific reasons, so I am looking ONLY to set up SSL/TLS support directly in Play.
EDIT:
I have found this thread: http://grokbase.com/t/gg/play-framework/1326s1ttny/2-1-ssl but I can't get any of it to work still. Not sure if I'm created the JKS file correctly by combining all of my bundled CRT files AND the private key into a single file then importing and I'm not sure what I should use for the "path to keystore".
I'm very new to web applications. I've been told that JBOSS 7.1.1 has an in-built JAAS system which can be enabled on my JBOSS configuration quite simply. However I'm having trouble trying to get this running, namely most internet searching I went through has just ended up with older versions of JBoss.
Does anyone have a step-by-step guide on how to implement a simple JAAS authentication screen on my WAR file in JBoss 7.1.1? Prefarbly using its h2 database. Thanks :)
Also - my machine has trouble with Eclipse, so I can't use any of Eclipse EE's nifty server running mechanisms.
Finally got it. For those of you in the future:
You need your own standard login/logout pages in jsp/html/whatever. You put that in your web.xml constraints. Then you add an xml file called "Jboss-web" and type in your security domain (the default AS 7 is called 'other'). Then lastly add users and roles using adduser.bat in config folder.