We Keep Coding

llegal JSON value for key 'deviceProvisioningRealm': null while running wladm

When running the Worklight Admin command line tool, version 6.3.0.00.20141127-1357, against same version server, I am receiving an error. This occurs when running the "list apps" command and a few other app-specific queries.
/app/IBM/MobileFirst_Platform_Server/shortcuts/wladm --configfile=/app/IBM/bldsrvwladmconfig.txt
Error accessing
http://localhost:9080/worklightadmin/management-apis/1.0/runtimes/worklight/applications?pageSize=1000000000&locale=en_US:
HTTP/1.1 500 Internal Server Error FWLSE3000E: A server error was
detected. Illegal JSON value for key 'deviceProvisioningRealm': null
Getting the content of the URL directly successfully returns data.
APAR PI33197 references a similar error, but without explanation of the cause or solution.
authenticationConfig.xml:
<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Licensed Materials - Property of IBM 5725-G92 (C) Copyright IBM Corp.
2006, 2013. All Rights Reserved. US Government Users Restricted Rights -
Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp. -->
<staticResources>
<resource id="subscribeServlet" securityTest="SubscribeServlet">
<urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="SubscribeServlet">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="SubscribeServlet"/>
</customSecurityTest>
<customSecurityTest name="ISAMforWorklight-web-securityTest">
<test realm="wl_antiXSRFRealm" />
<test realm="WASLTPARealm" isInternalUserID="true" step="1"/>
</customSecurityTest>
<customSecurityTest name="ISAMforWorklight-Step-up-securityTest">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalDeviceID="false" isInternalUserID="true" realm="WASLTPARealm"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="WASLTPAModule" name="WASLTPARealm">
<className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
<parameter name="login-page" value="/login.html"/>
<parameter name="error-page" value="/loginError.html"/>
</realm>
<realm loginModule="rejectAll" name="SubscribeServlet">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<realm name="WorklightConsole" loginModule="requireLogin">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
<realm name="deviceProvisioningRealm" loginModule="rejectAll">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
</realms>
<loginModules>
<loginModule name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<loginModule name="WASLTPAModule">
<className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
</loginModule>
</loginModules>
</tns:loginConfiguration>

This APAR has been fixed in version 6.3.0.00.20150305-1844. Please download the latest fix available at Fix Central. Our fixes are cumulative so the latest fix will include the fix for this APAR.

Trying to do App Authenticity and during client.connect() getting "App authenticity security check failed"

Hi I am trying to connect to production server and do App authenticity (native android app). But I Am getting following error "App authenticity security check failed".
What I am doing at MFP project level.
In authconfig xml.
<customSecurityTest name="AuthSecurityTest">
<test realm="wl_antiXSRFRealm" step="1" />
<test realm="wl_authenticityRealm" step="1" />
<test realm="wl_remoteDisableRealm" step="1" />
<test isInternalUserID="true" realm="AuthRealm" step="1" />
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true"
step="2" />
</customSecurityTest>
<realm loginModule="AuthLoginModule" name="AuthRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="AuthAdapter.onAuthRequired" />
<parameter name="logout-function" value="AuthAdapter.onLogout" />
</realm>
<loginModule name="AuthLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
My application descriptor :
<nativeAndroidApp xmlns="http://www.worklight.com/native-android-descriptor"
id="MFP_Android"
platformVersion="7.1.0.00.20160401-2103" securityTest="AuthSecurityTest" version="1.0">
<displayName>MFP_Android</displayName>
<description>MFP_Android</description>
<accessTokenExpiration>3600</accessTokenExpiration>
<publicSigningKey>MIIBHSAKJHDFKJHFKHDFKJHDKJHDFSKJHFDSKJHFDSKJDFHKJDFHDFHJDSKDFSHKDJFSHKJFDHSKJDFSHKJDFSHKJDFSHKJDFHSKJDFHlkasalJAscnmxzcncxmnzksjdadskjdsjsdjskjdksjdakjdssdjksdaj</publicSigningKey>
<packageName>com.mfp</packageName>
<targetCategory>UNDEFINED</targetCategory>
<licenseAppType>APPLICATION</licenseAppType>
</nativeAndroidApp>
I am calling the challenge hander on connect.
AndroidChallengeHandler challengeHandler = new AndroidChallengeHandler("AuthRealm");
WLClient client;
client.registerChallengeHandler(challengeHandler);
client.connect();
I am getting response as
/*-secure- {"reason":"App authenticity security check failed"}*/
y would I get such response.

I find it very strange that your package name is really "com.mfp" as seen in the descriptor XML file: <packageName>com.mfp</packageName>.
Are you absolutely sure this is your package name (that you can find in the AndroidManifest.xml file of your Android native project)?
Another possibility is that the key used to in the descriptor XML file does not match the key that was used to sign the .apk with.
Lastly, this could be due to the steps that you've defined in the Authentication Configuration XML file. Try changing the "wl_remoteDisableRealm" to be "step 2". This change will require you to re-deploy the updated .war file to your application server.

MobileFirst Direct update customization using adapter

I am trying to customize direct update by getting all the messages from an adapter.
I am not getting adapter success callback if direct update is triggered.
I want to show a dialog giving option to the user to cancel direct update.
Below is the code I am trying with:
wl_directUpdateChallengeHandler.handleDirectUpdate = function (directUpdateData,directUpdateContext){
console.log("Test for directUpdate");
var invocationData = {
adapter : 'DirectUpdateCustomizationAdapter',
procedure : 'getConfig',
parameters : ["android","1.9.0"]
};
var result = WL.Client.invokeProcedure(invocationData,{timeout: 30000,
onSuccess : function(success){
console.log("Adapter call success" + JSON.stringify(success));
},
onFailure : function(failure){alert(3);console.log("Adapter call fail" + JSON.stringify(failure));},
});
};
I am using the below security test:
<customSecurityTest name="customTests">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
If direct update is not triggered and adapter call is outside challenge handler then adapter call is successful.
Please guide.

What does direct update has to do with adapters?
You cannot invoke or handle it in adapters; it must be handled on the client-side, as it is the client-side SDK that handles direct update, and not adapters, which reside on the server-side.

for such flow to work , the method DirectUpdateCustomizationAdapter#getConfig must be stripped from any security and use unprotected access.
meaning: in the DirectUpdateCustomizationAdapter adapter's xml file
the method getConfig should have an additional property :
<procedure name="getConfig" securityTest="wl_unprotected" />
since getConfig returns non-confidential data I believe its ok to un-secure it.
such change in the adapter code requires to re-deploy the adapter file to the Worklight server.
Nevertheless, retrieving data from remote server during direct update handler is not recommended. As Idan stated here, the best approach to customize the title,body and other text elements is actually having those strings in some property file on the device (network hop does cost time).
Updating such property file with new text can be done via the direct update mechanism itself (just like updating any other web resource).

mobilefirst 7.1 authentication not working

*EDIT: An IBM Employee visited us today to have a look at this problem as well.
We did not solve the problem, but we think the root of the problem is something else. So I will rewrite the problem description.
The server was refusing connection due to the appAuthenticityTest failing. So for now we disabled the appAuthenticityTest to test the server configuration.
But we are now seeing the following errors in the log:
[3/4/16 16:12:06:529 CET] 000000a4 LoginContext E com.worklight.core.auth.impl.LoginContext processRequest FWLSE0059E: Login into realm 'wl_authenticityLoginModule' failed. Missing app authenticity configuration parameters. [project mapruntime]
com.worklight.gadgets.GadgetRuntimeException: Missing app authenticity configuration parameters
at com.worklight.core.auth.ext.appauth.AuthenticityAuthenticatorImpl.processRequest(AuthenticityAuthenticatorImpl.java:82)
at com.worklight.core.auth.ext.AuthenticityAuthenticator.processRequest(AuthenticityAuthenticator.java:79)
at com.worklight.core.auth.impl.LoginContext.processRequest(LoginContext.java:212)
at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:779)
at com.worklight.core.auth.impl.AuthenticationContext.processRealms(AuthenticationContext.java:679)
at com.worklight.core.auth.impl.AuthenticationContext.pushCurrentResource(AuthenticationContext.java:652)
at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:81)
at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:228)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at com.worklight.analytics.AnalyticsFilter.doFilter(AnalyticsFilter.java:124)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3926)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1007)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1049)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:717)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:413)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:1073)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:87)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
[3/4/16 16:12:06:537 CET] 000000a4 LoginContext E com.worklight.core.auth.impl.LoginContext processRequest FWLSE0117E: Error code: 4, error description: AUTHENTICATION_ERROR, error message: An error occurred while performing authentication using loginModule wl_authenticityLoginModule, User Identity Not available. [project mapruntime] [project mapruntime]
My application-descriptor.xml contains:
<android securityTest="MAPCertLogin" version="1.0.4">
<worklightSettings include="false"/>
<pushSender key="**********" senderId="******"/>
<compressWebResources enabled="true"/>
</android>
<common securityTest="MAPCertLogin"/>
My authenticationConfig.xml:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Licensed Materials - Property of IBM
5725-I43 (C) Copyright IBM Corp. 2006, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp. -->
<!---->
<!-- Sample security tests
Even if not used there will be some default webSecurityTest and mobileSecurityTest
Attention: if using <testAppAuthenticity/> test below ,<publicSigningKey> element must be added to application-descriptor.xml as well. -->
<securityTests>
<mobileSecurityTest name="MAPCertLogin">
<testUser realm="MAPLoginRealm"/>
<testDirectUpdate mode="perRequest"/>
<testDeviceId provisioningType="custom" realm="MAPLoginRealm"/>
<!-- testAppAuthenticity -->
</mobileSecurityTest>
<!--
<customSecurityTest name="PushSecurityTest">
<test isInternalUserID="true" realm="MAPLoginRealm"/>
<test isInternalDeviceID="true" realm="MAPLoginRealm" />
</customSecurityTest>
-->
</securityTests>
<realms>
<realm loginModule="StrongDummy" name="SampleAppRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
<realm loginModule="MAPLoginModule" name="MAPLoginRealm">
<className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
<parameter name="validate-csr-function" value="Authenticator.validateCSR"/>
</realm>
</realms>
<loginModules>
<loginModule expirationInSeconds="-1" name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="MAPLoginModule">
<className>com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule</className>
<parameter name="validate-certificate-function" value="Authenticator.validateCertificate"/>
</loginModule>
</loginModules>
</tns:loginConfiguration>
Why do we get the "Missing app authenticity configuration parameters" error while having the appAuthenticityTest disabled?
Regards,
Stijn

I believe this error happens because you are also trying to implement Custom Device Provisioning, however device provisioning requires authenticity... so either fix your authenticity setup per the Application Authenticity tutorial, or remove the device provisioning definition as well.

MobileFirst 7.0 An error was encountered while processing the request from the application

Getting the error alert after direct update success and app try to reload the application.
Server version: 7.0.0.00.20151020-1831
Project WAR version: 7.0.0.00.20151020-1831
Adapter name: WLClientLogReceiver. Version: 7.0.0.00.20151020-1831
Server authenticationConfiguration setting
<customSecurityTest name="CustomAppAuthenticitySecurity">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
Client error log: same error message in android and iOS while app try to reload after direct update.
2015-11-04 16:49:12.589 Direct[12642:47638] [TRACE] [WLNativeXHR] callback {"statusText":"Expected status code in (200-299), got 403","status":403,"headers":{"Pragma":"no-cache","X-Powered-By":"Servlet/3.0","Keep-Alive":"timeout=10, max=100","Connection":"Keep-Alive","Content-Type":"application/json; charset=UTF-8","P3P":"policyref=\"/w3c/p3p.xml\", CP=\"CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE\"","Date":"Wed, 04 Nov 2015 21:49:35 GMT","Content-Language":"en-US","Content-Length":"119","Cache-Control":"no-cache, no-store, must-revalidate","Expires":"Thu, 01 Jan 1970 00:00:00 GMT"},"responseText":"/-secure-\n{\"WL-Authentication-Failure\":{\"wl_authenticityRealm\":{\"reason\":\"App authenticity security check failed\"}}}/","wlFailureStatus":"","callbackId":"WLNativeXHRPlugin119420831"}

As mentioned in the comments, this question is tracked as PMR #08772,L6Q,000 as there seems to be no workaround for the error (authenticity failure after Direct Update), other than disabling authenticity...