I have configured and enabled App Authenticity in my application using custom security. I added the security test property in my application descriptor XML file. In my Worklight console, the respective application gives me the option to enable App Authenticity.
Now, how do I test this feature? The fail case scenario: how do I explicitly fail the client app for app authenticity? My ethical hacking team wants to perform this testing.
Thanks.
Easiest way to simulate it would be to:
Deploy your application to the server, build the generated project and install it on the device. See that it works.
Depending on the environment, in application-descriptor.xml:
for Android, alter the signing key used and re-deploy to the server
for iOS, alter the bundleId and re-deploy to the server
Re-launch the already installed application; it should now fail.
Note:
In Worklight 6.2 application authenticity will only work with an external application server that Worklight Server is deployed to. Otherwise the feature will "always work" when testing in the Worklight Development Server.
In Worklight 6.1 application authenticity will use a "dummy" challenge when used in the Worklight Developer edition; to really test the feature in v6.1, you must use Worklight Studio and Server based on the Consumer or Enterprise editions.
I have an IBM MobileFirst version 7.0 project which was developed in Eclipse Luna. I just want to check how to enable the extended application authenticity protection for apk and ipa as mentioned in https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.1/authentication-security/application-authenticity-protection/#enablingExtendedApplicationAuthenticityProtection?
Thanks
Application authenticity protection is only available in standalone (production) installs of IBM MobileFirst server. The application authenticity feature is disabled in IBM MFP Studio.
Once you have installed your standalone server, make use of the 'wladm' command to enable extended application authenticity protection.
I have a server which has been upgraded from IBM Worklight 6.0 to IBM MobileFirst 6.3.
The server is currently running older versions of my mobile application, which do not have AppAuthenticity enabled.
When I uploaded the newer version of Application, AppAuthenticity option became enabled ONLY for one (windows) environment, while others stayed disabled.
After a restart, Windows Environment version became like others, while iPAD environment started giving option to change the AppAuthenticity.
I listed the application through the WLADM CLI, and it gave me the error below:
XML validation error, reading from
https://URL/wladmin/management-apis/1.0/runtimes/worklight/applications/MYAPPS?locale=en_US:
cvc-complex-type.4: Attribute 'downloadLink' must appear on element
'applicationEnvironmentDataAccess'.
Please note, the application, if run alone on another server, works fine with the same application descriptor and WAR file; this problem only comes up when old and new versions are uploaded on the same server.
Are you saying your server has a single .war file with 2 apps on it, one from 6.0 and one from 6.3?
There are very different Application Authenticity Protection implementations in 6.0 and 6.3. These cannot co-exist in the same single .war file.
You need to deploy to your application server 2 .war files - one for handling the 6.0 app and another for handling the 6.3 app.
Relevant user documentation can be read here: http://www-01.ibm.com/support/knowledgecenter/SSHS8R_6.3.0/com.ibm.worklight.upgrade.doc/devenv/c_upgrade_to_srvr_in_production_env.html
As Idan said, the 6.0 and 6.3 apps cannot be handled together. Since I only wanted to enable App Authenticity in the newer version, what I did as a workaround was to connect via the WLADM tool and disable App Authenticity for the older versions via the command line.
Below are the commands one needs to use:
\Worklight\shortcuts>wladm --url=https://server.url/wladmin --user=admin --passwordfile=password.properties
To verify the application's current authenticity setting:
app version %CONTEXT% %APP_NAME% %Environment_Name% %versionCode% get authenticitycheckrule
To disable:
app version %CONTEXT% %APP_NAME% %Environment_Name% %versionCode% set authenticitycheckrule DISABLED
I am developing a hybrid app in Worklight 6.2. I have a Worklight Server installed on a Red Hat Linux 6 base as a remote server.
I have given the server's IP address, port number and context root as "/worklight" in the "build settings and deploy target".
Then I added my adapter file and wlapp file into the remote server's "app" folder. I haven't made any changes in the server.xml file.
Now when I call the procedure from my app, I am getting "[IPADDRESS:PORT/worklight/apps/services/api/MyApp/ipad/query] failure. state: 404, response: The server was unable to process the request from the application. Please try again later."
What am I missing, and what changes do I have to make for the request to work?
The steps you are describing are not clear.
Make sure you are following the steps as provided in the IBM Worklight Knowledge Center.
First make sure the Worklight Server deployment to the application server was done correctly
You can verify this then by loading the Worklight Console (there will be no deployed projects)
Then follow the Worklight project (.war, .wlapp, .adapter) deployment to the Worklight Server instructions
You can verify this then by loading the Worklight Console (there will be 1 deployed application)
I am using Worklight 6.2 consumer edition. When I deploy my app, following warning flashes on server console:
[WARNING ] FWLSE0259W: Application authenticity protection is not being performed within the Worklight Development Server. In order to fully test Application authenticity protection, deploy the application to a non-development Worklight Server (i.e. external Worklight Server). [project MyProject].
I am using WebSphere Liberty Profile 8.5.5.1 server. Please advise how to make this warning go away.
As the message says, if you are trying to test Application Authenticity Protection in Worklight Studio (the Eclipse development environment of Worklight), Authenticity protection is not supposed to work.
To test Application Authenticity in Worklight 6.2, you must deploy Worklight using IBM Installation Manager to your Application Server (WAS, Liberty, Tomcat), as well as your .war, .wlapp, .adapters, etc... and set it up in Worklight Console belonging to this instance of Worklight.
Only then should it work.
I am running Worklight Studio 6 from Worklight Enterprise Edition download with Eclipse Juno.
My application is using form security with the WASLTPA login module. The application tests correctly.
When I add AppAuthenticity (needed for device provisioning) my client sees the following error in the console. (None in the server log)
Failed to load resource: the server responded with a status of 401 (Unauthorized)
drilling deeper I see:
/*-secure-
{"challenges":{"wl_authenticityRealm":{"WL-Challenge-Data":"o97e2ph8kguqh1vpljbio1o5k3+23.507-9.852-31.807 "}}}*/
I am running this on the Worklight Development Server packaged with Worklight Studio.
You have mentioned both the Enterprise Edition and Developer Edition.
Please clarify your question with the following: You have installed Worklight using the IBM Installation Manager, yes?
You have an application server (Tomcat/WebSphere/Liberty) installed and you've used the supplied Ant scripts to create the Worklight database(s), configure them, deploy the Worklight platform files to the application server, as well as deploy your project's .war file? (and of course the .wlapp /.adapter file(s)...).
If you have done the above, then you will have in your Worklight Server, now installed on the application server, the required components for App Authenticity to work.
Then there is the case of how you actually configured your project for App Authenticity.
Make sure you follow these steps to set up App Authenticity
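When triaging a 401 like the one quoted in the question above, it helps to see which realm issued the challenge. The following is an added example, not code from the original posts or from Worklight itself: it unwraps the `/*-secure- ... */` envelope shown in the question and reports the challenging realms. The function names, the sample bodies and the `ExampleFormRealm` name are assumptions made for illustration.

```javascript
// Added example: classify a 401 body by the realms that issued challenges.
// The envelope shape and the authenticity realm name come from the response
// quoted in the question; all function names here are hypothetical.
const SECURE_PREFIX = '/*-secure-';
const SECURE_SUFFIX = '*/';
const AUTHENTICITY_REALM = 'wl_authenticityRealm';

// Strip the comment wrapper and parse the JSON inside. Returns null when the
// body is not a wrapped JSON object (for example an HTML error page).
function parseSecureEnvelope(body) {
  const text = String(body).trim();
  if (!text.startsWith(SECURE_PREFIX) || !text.endsWith(SECURE_SUFFIX)) return null;
  const inner = text.slice(SECURE_PREFIX.length, text.length - SECURE_SUFFIX.length);
  try {
    const parsed = JSON.parse(inner);
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch (e) {
    return null; // wrapper present but payload is not valid JSON
  }
}

// Summarise a 401: which realms challenged, and whether authenticity is one.
function classify401(body) {
  const envelope = parseSecureEnvelope(body);
  if (!envelope) return { wrapped: false, realms: [], authenticityChallenge: false };
  const challenges = envelope.challenges;
  const realms = challenges && typeof challenges === 'object' ? Object.keys(challenges) : [];
  return {
    wrapped: true,
    realms,
    authenticityChallenge: realms.includes(AUTHENTICITY_REALM),
  };
}

// Constructed sample bodies. The first mirrors the quoted response with the
// challenge data replaced by a placeholder; the realm in the second is made up.
const SAMPLE_AUTHENTICITY =
  '/*-secure-\n{"challenges":{"wl_authenticityRealm":{"WL-Challenge-Data":"PLACEHOLDER"}}}*/';
const SAMPLE_OTHER = '/*-secure-\n{"challenges":{"ExampleFormRealm":{}}}*/';

console.log(classify401(SAMPLE_AUTHENTICITY));
console.log(classify401(SAMPLE_OTHER));
console.log(classify401('<html>404</html>'));
```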