I'm currently reading the Client X.509 Certificate Authentication and User Enrollment tutorial (https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-6-3/authentication-security/client-x-509-certificate-authentication-userenrollment/) and trying to implement it with my current Worklight application. I'm using Worklight Studio 6.0.
However, I'm a bit confused about the authenticationConfig.xml setup. I currently have an adapter authentication working. The first page of my app presents a login page and the adapterChallenge handler will verify the username and password against the database. The following snippet represents the configuration:
<customSecurityTest name="AuthRealm">
    <test isInternalUserID="true" realm="AdapterAuthRealm"/>
    <!-- <test isInternalUserID="true" realm="SampleAppRealm"/> -->
</customSecurityTest>

<realm name="AdapterAuthRealm" loginModule="NonValidatingLoginModule">
    <className>com.worklight.integration.auth.AdapterAuthenticator</className>
    <parameter name="login-function" value="AuthAdapter.onAuthRequired"/>
    <parameter name="logout-function" value="AuthAdapter.onLogout"/>
</realm>

<loginModule name="NonValidatingLoginModule">
    <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
I'm not sure how to use the following snippet of the tutorial to tie into my setup. Does my security test become step 2 or 3? Do I simply add these under my security test (AuthRealm)?
<customSecurityTest name="customx509Tests">
    <test realm="wl_antiXSRFRealm" step="1"/>
    <test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
    <test realm="wl_userCertificateAuthRealm" isInternalUserID="true" step="1"/>
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>

<realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule">
    <className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className>
    <parameter name="dependent-user-auth-realm" value="SampleAppRealm"/>
    <parameter name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI"/>
    <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/path/to/certificates/directory/signingca/signing_ca.p12"/>
    <parameter name="embedded-pki-bridge-ca-p12-password" value="passSigningP12"/>
</realm>

<loginModule name="WLUserCertificateLoginModule">
    <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className>
</loginModule>
Any advice is appreciated.
The user certificate authentication feature is its own separate security realm. It allows you to specify a dependent user auth realm that is used when an X.509 certificate is not provided by the client. The dependent realm is basically used to enroll the device/user/app into your PKI. The dependent realm can be any security realm you choose.
To specify your security realm as the dependent realm, change the following line:
<parameter name="dependent-user-auth-realm" value="SampleAppRealm" />
to:
<parameter name="dependent-user-auth-realm" value="AdapterAuthRealm" />
Was this your question?
FYI, you can read up more on the feature at:
https://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.monitor.doc/monitor/c_user_CA.html
and the server side PKI configuration for more details:
https://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.monitor.doc/monitor/c_user_CA_PKIBridge.html
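To make the answer concrete, here is the asker's existing configuration and the tutorial's X.509 snippet combined into one authenticationConfig.xml fragment, with the one change the answer describes applied. This is an added example, not code from the original question, the answer, or the IBM tutorial. The security test, realm, login module, class and parameter names are exactly the ones posted above; the p12 path and password are the tutorial's placeholders, and the securityTests/realms/loginModules wrapper elements are assumed to be the standard sections of the file.

```xml
<!-- Added example (not from the original question or answer): the two posted
     fragments merged, with wl_userCertificateAuthRealm depending on the asker's
     AdapterAuthRealm instead of the tutorial's SampleAppRealm. -->
<securityTests>
    <!-- Protect the app's resources with this test. When the client has no
         certificate yet, the X.509 realm falls through to AdapterAuthRealm,
         so the existing username/password login enrolls the user into the PKI. -->
    <customSecurityTest name="customx509Tests">
        <test realm="wl_antiXSRFRealm" step="1"/>
        <test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
        <test realm="wl_userCertificateAuthRealm" isInternalUserID="true" step="1"/>
        <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
    </customSecurityTest>
</securityTests>

<realms>
    <!-- The X.509 realm; only dependent-user-auth-realm differs from the tutorial. -->
    <realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule">
        <className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className>
        <parameter name="dependent-user-auth-realm" value="AdapterAuthRealm"/>
        <parameter name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI"/>
        <!-- Placeholder path and password copied from the tutorial snippet. -->
        <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/path/to/certificates/directory/signingca/signing_ca.p12"/>
        <parameter name="embedded-pki-bridge-ca-p12-password" value="passSigningP12"/>
    </realm>

    <!-- The asker's existing adapter realm, unchanged; it now serves as the
         enrollment (dependent) realm for the certificate realm above. -->
    <realm name="AdapterAuthRealm" loginModule="NonValidatingLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="AuthAdapter.onAuthRequired"/>
        <parameter name="logout-function" value="AuthAdapter.onLogout"/>
    </realm>
</realms>

<loginModules>
    <loginModule name="WLUserCertificateLoginModule">
        <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className>
    </loginModule>
    <loginModule name="NonValidatingLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
</loginModules>
```

Note that the asker's original AuthRealm security test is not referenced here: the certificate realm reaches AdapterAuthRealm through the dependent-user-auth-realm parameter, not through a test step, which is why the question of "step 2 or 3" does not arise. The signing CA's .p12 file and its password live on the server and sign every enrolled client certificate, so keep that file and this configuration out of the app's source repository and readable only by the server account.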