The WebView used in a Cordova application does not prompt the user for credentials or for a client certificate when a server asks for them, as a regular browser does. In addition, on iOS the WebView gives no feedback when incorrect credentials are used.
The AuthProxy plugin can handle the communication for an app and, when it does, presents a dialog for the user to enter credentials or to choose a client certificate. An alternative on Android is the Crosswalk plugin, which can also handle basic authentication challenges.
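The following is an added example, not code from the original page or from the Kapsel SDK, that shows in Go what the dialog supplies and a bare WebView does not: read the realm out of the Basic challenge, ask for credentials for that realm, retry once, and turn a second 401 into an explicit error instead of a silently failed request. The protected server, the realm "SMP" and the user/password pair are constructed for the example; it assumes only the Go standard library (1.18 or later).

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrBadCredentials is the feedback a bare WebView (iOS in particular) never
// gives the app: the credentials were sent and the server refused them.
var ErrBadCredentials = errors.New("credentials rejected by the server")

// realmOf extracts realm="..." from a `WWW-Authenticate: Basic ...` challenge.
// The AuthProxy dialog shows this value so the user can see who is asking.
func realmOf(challenge string) (string, bool) {
	scheme, params, _ := strings.Cut(strings.TrimSpace(challenge), " ")
	if !strings.EqualFold(scheme, "Basic") {
		return "", false
	}
	for _, p := range strings.Split(params, ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(p), "="); ok && strings.EqualFold(k, "realm") {
			return strings.Trim(v, `"`), true
		}
	}
	return "", false
}

// getWithPrompt does what the WebView will not: on a 401 Basic challenge it asks
// prompt for credentials for that realm, retries once, and reports a second 401
// as ErrBadCredentials instead of handing the app the login-failed page.
func getWithPrompt(client *http.Client, url string, prompt func(realm string) (user, pass string)) (int, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusUnauthorized {
		return resp.StatusCode, nil
	}
	realm, ok := realmOf(resp.Header.Get("WWW-Authenticate"))
	if !ok {
		return resp.StatusCode, errors.New("401 without a Basic challenge")
	}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(prompt(realm)) // base64, not encryption: only ever send this over TLS
	resp, err = client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return resp.StatusCode, ErrBadCredentials
	}
	return resp.StatusCode, nil
}

// newProtectedServer is a constructed stand-in for the OData endpoint: one
// user/password pair is accepted, everyone else gets the Basic challenge.
func newProtectedServer(realm, user, pass string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 || subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q`, realm))
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "OData payload")
	}))
}

// basicAuthDemo drives both outcomes: the right password, then a wrong one.
func basicAuthDemo() (realmSeen string, okStatus int, okErr error, badStatus int, badErr error) {
	s := newProtectedServer("SMP", "demo", "s3cret") // constructed realm and credentials
	defer s.Close()
	ask := func(pass string) func(string) (string, string) {
		return func(realm string) (string, string) { realmSeen = realm; return "demo", pass }
	}
	okStatus, okErr = getWithPrompt(s.Client(), s.URL, ask("s3cret"))
	badStatus, badErr = getWithPrompt(s.Client(), s.URL, ask("wrong"))
	return
}

func main() {
	realm, okStatus, okErr, badStatus, badErr := basicAuthDemo()
	fmt.Printf("realm %q: %d %v; wrong password: %d %v\n", realm, okStatus, okErr, badStatus, badErr)
}
```

getWithPrompt retries exactly once with what the prompt returned; an app that keeps replaying the same stored password is the silent failure the page describes, and on iOS nothing tells the user why. Basic credentials are only base64-encoded, which is why the stand-in server is a TLS server and the real endpoint must be HTTPS as well.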
When an app needs to present a certificate to the server to identify itself, this is known as client authentication or mutual authentication. An example is being required to provide a client certificate as part of the onboarding process to register with an application, or perhaps to access an OData provider (not needed to complete the example). This occurs mostly in business-to-business (B2B) applications. It differs from most business-to-consumer (B2C) websites, such as an online banking site, where only the server authenticates itself to the client, with a certificate signed by a certificate authority (CA).
For additional details on the AuthProxy plugin see C:\SAP\MobileSDK3\KapselSDK\docs\api\sap.AuthProxy.html or Using the AuthProxy Plugin.
The following two examples demonstrate the functionality of the AuthProxy plugin.
Making an OData request through the AuthProxy Plugin
Using Client Certificates
The following steps will demonstrate what happens when an incorrect password is sent to a backend OData endpoint and how this behavior can be improved with the AuthProxy plugin.
<button id="chgPwd" onclick="sap.Logon.changePassword(logonSuccessCallback, errorCallback)">Change Password</button>
<preference name="SAPKapselHandleHttpRequests" value="false" />
cordova run android
or
cordova run ios
Choose Unregister, then Register, provide the valid username and password, and once registered click Read. Notice that the data is returned.

<preference name="SAPKapselHandleHttpRequests" value="true" />
cordova run android
or
cordova run ios
Notice that this time the user is prompted to enter the correct credentials and the realm of the site requesting the credentials is shown.

Using Client Certificates

This example will demonstrate how to use the AuthProxy plugin to register with the SMP 3.0 server using a client certificate and how to use a client certificate in a request to access an OData endpoint. Before continuing, complete HTTPS in the Security Appendix, as HTTPS must be set up before adding client authentication.
The OpenSSL toolkit will be used to create a certificate authority that will sign a client certificate.
Note that this example does not use the Logon plugin to perform the registration, as the Logon plugin requires SAP Afaria or the CertificateProvider interface to supply a client certificate. See SAP Afaria and Kapsel and X.509 Certificate Interface for additional details on how to use client certificates with the Logon plugin.
This example can be run on an Android device or emulator.
Note that on iOS, only certificates that have been loaded into the application's keychain are available to be selected. See Making Certificates and Keys Available To Your App and Finding a certificate for further details. A solution is to use an MDM solution such as SAP Mobile Secure or SAP Afaria to provision the application with a certificate through the Certificate Provider interface of the Logon plugin, or to use Keychain Sharing with an app that has a certificate in its shared keychain.
Note, the following instructions are meant for demonstration purposes only. Security in a production environment should be managed by your company's security professional.
C:\SAP\MobilePlatform3\Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml
<Connector smpConnectorName="mutualSSL" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
port="8082" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
keyAlias="serverkey" clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
clientAuth="true" is what makes this connector request a client certificate during the TLS handshake and refuse connections that do not present one signed by a certificate authority in smp_keystore.jks.
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Java\jdk1.7.0_45\bin;C:\OpenSSL-Win64\bin;
set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
openssl s_client -connect localhost:8080 > c:\temp\8080.txt
openssl s_client -connect localhost:8082 > c:\temp\8082.txt
8080.txt will contain the following text:

no peer certificate available
---
No client certificate CA names sent

which indicates that port 8080 is not using a server certificate, i.e. no HTTPS: no encryption and no server identification. 8082.txt will list, under Acceptable client certificate CA names, the certificate authorities whose client certificates the server will accept:

Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary Certification Authority - G3
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
...
/C=CA/ST=Ontario/L=Waterloo/O=SAP/OU=SAP Canada/CN=demoRootCA
The last entry will appear after following the steps below, which create a certificate authority named demoRootCA and use it to sign a client certificate named user1. After that, an app will be created that passes the client certificate user1 to the SMP 3.0 server during registration, and the SMP 3.0 server will accept the registration because it trusts the certificate authority demoRootCA.

In openssl.cfg, set the following defaults in the [ req_distinguished_name ] section. They become the distinguished name of both the CA and user1, which matters because the default openssl ca policy (policy_match) only signs a request whose country, state and organization match the CA's:
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Waterloo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = SAP
cd C:\OpenSSL-Win64
mkdir certs
cd certs
mkdir demoCA
cd demoCA
type NUL > index.txt
echo 01 > serial
mkdir newcerts
mkdir private
cd C:\OpenSSL-Win64\certs
openssl genpkey -des3 -out demoRootCA.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass pass:112233
openssl req -new -x509 -days 3650 -key demoRootCA.key -out demoRootCA.crt
move demoRootCA.crt demoCA
move demoRootCA.key demoCA\private
keytool -import -deststorepass changeit -destkeystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file demoCA\demoRootCA.crt -alias demoRootCA
The SMP 3.0 server will now accept client certificates that have been signed by this certificate authority. The import can be checked with:

keytool -list -v -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -alias demoRootCA -storepass changeit
Next create the key, certificate request and certificate for user1. The key size is given explicitly because older OpenSSL releases default genpkey to 1024-bit RSA:

openssl genpkey -des3 -out user1.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass pass:changeit
openssl req -new -key user1.key -out user1.csr -passin pass:changeit
Note that Enter can be pressed at the prompt for A challenge password.

Sign the request with the CA. The -cert and -keyfile options point openssl ca at the CA certificate and key moved into demoCA above (the default configuration expects them under the names cacert.pem and private/cakey.pem), and -infiles must be the last option:

openssl ca -cert demoCA\demoRootCA.crt -keyfile demoCA\private\demoRootCA.key -passin pass:112233 -out user1.crt -infiles user1.csr
openssl pkcs12 -export -out user1.p12 -inkey user1.key -in user1.crt -name user1 -certfile demoCA\demoRootCA.crt -passin pass:changeit -passout pass:changeit
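To see the chain of trust that the steps above build work end to end without an SMP server, here is an added example in Go; it is not code from the original tutorial or from the Kapsel SDK. It creates demoRootCA and user1 in memory with crypto/x509, stands up an in-process TLS server that requires a client certificate and trusts only demoRootCA (the clientAuth="true" connector plus the keytool import into smp_keystore.jks), and shows that user1 is accepted while a self-signed certificate the server has never seen is refused. The server's own CA (serverCA), the rogue certificate, the localhost name and the use of ECDSA keys are assumptions of the example, and it needs only the Go standard library (1.18 or later); PKCS#12 packaging, which Go's standard library does not write, stays with the openssl pkcs12 step above.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIssue: parent == nil gives a self-signed CA (the tutorial's `openssl req -new
// -x509` for demoRootCA); otherwise parent signs a leaf usable only for eku (`openssl ca`).
func mustIssue(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // positive; each issuer here signs one leaf
		Subject:      pkix.Name{Country: []string{"CA"}, Organization: []string{"SAP"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, crypto.Signer(key) // self-signed unless a parent is given
	if parent != nil { // leaves may only sign handshakes, and only for one purpose
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}
		tmpl.DNSNames = []string{"localhost"} // the name the client checks the server against
		signer, signerKey = parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newServer stands in for the mutualSSL connector: clientAuth="true" plus the keytool import
// of demoRootCA.crt, so a client certificate is required and must chain to clientCA.
func newServer(server tls.Certificate, clientCA *x509.Certificate) *httptest.Server {
	cas := x509.NewCertPool()
	cas.AddCert(clientCA)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName) // the identity SMP would map to a user
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: cas, ClientAuth: tls.RequireAndVerifyClientCert}
	s.StartTLS()
	return s
}

// clientTLS trusts serverCA for the server and holds held for the client. crypto/tls only
// offers a certificate whose issuer is on the server's acceptable-CA list (what s_client prints).
func clientTLS(serverCA *x509.Certificate, held ...tls.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA)
	return &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: held, MinVersion: tls.VersionTLS12}
}

// fetch does one GET over cfg and returns the body, or the error the handshake produced.
func fetch(url string, cfg *tls.Config) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// mutualTLSDemo runs the tutorial's flow in memory: a CA for the server certificate,
// demoRootCA for clients, user1 signed by demoRootCA, and a self-signed stranger.
func mutualTLSDemo() (accepted string, err, refused error) {
	serverCA := mustIssue("serverCA", 0, nil)
	server := mustIssue("localhost", x509.ExtKeyUsageServerAuth, &serverCA)
	demoRootCA := mustIssue("demoRootCA", 0, nil)
	user1 := mustIssue("user1", x509.ExtKeyUsageClientAuth, &demoRootCA)
	rogue := mustIssue("rogue", 0, nil) // self-signed, never imported into the server's store
	s := newServer(server, demoRootCA.Leaf)
	defer s.Close()
	// rogue is listed first yet skipped: its issuer is not on the server's list, demoRootCA is.
	accepted, err = fetch(s.URL, clientTLS(serverCA.Leaf, rogue, user1))
	forced := clientTLS(serverCA.Leaf) // sends rogue regardless: the server's chain check must catch it
	forced.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &rogue, nil }
	_, refused = fetch(s.URL, forced)
	return accepted, err, refused
}

func main() {
	accepted, err, refused := mutualTLSDemo()
	fmt.Printf("accepted %q (err %v)\nrogue refused: %v\n", accepted, err, refused)
}
```

With several certificates in Certificates, crypto/tls picks the one whose issuer appears in the CertificateRequest's acceptable-CA list, the list s_client prints under Acceptable client certificate CA names, and sends nothing when none matches; that is the same issuer-based choice the AuthProxy dialog offers the user and that Chrome's AutoSelectCertificateForUrls ISSUER filter makes automatically. The forced variant shows why the server-side check still matters: a client can send whatever it likes, and only the chain verification against demoRootCA keeps rogue out.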
com.mycompany.authproxy
Set the endpoint to be https://sapes1.sapdevcenter.com/sap/opu/odata/IWFND/RMTSAMPLEFLIGHT
The alias name should match the alias name of a certificate in smp_keystore.jks that is used to access the OData source.

The following Chrome policy makes Chrome select a client certificate automatically, by the CN of its issuer, instead of prompting for one; the ISSUER value must name the CA that signed the client certificate:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
"1"="{\"pattern\":\"*\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
See also List of Policies for Chrome.

Create the project and add the plugin. On Windows:

cordova create C:\Kapsel_Projects\AuthProxyDemo com.mycompany.authproxy AuthProxyDemo
cd C:\Kapsel_Projects\AuthProxyDemo
cordova platform add android
cordova plugin add cordova-plugin-console
cordova plugin add kapsel-plugin-authproxy --searchpath %KAPSEL_HOME%/plugins
On macOS:

cordova create ~/Documents/Kapsel_Projects/AuthProxyDemo com.mycompany.authproxy AuthProxyDemo
cd ~/Documents/Kapsel_Projects/AuthProxyDemo
cordova platform add ios
cordova plugin add cordova-plugin-console
cordova plugin add kapsel-plugin-authproxy --searchpath $KAPSEL_HOME/plugins
C:\Kapsel_Projects\AuthProxyDemo\plugins\kapsel-plugin-authproxy\www\authproxy.js
cordova run android
The links below contain additional information on SSL, certificates, configuring a Tomcat server to use client authentication, and how to add an OData producer to Tomcat.
Mutual Authentication
Tomcat SSL How To
Tomcat Mutual Authentication
OData4J
Hosting OData4J in Tomcat