
Appendix D:  Security Part 1

This appendix goes over some topics that should be considered for secure Kapsel apps.

HTTPS
Whitelist and Content Security Policy
Password Policy
Feature Restriction

Additional Security Topics in Part 2

The following are some additional links on security.
Securing SAPUI5 Applications
SMP 3 – Security Concept and Features and the link to the recording 2014 Webinars
How to change SMP3 Keystore and Truststore Passwords

Android Security Tips
Protecting Data Using On-Disk Encryption
iOS Security

HTTPS

iOS 9 introduced App Transport Security, which requires all connections to be made using TLS 1.2.  See also App Transport Security Technote.

Hypertext Transfer Protocol Secure (HTTPS) can be used to communicate between the mobile app and the SMP 3.0 server and between the SMP 3.0 server and the OData endpoint rather than HTTP.  HTTPS provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with (as opposed to an imposter), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

The video SSL Certificate Explained may be useful if you are not very familiar with SSL and HTTPS.

The SMP 3.0 server uses port 8080 by default for HTTP and port 8081 for HTTPS.  In addition, port 8082 is used for mutual authentication (clientAuth="true") and port 8083 is used for the management cockpit.  The ports have a specific name (see the smpConnectorName tag below) and the pre-defined ports are configurable in the Management Cockpit under Settings > Connectors.  For additional details on how the ports are configured see the file below.

C:\SAP\MobilePlatform3\Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml

<Connector smpConnectorName="noSSL" port="8080" protocol="HTTP/1.1"
               maxThreads="250" connectionTimeout="20000" enableLookups="false"
               acceptCount="100" redirectPort="8081" server="SAP" compression="on"
               compressionMinSize="2048"
               compressableMimeType="text/html,text/xml,application/javascript,text/json,text/plain,application/json,application/atom+xml,application/atomsvc+xml,application/xml" />

<Connector smpConnectorName="oneWaySSL"
               protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
               port="8081" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
               keyAlias="smp_crt" clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2" compression="on"
               compressionMinSize="2048"
               compressableMimeType="text/html,text/xml,application/javascript,text/json,text/plain,application/json,application/atom+xml,application/atomsvc+xml,application/xml" />

<Connector smpConnectorName="AdminSSL"
               protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
               port="8083" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
               keyAlias="smp_crt" clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" smpServiceType="admin"
               compression="on" compressionMinSize="2048"
               compressableMimeType="text/html,text/xml,application/javascript,text/json,text/plain,application/json" />

<Connector smpConnectorName="mutualSSL"
               protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
               port="8082" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
               keyAlias="serverkey" clientAuth="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2" compression="on"
               compressionMinSize="2048"
               compressableMimeType="text/html,text/xml,application/javascript,text/json,text/plain,application/json" />

<Connector smpConnectorName="customSSLConnector"
                protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
                port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
                ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
                keyAlias="serverkey" clientAuth="false" sslProtocol="TLS"
                sslEnabledProtocols="TLSv1.2" compression="on"
                compressionMinSize="2048"
                compressableMimeType="text/html,text/xml,application/javascript,text/json,text/plain,application/json,application/atom+xml,application/atomsvc+xml,application/xml" />

Note that the alias of the certificate used by the SMP 3.0 server for connections to 8081, 8082 and 8083 (Management Cockpit) is smp_crt.  This is a self-signed certificate that is created during the install.

Note that in SMP 3.0 SP07 of the server, a change was made to no longer support, by default, SSL/TLS versions older than TLSv1.2.  SP08 SDK hybrid apps running on Android do not support HTTPS using TLS 1.2 with the Logon plugin to register.  To work around this, add TLSv1 and TLSv1.2 as shown above.  TLSv1.2 should be supported by the Logon plugin in SP09 of the SDK.  See HTTPS Connection Problem.
The associated error message on Android is

javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7a4ccbc8: Failure in SSL library, usually a protocol error

The above XML shows a new entry added to support HTTPS on port 443 using a certificate with an alias of serverkey and a smpConnectorName of customSSLConnector.
Note that the SMP 3.0 server requires a restart after making changes to the default-server.xml file.
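Once the Logon plugin supports TLS 1.2, the TLSv1 workaround above should be removed again, and the remaining connectors are worth a second look at the same time.  The following Node.js script is an added example (not code from this post or from SAP) that parses the <Connector> elements of a default-server.xml and reports legacy protocol versions in sslEnabledProtocols, cipher suites without forward-secret key exchange, and plain HTTP listeners.  SAMPLE_SERVER_XML is a constructed, shortened copy of the connectors quoted above; to scan the real file, replace it with the contents read via fs.readFileSync.

```javascript
// Added example, not from the SAP blog post: audit <Connector> elements of a
// Tomcat-style default-server.xml for TLS settings weaker than the TLSv1.2-only default.
// SAMPLE_SERVER_XML is a constructed, shortened copy of the connectors shown in the post.
const SAMPLE_SERVER_XML = `
<Connector smpConnectorName="noSSL" port="8080" protocol="HTTP/1.1" redirectPort="8081" />
<Connector smpConnectorName="oneWaySSL" port="8081" scheme="https" secure="true" SSLEnabled="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    keyAlias="smp_crt" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
<Connector smpConnectorName="AdminSSL" port="8083" scheme="https" secure="true" SSLEnabled="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    keyAlias="smp_crt" clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" smpServiceType="admin" />
<Connector smpConnectorName="mutualSSL" port="8082" scheme="https" secure="true" SSLEnabled="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    keyAlias="serverkey" clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
`;

// Protocol versions that should not appear in sslEnabledProtocols on a hardened listener.
const LEGACY_PROTOCOLS = new Set(["SSLv2", "SSLv3", "TLSv1", "TLSv1.1"]);

// Turn every self-closing <Connector .../> element into an object of its attributes.
// A regex is sufficient because the connector elements are flat, with no nested markup.
function parseConnectors(xml) {
  const connectors = [];
  const elementRe = /<Connector\b([^>]*?)\/>/g;
  const attrRe = /([\w:.-]+)\s*=\s*"([^"]*)"/g;
  let element;
  while ((element = elementRe.exec(xml)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(element[1])) !== null) attrs[attr[1]] = attr[2];
    connectors.push(attrs);
  }
  return connectors;
}

// Findings for a single connector, as short strings that can be logged or asserted on.
function auditConnector(c) {
  const findings = [];
  const name = c.smpConnectorName || `port ${c.port}`;
  if (c.SSLEnabled !== "true") {
    findings.push(`${name}: plain HTTP listener on port ${c.port}`);
    return findings;
  }
  const protocols = (c.sslEnabledProtocols || "").split(",").map((p) => p.trim()).filter(Boolean);
  for (const p of protocols) {
    if (LEGACY_PROTOCOLS.has(p)) findings.push(`${name}: legacy protocol ${p} enabled on port ${c.port}`);
  }
  // Suites whose key exchange is plain RSA (no DHE/ECDHE) offer no forward secrecy:
  // a later compromise of the server key exposes previously recorded sessions.
  const ciphers = (c.ciphers || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (const suite of ciphers) {
    if (!/_(EC)?DHE_/.test(suite)) findings.push(`${name}: cipher ${suite} lacks forward secrecy`);
  }
  return findings;
}

function auditServerXml(xml) {
  return parseConnectors(xml).flatMap(auditConnector);
}

console.log(auditServerXml(SAMPLE_SERVER_XML).join("\n"));
```

On the sample above the script reports the plain HTTP listener on 8080, the TLSv1 and TLSv1.1 entries on the AdminSSL connector, and the TLS_RSA_WITH_AES_128_CBC_SHA suite on every HTTPS connector; which of those are acceptable depends on the clients that still have to connect, but each one should be a deliberate decision rather than a leftover.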

A new certificate can be created in the SMP 3.0 keystore (C:\SAP\MobilePlatform3\Server\configuration\local_smp_keystore.jks) using the Java keytool command as shown below.

keytool -genkeypair -alias serverkey -dname cn=YKFN00528072A.amer.global.corp.sap,c=CA -keystore local_smp_keystore.jks -storepass changeit -keyalg RSA -validity 360 -keysize 2048

Note that the storepass parameter takes the password entered for the SMP 3.0 keystore which is set during the installation of the SMP 3.0 server.
The common name must be the fully qualified domain name of the machine that the SMP 3.0 server is running on.  This must match the name entered into the browser to access the site.  For example the site must be accessed using
https://YKFN00528072A.amer.global.corp.sap and not
https://localhost or
https://ip_number.

Note that the SMP 3.0 server must be restarted after making changes to the local_smp_keystore.jks file.

It is possible to use self-signed certificates in a desktop browser.  The browser will however not be able to verify the certificate as it was not signed by a certificate authority that the browser trusts and will indicate this as shown below.
image16.PNG

The self-signed certificate can be imported into the browser's certificate authority store.
To do so, click on Details > Copy To File > Next > Base-64 encoded X.509 > C:\temp\serverkey.
Then click on Settings > type in cert in the Search settings > Manage certificates > Trusted Root Certification Authorities > Import > c:\temp\serverkey.cer.
At this point the self-signed certificate used by the SMP 3.0 server to identify itself and encrypt communication using SSL will now appear as a Trusted Root Certificate Authority as shown here.
image23.PNG

Once the certificate is installed into the Trusted Root Certification Authorities store and the page is next opened in Chrome (after all instances of Chrome have been shut down), there will no longer be a certificate error (Notice the HTTPS and lock icon in the address bar is green) as shown below.
image17.PNG
Note that the default port number for HTTPS communication is 443 which is why 443 is not shown in the browser’s URL.

The same process can be used to install the certificate used by the Management Cockpit so that when opening the Management Cockpit the user is not presented with a warning screen.
image22.PNG

A better solution is to replace the self-signed smp_crt certificate with a certificate that has been signed by your company’s certificate authority or one of the standard certificate authorities.

When a certificate is signed by a Certificate Authority (CA) that is known to the browser, it is not necessary to manually install the certificate.  The browser contains the CA in its trusted root certificate authorities and will trust certificates that have been signed by that CA.  Here we can see that the certificate used by the Netweaver Gateway demo system was signed by Starfield Secure Certification Authority.
image19.PNG

It is possible to view the trusted certificate authorities available to a browser such as Chrome by choosing Settings > Show Advanced Settings > HTTPS/SSL > Manage Certificates.
image18.PNG

The SMP 3.0 server stores its certificates in two files, C:\SAP\MobilePlatform3\Server\configuration\local_smp_keystore.jks and C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks.  One tool which provides a graphical view of the contents of keystores is KeyStore Explorer.
image20.PNG

The management cockpit as of SP08 also provides a list of installed certificates under Settings > Certificates.

In the image above, we can see that the previously created key with an alias of serverkey is a self-signed certificate as the issuer is the same as the subject.  The other certificate of interest is smp_crt which is the default self-signed certificate used by the SMP 3.0 server.

Unlike a desktop browser such as Chrome, it is not possible to install a self-signed certificate into the device's trusted credentials store to establish an HTTPS connection between the SMP 3.0 server and a mobile device or simulator in a Cordova app.  A certificate signed by a certificate authority is required.  It is possible to create your own certificate authority using OpenSSL and use that certificate authority to sign the server certificate.  The AuthProxy sample demonstrates how to sign a client certificate using a certificate authority created using OpenSSL.  Another approach is to use an SSL provider and request them to sign the certificate.

SAP provides SAP Trust Center Services where one can purchase an SSL server certificate.  Previously there was a free test certificate that could be created.  The following steps are performed using an internal SAP service for signing server certificates and are meant for illustration purposes.  Please use your own company's service if available, a public CA, or perhaps, when available, https://letsencrypt.org/.

  • Download the Root CA certificates from the CA.  The SAP internal files are named SAPGlobalRootCA.crt and SAPNetCA_G2.crt.
    Import the certificates into the local_smp_keystore.jks store.

    keytool -importcert -alias SAPGlobalRootCA -file C:\certs\SAPGlobalRootCA.crt -keystore local_smp_keystore.jks -storepass changeit
    keytool -importcert -alias SAPNetCA_G2 -file C:\certs\SAPNetCA_G2.crt -keystore local_smp_keystore.jks -storepass changeit
    

    Generate a certificate signing request (CSR).

    keytool -certreq -keyalg RSA -alias serverkey -file server.csr -keystore local_smp_keystore.jks -storepass changeit
    

    Provide the certificate signing request to CA.

    Paste the contents of the server.csr file into the form and press the Submit Application button.
    Copy the resultant string and place it in a file named server.rsp.
    The below command will import the signed certificate into the keystore.

    keytool -importcert -alias serverkey -file server.rsp -keystore local_smp_keystore.jks -storepass changeit

    At this point the certificate serverkey is now signed by the SAP SSL Test Server Certificate Authority as shown below.
    image24.PNG

  • A certificate in a keystore can also be viewed using the following command.
    keytool -list -v -keystore local_smp_keystore.jks -alias serverkey -storepass changeit
  • The SMP 3.0 server needs to be restarted after making changes to the local_smp_keystore.jks.
  • Ensure the device or emulator trusts the CA.  If needed, import the CAs into the device trust store.  Here is an example of how to add the two CAs used in this example.
    For Android
    adb push C:\certs\SAPGlobalRootCA.crt /mnt/sdcard/
    adb push C:\certs\SAPNetCA_G2.crt /mnt/sdcard/
    adb shell
    cd /mnt/sdcard
    ls
    exit
    

    Install the certs to the Android trusted credential store via

    Settings -> Personal -> Security -> Install from SD card (requires Android 4.0+)

    Another option is to copy the two files to C:\SAP\MobilePlatform3\Server\webapps\sapui5, and open the emulator’s browser to http://machine_name:8080/sapui5/SAPGlobalRootCA.crt and SAPNetCA_G2.crt.

    Note, on Android 4.4, a warning message is shown after a trusted credential such as SAPServerCA is installed.  For further details see Network may be monitored.

    For iOS
    When using the iOS 7.0 emulator, the SAPServerCA.cer certificate can be installed by simply dragging and dropping it onto the emulator.

    When using an iOS device the certificates can be installed into the device’s trusted store by sending it via an e-mail or by opening the device browser to a webpage that contains a link to the certificate.  The certificate can be viewed and uninstalled under

    Settings -> General -> Profiles

Once a certificate that has not been self-signed is used, the secure toggle can be selected on the Registration screen.  This toggle can be set to true and the HTTPS port set via the Logon plugin’s context (see the index.html from the logon demo) as shown below.

    // Optional initial connection context
    var context = {
        "serverHost": "YKFN00528072A.amer.global.corp.sap", //Place your SMP 3.0 server name here
        "https": "true",
        "serverPort": "443",
        ...
    }

image1.PNG

In summary, when an HTTPS connection is established between a client and the server, the client verifies that the server certificate is signed by a certificate authority that the client trusts, that the certificate has not expired, and that the host it connected to matches the name in the server certificate.

For additional details on certificates see
www.sslshopper.com/ssl-faq.html
Common Keytool Commands
Changing Installed Certificates Used for HTTPS Listeners

Whitelist and Content Security Policy

In Cordova 5.x there is a new plugin named cordova-plugin-whitelist.  This plugin is added by default when creating a new Cordova app.  It is possible to specify where a page can load its dynamic resources from, which locations it can communicate with and which intents it can use.

The following sample attempts to demonstrate this.

  • Create a new project.
    cordova create C:\Kapsel_Projects\WhitelistDemo com.mycompany.whitelist WhitelistDemo
    cd C:\Kapsel_Projects\WhitelistDemo
    cordova platform add android
    
    cordova create ~/Documents/Kapsel_Projects/WhitelistDemo com.mycompany.whitelist WhitelistDemo
    cd ~/Documents/Kapsel_Projects/WhitelistDemo
    cordova platform add ios
    
  • Notice that the whitelist plugin was automatically added to the project.
    C:\Kapsel_Projects\WhitelistDemo>cordova plugins
    cordova-plugin-whitelist 1.0.0 "Whitelist"
    
  • Replace www\index.html with the contents of register7.html.
  • Prepare, build and deploy the app with the following command.
    cordova run android
    or
    cordova run ios

    Notice that you can successfully execute an XMLHttpRequest to register with the SMP server or unregister.
    The intents to call, text or view a location all work. The include to load jQuery succeeds as can be seen by examining the Web Inspector log.
    The SAP logo image successfully loads.
    There is however an error and  warning message coming from the whitelist plugin as seen in the image below.
    image2.PNG

  • Correct this by adding a Content Security Policy meta tag and an intent restriction.  Uncomment the first content security policy meta tag in the index.html.
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'" >
    

    This indicates that only content from the same origin (‘self’) can be loaded and it enables onclick handlers that are used in this sample (‘unsafe-inline’).

    In the config.xml, comment out the intent named geo which will disable the viewing of the map.

        <!--<allow-intent href="geo:*" />-->

    Note, the Android WebView support for Content Security Policy started with Android 4.4.  On an older device, it is recommended to use Crosswalk or use the allow-navigation tags in the config.xml as shown below.

    <!--<access origin="*" />-->
    <allow-navigation href="*://10.7.171.234/*" />
    <allow-navigation href="https://ajax.googleapis.com" />
    <allow-navigation href="http://go.sap.com" />
  • Prepare, build and deploy the app with the following command.
    cordova run android
    or
    cordova run ios
    

    Notice that the Content Security Policy provided prevented the image and the jQuery script from loading, since they are loaded from another site.
    Notice also that this time the register and unregister calls return an error, the include for jQuery fails, as does the SAP logo image.
    Also note that the intent to open a Google map of the SAP Waterloo location no longer works while the other two intents succeed.
    image3.PNG


  • Use the second content security policy meta tag in the index.html.
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com; connect-src http://10.7.171.234:8080; img-src http://go.sap.com" >

    Prepare, build and deploy the app with the following command.

    cordova run android
    or
    cordova run ios

    Notice that there are no longer any error messages.
    Notice also that the registration and unregistration succeed, the jQuery include succeeds, and the SAP logo is shown.
    image4.PNG
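The two outcomes above follow directly from how a browser matches a resource against the policy: a fetch directive that is absent falls back to default-src, 'self' only matches the app's own origin, and a host source matches scheme, host and port.  The following Node.js script is an added example (not part of the post or of Cordova) that implements enough of that matching to evaluate the two meta tags above against the jQuery include, the SAP logo and the registration request.  The resource paths, the app origin file:// and the ports in the test URLs are constructed; treating 'self' as a plain origin comparison for file:// pages is a simplification, and the WebView remains the authority on what actually loads.

```javascript
// Added example, not from the SAP blog post: a minimal CSP evaluator for the fetch
// directives used above (default-src fallback, 'self', 'unsafe-inline', 'none',
// scheme sources such as https:, host sources with optional scheme, wildcard and port).
const FIRST_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const SECOND_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com; " +
  "connect-src http://10.7.171.234:8080; img-src http://go.sap.com";

// Assumed origin of the app's own pages (Android serves www/ from file://).
const APP_ORIGIN = "file://";
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "script-src 'self' https://a.b; img-src x" -> { "script-src": [...], "img-src": [...] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources; // first wins
  }
  return policy;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one scheme-source or host-source expression match the resource URL?
function hostSourceMatches(expr, url, docOrigin) {
  const u = new URL(url);
  const docScheme = new URL(docOrigin).protocol;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol.toLowerCase() === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (u.protocol.toLowerCase() !== `${scheme.toLowerCase()}:`) return false;
  } else if (u.protocol !== docScheme && !(docScheme === "http:" && u.protocol === "https:")) {
    return false; // without an explicit scheme, the document's own scheme is required
  }
  const h = u.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    if (!h.endsWith(host.slice(1).toLowerCase())) return false; // *.example.com: subdomains only
  } else if (host !== "*" && h !== host.toLowerCase()) {
    return false;
  }
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  if (port === "*") return true;
  if (port) return urlPort === port;
  return urlPort === (DEFAULT_PORTS[u.protocol] || ""); // no port given: default port only
}

// Source list governing a resource type, falling back to default-src.
function effectiveSources(policy, type) {
  return policy[`${type}-src`] || policy["default-src"] || null; // null: unrestricted
}

// May a resource of `type` (script, img, connect, style, ...) be loaded from `url`?
function allows(policy, type, url, docOrigin = APP_ORIGIN) {
  const sources = effectiveSources(policy, type);
  if (sources === null) return true;
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'") {
      if (originOf(url) === docOrigin) return true;
    } else if (!s.startsWith("'") && hostSourceMatches(src, url, docOrigin)) {
      return true; // keyword sources ('none', 'unsafe-inline', ...) never match a URL
    }
  }
  return false;
}

// May inline script (the onclick handlers in the sample page) run?
function allowsInline(policy, type = "script") {
  const sources = effectiveSources(policy, type);
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Resources the sample page loads; hosts are the ones in the post, paths are constructed.
const RESOURCES = [
  ["script", "https://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"],
  ["img", "http://go.sap.com/sap-logo.png"],
  ["connect", "http://10.7.171.234:8080/odata/applications/latest/com.mycompany.logon/Connections"],
];

function report(cspHeader) {
  const policy = parseCsp(cspHeader);
  return RESOURCES.map(([type, url]) => `${type} ${url}: ${allows(policy, type, url) ? "allowed" : "blocked"}`);
}

console.log("first policy:\n" + report(FIRST_CSP).join("\n"));
console.log("second policy:\n" + report(SECOND_CSP).join("\n"));
```

Note that connect-src http://10.7.171.234:8080 does not cover the HTTPS port from the earlier section: once registration moves to https on 443, the directive has to change with it, and a request to any other port on the same host is still blocked.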

Password Policy

Before a Kapsel app that includes the Logon plugin can be opened, the unlock screen appears.  This application passcode can be used to provide additional security for the application.
image9.PNG

The rules defining how often the password must be changed, the length of the password, if the password must include digits, upper and lower case letters etc. can be specified.
image15.PNG

Note, if the app does not require an unlock screen, the Disable Passcode button can be pressed.
image7.PNG

This requires that the option Default password allowed checkbox on the Client Password Policy screen be checked.

If the application does not register with an SMP 3.0 server, the passcode policy can be specified as shown below using the initPasscodeManager API call rather than init.

var passcodePolicy = {
    "expirationDays":"0",
    "hasDigits":"false",
    "hasLowerCaseLetters":"false",
    "hasSpecialLetters":"false",
    "hasUpperCaseLetters":"false",
    "defaultAllowed":"true",
    "lockTimeout":"0",
    "minLength":"6",
    "minUniqueChars":"0",
    "retryLimit":"0"
};

//Used if the application is not registering with the SMP 3.0 server.  New to SP03.
sap.Logon.initPasscodeManager(successCallback, errorCallback, appId, null, passcodePolicy, context);
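The meaning of each field in passcodePolicy is easier to review with a checker beside it.  The following Node.js script is an added example and is not part of the Logon plugin, which enforces the policy on the device itself; it applies the same rules to a candidate passcode and lists the settings in a policy that weaken it.  The post's policy object is reused as-is, STRICT_POLICY is a constructed stricter variant, and the interpretation of each field is taken from its name; expirationDays, lockTimeout and retryLimit are runtime behaviours the plugin applies and are not modelled here.

```javascript
// Added example, not from the SAP blog post or the Logon plugin: evaluate a candidate
// passcode against a policy object in the shape initPasscodeManager takes.
const SAMPLE_POLICY = {          // the policy object shown in the post
  "expirationDays": "0", "hasDigits": "false", "hasLowerCaseLetters": "false",
  "hasSpecialLetters": "false", "hasUpperCaseLetters": "false", "defaultAllowed": "true",
  "lockTimeout": "0", "minLength": "6", "minUniqueChars": "0", "retryLimit": "0"
};

const STRICT_POLICY = {          // constructed stricter variant for comparison
  ...SAMPLE_POLICY, "hasDigits": "true", "hasLowerCaseLetters": "true", "hasSpecialLetters": "true",
  "hasUpperCaseLetters": "true", "defaultAllowed": "false", "minLength": "8", "minUniqueChars": "5"
};

// The post passes booleans and numbers as strings, so accept both forms.
const flag = (v) => v === true || String(v).toLowerCase() === "true";
const num = (v) => parseInt(v, 10) || 0;

// Character-class requirements: policy field, matching pattern, description.
const CLASS_RULES = [
  ["hasDigits", /[0-9]/, "at least one digit"],
  ["hasLowerCaseLetters", /[a-z]/, "at least one lower-case letter"],
  ["hasUpperCaseLetters", /[A-Z]/, "at least one upper-case letter"],
  ["hasSpecialLetters", /[^A-Za-z0-9]/, "at least one special character"],
];

// Returns the list of rules the passcode violates; an empty list means it is acceptable.
function checkPasscode(passcode, policy) {
  const violations = [];
  if (!passcode) {
    // An empty passcode corresponds to the Disable Passcode button, allowed only by defaultAllowed.
    if (!flag(policy.defaultAllowed)) violations.push("defaultAllowed: an empty passcode is not permitted");
    return violations;
  }
  const minLength = num(policy.minLength);
  if (passcode.length < minLength) violations.push(`minLength: ${passcode.length} < ${minLength}`);
  for (const [field, re, text] of CLASS_RULES) {
    if (flag(policy[field]) && !re.test(passcode)) violations.push(`${field}: requires ${text}`);
  }
  const unique = new Set(passcode).size;
  const minUnique = num(policy.minUniqueChars);
  if (unique < minUnique) violations.push(`minUniqueChars: ${unique} < ${minUnique}`);
  return violations;
}

// Settings in a policy that a reviewer would want to notice before it ships.
function policyWeaknesses(policy) {
  const weak = [];
  if (flag(policy.defaultAllowed)) weak.push("defaultAllowed: users may skip the passcode (Disable Passcode button)");
  if (!CLASS_RULES.some(([field]) => flag(policy[field]))) weak.push("no character-class requirement: a passcode may be all digits");
  if (num(policy.minLength) < 6) weak.push(`minLength: ${num(policy.minLength)} is shorter than 6`);
  return weak;
}

console.log("sample policy weaknesses:", policyWeaknesses(SAMPLE_POLICY));
console.log("strict policy weaknesses:", policyWeaknesses(STRICT_POLICY));
console.log("'123456' under sample policy:", checkPasscode("123456", SAMPLE_POLICY));
console.log("'password' under strict policy:", checkPasscode("password", STRICT_POLICY));
```

With the post's policy, a six-digit PIN passes and the passcode can be disabled entirely, which is what the Default password allowed checkbox in the cockpit controls; the checker makes that trade-off visible before the policy is pushed to devices.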

Feature Restriction

In some cases, it may be a company policy to restrict certain types of functionality on a device.  Starting with SMP 3.0 Server SP05, the feature restriction capability provides this ability.  This list can be seen in the management cockpit under Application > Client Policy tab.
imagefr1.PNG

In order to make use of this, the Settings plugin provides an API that can be used to see if a feature is available or not.

isFeatureEnabled(FeatureName, successCallback, errorCallback)

To try this out, start with the example shown in the Logon section named Accessing the Values Stored by the Logon Plugin.

  • Add the Cordova contacts plugin and the Kapsel settings plugin.
    cordova plugin add cordova-plugin-contacts
    cordova plugin add kapsel-plugin-settings --searchpath %KAPSEL_HOME%/plugins
    or
    cordova plugin add kapsel-plugin-settings --searchpath $KAPSEL_HOME/plugins

    Each time the application starts a settings exchange will occur between the app and the SMP 3.0 server.  The information passed to the app includes the feature policy which is then accessible to the app.

  • Add the following methods to index.html which will enable the selection of a contact from the list of contacts on the device.
    function pickContact() {
        //first check if the feature is enabled
        sap.Settings.isFeatureEnabled("navigator.contacts", isPickContactEnabledCallback, errorCallback);
    }
    
    function isPickContactEnabledCallback(enabled) {
        if (enabled) {
            navigator.contacts.pickContact(contactPickedCallback, errorCallback);
        }
        else {
            alert("The Contacts Plugin has been disabled by the feature restriction policy");    
        }
    }
    
    function contactPickedCallback(contact)  {
        alert("The following Contact was selected: " + JSON.stringify(contact));
    }
    
    function errorCallback(error) {
        alert(JSON.stringify(error));
    }
    
    
  • Add a button to show the contacts picker.
    <button id="picker" onclick="pickContact()">Choose Contact</button>
  • Optionally modify the method SettingsExchangeDone in
    C:\Kapsel_Projects\LogonDemo\plugins\kapsel-plugin-settings\www\settings.js

    to display the info returned from the SMP server during the settings exchange.

    console.log("YYZ Settings are: " + JSON.stringify(JSON.parse(message)));
    
  • Prepare, build and deploy the app with the following command.
    cordova run android
    or
    cordova run ios

    Click on Register and then press the Choose Contact button.
    imagefr2.PNG
    imagefr3.PNG

    Notice that the application has access to the device’s contacts.

  • The next step will be to demonstrate how the functionality exposed through the Cordova contacts plugin can be disabled by an administrator.
    In the management cockpit, select Applications > com.mycompany.logon > Client Policy > select the Contacts plugin in the Available Feature Policy table and click on Restrict.
  • Exit and reopen the app. Notice that this time the contacts picker is not shown after the Choose Contact button is pressed.
    imagefr4.PNG
  • Note, some Fiori apps use the Camera API, rather than the Cordova Camera plugin.  The Feature Restriction policy can only be applied to plugins.

Security Part 2

Back to Getting Started With Kapsel


3 Comments


  1. Premnarayan Patidar

    Hi Daniel,

    I am trying the feature restriction policy you have explained above. I am unable to read the contact using the settings code you have given; it returns nothing, basically.  Also, I could not see any code related to the feature restriction policy in your attached (register7.html) file. Could you please provide more details for this?

    thanks, prem

    1. Daniel Van Leeuwen Post author

      If you are running this on an emulator, have you added some contacts?

      The register7.html file is used by the section called Whitelist and Content Security Policy and is not used by the Feature Restriction section.

      It might help to open the Web Inspector on your project and see if there are any JavaScript errors or perhaps use it to step through the JavaScript code. 

      Getting Started with Kapsel – Appendix B — Debugging (SP09+)

      Regards,

      Dan van Leeuwen

