Authentication to mobile services application using certificates issued by custom CA

To access Mobile services applications using certificates issued by an enterprise CA that is not part of the Trusted Certificate Authorities for Client Certificate Authentication, there are two options.

• Setup a custom domain and upload the desired CA certificates as trusted entries. Configure mobile services applications to use X.509 Certificate authentication.
• Configure the mobile application to use SAML as the authentication mechanism. Setup a custom SAML IdP to require certificates to authenticate the user and issue a SAML response to the cloud platform. This is preferable if you wish to use such certificates for accessing multiple applications deployed in the cloud platform account and not just mobile services applications. Please note that the IdP configuration to require certificate authentication should be handled by the IdP administrator.

This blog focuses on the first alternative. To authenticate users to mobile services applications using certificates issued by custom CA, follow the steps below to configure the cloud platform account:

1. Set up custom domain using Cloud Platform documentation on Configuring Custom Domains. In the step to “Add the custom domain”

   neo add-custom-domain --account mysubaccount --user mymail@example.com --host hana.ondemand.com
   --custom-domain www.example.com --application-url mysubaccountmyapp.hana.ondemand.com --ssl-host mysslhostname

   application-url value should be “mobile-<account-id>. <landscape_identifier>.hana.ondemand.com”, where <landscape_identifier> is similar to us1, eu1, and so forth. For ex: mobile-abcd1234.hana.ondemand.com or mobile-abcd1234.eu1.hana.ondemand.com or mobile-abcd1234.ap1.hana.ondemand.com

2. Upload the custom CA certificate(s) used for issuing the user certificates to the Big IP instance serving the custom domain as trusted CA(s) so that the user certificates can be validated successfully. Refer to Managing Client Certificate Authentication for Custom Domains for details.
3. Follow mobile services documentation on the topic “Configuring X.509 Certificate Authentication” to create and upload a keystore with the above trusted CA certificate(s) to mobile services.