The WebView used in a Cordova application does not prompt the user for credentials or for a client certificate the way a regular browser does when the server asks for them. In addition, on iOS the WebView gives no feedback when incorrect credentials are used.
The AuthProxy plugin can handle the HTTP communication for an app and, as of SP04, presents a dialog for the user to enter credentials or to choose a client certificate when the preference SAPKapselHandleHttpRequests is set to true.
When an app must present a certificate to the server to identify itself, this is known as client authentication or mutual authentication. An example is being required to present a client certificate as part of the onboarding process to register with an application, or to access an OData provider (not needed to complete the example). This occurs mostly in business-to-business (B2B) applications. It differs from most business-to-consumer (B2C) websites, such as an online banking site, where only the server authenticates itself to the client, with a certificate signed by a certificate authority (CA). For additional details on the AuthProxy plugin see the JavaScript file in a project that includes this plugin at
project_name\www\plugins\com.sap.mp.cordova.plugins.authproxy\www\authproxy.js
or the JS documentation in the Kapsel AuthProxy API Reference.
The following two examples demonstrate the functionality of the AuthProxy plugin.
Making an OData request through the AuthProxy Plugin
Using Client Certificates
The following steps will demonstrate what happens when an incorrect password is sent to a backend OData endpoint and how this behavior can be improved with the AuthProxy plugin.
<button id="chgPwd" onclick="sap.Logon.changePassword(logonSuccessCallback, errorCallback)">Change Password</button>
<preference name="SAPKapselHandleHttpRequests" value="false" />
cordova prepare
Run the example and choose Unregister, Register, provide the valid username and password, and then once registered, click on Read. Notice that the data is returned.
<preference name="SAPKapselHandleHttpRequests" value="true" />
cordova prepare
This example will demonstrate how to use the AuthProxy plugin to register with the SMP 3.0 server using a client certificate and how to use a client certificate in a request to access an OData endpoint. Before continuing, complete the HTTPS section in the Security Appendix, as HTTPS must be set up before client authentication can be added.
The OpenSSL toolkit will be used to create a certificate authority that will sign a client certificate.
Note that this example does not use the Logon plugin to perform the registration, as the Logon plugin requires SAP Afaria to provide a client certificate or, as of SP03, the CertificateProvider interface. See SAP Afaria and Kapsel and X.509 Certificate Interface for additional details on how to use client certificates with the Logon plugin.
This example can be run on an Android device or emulator, an iOS device, or an iOS 7 simulator. The server certificate must be installed into the device's system store, which is not possible in an iOS simulator prior to version 7.0.
Note, the following instructions are meant for demonstration purposes only. Security in a production environment should be managed by your company's security professional.
C:\SAP\MobilePlatform3\Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml
<Connector smpConnectorName="mutualSSL" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol"
port="8082" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
keyAlias="serverkey" clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
clientAuth="true" is what makes this connector demand a client certificate on every handshake. Note that this demonstration connector also enables TLSv1 and TLSv1.1 and only CBC-mode cipher suites; outside a demo, restrict sslEnabledProtocols to TLSv1.2 and prefer ECDHE/GCM suites that the server build supports.
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Java\jdk1.7.0_45\bin;C:\OpenSSL-Win64\bin;
set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
openssl s_client -connect localhost:8080 > c:\temp\8080.txt
openssl s_client -connect localhost:8082 > c:\temp\8082.txt
8080.txt will contain the following text.
no peer certificate available
---
No client certificate CA names sent
This indicates that the server on port 8080 is not presenting a certificate (i.e. no HTTPS, so no encryption and no server identification). 8082.txt, from the mutualSSL connector, will instead list the certificate authorities whose client certificates the server accepts:
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary Certification Authority - G3
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
...
/C=CA/ST=Ontario/L=Waterloo/O=SAP/OU=SAP Canada/CN=demoRootCA
The last entry will appear after following the steps below, which create a certificate authority named demoRootCA that is used to sign a client certificate named user1. After following these instructions, an app will be created that passes the client certificate user1 to the SMP 3.0 server during registration, and the SMP 3.0 server will accept the registration because it trusts the certificate authority demoRootCA.
In the openssl.cfg named by OPENSSL_CONF above, the default values that openssl req prompts for can be set so that they match the demoRootCA subject:
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Waterloo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = SAP
cd C:\OpenSSL-Win64
mkdir certs
cd certs
mkdir demoCA
cd demoCA
type NUL > index.txt
echo 01 > serial
mkdir newcerts
mkdir private
cd C:\OpenSSL-Win64\certs
openssl genpkey -des3 -out demoRootCA.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass pass:112233
openssl req -new -x509 -days 3650 -key demoRootCA.key -out demoRootCA.crt
move demoRootCA.crt demoCA
move demoRootCA.key demoCA\private
keytool -import -deststorepass changeit -destkeystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -file demoCA\demoRootCA.crt -alias demoRootCA
The SMP 3.0 server will now accept client certificates that have been signed by this certificate.
keytool -list -v -keystore C:\SAP\MobilePlatform3\Server\configuration\smp_keystore.jks -alias demoRootCA -storepass changeit
openssl genpkey -des3 -out user1.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass pass:changeit
(-pkeyopt rsa_keygen_bits:2048 is added here; without it, older OpenSSL builds generate a 1024-bit key.)
openssl req -new -key user1.key -out user1.csr -passin pass:changeit
Note, enter can be pressed for the question A challenge password.
openssl ca -cert demoCA\demoRootCA.crt -keyfile demoCA\private\demoRootCA.key -out user1.crt -infiles user1.csr
openssl ca takes the CA certificate and key locations from the [ CA_default ] section of openssl.cfg, whose stock defaults are $dir/cacert.pem and $dir/private/cakey.pem; the -cert and -keyfile options added above point it at the demoRootCA files created earlier (equivalently, set certificate and private_key in openssl.cfg to those paths). It will prompt for the CA key passphrase (112233 above) and ask you to confirm signing and committing the certificate.
openssl pkcs12 -export -out user1.p12 -inkey user1.key -in user1.crt -name user1 -certfile demoCA\demoRootCA.crt -passin pass:changeit -passout pass:changeit
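The same CA and client-certificate procedure as a POSIX shell script for Linux/macOS, with the checks worth running before user1.p12 is copied to a device. This is an added example, not code from the original tutorial or from SAP: it keeps the tutorial's file layout (demoCA/index.txt, serial, newcerts, private) and passphrases, but drives openssl with a minimal inline config so that openssl ca finds the CA under the file names the tutorial uses, and it adds an extendedKeyUsage of clientAuth to the leaf. The scratch directory, the subject names and the use of AES instead of DES3 for key encryption are assumptions; openssl must be on PATH. Importing demoRootCA.crt into smp_keystore.jks with keytool is unchanged from the steps above.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: the demoRootCA / user1
# procedure as a POSIX shell script, plus the checks worth running before
# copying user1.p12 to a device. Keeps the tutorial's file layout and
# passphrases; uses an inline openssl config so "openssl ca" finds the CA
# under the file names the tutorial uses. Assumes openssl is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # assumption: scratch directory for all files
CA_PASS="${CA_PASS:-112233}"        # CA key passphrase from the tutorial
USER_PASS="${USER_PASS:-changeit}"  # user1 key and PKCS#12 passphrase from the tutorial

setup_ca() {
  cd "$WORK"
  mkdir -p demoCA/newcerts demoCA/private
  : > demoCA/index.txt     # empty issued-certificate database
  echo 01 > demoCA/serial  # next serial number to issue
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./demoCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/demoRootCA.crt
private_key   = $dir/private/demoRootCA.key
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
  # Passphrase-protected 2048-bit CA key and a self-signed root valid 10 years.
  openssl genpkey -aes-256-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -pass pass:"$CA_PASS" -out demoCA/private/demoRootCA.key
  openssl req -new -x509 -days 3650 -config ca.cnf -extensions v3_ca \
    -key demoCA/private/demoRootCA.key -passin pass:"$CA_PASS" \
    -subj "/C=CA/ST=Ontario/L=Waterloo/O=SAP/OU=SAP Canada/CN=demoRootCA" \
    -out demoCA/demoRootCA.crt
}

issue_client_cert() {
  cd "$WORK"
  # user1 key and CSR (the subject is an assumption; the tutorial prompts for it).
  openssl genpkey -aes-256-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -pass pass:"$USER_PASS" -out user1.key
  openssl req -new -config ca.cnf -key user1.key -passin pass:"$USER_PASS" \
    -subj "/C=CA/ST=Ontario/L=Waterloo/O=SAP/OU=SAP Canada/CN=user1" -out user1.csr
  # Sign with the CA; v3_client marks the result as a TLS client certificate.
  openssl ca -batch -notext -config ca.cnf -extensions v3_client \
    -passin pass:"$CA_PASS" -in user1.csr -out user1.crt
  # Bundle key, certificate and issuing CA into the PKCS#12 the app loads.
  openssl pkcs12 -export -name user1 -inkey user1.key -in user1.crt \
    -certfile demoCA/demoRootCA.crt -passin pass:"$USER_PASS" \
    -passout pass:"$USER_PASS" -out user1.p12
}

verify_chain() {
  cd "$WORK"
  # user1.crt must chain to demoRootCA, the CA the server trusts after keytool -import.
  openssl verify -CAfile demoCA/demoRootCA.crt user1.crt >/dev/null
  # The PKCS#12 must open with the passphrase the app passes to CertificateFromFile.
  openssl pkcs12 -in user1.p12 -passin pass:"$USER_PASS" -nokeys -clcerts \
    | openssl x509 -noout -subject | grep -q 'CN *= *user1'
  # The leaf must be marked as usable for client authentication.
  openssl x509 -in user1.crt -noout -text | grep -q 'TLS Web Client Authentication'
}

setup_ca
issue_client_cert
verify_chain
echo "user1.p12 signed by demoRootCA written to $WORK"
```

The three checks in verify_chain catch the usual reasons a registration fails after this step: a leaf signed by a different CA than the one imported into smp_keystore.jks, a wrong PKCS#12 passphrase in the CertificateFromFile call, and a certificate without a client-authentication key usage.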
com.mycompany.authproxy
Set the endpoint to be
https://sapes1.sapdevcenter.com/sap/opu/odata/IWFND/RMTSAMPLEFLIGHT
The alias name should match the alias name of a certificate in the smp_keystore.jks that is used to access the OData source.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]
"1"="{\"pattern\":\"*\",\"filter\":{\"ISSUER\":{\"CN\":\"SSO_CA\"}}}"
See also List of Policies for Chrome.
cordova -d create C:\Kapsel_Projects\AuthProxyDemo com.mycompany.authproxy AuthProxyDemo "{\"plugin_search_path\":\"C:/SAP/MobileSDK3/KapselSDK/plugins/\"}"
cd C:\Kapsel_Projects\AuthProxyDemo
cordova -d platform add android
cordova -d create ~/Documents/Kapsel_Projects/AuthProxyDemo com.mycompany.authproxy AuthProxyDemo "{\"plugin_search_path\":\"/Users/i826567/SAP/MobileSDK3/KapselSDK/plugins/\"}"
cd ~/Documents/Kapsel_Projects/AuthProxyDemo
cordova -d platform add ios
cordova plugin add https://git-wip-us.apache.org/repos/asf/cordova-plugin-console.git
cordova -d plugin add com.sap.mp.cordova.plugins.authproxy
cordova -d prepare
adb push user1.p12 /mnt/sdcard/
adb shell
cd /mnt/sdcard
ls
exit
For iOS
clientCert = new sap.AuthProxy.CertificateFromFile("/mnt/sdcard/user1.p12", "changeit", "user1"); //Android
clientCert = new sap.AuthProxy.CertificateFromFile("user1.p12", "changeit", "user1"); //iOS
On iOS, the certificate could be loaded from the certificate store after it is first loaded into the application's keychain via a call to CertificateFromFile, and CertificateFromStore used afterwards. In this example only CertificateFromFile is used.
sap.AuthProxy.CertificateFromLogonManager("clientKey")
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
Alternatively, if using Android 4.3 or lower, modify Settings -> Developer Options -> Protect SD Card -> Uncheck.
<preference name="SAPKapselHandleHttpRequests" value="true" />
Modify index.html and comment out the following two lines in the init and register methods.
//OData.defaultHttpClient = sap.AuthProxy.generateODataHttpClient(); //In SP04, this method is no longer needed when using SAPKapselHandleHttpRequests
...
//certificateSource : clientCert,
Now when the SMP 3.0 server requests a client certificate, a dialog showing the available client certificates is shown. Note the client certificates must be installed into the device's certificate store in order to be shown in the dialog.
sap.AuthProxy.addHTTPSConversionHost(successCallback, errorCallback, "http://ykfn00528072a.amer.global.corp.sap");
Add the following two methods
function successCallback() {
console.log("Success");
}
function errorCallback() {
console.log("Error");
}
Also note that the getSMPURL method needs to be changed from returning https to http.
sap.AuthProxy.startIntercepting(successCallback, errorCallback); //New in SP08, not needed in SP07.
sap.AuthProxy.addHTTPSConversionHost(successCallback, errorCallback, "http://YKFN00528072A.amer.global.corp.sap");
Add the following two methods
function successCallback() {
console.log("Success");
}
function errorCallback() {
console.log("Error");
}
Also ensure the below setting is set to true.
<preference name="SAPKapselHandleHttpRequests" value="true" />
When the Logon plugin attempts to register, the AuthProxy plugin intercepts the request and, since the server requires a client certificate to complete it, shows the Choose certificate dialog as shown below.
The links below contain some additional information on SSL, certificates, configuring a Tomcat server to use client authentication, and how to add an OData producer to Tomcat.
Mutual Authentication
Tomcat SSL How To
Tomcat Mutual Authentication
OData4J
Hosting OData4J in Tomcat