Appendix 😧 Security Part 2
This appendix goes over some topics that should be considered for secure Kapsel apps.
Cross-Site Request Forgery (CSRF)
Sharing Credentials between Applications
Accessing the SMP 3.0 Server From Outside a Corporate Firewall or on a Cellular Network
Using the X.509 Certificate Provider to Register using a Client Certificate
Things to Consider Before Release
SiteMinder
Additional Security Topics in Part 1
Cross-Site Request Forgery (CSRF)
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. See Cross-Site Request Forgery (CSRF) for additional details.
The SAP Netweaver Gateway system protects against CSRF attacks by requiring that all modifying requests include an X-CSRF-Token in the header of the request. The value of this is returned from a GET request. See Cross-Site Request Forgery Protection for additional details. The included index.html demonstrates how to perform create, update and delete operations that make use of the CSRF header. To use this provide the user id and password for the OData source on line 6, place a copy of datajs-1.1.2.min.js into the same folder as the HTML file and deploy the Kapsel app. Notice below that the carrier ID AA has been deleted and the currency for AC has been changed to USD. 
Sharing Credentials between Applications
If multiple applications on a device connect to the same SAP Mobile Platform server and use the same user name and password or certificate, those can be shared between apps so that they only need to be entered once. The shared credentials are managed by an application called Client Hub which integrates with the Logon plugin. The Client Hub is provided as an Android and iOS project that can be built and installed on a mobile device or simulator. It is part of the mobile SDK native SDK.
C:\SAP\MobileSDK3\ClientHub For additional details see Client Hub.
Note the applications that are sharing credentials can be either native mobile applications or Kapsel applications.
Note that the Client Hub does not work with the iOS 8 simulator. See BCP issue 1570001617.
The Client Hub project and the Kapsel projects must be signed by the same certificate. For more information on Android application signing see Signing Your Applications.
Perform the following steps to share credentials between two Kapsel apps.
- Deploy the ClientHub project to a device or emulator. When it starts provide a single sign-on password.
- Open the LogonDemo project which was described in the section named Logon.
- Note, if deploying to an iOS device the clienthubEntitlements keychain group must be added to the entitlements section as well as the bundle identifier.
Note the bundle identifier can also be represented as $(CFBundleIdentifier).
Xcode 5
- On Android, add a folder and file named LogonDemo/res/raw/clienthub.properties. The contents should include
Host=10.7.171.208
Port=8080
HTTPS=false
SecurityConfiguration=Config123
UserCreationPolicy=automatic
FarmID=0
Domain=default
URLSuffix=
- Note that on Android the FarmID, Domain and URLSuffix fields must be provided even though they are not being used in this example.
- On iOS, right click on the project and choose New File > iOS > Resource > Property List and name the file clienthub. Right-click on the file and choose Open As > Source Code. The contents should include
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Host</key>
<string>10.7.171.208</string>
<key>Port</key>
<string>8080</string>
<key>HTTPS</key>
<false/>
<key>SecurityConfiguration</key>
<string>Config456</string>
<key>UserCreationPolicy</key>
<string>automatic</string>
</dict>
</plist> - The value of SecurityConfiguration must be the same across apps that wish to share credentials on the device.
- Remove the app from the device or simulator. Deploy and run the app LogonDemo. When it starts the single sign-on password for the client hub screen is requested.
Notice that the registration screen is not shown. When using the Client Hub, the connection details for the SMP 3.0 server (host, port etc.) must be statically supplied in the plist or properties file. - Create a second Kapsel project with a name of LogonDemo2 and an application id of com.mycompany.logon2. Follow the steps in the section named Logon.
- Follow the steps shown in Configuring a Kapsel App in the Management Cockpitto create an Application with the application id of
com.mycompany.logon2 - Create the clienthub file as described previously.
- Deploy and run Logon2. When it starts, the single sign-on password screen is presented.
Notice that the screen asking for a username and password was not shown as the username and password are provided from the Client Hub app.
If Logon Demo 2 is closed and reopened, it is only the app's passcode screen that is shown.
- Note that on iOS, it is necessary to press the reset button in the Client Hub before removing the Client Hub application.
Accessing the SMP 3.0 Server From Outside a Corporate Firewall or from a Cellular Network
Support for the Relay Server was added as part of the SMP 3.0 SP03 release. SAP provides a publicly hosted relay server that can be used in development to enable a server such as the SMP 3.0 server to be available to devices outside of a corporate firewall or on a different network. In a production environment it is recommended that you install the relay server into your own environment.
The relay server works by establishing a persistent connection between the rsoe.exe (outbound enabler) which typically runs on the same machine as the SMP 3.0 server and a relay server (which is publically reachable). The publicly hosted relay server is running at http://relayserver.sybase.com and more recently at http://relayserver.sap.com.
The complete documentation is available at Relay Server.
The relay server is part of the SAP Sybase SQL Anywhere product. If you do not already have a copy of it, a trial version can be downloaded from SAP Sybase SQL Anywhere 16 Developer Edition. During the install, ensure the option Relay Server is checked.
The following steps demonstrate how to use the publicly hosted relay server to enable a Kapsel app to be able to connect to an SMP 3.0 server running behind a corporate firewall or on a different network. Before following the below steps, make sure that the server connections in the SMP 3.0 server are using test data only or have sufficient security setup.
- Create a file named C:\Kapsel_Projects\rsoeSMP.config. Here is what my settings look like. The farm name must be unique.
The outbound enabler options are documented here. Note the settings for proxy_host and proxy_port. If your network does not use a proxy server, remove these values.-f dan.van.leeuwen.rsFarm
-id rsoeSMP
-t d5337df5a9a26141ce52bd0f5b59
-cr "host=relayserver.sap.com;https=1;port=443;proxy_host=proxy;proxy_port=8080;url_suffix=/rs1/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 4
-o c:\temp\rsoe_smp.log
-os 10M - Locate the outbound enabler (rsoe.exe). It should be located at C:\Program Files\SQL Anywhere 16\Bin64 and start it from a command window.
rsoe @c:\Kapsel_Projects\rsoeSMP.config
- Open a browser and verify that the SAPUI5 page can be accessed through the relay server.
http://relayserver.sap.com/rs1/client/rs_client.dll/dan.van.leeuwen.rsFarm/sapui5/
Note, the value dan.van.leeuwen.rsFarm will need to be replaced with your subscription ID and farm name. At this point the relay server is allowing access to the SMP 3.0 server running on your laptop from any machine or device that can reach the public URL relayserver.sap.com. - Finally modify the sample from the Logon sample to use the relay server. This will enable the Kapsel app to register against a SMP 3.0 server that is on a private network from another network.
In register3.html, change the context to use the relay server. The changed context is shown below. Note, the farmId dan123.rsFarm will need to be modified to match the subscription ID provided when registering with the hosted relay server.var context = {
"serverHost": "relayserver.sap.com", //Place your SMP 3.0 server name here
"https": "false",
"serverPort": "80",
"user": "i82xxx", //Place your user name for the OData Endpoint here
"password": "xxx", //Place your password for the OData Endpoint here
//once set can be changed by calling sap.Logon.changePassword()
"communicatorId": "REST",
"passcode": "password", //note hardcoding passwords and unlock passcodes are strictly for ease of use during development
//once set can be changed by calling sap.Logon.managePasscode()
"unlockPasscode": "password",
"passcode_CONFIRM":"password",
"farmId" : "dan.van.leeuwen.rsFarm",
"resourcePath" : "rs1/client/rs_client.dll"
};
Using the X.509 Certificate Provider to Register using a Client Certificate
Client certificates can be used by applications to uniquely identify a user to the SMP 3.0 server or to an OData backend. Client certificates can be passed to the Logon Plugin either by SAP Afaria or via the X.509 Certificate Provider Interface. The AuthProxy plugin can access a certificate directly via its CertificateFromFile or CertificateFromStore classes. The Authproxy plugin can also access a certificate from the Logon plugin via the class CertificateFromLogonManager but the Logon plugin cannot access a certificate from the AuthProxy plugin. If the AuthProxy setting SAPKapselHandleHttpRequests is set to true, then on Android when challenged for a certificate, the system choose certificate dialog will appear. On iOS, only certificates that are part of the application's key chain are displayed. For further details see Making Certificates and Keys Available To Your App and Finding a certificate for further details.
The X.509 Certificate Provider is an interface that can be used to integrate third-party certificate providers with the Logon plugin. For additional details see Using the X.509 Certificate Provider Interface to Integrate with Third-Party Certificate Providers and https://github.com/SAP/mobilesdk-certificateprovider.
The following steps demonstrate how to use this interface to allow the Logon plugin to access a client certificate that is stored on an Android device or emulator. It is intended that this same technique can be used to allow the Logon plugin to work with third-party software that will provide the certificate to the device rather than simply accessing a certificate that is already on the device. This example uses the Logonsample.
- Add the sample implementation of the X.509 certificate provider to the project. The source to two required Java files can be copied from CustomCertificateProvider.java and CustomKeyManager.java
In the file CustomCertificateProvider.java, modify the initial value of _alias to match the name of the client certificate and change the line settings.put("filepath", "user1.p12"); to match the name of the client certificate. - Add the below bolded line to the AndroidManifest.xml file to indicate the class name the logon plugin should load which implements the X.509 certificate provider API.
<application android:hardwareAccelerated="true" android:icon="@drawable/icon" android:label="@string/app_name">
<meta-data android:name="certFromFileProvider" android:value="com.example.certificatefromfileprovider.CustomCertificateProvider" /> - Modify index.html to instruct the Logon plugin to use the X.509 Certificate Provider API. Change the two occurrences of the line
Modify the index.html to usesap.Logon.init(logonSuccessCallback, logonErrorCallback, appId, context);
to
sap.Logon.init(logonSuccessCallback, logonErrorCallback, appId, context, null, "certFromFileProvider");
//null indicates to use the default view provider, "certFromFileProvider" is the name of the class to load
var appId = "com.mycompany.authproxy";
...
"serverHost": "ykfn00528072a.amer.global.corp.sap", //Must be the fully qualified host name
"https": "true",
"serverPort": "8082" //mutual authentication port
- Copy the file x509ProviderUI.view.js to C:\Kapsel_Projects\LogonDemo\plugins\com.sap.mp.cordova.plugins.logon\www\common\assets\ui\resources\x509ProviderUI.view.js
Copy the file i18n.provider.properties to C:\Kapsel_Projects\LogonDemo\plugins\com.sap.mp.cordova.plugins.logon\www\common\assets\i18n\i18n.provider.properties - The following instructions enable the read request to include the client certificate.
Add the following line to the start of the init method
Add the following two bolded lines to the read method.//Integrate datajs with HTTPS proxy
OData.defaultHttpClient = sap.AuthProxy.generateODataHttpClient();
Also note that the certificate alias property of the endpoint in the management cockpit can be used to specify a certificate alias.clientCert = new sap.AuthProxy.CertificateFromLogonManager("com.mycompany.logon");
var request = {
headers : oHeaders,
certificateSource : clientCert,
requestUri : sUrl,
method : "GET"
}; - This example requires that the SMP 3.0 server has been configured to use port 8082 for mutual authentication. See the AuthProxy plugin section for additional details.
- Ensure that the public key of the certificate authority used to sign the SMP 3.0 server's certificate for port 8082 is installed onto the Android device or emulator and that the client certificate has been uploaded to the device. This is covered in the AuthProxy section of the guide.
- Copy the files to the platform directory by running
cordova -d prepare - Use the Android IDE to deploy and run the project.
Note, there seems to be a focus bug in the screen Get File Certificate Settings. After providing the password, click on an empty space before pressing the submit button.
- Note that the CustomCertificate Provider.java class can be debugged using Eclipse by placing a breakpoint in the method setParamaters and then clicking on Run > Debug. After pressing the Submit button on the Get File Certificate Settings screen the breakpoint should be hit.
Things to Consider Before Release
Consider minifying or even obfuscating your code if you wish to make it harder for someone to examine your code.
Ensure that the app cannot be debugged. See the debugging section for additional details.
Remove any hardcoded passwords. Many of the samples have these set in the context variable so they do not need to be entered for ease of use during development.
Ensure that the log level is set appropriately and that the log commands that are left are intended to be in the production code. Review the log output to ensure that nothing is being logged that should not.
Review the client password policy and ensure that it is set appropriately.
Consider adding a Mobile Device Management solution such as SAP Afaria to enforce a lock screen, a password policy, to enable remote wipes of a device and to prevent devices from being rooted or jail broken.
SiteMinder
SiteMinder is a commonly used access management solution that can be used with the SMP 3.0 platform. The following links provide additional details.
CA SiteMinder
Single Sign-on Integration with SiteMinder
How-To: Set up SUP with SiteMinder
Note that comments are not easily searchable in SCN. If you have a question that is not specific to the above content it would be best to create a new discussion on SCN.
To include a reference to this document, Right Click on the title and select 'Copy Shortcut'. Paste it into the new Discussion so people will know the relevance. If you want to bring it to the attention of the author, repeat the same process with the Author's name.
- SAP Managed Tags:
25 Comments
