© 2012 IBM Corporation An IBM Proof of Technology Securing and managing mobile applications using Worklight

IBM Mobile Foundation POT - Part 3 securing and managing mobile applications using Worklight



Agenda

• Securing mobile applications using Worklight
• Managing mobile applications using Worklight
• Distributing mobile applications using IBM Application Center


Worklight Server

• Performs Data Transformation to streamline back-end data for mobile consumption
• Built-in Adapters with support for SOAP, REST, SQL, Cast Iron, as well as a custom Adapter development interface
• Server and device Security control
• Supports Physical Clustering for high availability
• Controls Application Deployment and Versioning
• Push Notification administration
• Analytics including user adoption and usage data


Worklight Console

• Application Version Management
• Push management
• Usage reports
• Configurable audit log
• Administrative dashboards for:
  – Deployed applications
  – Installed adapters
  – Push notifications
• Data export to BI enterprise systems


Securing mobile applications requires a multi-pronged approach

Validate installed applications
• Must ensure the validity of applications connecting to enterprise systems

Validate user devices
• Must ensure that only specific applications on specific devices can connect to enterprise systems

Validate user identity
• Must be able to authenticate mobile application users


Ensuring application authenticity with Worklight

• Application authenticity checks protect against corruption of installed applications
• When enabled, the Worklight Server checks properties of a connecting application against a previously known value of these properties
• Various options are available for authenticity checking:
  – Disabled – the IBM Worklight Server does not test the authenticity of the app (despite the developer settings).
  – Enabled, servicing – the IBM Worklight Server tests the authenticity of the app. If the app fails the test, the IBM Worklight Server outputs an information message to the log but services the app.
  – Enabled, blocking – the IBM Worklight Server tests the authenticity of the app. If the app fails the test, the IBM Worklight Server outputs an information message to the log and blocks the app.
• Authenticity checking is enabled in the application-descriptor.xml


Device provisioning and authentication

• A form of mobile device authentication
  – Takes place prior to application authenticity checking and user authentication.
  – Asserts that the device and application have confirmed identity prior to allowing access to the Worklight server.
  – Can use a 3rd party system to confirm and provide a client certificate
• Three modes of provisioning are supported:
  – No provisioning: In this mode the provisioning process does not happen. This mode is suitable during the development cycle to temporarily disable the provisioning for the application.
  – Auto-provisioning: In this mode the Worklight Server automatically issues a certificate for the device and application data provided by the client application. This option should only be used when Worklight’s application authenticity features are enabled.
  – Custom provisioning: In this mode the Worklight Server is augmented with custom logic that controls the device and application provisioning process. This logic can involve integration with an external system, such as a mobile device manager (MDM), that can issue the client certificate based on out-of-band data obtained from the app, or can instruct the Worklight Server to do so.
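The authenticity options and the provisioning modes above interact, so a deployment review can check them together. The sketch below is an added example, not IBM or Worklight code: AppSettings, handle_connection, audit and the log text are hypothetical names that model the behaviour the slides describe, and the third audit rule (servicing mode in production) is an added review point rather than a statement from the slides.

```python
from dataclasses import dataclass
from enum import Enum

class Authenticity(Enum):            # the three options on the authenticity slide
    DISABLED = "disabled"
    SERVICING = "enabled, servicing"
    BLOCKING = "enabled, blocking"

class Provisioning(Enum):            # the three modes on the provisioning slide
    NONE = "no provisioning"
    AUTO = "auto-provisioning"
    CUSTOM = "custom provisioning"

@dataclass
class AppSettings:                   # hypothetical record, not a Worklight type
    name: str
    authenticity: Authenticity
    provisioning: Provisioning
    production: bool

def handle_connection(app, passes_test):
    """Model of the server's reaction: returns (serviced, log_lines)."""
    if app.authenticity is Authenticity.DISABLED or passes_test:
        return True, []              # no test is run, or the test passed
    log = [f"INFO authenticity test failed: {app.name}"]   # constructed message
    # Both enabled modes log the failure; only blocking refuses service.
    return app.authenticity is Authenticity.SERVICING, log

def audit(app):
    """Flag setting combinations that the slides caution against."""
    findings = []
    if (app.provisioning is Provisioning.AUTO
            and app.authenticity is Authenticity.DISABLED):
        findings.append("auto-provisioning without authenticity checking")
    if app.production and app.provisioning is Provisioning.NONE:
        findings.append("provisioning disabled outside development")
    if app.production and app.authenticity is Authenticity.SERVICING:
        findings.append("authenticity failures are logged but still serviced")
    return findings

# Constructed sample settings for two deployments.
PILOT = AppSettings("pilot-app", Authenticity.SERVICING, Provisioning.AUTO, True)
DEV = AppSettings("dev-app", Authenticity.DISABLED, Provisioning.AUTO, False)

if __name__ == "__main__":
    for app in (PILOT, DEV):
        print(app.name, handle_connection(app, passes_test=False), audit(app))
```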


User authentication in Worklight

• Worklight provides an extensible framework for authentication of mobile application users
• The framework consists of Realms, Authenticators, and Login Modules
  – Realms encapsulate the description of how users are authenticated for a particular application
  – Authenticators are responsible for the collection of user credentials
  – Login modules are responsible for the validation of user credentials
• IBM Worklight provides a number of Authenticators and Login Modules that only require configuration from the user
• The user authentication framework is also extensible by the application developer
  – Allows for the implementation of custom credential gathering (e.g. via biometrics) as well as for integration with existing security systems


Integrating with WebSphere Application Server security

• An Authenticator and login module are provided for authentication via LTPA tokens
  – No custom coding required by the user
• Authenticator understands where to look for the LTPA token in the HTTP header
• Login module can validate those credentials with a user registry defined in WebSphere Application Server
• LTPA token can also be propagated to back-end data sources required by the mobile application, thus supporting a Single Sign On approach

[Diagram: session authentication with the IBM Worklight Server. Steps shown: 1. Call Protected Procedure; 2. Request Authentication]


Managing mobile applications with IBM Worklight

• The Worklight Server provides many application management features that are exposed to users via the Worklight Console
• IBM Worklight allows users to deploy multiple versions of a single application concurrently
• IBM Worklight provides the capability to manage the status of a deployed application
  – Active
  – Active, Notifying
  – Disabled
• IBM Worklight provides the capability to directly update a deployed application


Application versioning

• Supports multiple versions on the same platform
• Device-specific versions are uncoupled


Direct application update

1. Web resources packaged with app to ensure initial offline availability

2. Web resources transferred to app's cache storage

3. App checks for updates on startup and foreground events

4. Updated web resources downloaded when necessary

[Diagram labels: Worklight Server, Native Shell, App Store, pre-packaged resources, web resources, cached resources. Numbered arrows: 1 Download, 2 Transfer, 3 Check for updates, 4 Update web resource]


Analyze application usage with out-of-the-box reports

• Worklight utilizes audited information to provide several usage reports for your consumption
  – Daily visits per application
  – Daily hits per application
  – Total visits per application
  – Newly detected devices per application
  – Total unique devices – per server or cluster
• Access reports via Eclipse using the BIRT plugin
• The BIRT reports are fully customizable and extensible
  – Fully documented data model to allow other reporting or BI tools to create additional custom reports


Report extensibility and customization using IBM Cognos


IBM Worklight Application Center

• The Application Center provides a means for developers and testers to publish and share applications with key stakeholders during the delivery cycle
• Application owners upload applications to the Application Center and provide various information about the application
• Stakeholders install the Application Center mobile application to view, install, rate, and provide feedback on applications in the Application Center
• The Application Center is included with IBM Worklight and comes pre-installed on the Worklight Server
  – Users must install the mobile application to their device


Using the Application Center mobile application


Rating and feedback displays in the Application Center


Reference materials

For more information:

• IBM Worklight Training Modules
  – http://www-01.ibm.com/software/mobile-solutions/worklight/library/
• IBM Worklight User Documentation
  – http://www-01.ibm.com/software/mobile-solutions/worklight/library/v50/documentation/