As a mobile application developer, you are probably familiar with handling several authentication methods – basic, digest, Kerberos, client certificate, server trust etc. – which are requested by servers for user authentication. Among the above authentication schemes, one of the appealing methods for users and IT admins is the certificate-based authentication(CBA) as this CBA method includes strong authentication scheme:
- Eliminates the need to enter a username and password for users,
- Makes it easy for administrators to issue, renew and revoke certificates,
- Provides two-way authentication of server and client.
For these advantages, enterprise servers and network resources are often configured for CBA with Active Directory as enterprise access control model. Client apps and users are expected to provide appropriate certificates to access enterprise resources.
There is quite a bit of configuration process for the CBA to work between client apps and servers. Client apps are expected to store all required certificates. In addition, SSL/TLS is used to authenticate a server and provide an encrypted HTTP session.
When requesting a client certificate, the server provides the client with a list of Certificate Authority(CA)s that the server trusts. If the client app possesses a certificate issued by a CA from the server’s certificate trust list, it sends a copy of that certificate to the server for verification. If the certificate is valid, the server authenticates the user that maps to the provided certificate.
It’s cumbersome for individual client apps to configure and manage all certificates required.
As you might have guessed it, there is a better solution.
The BlackBerry Dynamics SDK not only supports the CBA but also extends to the sharing of a single client certificate among all BlackBerry Dynamics-based apps for an end-user. That is, if authentication via client certificates is enabled in Good Control and one or more client certificates have been uploaded to Good Control, those certificates are used for user authentication by all BlackBerry Dynamics apps on the user’s device. This certificate sharing simplifies the set up by the end user, who does not need to manage certificates for each individual application. During application activation process, end users might notice additional interaction among applications as apps being activated must retrieve a certificate from an application that already has it.
How to configure Good Control Server for CBA
Below are the steps required for the CBA to work.
- Enable the security policy for the client certificate storage and allow use of client certificates.
- Upload at least one PKCS12 certificate for a user to Good Control. Users can also do this if a Good Control self-service portal is available.
- Set a list of apps that are allowed to use certificates.
- If needed, set trusted authorities under the Trusted Authorities Tab in the Certificates Menu.
How to handle CBA in BlackBerry Dynamics apps
As for the BlackBerry Dynamics client apps, no programming is required. See the Objective-C code snippet below as an example.
When requesting to access a CBA configured server, it will execute the case
“ NSURLAuthenticationMethodClientCertificate”. - (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler [authMethod isEqualToString:NSURLAuthenticationMethodHTTPDigest]
When you run your BlackBerry Dynamics app, a user’s certification is imported as below. The user can enter a password for the p12 file if needed.
Screenshot 1: Importing Client Certificate
Screenshot 2: Loading a test page requesting CBA
For details, see the topic “Certificate Management Policies” in the Good Control Help (On-premise).
Hope this helps. That’s all for now.
For more developer resources or to get started on any of our platforms, please visit the BlackBerry Developer Community website.