Device provisioning concepts
Device provisioning is one of the most advanced and complex security features that IBM MobileFirst Platform Foundation provides.
Device provisioning is the process of attaching a certificate to the device identity.
Device identity (or in short – device ID) is similar to user identity, but is used to uniquely identify a specific device.
Device identity is essential for various features, such as:
- Push notifications – You want to know which device you are sending the notification to.
- Reports – You want to know how many devices are using your server.
Knowing the device identity opens a wide array of security integration possibilities. For example, you can decide which devices are allowed to communicate with the MobileFirst Server.
In this tutorial, you learn what device provisioning is, what types of device provisioning are supported by IBM MobileFirst Platform Foundation and what artifacts are involved in the process of device provisioning.
IBM MobileFirst Platform Foundation supports three types of device provisioning:
- No provisioning
- Auto provisioning
- Custom provisioning
This training module focuses on the first two types.
For more information about custom provisioning, see Custom device provisioning.
The device ID is automatically generated by the client-side framework when requested by the MobileFirst Server.
The device ID is used to uniquely identify a specific device with the server.
Similar to the way a user ID is used for user authentication, the device ID is used for device authentication.
Device provisioning is based on the device ID and is supported on the Android and iOS platforms.
Understanding device provisioning
Device provisioning is a process where a certificate is issued by the MobileFirst Server for a specific device.
The issued certificate contains device information that is obtained during the provisioning process.
Before a certificate is issued to a specific device, the server can perform extra validations on the received device credentials.
It is possible to configure your own CA keystore for the generation of the device provisioning certificate.
No provisioning is appropriate for development environments.
Using No provisioning means that the provisioning process is not triggered (requested) by the MobileFirst Server.
The application obtains the device ID and sends it to the server as-is.
The server does not validate whether this device is allowed to communicate with it.
The certificate is not issued and not requested at any stage.
No provisioning is the default setting for mobile applications.
If you use the default security settings, you do not have to enable No provisioning manually.
If you use a custom security test to protect a resource that requires device identity and you want to use No provisioning, add the realm to your security test. For example:
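The following authentication-config.xml fragment is an added example, not a snippet from the original tutorial: it shows a custom security test that accepts the client-supplied device ID without provisioning, which is the development-only setting the section describes. The realm name wl_deviceNoProvisioningRealm and the isInternalDeviceID attribute come from my recollection of the MobileFirst security-test schema rather than from this page, so verify them against your release; MyUserRealm is a placeholder for whatever user realm protects the resource.

```xml
<!-- authentication-config.xml (added example; realm and attribute names assumed, MyUserRealm is a placeholder) -->
<securityTests>
  <!-- Development only: the server takes the device ID exactly as the client sends it.
       No certificate is requested or issued, and no check is made that the device
       is allowed to talk to this server, so do not ship this test in production. -->
  <customSecurityTest name="DevNoProvisioningTest">
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true"/>
    <test realm="MyUserRealm" isInternalUserID="true"/>
  </customSecurityTest>
</securityTests>
```

The isInternalDeviceID="true" marker is what tells the server which realm supplies the device identity for this test; without a realm flagged that way, features that need a device ID (push, device reports) have nothing to key on.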
Auto provisioning is an automated one-time process during which a certificate is issued by the MobileFirst Server and sent to the client application.
Auto provisioning is triggered by a server when it requests a provisioned device identity.
The application obtains the device ID and starts an automated provisioning process.
The server collects the supplied device information and issues a certificate by using the server-side CA keystore.
The certificate is issued to any device that requests it; therefore, Auto provisioning makes sense only when it is used after a successful application authenticity check.
[Figure: First Application Start (provisioning flow diagram not reproduced)]
Authenticity check is a proprietary MobileFirst technology that makes sure the application is the authentic one and was not modified by anyone.
[Figure: Subsequent Application Starts (diagram not reproduced)]
Enabling auto provisioning
To enable Auto provisioning, add the following realms to your authentication-config.xml file.
By default, the MobileFirst Server uses its internal keystore to issue a certificate.
You can tell the server to use your own keystore by adjusting the worklight.properties file.
Note: The wl.ca.keystore.path property value can be either a path relative to the /server/ folder of the MobileFirst project or an absolute file-system path.
Auto provisioning must be used together with the application authenticity protection.
For more information, see Application Authenticity Protection.
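Because the steps above (declare the realms, optionally point the server at your own CA keystore, and pair provisioning with the authenticity check) describe one procedure, here is one complete authentication-config.xml example for it. This is an added example, not the tutorial's own configuration: the realm, login-module and class names (wl_deviceAutoProvisioningRealm, WLDeviceAutoProvisioningLoginModule, com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator and DeviceAutoProvisioningLoginModule) and the mobileSecurityTest elements are recalled from the product documentation rather than taken from this page, so check them against your MobileFirst version; MyUserRealm is a placeholder.

```xml
<!-- authentication-config.xml (added example; names recalled from product docs, MyUserRealm is a placeholder) -->
<securityTests>
  <mobileSecurityTest name="AutoProvisioningTest">
    <!-- Authenticity first: the auto-provisioning realm signs a certificate for
         any device that asks, so only a verified, unmodified app may reach it. -->
    <testAppAuthenticity/>
    <!-- One-time provisioning: the device ID is bound to a server-issued certificate. -->
    <testDeviceId provisioningType="auto"/>
    <testUser realm="MyUserRealm"/>
  </mobileSecurityTest>
</securityTests>

<realms>
  <realm name="wl_deviceAutoProvisioningRealm" loginModule="WLDeviceAutoProvisioningLoginModule">
    <className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
  </realm>
</realms>

<loginModules>
  <loginModule name="WLDeviceAutoProvisioningLoginModule">
    <className>com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule</className>
  </loginModule>
</loginModules>
```

The keystore override lives in worklight.properties, not in this file: wl.ca.keystore.path (named on this page) points at the keystore, and from my recollection the companion keys are wl.ca.keystore.type, wl.ca.keystore.password, wl.ca.key.alias and wl.ca.key.alias.password (assumed; confirm against your release). If you leave them unset, the server signs device certificates with its internal keystore, which every installation shares, so a production deployment should always supply its own CA key with a strong password.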
Custom provisioning is an extension of Auto provisioning.
With Custom provisioning, you can add custom CSR and certificate validation functions to define custom device provisioning rules.
For more information, see Custom device provisioning.