Implementing Secure Direct Update

improve this page | report issue


For secure Direct Update to work, a user-defined keystore file must be deployed in MobileFirst Server and a copy of the matching public key must be included in the deployed client application.

This topic describes how to bind a public key to new client applications and existing client applications that were upgraded. For more information on configuring the keystore in MobileFirst Server, see Configuring the MobileFirst Server keystore.

The server provides a built-in keystore that can be used for testing secure Direct Update for development phases.

Note: After you bind the public key to the client application and rebuild it, you do not need to upload it again to the MobileFirst Server. However, if you previously published the application to the market, without the public key, you must republish it.

For development purposes, the following default, dummy public key is provided with MobileFirst Server:

-----END PUBLIC KEY-----

Important: Do not use the public key for production purposes.

Generating and deploying the keystore

There are many tools available for generating certificates and extracting public keys from a keystore. The following example demonstrates the procedures with the JDK keytool utility and openSSL.

  1. Extract the public key from the keystore file that is deployed in the MobileFirst Server.
    Note: The public key must be Base64 encoded.

    For example, assume that the alias name is mfp-server and the keystore file is keystore.jks.
    To generate a certificate, issue the following command:

    keytool -export -alias mfp-server -file certfile.cert
    -keystore keystore.jks -storepass keypassword

    A certificate file is generated.
    Issue the following command to extract the public key:

    openssl x509 -inform der -in certfile.cert -pubkey -noout

    Note: Keytool alone cannot extract public keys in Base64 format.

  2. Perform one of the following procedures:
    • Copy the resulting text, without the BEGIN PUBLIC KEY and END PUBLIC KEY markers into the mfpclient property file of the application, immediately after wlSecureDirectUpdatePublicKey.
    • From the command prompt, issue the following command: mfpdev app config direct_update_authenticity_public_key <public_key>

    For <public_key>, paste the text that results from Step 1, without the BEGIN PUBLIC KEY and END PUBLIC KEY markers.

  3. Run the cordova build command to save the public key in the application.
Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
Last modified on January 20, 2017