ibm-mobilefirstworklight-security

IBM Worklight - How to enable App Authenticity in Worklight Console?


I tried to follow the tutorial at this URL. The tutorial is so straightforward, but I just couldn't get the correct outcome.

Below is my authenticationConfig.xml:

<securityTests>
  <customSecurityTest name="custom-mobilesecurityTest">
    <test realm="wl_antiXSRFRealm" step="1"/>
    <test realm="wl_authenticityRealm" step="2"/>
    <test realm="HeaderAuthRealm" isInternalUserID="true" step="3"/>
  </customSecurityTest>
</securityTests>

But the App Authentication that appears in the console is always "Access Disabled"; I can't enable it. Am I missing anything here?



Solution

  • It would be more helpful if you would mention what you've actually done, because configuring authenticationConfig.xml is only 1 step of several.

    Also note that for App Authenticity to really work and not use a dummy implementation, you must use the Consumer edition of IBM Worklight (i.e., be a paying customer and install the correct version of Worklight Studio and Worklight Server).


    I believe that for your problem, you have not done step 2 below.


    Steps to enable App Authenticity:

    1. Configure a security test that has the wl_authenticityRealm realm:

      <customSecurityTest name="customTests">
           <test realm="wl_antiXSRFRealm" step="1"/>
           <test realm="wl_authenticityRealm" step="1"/>
           <test realm="wl_remoteDisableRealm" step="1"/>
           <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
           <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
      </customSecurityTest>
      

      ^ This is mentioned in slide 9

    2. Place this securityTest on the environment(s) in application-descriptor.xml, for example:

      <android version="1.0" securityTest="customTests">
      
    3. For Android, generate the public signing key:

      <android version="1.0" securityTest="customTests">
              <worklightSettings include="true"/>
              <security>
                  <encryptWebResources enabled="false"/>
                  <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
                  <publicSigningKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBdfdsfdsfiQKBgQCPCbaCfAfnAqQ12/S5LLfA4cBz/3INyLRPhFGSVFztdWNzPhrna1xDc8/3V1sUIW2odfdfddfdfffdR2n3dAnNMVydfdfdfv68gmU5qVCN4LxSKKRAj7VVbhBxBIEt5MbY+c0o7NZ2Pgu/moJee8Wgu8veZ1TJntYn+cWCYuI/JSnA9nsskwhSdPHK32edsfsdfdfQIDAQAB</publicSigningKey>
              </security>
          </android>
      

      ^ This is mentioned in slides 10-13

    4. For iOS, place the app bundleId:

      <iphone bundleId="com.worklight.test" version="1.0" securityTest="customTests">

      ^ This is mentioned in slides 10-13

    5. Run As > Run on Worklight Development Server

    Now the App Authenticity dropdown should be enabled for you in Worklight Console.
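
The steps above span two files, so a quick cross-check catches a security test that is defined but never referenced. This Python sketch is an added example, not part of the original answer and not IBM tooling; the sample XML and its root element names are constructed, and only customSecurityTest definitions are handled.

```python
import xml.etree.ElementTree as ET

AUTH_REALM = "wl_authenticityRealm"  # realm name from the steps above

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any

def authenticity_tests(auth_config_xml):
    """Names of customSecurityTest elements that include the authenticity realm."""
    names = set()
    for el in ET.fromstring(auth_config_xml).iter():
        if local(el.tag) == "customSecurityTest":
            if AUTH_REALM in {t.get("realm") for t in el if local(t.tag) == "test"}:
                names.add(el.get("name"))
    return names

def check_descriptor(descriptor_xml, auth_config_xml):
    """Return (environment, problem) pairs for android/iphone elements."""
    ok_tests, problems = authenticity_tests(auth_config_xml), []
    for env in ET.fromstring(descriptor_xml).iter():
        name = local(env.tag)
        if name not in ("android", "iphone"):
            continue
        test = env.get("securityTest")
        if test is None:
            problems.append((name, "no securityTest attribute (step 2)"))
        elif test not in ok_tests:
            problems.append((name, f"'{test}' has no {AUTH_REALM} test (step 1)"))
        if name == "android":
            key = next((e.text for e in env.iter() if local(e.tag) == "publicSigningKey"), None)
            if not (key or "").strip():
                problems.append((name, "publicSigningKey missing or empty (step 3)"))
        elif not env.get("bundleId"):
            problems.append((name, "bundleId missing (step 4)"))
    return problems

# Constructed sample input: the security test from the question, and a descriptor
# whose android element does not reference it. Root element names are placeholders.
AUTH = """<config><securityTests><customSecurityTest name="custom-mobilesecurityTest">
  <test realm="wl_antiXSRFRealm" step="1"/><test realm="wl_authenticityRealm" step="2"/>
</customSecurityTest></securityTests></config>"""
DESC = """<application><android version="1.0"><security/></android>
  <iphone bundleId="com.worklight.test" version="1.0" securityTest="custom-mobilesecurityTest"/>
</application>"""

if __name__ == "__main__":
    for env, problem in check_descriptor(DESC, AUTH):
        print(f"{env}: {problem}")
```

An empty result means every android and iphone element names a security test containing wl_authenticityRealm and carries its signing key or bundleId; it says nothing about the server edition mentioned in the answer.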