Friday, August 22, 2014
Configuring SSL between Worklight adapters and back-end servers which are protected by self-signed certificates
SSL is commonly used to secure the communication between endpoints, and in a Worklight environment there are a few hiccups you may need to work out. This post provides some basic steps in the hope that they help you out.
Here is what you might be seeing (oops, sorry):
Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
FWLSE0101E: Caused by: [project bond]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticatedjava.lang.RuntimeException: Http request failed: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.worklight.adapters.http.HTTPConnectionManager.execute(HTTPConnectionManager.java:241)
at com.worklight.adapters.http.HttpClientContext.doExecute(HttpClientContext.java:185)
at com.worklight.adapters.http.HttpClientContext.execute(HttpClientContext.java:169)
at com.worklight.adapters.http.HTTP.execRequest(HTTP.java:146)
at com.worklight.adapters.http.HTTP.invoke(HTTP.java:135)
at com.worklight.integration.model.ProcedureInvoker.invokeProcedure(ProcedureInvoker.java:57)
Assumptions
- You have the openssl tool installed on your machine
- You have keytool installed together with Java on your machine
- This tutorial aims to help developers set up their local development environment, specifically on Mac OS X with the WAS Liberty profile.
Way to go
1. Retrieve the public certificate from the server to which your adapters are connecting.
There are several ways to do this, but since you have openssl installed, simply use it:
- Connect to the_remote_server:port using openssl from your console:
$ openssl s_client -connect the_remote_server:port
- The command prints the handshake details, including the server certificate, to your console. Capture the certificate block:
- Create a text file (name it server_cert.cer) and copy the certificate displayed in the previous step into it, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- You now have the cert file at path_to_your_cert_file/server_cert.cer
2. Add the cert into your Worklight Server’s JRE keystore.
- First, locate the keystore file. In Worklight Studio, go to the Preferences settings:
Then go to Server >> Runtime Environments >> Select the server >> Edit
- In this case, the_path_to_keystore will be:
/Library/Java/JavaVirtualMachines/jdk1.7.0_17.jdk/Contents/Home/jre/lib/security/cacerts
- Use keytool to import server_cert.cer into the keystore:
$ keytool -import -trustcacerts -alias "an_alias" -keystore the_path_to_keystore -file path_to_your_cert_file/server_cert.cer
- Enter the keystore password (the default is “changeit”) and type “yes” if asked whether to trust the certificate.
- Check that the cert was actually added:
$ keytool -list -keystore the_path_to_keystore
3. Add a non-self-signed cert to the Worklight Server’s keystore
With an SSL cert that is not self-signed, you still need to add it to the keystore used by your Worklight Server. Assuming you have already retrieved the cert with the method described in section 1, here are the remaining steps:
- Go to the Worklight Server’s configuration to locate the keystore:
- The keystore location is shown in the Location text field (worklight_keystore_path)
- Use keytool to import the cert into the keystore:
$ keytool -import -alias an_alias -file path_to_your_cert_file/server_cert.cer -keystore worklight_keystore_path
- Restart your Worklight Server
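The steps above, gathered into one script as an added example (this is not code from the original post): it fetches the certificate with openssl s_client, prints its SHA-256 fingerprint so you can confirm it with the server's owner before importing (otherwise whatever answered on that port at that moment becomes trusted by your JRE), imports it with keytool and checks that the alias is present. The function names, the constructed SAMPLE_OUTPUT and the KEYSTORE_PASS variable are assumptions of this example; openssl and keytool being on PATH, and the placeholders the_remote_server:port, an_alias and the_path_to_keystore, are the post's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's manual steps
# (openssl s_client to fetch the cert, keytool -import, keytool -list) as one
# script, plus the SHA-256 fingerprint of the fetched cert so you can check it
# against what the server owner gives you before trusting it.
# Assumes openssl and keytool are on PATH, as the post's assumptions state.
# Placeholders the_remote_server:port, an_alias and the_path_to_keystore are
# the post's own; the keystore password defaults to the JRE default "changeit".

# Keep only the first PEM certificate block from s_client output on stdin;
# handshake chatter before it and subject/issuer lines after it are dropped.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p;/-----END CERTIFICATE-----/q'
}

# Fetch the certificate presented by host:port ($1). </dev/null makes
# s_client exit after the handshake instead of waiting for input.
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | extract_pem
}

# SHA-256 fingerprint of the PEM file $1, for out-of-band comparison.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import PEM file $1 under alias $2 into keystore $3 (non-interactive
# equivalent of the post's keytool -import step).
import_cert() {
    keytool -import -trustcacerts -noprompt -alias "$2" -keystore "$3" \
        -storepass "${KEYSTORE_PASS:-changeit}" -file "$1"
}

# True if alias $1 exists in keystore $2 (the post's keytool -list check;
# keytool exits non-zero when the alias is absent).
cert_is_present() {
    keytool -list -alias "$1" -keystore "$2" \
        -storepass "${KEYSTORE_PASS:-changeit}" >/dev/null 2>&1
}

# Constructed s_client-style output for a stand-alone check of extract_pem;
# the base64 body is a placeholder, not a real certificate.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = the_remote_server
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=the_remote_server
   i:/CN=the_remote_server
-----BEGIN CERTIFICATE-----
PLACEHOLDER/BASE64/LINE/ONE+NOT+A+REAL+CERTIFICATE
PLACEHOLDER/BASE64/LINE/TWO=
-----END CERTIFICATE-----
subject=/CN=the_remote_server
issuer=/CN=the_remote_server
---'

# Number of lines extract_pem keeps from the text in $1 (4 for SAMPLE_OUTPUT:
# BEGIN line, two body lines, END line).
pem_line_count() {
    printf '%s\n' "$1" | extract_pem | wc -l | tr -d ' '
}

main() {
    server="$1"; cert_alias="$2"; keystore="$3"
    certfile="$(mktemp)"
    fetch_cert "$server" > "$certfile"
    if ! grep -q 'BEGIN CERTIFICATE' "$certfile"; then
        echo "no certificate received from $server" >&2
        rm -f "$certfile"; exit 1
    fi
    echo "Verify this fingerprint with the server owner before trusting it:"
    fingerprint "$certfile"
    import_cert "$certfile" "$cert_alias" "$keystore"
    if cert_is_present "$cert_alias" "$keystore"; then
        echo "alias $cert_alias is now in $keystore"
    fi
    rm -f "$certfile"
}

# Usage: sh import_server_cert.sh the_remote_server:port an_alias the_path_to_keystore
# With no arguments the file only defines the functions above.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Because -noprompt skips the "Trust this certificate?" question the post mentions, compare the printed fingerprint with the server owner first. extract_pem keeps only the first certificate block, which is all that plain s_client (without -showcerts) prints; for the non-self-signed case in section 3 you import the same way, just into worklight_keystore_path instead of the JRE cacerts file.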
Friday, August 15, 2014
Three key focus areas for a bank to get started on mobile journey
Mobile has been significantly changing the way banks service their customers. It’s forcing banks to innovate, transform and try new ways of reaching, engaging and communicating with customers. At the same time it is moving the banking industry away from specific places, products and processes to capabilities that are available when and where customers need them. If your bank was to get started on a mobile journey today, below are three key focus areas that you should consider.
Mobile banking
Mobile banking enablement recently became an important deciding factor for a customer choosing a bank—just as important as fees, branch location or services.
This is the first transformation action you should take for your bank in order to monetize opportunities brought in by mobile. It starts with offering basic banking functions such as:
- account balance
- funds transfer
- bill payments
- share trade
- check order
- transaction notification alerts on mobile devices
Mobile payment
Gartner predicts an explosion in the mobile payments market worldwide, which is expected to reach 448 million users and $617 billion in transaction value by 2016. This trend could potentially introduce a major source of revenue that banks cannot ignore.
In developed markets, where mobile access to financial services is more prevalent and comfortable, mobile payments represent a chance to create feature-rich products that enhance consumers’ banking experience and consequently create better consumer sentiment toward the use of mobile in financial transactions.
Even in developing countries, where a significant number of people do not have any bank account, mobile can still fill the gap and bring banking to a new customer base: the unbanked. This represents an opportunity to create profitable services for unbanked populations through partnerships between banks and payment or telecommunication companies.
As predicted by the Aite Group, the top mobile payment markets in 2015 by volume will be bill payments, bankcard acceptance, mobile commerce, NFC payments and person-to-person transfers. More information about mobile payment patterns currently available in the market worldwide can be found here.
In all cases, in order to catch the explosion of mobile payments, banks will need to act quickly with a complete mobile strategy that not only covers their infrastructure adaptation as the inevitable transaction volume increases and puts growing pressure on their traditional systems, but also innovates their processes to serve this new, always-on revenue stream.
Mobile marketing
Timing is critical to creating delightful engagement experiences for banking customers. It’s about reaching them in the right place, at the right time, with the right kind of service or message. With its natural always-on characteristic and its many other features, mobile could provide a new opportunity to engage, cross-sell, up-sell and promote other banking products or services, such as analytics-powered, event-driven and location-based services—just to name a few. As an example, an air ticket purchase might present a chance to cross-sell travel insurance; or a person stepping into a mall could trigger a message about the bank’s retail promotion program for purchases in that mall.
People nowadays are embracing mobile in their day-to-day lives and are more likely to forget their wallet at home than their mobile phone. Every mobile device a consumer has can potentially be a commerce device. Your bank needs to transform to catch these trends, be well prepared and focus on the key areas that can effectively drive benefits for your business.
*This post was originally published on IBM Mobile Business Insights
Mobile enterprise: Overcoming the security challenges
Even though the use of mobile in business is becoming more prevalent, there are still big concerns about it from a security standpoint. Security concerns significantly influence how confident people are about applying mobile technology within their organizations. According to the survey results discussed in a recent press release (download available here) from the US Federal Reserve System, 25 percent of mobile phone users believe their personal information is “somewhat unsafe” when using mobile banking and 18 percent believe that it is “very unsafe.” The natural portability of mobile technology and other characteristics specific to the mobile environment demand that your organization’s approach to addressing these security issues is sufficient to gain the users’ confidence and to actually win competitive advantages by using the technology. Below are three key focus areas you should consider when implementing security for your mobile enterprise.
1. How to secure the device and corporate data
You need a complete solution that will protect corporate-owned devices as well as the bring-your-own-device (BYOD) types of devices that people use with the expectation of accessing enterprise resources. Management of these devices should include enrolling and provisioning the device when it comes into your enterprise environment. Given how easy it is for a device to be misplaced or stolen, data loss prevention is of the utmost importance. Hence, being able to remotely lock, locate and even wipe corporate applications, documents and settings without touching personal information is a fundamental requirement for the solution you choose. You need to ensure that you can enforce your enterprise policy on these devices—passcode, jail-breaking and rooting detection, encryption and so on—and that you have the ability to fingerprint each device. This means that not only should you be able to look at the media access control (MAC) address or name of the device, but you should be able to deeply inspect it to determine if you can trust the device and its user.
Also, the natural portability of the mobile environment is challenging your organization to have sufficient control over the data that is being stored on or shared across devices. Sensitive corporate information can be leaked from these devices during sharing activities. The technology you choose should allow users the freedom to share, cut and paste information between their mobile enterprise applications, but should also be able to keep this information separate from any of the users’ personal applications.
2. How to secure the application
One well-known approach for securing applications is containerization. Essentially, this means putting a security perimeter into your application itself to enforce enterprise security policy and to prevent data from leaking out of the application. In order to do this, it’s critical to consider both a software development kit (SDK) and an app-wrapping approach to support both the apps you develop and the apps you buy.
The first thing you need is a comprehensive mobile application development lifecycle approach as well as a comprehensive integrated development environment (IDE) where you can include these security considerations by design. You need to detect the security vulnerabilities in every corner of your application while it is being developed, not after. Besides applying best practices and writing secure source code, you can use static scanning tools (for example, IBM Security AppScan) to automate the security assurance. A comprehensive IDE like IBM Worklight Studio can help your development team to implement a security strategy on all of your mobile applications for a wide range of supported mobile platforms. An IDE can also extensively enforce this strategy vertically on each platform by making use of platform-specific, security-related features.
The next thing you should do is put the instrumentation into the apps that is necessary to wrap the apps into a container and then harden the app. Lack of binary protection is the newest item in the top 10 mobile security risks introduced by the Open Web Application Security Project (OWASP) in 2014. Given that, it’s important that you make it difficult for an attacker to go in and identify a weakness in your application, inject malware, recompile and redistribute the app.
3. How to secure the transaction
This focus area is about securing the transactional workloads that occur on the mobile devices between clients, business partners, contractors and so on within your organization. You may want to make sure that you have both access control as well as transaction integrity for all interactions (even for ones that involve users that are not part of the security framework being used by your employees).
In order to secure the transaction, your organization should use a robust mobile access management system and have a strong fraud-prevention and detection approach at all points of impact. Your fraud-prevention approach should include cross-channel fraud detection, IP velocity, mobile malware detection and real-time detection services.
These are some of the key security focuses in mobile enterprise, but there are probably others. What do you see as possible security challenges in mobile enterprise? Leave your comments here or follow me on Twitter @duyhat to discuss further how to effectively overcome security challenges in your mobile enterprise.
*This post was originally published on IBM Mobile Business Insights