Kony App Management Two Way SSL Authentication Support for Enterprise Applications

Ajay Bhat - Dec 16, 2016 - EMM

In this post, Suhas Bhat & Bipin Jethwani discuss the 2-way feature SSL authentication feature enabled by Kony App Management in release 4.2.

Kony App Management 4.2 introduces support for attaching SSL Client Certificate in HTTPS transactions used in Enterprise Applications. This enables two-way SSL authentication. It is supported for iOS and Android devices.

The purpose of using a two way SSL Client authentication is mutual authentication between the Client (Enterprise application installed on an Android or an iOS device) and the Server (could be an Enterprise Server designed to communicate with the Enterprise application). Mutual authentication means that Client authenticates the Server by obtaining the SSL Certificate of the Server and the Server authenticates the client by obtaining the SSL Certificate of the Client. The Server and Client both mutually validate the identity of each other via the Certificates they exchange. This way it is ensured that neither the Client nor the Server are spurious. This double authentication strengthens communication security. Enterprise Server which mandates the Client to produce an SSL Certificate does not entertain requests without a Client SSL Certificate. This usually ends up as an SSL Handshake exception occurring at the Client end.

SSL Client Certificates which include a Client Certificate (signed by a standard Certificate Authority) along with a private key are usually bundled in a file with extension “.p12”. A P12 file may also include the Certificate chain i.e., all the certificates involved in signing the Client certificate. Kony App Management Currently allows uploading of only P12 files. Other file formats are not supported.

It is understood that the Enterprise Application developer does not explicitly use any P12 certificate while doing HTTPS calls. However, there might exist a scenario where an Enterprise application might be programmed to interact with Web Services hosted behind a Secure Boundary which may be configured to demand an SSL Client certificate for it to validate the request and pass it to the actual Service. Secure boundary can be a Load balancer which is usually the first point to receive a request and validate.

Kony App Management Provides a way to upload the P12 certificate in the Management Console. After logging into the Kony App Management console, on the left side there is “Application Settings” panel. Clicking on it would open a page with many tabs. In that, there is a “Certificates” tab on the top selecting which would open the Certificates upload page. One of the sections provides a way to upload a Client P12 certificate along with its pass phrase. The Section looks as follows:

Once a certificate is uploaded, Kony App Management will start “wrapping” the Enterprise Store application (a.k.a Launchpad) which is a container application of all the Enterprise applications. The “Wrapping” process is meant to enable the Launchpad to share the certificate with Enterprise applications which use default HTTP Clients (in iOS and Android) to make programmatic HTTPS calls.

The Enterprise Apps which are “Wrapped and Signed” by Kony App Management Wrapping process are enabled to obtain the P12 certificate from the Launchpad and use it in their HTTPS calls. Enterprise apps which are just signed will not be able to read the certificate from the Launchpad.

Architecture Diagram

The diagram below shows the architecture an data flow for 2-way SSL certificate used in Enterprise Apps

Two-way SSL architecture diagram