Advanced PKI authentication: Authenticating with ArcGIS for Server using client certificates
In this topic
Your iOS application can use a digital certificate to access resources on ArcGIS for Server that are secured using Public Key Infrastructure (PKI). In such a scenario, each user who is authorized to access the secured resources is provided a digital certificate (also known as a client certificate) that can be used to confirm his or her identity when connecting to the server. This certificate file is in pkcs#12 format and usually has a .p12 or .pfx extension.
To install the certificate on a user’s iOS device so that your app can use it, you must make the certificate available on the user’s device and programmatically import the certificate into the keychain access group of your app.
Add PKI support while building the app
The Em4Mstr framework provides an API to import the digital certificate into the app. To programmatically import the certificate into the keychain access group of your app, you must make changes in Xcode.
- Choose the project file in Xcode Project Navigator.
- In the window on the right, choose the MicroStrategyMobileIPad target.
- Right-click Info_IPad.plist.
- Click Open As and click Source Code.
- In the window on the right, scroll down to the end of the file.
- Add the following XML code (from the first <key> tag to the last </array> tag) just before the final closing </dict> tag at the bottom of the file. The end of the file should appear as follows.
Note:
These changes will register your app to handle a custom .px12 file extension. If you used a different custom file extension, replace px12 with your file extension in the XML code. As explained in Make the certificate available on the user’s device, you cannot use a .p12 or .pfx extension.
<key>CFBundleDocumentTypes</key> <array> <dict> <key>CFBundleTypeIconFiles</key> <array/> <key>CFBundleTypeName</key> <string>Certificate file</string> <key>CFBundleTypeRole</key> <string>Editor</string> <key>LSHandlerRank</key> <string>Owner</string> <key>LSItemContentTypes</key> <array> <string>com.esri.px12</string> </array> </dict> </array> <key>UTExportedTypeDeclarations</key> <array> <dict> <key>UTTypeConformsTo</key> <array> <string>public.data</string> </array> <key>UTTypeIdentifier</key> <string>com.esri.px12</string> <key>UTTypeTagSpecification</key> <dict> <key>public.filename-extension</key> <array> <string>px12</string> </array> </dict> </dict> </array> - Choose the correct Identity Inspector Custom Class as follows:
- In Xcode Project Navigator, click MainWindow-iPad.xib.
- In the window on the right, under Objects, click MSTRMobile App Delegate.
- In the Utilities window, click the Identity Inspector tab titled Custom Class and enter Em4MstrAppDelegate for the class field.
Note:
- Ensure the Identity Inspector view is open. Choose View > Utilities > Show Identity Inspector from the Xcode menu.
- If you have your own AppDelegate class that inherits from MSIAppDelegateImpl, change your AppDelegate class to inherit from Em4MstrAppDelegate. The Em4MstrAppDelegate class is declared in the <Em4Mstr/Em4MstrAppDelegate.h> header file and inherits from the MSIAppDelegateImpl class.
- Continue building and deploying your app. See Compile the mobile app.
Make the certificate available on the user’s device
The first step in installing the certificate is to make it available on the user’s device. Before sending the certificate to the user by email attachment, you must change its file extension from .p12 or .pfx. If this is not done, the iOS system will attempt to import the certificate into the default keychain when the user tries to open the attachment. As custom iOS apps do not have access to the default keychain, applying a custom file extension to the certificate is required.
- Ensure that email is configured on the user’s device.
- Rename the certificate file to use a custom file extension—for example, .px12.
- Send the renamed certificate by email attachment to the user.
- Instruct the user to select the client certificate file attached to the email and select your custom app icon. This will launch the app and pass the certificate file to the app.
The app now uses this PKI certificate to authenticate with your PKI Portal Server.