Using Personal Information Exchange files
An organization can deploy corporate services that require two-way SSL/TLS authentication for users. A user is issued a password-protected Personal Information Exchange file (PKCS12 format, .p12 or .pfx) containing an SSL/TLS client certificate and a private key. This file can be provided to
BlackBerry Dynamicsapps to grant access to secure corporate services.
BlackBerry Dynamics SDKsupports the use of Personal Information Exchange files to authenticate
BlackBerry Dynamicsapps and to access secure services. All of the required operations to support client certificates are carried out by the
BlackBerry Dynamics Runtime, with no additional programming required to handle the authentication challenge. For more information on how this is handled, refer to
HttpViewController.swiftin the Dynamics-iOS-Swift sample app. The app can use client certificates if:
- The app uses theBlackBerry DynamicsSecure Communication Networking APIs.
- The device user’sUEMaccount is configured to support certificates.
- The certificates satisfy the certificate requirements.
After a user activates a
BlackBerry Dynamicsapp, the app receives the Personal Information Exchange files. For each file, the user is prompted to provide the issued password so that the files and identification material can be installed. When this process is complete, the app can access the server resources that require two-way SSL/TLS authentication.
If more than one Personal Information Exchange file is required per user, the
BlackBerry Dynamics Runtimeselects the appropriate certificate using the following criteria:
- Only client certificates that are suitable for SSL/TLS client authentication are eligible to send to the server. Certificates must have no Key Usage or Extended Key Usage, or Key Usage that contains “Digital Signature" or "Key Agreement”, or Extended Key Usage that contains "TLS Web Client Authentication”. Key Usages and Extended Key Usages must not contradict allowances for SSL/TLS client authentication.
- If the server advertises the client certificate authority in the SSL/TLS handshake, only client certificates that have been issued by that authority are considered.
- Expired certificates and certificates that are not yet valid cannot be selected.
- If more than one certificate satisfies the above criteria, theBlackBerry Dynamics Runtimeselects the most recently issued certificate.