SAP Fiori Client Guide

Certificate Provider Configuration for Fiori Client Applications

This section describes updates and improvements for configuring the certificate provider in Fiori Client applications implemented by the FederationProvider Plugin version 3.0 SP13.

The following scenarios are all backward compatible; that is, either the flat (pre-3.0 SP13) or the JSON (3.0 SP13) format is supported. Migration between the old and current implementations works properly only for the appConfig.js configuration. In the other cases, applications continue to work as before; that is, they are unable to refresh the certificate if the provider needs custom parameters.

You can configure the certificate provider through any of the following methods.

The Fiori Client’s appConfig.js File

The format of the certificate provider configuration in previous versions (prior to 3.0 SP13) is a flat structure:
"certificate": "com.sap.federationprovider",
"federated_certificate": "X509FileCertificateProvider",
"com.sap.fileprovider.filename": "<name_of_PKCS12_FILE>",
"com.sap.fileprovider.password": "<password_of_PKCS12_FILE>",
The ‘certificate’ key contains the name of the provider, while the other keys are custom and provider-specific. With this format, not all keys can be restored after the application restarts: all the values are persisted, but only the value of the ‘certificate’ key is restored. This prevents proper setup of the provider, since it is unable to refresh the certificate if it becomes invalid. Beginning with 3.0 SP13, the configuration is transformed to a structure where all settings are moved to a JSON object associated with the ‘certificate’ key, which resolves this issue:
"certificate": {
   "id": "com.sap.federationprovider",
   "config": {
      "federated_certificate": "X509FileCertificateProvider",
      "com.sap.fileprovider.filename": "<name_of_PKCS12_FILE>",
      "com.sap.fileprovider.password": "<password_of_PKCS12_FILE>"
   }
}

The keys ‘id’ and ‘config’ are fixed, but the others are provider-specific. The advantage of this format is that it is restored without information loss after the application restarts. Furthermore, configuration migration is resolved for applications having the above formats.

Mobile Device Management (MDM)

Prior to 3.0 SP13, MDM was unable to push down complex provider settings that were contained in a flat structure, and the client was unable to parse custom keys (Android). The client could use only the ‘certificate’ key from the flat configuration. The new implementation allows the ‘certificate’ key to be given the value of a JSON object, so the client can receive all the provider-specific keys.

Manually Through the Entered URL

Prior to 3.0 SP13, the implementation was able to convey only the provider name as the value associated with the ‘certificate’ key. The new implementation can deliver a complex configuration in a JSON object. The value of the ‘certificate’ key should be base64 encoded so that this data can be added to the URL.

For instance, this is the traditional method of configuring the Afaria Certificate Provider through the Fiori URL:
https://<hcpms_server_host>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?fioriURLIsSMP=true&appID=com.sap.fiori.client&certificate=com.sap.afaria
This is the enhanced version:
https://hcpms-certest.sap.de/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?fioriURLIsSMP=true&appID=com.sap.fiori.client&certificate=eyJjZXJ0aWZpY2F0ZSI6eyJpZCI6ICJjb20uc2FwLmZlZGVyYXRpb25wcm92aWRlciIsImNvbmZpZyI6eyJmZWRlcmF0ZWRfY2VydGlmaWNhdGUiOiJYNTA5RmlsZUNlcnRpZmljYXRlUHJvdmlkZXIiLCJjb20uc2FwLmZpbGVwcm92aWRlci5maWxlbmFtZSI6ICJNQUZURVNULnAxMiIsImNvbS5zYXAuZmlsZXByb3ZpZGVyLnBhc3N3b3JkIjogIk1vYmlsZTEyMyJ9fX0=
Where the base64 encoded string contains:
{
   "certificate": {
      "id": "com.sap.federationprovider",
      "config": {
         "federated_certificate": "X509FileCertificateProvider",
         "com.sap.fileprovider.filename": "<name_of_PKCS12_FILE>",
         "com.sap.fileprovider.password": "<password_of_PKCS12_FILE>"
      }
   }
}
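
The following Node.js code is an added example, not part of this guide or of the plugin's code: it builds the base64 ‘certificate’ URL parameter described above and reads it back, accepting the legacy plain provider name as well. Base64 is an encoding, not encryption, so a PKCS#12 password carried this way is readable by anyone who can see the URL; the reader reports which keys look like secrets. The function names and sample values are constructed, and matching on "password" in the key name is a heuristic assumption.

```javascript
// Added example for Node.js; names and sample values are constructed.
const SAMPLE = {
  certificate: {
    id: "com.sap.federationprovider",
    config: {
      federated_certificate: "X509FileCertificateProvider",
      "com.sap.fileprovider.filename": "example.p12",       // constructed
      "com.sap.fileprovider.password": "constructed-secret" // constructed
    }
  }
};

// Build a Fiori URL carrying the JSON configuration in the 'certificate' parameter.
function buildFioriUrl(base, config) {
  const b64 = Buffer.from(JSON.stringify(config), "utf8").toString("base64");
  const url = new URL(base);
  url.searchParams.set("certificate", b64); // percent-encodes '+', '/' and '='
  return url.toString();
}

// Read the 'certificate' parameter. Accepts the legacy provider name and the
// base64 JSON object; returns null when the parameter is absent.
function readCertificateParam(fioriUrl) {
  const raw = new URL(fioriUrl).searchParams.get("certificate");
  if (raw === null) return null;
  const legacy = { format: "flat", id: raw, config: {}, secretKeys: [] };
  let cert;
  try {
    // A raw '+' in a query string is decoded as a space, so restore it first.
    const json = Buffer.from(raw.replace(/ /g, "+"), "base64").toString("utf8");
    cert = JSON.parse(json).certificate;
  } catch (e) {
    return legacy; // not base64 JSON: treat the value as a plain provider name
  }
  if (!cert || typeof cert.id !== "string") return legacy;
  const config = cert.config || {};
  // Heuristic (assumption): a key whose name contains "password" holds a secret.
  const secretKeys = Object.keys(config).filter((k) => /password/i.test(k));
  return { format: "json", id: cert.id, config, secretKeys };
}
```

A non-empty `secretKeys` result means the URL itself must be handled as a credential wherever it is stored, logged or shared.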

Configuration App Discovery (Mobile Secure)

Mobile Secure Configuration App Discovery provides JSON objects as a configuration. Such a JSON configuration can be set up to provide the content required for the Fiori Client to operate with the selected certificate providers.