Using a Third-Party Certificate Provider

SAP Mobile Platform SDK includes a Provider API, which enables apps to download certificates from third-party infrastructures.

Prerequisites

Install a Client Hub application on the client device, and enable <SSO pincode>.
Create a new Android project in Android Studio by clicking File New Project . Enter the project's name and click Finish.
Add maflogonui.aar to the libs folder and import it in to the build.gradle file.
Note The version number for maflogonui.aar must be at least 1.203.0.

Procedure

Set <UserCreationPolicy>=certificate in the clienthub.properties file.
See Registering a New Application Using Client Hub in the Client Hub documentation.
Set the CertificateProvider interface for the MAF Logon component. Each certificate provider must implement this interface.
Implement the getCertificate method. During registration, the Logon component invokes the getCertificate method, described in CertificateProvider interface, and sends a callback to retrieve the user certificate. Save the callback reference and logoncomponentactivity context. Then start a new UI to request parameters from the user.
```
@Override
public void getCertificate(CertificateProviderListener callback) {
   this.listener = callback;
   this.ctx = (Activity) LogonUIFacade.getInstance().getActivityContext();
   ctx.startActivity(new Intent(ctx, ProviderActivity.class));
}
```
Implement a custom method to pass parameters from the Activity XML file to the code written for developing certificate provider functionality. For example, you can implement a setParameters method to retrieve the UI parameters and create X509KeyManager interface to send the certificate back to the MAF Logon component.
Note X509KeyManager is a standard Java interface. The X509KeyManager that is returned by the certificate provider must contain only one certificate; so the Logon component cannot select between multiple certificates. The Logon component uses the first certificate found by the alias.
```
public void setParameters(Map<String, String> parameters) {
   …
   // download certificate from your PKI/CA server or load it from the  System Keychain
   getCertificate(ctx, parameters);
   X509KeyManager keyMan = new MyX509KeyManager();
   // calling callback onGetCertificateSuccess
   listener.onGetCertificateSuccess(keyMan);
}
```
Make your test .P12 files available to the provider. Depending on your implementation, these files might be:
- Installed in the System Keychain of your device.
- Placed in a resource folder of your Android project.
- Uploaded to your MDM server and accessed via HTTPS request.
Test your implementation by installing the Root CA certificate into the SAP Mobile Platform server keystore. See Managing Keystore and Truststore Certificates in Administrator.