Show TOC

Using the X.509 Certificate Provider Interface to Integrate with Third-Party Certificate ProvidersLocate this document in the navigation structure

Use the X.509 certificate provider interface to integrate third-party certificate provider solutions into native and hybrid applications.

The CertificateProvider interface defines a provider class to wrap X.509 certificate generation, signing, and storage, and integrates with Logon for Hybrid SDK (Kapsel), SAP Fiori Client, and native SDKs. All logic related to generating public/private keys, and presenting the UI to get user input (for example, username/password and common name) for obtaining the certificate is encapsulated in the CertificateProvider. The certificate provider interface has been updated in the Hybrid (Kapsel) SDK 3.0 SP08; make sure to use the new interface when creating the third party X509 certificate provider.

Determining whether an Application is Implemented as an SSO Application

Check with your mobile device management (MDM) provider to see if the application has an SSO application. In that case, you could have an SSO application from your MDM application which provisions a certificate from a shared certificate, and SAP Fiori Client or the Hybrid SDK (Kapsel) could retrieve the certificate. In this situation, you do not need to create a custom provider. If you lack an SSO application, you could create a custom provider as described in these sections.

Using the CertificateProvider Interface with Kapsel Applications

For Kapsel SDK applications, you can implement and integrate a customized CertificateProvider into a Hybrid SDK (Kapsel) application to get the signed certificate (X509KeyManager for Android, or SecIdentityRef for iOS) for mutual authentication or application registration. When the application starts, you should set the logonContext and appDelegate objects and use them as parameters in the call to the sap.logon.startLogonInit method. The sap.logon.startLogonInit method first sends a request to the certificate provider to retrieve a client certificate if the certificate is not yet retrieved previously. Once the certificate is available on the device, the method calls logon.init to start the registration.

Note that the Logon plugin has built-in support for the Afaria certificate provider. Two certificate provider IDs can be used for the Afaria certificate: "com.sap.afaria" is for the new Afaria certificate provider, and "afaria" is used for the old logon core Afaria certificate support (which is not implemented as a certificate provider).

For the iOS client, in order to use the "com.sap.afaria" or "afaria" as a certificate provider in the Kapsel project, besides setting the certificate provider ID in the startLogonInit's logonContext parameter, you also need to create a unique URL identifier and URL Scheme in the project settings in order to receive the openURL requests from the Afaria client. However, there is no need to update the plist file to specify the certificate provider ID to class mapping as required for third party certificate providers, or to add any extra libraries into the project.