IBM Software
WebSphere
Technical White Paper

IBM Worklight V5.0.6
Technology overview

Contents
IBM Worklight—Overview
IBM Worklight—Components
Development tools
Runtime server environment
The IBM Worklight Console
IBM Worklight Device Runtime components
Security and authentication mechanisms

IBM Worklight—Overview

IBM® Worklight® software helps enable organizational leaders to extend their business to mobile devices. This software provides an open, comprehensive and advanced mobile application platform for smartphones and tablets, helping organizations of all sizes to efficiently develop, connect, run and manage mobile and omni-channel applications. Leveraging standards-based technologies and tools, the IBM team has created Worklight software that provides a single integrated platform. This platform includes a comprehensive development environment, mobile-optimized runtime middleware, a private enterprise application store and an integrated management and analytics console—all supported by a variety of security mechanisms.

Develop. The IBM Worklight Studio and the IBM Worklight software development kit (SDK) simplify the development of mobile and omni-channel applications (apps) throughout multiple mobile platforms, including iOS, Android, BlackBerry, Windows 8, Windows Phone and Java ME. The IBM Worklight optimization framework fosters code reuse while delivering rich user experiences that match the styling requirements of each target environment. With such code reuse, IBM Worklight reduces costs of development, reduces time-to-market and provides strong support for your ongoing management efforts.

Connect. The IBM Worklight Server architecture and adapter technology simplifies the integration of mobile apps with back-end enterprise systems and cloud-based services. The IBM Worklight Server is designed
to fit quickly into your organization’s IT infrastructure and is designed to leverage your existing resources. The standalone back-end integration layer can be customized and shared among multiple applications. Furthermore, IBM Worklight Adapters support two types of data-delivery mechanisms: device requests and push notifications.

Run. The IBM Worklight Studio prepares application files for upload to public app stores and to private distribution repositories. Active mobile apps communicate with virtually any enterprise back-end systems and cloud-based services through the IBM Worklight server. This server optimizes data for mobile delivery and consumption, and is supported by a variety of security features that help to protect sensitive user data in transit on device.

Manage. Once the software is deployed, administrators can manage registration and authentication for users and devices; monitor and control the access of different apps to back-end systems; directly update and disable apps based upon predefined rules or custom rules; host and manage a production-ready, cross-platform mobile application store; audit and manage mobile data synchronization to enterprise back-end systems; and control virtually all push services and event sources from one centralized web interface called the IBM Worklight Console. In addition, administrators can access usage information about the installed app base and its users, using built-in and customized reports.
Usage data can be exported and fed into analytics platforms such as the IBM Cognos® platform and the IBM Coremetrics® platform.

IBM Worklight—Components

The IBM Worklight architecture consists of five main components:

● The IBM Worklight Studio—the platform’s Eclipse-based integrated development environment (IDE).
● The IBM Worklight Server—a gateway between apps, back-end systems and cloud services; this gateway handles virtually all mobile specifics including application management and updates, push notifications, user authentication and device authentication, and synchronization of security and data.
● The IBM Worklight Application Center—a cross-platform, enterprise app store that helps organizational leaders to govern the distribution of apps throughout the enterprise.
● The IBM Worklight Console—a web-based administration interface.
● The IBM Worklight Device Runtime Components—mobile device implementations of the server’s functions.

[Figure: IBM Worklight Components (Worklight Studio, Worklight Server, Worklight Application Center, Worklight Console, Device Runtime)]
Runtime server environment

The IBM Worklight Server

● The Java-based IBM Worklight Server is a scalable gateway between apps, external services and the enterprise. The server helps facilitate encrypted communication, back-end connectivity, data manipulation, authentication, analytics, private cross-platform application store and operational management functions that are supported by a variety of security features. Server-side entities that affect the behavior of the IBM Worklight server are represented in the studio’s project tree, including configuration files, authentication integration code and more. From the IBM Worklight Studio, developers can save under a unified project all inter-related client and server code and resources in their source control system. Server configuration artifacts are automatically built by the Worklight Studio into a web archive (WAR) file. This file can then be deployed on a standalone server for collaboration or test purposes.
● The IBM Worklight Server can be deployed to a wide range of hardware and operating system environments. Organizational teams that deploy the server to an IBM PureApplication™ System on Intel or Power can apply patterns of expertise. Use the IBM Mobile Application pattern for PureApplication System to configure and manage a scalable and cloud-ready mobile server infrastructure.

The IBM Worklight Server can:

● Provide adapter technology that connects to a variety of enterprise information systems over widely used integration technologies, such as Simple Object Access Protocol (SOAP), representational state transfer (REST), Structured Query Language (SQL), Lightweight Directory Access Protocol (LDAP) and more. In addition, IBM Worklight provides a special IBM Cast Iron® adapter.
● Enable multisource data mashups to efficiently integrate several data streams into one and serve it to the application user.
  Multisource data mashups are not only an effective way of optimizing data delivery to the mobile user, but also reduce overall traffic in the system.
● Enable developers to add custom server-side logic that is necessary for delivering back-end data for mobile consumption. This helps distribute processes between the client and server and helps address data-security regulations within the organization.
● Provide flexible security architecture with server-managed security challenges, delivering more-robust protection.
● Integrate with the corporate authentication infrastructure to help secure application and data access, in addition to transaction invocation. The IBM Worklight authentication infrastructure is flexible enough to support different types of authentication—from multifactor or multistep login processes to non-interactive single sign-on (SSO) integration. You can also expect offline authentication of users to increase app availability. Furthermore, the IBM Worklight Server simplifies the integration with HTTP-based services that require authentication.
  Integration with Kerberos, Windows NT LAN Manager (NTLM), Basic and Digest authentication can be more-easily achieved by simple configuration of the HTTP adapter, without the need to write server-side code. The server also supports device-based application SSO, enabling apps to be automatically authenticated if an existing authenticated session is already available through the same mobile device.
● Integrate with IBM WebSphere® security functions by providing authenticators and login modules to leverage WebSphere security configuration and settings.
● You can employ standard and proprietary security mechanisms to help prevent attacks.
● More-easily scale to support hundreds of thousands of users and multiple applications through physical clustering.
● Provide app-deployment and version-control features that are managed and accessed by the IBM Worklight Console.
● Be integrated with IT monitoring and performance management systems that verify the vitality of the IBM Worklight Server and the services that it provides to applications.
● Automatically collect user-adoption and usage data for auditing and reporting purposes and gain access to custom configuration of reporting metrics. Raw data can be more-easily exported for further analysis by the different business intelligence tools used by the organization.
The IBM Worklight Application Center

The IBM Worklight Application Center enables company teams to set up an enterprise app store to help govern the distribution and management of pre-release and production-ready mobile applications. Administrators can make the most of existing authentication frameworks, including ACL and LDAP, to manage app distribution by department, job function, geography and other schema. Employees who access the Application Center from their mobile devices will only see the mobile apps that they are allowed to download. Employees can rate apps and provide feedback that can be considered for future enhancements.

For development teams, the Worklight Application Center provides a convenient way to distribute pre-release software to developers and testers. Feedback can be organized by device and by version to quickly isolate and resolve defects, whether those defects are device-specific or version-specific. The Application Center can also integrate with software-build processes to automate the distribution of the latest releases to project teams, accelerating the develop-test-debug cycle.

The Worklight Application Center provides:

● Administrators with improved governance over the distribution of mobile apps throughout the enterprise;
● Employees with easier access to the latest apps that are needed by their department or job function and that are optimized for their device;
● Developers with an easier way to distribute mobile builds and to elicit feedback from members of development and test teams.

The IBM Worklight Console

The IBM Worklight Console is a web-based user interface that is dedicated for the ongoing administration of the IBM Worklight Server and its deployed apps, adapters and push-notification services.
Through the console, administrators can:

● Access administrative dashboards that monitor virtually all deployed adapters and applications.
● Control and monitor virtually all push-notification services, event sources and related applications.
● Assign device-specific security IDs to support installation of business applications on sanctioned devices.
● Manage multiple versions of the same application and remotely disable applications by version and mobile-operating-system type.
● Access built-in and custom reports of application adoption and usage using Eclipse’s BIRT plug-in.
● Define device-based access-control policies to control access of apps.

IBM Worklight Device Runtime Components

IBM Worklight provides client-side runtime code that services HTML5, hybrid or native apps. Capabilities include:

● Access back-end data and transactions. API for the invocation of IBM Worklight services, retrieval of data and execution of transactions against back-end systems.
● Authentication and security. API and code for managing the authentication sequence and for securing the application data and its link to the IBM Worklight Server.
● Offline access. Local JSON database for data persistence with back-end synchronization; supports encryption and large data-sets.
● Application Management. API and code for applying new application versions and for disabling applications in accordance with policies that are defined in the IBM Worklight Console.
● Troubleshooting. Code for detecting runtime connectivity problems in the app and for collecting troubleshooting information about the app and about the device.
● Usage reporting for audit and analytics. API for collecting built-in and custom data from apps, to be recorded by the IBM Worklight Server for audit and analytics purposes.
● Cross-platform compatibility APIs. Uniform API for device features and useful UI tasks, hiding the differences across different environments.
● Skins management.
  Enables developers to adjust the features and functions of the app to the device’s form factor in run time, optimizing the app for different versions of the same OS family as smartphones and tablets.

Mechanism: Device SSO integration
Benefit: Enables a mobile user to authenticate one time in order to gain access to multiple mobile applications from a single device. Mobile users get a more-seamless experience without having to explicitly log in to each application. Enterprises can integrate authentication services under a single umbrella, streamlining governance and reducing help desk costs that are related to password resets and security. Developers can eliminate redundant development effort; they are no longer required to build authentication into each application independently.
Details:
• Upon successful login, the authentication state is saved in the database and used for validations in subsequent sessions from the same device
• No credentials are stored in the on-device database; only the state of the authentication is stored, for improved security

Mechanism: Virtual private network (VPN) alternative
Benefit: Enable delivery and operation of mobile apps for employee-owned devices or device types that are not allowed on the corporate network, and enable delivery when installation of VPN client on mobile devices is not possible or is complicated to manage
Details:
• Client-side and server-side frameworks act as secure socket layer (SSL)-based VPN
• Network access control and policies are preconfigured in the client-side framework layer
• Network access and security measures are updated using server-side framework
• On-device encrypted storage to help prevent compromise of sensitive data

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and from outside a client’s enterprise.
Improper access can result in information being altered, destroyed or misappropriated, or can result in misuse of systems to attack others. Without a comprehensive approach to security, no IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM Worklight systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures and may require other systems, products or services to be most effective. IBM Worklight does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

System requirements

Production environment

The IBM Worklight server can be installed on the following operating systems:

● AIX
● HP-UX
● Red Hat Enterprise Linux (RHEL)
● SUSE Linux (SLES)
● Oracle Solaris
● Microsoft Windows Server

The server requires the following databases to store metadata and cached back-end data:

● Derby
● Oracle
● MySQL
● IBM DB2®

The IBM Worklight server can run on the following application servers:

● Apache Tomcat
● IBM WebSphere Application Server (and Network Deployment) version 7.0 and higher (including the provided WebSphere Application Server v8.5 Liberty Profile)

The IBM Worklight Server can be clustered to achieve high availability and scalability. In such cases, a load balancer is required. This can be any commercial load balancer, software or hardware, which supports “sticky” sessions. The load balancer can optionally act as a reverse proxy and as an SSL accelerator.