Securing Oracle BI Mobile HD application using Oracle Business Intelligence Mobile Security Tool Kit and OMSS

Overview

Purpose

In this tutorial, you learn how to containerize and publish custom enterprise secure applications on the catalog along with the Out Of The
Box (OOTB) native secure applications.

Time to Complete

Approximately 2 hours

Introduction

Oracle Mobile Security Suite (OMSS) enhances employee productivity by allowing secure access to corporate applications and data from
mobile devices while preserving a rich user experience.
The Mobile Security Container creates an enterprise workspace on any mobile device, corporate owned or personal, and for all mobile platforms.

Oracle BI Mobile Security Toolkit provides a solution for OBIEE mobile customers, who require higher levels of mobile device security than what
is provided by the mobile operating systems (iOS) or through the Oracle BI mobile application.

Oracle BI Mobile Security Toolkit supplies a set of libraries, header files and the instructions required to build a version of the Oracle BI Mobile
HD application. Once the application has been built, it will be a fully functional version of the BI Mobile HD application. This application will now
be certified for distribution outside of the Apple App Store.

Working of Oracle BI Mobile Security ToolKit

A user of the Oracle BI Mobile Security Toolkit must be licensed to use the OBIEE server and the BI Mobile HD application. The BI Mobile
Security Toolkit will be updated on a regular basis in order to synchronize with the Oracle BI Mobile HD application available on the Apple
App store.

In order to guarantee the authenticity of the Apple iOS application that is built as part of the Apple development process, a signing certificate
is associated with the application during the build. For distribution through the Apple App Store, the Oracle BI Mobile HD Application has an
Oracle signing certificate associated with it. By shipping the component parts in the BI Mobile Security Toolkit, a corporation has the opportunity
to build and sign the application with their own certificate. This allows for traced distribution through internal application stores and the ability to
apply application wrapping technology through third party vendors for security purposes.

The additional step in the Apple iOS certification process is the assignment of the provisioning profile to the assembled application. The
provisioning profile defines how the application can be distributed. In the case of the BI Mobile Security Toolkit, the ad-hoc method should be
used. Apple does not permit the distribution of unsigned applications; however they do allow the distribution of libraries where a
new valid Apple iOS signing certificate has been applied. This is the approach that has been taken with the BI Mobile Security Toolkit.

Hardware and Software Requirements

The following is a list of software and hardware requirements:

  • Windows 2008 R2 SP1 server
  • Linux machine OL6
  • Oracle Database 11g version 11.2.0.3
  • Oracle Mobile Security Suite 3.0.1.0.0
  • Active Directory Windows 2008 (Optional)
  • iMac or Macbook Pro laptop
  • Xcode Version 5.1.1 or up

For this OBE, you use Active Directory for storing user information. Any other LDAP data store (like OUD) can also be used instead to
store user information.

Prerequisites

Before starting this tutorial, you should complete the following OBE:

Note: It is required that the organization or a developer be a member of the Apple iOS Developer Program (https://developer.apple.com)
and have an understanding of the Apple iOS development process.

Secure the custom enterprise application

Install the Containerization tool

Download and install the c14n containerization tool on the Mac machine where JDeveloper and XCode are running. Skip this section if you
already have the containerization tool.

  1. Download patch 19982462 from support.oracle.com (p19982462_30100_Generic.zip). Extract the file and you will
    see a package file under OMSS-v3.0.6\C14N-Tool-v3.0.6.109.15344. Double-click to start the installer.
    If you get an error about XQuartz, download and install the latest XQuartz from http://xquartz.macosforge.org,
    for example, XQuartz-2.7.7.dmg.

  2. Run the installer of c14n as shown below.

  3. Open a terminal window and enter the following commands.
    c14n -version
    which c14n

    Make sure the output is correct.


Build a new project

  1. Download Oracle BI Mobile Security Toolkit 11.1.1.7.2420 from
    http://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/bi-mobile-security-toolkit-1872818.html
    on your Mac OS. Accept the license agreement and then download the file. Extract the file.

  2. Open XCode 6.0.1. From the XCode menu, Select File > New > Project to create a new XCode project or
    when you open XCode, select the option to create a new XCode project from the Launch Pad.

  3. When asked to select a template, Select Single View Application. Click Next.

  4. Enter Product Name as MobileBI, Organization Name as MyCompanyOrg, Organization Identifier as MyCompany. Observe the
    Bundle Identifier that gets automatically constructed based on <organization_identifier>.<product_name>.

    In the Devices drop-down, specify the devices you are targeting. The Oracle BI Mobile HD application is a universal application
    that supports iPhone and iPad clients, so make sure to select Universal.

  5. Click Next and specify the destination to save your new project. Click Create.

  6. Drag the OBIMobile.framework, Settings.bundle and OBIMobile.bundle files from the unzipped location of
    Oracle_BI_Mobile_Security_Toolkit.11.1.1 to the project. Be sure to drop them on the Project icon and not
    above the icon.

  7. Select MobileBI in Add to targets. Select Create groups in Added Folders. Leave other options
    unselected and click Finish.


Modify project properties

Add the icons for the application. Be sure to add them for both the iPhone and iPad. You can do
this by dragging and dropping icons into their appropriate image set's (AppIcon) corresponding asset catalog.

  1. In the Project Navigator, select the asset catalog (for example, images.xcassets).

  2. Drag and Drop the images to the Image Set. Drag and drop the icons from unzip_location/artwork into the
    placeholders.

  3. For the last two entries above, for which there is no icon out of the box, create your own icons.
    Open Icon-Small@2x.png in MS Paint (on a Windows machine). Click Resize. Select the Pixel radio button
    and specify the size as 87 x 87. Click OK.

    Note: On a Mac machine, you could use the Paint Brush tool to edit images.

    Save the image in the artwork folder as Icon-Small@3x.png.

  4. Similarly, open Icon-120.png in MS Paint (on a Windows machine) or Paint Brush on a Mac. Click Resize. Select
    the Pixel radio button and specify the size as 180 x 180. Click OK. Save the image in the artwork folder as Icon-180.png.
    Use these two images to populate the placeholders iPhone 29pt 3x and iPhone 60pt 3x.

    Note: You will find the icons for the iPad and the iPhone in the zip file (downloaded earlier), but you can
    use any icon you want as long as it complies with Apple sizes and specifications. You can also apply some
    custom branding to the icons (rather than using Oracle branded icons).

    This is what the end result of placing the icons in the placeholders should look like.

    Note: If you place an incorrect size icon on the placeholder, it would show an error (!) on the menu bar as
    shown below.

Edit Build Settings

  1. Click MobileBI in the project navigator. Click General. Under Deployment Info, observe the orientations for both the
    iPad and the iPhone. Also, verify that Deployment Target is set to 8.0, a version of iOS that the Oracle BI Mobile HD
    application supports. Do not select a Target lower than 6.1.

    Note: Supported iOS versions can be found by checking the requirements list for the Oracle BI Mobile HD application
    on the Apple App Store https://itunes.apple.com/us/app/oracle-businessintelligence/id534035015?mt=8

  2. Click Info. Expand URL Types. Click + to add a new URL Type. Fill in the following fields
    with the corresponding values:
    Identifier:  com.oracle.obimobile
    URL Schemes: oraclebimobile
    Leave the rest of the options for the new URL type blank or as defaults.

  3. Click Build Settings > All. Search for "Other Linker Flags" under Linking. Add the following parameter:
    -all_load -ObjC

    To add this parameter you must double-click in the blank space next to the property. Then in the dialog
    (shown below), add the new parameter.

    The Linker Flag is successfully added as shown below.

  4. Under Build Settings, remove the arm64 from the valid architectures property under the Architectures section.

  5. Click Build Phases. From Link Binary, click the + sign to add the following libraries. Verify that each has Status
    marked Required.

    • MessageUI.framework
    • Security.framework
    • QuartzCore.framework
    • CoreData.framework
    • UIKit.framework
    • Foundation.framework
    • CoreGraphics.framework
    • libsqlite3.dylib

    Note: OBIMobile.framework is already present by default.

Modify Application Code

  1. Select the file <classprefix>AppDelegate.h in the project and add or modify the following lines of code:
    Add #import <OBIMobile/OBIMobile.h>
    Make AppDelegate inherit from OBIApplicationDelegate

    Note: In our example, as seen from the screenshot below, you are not using Class Prefix

  2. The final modified AppDelegate.h should have the following lines of code:
    #import <UIKit/UIKit.h>
    #import <OBIMobile/OBIMobile.h>
    @interface <classprefix>AppDelegate : OBIApplicationDelegate
    @property (strong, nonatomic) UIWindow *window;
    @end

    NOTE: The <classprefix> represents the name of the Class Prefix. Since you did not specify a class prefix, the
    file will simply be called AppDelegate.h and any reference in the code will be AppDelegate.

  3. Comment out all the code in <classprefix>AppDelegate.m and replace it with the following code:
    #import "<classprefix>AppDelegate.h"
    @implementation <classprefix>AppDelegate
    @synthesize window=_window;
    @end
    /*CODE COMMENTED OUT*/


You have completed downloading the Oracle BI Mobile Security Toolkit, added icons for the application and edited the build settings.

Build the custom enterprise application with Xcode

There are two different methods to build the application. The first approach is to build the application within XCode. The second approach
is using the XCodebuild command line tool. Either of these approaches can be used.

If you want to build the app with the same enterprise distribution profile and certificate that you will later use to containerize it
with the c14n tool, you can build the app within XCode using this real enterprise distribution provisioning profile and certificate. Once you
build this app (app file), you can run the c14n tool to containerize the app to generate the .ipa file. You can publish the file to the
OMSS catalog. Mobile users can download the app to their secure workspace container from vapp catalog. In this section, you will
build the application within XCode.

Build the application

  1. Navigate to Build settings > Code Signing. Assign the enterprise distribution provisioning profile such as
    Bitzer Enterprise Distribution Star and assign the certificate mapped to that profile,
    iPhone Distribution: Bitzer Mobile Inc.

  2. Verify if the device is set to iOS Device (not a simulator).

  3. Click Product > Build. Observe the error:

  4. To fix this error, click General. Change Bundle Identifier under the Identity section from MyCompany.MobileBI to
    <App id of the provisioning profile>.MobileBI, i.e., com.bitzerMobile.MobileBI. In our case the App id
    of the provisioning profile is com.bitzerMobile.*

    Observe that you used a provisioning profile with a wildcard * at the end so it can be used with multiple applications. If you
    used a non-star (wildcard) suffixed provisioning profile such as Bitzer Enterprise Distribution with APNS or similar
    certificate, then you would have to use the exact same App ID of the provisioning profile in the Bundle Identifier for the app.
    Therefore the MyCompany.MobileBI bundle identifier would have to be changed to the App ID of the provisioning profile.

    Note: The reason you are able to see all the provisioning profiles in the drop down under the Code Signing section is because
    you are logged into XCode as the Apple developer (XCode > Preference > Accounts). Based on your account profile as
    an Apple developer, you will see the provisioning profiles and certificates in XCode.

  5. Select Product > Build. Build should now be successful.
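
The bundle identifier rule from step 4 can be checked before a build or a c14n run. The following is an added example, not part of the original tutorial or of Oracle's tooling: a shell pre-flight check that reads the application-identifier entitlement from a decoded provisioning profile and tests whether a bundle identifier is covered by it. The sample profile text, the team prefix ABCDE12345 and the function names are constructed for illustration; on a Mac the decoded profile can be produced with `security cms -D -i <profile>.mobileprovision`.

```shell
#!/bin/sh
# Added example: is a bundle identifier covered by a provisioning profile's App ID?

# Constructed sample: the relevant part of a decoded provisioning profile.
# ABCDE12345 is a made-up team prefix.
sample_profile() {
cat <<'EOF'
<dict>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.bitzerMobile.*</string>
    <key>get-task-allow</key>
    <false/>
  </dict>
  <key>Name</key>
  <string>Bitzer Enterprise Distribution Star</string>
</dict>
EOF
}

# Read a decoded profile on stdin; print its App ID without the team prefix.
profile_app_id() {
    awk '
        /<key>application-identifier<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, "")
            sub(/<\/string>.*/, "")
            sub(/^[^.]*\./, "")     # drop the team prefix
            print
            exit
        }'
}

# Return 0 if bundle id $1 is covered by App ID $2.
# A trailing ".*" (or a bare "*") is a wildcard; any other App ID must match exactly.
bundle_id_matches() {
    bundle_id=$1
    app_id=$2
    [ -n "$bundle_id" ] && [ -n "$app_id" ] || return 1
    case $app_id in
        '*')
            return 0 ;;
        *'.*')
            prefix=${app_id%\*}     # keeps the trailing dot, e.g. "com.bitzerMobile."
            case $bundle_id in
                "$prefix"?*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *)
            [ "$bundle_id" = "$app_id" ] ;;
    esac
}

# check_bundle_id <bundle-id>, with the decoded profile on stdin.
# Returns 0 on a match, 1 on a mismatch, 2 if the profile has no App ID.
check_bundle_id() {
    app_id=$(profile_app_id)
    if [ -z "$app_id" ]; then
        echo "no application-identifier found in profile" >&2
        return 2
    fi
    if bundle_id_matches "$1" "$app_id"; then
        echo "OK: $1 is covered by $app_id"
    else
        echo "MISMATCH: $1 is not covered by $app_id" >&2
        return 1
    fi
}

# Demo on the constructed sample: the tutorial's original and corrected identifiers.
sample_profile | check_bundle_id MyCompany.MobileBI || true
sample_profile | check_bundle_id com.bitzerMobile.MobileBI
```

With a non-wildcard profile the same check only passes when the bundle identifier equals the App ID exactly, which is the case described in the paragraph on non-star profiles.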

Archive and export the file

  1. To create an .ipa application archive file, select Product > Archives. Click Export.

  2. On Select a method for export window, Select Save for Enterprise Deployment option.

  3. Select a development team to use for provisioning.

  4. On Summary window, Click Export.

  5. Specify the destination to save the .ipa file.


Containerize application

  1. You can check information about the ipa file, for example the app bundle name, the signature used to sign the ipa file
    and the bundle identifier, using the c14n command. Open a terminal window. Issue the commands given below.
    cd <location of ipa file> (in our case it is saved on Desktop)
    c14n -c info -i MobileBI.ipa

  2. To containerize the app, you need to run the following command:
    c14n -c inject -i MobileBI.ipa -o MobileBI_Containerized.ipa -cert "<name_of_the_cert>" \
        -p <name_of_the_prov_profile>

    After the command runs successfully, you can verify if it was containerized properly by running the
    following command:
    c14n -c info -i MobileBI_Containerized.ipa

Publish application

Publish the containerized app to the catalog.

  1. Login to MSAC https://idgovserver1.idc.oracle.com/acp as admin@idc.oracle.com. Click Catalog.

  2. Click +Add vApp. Select CONTAINERIZED APP. Browse and upload the MobileBI_Containerized.ipa file.

  3. The page should refresh automatically when the upload completes and you should see the MobileBI app.
    Observe the containerization version in the screen below.

  4. Click MobileBI app and it should display detailed properties.

  5. Click Policies. The app is now in the catalog and you will add it to a policy to make it available.
    Select Default Policy.

  6. Navigate to Default Policy > Catalog. Enter the Application Name in Add vApp to User Catalog, Select the app.

  7. Select Save.

  8. If you want to make it a birth-right app, that is, an app that is automatically installed on the home page of iPad for
    the users, Click Install on Homepage.


Access secure app from an iPad

Open your iPad. Tap on MyCompany Icon (Secure Workspace Container).

  1. Login as any user who is member of the control group (in our example sanjays@idc.oracle.com). You should see
    the MobileBI app on the home page automatically as you had made it a birth-right app.

    Observe that the app appears in two places, within the secure workspace and outside the workspace (with the lock on it,
    meaning even though it is placed outside the secure workspace, it is protected by the secure workspace container).

  2. Click and launch it. Observe that the MobileBI app doesn't challenge you to authenticate since you are already authenticated
    to the secure container (it redirects to the secure workspace container). It then redirects back to the MobileBI app and you log in
    transparently using the same credentials as the secure workspace app login.

    Click Accept on the End User License Agreement. You can now access the secure app.

  3. On the Add Server page, mobile users have to specify the server settings by clicking Add Server.

    If you want to avoid this for the end users and embed this information in the application itself, you could follow
    the section below. That section is for information only; you don't have to perform these steps.

Configure server while deploying application

  • Many organizations do not want their end users to have to bother with server configuration. One of the benefits of
    creating a “wrapped” application that is deployed in an enterprise application store, is the ability to modify the code
    and avoid this problem of server configuration having to be done by end users.

  • Select the file <classprefix>AppDelegate.m in the MobileBI project within Xcode and add the following method:
    - (BOOL)application:(UIApplication *)application
        didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
    {
        // To add a server you can do the following.
        // Every value passed here is compiled into the distributed application.
        [super createServer:@"<Provide server name>"
            host:@"<Provide host>"
            port:<9704>
            enableSSL:FALSE
            enableSSO:FALSE
            username:@"<Provide username or blank (user will be prompted)>"
            password:@"<Provide password or blank (user will be prompted)>"
            setAsDefaultServer:NO];
        // Override point for customization after application launch.
        return [super application:application
            didFinishLaunchingWithOptions:launchOptions];
    }

    NOTE: Replace any strings above in <> or italics with actual values based on your configuration.

You have now completed building and publishing the application using XCode.

Build the custom enterprise application with XCodebuild tool

The second approach is to customize the app in XCode as needed, but not build it in XCode. Use the XCodebuild command
line tool to build the unsigned app. Hand over the unsigned app to the security admin team. The security team containerizes the app using
the enterprise distribution provisioning profile and certificate and finally publishes it to the OMSS catalog.

You could follow either this approach or the previous one to build the enterprise application. In this section you will follow this approach
of using XCodebuild tool.

Customize application

  • Open XCode with the MobileBI project. After you have made all the changes to the application (as explained in the above sections),
    navigate to Build Settings > Code Signing. Set the Provisioning Profile to Automatic and Code Signing Identity to
    Don't Code Sign.

Build application

  1. Save the project (if not saved already using File > Save). Open a terminal window. Navigate to the location of
    MobileBI.xcodeproj (in our case under MobileBI folder on the desktop).
    Run the following command to build the application.
    $ /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild clean build \
        -project MobileBI.xcodeproj -target MobileBI CODE_SIGN_IDENTITY="" \
        CODE_SIGNING_REQUIRED=NO -configuration Release PROVISIONING_PROFILE=""

    Note: Using the command line, we can build an XCode application without signing the app or attaching a
    provisioning profile.

  2. After the application builds successfully, the following message is displayed.

  3. Observe that the MobileBI.app file got generated under MobileBI/build/Release-iphoneos directory. This is
    an unsigned app. You can get more information on this app by navigating to MobileBI/build/Release-iphoneos
    directory on the terminal window and running the following command.
    c14n -c info -i MobileBI.app


Containerize the application

  1. Containerize the app, using c14n command line specifying enterprise distribution provisioning
    profile and certificate as shown below.
    c14n -c inject -i MobileBI.app -o MobileBI_Secured.ipa -cert "iPhone Distribution: Bitzer Mobile Inc." \
        -p /Users/vishalparashar/Desktop/Bitzer_Enterprise_Distribution_Star.mobileprovision

  2. Once the command runs successfully, you can get more information on the containerized app MobileBI_Secured.ipa file, by
    running the following tool.
    c14n -c info -i MobileBI_Secured.ipa


General Note 1:

If you get an XCode project from an ISV, you can open it in XCode and customize it (to some extent) as
needed. You can generate an ipa file after attaching your enterprise distribution provisioning profile and enterprise certificate
in the Code Signing section. Now, you have to inject OMSS libraries in the .ipa file to containerize it.
Hence there are two options:

  • Run c14n with inject only option which containerizes the app. Then hand it over to the security team who
    will run c14n with sign-only option and sign the app (using the same certificate that was used in Xcode). You have
    to sign the app after injecting it with OMSS libraries (i.e, after containerization) as the code signature
    for the binary has changed.

  • Run c14n with inject option where you specify both the enterprise distribution provisioning profile and enterprise
    certificate together.

  • Note: Choosing either of the above options depends on how your team is structured. If the team handling containerization
    of the app is the same team responsible for enterprise certificates, then you can choose the second option. However, if these
    are two separate teams, choose the first option.

General Note 2:

If you are creating/updating the app in XCode, you have to code sign it (attach a provisioning profile and certificate) to generate the
app or ipa file. There is no way to create an unsigned app through XCode. So if you are using XCode to create or update the app,
you have two options:

  • Generate the .app or .ipa file from XCode. In this case, you must code sign it using the same provisioning profile and certificate
    which will be later used to containerize the app and sign it using c14n, otherwise c14n will fail.

  • Save the project in XCode after creating/updating it however build the app using command line tool, xcodebuild. The advantage
    of this option is that using xcodebuild, you can generate unsigned app (which you cannot using xcode). Once you have the .app
    or .ipa file generated using xcodebuild which is unsigned, then you can simply run c14n to containerize and sign it using
    the enterprise distribution provisioning profile and an enterprise certificate.

Generally speaking, in most situations, you will not get an xcode project file from ISV. Instead you will get an unsigned app
or ipa file from the ISV. Hence to containerize it, you simply run c14n using either of the options mentioned above in General Note 1.

Publish application

Publish this containerized app to the catalog as you did in the previous approach.

  1. Login to MSAC https://idgovserver1.idc.oracle.com/acp as admin@idc.oracle.com. Click Catalog.

  2. Before you add this app, make sure to delete the existing MobileBI app, as these two are the same app. Click the
    MobileBI app and click Delete.

    Click the Add vApp icon. Select CONTAINERIZED APP and browse and upload the MobileBI_Secured.ipa file.

  3. The page should refresh automatically when the upload completes and you should see the MobileBI app.
    Observe the containerization version in the screen below.

  4. Click MobileBI app and it should display detailed properties.

  5. Click Policies. The app is now in the catalog and you will add it to a policy to make it available.
    Select Default Policy.

  6. Select Catalog on the Default Policy. Enter the Application Name in Add vApp to User Catalog, Select the app.

  7. Select Save.

  8. If you want to make it a birth-right app that is, an app that is automatically installed on the
    home page of iPad for the users, Click Install on Homepage.


Access secure app from an iPad

Open iPad. Tap on MyCompany Icon (Secure Workspace Container).

  1. Login as any user who is member of the control group (for example sanjays@idc.oracle.com). You should see
    the MobileBI app on the home page automatically as you had made it a birth-right app.

    Observe that the app appears in two places - within the secure workspace and outside the workspace (with the lock on it -
    meaning even though it is placed outside the secure workspace, it is protected by the secure workspace container).

  2. Click and launch it. Observe that the MobileBI app doesn't challenge you to authenticate since you are already
    authenticated to the secure container (it redirects to the secure workspace container and then redirects back to the
    MobileBI app). You log in transparently using the same credentials as the secure workspace app login.

    Click Accept on the End User License Agreement. You can now access the secure app.

  3. On the Add Server page, mobile users have to specify the server settings by clicking Add Server.


You have now completed building and publishing the app using Xcodebuild command line tool.

Summary

In this OBE you learned how to containerize the Oracle BI Mobile HD application. You used two approaches to build the application,
one using XCode and the second using a command line tool called Xcodebuild.

In this tutorial you learned to:

  • Secure the custom enterprise application
  • Build the application using either XCode or Xcodebuild tool
  • Containerize the application using c14n tool
  • Publish the containerized application
  • Access secure application from an iPad

Resources

Credits

  • Lead Curriculum Developers: Vishal Parashar, Vandana Rajamani
  • Product Manager: Sanjay Sadarangani
  • Other Contributors: Pradeep Bishnoi, Ali Ahmed, Ashish Singh, Mukesh Singh, Satishkumar Venkatasamy
