JustWare Mobile
JustWare has a mobile application that gives active JustWare users the ability to access and perform basic case actions from a mobile device. The JustWare Mobile product is an HTML5 web app, meaning it can be accessed from any mobile device with a modern web browser.
Installing JustWare Mobile
The diagram below demonstrates the recommended setup for installing JustWare Mobile.
Note: If you don't already have MSDTC (Microsoft Distributed Transaction Coordinator) set up on your DMZ, this must be done in order for JustWare Mobile to work correctly. For information on MSDTC, see http://technet.microsoft.com/en-us/library/dd337629(v=WS.10).aspx, and for instructions on how to install MSDTC, see http://support.microsoft.com/kb/301600.
JustWare Mobile Users
In order to use JustWare Mobile, there are some specific users that need to be created and those users need specific rights and permissions. The following users are needed to run JustWare Mobile and need to be created before you install JustWare Mobile as these users are used in the installation process:

| User | Permissions |
|---|---|
| API User | This user needs View, Insert and Update access to the JustWare Database. This user's credentials will be used when using JustWare Mobile. If you already have an API user created, then you could use that one. If you do not have the JustWare API, you will still need to create this user as the JustWare Mobile has its own API. |
| JustWare Database User | Needs to be a SQL Account with the following permissions: |

To install JustWare Mobile you will need to run the following installers in this order:
- Message Broker
- User Security Services - Must be installed where the Active Directory is accessible. Recommended to be installed on the same server as the Message Broker.
- API Entity Writer - Must be installed where the Active Directory is accessible. Recommended to be installed on the same server as the Message Broker.
- Mobile Documents Service - Must be installed on the same server as the Message Broker.
- JustWare Mobile - Must be installed on the same server as the Message Broker.
For information on each of these installers, see below.
Message Broker
The Message Broker facilitates messages between the components of JustWare, the API, and JustWare Mobile.
Installation Options
Select the Installation option desired. If this is a new install, select Install.
Service Configuration

| Field | Description |
|---|---|
| Service Name | This read-only field displays the service name that was specified on the previous page. |
| Install Location | Specify the file path for the service. Click on the browse button to find an existing path or create a new path. |
| Bind Address | Specify the machine address that you want the Message Broker bound to. Enter * to have the Message Broker bind to all available addresses. |
| Bind Port | This is the TCP Port that the Message Broker will listen on. |

Click Finish.
User Security Services
These services handle authentication between JustWare Mobile and JustWare.
Installation Options
Select the Installation option desired. If this is a new install, select Install.
Install Location
Specify the location where the User Security Services will be installed.
Message Broker Address
Specify the address and port for the Message Broker that was installed previously.

| Field | Description |
|---|---|
| Address | Enter the IP address or host name where the Message Broker was installed. |
| Port | Enter the port number that was specified in the Message Broker installer. |

Click Finish.
API Entity Writer Service
These services handle writing to the database through the API.
Installation Options
Select the Installation option desired. If this is a new install, select Install.
Install Location
Specify the location where the User Security Services will be installed.
API Credentials
Select the Installation option desired. If this is a new install, select Install.

| Field | Description |
|---|---|
| Username | Enter the username that will be used to connect to the installed JustWare API. |
| Password | Enter the password associated with the above username. |

JustWare Database Connection
Message Broker Address
Specify the address and port for the Message Broker that was installed previously.

| Field | Description |
|---|---|
| Address | Enter the IP address or host name where the Message Broker was installed. |
| Port | Enter the port number that was specified in the Message Broker installer. |

Click Finish.
Mobile Documents Service
These services handle writing to the database through the API.
Installation Options
Select the Installation option desired. If this is a new install, select Install.
Install Location
Specify the location where the User Security Services will be installed.
File Access Credentials

| Field | Description |
|---|---|
| Username | Enter the username that will be used to connect to the File System. |
| Password | Enter the password associated with the above username. |

Message Broker Address
Specify the address and port for the Message Broker that was installed previously.

| Field | Description |
|---|---|
| Address | Enter the IP address or host name where the Message Broker was installed. |
| Port | Enter the port number that was specified in the Message Broker installer. |

Click Finish.
JustWare Mobile
This installs the JustWare Mobile product and the JustWare Mobile API.
Installation Options
Select the Installation option desired. If this is a new install, select Install.
System Requirements
Before you begin the installation process, you must ensure that your system has the correct components. This page will automatically begin verifying the necessary components. If your system does not have all the components necessary, you must install those components on your system before continuing to ensure that JustWare Mobile functions properly.
Also on this page is a list of additional information you will need during the installation process.
Click Next to continue.
JustWare Mobile IIS
Specify the following fields to configure IIS to work in conjunction with the JustWare Mobile site:

| Field | Description |
|---|---|
| Web Site | Select the correct Web site from the list. This list is generated by the available Web sites in IIS that are located on the computer being used. |
| Virtual Directory | Type a virtual directory to be used. Ensure that the virtual directory you type is not in use by another Web site, because the installer cannot overwrite an existing virtual directory. |
| Application Pool | Select the Application Pool to be used. This list is compiled from the list of available Application Pools listed in IIS. |
| Rewrite HTTP to HTTPS | Selecting this check box will rewrite the URL to HTTPS, meaning that when someone types in HTTP, the URL will automatically be changed to HTTPS. In order to use HTTPS, there must be a certificate bound to the Web site specified above. To learn more about binding and creating security certificates, see the [Enabling HTTPS](../JusticeWeb/Security/JusticeWeb_Security_EnablingHTTPS.md) section of this Help. |

Note: In order to use the Rewrite to HTTPS feature, you must have IIS Rewrite URL installed on the server. This download can be found at: http://www.iis.net/download/URLRewrite
JustWare Database Connection
JustWare Mobile API IIS
Specify the following fields to configure IIS to work in conjunction with the JustWare Mobile API:

| Field | Description |
|---|---|
| Web Site | Select the correct Web site from the list. This list is generated by the available Web sites in IIS that are located on the computer being used. |
| Virtual Directory | Type a virtual directory to be used. Ensure that the virtual directory you type is not in use by another Web site, because the installer cannot overwrite an existing virtual directory. |
| Application Pool | Select the Application Pool to be used. This list is compiled from the list of available Application Pools listed in IIS. |
| Rewrite HTTP to HTTPS | Selecting this check box will rewrite the URL to HTTPS, meaning that when someone types in HTTP, the URL will automatically be changed to HTTPS. In order to use HTTPS, there must be a certificate bound to the Web site specified above. To learn more about binding and creating security certificates, see the [Enabling HTTPS](../JusticeWeb/Security/JusticeWeb_Security_EnablingHTTPS.md) section of this Help. |

Note: In order to use the Rewrite to HTTPS feature, you must have IIS Rewrite URL installed on the server. This download can be found at: http://www.iis.net/download/URLRewrite
Message Broker Address
Specify the address and port for the Message Broker that was installed previously.

| Field | Description |
|---|---|
| Address | Enter the IP address or host name where the Message Broker was installed. |
| Port | Enter the port number that was specified in the Message Broker installer. |

Click Finish.
Granting Access
JustWare Mobile is for use by JustWare users. Before a user can log into JustWare Mobile, they must be an active app person in JustWare with mobile privileges. To give a user mobile access, select the Mobile User checkbox in the Application Person code table.
All active app persons are granted privileges to JustWare Mobile on install. This setting can be configured by JustWare administrators in JustWare's System Administration section. Once configured, users can visit their JustWare Mobile URL and use the same domain credentials and password they use in JustWare to log in.
Security
Because sensitive data is stored in JustWare, we have taken steps to ensure JustWare Mobile is as secure as possible. The information in this section outlines JustWare's security paradigm and how it keeps your data secure.
JavaScript Object Notation (JSON) Web Tokens
The primary means of authentication and authorization in JustWare Mobile is JSON Web Tokens (JWT). These tokens are a compact method for the application to identify and verify incoming clients and provide correct data as requested.
The token's contents are structured in JavaScript Object Notation (JSON): a header declaring the token to be a JWT, and a JWT Claims Set containing the claims used by the application:
- A unique token Globally Unique Identifier (GUID) as the JWT ID
- The date and time it was issued
- The date and time it will expire (20 minutes from the issue date)
- The issuer of the token
- The JustWare username associated with the token
Base64url encoding is applied to both the header and claims set. A unique signature, generated from these items using an HMAC SHA-256 cryptographic hash algorithm and a private key, is attached to the end of the token for data integrity and authorization.
The tokens are for one-time-use requests to the API and have a limited lifespan of twenty minutes from when they are generated. By design, the tokens allow no storage of usernames and passwords on the client or the server beyond what is needed for validation. The private key used to generate tokens is stored only on the server and never transmitted. In the case of compromise, changing the server's private key would generate different token signatures and effectively invalidate every existing token generated by the previous key.
More details about JWTs can be found at https://tools.ietf.org/html/draft-ietf-oauth-json-web-token.
Authentication
JustWare Mobile is developed for use by named JustWare users. Before a user can log into JustWare Mobile, they must be an active application person in JustWare with mobile privileges. All active app persons are granted privileges to JustWare Mobile on install of JustWare Mobile. This setting is configurable by JustWare administrators in JustWare's System Administration section. Once configured, users visit their JustWare Mobile URL and use the same domain credentials and password they use to log in to JustWare.
When the server receives a login request, it first authorizes the received credentials through Active Directory, similar to JustWare. Then the server looks up whether that associated app person has privileges for mobile. Upon successful authorization, a new token associated with that user is generated and transmitted back to the client for use in accessing more data through the application. No additional data is stored on the server on login.
If a user is authenticated and their password is close to expiration, the user will receive a notification before proceeding. There is no mechanism for users to update their JustWare passwords through JustWare Mobile.
Authorization
When the client makes a request to the API for data, such as the user's active case list or a case's details, the client will transmit their stored token alongside the request. The server will evaluate this token before responding. Requests to the API without a token are not possible.
The server first attempts to decode the token. The server takes its private key and generates a signature with that token's header and claims set. That signature is compared with the one supplied with the token. A mismatch indicates that the received token has either been altered, generated with a different private key, or exposed to some other form of tampering, and the token is rejected.
To defend against reuse, the token's JWT ID is checked against a list of other JWT IDs used. If there is a match, that means this token has been used previously and is rejected. Otherwise, the JWT ID is recorded.
Afterward, the username inside the token is used to complete the API call for data. A new token is generated for the user with a refreshed expiration time and sent along with the data back to the client. In cases where the request is rejected for any reason, an 'unauthorized' response is sent back to the client without a token.