Configuration and security

Configuring account auto-discovery for Android

Mobile users must configure the connection to their LiveCycle user account(s), including the LiveCycle name and port. If your users are using Android devices, you can enable auto-configuration so that users simply have to enter their email address and password. LiveCycle Mobile for Android can discover the DNS information for the domain and get the server information for the user’s account. To enable auto-configuration in LiveCycle Mobile for Android, you must configure a DNS Service (SRV) record.

Configuring a DNS Service (SRV) record

An SRV record is a type of data in the Domain Name System (DNS) that specifies connection details for certain services. Using SRV records for service endpoint configuration can simplify the often error-prone process of users entering host names, port numbers, and so on.

An SRV record takes the following form:

_service._proto.name TTL class SRV priority weight port target

LiveCycle uses the service, proto, port, and target fields, so a typical DNS SRV record for LiveCycle Mobile for Android is:

_livecycle._tcp.yourco.com 86400 IN SRV 0 5 443 livecycle.yourco.com

The above statement means: "bob@yourco.com should connect to LiveCycle with SSL to port 443 on the server livecycle.yourco.com".

LiveCycle Mobile interprets the port field of the SRV record to determine whether SSL should be used for the connection. The common SSL ports that the client detects include 443, 8443, and 9443. If you use an uncommon SSL port number, you can override this detection during account setup in the client.

Security through obscurity

Often, it is undesirable to place SRV records on your root domain because this could allow attackers to learn more about your network topology. If you consider this a problem, you can define the SRV record on a subdomain so that it is returned only when that subdomain is queried. For example:

_livecycle._tcp.somesubdomain.yourco.com 86400 IN SRV 0 5 443 livecycle.yourco.com

The above statement means: "bob@somesubdomain.yourco.com should connect to LiveCycle with SSL to port 443 on the server livecycle.yourco.com".

Note that LiveCycle Mobile for Android uses the email address format purely as an identifier from which it takes the user's ID (in the example above, "bob") and the domain name to query for the SRV record (somesubdomain.yourco.com). You could instruct your users to use an email address that is not the same as the one they use to receive corporate email. You could also place the SRV record on an unrelated domain (for example, bob@yourco-net-cfg.org).

DNS SRV records do not compromise the security of your system, but do have the potential to expose a host name that you would rather not have exposed.

Elements of DNS SRV that are not used by LiveCycle Mobile

DNS SRV supports high availability, using the priority and weight fields. This feature is useful for services such as SIP and XMPP, which rely heavily upon DNS SRV at runtime to resolve connection details, but it is not useful for auto-configuration tasks. For this reason, LiveCycle Mobile uses the first SRV record for its combination of service and proto that it finds.
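The lookup described in this section, as an added Python example (not Adobe's client code): it derives the SRV name from the identifier, takes the first matching record, and applies the port rule, so an administrator can check what a record would auto-configure before publishing it. The zone lines are constructed, and "first record" here means file order, which is an assumption.

```python
SERVICE, PROTO = "_livecycle", "_tcp"   # labels from the page's sample record
SSL_PORTS = {443, 8443, 9443}           # ports the page says the client treats as SSL

# Constructed zone lines for illustration only (lab and backup hosts are made up).
SAMPLE_ZONE = """
_livecycle._tcp.yourco.com 86400 IN SRV 0 5 443 livecycle.yourco.com
_livecycle._tcp.yourco.com 86400 IN SRV 10 5 8080 backup.yourco.com
_livecycle._tcp.somesubdomain.yourco.com 86400 IN SRV 0 5 443 livecycle.yourco.com
_livecycle._tcp.lab.yourco.com 86400 IN SRV 0 5 8080 lab-lc.yourco.com
"""

def srv_name_for(identifier):
    """Split 'user@domain' into the user ID and the SRV owner name to query."""
    user, sep, domain = identifier.strip().rpartition("@")
    if not (sep and user and domain):
        raise ValueError("identifier must look like user@domain")
    return user, f"{SERVICE}.{PROTO}.{domain.lower().rstrip('.')}"

def parse_srv(line):
    """Parse '_service._proto.name TTL class SRV priority weight port target'."""
    fields = line.split()
    if len(fields) != 8 or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    port = int(fields[6])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return {"name": fields[0].lower().rstrip("."), "port": port,
            "target": fields[7].rstrip(".")}

def discover(identifier, zone_text=SAMPLE_ZONE):
    """Return the settings auto-configuration would derive, or None if no record."""
    user, qname = srv_name_for(identifier)
    records = [parse_srv(l) for l in zone_text.splitlines() if l.strip()]
    matches = [r for r in records if r["name"] == qname]
    if not matches:
        return None
    first = matches[0]  # first record found wins; priority and weight are ignored
    ssl = first["port"] in SSL_PORTS
    warning = None if ssl else (
        f"port {first['port']} is not a recognised SSL port: unless SSL is "
        "enabled manually at account setup, credentials go out in plain text")
    return {"user": user, "host": first["target"], "port": first["port"],
            "ssl": ssl, "warning": warning}

if __name__ == "__main__":
    for ident in ("bob@yourco.com", "bob@lab.yourco.com", "bob@nowhere.example"):
        print(ident, "->", discover(ident))
```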

For more information on DNS SRV, see the SRV Record page on Wikipedia.

Setting up a reverse proxy for LiveCycle Mobile

If your organization requires a reverse proxy in front of the server running LiveCycle Mobile (for example, to hide LiveCycle Server details from clients), the following URLs must be forwarded from the proxy to the host running LiveCycle. Note that the URLs should begin with https if you want to use SSL connectivity:

  • http://<server>:<port>/rest/services/lc-pm-mobile.listTasks

  • http://<server>:<port>/rest/services/lc-pm-mobile.listProcesses

  • http://<server>:<port>/rest/services/lc-pm-mobile.getTaskDetail

  • http://<server>:<port>/rest/services/lc-pm-mobile.getTaskCount

  • http://<server>:<port>/rest/services/lc-pm-mobile.completeTask

  • http://<server>:<port>/rest/services/lc-pm-mobile.getFlattenedPDF

  • http://<server>:<port>/rest/services/lc-pm-mobile.getImage

  • http://<server>:<port>/rest/services/lc-pm-mobile.dismissDeadlinedTask

  • http://<server>:<port>/rest/services/MobileProvisioning.getProfile

  • http://<server>:<port>/rest/services/MobileRuntime.listMobileEndPoints

  • http://<server>:<port>/rest/services/MobileRuntime.renderMobileEndPoint

  • http://<server>:<port>/rest/services/MobileRuntime.submitMobileEndPoint

  • http://<server>:<port>/contentspace/webdav/

Each URL accepts a number of URL parameters, either via HTTP GET or HTTP PUT. For example:

http://<server>:<port>/rest/services/lc-pm-mobile.listTasks?start=0&count=15&includeSharedTasks=true

The example above is a valid URL for accessing a task list, as is the equivalent using HTTP POST.
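One way to check that a proxy forwards only the URLs listed above, as an added Python example (not part of the LiveCycle product). It assumes the list is treated as an allowlist and that paths are normalised before matching; proxy.example and the unlisted paths are constructed.

```python
from urllib.parse import unquote, urlsplit

REST_PREFIX = "/rest/services/"
WEBDAV_PREFIX = "/contentspace/webdav/"
# Service names copied from the page's list of URLs to forward.
REST_SERVICES = {
    "lc-pm-mobile.listTasks", "lc-pm-mobile.listProcesses",
    "lc-pm-mobile.getTaskDetail", "lc-pm-mobile.getTaskCount",
    "lc-pm-mobile.completeTask", "lc-pm-mobile.getFlattenedPDF",
    "lc-pm-mobile.getImage", "lc-pm-mobile.dismissDeadlinedTask",
    "MobileProvisioning.getProfile", "MobileRuntime.listMobileEndPoints",
    "MobileRuntime.renderMobileEndPoint", "MobileRuntime.submitMobileEndPoint",
}

def should_forward(url):
    """True only if the request path is one of the listed LiveCycle Mobile URLs."""
    path = unquote(urlsplit(url).path)  # the query string is not part of the match
    # A '%' left after one decode means double encoding; backslash and NUL are
    # read differently by different servers. Refuse rather than guess.
    if any(ch in path for ch in ("%", "\\", "\x00")):
        return False
    segments = path.split("/")
    if "." in segments or ".." in segments:
        return False  # dot-segments could climb out of an allowed prefix
    if path.startswith(REST_PREFIX):
        return path[len(REST_PREFIX):] in REST_SERVICES  # exact name, no suffix
    if path.startswith(WEBDAV_PREFIX):
        return "" not in segments[1:-1]  # no empty segments such as '//'
    return False

# Constructed requests for the check below; hosts and unlisted paths are made up.
SAMPLES = [
    "https://proxy.example/rest/services/lc-pm-mobile.listTasks?start=0&count=15",
    "https://proxy.example/contentspace/webdav/reports/q1.pdf",
    "https://proxy.example/contentspace/webdav/%2e%2e/%2e%2e/unlisted",
    "https://proxy.example/rest/services/Unlisted.invoke",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("forward" if should_forward(sample) else "reject ", sample)
```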

For more information on reverse proxy, see the Reverse proxy page on Wikipedia.

Security considerations

LiveCycle Mobile is a native application. It makes connections only to the server locations listed above. It is recommended that you use SSL to secure those HTTP connections.

Users should always use SSL when connecting to the LiveCycle Server. Otherwise, the user name and password are sent in plain text, which is not secure.
