
I am using MobileFirst version 6.3.0 and I am trying to set up MobileFirst server to run in only https mode. Essentially, this means I need to have a self signed certificate generated on the server side and also have the certificate installed on my Android device for the app to work.

I have set up MobileFirst server to run only on port 10443 and am able to see that the chrome browser (from my android device) is able to access https://<server>:10443/worklightconsole without warning me about accessing an untrusted website [I take this as confirmation that the certificate was installed properly on the mobile device]. However, I see that the android app I generated from MobileFirst is not able to connect to the server (I don't think this is a connectivity issue because when I build the app to use http://<server>:10080, the app works well. It only fails when I rebuild the app to use https://<server>:10443).

I followed the instructions as mentioned in the MFP documentation to create a self-signed certificate [http://www-01.ibm.com/support/knowledgecenter/SSHS8R_6.3.0/com.ibm.worklight.installconfig.doc/admin/t_updating_keystore_liberty.html?lang=en]

Let me detail out the exact steps I followed:

Server side changes:

  1. Remove httpPort="10080" from server.xml so that the server runs only on port 10443
  2. Create a self-signed certificate for the server. I used openssl to generate a self-signed certificate. First, create certificate and private key files with the command "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt"
  3. Next, create a keystore file that zips the certificate and key into one file with the command "openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -out server.p12 -passout pass:passServerP12 -passin pass:passServer"
  4. Configure mfp server to use the new keystore I generated above. Essentially, copy the server.p12 file to "MobileFirstServerConfig\servers\worklight\resources\security" under the workspace directory
  5. Remove (or comment out) <keyStore id="defaultKeyStore" password="worklight"/> in server.xml
  6. Ensure that <feature>ssl-1.0</feature> is set under <featureManager>. Add the following lines:
     ```xml
     <ssl id="mySSLSettings" keyStoreRef="myKeyStore"/>
     <keyStore id="myKeyStore" location="server.p12" password="passServerP12" type="PKCS12"/>
     <sslDefault sslRef="mySSLSettings"/>
     ```
  7. Build the mobile app with build settings set to https://<server>:10443 and deploy it in mfp server

Mobile device side changes:

  1. Download the certificate (certificate.crt generated above) onto the mobile device. Install the file and accept the certificate on the device.
  2. Ensure that this certificate is now trusted by the mobile device and the browsers by accessing https://<server>:10443/worklightconsole on the chrome browser. This step proceeded according to the screenshots shown here: http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_android.html
  3. Download the app onto the device and it should start contacting the server at https://<server>:10443.

While step 2 above worked for me well, step 3 is where things are not working. Essentially, the chrome browser is picking up the certificate, while the mobile app is not.

Is there something I need to do while building the mobile app in Eclipse so that it will pick up trusted (and self-signed) certificates from the android device?

  • Can you add some more information? How is it failing in the device? What do you see? Which device model and Android version? – Idan Adar Mar 18 '15 at 13:42
  • Did you install the certificate via the browser or via email? – Idan Adar Mar 18 '15 at 13:43
  • I installed the certificate by sending it as an attachment in an email. I downloaded the certificate on the device (Android Lollipop on Moto G) and had to specify a name for the certificate. The screenshots while installing the certificate were exactly as in [link](http://www-01.ibm.com/support/knowledgecenter/SSHS8R_6.3.0/com.ibm.worklight.installconfig.doc/admin/t_installing_root_CA_android.html?lang=en) – Bharathi Shekar Mar 19 '15 at 05:39

1 Answer


Step 2 above verifies that the browser trusts your server but it does NOT verify that the device trusts your server. The device and browser use two different trust stores and ssl logic (in some cases).

Idan's question is the same one I have: how did you 'install' the root CA? Via the browser or via the device through email or a download link? If it was through browser import, then that won't put it on the device trust store, which is where you need it.

lizet
  • Responded to Idan's question, but adding it here as well. The Android version is 5.0.2 and I am using Moto G. The certificate was downloaded via email and not via the browser. I can see that the certificate is installed on the device because when I go to Security-->Credential Storage-->Trusted Credentials-->User, I see the certificate. – Bharathi Shekar Mar 19 '15 at 05:40
  • At the time of creating the certificate using openssl command, I understand that it is mandatory to have the ip address of the server as the "Common name". Are there any such restrictions or best practices for other parameters (like Organization, Unit, etc)? – Bharathi Shekar Mar 19 '15 at 05:48
  • Bharathi, in general, I think using IP address is not recommended. You should be using a hostname in the common name. And using the hostname in the URL accessing the server. If you must use IP, I believe you need to create the certificate with a specific cert extension, and use IP in the URL accessing the server. – lizet Mar 20 '15 at 16:42
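The "specific cert extension" lizet refers to is subjectAltName, and it is also what closes the gap between the question's openssl steps 2 and 3 and a certificate that strict clients accept: the script below is an added example (not from the question, the answer, or the IBM documentation) that generates the same privateKey.key / certificate.crt / server.p12 files as the question, but with the hostname and the IP address in the SAN rather than relying on the CN alone, and then reads the SAN back so it can be checked before the keystore is deployed. The hostname mfp.example.internal and the address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example: self-signed server cert with a subjectAltName (SAN) that names
# both the hostname and the IP. Clients that verify the SAN instead of the CN
# will only accept an IP URL if the IP appears here as an IP: entry.
set -e

# make_server_cert HOST IP [OUTDIR]
make_server_cert() {
  host="$1"; ip="$2"; outdir="${3:-.}"
  cfg="$outdir/san.cnf"
  # Minimal OpenSSL config; -config/-extensions works on old and new OpenSSL
  # versions, unlike the newer -addext flag.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
O = MFP lab (placeholder)
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  # Same shape as the question's step 2, plus the SAN extension section.
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$outdir/privateKey.key" -out "$outdir/certificate.crt" \
    -config "$cfg" -extensions v3_server 2>/dev/null
  # Same as the question's step 3 (the key is unencrypted, so no -passin).
  openssl pkcs12 -export -in "$outdir/certificate.crt" \
    -inkey "$outdir/privateKey.key" -out "$outdir/server.p12" \
    -passout pass:passServerP12
}

# cert_san CERTFILE: print the SAN line (spaces stripped), e.g.
# DNS:mfp.example.internal,IPAddress:192.0.2.10
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
```

Run `cert_san certificate.crt` after generation; if the IP you put in the app's build settings is not listed as an IP Address entry, the certificate will not match that URL under SAN-based verification even though Chrome may still accept it.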