3

I'm trying to set up an MDM check-in connection from my device to the server. In my .mobileconfig I have already put in the identity, which is from the credential; I generated it from Keychain Access, using the .p12 file. For the Server & Check-in URL: https://address.To.Server:9769/mdm/

I'm hosting my server in Tomcat with SSL enabled, for which I generated the JKS using keytool: "keytool -importkeystore -srckeystore client-cert.p12 -srcstoretype PKCS12 -destkeystore keystore.jks"

*client-cert.p12 is the same .p12 file I put in the mobileconfig's identity.

If I'm not mistaken, all requests from iOS to the server use the HTTP PUT method. I already tried accessing my server directly from the Chrome browser and had no problem with it. I believe it is a certificate problem, but I have no clue what is happening.

I got all these errors when I tried to install the profile from Safari.

>Notice: (Error) MC: Connection to <server> failed with error: NSError:
Desc   : The server certificate for <server> is invalid.
US Desc: The server certificate for <server> is invalid.
Domain : MCHTTPTransactionErrorDomain
Code   : 23002
Type   : MCFatalError
Params : (
"<server>"
)

>Notice: (Error) MC: Cannot install MDM Mobile Device Management. Error: NSError:
Desc   : The payload Mobile Device Management could not be installed.
Sugg   : The server certificate for <server> is invalid.
US Desc: The payload Mobile Device Management could not be installed.
US Sugg: The server certificate for <server> is invalid.
Domain : MCInstallationErrorDomain
Code   : 4001
Type   : MCFatalError
Params : (
"Mobile Device Management"
)

>Desc   : The profile SilverlakeMDM could not be installed.
Sugg   : The payload Mobile Device Management could not be installed.
US Desc: The profile SilverlakeMDM could not be installed.
US Sugg: The payload Mobile Device Management could notbe installed.
Domain : MCProfileErrorDomain
Code   : 1009
Type   : MCFatalError
Params : (
SilverlakeMDM
)

Below are from my server console:

>httpsConnector.receiver.02 ERROR DefaultSystemExceptionStrategy:300 logException - Caught exception in Exception Strategy: Received close_notify during handshake
javax.net.ssl.SSLException: Received close_notify during handshake
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1821)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1922)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:848)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
        at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
        at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
        at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
        at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
        at org.mule.work.WorkerContext.run(WorkerContext.java:311)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
soniality

2 Answers

1

Possible issues can be:

  1. Check your CN first. Yes, it should match the domain. If you are testing it on your local machine, make sure to add the IP there.

  2. Make sure your SSL certificate is signed with the Root CA if it's self-signed. The signer should be clearly indicated as the Root CA.

  3. If you are using an RA certificate, it also needs to be signed by the Root CA.

  4. Implement the check-in and server URLs as PUT methods. If this is not implemented, it will simply give this error.

I also had your issue due to point 4 and managed to resolve that.

Abimaran Kugathasan
Dilshan
  • Hi, which server are you using for MDM? Initially we used a dedicated server, but now we are transferring to Microsoft Azure. So the profile installation is failing when we install it (Profile Installation Failed), which used to work earlier. Maybe Azure has an issue with the PUT request, from what I have got to know till now. Do you have any idea about it? Do we need to create fresh certificates? – Imran Jun 25 '15 at 07:40
  • Right now I am just a developer of WSO2 EMM. This will work with WSO2 EMM. – Dilshan Jun 25 '15 at 12:19
0

Most likely, it's exactly the problem which it mentions: "The server certificate for is invalid.".

Maybe it's not a root certificate (I am not sure how iOS will like that), or maybe you are using something unusual in this cert which is supported by your desktop but not supported by the iOS device.

Try to access your server from Safari on your iOS device and see what it says.

Also, I assume that you created a configuration profile with the server certificate which you installed beforehand. Go to Preferences and look at this configuration profile. This certificate should say something like "Trusted".

Victor Ronin
  • I am able to access the https link using Safari on my iPad, but the cert is stated as not trusted because it is a self-signed certificate. For the configuration profile, I generate it using IPCU and insert the .p12 generated from Keychain Access into the identity section in IPCU. I can't install the profile because of "The server certificate for is invalid". By the way, am I doing it right in generating the certificate? I'm confused. – soniality Aug 30 '13 at 03:04
  • First of all, disregard my comment regarding the cert being trusted or not. I just looked in the iOS UI and it looks like it doesn't indicate any per-cert status, but rather indicates an Unsigned/Verified status for the whole profile. – Victor Ronin Aug 30 '13 at 13:31
  • Regarding cert generation. Just to make sure that we are on the same page. The Credentials item in IPCU allows you to add one of two things: 1) .cer (this will make the iOS device trust the server cert). 2) PKCS12 - it's the device identity cert (a cert and private key which will be used by the device to authenticate to the server). At the end of the day, if your server has a self-signed key, you should install both the server certificate + (PKCS12 or SCEP). – Victor Ronin Aug 30 '13 at 13:34
  • If I am not mistaken, Apple downloads has some configuration profiles for diagnostics and one of them is for diagnostic of MDM errors. You can install this configuration profile and in such case, it may give you more information on your error. – Victor Ronin Aug 30 '13 at 13:35
  • According to this answer here http://stackoverflow.com/a/10905901/2695014 , my CN would be address.To.Server:9769/mdm/ or address.To.Server:9769? Is it necessary to set the CN according to my server address? – soniality Sep 05 '13 at 07:00
  • Read this question for details: http://stackoverflow.com/questions/5935369/ssl-how-do-common-names-cn-and-subject-alternative-names-san-work-together Generally speaking CN should be equal to your host and domain. It shouldn't include ports (like 9769) and it shouldn't include path (/mdm) – Victor Ronin Sep 05 '13 at 16:04
  • @soniality did you solve your problem? I have the same issue. – mor222 Apr 27 '17 at 15:01
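
The CN advice in the first answer and in the comments above (host only, no port, no path), as an added example that is not part of the original thread: it reads the ServerURL and CheckInURL from an MDM payload and checks them against the names in a server certificate. The profile and certificates are constructed samples and the function names are hypothetical; the SAN-first matching rule is an assumption about the client, not something stated on this page.

```python
import ipaddress
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile: only the MDM payload keys this check reads.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.mdm</string>
  <key>ServerURL</key><string>https://address.To.Server:9769/mdm/</string>
  <key>CheckInURL</key><string>https://address.To.Server:9769/mdm/</string>
</dict></array></dict></plist>"""
# Constructed certificates, shaped like ssl.SSLSocket.getpeercert() output.
GOOD = {"subject": ((("commonName", "address.to.server"),),),
        "subjectAltName": (("DNS", "address.to.server"),)}
BAD_CN = {"subject": ((("commonName", "address.To.Server:9769/mdm/"),),)}

def mdm_hosts(profile_bytes):
    """Hosts (port and path stripped) that the MDM payload points the device at."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    return {urlsplit(p[k]).hostname for p in payloads
            if p.get("PayloadType") == "com.apple.mdm"
            for k in ("ServerURL", "CheckInURL") if k in p}

def cert_names(cert):
    """SAN entries if present; otherwise fall back to the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans or cns

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def name_matches(host, pattern):
    """Exact IP match, or DNS match with '*' allowed only as the whole first label."""
    host_ip, pattern_ip = _ip(host), _ip(pattern)
    if host_ip is not None or pattern_ip is not None:
        return host_ip == pattern_ip
    h, p = host.lower().split("."), pattern.lower().split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def check(profile_bytes, cert):
    """Map each MDM host in the profile to whether the certificate covers it."""
    names = cert_names(cert)
    return {h: any(name_matches(h, n) for n in names) for h in mdm_hosts(profile_bytes)}

if __name__ == "__main__":
    print(check(PROFILE, GOOD), check(PROFILE, BAD_CN))
```

A certificate whose CN carries the port and path, as asked about in the comments, fails the check even though the host part is identical.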