
I have the following implementation in a testing environment:

  1. Front-end Server [IBM HTTP Server + IBM WebSphere plugin],
  2. WLServer1 [IBM Worklight 6.2 + IBM DB2 10.1 + Liberty Farm 8.5.5.1] and
  3. WLServer2 [IBM Worklight 6.2 + IBM DB2 10.1 + Liberty Farm 8.5.5.1].

plugin-cfg.xml has been generated from each Worklight server and merged.

The requests [HTTP] from multiple devices have been directed to the Worklight servers alternately, once the merged plugin-cfg.xml has been deployed in the front-end server's IBM WebSphere plugin.

How can I implement the same to serve HTTPS requests?

I have also implemented the "UserCertificateAuthenticationProject" from the Worklight modules, which connects the device [HTTPS] to the Worklight server directly.

Note: Tested it on Android only.

Help me understand how I can achieve HTTPS in the test environment via IHS.

What should be the procedure in Production environment?

Note: IBM Worklight 6.2 supports Android, iOS, BlackBerry & Windows, so I have to implement this on all platforms.

DJo
Karikalan
  • What have you tried already? Is something not working? Did you follow the getting started guide? Here are the getting started guides: http://www.ibm.com/developerworks/mobile/worklight/getting-started.html The section that you might be particularly interested in is Authentication and Security. – Daniel A. González Aug 01 '14 at 04:16
  • Also, note that user certificate authentication is only supported for Android and iOS at the moment. HTTPS connections, however, are supported on all environments. – Daniel A. González Aug 01 '14 at 04:17
  • One last comment: user certificate authentication is not required to create an HTTPS connection. You only use this authentication realm when you want to create two way SSL connections, but if all you want is HTTPS, you do not need user certificates. – Daniel A. González Aug 01 '14 at 04:18
  • Thanks @DanielA.González, I have understood the necessity of the user certificate from your explanations. But I want to implement an HTTPS connection from all platforms. From Worklight application [not browser] -> IHS -> WLServer. – Karikalan Aug 01 '14 at 05:00
  • Demo HTTP adapter returns "helloworld". I am getting "Host unresponsive" as an error when I access via "https://WLServer:9443/demo". I could get the actual response when I access using "http://WLServer:9080/demo"; this implementation is via IHS. If I access the complete URL [HTTPS] in the mobile browser I am getting the result. – Karikalan Aug 01 '14 at 05:06
  • It seems that your application does not trust the certificate you are using on the server; you get an "Unresponsive host" whenever the device does not trust the certificate from the server, since a connection could not be established. If you look at the trace logs, you should see an exception about the certificate. Change the Worklight Logger level to trace (refer to the Logger documentation on how to do so: http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.apiref.doc/html/refjavascript-client/html/WL.Logger.html?cp=SSZH4A_6.2.0%2F10-0-0-1-19&lang=en). – Daniel A. González Aug 01 '14 at 15:08

1 Answer


It sounds like the problem you are having is similar to this one: https://stackoverflow.com/a/21914147/2245921 The Unresponsive Host error occurs for one of two reasons:

  1. Your device cannot reach your server (they are not in the same network)
  2. The device does not trust the server's certificate

Since you can connect to your HTTP connection, it is not #1, so it should be #2. The answer to the other question I pointed to above should fix your problem. Make sure to turn on trace-level logs in the WL Logger so that you can see the exceptions regarding untrusted certificates.

Edit: To expand on this answer; to use HTTPS, your server needs an SSL certificate to identify itself, otherwise the device has no proof that it is connecting to the right server and not to some random server that could be malicious. You should already have a certificate that you are using in your server; if you don't, then read on.

You usually get an SSL certificate from one of two places: you either use a certificate issued to you by a trusted Certificate Authority (e.g., Verisign), or you create one for internal testing purposes. In your case, you probably want to create your own, so you should follow the "Client X.509 Certificate Authentication and User Enrollment" getting started here, specifically the parts that talk about generating the server certificate.

Once you have that certificate set up, you should configure your server to use it; for that, follow the instructions here. After doing this, the last step is to have your device trust your server's certificate. For this, follow the last part in the getting started above, which shows you how to make your iOS/Android device trust the server. You would have to look up how to do this on Windows and Blackberry, too.

After this, you should now be able to connect successfully via HTTPS. (Always make sure, when you get an "Unresponsive host" error, that you can still connect to the HTTP console via the browser, to make sure that you are connected to the same network as your server. I know you already did this as you specified in your question; I'm just mentioning it as a reminder since it is easy to forget this.)

Daniel A. González
  • Thanks @Daniel, I have enabled the log level and set it to INFO. I couldn't get any log for HTTPS, whereas I can get logs for HTTP. As you said, the certificate would be an issue. Suggest me a debug procedure to resolve this issue. I have got a few logs from logcat. I have given them in the comment below. – Karikalan Aug 01 '14 at 19:44
  • WLUserAuthManager.doesValidCertifcateExist in WLUserAuthManager.java:114::doesValidCertificateExists=false, establishSSLClientAuth isCertificateExists: false Request [https://x.x.x.x:9443/hello/apps/services/api/HelloWorld/android/query] HttpPostRequestSender.run in HttpPostrequestSender.java:46::Sending request https://x.x.x.x:9443/hello/...../api/HelloWorld/android/query WLNativeXHRPlugin$NativeXHRPostListener.onException in WLNativeXHRPlugin.java:137::onException javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found – Karikalan Aug 01 '14 at 19:46
  • I have followed the steps and the problem is still the same. [link](http://stackoverflow.com/questions/25092053/https-connection-to-worklight-server-6-2). Will this be an issue of the self-signed certificate? – Karikalan Aug 02 '14 at 06:46
  • Hi Daniel, thanks for your support. I'll implement and update. Let's say the implementation works, with the call from the mobile app to the Worklight server directly. What should I do if I have to place IBM HTTP Server in the middle? I have mentioned this in the question. – Karikalan Aug 04 '14 at 19:16
  • I do not know anything about the IBM HTTP Server, but it would be a matter of placing your certificate wherever it has to go in the IBM HTTP server, which is probably some sort of keystore file. – Daniel A. González Aug 04 '14 at 21:07
  • From a quick google search, I found this: http://www-01.ibm.com/support/docview.wss?uid=swg21179559 It seems you can import the same Java keystore (.jks file) that you are using for the Worklight server (it mentions .kdb files, but .jks files are a different implementation for the same thing). It may or may not work for what you need, but I can't help you more than that, since I'm not familiar with IHS. – Daniel A. González Aug 04 '14 at 21:08
  • Thanks, Daniel. The mobile to Worklight server [HTTPS] connection was successful. However, I need to implement it via IHS. Let me give it a try. – Karikalan Aug 05 '14 at 06:48
  • @DanielA.González As far as the Android application goes, `android:debuggable="true"` makes the application not check for the CA in the server, so the app should be accessing the HTTPS connection to the server without any CA installed on the device, right, if I am not wrong? – Kawinesh S K Aug 05 '14 at 10:25
  • If you are using user certificate authentication, then it does check; if you are just using HTTPS, then pre 6.2 I think that is true. However, I am not sure if that is still true on 6.2, so try it. Either way, you should test without the debuggable=true, since you should not have that when you go to production. – Daniel A. González Aug 05 '14 at 13:08
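
The failure quoted in the logcat comment above (`CertPathValidatorException: Trust anchor for certification path not found`) and the fix the answer describes, reproduced offline as an added example that is not part of the original thread. It assumes `openssl` is installed; the CA names and the host name `wlserver.example.test` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed, offline reproduction of "Trust anchor for certification path
# not found" and of the fix. Host and CA names are placeholders.

# new_ca DIR NAME: self-signed test CA written to DIR/NAME.key and DIR/NAME.pem.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed $2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_server_cert DIR CA HOST: DIR/server.pem for HOST, signed by test CA named CA.
new_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -days 30 \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/server.pem" 2>/dev/null
}

# chain_trusted CERT ANCHORS: succeed only if CERT chains to a CA in ANCHORS.
# Matching on ": OK" avoids relying on the exit status of old openssl builds.
chain_trusted() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# trust_report: build the test PKI in a temp dir, print a verdict per trust store.
trust_report() {
  local d
  d=$(mktemp -d) || return 1
  new_ca "$d" server-ca && new_ca "$d" device-ca &&
    new_server_cert "$d" server-ca wlserver.example.test ||
    { rm -rf "$d"; return 1; }
  # Device that only trusts an unrelated CA: the failing case from the log.
  chain_trusted "$d/server.pem" "$d/device-ca.pem" &&
    echo "before=trusted" || echo "before=untrusted"
  # Same device after the server's CA certificate was added to its trust store.
  chain_trusted "$d/server.pem" "$d/server-ca.pem" &&
    echo "after=trusted" || echo "after=untrusted"
  rm -rf "$d"
}

trust_report
```

Against a live test server, `openssl s_client -connect <host>:9443 -showcerts` shows the chain the server actually presents, which can then be checked against the intended trust anchor in the same way.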