
I am trying to set up WSO2 EMM V2.0.1. I was able to set it up on my live server and follow all the instructions provided here, WSO2 Getting Started, until I got to Configuring Android BKS. I configured all the settings provided, and my HTTPS is working fine. So I then moved to adding a user, and the first thing I noticed was that the email configuration is not working, so I can't add users with their email. Then I noticed that I can't even enrol users. I tried to test user login on the mobile device using username: admin, password: password, and I'm getting this error: Trust anchor for certification path not found when I use an emulator to test, and when I use a real device I get No peer certificate. This is my URL SELF EMM URL. After some debugging, I noticed it calls this URL and passes this parameter {"applicationType":"device","callbackUrl":"","clientName":"355972050729590","grantType":"password refresh_token","owner":"admin","tokenScope":"production"} but it wouldn't add a user on Android. I have an instance of WSO2 v1 which was mistakenly deleted, but I need to get it back up. And I was looking at the configuration here:

  public static boolean DEBUG_MODE_ENABLED = false;
  public static boolean LOCAL_NOTIFICATIONS_ENABLED = true;
  public static boolean GCM_ENABLED = false;

  public static String SERVER_IP = "";

  public static String SERVER_PORT = "9443";
  public static String SERVER_PROTOCOL = "https://";
  public static String API_VERSION = "1.0.0";

  public static String SERVER_APP_ENDPOINT = "/EMM/api/";

  public static String OAUTH_ENDPOINT = "/oauth2/token";
  public static String SENDER_ID_ENDPOINT = "devices/sender_id/";
  public static String IS_REGISTERED_ENDPOINT = "devices/isregistered/";
  public static String LICENSE_ENDPOINT = "devices/license/";
  public static String REGISTER_ENDPOINT = "devices/register/";
  public static String UNREGISTER_ENDPOINT = "devices/unregister/";
  public static String NOTIFICATION_ENDPOINT = "notifications/pendingOperations/";

  // <-- There's nothing like this in the Constants.java class
  public static String SERVER_URL = SERVER_PROTOCOL + SERVER_IP + ":" + SERVER_PORT + SERVER_APP_ENDPOINT;

  public static final String TRUSTSTORE_PASSWORD = "";
  public static final String EULA_TITLE = "POLICY AGREEMENT";

Not all of these are in the Constants.java class, and many of them are unused. If HTTPS is the problem, I would like to switch to HTTP. But I can't switch; I still get a Timeout error. And I tried both 40.68.228.207:9443, which is for HTTPS, and 40.68.228.207:9763, which is for HTTP; both are giving me No peer certificate. Please HELP ME.

You said to change the email message here:

Customize the email that is being sent out by navigating to the notification-messages.xml file, which is in the <EMM_HOME>/repository/conf directory.

But notification-messages.xml does not exist anywhere in the specified directory.

My firewall config:

*filter

-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT

Allow HTTP and HTTPS connections from anywhere

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp --dport 1410 -j ACCEPT
-A INPUT -p tcp --dport 1450 -j ACCEPT
-A INPUT -p tcp --dport 9443 -j ACCEPT
-A INPUT -p tcp --dport 9763 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 1400 -j ACCEPT

-A INPUT -s -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT

-A OUTPUT -d -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

Allow SSH connections

-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

Allow ping

-A INPUT -p icmp -j ACCEPT

Log iptables denied calls

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Drop incoming connections if an IP makes more than 15 connection attempts to port 80 within 60 seconds

-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j D$

Drop all other inbound - default deny unless explicitly allowed policy

-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Tonespy
  • I have registered a user with the following details in your EMM instance and tried enrolling a device, but the default HTTP port is not working, it seems. Can you check the firewall and see if port 9763 is available? User details: username - kacheix & password - testing. The email template configuration is changed in EMM 2.0.1; the new changes are not updated in the documentation. I have raised that as a public bug report; the documentation will be updated within this week. Thanks. – Kamidu Punchihewa Apr 22 '16 at 04:27
  • @Kachiecx see my firewall settings. I intentionally enabled it on my Azure server and wrote a custom firewall configuration. If I can set up the instance without HTTPS, I'll be glad. But it seems like you guys by default didn't add how to run without HTTPS, because I changed all my protocol and port to http and 9763 on a server and still I keep getting redirected to HTTPS – Tonespy Apr 22 '16 at 04:43
  • Can you reset data of your testing device and retry? It can not give peer unverified error if it's connecting via HTTP. Usually when saving the host information for the first time, agent app stores the URL configurations in a SharedPreference. It has to get reset for a new host to be added. So please try resetting it and re-enroll with your HTTP URL. You can clear the data simply by going into your settings -> Applications and WSO2 Agent, there click on clear data. (For this to happen you should unregister the agent first or forcefully disable device administrator option for the agent app) – Kasun Delgolla May 06 '16 at 08:29
  • @KasunDelgolla You see, this is the problem. When I tried using your product two years ago, the documentation wasn't that bad, but kind of understandable. And now it really has been scattered and is not understandable again. I said I tried to change to HTTP by removing https anywhere I see it, and I still get redirected to HTTPS. Why? Probably EMM doesn't want to make their service understandable for users trying to use it for free. So please stop saying your service is open source and fully put a price tag on it. Thanks – Tonespy May 06 '16 at 08:33
  • I don't know what else to do. Re-Installed my server OS more than 3 times and all I get is same error. No going forward past enrolling. Posted a question since April 11 and got first response April 22 and next Today? Please, you can remove the OpenSource free on your service and put a price tag on it. And not the $20,000 for setup. – Tonespy May 06 '16 at 08:37
  • Since this is a complex product, this requires a fair amount of configuration to be performed. If we take the latest released binary pack and start it locally on a machine, it works without any hassle. You should be missing some configuration with your server. Try the latest released (2.1.0) version on your local setup first and when you make sure it works, then move it to the server. – Kasun Delgolla May 06 '16 at 08:47
  • You see, this is it. Yeah. When you run it, it runs fine. It always does; I've never experienced an error setting it up. Even generating a BKS for my Android device that needs a CA and RA. But this is it. I feel like not even using SSL again. I want just `HTTP` and I can't get it to respond. If I'm going to set it up for `HTTP` and I've changed everywhere in the doc that says I should and I'm still being redirected to `HTTPS`... it runs fine, that's why it's still live on my server 40.68.228.207:9443/emm @KasunDelgolla it's enrolling that never works. I didn't experience this 2 years ago; v2.0.1 has been hell – Tonespy May 06 '16 at 08:57
  • I just tried to enroll one of my devices to your host and yes I get the same issue. But what I figured out was, agent sends the request to the host "http://40.68.228.207:9763/dynamic-client-web/register" which is the correct one. But from the server side there is a redirection happening to HTTPS. Could you check whether your server has any special configuration to forward all HTTP requests to HTTPS? – Kasun Delgolla May 06 '16 at 09:26
  • I think the reason is, you should have enabled HTTPS redirection on your web apps following step 4 in https://docs.wso2.com/display/EMM201/General+Server+Configurations; you have to undo that if you need to work with HTTP. You should perform the same in all the web apps which you have changed to work with HTTPS (especially the mdm-android-agent web app and the dynamic-client-web web app) – Kasun Delgolla May 06 '16 at 09:35
  • @KasunDelgolla Okay. You know I've uncommented that line just now. And I tested, but before doing that in your documentation you said change this line to `public static final String SERVER_APP_ENDPOINT = "/mdm-android-agent/";` to this line `//public static final String SERVER_APP_ENDPOINT = "/EMM/api/";` and I was still experiencing the error, so I decided not to use that and use the default, and voila. It enrolled. Please you need to look at your documentation and also, the blog in your profile is pointing to an old android source – Tonespy May 06 '16 at 10:59
  • And if I go to https://40.68.228.207:9443/publisher, I keep getting redirected even after modifying config no.4 here https://docs.wso2.com/display/EMM201/General+Server+Configurations – Tonespy May 06 '16 at 11:38
  • For that, go to EMM_HOME/repository/conf/identity/sso-idp-config.xml and change all the hostname instances to your IP and it should work properly. That is SSO Configurations step 3 in https://docs.wso2.com/display/EMM201/General+Server+Configurations – Kasun Delgolla May 07 '16 at 05:25
  • @KasunDelgolla I've done that. That's the first thing I always do anytime I'm configuring WSO2, because I know I can't browse to the emm app using my server IP and the port set for EMM to listen on. But I don't know why I keep getting redirected to https://localhost:9443/samlsso unless you want me to replace all occurrences of `${carbon.local.ip}` in that file – Tonespy May 07 '16 at 05:50
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/111272/discussion-between-ituoke-ajanlekoko-and-kasun-delgolla). – Tonespy May 07 '16 at 05:55
  • I keep getting this error `ERROR {org.wso2.carbon.identity.thrift.authentication.internal.ThriftAuthenticationServiceComponent} - Error in starting Thrift Authentication Service org.apache.thrift.transport.TTransportException: Could not bind to port 10711` – Tonespy May 07 '16 at 06:18
  • I've enrollment working fine now. All I need now is to have /publisher and /store to work fine. Any help would be greatly appreciated. Thanks. I get redirected to localhost:9443/samlsso if I visit https://40.68.228.207:9443/publisher and if I click on SignIn on https://40.68.228.207:9443/store, I get redirected to this too https://localhost:9443/samlsso – Tonespy May 07 '16 at 16:12

1 Answer

If you have followed the IOS configuration as documented here, please take the following steps to include the SSL certificates you have acquired into the keystore.

Convert the downloaded certificates to .pem files.

openssl x509 -in <CERTIFICATE>.crt -out <CERTIFICATE>.pem

Example:

openssl x509 -in rootcert.crt -out  root.pem

openssl x509 -in intermidiatecert.crt -out  inter.pem

Create a certificate chain with the root and intermediate certifications.

cat <CERTIFICATE 1> <CERTIFICATE 2> ... >> <CERTIFICATE CHAIN>

Example :

cat root.pem inter.pem >> clientcertchain.pem

Export the SSL certificate chain file as a PKCS12 file with "wso2carbon" as the alias.

openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in ia.crt -CAfile ca_cert.pem -name "<alias>"

Example:

openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile clientcertchain.pem -name "wso2carbon"

Import the generated p12 file into the wso2carbon.jks and client-truststore.jks in the <EMM_HOME>/repository/resources/security directory.

keytool -importkeystore -srckeystore <KEYSTORE>.p12 -srcstoretype PKCS12 -destkeystore <KEYSTORE>.jks

Example:

keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jks

NOTE:
When prompted, enter the keystore password and keystore key password as wso2carbon. When prompted to replace an existing entry that has the same name as wso2carbon, enter yes.


Kamidu Punchihewa
  • You see, if I tell you I generated all these files without a single error 4 times. And I'd like you to visit https://40.68.228.207:9443/emm to confirm yourself. It's there. I still have the username and password left as admin:admin – Tonespy May 09 '16 at 07:18
  • The above-mentioned changes were not in the documentation. Are you sure you followed the same and added the certificates as a certificate chain into both keystores under the wso2carbon alias? – Kamidu Punchihewa May 09 '16 at 07:21
  • This is the only line that I see that's missing: `cat root.pem inter.pem >> clientcertchain.pem`. I did everything here https://docs.wso2.com/display/EMM201/Generating+a+BKS+File+for+Android But let me get back to you and I'll let you know how it goes – Tonespy May 09 '16 at 07:27
  • Yes, this is a critical step to include SSL certificates provided by public CAs – Kamidu Punchihewa May 09 '16 at 09:24
  • In order to include your SSL certificates, which are acquired from a public CA, you need to follow these steps – Kamidu Punchihewa May 09 '16 at 09:50
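The answer's four steps and the "Trust anchor for certification path not found" / "No peer certificate" errors in the question both come down to one thing: whether the client can build a path from the server's certificate to a root it trusts. The script below is an added example, not code from the answer or from WSO2. It builds a throwaway root -> intermediate -> server chain with openssl (standing in for the public CA the asker bought from; emm.example.test, the file names and the wso2carbon alias/password are constructed for the demo), shows that a client trusting only the root rejects the server certificate until the intermediate is supplied, then runs the answer's PEM-conversion, chain-concatenation and PKCS12 steps. One deliberate difference from the answer's command: `-certfile` is used instead of a bare `-CAfile`, because openssl pkcs12 only consults `-CAfile` when `-chain` is also given, so without it the chain never lands in the .p12 that keytool imports. The keytool step is the answer's, run non-interactively, and is skipped when no JDK is installed.

```shell
#!/bin/sh
# Added example: demonstrate certificate-chain building and packaging with a
# constructed PKI. Not part of the original answer or of WSO2 EMM.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/req.cnf"

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:emm.example.test
EOF

# Constructed PKI: self-signed root, intermediate signed by the root, server
# (leaf) certificate signed by the intermediate. File names mirror the answer.
make_demo_pki() {
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/rootcert.crt" -days 30 \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl req -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/rootcert.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -extfile "$CNF" -extensions v3_ca -out "$WORK/intermidiatecert.crt" >/dev/null 2>&1
  openssl req -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ia.key" -out "$WORK/ia.csr" \
    -subj "/CN=emm.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ia.csr" -CA "$WORK/intermidiatecert.crt" \
    -CAkey "$WORK/inter.key" -CAcreateserial -days 30 \
    -extfile "$CNF" -extensions v3_leaf -out "$WORK/ia.crt" >/dev/null 2>&1
}

# Answer steps 1-2: normalise both CA certificates to PEM and concatenate them.
build_chain() {
  openssl x509 -in "$WORK/rootcert.crt" -out "$WORK/root.pem"
  openssl x509 -in "$WORK/intermidiatecert.crt" -out "$WORK/inter.pem"
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/clientcertchain.pem"
}

# Verify the server certificate against a trust file, optionally with extra
# untrusted certificates (what a server would send). Returns 0 on success.
verify_leaf() {
  trust="$1"; untrusted="${2:-}"
  if [ -n "$untrusted" ]; then
    if openssl verify -CAfile "$trust" -untrusted "$untrusted" "$WORK/ia.crt" >/dev/null 2>&1; then return 0; fi
  else
    if openssl verify -CAfile "$trust" "$WORK/ia.crt" >/dev/null 2>&1; then return 0; fi
  fi
  return 1
}

# Answer step 3, with -certfile so the chain is actually stored in the PKCS12.
# Prints the number of certificates the resulting file contains.
export_p12() {
  openssl pkcs12 -export -out "$WORK/KEYSTORE.p12" -inkey "$WORK/ia.key" \
    -in "$WORK/ia.crt" -certfile "$WORK/clientcertchain.pem" \
    -name wso2carbon -passout pass:wso2carbon
  openssl pkcs12 -in "$WORK/KEYSTORE.p12" -nokeys -passin pass:wso2carbon 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Answer step 4, non-interactively; skipped when keytool (JDK) is not on PATH.
import_into_jks() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found, skipping JKS import"; return 0
  fi
  for ks in wso2carbon.jks client-truststore.jks; do
    keytool -importkeystore -srckeystore "$WORK/KEYSTORE.p12" -srcstoretype PKCS12 \
      -srcstorepass wso2carbon -destkeystore "$WORK/$ks" -deststorepass wso2carbon -noprompt
  done
}

make_demo_pki
build_chain
verify_leaf "$WORK/root.pem" && echo "unexpected: leaf verified with root only" \
  || echo "root only: leaf rejected (the Trust anchor / No peer certificate case)"
verify_leaf "$WORK/root.pem" "$WORK/inter.pem" && echo "root + server-sent intermediate: OK"
verify_leaf "$WORK/clientcertchain.pem" && echo "full chain as trust store: OK"
echo "certificates in KEYSTORE.p12: $(export_p12)"
import_into_jks
```

The first verify call is the situation behind the question's errors: a device that trusts only the CA's root cannot validate a leaf whose intermediate is missing from both its trust store and the server's handshake. Against a live server, `openssl s_client -connect <host>:9443 -showcerts` shows which certificates the server actually presents, which is the quickest way to tell whether the chain import into wso2carbon.jks took effect.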