
SSL Signature verification failure:Communication Error(14)

tahir_z
Contributor
0 Kudos

Hello,


I am trying to run the Agentry client on an Android device but am running into a problem. The client that we are trying to install on the device (Motorola ET1, Android version 4.0+) gives: "SSL Signature verification failed: Communication Error(14)".


We have created certificates, and that runs on ATE with no problem. I installed the same CA certificate on the device and I can see it in the trusted certificates. I also created a PIN for the device, as it requires.
But no luck; I receive the same error.

Syclo Work Manager Version : 6.0
The client I use : Agentry_6.1.3.10212_Client-Android
Android version : 4.1.1

Kind Regards,

Tahir ÖZ

Accepted Solutions (0)

Answers (4)


bill_froelich
Product and Topic Expert
0 Kudos

Which certificate did you install on the device? I found that I could not install the CA cert on Android devices and needed to install the signed cert instead to get the connection to work. I haven't used 6.1.x in a while and would recommend upgrading to SMP3 personally.

--Bill

Former Member
0 Kudos

Hi Bill,

Can you please share the steps to generate the signed certificate?

We have a CA certificate that works on Samsung Android phones but does not work on Motorola MC32 Android device.

Thanks!

estani
Explorer
0 Kudos

Hi Parker

The Motorola devices have some restrictions regarding self-signed certificates, hence you have to make your own Agentry client, following the steps mentioned in SAP note 1932043.

When you are about to create the apk file, you have to put your certificate file with the name "Agentry.cer" into the folder "AgentryAndroidClientSolution\assets". The certificate can be downloaded directly from any web browser (in base64 .CER format) from the URL https://smpserver:8083/Admin

Regards,

Former Member
0 Kudos

Thanks Estanislao, we are now able to connect to our SMP server.

estani
Explorer
0 Kudos

Hello Tahir,

This is a Motorola security thing, so in order to connect to the Agentry server over a secure channel, you have to embed the certificate into the client. You must follow the steps to produce a branded client, and put the certificate (in base64 .CER format) into the folder "asset" of the AgentryAndroidClientSolution parent folder. This also works to produce the Android client without the need to download the certificate on every device.

Hope it helps someone else, even if it is too late for you.

Former Member
0 Kudos

Hey Tahir.

We have been facing the same issue, and after a long search we finally succeeded in getting this to work.

The fundamentals are described in SAP standard documentation at Creating a Self-Signed Certificate Using OpenSSL

For Android, two additional steps are required (in this workaround) for creating a client certificate that Android will accept.

First step is to reconstruct the PEM CA certificate:

Create a text file called Android.txt containing this single line:

basicConstraints=CA:true

Then issue this openssl command:

openssl x509 -days 3650 -in server-cert.pem -signkey server-key.pem -extfile Android.txt -out server-cert.pem.crt

Second step is to convert the PEM (ASCII) certificate to DER (binary) format.

Do this by issuing this command:

openssl x509 -inform PEM -outform DER -in server-cert.pem.crt -out CAcert.der.crt

You will now have a new client certificate called CAcert.der.crt, which can be imported into the Android certificate store.

Søren Hansen

tahir_z
Contributor
0 Kudos

Thank you Soren,

We have tried many things but couldn't make it work on the Motorola ET1 (Android OS) device. I have opened an OSS note as well, but again no success. The SAP Support team told us that our device is not in the SAP/Syclo supported device list. Then we changed the device model to iPad.

Your solution may possibly work, because I didn't set CA=true.

I hope this case may help other community members.

Regards,

Tahir

Former Member
0 Kudos

Hi Tahir,

We already have SAP WM 6.0 running on an Android Samsung Galaxy tablet (Android version 4.2.2). We just imported the certificate (.cer) file and installed it on the device.

What do you mean by 'I created also pin for device as it requires' ?

Regards,

Abhishek Wajge

tahir_z
Contributor
0 Kudos

Hi Abhishek,

The device we use is a Motorola ET1 with version 4.1.1, and I also installed the .cer file, but with the same result.

Since Android 4.0+, for the device to install a certificate into the Trusted Certificates and be able to use it, the device is required to be PIN or password protected.

Regards,

Tahir

Former Member
0 Kudos

Hi Tahir,

Do you use the default certificate that comes with the installation of the Agentry server, or have you created your own certificate?

From my experience you always have to create custom certificates for your Agentry server, otherwise your 6.1 client won't accept the certificate. Note that you have to provide the correct hostname of your server in the certificate in its CN field. I haven't tested X509 v3 extensions where you can provide a whole set of alternative hostnames for a single certificate.

After installing the certificate and registering it in Agentry.ini, you always have to connect to the server via its hostname and not using the IP address. The client won't accept the certificate otherwise, unless the IP address is inside the certificate's CN field. Of course you have to install the certificate on your client device as well. If your certificate is signed by a CA, the CA certificate will suffice.

Hope I could help!

Regards,

Christoph

tahir_z
Contributor
0 Kudos

Hi Christoph,


I have already created a custom certificate using OpenSSL. I provided the FQDN with the IP address and this works on ATE with no problem. I have converted the .pfx file to a .cer file and then installed it on the device, but no success. Everything seems okay and we still couldn't figure out where we are stuck.



Kind Regards,

Tahir


Former Member
0 Kudos

Hi Tahir,

When converting .pfx to .cer, did you export it in DER or PEM format? Perhaps you could try to change the format. Also, did you include the private key in the .cer file? I experienced similar problems on an iPad with the private key included in the certificate file.

Regards,

Christoph

tahir_z
Contributor
0 Kudos

Hi Christoph,

I have exported the key in DER format and tried with PEM format as well.

Also, the .pfx file is an installable format on Android; this includes the private key etc.

I can see the installed certificates in "Trusted Certificate" on the device.

Is there any other way to export the certificate? I might be doing it the wrong way.

Regards,

Tahir

Former Member
0 Kudos

Hi Tahir,

Try to remove all custom certificates from the device. Export only the certificate (without the private key!) from the pfx file in DER or PEM format. Install this certificate on the device.

For certificate format conversion you could use OpenSSL.

This way works for me.

Regards,

Christoph

tahir_z
Contributor
0 Kudos

Hi Christoph,


I have exported the .cer certificate with no private key from Trusted Root Certification on Windows as follows,

But the result is the same. I have opened a case with SAP for this issue.

Many thanks Christoph for your help.


Regards,

Tahir

Former Member
0 Kudos

Hi Tahir,

You're welcome. That looks right to me. I would be happy for any hint on how you fixed this issue once it's done.

Regards,

Christoph

bill_froelich
Product and Topic Expert
0 Kudos

Christoph,

Did you get this working?

For me I simply took my .cer file that I generated and loaded to my Android device.  This is the same .cer file that I converted to a .pfx for use on the Agentry server.

My biggest problem was getting my Android device (Galaxy S4) to accept the certificate. Many times it would say that it installed the certificate, but when I looked at Security -> Trusted Credentials -> User it would not show up. Once I successfully got the cer file to load and show there, I was able to connect fine.

--Bill

Former Member
0 Kudos

Hi Bill,

This was not my issue. For me certificates are working fine. But I'm sure Tahir will let us know once he fixed this on his system.

Christoph

Marçal_Oliveras
Active Contributor
0 Kudos

Hi Bill,

How did you manage to install the certificate on your Samsung device? I have a 7" Galaxy Tab 3, and I tried to install the certificate more than 10 times and it never appears in the User trusted credentials list.

If I try to connect to the Agentry Server I get the same error as the OP...

*If I install the same certificate on my Windows laptop, the ATE is able to synchronize.

bill_froelich
Product and Topic Expert
0 Kudos

I also had that issue and the same experience. Everything indicates it was loading the certificate but it never showed in the User Trusted list, and it was due to the way I created the certificate. I had to make some changes to how I was generating the certificate so that Android would accept it. iOS and Windows both loaded all my certs fine; it was just Android that was particular with it.

I'm sure your next question will be what did I change.

You'll have to forgive me as I have my key gen set up as a somewhat automated process, so I made the changes and just run it now. I believe that what I had to do was modify my config when issuing the certificate to remove the keyUsage and extendedKeyUsage extension options from my conf file used during the process.

Hopefully this may help!

--Bill

Former Member
0 Kudos

Hey Bill.

Would it be possible for you to post your OpenSSL config file (in an anonymized way)? In our config file we do not have the keyUsage and extendedKeyUsage extension options, but we are still having problems using our certificates on Android.

Thanks.

Søren Hansen

Marçal_Oliveras
Active Contributor
0 Kudos

Thanks for the clues Bill,

I didn't do it, but Søren has been able to proceed with the investigation and finally generate a proper certificate for Android, as you can see from his answer.

bill_froelich
Product and Topic Expert
0 Kudos

Here is my openssl command to issue the certificate from my batch file.  The %configname% is simply the reference to my starting config that I use in the naming of the certificates.

openssl ca -batch -config ./myca2a.conf -notext -in ./%configname%.csr -out ./%configname%.cer

After this finishes I take the .cer file and upload to my android device and install from Security settings.

The myca2a.conf file contains the following

[ ca ]
default_ca = myca

[ crl_ext ]
# issuerAltName=issuer:copy  #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always

[ myca ]
new_certs_dir = C:/agentry/certs/tmp
unique_subject = no
certificate = C:/agentry/certs/root.cer
database = C:/agentry/certs/certindex
private_key = C:/agentry/certs/keyfile.pem
serial = C:/agentry/certs/serialfile
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash

--Bill
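
Added example, not part of any post above and not SAP or OpenSSL project code: a standard-library Python check for the three properties the replies keep returning to, namely whether the file is PEM or DER, whether a private key was exported along with the certificate, and whether basicConstraints carries CA:true. The function names are this example's own, and the sample bytes are constructed extension fragments rather than real certificates.

```python
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # DER of OID 2.5.29.19
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def basic_constraints_ca(der):
    """cA flag of basicConstraints: True/False, or None if the extension is absent."""
    at = der.find(BASIC_CONSTRAINTS_OID)  # byte search: fine for inspection, not validation
    if at < 0:
        return None
    tag, value, pos = read_tlv(der, at + len(BASIC_CONSTRAINTS_OID))
    if tag == 0x01:  # optional "critical" BOOLEAN comes before the OCTET STRING
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04 or not value:
        return None
    tag, inner, _ = read_tlv(value, 0)  # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    if tag != 0x30 or not inner:
        return False  # empty SEQUENCE: cA takes its default, FALSE
    tag, flag, _ = read_tlv(inner, 0)
    return tag == 0x01 and flag != b"\x00"

def inspect_cert_file(data):
    """Report container format, stray private keys and the cA flag of the first cert."""
    blocks = PEM_BLOCK.findall(data)
    labels = [label.decode() for label, _ in blocks]
    if blocks:
        certs = [base64.b64decode(body) for label, body in blocks if label == b"CERTIFICATE"]
        fmt, der = "PEM", (certs[0] if certs else b"")
    else:
        fmt, der = ("DER" if data[:1] == b"\x30" else "unknown"), data
    return {"format": fmt, "der": der, "ca": basic_constraints_ca(der),
            "has_private_key": any("PRIVATE KEY" in name for name in labels)}

def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour (the reverse of the PEM-to-DER step)."""
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + base64.encodebytes(der) + b"-----END " + tag + b"-----\n"

# Constructed samples: bare basicConstraints extensions, not complete certificates.
EXT_CA_TRUE = bytes.fromhex("300f0603551d130101ff0405300301" "01ff")
EXT_NO_CA = bytes.fromhex("30090603551d1304023000")
```

Read a real file with `open(path, "rb").read()` and pass the bytes to `inspect_cert_file`; the `der` field is what the PEM-to-DER conversion would write out. A certificate with cA TRUE that is installed as a trusted credential can act as an issuer, so its private key needs CA-grade protection.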