on 04-10-2014 7:58 AM
Hello,
I am trying to run the Agentry client on an Android device but am getting a problem. The client that we are trying to install on the device (Motorola ET1, Android version 4.0+) gives: "SSL Signature verification failed: Communication Error(14)".
We have created certificates and they run on ATE with no problem. I installed the same CA certificate on the device and I can see it in the trusted certificates. I also created a PIN for the device as it requires.
But no luck; I receive the same error.
Syclo Work Manager Version : 6.0
The client I use : Agentry_6.1.3.10212_Client-Android
Android version : 4.1.1
Kind Regards,
Tahir ÖZ
Which certificate did you install on the device? I found that I could not install the CA cert on Android devices and needed to install the signed cert instead to get the connection to work. I haven't used 6.1.x in a while and would recommend upgrading to SMP3 personally.
--Bill
Hi Parker
The Motorola devices have some restrictions regarding self-signed certificates, hence you have to make your own Agentry client, following the steps mentioned in SAP note 1932043.
When you are about to create the apk file, you have to put your certificate file with the name "Agentry.cer" into the folder "AgentryAndroidClientSolution\assets". The certificate can be downloaded directly from any web browser (in base64 .CER format) from the URL https://smpserver:8083/Admin
Regards,
Hello Tahir,
This is a Motorola security thing, so in order to connect to the Agentry server over a secure channel, you have to embed the certificate into the client. You must follow the steps to produce a branded client, and put the certificate (in base64 .CER format) into the folder "asset" of the AgentryAndroidClientSolution parent folder. This also works to produce the Android client without the need to download the certificate on every device.
Hope it helps someone else, even if it is too late for you.
Hey Tahir.
We have been facing the same issue, and after a long search we finally succeeded in getting this to work.
The fundamentals are described in the SAP standard documentation at "Creating a Self-Signed Certificate Using OpenSSL".
For Android, two additional steps are required (in this workaround) for creating a client certificate that Android will accept.
First step is to reconstruct the PEM CA certificate:
Create a text file called android.txt containing this single line: basicConstraints=CA:true
Then issue this openssl command: openssl x509 -days 3650 -in server-cert.pem -signkey server-key.pem -extfile android.txt -out server-cert.pem.crt
Second step is to convert the PEM (ASCII) certificate to DER (Binary) format.
Do this by issuing this command: openssl x509 -inform PEM -outform DER -in server-cert.pem.crt -out CAcert.der.crt
You will now have a new client certificate called CAcert.der.crt, which can be imported into the Android certificate store.
Søren Hansen
Thank you Soren,
We have tried many things but couldn't make it work on the Motorola ET1 (Android OS) device. I have opened an OSS note as well but again no success. The SAP Support team told us that our device is not in the SAP/Syclo supported device list. Then we changed the device model to iPad.
It is possible that your solution works, because I didn't make CA=true.
I hope this case may help other community members.
Regards,
Tahir
Hi Tahir,
We already have SAP WM 6.0 running on an Android Samsung Galaxy tablet (Android version 4.2.2). We just imported the certificate (.cer) file and installed it on the device.
What do you mean by 'I created also pin for device as it requires' ?
Regards,
Abhishek Wajge
Hi Tahir,
Do you use the default certificate that comes with the installation of the Agentry server or have you created your own certificate?
From my experience you always have to create custom certificates for your Agentry server, otherwise your 6.1 client won't accept the certificate. Note that you have to provide the correct hostname of your server in the certificate in its CN field. I haven't tested X509 v3 extensions where you can provide a whole set of alternative hostnames for a single certificate.
After installing the certificate and registering it in Agentry.ini you always have to connect to the server via its hostname and not using the IP address. The client won't accept the certificate otherwise, unless the IP address is inside the certificate's CN field. Of course you have to install the certificate on your client device as well. If your certificate is signed by a CA, the CA certificate will suffice.
Hope I could help!
Regards,
Christoph
Hi Christoph,
I have already created a custom certificate using OpenSSL. I provided the FQDN with the IP address and this works on ATE with no problem. I have converted the .pfx file to a .cer file and then installed it on the device, but no success. Everything seems okay and we still couldn't figure out where we are stuck.
Kind Regards,
Tahir
Hi Tahir,
When converting .pfx to .cer, did you export it in DER or PEM format? Perhaps you could try to change the format. Also, did you include the private key in the .cer file? I experienced similar problems on an iPad with the private key included in the certificate file.
Regards,
Christoph
Hi Christoph,
I have exported the key in DER format and tried with PEM format as well.
Also, the .pfx file is an installable format in Android; this includes the private key etc.
I can see the installed certificates in "Trusted Certificate" on the device.
Is there any other way to export the certificate? I might be doing it the wrong way.
Regards,
Tahir
Hi Tahir,
Try to remove all custom certificates from the device. Export only the certificate (without the private key!) from the pfx file in DER or PEM format. Install this certificate on the device.
For certificate format conversion you could use OpenSSL.
This way works for me.
Regards,
Christoph
Christoph,
Did you get this working?
For me I simply took my .cer file that I generated and loaded to my Android device. This is the same .cer file that I converted to a .pfx for use on the Agentry server.
My biggest problem was getting my Android device (Galaxy S4) to accept the certificate. Many times it would say that it installed the certificate but when I looked at Security -> Trusted Credentials -> User it would not show up. Once I successfully got the cer file to load and show there I was able to connect fine.
--Bill
Hi Bill,
How did you manage to install the certificate on your Samsung device? I have a 7" Galaxy Tab 3, and I tried to install the certificate more than 10 times and it never appears in the User trusted credentials list.
If I try to connect to the Agentry Server I get the same error as the OP...
*If I install the same certificate on my Windows laptop, the ATE is able to synchronize.
I also had that issue and the same experience. Everything indicated it was loading the certificate but it never showed in the User Trusted list, and it was due to the way I created the certificate. I had to make some changes to how I was generating the certificate so that Android would accept it. iOS and Windows both loaded all my certs fine; it was just Android that was particular with it.
I'm sure your next question will be what did I change.
You'll have to forgive me as I have my key gen set up as a somewhat automated process, so I made the changes and just run it now. I believe that what I had to do was modify my config when issuing the certificate to remove the keyUsage and extendedKeyUsage extension options from my conf file used during the process.
Hopefully this may help!
--Bill
Here is my openssl command to issue the certificate from my batch file. The %configname% is simply the reference to my starting config that I use in the naming of the certificates.
openssl ca -batch -config ./myca2a.conf -notext -in ./%configname%.csr -out ./%configname%.cer
After this finishes I take the .cer file, upload it to my Android device and install it from Security settings.
The myca2a.conf file contains the following:
[ ca ]
default_ca = myca
[ crl_ext ]
# issuerAltName=issuer:copy #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always
[ myca ]
new_certs_dir = C:/agentry/certs/tmp
unique_subject = no
certificate = C:/agentry/certs/root.cer
database = C:/agentry/certs/certindex
private_key = C:/agentry/certs/keyfile.pem
serial = C:/agentry/certs/serialfile
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
--Bill
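An added example, not part of any post in this thread: a shell pre-flight check that applies the findings reported above (basicConstraints CA:true from Søren's and Bill's posts, Bill's removal of keyUsage/extendedKeyUsage, Christoph's certificate-only export) to a PEM or DER file before it is loaded onto a device. The function names, the `agentry.example.test` subject and the generated test certificates are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Print a certificate as text, accepting PEM or DER input.
cert_text() {
    openssl x509 -inform PEM -in "$1" -noout -text 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null
}

# Return 0 if the file matches what the posters reported Android accepting.
android_cert_check() {
    chk_rc=0
    chk_txt=$(cert_text "$1") || { echo "FAIL: not a PEM/DER X.509 certificate"; return 1; }
    if grep -q "PRIVATE KEY" "$1"; then
        echo "FAIL: file also contains a private key"; chk_rc=1
    fi
    if ! printf '%s\n' "$chk_txt" | grep -q "CA:TRUE"; then
        echo "FAIL: basicConstraints CA:TRUE not set"; chk_rc=1
    fi
    if printf '%s\n' "$chk_txt" | grep -Eq "X509v3 (Extended )?Key Usage"; then
        echo "WARN: keyUsage/extendedKeyUsage present (Bill removed these)"
    fi
    [ "$chk_rc" -eq 0 ] && echo "OK: $1"
    return "$chk_rc"
}

# Build a constructed self-signed DER certificate for exercising the check.
# $1 = output file, remaining args = lines for the extensions section.
make_test_cert() {
    mk_out=$1; shift
    mk_dir=$(mktemp -d) || return 1
    printf '%s\n' "[req]" "distinguished_name=dn" "prompt=no" \
        "x509_extensions=ext" "[dn]" "CN=agentry.example.test" \
        "[ext]" "subjectKeyIdentifier=hash" "$@" > "$mk_dir/c.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$mk_dir/c.cnf" \
        -keyout "$mk_dir/key.pem" -out "$mk_dir/cert.pem" 2>/dev/null &&
        openssl x509 -inform PEM -outform DER -in "$mk_dir/cert.pem" -out "$mk_out"
    mk_rc=$?; rm -rf "$mk_dir"; return "$mk_rc"
}

# Demo on constructed certificates: one CA:true, one CA:false with keyUsage.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/ca.der" "basicConstraints=CA:true"
android_cert_check "$demo_dir/ca.der"
make_test_cert "$demo_dir/leaf.der" "basicConstraints=CA:false" "keyUsage=digitalSignature"
android_cert_check "$demo_dir/leaf.der" || true
rm -rf "$demo_dir"
```

The keyUsage finding is reported as a warning rather than a failure because Bill describes that change as what he believes he did, not as a confirmed requirement.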