I am struggling trying to get HTTPS working on MobiLink 17 with an Android UltraLiteJ client.

I've tried the following steps (and many variations as well), but when the android client tries a sync, MobiLink returns the message

MobiLink communication error -- code: 8, parameter: 0, system code: 0

and the log shows

(,) [-10117] Stream Error: The TLS handshake failed, error code 0x140890c7

Step 1: on the server, create a root certificate
C:\CentralSSL>"C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
SQL Anywhere X.509 Certificate Generator Version 17.0.0.1211
Warning: The certificate will not be compatible with older versions of the software including version 12.0.1 prior to build 3994 and version 16.0 prior to build 1691. Use the -3des switch if you require compatibility.
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: ON
Locality: Waterloo
Organization: UofW
Organizational Unit: CSG
Common Name: CSG
Enter file path of signer's certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: ced14bb1dbcd43c3a7a07766f4022181
Certificate valid for how many years (1-100): 5
Certificate Authority (Y/N) [N]: Y
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [6,7]: 6,7
Enter file path to save certificate: root-cert.pem
Enter file path to save private key: root-key.pem
Enter password to protect private key: pswd
Enter file path to save identity: root-id.pem
C:\CentralSSL>

Step 2: on the server, create a server certificate and sign it with the root certificate
C:\CentralSSL>"C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
SQL Anywhere X.509 Certificate Generator Version 17.0.0.1211
Warning: The certificate will not be compatible with older versions of the software including version 12.0.1 prior to build 3994 and version 16.0 prior to build 1691. Use the -3des switch if you require compatibility.
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: ON
Locality: Waterloo
Organization: UofW
Organizational Unit: CSG
Common Name: CSG
Enter file path of signer's certificate: root-cert.pem
Enter file path of signer's private key: root-key.pem
Enter password for signer's private key: pswd
Serial number [generate GUID]:
Generated serial number: 63e9f82cd12543049743fe787cbde690
Certificate valid for how many years (1-100): 5
Certificate Authority (Y/N) [N]:
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [1,3,4,5]:
Enter file path to save certificate: server-cert.pem
Enter file path to save private key: server-key.pem
Enter password to protect private key: pswd
Enter file path to save identity: server-id.pem
C:\CentralSSL>

Step 3: on the server, set the https MobiLink startup parameter
-x HTTPS(host=172.254.35.101;port=444;identity=C:\CentralSSL\server-id.pem;identity_password=pswd;trusted_certificates=C:\CentralSSL\root-cert.pem;log_bad_request=yes)

And restart MobiLink.

Step 4: copy the trusted-certificate to the Android app and add the following to the sync
StreamHTTPSParms streamParms = (StreamHTTPSParms) syncParms.getStreamParms();
streamParms.setHost( mHost );
streamParms.setPort( mPort );
File file = new File("/path/to/root-cert.pem");
streamParms.setTrustedCertificates( file.getAbsolutePath() );

Step 5: execute sync code in android app

When the sync code in the android app is executed, MobiLink returns the following error

MobiLink communication error -- code: 8, parameter: 0, system code: 0

Looking at the MobiLink log, I see

(,) [-10117] Stream Error: The TLS handshake failed, error code 0x140890c7

I should note that I'm fairly sure this error has something to do with how I'm creating or handling the certificates since, if I change the app to sync using http instead, it all works fine.

If anyone has any advice as to what I could try next, I would greatly appreciate the help. At this point, I'm stumped!

I sure could use a step-by-step tutorial somewhere that shows how to do this :-)

asked 07 Jun, 16:01

Terry Wilkinson

Wild guess: Does this FAQ help?

For Web client procedures, the client must have access to the root certificate that signed the server certificate, see that FAQ - I guess this also holds for a ML client... - but re-reading your question, you already seem to do so...

(07 Jun, 16:43) Volker Barth

I thought that was what I did. In step 1, I created a 'root' certificate, in step 2 I created a 'server' certificate and signed it with the 'root' certificate, and then in step 4 I provided the 'root' certificate to the MobiLink sync API in the Android app. I saw the answer at https://sqlanywhere-forum.sap.com/questions/32921/certificate-creation-for-https, and even tried adding the additional 'streamParams' calls mentioned there (with my own values), but it made no difference in my case.

(07 Jun, 16:58) Terry Wilkinson

OK, then I have no further clue...

(07 Jun, 17:03) Volker Barth

Thanks for trying. :-)

(07 Jun, 18:02) Terry Wilkinson

Self-signed certificates may require skip_certificate_name_check=1. We are currently investigating an issue where 17.0.10 (which is using SAP CCL for encryption) cannot have the same Common Name. To supply skip_certificate_name_check=1, use setExtraParameters().

I.e., streamParms.setExtraParameters("skip_certificate_name_check=1" )

Supplying the common name via streamParms.setCertificateName( "CSG" ) may also be sufficient.

(07 Jun, 22:01) Chris Keating

I just tried

streamParms.setExtraParameters( "skip_certificate_name_check=1" );

and

streamParms.setCertificateName( "CSG" );

and still get the error

UltraLiteJ Error[-1305]: MobiLink communication error -- code: 8, parameter: 0, system code: 0

(08 Jun, 00:05) Terry Wilkinson

Are you using 17.0.0.1211 for your tests or just for the cert creation? Because that is a very old v17 build, and there are some fixes to ML streams according to the readmes...

(08 Jun, 05:21) Volker Barth

Yes to both - upgrading to a newer version is probably the next step - thanks.

(11 Jun, 10:30) Terry Wilkinson
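
Added example, not part of the original thread: a small decoder for the error code 0x140890c7 in the MobiLink log line quoted in the question. It assumes the build in use (17.0.0.1211) reports OpenSSL 1.0.x-style packed error codes; the name tables are a partial copy of the constants in OpenSSL 1.0.x's ssl.h, and the second sample log line is constructed.

```python
import re

# Assumption: the code is an OpenSSL 1.0.x packed error:
# 8-bit library | 12-bit function | 12-bit reason.
LIBS = {0x14: "SSL routines"}
FUNCS = {137: "SSL3_GET_CLIENT_CERTIFICATE", 143: "SSL3_GET_RECORD",
         144: "SSL3_GET_SERVER_CERTIFICATE", 148: "SSL3_READ_BYTES"}
REASONS = {134: "certificate verify failed",
           199: "peer did not return a certificate",
           267: "wrong version number"}
# Reasons >= 1000 mean the peer sent a TLS alert; reason - 1000 is the alert number.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version"}

LOG_RE = re.compile(r"TLS handshake failed, error code 0x([0-9a-fA-F]{1,8})")


def decode(code):
    """Split a packed error code into library, function and reason names."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    if reason >= 1000:
        alert = reason - 1000
        text = "alert received from peer: " + ALERTS.get(alert, f"alert {alert}")
    else:
        text = REASONS.get(reason, f"reason {reason}")
    return {"lib": LIBS.get(lib, f"lib {lib}"),
            "func": FUNCS.get(func, f"func {func}"),
            "reason": text,
            "peer_alert": reason >= 1000}


def decode_log_line(line):
    """Return the decoded error for a MobiLink stream-error line, or None."""
    m = LOG_RE.search(line)
    return decode(int(m.group(1), 16)) if m else None


# First line: the log entry quoted in the question. Second line: constructed.
SAMPLE_LOG = [
    "(,) [-10117] Stream Error: The TLS handshake failed, error code 0x140890c7",
    "(,) [-10117] Stream Error: The TLS handshake failed, error code 0x14094418",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.rsplit(" ", 1)[-1], decode_log_line(line))
```

Under that assumption the logged code names the server-side step that reads a client certificate, with the reason "peer did not return a certificate". The thing to check is whether the server is requesting a client certificate while the Step 4 client code sets no identity; whether the server-side trusted_certificates option in Step 3 is what triggers that request is an assumption to confirm against the MobiLink documentation.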

question asked: 07 Jun, 16:01

question was seen: 157 times

last updated: 11 Jun, 10:30