I am struggling trying to get HTTPS working on MobiLink 17 with an Android UltraLiteJ client.
I've tried the following steps (and many variations as well), but when the Android client tries a sync, MobiLink returns the message
MobiLink communication error -- code: 8, parameter: 0, system code: 0
and the log shows
(,) [-10117] Stream Error: The TLS handshake failed, error code 0x140890c7
Step 1: on the server, create a root certificate
C:\CentralSSL>"C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
SQL Anywhere X.509 Certificate Generator Version 17.0.0.1211
Warning: The certificate will not be compatible with older versions
of the software including version 12.0.1 prior to build 3994 and version 16.0
prior to build 1691. Use the -3des switch if you require compatibility.
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: ON
Locality: Waterloo
Organization: UofW
Organizational Unit: CSG
Common Name: CSG
Enter file path of signer's certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: ced14bb1dbcd43c3a7a07766f4022181
Certificate valid for how many years (1-100): 5
Certificate Authority (Y/N) [N]: Y
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [6,7]: 6,7
Enter file path to save certificate: root-cert.pem
Enter file path to save private key: root-key.pem
Enter password to protect private key: pswd
Enter file path to save identity: root-id.pem
C:\CentralSSL>
Step 2: on the server, create a server certificate and sign it with the root certificate
C:\CentralSSL>"C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
SQL Anywhere X.509 Certificate Generator Version 17.0.0.1211
Warning: The certificate will not be compatible with older versions
of the software including version 12.0.1 prior to build 3994 and version 16.0
prior to build 1691. Use the -3des switch if you require compatibility.
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: ON
Locality: Waterloo
Organization: UofW
Organizational Unit: CSG
Common Name: CSG
Enter file path of signer's certificate: root-cert.pem
Enter file path of signer's private key: root-key.pem
Enter password for signer's private key: pswd
Serial number [generate GUID]:
Generated serial number: 63e9f82cd12543049743fe787cbde690
Certificate valid for how many years (1-100): 5
Certificate Authority (Y/N) [N]:
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [1,3,4,5]:
Enter file path to save certificate: server-cert.pem
Enter file path to save private key: server-key.pem
Enter password to protect private key: pswd
Enter file path to save identity: server-id.pem
C:\CentralSSL>
Step 3: on the server, set the https MobiLink startup parameter
-x HTTPS(host=172.254.35.101;port=444;identity=C:\CentralSSL\server-id.pem;identity_password=pswd;trusted_certificates=C:\CentralSSL\root-cert.pem;log_bad_request=yes)
And restart MobiLink.
Step 4: copy the trusted-certificate to the Android app and add the following to the sync
StreamHTTPSParms streamParms = (StreamHTTPSParms) syncParms.getStreamParms();
streamParms.setHost( mHost );
streamParms.setPort( mPort );
File file = new File("/path/to/root-cert.pem");
streamParms.setTrustedCertificates( file.getAbsolutePath() );
Step 5: execute sync code in Android app
When the sync code in the Android app is executed, MobiLink returns the following error
MobiLink communication error -- code: 8, parameter: 0, system code: 0
Looking at the MobiLink log, I see
(,) [-10117] Stream Error: The TLS handshake failed, error code 0x140890c7
I should note that I'm fairly sure this error has something to do with how I'm creating or handling the certificates since, if I change the app to sync using http instead, it all works fine.
If anyone has any advice as to what I could try next, I would greatly appreciate the help. At this point, I'm stumped!
I sure could use a step-by-step tutorial somewhere that shows how to do this :-)
asked
07 Jun '19, 16:01
Terry Wilkinson
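Added example, not part of the original post and not SQL Anywhere code: a decoder for the `error code 0x140890c7` value in the MobiLink log line quoted in the question. It assumes the value is an OpenSSL 1.0.x packed error (library, function, reason), which the page does not confirm; the name tables are partial and hold only a few entries from the OpenSSL 1.0.x headers.

```python
import re

# Assumption: the MobiLink log value is an OpenSSL 1.0.x packed error,
# ERR_PACK(lib, func, reason): bits 31-24 library, 23-12 function, 11-0 reason.
LIBS = {20: "SSL routines"}  # ERR_LIB_SSL
FUNCS = {  # partial, from OpenSSL 1.0.x ssl.h
    137: "SSL3_GET_CLIENT_CERTIFICATE",  # server reading the client's certificate
    144: "SSL3_GET_SERVER_CERTIFICATE",  # client reading the server's certificate
}
REASONS = {  # partial, from OpenSSL 1.0.x ssl.h
    134: "certificate verify failed",
    178: "no certificate returned",
    199: "peer did not return a certificate",
}
LOG_RE = re.compile(r"\[(-?\d+)\].*?error code (0x[0-9a-fA-F]+)")


def decode_openssl_error(code):
    """Split a packed error value into its three fields and name them."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": LIBS.get(lib, f"lib({lib})"),
        "func_name": FUNCS.get(func, f"func({func})"),
        "reason_text": REASONS.get(reason, f"reason({reason})"),
    }


def decode_log_line(line):
    """Return decoded fields for a MobiLink stream-error line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    info = decode_openssl_error(int(m.group(2), 16))
    info["mobilink_error"] = int(m.group(1))
    return info


def format_error(info):
    """Render in the style of OpenSSL's own error strings."""
    return "error:{code:08X}:{lib_name}:{func_name}:{reason_text}".format(**info)


if __name__ == "__main__":
    # Log line as quoted in the question.
    line = "(,) [-10117] Stream Error: The TLS handshake failed, error code 0x140890c7"
    print(format_error(decode_log_line(line)))
```

Under that assumption, the handshake fails while the server is reading a client certificate, so the server-side certificate options in step 3 are worth checking before the client's trust file.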
Wild guess: Does this FAQ help?
For Web client procedures, the client must have access to the root certificate that signed the server certificate, see that FAQ - I guess this also holds for a ML client... - but re-reading your question, you already seem to do so...
I thought that was what I did. In step 1, I created a 'root' certificate, in step 2 I created a 'server' certificate and signed it with the 'root' certificate, and then in step 4 I provided the 'root' certificate to the MobiLink sync API in the Android app. I saw the answer at https://sqlanywhere-forum.sap.com/questions/32921/certificate-creation-for-https, and even tried adding the additional 'streamParams' calls mentioned there (with my own values), but it made no difference in my case.
OK, then I have no further clue...
Thanks for trying. :-)
Self signed certificates may require skip_certificate_name_check=1. We are currently investigating an issue where 17.0.10 (which is using SAP CCL for encryption) cannot have the same Common Name. To supply skip_certificate_name_check=1, use setExtraParameters().
I.e., streamParms.setExtraParameters( "skip_certificate_name_check=1" );
Supplying the common name via streamParms.setCertificateName( "CSG" ) may also be sufficient.
I just tried
streamParms.setExtraParameters( "skip_certificate_name_check=1" );
and
streamParms.setCertificateName( "CSG" );
and still get the error
UltraLiteJ Error[-1305]: MobiLink communication error -- code: 8, parameter: 0, system code: 0
Are you using 17.0.0.1211 for your tests or just for the cert creation? Because that is a very old v17 build, and there are some fixes to ML streams according to the readmes...
Yes to both - upgrading to a newer version is probably the next step - thanks.