Question

IFS10 TouchApps Account Manager - could not establish secured connection error


Badge +2

Hello,

We are trying to test IFS10 Mobile Applications on the IFS-TEST environment.

I have installed TouchApps Server according to the documents. I can access the customer portal screen from a laptop without any certificate problem.

I installed the same certificates on an Android phone, along with the root CA certificate, but IFS10 Account Manager gives this error:

“Could not establish a secured connection with the Identity Provider”

I tried to access the TouchApps server from the phone's browser. It shows a NET:ERR_CERT_AUTHORITY_INVALID error, but I can ignore it.

I am stuck at this point of the installation.

Do you have any suggestions?

 

 


9 replies

Userlevel 7
Badge +21

hi @ErkanTR ,

Are you using a certificate issued by an Enterprise Root CA like DigiCert/Symantec or a certificate issued by your domain CA? You would need an Enterprise CA certificate for mobile access, as a mobile OS such as Android will not trust a Domain CA certificate natively.

If this is for basic testing, you can use the Windows Mobile client to get started. Windows Mobile client will trust the certificate based on the trust settings in the Laptop.

cheers

Userlevel 5
Badge +12

@ErkanTR additionally I suggest that you use https://ssllabs.com/ssltest/analyze.html or a similar tool against both your TAS and your MWS instance (since MWS hosts the IFS Database Identity Provider) to ensure the certificate trust chains are complete as Sajith pointed out.

Best regards,

Rukmal

Badge +2

Hi @Sajith D ,

I issued the certificate from the Domain root CA. It seems the Android phone is not validating this CA certificate, as you said.

I tried the Windows mobile app of NotifyMe 5 minutes ago. I created an event for purchase_requisition_tab with a flow message. It came to the IFS EE bottom-left messages and to the NotifyMe Windows mobile app. It seems to be working. I am happy to see that.

But I should run the Android TouchApps. If I cannot find any solution, I will buy a certificate from global authorities as you said.

Thank you for your suggestions.

 

Badge +2

Hi @Rukmal Fernando ,

I installed a local TAS. MWS and TAS are not opened to the internet directly. Because of that, I am not able to analyze SSL with online tools. But I checked that MWS has the TAS certificate in its trusted root certificates and the TAS server has the MWS certificate in its trusted root certificates. In this situation they should be able to establish a secure channel with each other over HTTPS.

I am continuing to research a solution.

Thanks for your suggestion.

Kind Regards.

Userlevel 5
Badge +12

@ErkanTR since you can access the TAS portal, your TAS and MWS can certainly talk to each other. The problem is that when the app tries to connect, it first connects to the TAS, and then gets redirected to the MWS for authentication (assuming you use the Database Identity Provider) so it’s likely one of these two failing. Therefore you need to make sure that the SSL certificates being presented by the TAS and MWS have a full trust chain. I hope this gives you a way forward.

If TAS and MWS aren’t externally accessible, you can also use a tool like https://github.com/rbsec/sslscan/releases to check the SSL setup on the TAS and MWS.

Best regards,

Rukmal

Badge +2

Hi @Rukmal Fernando, I sent you the sslscan results by PM.

In the IFS documentation there is a paragraph like the one below. I should install the IFS-TEST server (MWS) certificate on the Android phone. I tried it, but Android gives this error:

“Failed to load certificate private key required”

Userlevel 5
Badge +12

@ErkanTR I replied to you but missed this. This is the gist of the issue as I see it - I believe you use the Database Identity Provider, in which case the mobile apps need to reach the MWS. If so, the MWS certificate needs to be issued either by a well-known CA or the entire certificate trust chain for a self-signed certificate must be trusted on each Android device. My reply did touch on these two, so please also see https://docs.ifs.com/techdocs/foundation1/010_overview/210_security/090_exposing_to_internet/default.htm#Special_considerations_for_Touch_Apps

Best regards,

Rukmal

Badge +2

Hi,

If we can add an extension like the one below, maybe the Android device can accept the MWS certificate.

basicConstraints=CA:true

https://android.stackexchange.com/questions/237141/how-to-get-android-11-to-trust-a-user-root-ca-without-a-private-key

In this situation there are two ways:

1 - If it is possible, we should modify the already created MWS certificate.

2 - Create a new certificate with the CA extension for MWS.

The last way, as you said, is buying a new certificate from a global authority.
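
An added example, not part of the thread or of IFS documentation: a shell script that builds a constructed lab root CA and server certificate with openssl, then checks the two properties discussed above, namely which certificate carries `basicConstraints` CA:TRUE and whether the server certificate verifies against the root a device would be asked to trust. The subject names, `mws.lab.example` and all file names are placeholders.

```shell
#!/bin/sh
# Constructed lab PKI; nothing here is taken from the TAS/MWS servers in the thread.
WORK=$(mktemp -d)

# Create a root CA (CA:TRUE) and a server certificate issued by it (CA:FALSE).
make_lab_pki() (
  cd "$WORK" || exit 1
  exec 2>/dev/null   # hide openssl key-generation progress output
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mws.lab.example\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -keyout ca.key -subj "/CN=Lab Root CA" -out ca.csr &&
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext -out ca.pem &&
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -subj "/CN=mws.lab.example" -out leaf.csr &&
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem
)

# is_ca CERT: succeeds only if the certificate's Basic Constraints say CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok TRUSTED_ROOT CERT: succeeds only if CERT verifies against TRUSTED_ROOT.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_lab_pki || { echo "openssl failed to build the lab PKI" >&2; exit 1; }
for c in ca leaf; do
  if is_ca "$WORK/$c.pem"; then
    echo "$c.pem: CA:TRUE (a CA certificate)"
  else
    echo "$c.pem: not a CA (a server certificate)"
  fi
done
if chain_ok "$WORK/ca.pem" "$WORK/leaf.pem"; then
  echo "leaf.pem verifies when the lab root is trusted"
fi
if ! chain_ok "$WORK/leaf.pem" "$WORK/leaf.pem"; then
  echo "leaf.pem does not verify when only the leaf itself is supplied as trust anchor"
fi
```

Run against real files, `is_ca` and `chain_ok` take the exported root and server certificates in PEM form in place of the lab ones.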

 

Userlevel 5
Badge +12

@ErkanTR your last comment is outside of my area of expertise, so I’m afraid I can’t comment.

What I can reiterate is that the Android device needs to trust the entire certificate of the TAS and MWS SSL certificates, starting from the root CA of the certificate issuer.

Best regards,

Rukmal
