X509 Certificate Based Authentication in IBM Worklight 6.1

I have developed a project which should use X509 based authentication. I followed IBM Worklight getting started module for developing this project. The steps are,

  1. Create Root CA
  2. Create Signing CA
  3. Create Server Certificate
  4. Create certificate chain for the server certificate
  5. Export a PKCS12 file for the signing CA
  6. Export a PKCS12 file for the server certificate
  7. Configure IBM Websphere Liberty Profile for SSL

Then, I have given the login module, realm and security test details in authenticationConfig.xml file as in the module. After that I have created a challenge handler for the realm. I gave the security test for adapter procedure.

I have installed the Root CA in android emulator using ReamlB. Then I installed the project in Android Emulator. When trying to access the adapter procedure, it is showing the login form to enter the credentials. I entered the credentials as 'worklight', and entered login. But it shows the following error.
The logcat message is here.

Now, I have two doubts.

  1. Are there any default credentials to use, so that the certificate should accept that only?
  2. When I downloaded the sample project, that is provided with IBM Worklight Getting Started Module, it includes openssl.cnf file and user_certificate_setup.sh file. But in module nowhere a way to generate .sh file and to include that inside project.

What is the error I am facing, is there any clue!!!

Thanks in advance!!

Here are some possible situations that could be making it fail, but like I said in my comment, please post the logs to be able to figure out what is failing.

The two most likely situations are that either your device does not trust the server, or the certificates were not properly created (especially if you use an intermediate CA, it could be the certificate chain is not built in the correct order).

To rule out the first situation (the device does not trust the server), edit your authenticationConfig.xml to take the user certificate realm out of your security test. If the application can connect properly, then the device is actually trusting the server's certificate, but if it cannot connect, it means that you have not configured the device properly to trust the server. Make sure that when you go under Settings > Security > Trusted Credentials > User tab, you can see the certificate you created there. If you cannot see your certificate there, it means it has not been imported properly. This is typically because you did not import the right format for Android, which is a DER encoded certificate file with a .crt extension. If you have a .pem or .cer file, you can try to do the following in your Terminal (for Linux and Mac only; look at the OpenSSL documentation for a Windows equivalent):

    openssl x509 -inform PEM -outform DER -in CA.pem -out CA.crt

For more information and screenshots on how to do this, look here: http://www.jethrocarr.com/2012/01/04/custom-ca-certificates-and-android/ Also note that in this website, they pass the certificate using adb to push it from your computer to the device, but for testing purposes, you can email the certificate to yourself, or put it in a server that the device can download it from, and then open the attachment/download inside the device to install it. This is NOT a secure way to provision actual devices in a production environment, but for testing purposes it is usually easier to do it this way than pushing it via ADB.

If your device is properly trusting the server's certificate and you can connect without the user certificate realm, then this suggests that the problem is with the certificates being created by the signing CA, which usually happens when the certificate chain is not in the correct order.

This is general advice, but I would need to see the logs to be able to tell you what the exact problem is. Most of what I said here can be found in the User Certificate Authentication realm troubleshooting. And here is the rest of the User Certificate feature documentation for future reference.

Also, I am not sure I understand what you mean by "default credentials", as user certificate does not require specific credentials that you have to use; you can use a non validating user realm to "sign in" your user, if you want to test without having to enter valid credentials.

Sorry for not answering in a while; apparently this problem is related to app authenticity, and not directly related with user certificate authentication. If you are using app authenticity in your test, take it out, and it should work.
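
The chain-order problem mentioned in the answer can be checked mechanically. The script below is an added example, not part of the original answer or of IBM's sample project: it tests whether a PEM bundle follows the conventional leaf-first order, where each certificate is followed by its issuer. The function names and the throwaway demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# chain_in_order BUNDLE: succeeds when every certificate in the PEM bundle is
# immediately followed by the certificate of its issuer (server -> signing CA
# -> root CA). Compares names only; it does not verify signatures.
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/" n ".pem")}' "$1"
    i=1
    rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$tmp/$i.pem" | sed 's/^issuer= *//')
        next=$(openssl x509 -noout -subject -in "$tmp/$((i + 1)).pem" | sed 's/^subject= *//')
        if [ "$issuer" != "$next" ]; then
            echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next'" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# issue NAME CN PARENT: constructed demo certificate NAME.pem signed by PARENT.
# No CA extensions are set, because the order check reads names only.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# make_demo_chain DIR: constructed throwaway root, signing CA and server
# certificates in DIR (hypothetical names, for testing the check only).
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
          -keyout root.key -out root.pem 2>/dev/null &&
      issue signing "Demo Signing CA" root &&
      issue server "demo.example.test" signing )
}

# Usage: chain_in_order chain.pem && echo "chain order OK"
```

A mismatch is reported on stderr with the position of the out-of-place certificate, which is the file to move when rebuilding the bundle.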
