Question

I am using WSO2's Enterprise Mobility Manager to try and connect a device to it.

I have followed all the instructions on WSO2's documentation. Here is what I have done:

  • I followed the client's instructions:

This includes creating a .bks file from the certificates I created in the iOS Server Configurations. I completed steps 2, 3, 4, 5, 6, 7 and 11.

I then followed the instructions from git to use the ca_cert.pem and ca.p12 to create a .bks file which I renamed to emm_truststore.bks and added to my project as per instructions.

The client still has 159 warnings and 0 errors... Do these need resolving, as I have exported the project as is? Most of the warnings indicate methods which aren't used or are deprecated.

  • I set up the database as instructed and everything works.
  • Upon launching the server, it throws:

ERROR - LifeCycleException while starting tomcat connector Caused by: org.apcahe.catalina.LifeCycleException: Service.getName(): "Catalina"; Protocol handler start failed ERROR - Error in initializing thrift transport ERROR - Failed to initialize Entitlement Service

And the MDM does not work.

However, when I go back and undo step 7 in the client setup, and place the original client-truststore.jks, wso2carbon.jks and wso2mobilemdm.jks files in the security folder, the server starts without any hiccups.

  • I can access the MDM interface, create Roles and Policies, and send an email to my device.
  • On my device, I can access the server, download and install the apk.
  • The problem then comes in that the app and the server won't communicate: "Authentication failed due to connection failure do you want to try again?"

So I did some digging, and the possible problem is one of the following:

  1. There is a connection problem.
  2. There is a certificate mismatch.

1) With regards to the connection, this is my setup: I am running the server on my laptop (localhost), which is connected to our company network via wifi. I then connect my device on the same network. In order to reach the 'server' running on my laptop, I make use of my laptop's IP (hence I was able to download the apk). The device has also been cleared through our proxies. Is any of this a possible cause of the problem?

2) With regards to the certificates, I followed the instructions zealously. However, one thing that still bothers me is that when I export my project, Eclipse asks for a 'keystore', which I then create anew. Does this affect the app, or is the problem somewhere else?


Solution

Turns out my problem lay with my certificates. Here is how I solved my problem:

  1. I copied the client-truststore.jks and wso2carbon.jks into a folder.
  2. In the folder I created a batch file with the code below and executed it. *In order for this code to work you need to place the BouncyCastle jar (bcprov-ext-jdk15on-1.46.jar) in your C:\ root and also copy it to the jre/ext folder under Program Files. Also make sure you have SSL installed and set in your environment variables, along with Java's keytool.
  3. When executing the batch file make sure you set the passwords correctly: the CA set to 'cacert', RA set to 'racert' and IA set to 'iacert'. When you reach the KEYSTORE.p12, ca.p12 and ra.p12 exports, set their passwords to 'wso2carbon', 'cacert' and 'racert' respectively. *Remember to use your server IP when setting the Common Name of the certificates. *Also, when prompted to override the wso2carbon aliases in the client-truststore.jks and wso2carbon.jks, say yes.
  4. Next copy the client-truststore.jks, wso2carbon.jks and wso2mobilemdm.jks to your /repository/resources/security, replacing the old ones.
  5. Copy the generated emm_truststore.bks to your res/raw folder in your application and update the CommonUtilities.java to reflect the truststore password (which is 'wso2carbon' in this case, change it in the batch file if you like).
  6. Update your /repository/conf/mdm-conf.xml file just like the iOS server example at point 11.
  7. Lastly, when you export your application you can make use of the wso2mobilemdm.jks to sign your application.

All these passwords and aliases are used for simplicity and once the underlying concepts and workings are understood you can change them as long as all changes are reflected appropriately.

REM ---- Root CA: private key, CSR, self-signed certificate (1 year), plus PEM copies used below
openssl genrsa -out ca_private.key 4096
openssl req -new -key ca_private.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca
openssl rsa -in ca_private.key -text > ca_private.pem
openssl x509 -in ca.crt -out ca_cert.pem

REM ---- RA: private key and certificate signed by the CA (serial 02)
openssl genrsa -out ra_private.key 4096
openssl req -new -key ra_private.key -out ra.csr
openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key -set_serial 02 -out ra.crt -extensions v3_req
openssl rsa -in ra_private.key -text > ra_private.pem
openssl x509 -in ra.crt -out ra_cert.pem

REM ---- IA (the server's SSL certificate, 2 years): enter the server IP as the Common Name when prompted
openssl genrsa -out ia.key 4096
openssl req -new -key ia.key -out ia.csr
openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial 044324343 -out ia.crt

REM ---- PKCS#12 bundles; export passwords: wso2carbon, cacert and racert respectively
openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile ca_cert.pem -name "wso2carbon"
openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile ca_cert.pem -name "racert"

REM ---- Import the server certificate into the server keystore and truststore (answer yes to overwriting the wso2carbon alias)
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jks

REM ---- Import the CA and RA into the MDM keystore
keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks
keytool -importkeystore -srckeystore ra.p12 -srcstoretype PKCS12 -destkeystore wso2mobilemdm.jks

REM ---- Build the Android truststore (BKS) containing the CA certificate; needs the BouncyCastle provider on the classpath
set CLASSPATH=%CLASSPATH%;c:\bcprov-ext-jdk15on-1.46.jar
keytool -importcert -trustcacerts -keystore emm_truststore.bks -storetype bks -storepass wso2carbon -file ca_cert.pem -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ./

OTHER TIPS

Ok, I think from your description it seems you have issues when setting up the jks files in the first part. As in the docs, you have to create the SSL certificates. Also CA certificates. Then you need to ensure that the SSL certificates are signed by the CA. That way, when you embed the CA in the bks file, it will recognize the communication, since the underlying SSL channel runs with that CA-signed SSL certificate. I think what you have messed up in the first phase is the key import to wso2carbon.jks. Make sure you import it properly with the existing alias. If you change the alias there are more files you need to change. Make sure it's the same alias we have provided in the mdm-config.xml in the repository/conf folder. Also the same thing needs to be imported to the client truststore as well. If this is properly followed it will work. The entitlement issue relates to this certificate issue, where it cannot identify the valid SSL certificate.

From the compilation aspect I don't think it's an issue, but it's always better to install the latest Android SDK.

Regarding your second attempt, it's something to do with the certificate. wso2mobilemdm.jks ships with a pre-generated CA. The server will work with this. But in order to get it working with the client you need to take out that CA from the keystore file. For this you can use OpenSSL to fetch the CA and embed it in the bks file you generated. Another thing is you can use this same jks file and convert it using portecle. This way you can simply use the existing.

The easiest way to try out the setup is to have your Android agent app communicate over HTTP instead of HTTPS. This way it will work, but it is not recommended. This is just to test that the pack works perfectly. For that you can change the configuration entries in the Android agent app and it will work without any issue even though you don't have any entry in the bks.

Hope this helps. Let me know whether this works for you.
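The solution's batch script and the explanation above both turn on the same two requirements: the server (IA) certificate must be signed by the CA that ends up in emm_truststore.bks, and its name must match the address the agent actually connects to (the laptop IP, not localhost). The script below is an added example, not code from the question, the answers or WSO2; it builds a constructed CA and server certificate with openssl the way the solution does, plus a second unrelated CA standing in for the pre-generated CA that ships in wso2mobilemdm.jks, and then runs the two checks that reproduce the "Authentication failed due to connection failure" symptom offline. All file names, function names and the 192.0.2.x addresses are assumptions made for this example; it needs openssl 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or WSO2): build a constructed CA and
# server certificate, then check (1) that the server cert chains to the CA that
# goes into emm_truststore.bks and (2) that its name matches the IP the device uses.
# File names and the 192.0.2.x addresses are assumptions constructed for this example.

emm_make_constructed_pki() {          # $1 = work dir, $2 = server IP (laptop address)
    local dir="$1" ip="$2"
    mkdir -p "$dir"
    # Minimal req config so nothing is inherited from the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # The CA that is imported into the device truststore (ca_cert.pem in the solution).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/req.cnf" -extensions ca_ext -subj "/CN=Constructed EMM CA" \
        -keyout "$dir/ca_private.key" -out "$dir/ca_cert.pem" 2>/dev/null
    # An unrelated CA standing in for the pre-generated one shipped in wso2mobilemdm.jks.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/req.cnf" -extensions ca_ext -subj "/CN=Stale shipped CA" \
        -keyout "$dir/stale_ca.key" -out "$dir/stale_ca.pem" 2>/dev/null
    # Server (IA) certificate: CN and SAN carry the server IP, as step 3 of the solution says.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$ip" -keyout "$dir/ia.key" -out "$dir/ia.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$ip" \
        > "$dir/ia_ext.cnf"
    openssl x509 -req -in "$dir/ia.csr" -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_private.key" \
        -CAcreateserial -days 30 -extfile "$dir/ia_ext.cnf" -out "$dir/ia.crt" 2>/dev/null
}

# Check 1: the server cert must validate against exactly the CA held in the BKS truststore.
emm_check_chain() {                   # $1 = CA pem, $2 = server cert; returns 0 on success
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Check 2: the cert's name must match the address the agent connects to (laptop IP here).
emm_check_ip() {                      # $1 = server cert, $2 = IP the device uses; returns 0 on match
    if openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'; then
        return 0
    else
        return 1
    fi
}

# Stand-alone demo: the first and third checks pass, the second and fourth show the two
# failure modes discussed in the answers (wrong CA in the truststore, name/IP mismatch).
emm_demo() {
    local work
    work=$(mktemp -d)
    emm_make_constructed_pki "$work" 192.0.2.10
    emm_check_chain "$work/ca_cert.pem" "$work/ia.crt" && echo "chain OK: ia.crt is signed by the CA in the truststore"
    emm_check_chain "$work/stale_ca.pem" "$work/ia.crt" || echo "chain FAIL: truststore holds the shipped CA, not the one that signed ia.crt"
    emm_check_ip "$work/ia.crt" 192.0.2.10 && echo "name OK: certificate was issued for 192.0.2.10"
    emm_check_ip "$work/ia.crt" 192.0.2.99 || echo "name FAIL: device is using an address the certificate was not issued for"
    rm -rf "$work"
}

emm_demo
```

The same two commands the functions wrap, `openssl verify -CAfile ca_cert.pem ia.crt` and `openssl x509 -in ia.crt -noout -checkip <laptop IP>`, can be pointed at the real files the batch script produces before anything is imported into a keystore; a failure on the first is the situation described in the second answer (the device trusts the shipped CA rather than the one that signed the server certificate), and a failure on the second is the Common Name problem step 3 warns about. Whether the alias expected by mdm-config.xml is actually present in the server keystore can be confirmed with `keytool -list -v -keystore wso2carbon.jks`.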

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow