5 Replies Latest reply on Oct 19, 2012 7:21 PM by Joe Huang-Oracle

    SSL secured REST service with unverified signature

    Pascal B
Hello. For testing (and probably even for productive phases), we used our own certification department rather than using standards like VeriSign or others. This causes our webservice to be accessible via the browser without a security warning prompt, once our root certificate has been installed on the device.
      However, how does the RestServiceAdapter handle this security problem? When I try to perform the .send() method in this class with the newly added https://192....:443/... connection, it throws me an exception:

      javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entity

Any way to set it to ignore the certificate reliability? Otherwise we have to switch from internal certification to some standard company. Since this is an internal project though, we'd rather not. Or is there a way to inject the root CA into the Java VM used in the application? We've done a similar thing with our JRockit underneath our WLS, but then that wasn't a mobile app.

      Kind regards and thanks,
        • 1. Re: SSL secured REST service with unverified signature
          Pascal B
          Okay so adding a private root ca to the iPhone simulator isn't working in this case, I'll have to wait and see how it works with an actual device tomorrow at the office.
I know it's possible to easily add private certs to Android devices; I haven't checked that out on iPhones yet.
          I will post more once I checked this out!
          • 2. Re: SSL secured REST service with unverified signature
            Pascal B
            Hello again.
I deployed my application to my device with our private root certificate installed on it. It is just as I feared. The RestServiceAdapter.send() method throws a javax.microedition.pki.CertificateException error. It tells me the certificate was issued by an unrecognized entity.

I guess now my only two options are either finding a Java solution to set the adapter to ignore unrecognized signature entities or to somehow inject our root CA into the JVM used for the app.

            I guess Joe or Dennis, you can tell me more? It would be great to be able to disable certificate verification especially for developing purposes.
            • 3. Re: SSL secured REST service with unverified signature
              Pascal B
              Hey, me again.
I just checked out the temporary_xcode_project folder to find a cacerts file. There is one in /lib/security/. I added our root CA to this file and tried to time it right so that I would overwrite it during the deployment process, after ADF Mobile creates the new temp_xcode_project folder but before Xcode starts compiling the app. No luck yet; it's hard to see when to paste and overwrite the file.
              Is it possible to add a functionality to add trusted sites to the application? We'll check out if it is possible to intervene and use ANT to edit the cacerts file right after JDev created the temp Xcode project, but a framework-provided method would be awesome.

              • 4. Re: SSL secured REST service with unverified signature
                Pascal B
                Hello again.
                Just got the ADF Mobile Beta Refresh files this morning.
Too bad the Android version doesn't support Security; sadly it is of no use for us then. However, we got a wildcard SSL certificate from GeoTrust to certify our webservice.
                So our webservice is now 128-Bit-encoded using TLS 1.0 and AES_128_CBC with message authentication SHA1 and exchange DHE_RSA.
                Pretty much out of the book encoding.

Sadly, I still get a "Certificate was issued by an unrecognized entity" error thrown from the restServiceAdapter.send() method.
                Please verify whether this is a general problem, or if it has something to do with our set-up. Maybe an example app with SSL encoding could help us get this set up. The Dev-Guide doesn't have any https:// examples.

                • 5. Re: SSL secured REST service with unverified signature
                  Joe Huang-Oracle
                  Hi, Pascal, you would need to register the private certificate (and also certain public certificates) with the JavaVM. This was missing in the beta version of ADF Mobile developer guide, but it's in the GA version. It's the last topic in the Security chapter.

When creating the cert files, though, just be very careful with what you are entering. Any extra space or typo will cause the SSL connection to fail later on, and it's hard to diagnose.


                  Joe Huang
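Added example, not code from the thread or from Oracle: a POSIX shell script that reproduces the "unrecognized entity" situation with a throwaway private root CA, shows that the chain verifies once that root is trusted, and then registers the root in a Java keystore with keytool, which is the same step Joe describes for the cacerts file Pascal found under lib/security. It assumes openssl and keytool are on PATH; the CA name, hostname, alias and the `changeit` store password (the JDK default for cacerts) are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unrecognized entity"
# failure with a throwaway private root CA, show that the chain verifies once
# that root is trusted, then register the root in a Java keystore with keytool,
# the same step needed for the cacerts file under lib/security.
# Assumes openssl and keytool on PATH; every name and path below is constructed.
WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Example Internal Root CA"   # constructed in-house CA name
SRV_SUBJ="/CN=rest.internal.example"     # constructed REST endpoint name
ALIAS="internal-root"                    # constructed keystore alias
STOREPASS="${STOREPASS:-changeit}"       # JDK default password for cacerts
# Self-signed root CA plus a server certificate issued by it.
make_private_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -subj "$SRV_SUBJ" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/srv.pem" >/dev/null 2>&1
}
# Exit 0 when srv.pem chains to a trusted root. Without an argument only the
# system's default CAs are trusted: the view of a JavaVM lacking the private root.
verify_server_cert() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1
  else
    openssl verify "$WORK/srv.pem" >/dev/null 2>&1
  fi
}
# Register the root CA as a trusted entry in keystore $1 (for ADF Mobile, the
# generated lib/security/cacerts). -noprompt skips the "Trust this
# certificate?" question; a missing keystore file is created.
import_root_into_keystore() {
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/ca.pem" \
    -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}
# Exit 0 if the alias is present: the check to run after editing cacerts.
keystore_has_root() {
  keytool -list -alias "$ALIAS" -keystore "$1" -storepass "$STOREPASS" >/dev/null 2>&1
}
main() {
  make_private_chain || { echo "openssl failed"; return 1; }
  verify_server_cert && echo "unexpected: trusted without root" || echo "no root registered: unrecognized entity"
  verify_server_cert "$WORK/ca.pem" && echo "root trusted: chain verifies"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping keystore step"; return 0; }
  import_root_into_keystore "$WORK/cacerts" && keystore_has_root "$WORK/cacerts" &&
    echo "root registered as $ALIAS in $WORK/cacerts"
}
main
```

Remember that this edits a copy of the keystore; the real cacerts inside the generated Xcode project still has to be replaced before the app is compiled, and keystore_has_root is the quick check that the replacement actually took.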