SAP BusinessObjects Mobile 5.1: Ensure That The Mobile Server is Trusted
If you are using HTTPS to connect to your SAP BusinessObjects Mobile server, the SAP BI mobile application allows connections to only trusted servers. For the application to establish successful connections to a server, it is essential that:
Your server is trusted. This includes the following aspects:
- The server certificate must have been obtained from a Certificate Authority (CA)
o The CAs of your server certificates are trusted by iOS (such as Verisign, Thawte and others listed at http://support.apple.com/kb/ht5012 )
o Alternatively, the root certificate of your server is installed on the client device (iPhone or iPad) as a profile, so that when the connection to server is added in the application, the device can verify the server certificate.
If the above conditions are not met, and users tries to add a connection to the server, they encounter an error like this:
Connection to the server could not be established (MOB06031)
(HTTP-1202) Details: The certificate for this server is invalid. You might be connecting to a server that is pretending to be <server1.servers.xxcompany.com> which you could put your confidential information at risk.
If you are not using a root certificate that is preinstalled on user’s device (such as a root certificate created by your company), you can distribute it using one of the following ways:
- Using the Mobile Device Management tools
- Sending as an email attachment
- By hosting the root certificate on a server and sharing the link
For example, to retrieve the root certificate of a trusted server and to share it with other users, you can follow the below procedure:
- Open your browser Settings, and open the Certificates (depending on your browser, the Manage Certificates or Certificates option may appear in one of the tabs).
- In the Certificates window, access the Trusted Root Certification Authorities tab as shown in the figure below.
3. Select the trusted root certificate corresponding to your server, and choose Export. The Certificate Export wizard appears.
4. Follow the prompts to export the certificates
The certificate is saved on your machine. Attach the certificate in an email and send it to the required recipients. Alternatively, host the root certificate on a server and send the URL to the users.
When users receive the certificate on their iOS device, they get the Install option on tapping the file or the URL. Once installed, the certificate appears on the device as a profile, and users can confirm its installation using the following on their iPhone or iPad:
Settings->General->Profiles
Note:
Temporarily, the SAP BusinessObjects Mobile application provides you with an option to bypass the verification of server certificate. However, this option should be used only in exceptional situations. We recommend you to install all the root certificates required for your servers on the device. Alternatively, get your current servers signed by a CA trusted by iOS. (For the list of Certificate Authorities trusted by iOS, refer to-> http://support.apple.com/kb/ht5012).
This temporary option will be removed from the application any time during the next release of the application.
To bypass the verification of server certificate and to establish connections to an uncertified server through the application, access Application Settings -> Additional Settings-> Security Exceptions, and add the names or the IP addresses (of the servers that you want to be ignored for verification) to the IGNORE SERVER TRUST CERTIFICATE field.
Hi Will you release an official SAP Note like 1846098 - MOB 06031 (HTTP 200) error while refreshing a Webi report on SAP BI app for iOS ? Adi
Hi Adi,
We already have an official SAP Note for this
SAP Note 1962026 - ENSURING THAT YOUR MOBILE SERVER IS TRUSTED
REgards
Srikanth
Hi Srikanth The Note is not yet released to the public. Please send the draft directly to my email address. Thank you, Adi
Content in is live now.
TROUBLESHOOTING TIPS
--------------------------------------
If you think you have installed the certificates correctly, and yet you get the "The certificate for this server is invalid" error in Mobi, here are some basic things that you can verify:
Once you have verified the basics listed above, you could also perform a small test on your IOS device which will help you confirm if the certificate has been installed correctly:
1. Install Google Chrome from Apple App Store on the your IOS device.
a. If Chrome is already installed, please do the following to clear previously stored exceptions:
b. Launch Chrome > Right-most button on the top bar > Settings > Privacy > Clear All
2. Navigate to the URL specified in the Mobi App using Google Chrome (https://mobi_server.xyz.com)
3. If you have not installed the certificates correctly; or if you have not installed the right certificates, you would see certificate related screen in Chrome.
4. If you see an issue, do not proceed further in Chrome. Try to fix the certificate related issue and try in Chrome again until you do not see any errors.
(If you accept to by-pass the certificate check in Chrome, ensure that use the step 1(B) above to clear the exceptions)
After you have fixed the certificate issues, relaunch MoBI and reconnect. All should work fine.
The test you specify in step 2 is not quite enough. Many environments have their mobile web app hosted behind a reverse proxy, and they normally do not have / exposed. Each web app has a specific rule, so the request being sent to https://webserver/ fails. In mobile, when you specify the url for the connection, only the protocol, host and port need to be specified because the app itself appends the MobileBIService portion of the url in the background.
A better test that should work for all scenarios would be to go to this url instead:
https://server:port/MobileBIService/MessageHandlerServlet?message=test
I use this instead of the usual message=GetVersion because that responds with xml which appears as a blank page in chrome and safari on the ipad. Going to this invalid message url will result in an error but it is a web app generated error which at least produces text on screen.
(Side request: Mobile team, give us a simple url, short, that can be used to valid the mobile web app. something like http://server:port/MobileBIService/test which should respond with a simple message like "Success", even a simple little html page would be sufficient, test.html.)