Setting up SUP/Relay Server for HTTPS connections from REx
You should have high-level knowledge about HTTPS, certificates (CA, server certificates)
1. HTTPS when device connects to the SMP server via Relay server
Does not cover
1. E2EE for Mobilink communication
2. Site minder network edge scenarios
3. Setting up relay server connection from SUP
4. Setting up relay server
Please note this document covers HTTPS connection based on Server Authentication only. HTTPS connection based mutual authentication requires client X.509 certificates that is not available on iOS and not tested on Android.
There are two types of connection between device and SUP server. Mobilink communication and iMO connection (another term MCL).
iMO connection is used by messaging client for message based communication. It makes standard http call to server and it is capable to use “device certificate store”. For this connection, if you install the CA certificate for servers (relay/ SUP) in the device certificate store, the HTTPS connection can be successfully established.
Mobilink connection is used by the Replication based synchronization (RBS) and uses proprietary code to make connection and is not capable to use “device certificate store” in case of iOS. It is able to use “device certificate store” in case of windows mobile/ Android. For this, specifically for iOS, you must provide the CA certificate for the server (Relay or SMP as the case may be) in the SCC configuration, so this certificate is downloaded to the device during registration phase and is used by the client to make HTTPs connection.
We need to set up and test both the scenarios.
Please note that the configuration steps on SMP differs for 2.2.x version and 2.3.x versions. The difference arises because the 2.3.x SCC integrates the java based certificate store (called keystore) within SCC interface. And in case of 2.2.x you have to call java command line keystore utility to manage the certificates.
HTTPS connection via relay server
Assumption: You already set up the SUP server to connect via relay server.
1. Setting up Relay server based on IIS to use correct certificate. (Common for SMP 2.3.X and SMP 2.2.5)
1.1. Generate a certificate with private key for the IIS web server.
It can be done in various ways.
a. Preferred way to do this is via IIS manager on the relay server.
Create the Certificate request, you must put the fully qualified domain name (FQDN) of the relay server as CN of the request (for example: inlc50796246a.apj.global.corp.sap). This CN is validated against the server address provided in the application. At the end of this you will get a certificate request file. This has to be provided to the CA to generate the certificate response. (In this example we used REXCA as CA). The certificate response file from the CA has to be imported to the IIS using complete certificate request… menu. Provide a friendly name for this certificate.
b. (Lower priority) Another way to do this is to use windows certificate manager to create certificate request and get CA response and import it to generate certificate for the local computer with private key. The link to use is http://technet.microsoft.com/en-us/library/cc754490.aspx to open the certificate manager. You should expand to Certificates=>personal =>Certificates. Right click in the right side at empty space and choose all actions => request new certificate… to start the certificate wizard. Then similar to a) you get a certificate request file. You submit the certificate request file to the CA and get a certificate response file. This has to be imported to the windows certificate manager. After this you export the certificate as PFX format including the private key to a PFX file. The PFX file can be imported to IIS manager using Import… menu as shown in a).
1.2. Select this certificate for the https binding in IIS manager as shown in the picture below.
1.3. Verify if this is working by calling https://FQDN_OF_SERVER:https_port_as_given_in_step2/ias_relay_server/client/ias_client.dll/ in chrome and check for the certificate being shown. If the CA certificate is not trusted, please import the CA certificate to the CA store.
1.4. Verify if the certificate shown in step 2 and step 3 are same.
1.5. This completes setting up the IIS for HTTPs. This setup is same SMP 2.3.x and SUP 2.2.x servers.
2. Setting up Outbound Enabler to work with HTTPS (Common for SMP 2.3.X and SUP 2.2.5):
2.1. Import the CA certificate (used to generate certificate for Relay Server) to be used by outbound enabler. You need to get the cer / crt file for the CA.
2.2. Change both RBS and MBS OE nodes to https.
2.3. After the change, look at the OE logs to verify if the connection to relay server is successful.
3. Importing CA certificate to SCC for further configuration
3.1 Setting for SMP 2.3.X
Import the CA certificate used to generate the Relay server certificate the SCC.
3.2 Setting for SMP 2.2.5
Copy the CA certificate to the folder <SUP_INSTALLATION_DIR>\sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Certificate
(Note: If you closely look at it, in SMP 2.3.3 after step 4.1 below, ca.cer is copied to the same folder (Repository\certificate) and renamed as rs_trusted_cert.crt )
4. Using the CA certificate to the SCC for Replication based communication (RBS Synchronization)
4.1 Settings for SMP 2.3.X
Select the certificate imported in step 3 as Trusted relay server certificate alias as shown in the below picture.
4.2 Setting for SMP 2.2.5
Provide the path of the copied certificate step 3.2 in the SCC.
5. Importing CA certificate to the device for Registration (Messaging based communication): Common for SMP 2.3.X and SUP 2.2.5
The CA certificate should be imported to the device certificate store by sending it as crt file via mail to the device and opening the crt file by double clicking and accepting the prompt to import into the device certificate store. You might be asked to provide device password.
6. Creating the Application Connection Template
You need to create an application connection template and change the Ports / Protocol values to HTTPS as mentioned in the attached picture.
After completing all these steps you should be able to do registration and synchronization over HTTPS via Relay server.
The CA imported to device in step 5 is used for making secure HTTP connection for MBS protocol. The CA certificate provided in step 4 is downloaded to the device during registration or whenever this certificate changes via MBS. This is then used by the Mobilink client to make HTTPS connection to the Mobilink server.
2.2.x client can’t handle RSA256 encrypted certificates (used for REX 3.0/ 3.1/3.2 apps). This limitation is not there for 2.3.x clients.(that will be used for REX 3.3 applications)