Tuesday, August 27, 2013

Android: launch app via URI link from web browser

Steps to launch an Android app via a URI link from a web browser

edit launcher.html
..
<a href="myscheme://?host=my_app_server&port=9000&servername=StubServer">MyApp@MyServer</a>
..

Android project:
edit AndroidManifest.xml, add activity's intent-filter as below:

<!-- android:debuggable="true" is for development builds only; release builds must not ship with it -->
<application android:icon="@drawable/ventyx_icon" android:label="@string/app_name"
        android:debuggable="true" android:logo="@drawable/splash">
  <activity android:name="MyMobile" android:label="@string/app_name" ....>
    <intent-filter>
      <action android:name="android.intent.action.VIEW" />
      <category android:name="android.intent.category.DEFAULT" />
      <category android:name="android.intent.category.BROWSABLE" />
      <!-- the scheme must be all lowercase -->
      <data android:scheme="myscheme" />
    </intent-filter>
  </activity>
....


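The intent filter above launches the "MyMobile" application for any link whose scheme is myscheme, e.g. "myscheme://". Any web page can carry such a link, so the activity should treat the query parameters (host, port, servername in the link above) as untrusted input.

To control more tightly which URLs launch the app, add more options to the intent filter's data element, for example: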

<data android:scheme="myscheme" android:host="myapp.dev.com" android:pathPrefix="/mobile" />
In this case, the MyMobile application is launched by a URL like the one below:
<a href="myscheme://myapp.dev.com/mobile?other_query_params">

Thursday, August 22, 2013

Even though the server's self-signed SSL certificate has been imported and trusted, the iPad won't start an SSL connection because the CN doesn't match the hostname.

Confirmed:
Even though the server's self-signed SSL certificate has been imported and trusted, the iPad won't start an SSL connection because the CN doesn't match the hostname.

Application Setup:

  • WLS server configured with a self-signed SSL certificate (whose CN=my_company_name doesn't match its DNS name, appserver.mydomain.com)
  • Application (Java) deployed on WLS
  • Mobile application (built with PhoneGap) on mobile devices (iPad, Android)
Verification Goal:
  • Can the mobile application on a device communicate with the app services via HTTPS in the above setup?
Verification Steps:
  1. Import the WLS server's self-signed SSL certificate into the iPad as a trusted certificate.
  2. Launch the mobile app to reach the server via HTTPS.
  3. Even though the server's self-signed SSL certificate has been imported and trusted, iOS won't start the SSL connection because the CN doesn't match the hostname.

** test output 
Aug 22 10:20:42 Dev-iPad-699600 amfid[179] <Error>: Aug 22 10:20:42  SecTrustEvaluate  [leaf CriticalExtensions IssuerCommonName]
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Warning>: mobile launchOptions = ….. protocol=https
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Warning>: Multi-tasking -> Device: YES, App: YES
Aug 22 10:20:43 Dev-iPad-699600 kernel[0] <Debug>: launchd[178] Builtin profile: container (sandbox)
Aug 22 10:20:43 Dev-iPad-699600 kernel[0] <Debug>: launchd[178] Container: /private/var/mobile/Applications/5E78D4F8-B359-4F99-905C-D09B00E88605 (sandbox)
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Warning>: Resetting plugins due to page load.
Aug 22 10:20:43 Dev-iPad-699600 webinspectord[140] <Error>: libMobileGestalt copySystemVersionDictionaryValue: Could not lookup ReleaseType from system version dictionary
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Warning>: Finished load of: file:///var/mobile/Applications/5E78D4F8-B359-4F99-905C-D09B00E88605/mobile.app/www/index.html
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Warning>: Resetting plugins due to page load.
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Error>: Aug 22 10:20:43  SecTrustEvaluate  [leaf SSLHostname]
Aug 22 10:20:43 Dev-iPad-699600 mobile[178] <Warning>: Failed to load webpage with error: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “appserver.dev.mydomain.com” which could put your confidential information at risk.

** end


Friday, August 16, 2013

Create self-signed root CA and use it to sign wildcard server certificate

This page covers the instructions to:
  1. Create a self-signed root CA
  2. Generate a wildcard server certificate
  3. Sign the wildcard server certificate with our own CA


// 1. Generate my own root CA
$ uname -a 
Darwin <hostname> 12.2.1 Darwin Kernel Version 12.2.1: 

$ cd /path/to/myrootca
$ mkdir keys certs servers
// generate the root CA private key
$ openssl genrsa -out keys/my_own_rootca.key 2048
// generate the self-signed root CA certificate
$ openssl req -new -x509 -days 3650 -key keys/my_own_rootca.key -out certs/my_own_rootca.crt
** enter info as:
Country Name (2 letter code) [AU]:<country>
State or Province Name (full name) [Some-State]:<state>
Locality Name (eg, city) []:<city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:My Own Root CA       
Email Address []:prod_pd@my.com


// 2. Generate the wildcard server certificate
// generate the company dev servers' private key
$ openssl genrsa -out servers/company-dev-server.key 2048
// generate the wildcard certificate CSR for the root CA to sign
$ openssl req -new -key servers/company-dev-server.key -out servers/company-dev-server.csr
-----
Country Name (2 letter code) [AU]:<country>
State or Province Name (full name) [Some-State]:<state>
Locality Name (eg, city) []:<city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:*.dev.pd.my.com
Email Address []:prod_pd@my.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<none>
An optional company name []: <none>

// 3. Root CA signs the wildcard certificate
$ openssl x509 -req -days 3650 -CA certs/my_own_rootca.crt -CAkey keys/my_own_rootca.key -set_serial 01 -in servers/company-dev-server.csr -out servers/company-dev-server.crt

// generate P12 keystore (root-CA-signed wildcard certificate, dev server private key, root CA certificate)
$ openssl pkcs12 -export -in servers/company-dev-server.crt -inkey servers/company-dev-server.key -out servers/company-dev-server.p12 -name prod_name -CAfile certs/my_own_rootca.crt -caname my_own_root_ca
** export password: 1234

// use the keytool functionality to merge one keystore with another one
// convert P12 keystore to JKS keystore
$ keytool -importkeystore -deststorepass pwd -destkeypass pwd -destkeystore servers/company-dev-server.jks -srckeystore servers/company-dev-server.p12 -srcstoretype PKCS12 -srcstorepass 1234 -alias prod_name

// import root ca certificate to JKS
$ keytool -import  -file certs/my_own_rootca.crt -alias MyOwnRootCA -keystore servers/company-dev-server.jks -storepass pwd

$ keytool -v -list -keystore servers/company-dev-server.jks -storepass pwd
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: prod_name
...
Alias name: MyOwnRootCA
...

// for App Server use
// install/config wildcard server keystore to WLS identity keystore
copy servers/company-dev-server.jks to WLS config dir
// in the WLS admin console, change the keystore and configure SSL

// for web client use
// host certs/my_own_rootca.crt from apache
$ cp certs/my_own_rootca.crt <apache-webroot>/my_own_rootca.crt

******* DONE *********
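
The Aug 22 finding (a trusted issuer is not enough, the name must also match) and the signing steps above can be checked together. The script below is an added example, not part of the original post: it builds a throwaway CA with the same openssl commands, then compares a certificate whose only name is CN=my_company_name with a wildcard certificate that also carries a subjectAltName. The SAN entry, the -config/-subj options, the temp directory and the function names are assumptions added here; the post's CSR carries only a Common Name, which current browsers and iOS releases no longer use for hostname matching.

```sh
#!/bin/sh
# Added example: constructed names, throwaway keys in a temp dir.
set -eu
WORK=$(mktemp -d)

# Minimal request config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Step 1 of the post: private root CA (subject passed with -subj, no prompts).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 30 -config "$WORK/req.cnf" \
    -extensions v3_ca -key "$WORK/ca.key" -subj "/CN=My Own Root CA" \
    -out "$WORK/ca.crt"
}

# Steps 2-3: make_leaf NAME CN [SAN] writes $WORK/NAME.crt signed by the CA.
# SAN is an assumption added here; the post's CSR carries only a Common Name.
make_leaf() {
  name=$1; cn=$2; san=${3:-}
  echo "basicConstraints = CA:FALSE" > "$WORK/$name.ext"
  [ -z "$san" ] || echo "subjectAltName = $san" >> "$WORK/$name.ext"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
    -subj "/CN=$cn" -out "$WORK/$name.csr"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Chain check only: is NAME.crt signed by the CA we trust?
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Chain check plus hostname check, which is what a TLS client performs.
trusted_for() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
make_leaf legacy "my_company_name"
make_leaf wild "*.dev.pd.my.com" "DNS:*.dev.pd.my.com"
```

The wildcard covers exactly one label, so a.b.dev.pd.my.com and the bare dev.pd.my.com both fail the hostname check even though the chain is trusted.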

Tuesday, August 13, 2013

Install self-signed certificate as trusted CA in Android 4 and iPad


Steps to install a self-signed certificate as a trusted CA in Android 4 and iPad
Goal: allow iPad/Android clients to access the server via HTTPS (the server has a certificate from a self-signed CA)
Prepare and host the root CA's certificate for client installation:
  1. Save the server's (or its root CA's) certificate in Base-64 encoded X.509 (.CER) format, say root_ca.crt (exported from the server's .p7b certificate on Windows).
  2. Add a link to root_ca.crt, say http://myserver/root_ca.crt (Apache already maps .crt to the MIME type application/x-x509-ca-cert).
Install the certificate as a trusted CA in Android
  1. In the browser, open http://myserver/root_ca.crt. This downloads the certificate; tap it to install and follow the instructions. If the device has no PIN or password, one must be set during the installation.
  2. To verify the installation, go to "Settings -> Security -> Trusted credentials -> User tab"; the installed certificate should be listed there.
Install the certificate as a trusted CA in iPad
  1. In the browser, open http://myserver/root_ca.crt. This downloads the certificate; tap it to install and follow the instructions.
  2. To verify the installation, go to Settings -> General -> Profiles; the installed certificate should be listed there.