I'm trying to configure the REST service for SSL whereby the Android App 'CA Service Management' makes use of an SSL URL within the Android App.
To make my setup more complicated, Service Desk and Mobility run on the same server and I can ONLY use port 443 for both environments. The server is an Application Server (Advanced Availability). I believe the solution is IP binding: I allocated an additional IP to this server and configured my CATALINA_BASE (server.xml) to use the one IP that redirects to SSL (443).
The second IP I configured within CATALINA_BASE_REST (server.xml), which redirects to SSL (443) for the Android Mobile App.
The *.xml looks something like this ...
<Connector connectionTimeout="20000" address="*.*.*.*" port="8050" protocol="HTTP/1.1" redirectPort="443"/>
<!-- A "Connector" using the shared thread pool -->
<!-- <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
<!-- Define an SSL HTTP/1.1 Connector on port 8443. This connector uses the JSSE configuration; when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" address="*.*.*.*" port="443" SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="***" keystorePass="***" keystoreType="PKCS12" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" scheme="https" secure="true" sslProtocol="TLS"/>
Via the Chrome browser I was able to log in and authenticate at "https://*.*.*.*/casdm/"
... BUT ... the Android App does not want to authenticate me; error message "No Response from Server. Please contact your administrator"
Can anybody assist?
I don't think this will work properly using the same ports. This is most likely due to DNS and the network externally only seeing one IP for the machine and not two. I believe you will have to use separate port numbers, one for SDM Tomcat and one for REST Tomcat, in order for this to work properly from a mobile device using the mobile app.
Anyone else have any ideas here?
Yes, I agree, but I will be making use of DNS entries to drive that. One IP will be associated with https://support:443 (Service Desk) and the other IP with https://mobisupport:443 (Mobility).
If anyone feels that will not work, I would like to know your view please.
If you are binding your 2 IPs correctly to the corresponding API and then use DNS to resolve the correct one, this must work. You need to make sure you did that in both.
Not sure I still have this config anymore anywhere but I did it successfully in the past
I would recommend you test your setup outside of the mobile app first using SoapUI or others to verify that the RESTful API is up and correctly responding in your setup.
My 2 cents.
Thank you for your feedback. Both server.xml files within 'CATALINA_BASE' and 'CATALINA_BASE_REST' have been configured to bind to their own IP. This is successfully tested via the Chrome browser ... BUT this does not work in the Android App. I was told that the https (SSL) URL needs to be configured in USS within the "(Optional) SERVICE DESK REST URL FOR MOBILE APP:" section. I'm still to test this as my QA environment is now giving failures when testing the connection for integration.
Well, this is only necessary if you in fact have USS in the picture (this is the best option to benefit from all functionalities).
The mobile app can connect directly to the SDM REST API too (but SC and communities will not be available then) or use USS (and in this case only the REST URL option will be needed in USS). In this case you can use the IP:port directly. Something to look into too is to make sure that your SSL certificates have a fully trusted chain.
Do you think the Android app will complain because it is a self-signed cert? I'm running BlueStacks to simulate this on our LAN.
Not sure, as this really depends on how the CA devs have implemented it, but if it were me doing it, yes, the app would complain.
If you are testing internally you can quickly switch to http only and see if the app works fine in that setup. Then you will have your answer.
I re-checked my config and made sure that DNS entries are correctly configured for the 2 IP addresses allocated to the server.
One IP is configured in server.xml within CATALINA_BASE - DNS entry points to this IP (https://support.*FQDN*)
Other IP is configured in server.xml within CATALINA_BASE_REST - DNS entry points to this IP (https://mobisupport.*FQDN*). The browser works fine but not the Android app.
Is there any documentation that shows end-to-end HTTP and HTTPS (TLS) configuration for Mobility and USS?
What do you mean by "the browser works"?
That you are able from your mobile to access "https://*.*.*.*/casdm/" as you mentioned in one of your posts above?
CASDM is another web app that is using the REST locally in the backend
The mobile apps must not use the /casdm/ at the end, only your DNS name and eventually the port (but not necessary in your case as you use 443).
You assume correctly; I was referring to the browser when testing the https connection config "https://*.*.*.*/casdm/" via the backend. You are also correct ... I don't use the /casdm/ within the Android app, only what you indicated above (https://mobilesupport.mydomain.com), but I tested various permutations and none will work; the only URL that works is http://mobilesupport.mydomain.com:8050
Hence my asking if there is a start-to-end complete guide that I can follow to make sure I did all the config required to make this work. What I do find is bits and drabs here and there.
Unfortunately I'm not aware of such doc and in any case this will mostly only provide the standard setup.
I don't get why this will not work, as I successfully did a similar setup with multiple IPs for different purposes in the past, including reverse proxy and others.
Unfortunately I don't have enough time right now to reproduce your test in my lab.
Just to make sure we eliminate problems from your configuration and, in that case, identify that this is something coming from the app itself:
A simple test can be to go directly to the URI of the REST API using a browser on your smartphone.
If you access the REST API correctly there, you will receive a response page with a message like "Invalid REST Access key".
Receiving this error, we can then assume that the problem resides in the mobile app itself.
If any other HTTP error is returned (404, 500, etc.) you may have to look back at your config/DNS/proxy, etc.
Hope that makes sense.
Thank you so much for your assistance. It would seem it is the Android App then, see screenshot. My next step is to update my support call with this.
Good luck then
Hopefully they will find a solution for you
Keep us posted
Both iOS/Android devices should have all your SSL certificates (including the certificate chain) added to the device's truststore before you can use the app properly over SSL.
A quick test might be to kill all browser sessions first, and then open a new browser session to access the HTTPS URL for your REST port. If you get a certificate warning error, then it usually means the cert is not a valid one, and so the app would have the difficulty that you speak about in this post above.
Hope this helps
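The two browser checks suggested above (hit the REST URI directly and look for "Invalid REST Access key" versus a 404/500, and see whether the TLS chain verifies) can be scripted so the result is repeatable from a workstation. This is an added example, not code from the thread or from CA; the hostname, the optional private CA bundle path and the "mobisupport" URL are placeholders for your own DNS entry.

```python
# Added example (not from the thread): probe the HTTPS REST connector and map the
# outcome to the next troubleshooting step the replies describe.
import ssl
import urllib.error
import urllib.request

REST_URL = "https://mobisupport.example.com/"   # placeholder for https://mobisupport.<FQDN>
REST_KEY_MSG = "Invalid REST Access key"        # response text quoted in the thread


def classify(status, body, tls_error=None):
    """Map a probe result to the troubleshooting branch suggested in the thread."""
    if tls_error is not None:
        # Chain did not verify: install the CA/self-signed cert in the client trust store
        # or use a publicly trusted cert, as the last replies conclude.
        return "tls_untrusted"
    if body and REST_KEY_MSG in body:
        # The REST connector on 443 answers; the remaining issue is in the app/USS REST URL.
        return "rest_reachable"
    if status is None or status >= 400:
        # Connection refused/timeout, 404, 500, ...: look at bind address, DNS, proxy.
        return "server_config"
    return "unknown"


def probe(url=REST_URL, cafile=None, timeout=10):
    """Fetch url with strict certificate verification, optionally against a private CA bundle
    (cafile) to confirm the chain is complete before trusting it on a device."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        # 4xx/5xx still carry a body; the REST key message may arrive with a 4xx status.
        return classify(e.code, e.read().decode(errors="replace"))
    except urllib.error.URLError as e:
        tls = e.reason if isinstance(e.reason, ssl.SSLCertVerificationError) else None
        return classify(None, None, tls_error=tls)
    except OSError:
        # Socket timeout or other transport failure.
        return classify(None, None)


if __name__ == "__main__":
    print(probe())
```

Run it once without `cafile` (as a phone with only public roots would see it) and once with the internal CA bundle; "tls_untrusted" in the first case and "rest_reachable" in the second points at device trust, not the Tomcat binding.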
Yes, it would seem you are correct ... the feedback I got from support is also saying the same thing.
Also, the browser did complain about the cert.
I'm waiting for public certs for my QA environment and will test again.
I will feedback to this post once I tested to confirm this as correct.
Thank you to all who gave their input and advice, it was much appreciated.
This is now resolved, Entrust SSL cert is needed or at least install your self-signed cert as trusted on your mobile device for testing.