Worklight 6.0 application using SSL

Worklight 6.0.0, targeting iPad.
I have a simple demonstration application, no authentication at present. I am demonstrating use of reverse proxy. So I am building my application using the Build for Remote Server workaround and can see in Xcode the correct server specification. I have some adapter calls, but for a particular demo scenario I also want to make an explicit call to
WL.Client.connect( ... );
If I use an http connection I see a request like this:
http://192.168.0.19/MyApp/apps/services/api/Work01/ipad/init
and it works just fine. If instead I use an SSL connection, as expected I see this
https://192.168.0.19:443/Infrabel01/apps/services/api/Work01/ipad/init
And I get the following error.
> [ERROR ] FWLSE0059E: Login into realm 'NullLoginModule' failed. The
> environment 'ipad' supports multiple versions, therefore you must
> request it with a version parameter.. [project Infrabel01] The
> environment 'ipad' supports multiple versions, therefore you must
> request it with a version parameter. [ERROR ]
> FWLSE0117E: Error code: 4, error description: AUTHENTICATION_ERROR,
> error message: An Error occurred while performing authentication using loginModule
> NullLoginModule, User Identity Not available. [project Infrabel01]
> [project Infrabel01]
That "request it with a version parameter" is intriguing. Is there some extra parameter I need to pass? Or is the overall implication that connecting over SSL requires authentication?

I had the same problem.
I have solved it by using the real IP address of the server in the WL app instead of using localhost:
When the emulator is running your app, press the Menu button.
Select to change your server URL
Remove "localhost" and use the IP address.
Accept and try again.
This fixed my problem.

Please make sure your Worklight server or proxy server has SSL enabled with a certificate signed by a trusted public CA such as Verisign. Worklight does not support private CA certificates.

Related

Configuring Proton for SSL / TLS throwing openssl wrong version number and gRPC client error

I'm kinda at a loss here.
Trying to set up proton with SSL / TLS access, but after creating the certificates with the (modified) shell scripts
supplied by the AppDev-Pack and linking the keyring and everything in notes.ini, I always seem to get
the error "Handshake failed with fatal error SSL_ERROR_SSL: error: 100000f7:SSL routines:OPENSSL_internal:
WRONG_VERSION_NUMBER".
Tried both a Windows and Linux server, as well as using the accessing node.js app with and without
certificates - but with no success.
Also tried the troubleshoot section of https://doc.cwpcollaboration.com/appdevpack/docs/en/proton-admin.html and it connected just fine,
but won't if I connect with node.js.
Looks like the error is thrown before a certificate is even checked?
In this example the error is thrown after trying to get a document by UNID.
notes.ini (proton parts)
gRPC Client Error
If someone has an idea how to fix that issue or where to start - that would really help me.
Thanks in advance.
It appears that the client side does not have the secure flag set. At least I get a similar stack when I try to connect without TLS when the server expects TLS.
See the secure attribute when calling the useServer() function, and you'll also need to provide the credentials attributes.
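To check which side of a gRPC connection is sending cleartext while the other expects TLS, the mismatch the answer above describes, the first bytes on the wire are enough. The following is an added example, not code from the AppDev Pack or from the posters; the function names and sample bytes are constructed. It classifies those bytes and shows the value a TLS stack would read as the record version from cleartext HTTP/2.

```javascript
// Added diagnostic example; names and sample bytes are constructed for illustration.
const H2_PREFACE = Buffer.from('PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n', 'latin1');
const TLS_TYPES = { 20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data' };

// How a TLS stack reads bytes 1-2 of the stream: as the record version.
function versionHex(major, minor) {
  return '0x' + [major, minor].map((b) => b.toString(16).padStart(2, '0')).join('');
}

function classifyFirstBytes(buf) {
  if (buf.length < 5) return { kind: 'too-short' };
  const type = buf[0];
  const major = buf[1];
  const minor = buf[2];
  const length = buf.readUInt16BE(3);
  // TLS record header: content type, 2-byte version (major is always 3), 2-byte length.
  if (TLS_TYPES[type] && major === 3 && minor <= 4 && length <= 16384 + 2048) {
    return { kind: 'tls-record', contentType: TLS_TYPES[type], length };
  }
  const asTlsVersion = versionHex(major, minor);
  // Cleartext HTTP/2 client connection preface, sent first by a client without TLS.
  const n = Math.min(buf.length, H2_PREFACE.length);
  if (buf.subarray(0, n).equals(H2_PREFACE.subarray(0, n))) {
    return { kind: 'h2-cleartext-preface', asTlsVersion };
  }
  // Cleartext HTTP/2 frame header: 3-byte length, type, flags, 4-byte stream id.
  // A server without TLS opens with a SETTINGS frame (type 0x04) on stream 0.
  if (buf.length >= 9 && buf[3] === 0x04 && (buf.readUInt32BE(5) & 0x7fffffff) === 0) {
    return { kind: 'h2-cleartext-settings', asTlsVersion };
  }
  return { kind: 'unknown', asTlsVersion };
}

// Constructed samples: the first bytes each kind of peer would send.
const SAMPLES = {
  tlsClientHello: Buffer.from('16030102000100', 'hex'),
  cleartextClient: H2_PREFACE,
  cleartextServer: Buffer.from('000006040000000000000300000064', 'hex'),
};

function diagnoseSamples() {
  const out = {};
  for (const [name, bytes] of Object.entries(SAMPLES)) out[name] = classifyFirstBytes(bytes);
  return out;
}

console.log(diagnoseSamples());
```

For the cleartext samples, `asTlsVersion` has a major byte other than 3, which is the condition a TLS peer reports as a wrong version number.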

Hitting Unexpected token < in JSON when registering app to MobileFirst server 8.0

I'm trying to register my app in SITServer using MobileFirst 8.0 by following this tutorial
1) Hitting this error:
mfpdev app register SITServer
Verifying server configuration... Error: Cannot connect to server
'SITServer' at 'http://xxx.xxx.xxx.xxx:9080'. Reason: Failed to set
runtime details.: Unexpected token < in JSON at position 0: HTTP 404 -
Not Found
$ mfpdev server info
2) Is it caused by the difference in server version? My Local server version is 8.0.0-2016101416 and SITServer version is 8.0.0.00-20160822-2140
I suspect this happened due to some of the changes you've made to the server.xml; you did not mention which changes you've done so I would advise to double check those (any real reason to change these?).
Either way, both HTTP and HTTPS are supported, yes.

ColdFusion 10 HTTP SSL

I'm running a site and several sub domains on ColdFusion 10 Standard, we have just upgraded from ColdFusion 9 where everything was working fine.
The sites have a wildcard SSL certificate installed so all the sub domains are secured. I'm making http calls between the sites but getting the I/O Exception: peer not authenticated error.
Charset [empty string]
ErrorDetail I/O Exception: peer not authenticated
Filecontent Connection Failure
Header [empty string]
Mimetype Unable to determine MIME type of file.
Responseheader struct [empty]
Statuscode Connection Failure. Status code unavailable.
Text YES
I've installed the certificate in the correct key store and verified it's there using keytool -list and restarted, but still get the authentication error.
I know this is a common problem and is usually fixed by installing the certificate and there are workarounds for ColdFusion Enterprise but I'm struggling to get this working on Standard. Any suggestions?
After many days of investigation I came across this blog post which leads to bug report #3598342.
It turns out to be an issue on Windows 2012 servers running IIS 8. There is an option on the site binding to 'Require Server Name Indication' or 'SNI'. Turning this option off allows cfhttp to connect via https.
It turns out this is an issue with the HttpClient library and has been fixed in builds 288845, 288846 and 290605. Which doesn't really help as the last update 13 only gives me build 287689.
This could be an issue I have run across where I had to import the secure server certificate into ColdFusion before it would allow me to connect.
http://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html
Import Certificate for ColdFusion10
Hope that helps. I know it helped me!

Unable to deploy Worklight adapter in remote server

I'm experiencing an issue while deploying a Worklight adapter on a remote machine.
The adapter is using a certificate alias.
Here is the error message:
Invalid content was found starting with element 'sslCertificateAlias'.
One of '{authentication, proxy}' is expected.
Could you attach here your adapter xml without sensitive data?
Anyway, check that your remote server keystore contains a private key with the alias you have configured in sslCertificateAlias and that the password in sslCertificatePassword is right.
A second check is configuration of the keystore in worklight.properties:
ssl.keystore.path=conf/default.keystore
ssl.keystore.type=jks
ssl.keystore.password=mypassword

LDAP Bind issues with ticket from Kerberos using GSSAPI

I have been trying to make an application which needs to bind to LDAP server using GSSAPI using the ticket provided by the Kerberos server. I am using Novell's JLDAP library for this purpose.
I am able to get a ticket from the authentication server but when I try to bind to the Service Server (LDAP in my case), I get GSSException: Major Status: (589824, Invalid token was supplied), Minor Status: (0, Unknown error)
and the bind fails.
The AS (Authentication Server) and SS (Service Server (LDAP server)) are both behind a single proxy.
In this case, do they need mutual authentication?
I am not sure, but it seems my Java code is not able to get/recognize/decrypt the token received from the AS (Authentication Server).
I am providing the mechanism name as "GSSAPI" in the SASL bind method of Novell's LDAPConnection.java
Did anyone face this kind of trouble? What would be the cause and probable solutions for this? Please explain.
Have you configured eDirectory to support GSSAPI?
Errors for GSSAPI show in the ndsd.log file on the eDirectory server.
You can also enable +LDAP and +NMAS trace in ndstrace to see all communications for GSSAPI.
This may also be helpful.