Data Synchronizer Mobility Connector SSL Issues
Welcome to the Novell Data Synchronizer Mobility Connector Wiki
General SSL Issues
While the Data Synchronizer Mobility Connector can create a self-signed SSL certificate, many devices either work poorly with it (for example, they prompt the user to accept the certificate again and again) or not at all (they refuse to connect unless the certificate chains up to a root they already trust). The Data Synchronizer Mobility Connector Devices page contains a table for each of many devices describing how it works with the Mobility Connector. Each table has an "SSL Issues" row for documenting how that device behaves with various certificates. Please add whatever you discover to those tables.
Conflicting certificates on the phone
If your phone has been connected to a Mobility server that used a self-signed certificate and you now want to connect it to a different server, or you have reinstalled your Mobility server (which produces a new certificate), you may find that the phone cannot permanently store the new server's certificate. In that situation delete the old certificate from the phone first: a stale certificate left over from the previous server can prevent the new one from being imported.
Installing an SSL Certificate
If you will not be using the self-signed certificate generated by the Mobility Connector, here are a few important things to note:
- Request the certificate from your provider in PEM format (Base64-encoded X.509). Note that the provider only ever sends certificates: the private key is the one you generated on the server when you created the certificate signing request, and it never leaves that server. The Mobility Connector expects the private key and the certificate together in one PEM file, so you combine them yourself as described next.
- If you have two files, such as .crt and .key or similar, you can combine the files together in the following format:
-----BEGIN RSA PRIVATE KEY-----
private key data
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
certificate data
-----END CERTIFICATE-----
- If your certificate provider requires the use of an intermediate certificate, it must be combined with the private key and your certificate, placed after your certificate. The order matters: private key first, then your server certificate, then the intermediate(s) in order from the one that signed your certificate up toward the root, with the root certificate last. Devices use this chain to get from your certificate to a root they already trust; a chain in the wrong order commonly produces "unknown CA" errors on the device even though the certificate itself is valid.
-----BEGIN RSA PRIVATE KEY-----
private key data
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
certificate data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate certificate data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root certificate data
-----END CERTIFICATE-----
- If the device you are testing does not recognize the CA that issued your certificate but can import CA certificates, try converting the CA's root certificate to DER format and installing it on the device. DER holds a single certificate, so convert the root on its own rather than the whole bundle. One way to get it onto the device is to put the DER file on a web server and browse to it from the device, then follow the device's instructions for adding the certificate to its trusted root store.
- These instructions are very generic at this point. We ask that as you develop specific procedures for devices you are testing, you add those procedures to the device list at Data Synchronizer Mobility Connector Devices.
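The procedure above, worked through as an added example (this script is not from the Novell wiki or the Data Synchronizer product; it assumes only the openssl command-line tool). build_bundle concatenates the files in the required order, check_key_matches_cert confirms that the private key really belongs to the certificate, and check_chain rejects a bundle whose certificates are out of order. The file names, the "constructed" test CA that make_test_pki generates, and the mktemp working directory are placeholders for the demonstration; on a real server you point build_bundle at your own key and the files your provider sent.

```shell
#!/bin/sh
# Added example, not part of the Novell wiki or the Data Synchronizer product.
# Builds the combined PEM (private key, server certificate, intermediate(s), root,
# in that order) and sanity-checks it before it is copied over mobility.pem.
# Assumes only the openssl CLI. make_test_pki builds a throwaway root ->
# intermediate -> server chain so everything runs offline; real installs point
# build_bundle at the key you generated and the files your CA sent.
set -eu

# build_bundle KEY CERT OUT [CHAIN_FILE...]
# Writes KEY, CERT, then the chain files in the order given (intermediates first,
# root last). 'awk 1' re-emits each line with a newline, so a file lacking a
# trailing newline cannot glue its END line onto the next BEGIN line.
build_bundle() {
    key=$1; cert=$2; out=$3; shift 3
    : > "$out"
    chmod 600 "$out"          # the bundle contains the private key
    for f in "$key" "$cert" "$@"; do
        awk 1 "$f" >> "$out"
    done
}

# check_key_matches_cert KEYFILE CERTFILE
# Succeeds only if the public key in CERTFILE is derived from the key in KEYFILE
# (compares SHA-256 of the DER SubjectPublicKeyInfo of both). Both arguments may
# be the finished bundle: openssl takes the first key / first certificate it finds.
check_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_chain BUNDLE
# Splits the certificates out of BUNDLE (the key block is skipped), requires that
# every certificate is issued by the one that follows it, then verifies the first
# certificate with the last one as trust anchor and the ones in between as
# untrusted intermediates. Any other ordering fails.
check_chain() {
    d=$(mktemp -d); rc=0
    awk -v d="$d" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
        inblk { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { inblk = 0 }' "$1"
    n=$(ls "$d" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer)
        sub=$(openssl x509 -in "$d/cert$((i + 1)).pem" -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || rc=1
        i=$((i + 1))
    done
    : > "$d/untrusted.pem"
    i=2
    while [ "$i" -lt "$n" ]; do cat "$d/cert$i.pem" >> "$d/untrusted.pem"; i=$((i + 1)); done
    if [ "$rc" -eq 0 ] && [ "$n" -ge 2 ]; then
        if [ -s "$d/untrusted.pem" ]; then
            openssl verify -CAfile "$d/cert$n.pem" -untrusted "$d/untrusted.pem" \
                "$d/cert1.pem" >/dev/null 2>&1 || rc=1
        else
            openssl verify -CAfile "$d/cert$n.pem" "$d/cert1.pem" >/dev/null 2>&1 || rc=1
        fi
    else
        rc=1
    fi
    rm -rf "$d"
    return "$rc"
}

# make_test_pki DIR
# Constructs a throwaway root -> intermediate -> server chain (demo input only).
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/srv.ext"
    for name in root int server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.csr" -subj "/CN=constructed $name" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.crt" \
        -days 1 -extfile "$d/ca.ext" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" -days 1 -extfile "$d/ca.ext" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.crt" -days 1 -extfile "$d/srv.ext" 2>/dev/null
}

# Demo on the constructed PKI: a correctly ordered bundle and one with root and
# intermediate swapped. A real install would then, as root on the Mobility server,
# back up and replace /var/lib/datasync/device/mobility.pem and
# /var/lib/datasync/webadmin/server.pem with the checked bundle and run
# 'rcdatasync restart'.
work=$(mktemp -d)
make_test_pki "$work"
build_bundle "$work/server.key" "$work/server.crt" "$work/mobility.pem" "$work/int.crt" "$work/root.crt"
build_bundle "$work/server.key" "$work/server.crt" "$work/wrong.pem" "$work/root.crt" "$work/int.crt"
for b in mobility.pem wrong.pem; do
    if check_key_matches_cert "$work/$b" "$work/$b" && check_chain "$work/$b"; then
        echo "$b: key matches certificate, chain order verified"
    else
        echo "$b: REJECTED (key/certificate mismatch or chain out of order)"
    fi
done
```

Run both checks against the finished bundle before copying it over mobility.pem and server.pem; a bundle that passes here but still fails on a device points at the device's trust store rather than at the server. For the device-import bullet above, the DER copy of the root is produced with `openssl x509 -in root.crt -outform DER -out root.der` (one certificate per DER file).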
Problems with various certificates
Problems have been reported with some certificates. If you have other certificates that are not working with devices, or if you have found fixes for the issues listed below, please add your experiences here.
- Some devices will not recognize the Comodo CA as trusted.
- DigiCert certificates work great. Just be sure, like with other SSL Certificate providers, that you configure the server to send the intermediate certificates needed to chain up to the trusted root.
- GoDaddy Wildcard certificate. Create a "wildcard.pem" by concatenating "Private Key" + "Wildcard Certificate" + "gd_bundle.crt" (https://certs.godaddy.com/anonymous/repository.seam). Copy this wildcard.pem to /var/lib/datasync/device/mobility.pem and /var/lib/datasync/webadmin/server.pem (retain the mobility.pem and server.pem names for ease of use). Remember to back up the original files before overwriting them. Then run 'rcdatasync restart'. Tests fine with HTC Hero.
- When using a self-signed certificate with Windows Mobile, you must manually import the trusted root certificate on each WM device. (http://support.microsoft.com/kb/915840)
- Due to a bug in Android 2.2 (Froyo), you cannot use the default self-signed certificate as the common name of the certificate does not match the host name of the server. You'll need to either generate a new self-signed certificate or install a "real" certificate signed by a trusted root authority.
- The GeoTrust root isn't included in Android yet. But apparently it is on the list for a future update. For more info (and a workaround), see http://code.google.com/p/android/issues/detail?id=10985 (props to Will Schneider for digging this up for us!)
- Here's a HowTo for Thawte's intermediate SSL certificates: http://forums.novell.com/novell-product-support-forums/data-synchronizer/ds-mobility-pack/419144-certificate-issues-post2056394.html#post2056394