Question


South Florida Water Management District
US
Last activity: 31 Jan 2024 11:39 EST
Couldn't establish secure connection error from ios mobile app while login
We have created a mobile app on Pega 8.7.3. We are able to build for iOS and download the app successfully after adding the certificate set, and we are able to install the app on an iPad.
We are using a SAML 2.0 based authentication service for login.
When the app is launched on the iPad, a login prompt appears. Clicking it redirects to an external login screen, and when the user enters the correct user ID and password and submits, it redirects back to the app, but there the error "Couldn't establish secure connection" is shown.
From the Safari browser on the iPad we are able to log in successfully and the Pega dashboard is shown to the user. The issue occurs only from the Pega Mobile App.
Any suggestions on how to proceed further would be helpful.
Thank you
***Edited by Moderator Marije to add Support Case Details INC-A10063 of original poster***
***Edited by Moderator Marije to add Support Case Details INC-B3469 of original poster***
Accepted Solution
Updated: 31 Jan 2024 11:39 EST


Pegasystems Inc.
PL
In this particular customer case the root cause turned out to be a lack of PFS (Perfect Forward Secrecy) ciphers available on the server. After enabling such ciphers, the issue went away.
PFS is one of the requirements that must be met for iOS/macOS applications to establish a secure network connection: https://developer.apple.com/documentation/security/preventing_insecure_network_connections#3138464


Valaris PLC
US
@AnandI0386 Hi Anand. Did you find a resolution for this issue? We have the same issue with the Android app and couldn't find a solution yet. We are running on 8.7.1 version.


South Florida Water Management District
US


Valaris PLC
US
@AnandI0386 Thank you Anand for the reply. Same here. We have also raised an INC and no resolution yet. Please post here if you get a resolution from Pega Support.


Pegasystems Inc.
US
Hi @SivaguruKrish!
Please let us know the INC so that we can connect this post with it to help the Support Engineer.
Thanks!


Valaris PLC
US
@MarissaRogers This is the incident - INC-A16709


Pegasystems Inc.
US
Thank you!


South Florida Water Management District
US
@SivaguruKrish Last week we observed that this issue is not happening in the production environment.
The difference we could see is that our test (or dev) environment is using self-signed certificates and production is using external CA signed certificates.
We suspect this could be the reason.
Do you also have similar certificates?


Valaris PLC
US
@AnandI0386 Thanks for the reply. Glad that it is working for you in prod now. We suspected the issue was with the cert and tried to rebuild the app using the external CA cert, but it still didn't work. Maybe we will try that again. Quick question on the cert: the one which is working for you in prod, is that cert a combination of your self-signed cert and the external CA cert, or just the external cert?


South Florida Water Management District
US
@SivaguruKrish Sorry for the late reply, any solution found for you guys?
We are using just the external cert in production environment.


Valaris PLC
US
@AnandI0386 Not yet. Still trying to find what could be the issue with the cert and also checking with Pega support on the incident that we created. Can you tell me where you have the root CA cert, Intermediate cert and your domain cert, as part of the certificate you have in your server or just your domain cert? Also, are the certs part of the cacerts in the Java home directory or is it part of a different file in the server folder?


Valaris PLC
US
@AnandI0386 We were able to fix the issue. The issue was with the App Server SSL certificate, as we suspected. It did not have the full chain cert (Intermediate + Root + domain cert); instead it had just the domain cert. It didn't impact the app access (https) on the regular Chrome/Edge browsers, but the app version on the mobile/tablets was impacted. We generated a new cert with the full chain and deployed it. The app on the mobile/tablets started working. Thank you for your responses here.
Just for reference - https://developer.android.com/privacy-and-security/security-ssl. This link provides some details about the missing intermediate certificate and its possible impacts in the app on android devices.
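A diagnostic for the two server-side causes reported in this thread (a server that does not send its full certificate chain, and a server with no forward-secrecy cipher suites), as an added example that is not part of any post or of Pega's tooling. It assumes Python 3 and its standard `ssl` module, which does not fetch missing intermediates the way desktop browsers can; `pega.example.com` is a placeholder host name.

```python
import socket
import ssl


def has_forward_secrecy(cipher_name: str, tls_version: str) -> bool:
    """True when the negotiated suite uses an ephemeral (EC)DHE key exchange."""
    if tls_version == "TLSv1.3":  # TLS 1.3 dropped static RSA/DH key exchange
        return True
    # Accept OpenSSL names (ECDHE-RSA-...) and IANA names (TLS_ECDHE_RSA_WITH_...).
    name = cipher_name.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake using the default trust store; report chain and cipher status."""
    result = {"chain_ok": None, "cipher": None, "version": None,
              "pfs": None, "error": None}
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name = tls.cipher()[0]
                version = tls.version()
                result.update(chain_ok=True, cipher=name, version=version,
                              pfs=has_forward_secrecy(name, version))
    except ssl.SSLCertVerificationError as exc:
        # Typical for a self-signed leaf or a server that omits its intermediate.
        result.update(chain_ok=False,
                      error=f"certificate verification failed: {exc.verify_message}")
    except ssl.SSLError as exc:
        # Includes "no shared cipher" when the server offers nothing acceptable.
        result["error"] = f"TLS handshake failed: {exc.reason}"
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the real server name as the first argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "pega.example.com"))
```

A result with `chain_ok` set to `False` points at the certificate chain or trust, while `pfs` set to `False` or a handshake failure points at the server's cipher configuration.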
Updated: 31 Jan 2024 8:48 EST


Pegasystems Inc.
GB
@AnandI0386 I can see that you logged INC-A10063 (Couldn't establish secure connection error from ios mobile app) and our GCS team explained the cause to you December 26th 2023.
Cause:
The mobility team confirmed that we do not support self-signed certs.
Workaround:
GCS requested you use a CA cert in test env
Closure:
You confirmed that in your lower env, you are using a self signed certificate, whereas in the working scenario you are using a CA cert
Solution provided was to create a CA certificate for the lower env in order to resolve this problem.
From the documentation:
For Pega Mobile authentication, you need to prepare your app for signing by creating a certificate set. This certificate set consists of keys and certificates that sign the app when you generate the installation package. For Android apps, a signing certificate is created with the Java Keytool command line utility. For iOS apps, a signing certificate is generated in the Apple Developer Portal. These certificates provide a digital authentication for the app and guarantee that the app and its updates come from a legitimate source.
Preparing mobile apps for signing
Obtaining a signing certificate for iOS apps
Obtaining a signing certificate for Android apps


South Florida Water Management District
US
@MarijeSchillern Incident is reopened and we are working with Pega support and Engineering team to get solution.


Pegasystems Inc.
GB
@AnandI0386 many thanks for letting me know.
I can see that INC-A10063 was left closed but instead the question appears to be investigated in INC-B3469 (Couldn't establish secure connection error from ios mobile app)
As soon as the solution is provided, please provide it as a Reply on this forum post and mark it with Accept Solution.