SSL handshake issues with APNS on IBM worklight 6.1 running on CentOS 6

Question

We are running into SSL handshake issues with APNS on IBM worklight 6.1 running on CentOS 6.

We do not face any SSL related issues on Mac probably due to the fact that the required p12 cert is already present in the keychain on the OS.

The error encountered is:

com.notnoop.apns.internal.ApnsFeedbackConnection Failed to retreive invalid devices
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: End user tried to act as a CA

We have place the generated p12 file in the "apps" directory of worklight. Not sure if this is the right way and worklight will pick this up.

We have verified that the p12 and the corresponding generated .pem file is fine by executing the following command and getting a "CONNECTED" response from apple servers:

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -debug -showcerts -CAfile server-ca-cert.pem

Which makes me think that worklight may not be finding the correct p12 cert.

Also as we've read, worklight uses the "notnoop" library for APNS communication; and notnoop requires the location of the p12 to be defined. Where do we specify this path? Is it in some configuration file of worklight?

Thanks!

Answer 1

If you are using IBM JDK 7, then it is a known bug which is fixed in IBM JDK 7.0.0 SR6. Either you can try with IBM JDK 7 SR6 onwards OR try replacing jre\lib\security\cacerts file in JDK 7 with jre\lib\security\cacerts file in JDK 6

Reference: http://www-01.ibm.com/support/docview.wss?uid=swg1IV43936