IBM Worklight : SSLPeerUniverfiedException: peer not authenticated issue

It's been a long time since I last posted here and finally, today's post will break this lock to continue a
chapter of sharing knowledge between developers around.

Problem Background:

A few weeks back I encountered the issue as written on the subject of this post "SSLPeerUniverifiedException: peer not authenticated" when trying to hit REST base HTTPS service from Worklight Http Adapter reported in Worklight Server log during google search I found a lot of forum threads discussing the same issue found multiple possible reasons behind this reported exception.

Possible Reasons are:

• Your server doesn't have valid SSL certificate
• Certificate expired (Below command can be used to verify the date of certificate validity)
• - keytool -list -v -keystore [certificate file]
• Your server might be configured with different trusted keystore other than the default ( cacerts file is a default used by JVM )

Solution:

Some may found this solution straightforward  (if you are a frequent visitor of IBM Knowledge Center ) and tried to make it simpler as possible.

A very first step to identify and keep the correct certificate ready for deployment within the server.

Open the base https:// URL of exposed services in chrome browser you'll see the green lock icon on the left in URL bar. Just double click on it to proceed export this certificate. (Figure - 1)

Figure - 1

now move the Details tab and use "copy to File" button to export this certificate file. (Figure - 2)

Figure - 2

 Follow the Figure - 3 to proceed to final step and export this somewhere in your machine use .cer file extension to save this file.

Figure - 3

Add Certificate in IBM Trust Store

To add this certificate in the trustore you must check and verifiy the truststore configured in IBM Worklight Server, by keeping the 3rd possible reason in your mind go to the folder location "C:\IBM\WebSphere\Liberty\usr\servers\WorklightServer\" and open the "jvm.options" with notepad or any other editor and search the entry "-Djavax.net.ssl.trustStore" if you found one that means your server is configured with custom trustore with its location defined. for example

-Djavax.net.ssl.trustStore = C:\IBM\WebSphere\Liberty\usr\servers\WorklightServer\resources\security\key.jks

since key.jks is using for trustore we have to add last exported certificate into file and to do this we use IBM Key Management tool (Figure - 4). Open the key.jks file will prompt for password by default password "worklight".

Figure - 4

Note: In windows use "run as adminstrater" option to open this utility.

Figure - 5 illustrate to add this certificate under "Signer Certificates" use Add button to browse your certificate file and you're have successfully add your .cer file in your keystore.

Figure - 5

Now copy and replace this modified .jks file the same Worklight Server location you copied it from.

and Finally,  restart Worklight Server.

Additional info:

If you want to keep the system certs coming from JDK separate from your own trusted signer certs, you can use the liberty's truststore properties which you can specify in server.xml (you can refer to "Full SSL Configuration Example" given here) As this liberty documentation says "If there is no default SSL configuration in Liberty, then the JSSE's default SSLContext is used. The JSSE's default SSLContext uses the cacerts file for the keystore and truststore

Achieve push notification in IBM Worklight (Android)

Using IBM Worklight its become more easy for developer to create hybrid application for cross-platforms, Where platform dependent feature like Push Notification, Storage etc are available to inject over hybrid application. This post entry is targeting to achieve push notification using Worklight, although there are many online article are already written on this topic and IBM Information Center is full of it but none of them are specific to Android device and so decided, to share this meal to have your day.

Following diagram illustrates the push notification architecture that simplifies sending push message across multiple devices running on different platforms. It provides a central management console to manage the mobile vendor services, e.g. APNS and GCM, in the background. 

Now it’s time to implement and check this functionality on emulator, and to simulate this concept on real device or emulator. I recommend to use download push notification sample code provided by IBM on their get started tutorial and sample section on IBM Worklight Information Center:

http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m5/index.jsp

 

The sample code available under the Advanced section with name Module 41 - Push Notifications OR use the below URL to download push notification sample code. 

ftp://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v505/module_41_0_PushNotifications.zip

Once you downloaded the code please follow these step to configure and test this app on emulator. 

1. Open the Worklight Studio OR eclipse and use the File Menu and select Import option will open the window. 
2. Now Select General | Existing Projects into Workspace and press Next.
3. In the next Import Project window select and browse archive file as shown in the following image and Click Finish.
4.  If Android environment is already added then no need to add android environment, if it doesn’t then add android environment into this project.
   
   
5.  Now open the application-descriptor.xml under the path apps | PushApplication you’ll see pushSender tag under the android tag. There are two values required one is API key and another one is GCM sender ID.
   
6. To add these value use the following steps.
• Open the Google Cloud Message Service by using this URL http://developer.android.com/google/gcm/gs.html and follow Creating a Google API project steps under the shared URL.

• Once your project and enabling GCM service is done you’ll have the project number which we use for GCM sender ID. So now we have Sender ID and to generate the API key (second required value) open the dashboard for recent created project as shown in following image.
  
  
  
• Now simply copy this API key and paste it under required API key attribute and then build and deploy this project will create the android project automatically under the same eclipse.
• Before run this app on emulator make sure adapter must be deployed on Worklight server as this example has PushAdapter under adapters folder and the emulator must target Google API.
  
  
  

• If everything accordingly you’ll have first screen with asking username and password. You can use any username (you must remember the username) and password to bypass this screen using login button will show you the following image with multiple buttons.

a.       Before subscribe please verify the emulator version for push support and check if username you used is already subscribed.

b.       Device configuration and event subscription is done. To send the notification from server we use the adapter so right click on PushAdapter and Run As | invoke Worklight Procedure and finally call the submitNotification procedure with two required parameters; username and notification text passing in the following image.

 

Finally After type your message click on Run to send this message. Within few second you’ll have notification on your emulator similar to following images.