Working with SSL and certificates

Mobile Center allows you to work in secure environments using SSL and to apply certificates when necessary. This section describes how to work with SSL connections. For details about installing certificates on your device for the purpose of accessing secure sites, see Testing sites that require certificates.

Connecting to Mobile Center over SSL

When you install Mobile Center, you can choose whether to work with a non-secure (HTTP) or a secure (SSL) connection. When you install the server using the SSL option, a self-signed SSL certificate is automatically generated on the local Mobile Center machine. Alternatively, you can import a certificate issued by a Certification Authority (CA). For details, see Using SSL certificates issued by a Certification Authority (CA).

Self-signed certificates do not, however, provide a trusted identity of the server owner. Therefore, when using the default self-signed certificate, many browsers display a warning or error when you first try to access the Mobile Center server over SSL. For web browsers to trust the certificate that the server has presented, the SSL certificate must be issued by a recognized Certificate Authority (CA).

Despite the warning messages, the self-signed certificate encrypts the data. The warning is issued to inform you that the SSL certificate was self-signed by the server and not by a CA. To access the server, you need to trust the self-signed SSL certificate.

If the server was installed with the SSL option, all connectors and testing tool machines must connect to the server over a secure connection. For more installation details, see Install the connector on a Windows machine or Install the connector on a Linux machine.

You can also reconfigure the connection to the server from non-secure to secure (or vice versa), or change the server address or port. For details, see Reconfigure the Mobile Center server.

Note: If you change the certificate on the server, you must re-establish trust between connectors and the Mobile Center server. For details, see Support for SSL in connectors.

Generating a new certificate

You generate a new certificate for the server using the script in the Security folder as follows: 

Using SSL certificates issued by a Certification Authority (CA)

In a security-conscious environment, it is a best practice to replace self-signed certificates with server certificates issued by a trusted Certification Authority.

After you obtain your certificate file from a Certification Authority, ensure that it contains a complete chain of trust. A chain of trust is a list of certificates that enable the receiver to verify that the sender and all intermediate certificates are trustworthy. To detect and solve problems with your SSL certificate installation, perform an Internet search for "SSL checker" and use one of the online tools to diagnose your problems.

Tip: Mobile Center is a multi-hosted deployment, so the SSL certificate must be generated with a wildcard, and not for a specific host. For example, *.LAB01.TEST.ACME.COM, and not MACHINEA.LAB01.TEST.ACME.COM.
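The following added example (not part of the Mobile Center documentation or product) shows which host names a wildcard name like the one in the tip actually covers under the standard single-label wildcard matching rule. The function names and every host other than the page's MACHINEA.LAB01.TEST.ACME.COM are assumptions made for illustration.

```python
"""Check which deployment hosts a wildcard certificate name covers.

Matching follows the usual TLS client rule (RFC 6125, section 6.4.3): "*" is
honoured only as the complete left-most label and stands for one label.
"""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot only marks the root.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate DNS name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:] + h):
        return False  # wildcard outside the left-most pattern label
    if p[0] == "*":
        # Conservative choice in this example: refuse "*.com"-style names.
        return len(p) > 2 and p[1:] == h[1:]
    return "*" not in p[0] and p == h


def uncovered_hosts(san_names, hosts):
    """Return the hosts that no name in the certificate covers."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in san_names)]


# The wildcard name and the first host are the page's example; the other
# hosts are constructed for illustration.
SAN_NAMES = ["*.LAB01.TEST.ACME.COM"]
HOSTS = [
    "MACHINEA.LAB01.TEST.ACME.COM",      # covered
    "machineb.lab01.test.acme.com",      # covered, case-insensitive
    "LAB01.TEST.ACME.COM",               # bare domain: not covered
    "CONN1.SITE2.LAB01.TEST.ACME.COM",   # two labels deep: not covered
    "MACHINEA.LAB02.TEST.ACME.COM",      # different lab: not covered
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAN_NAMES, HOSTS):
        print("not covered by certificate:", host)
```

Hosts reported as not covered need their own name in the certificate or a separate certificate; otherwise clients connecting to them fail host name verification.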

To import an SSL certificate from a Certification Authority:

Support for SSL in connectors

When a connector acts as a client connecting to the Mobile Center server, the client must trust the certificate presented by the server. This trust is initially established during the installation. If you later replace the self-signed server certificate with a CA-issued certificate, the trust needs to be re-established.

If the CA is a common one, such as Verisign, it may already be trusted. If not, for example if the CA is private, the trust may not be present in the current truststore, and will need to be re-established.

When working in an enterprise environment, you most likely have access to the CA certificate (the public key), but not to the server certificate and its private key. To establish trust, you need to import the certificate of the Certificate Authority (CA) that issued the server certificate, not the server certificate itself. After you import this certificate, the client trusts any certificate issued by this CA. If this trust is not established correctly, the SSL handshake fails and an error message is issued.

Configuring Mobile Center for secure LDAP

To use Mobile Center with secure LDAP (SSL):

  1. Import the LDAP certificate to the truststore:

    keytool -import -file ldapcert.pem -keystore trustStoreHpmc -storepass password -alias mcldaps

  2. Upload the certificate to your machine by running the uploadCertificates.bat/sh script from the /Security folder.
  3. Select Administration Settings in Mobile Center's Administration tab, and scroll down to the LDAP Integration section.
  4. Enable and configure the LDAP settings.
  5. Restart the Mobile Center server.

For additional guidelines, see User management in Admin tasks.
