HTTPS Synchronization on Android: Handling Certificates

SQL Anywhere supports HTTPS synchronization for secure transmission of data over public networks. If you are setting this up in your application, you need a certificate on your device that either matches the server identity (in the case of a self-signed certificate) or is issued by a certificate authority that the MobiLink server's identity chains to.

The HTTPS implementation on Android uses the OpenSSL library, which behaves slightly differently from the Certicom libraries that SQL Anywhere uses on other platforms. So here are some pointers on getting HTTPS synchronization to work on Android.

Setting up the certificates

You may already have a certificate signing mechanism set up, in which case you may not need this stage; if you don't, you can use the SQL Anywhere createcert command-line utility to create the certificates that you need. Here are two ways of creating certificates that can be used on Android.

Creating a self-signed certificate

Here is a createcert session to generate a self-signed certificate with the needed properties. The responses that I typed in are bold. Obviously the particular entries for country code and so on would be different in each case, but do notice the non-default Key Usage entry of 3,4,5,6 (the default 3,4,5 plus Certificate Signing), which is required for this to work.

c:\demo>createcert
SQL Anywhere X.509 Certificate Generator Version 12.0.1.3356
Choose encryption type ((R)SA or (E)CC): r
Enter RSA key length (512-16384): 1024
Generating key pair…
Country Code: CA
State/Province: ON
Locality: Waterloo
Organization: Sybase
Organizational Unit: iAnywhere
Common Name: SimpleSync
Enter file path of signer’s certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: a670722d106c4cc7b204e02c9c00a34c
Certificate valid for how many years (1-100): 1
Certificate Authority (Y/N) [N]: n
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [3,4,5]: 3,4,5,6
Enter file path to save certificate: rsa_cert.pem
Enter file path to save private key: private_key.pem
Enter password to protect private key: pwd
Enter file path to save identity: identity.pem

The generated files get used by the server (identity.pem) and by the client (rsa_cert.pem), as shown below. But first, let’s show an alternative way to generate certificates, this time using a certificate authority.

Creating a certificate authority

You may use a certificate from an authority such as Verisign, but here is a sample for creating your own authority, and an identity from it, using createcert. You need to run createcert twice: once to create the certificate authority and once to generate an identity file signed by it. If you are using an external authority you can skip the first session.

1. Create Certificate Authority

c:\demo>createcert
SQL Anywhere X.509 Certificate Generator Version 12.0.1.3356
Choose encryption type ((R)SA or (E)CC): r
Enter RSA key length (512-16384): 1024
Generating key pair…
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase
Organizational Unit: iAnywhere
Common Name: MyRoot
Enter file path of signer’s certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: cfbbe4ac774a49f9984e470f842ba306
Certificate valid for how many years (1-100): 1
Certificate Authority (Y/N) [N]: Y
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [6,7]:
Enter file path to save certificate: rsa_cert.pem
Enter file path to save private key: private_key.pem
Enter password to protect private key: pwd
Enter file path to save identity:
Identity not saved

2. Create server certificate

c:\demo>createcert
SQL Anywhere X.509 Certificate Generator Version 12.0.1.3356
Choose encryption type ((R)SA or (E)CC): r
Enter RSA key length (512-16384): 1024
Generating key pair…
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase
Organizational Unit: iAnywhere
Common Name: SimpleSync
Enter file path of signer’s certificate: rsa_cert.pem
Enter file path of signer’s private key: private_key.pem
Enter password for signer’s private key: pwd
Serial number [generate GUID]:
Generated serial number: 873b60b268754ce3ad00264bb8970a40
Certificate valid for how many years (1-100): 1
Certificate Authority (Y/N) [N]: n
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [3,4,5]:
Enter file path to save certificate:
Certificate not saved
Enter file path to save private key:
Private key not saved
Enter file path to save identity: identity.pem
Enter password to protect private key: pwd
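Before copying a certificate into an Android project it is worth checking that the files createcert wrote actually carry the properties this post depends on. The following is an added example, not code from the original post or from SQL Anywhere: a small desktop Java program that loads a PEM certificate with the standard `java.security.cert` API, prints its subject, issuer, validity period, RSA key size and Key Usage bits (numbered as in the createcert menu), reports whether it is self-signed, and flags the absence of Certificate Signing (usage 6). It covers both sessions above: run it on rsa_cert.pem from the self-signed session, or on the root rsa_cert.pem from the certificate-authority session together with the server certificate if you saved that one to its own PEM file (the second file is optional, and the class name is my own).

```java
// Added example, not code from the original post: a desktop check that the
// PEM files written by createcert have the properties the post says HTTPS
// synchronization on Android needs. Run it on the trusted certificate
// (rsa_cert.pem) and optionally on a server certificate saved to its own
// PEM file. The class name and the chain check are my own additions.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

public class CertCheck {

    // Names in the order of X509Certificate.getKeyUsage(); createcert's menu
    // numbers are these indexes plus one.
    private static final String[] KEY_USAGE_NAMES = {
        "Digital Signature", "Nonrepudiation", "Key Encipherment",
        "Data Encipherment", "Key Agreement", "Certificate Signing",
        "CRL Signing", "Encipher Only", "Decipher Only"
    };
    private static final int KEY_CERT_SIGN = 5; // createcert usage 6

    public static X509Certificate load(String path)
            throws IOException, GeneralSecurityException {
        InputStream in = new FileInputStream(path);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** True when the Certificate Signing bit (createcert usage 6) is set. */
    public static boolean hasCertSign(X509Certificate cert) {
        boolean[] usage = cert.getKeyUsage();
        return usage != null && usage.length > KEY_CERT_SIGN && usage[KEY_CERT_SIGN];
    }

    /** True when the certificate verifies under its own public key. */
    public static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void report(String label, X509Certificate cert) {
        System.out.println("--- " + label + " ---");
        System.out.println("Subject    : " + cert.getSubjectX500Principal());
        System.out.println("Issuer     : " + cert.getIssuerX500Principal());
        System.out.println("Valid      : " + cert.getNotBefore() + " to " + cert.getNotAfter());
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            System.out.println("RSA bits   : "
                + ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength());
        }
        StringBuilder sb = new StringBuilder();
        boolean[] usage = cert.getKeyUsage();
        if (usage != null) {
            for (int i = 0; i < usage.length && i < KEY_USAGE_NAMES.length; i++) {
                if (usage[i]) sb.append(i + 1).append('=').append(KEY_USAGE_NAMES[i]).append("  ");
            }
        }
        System.out.println("Key Usage  : " + (sb.length() == 0 ? "(none)" : sb.toString().trim()));
        System.out.println("Self-signed: " + isSelfSigned(cert));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CertCheck <trusted.pem> [<server.pem>]");
            System.exit(2);
        }
        boolean ok = true;
        X509Certificate trusted = load(args[0]);
        report("trusted certificate", trusted);
        if (!hasCertSign(trusted)) {
            System.out.println("FAIL: Certificate Signing (usage 6) is not set");
            ok = false;
        }
        try {
            trusted.checkValidity(); // the certificates above were issued for one year
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL: not currently valid: " + e.getMessage());
            ok = false;
        }
        if (args.length > 1) {
            X509Certificate server = load(args[1]);
            report("server certificate", server);
            try {
                server.verify(trusted.getPublicKey());
                System.out.println("Server certificate is signed by the trusted certificate");
            } catch (GeneralSecurityException e) {
                System.out.println("FAIL: server certificate is not signed by the trusted certificate");
                ok = false;
            }
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run it with `javac CertCheck.java` and `java CertCheck rsa_cert.pem`; the exit status is non-zero whenever a check fails, so it can sit in a build script. For the self-signed session the output should show usage 6 present and Self-signed: true; for the certificate-authority session the root shows usages 6 and 7 and, given the server certificate as a second argument, the chain check confirms it was signed by that root. Because createcert only writes identity.pem in the second session, save the server certificate separately if you want the chain check.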

Running the MobiLink Synchronization Server

Here is a MobiLink server command line that uses the identity file identity.pem (for either setup).

mlsrv12 -x https(port=443;tls_type=rsa;identity=identity.pem;identity_password=pwd) -c …

Client side code

Here is a synchronization profile that you can use on the client side; it needs access to the certificate file (rsa_cert.pem). I use this for testing synchronization from Interactive SQL without needing to build an application. The statement is split across several lines for readability.

CREATE OR REPLACE SYNCHRONIZATION PROFILE https
'MobiLinkUid=user_1;MobiLinkPwd=password_1;
Stream=https{host=localhost;port=443;
tls_type=rsa;trusted_certificates=rsa_cert.pem};
ScriptVersion=version_1'

An Android client needs to get the certificate into the right place on the client, and then use it for synchronization. Here is the process:

First, you need to be sure that you include the encryption library in your project. I posted about the basic setup for an UltraLite Android project here, and the only difference is to make sure that libmlcsra12.so (from the UltraLite\UltraLiteJ\Android\ARM subdirectory of your SQL Anywhere install) is in the libs\armeabi folder of your Android project.

Next, in your Android project folder, create a folder res\raw, and add the certificate to that folder. In Eclipse this will look as follows:

Your startup code needs to read this resource and save it to the file system. Here is an example:

InputStream is = getResources().openRawResource(R.raw.rsa_cert);
// MODE_PRIVATE keeps the extracted certificate readable only by this application
FileOutputStream os = openFileOutput("rsa_cert.pem", MODE_PRIVATE);
try {
    byte[] buff = new byte[4096];
    int n;
    while ((n = is.read(buff)) != -1) { // read() returns -1 at end of stream
        os.write(buff, 0, n);
    }
} finally {
    os.close();
    is.close();
}

This adds the certificate to the files folder of your application's private storage area, i.e. /data/data/<package-name>/files.

And here is the code to synchronize, reading the certificate and passing it to the synchronization function.

SyncParms sp = _conn.createSyncParms(SyncParms.HTTPS_STREAM, "user_1", "version_1");
sp.setPassword("password_1");
StreamHTTPSParms streamParms = (StreamHTTPSParms)sp.getStreamParms();
streamParms.setHost("10.0.2.2"); // 10.0.2.2 is the address through which the Android emulator reaches the host machine
streamParms.setPort(443);
// Path of the certificate written by the startup code above (package name com.sybase.simplesync)
streamParms.setTrustedCertificates("/data/data/com.sybase.simplesync/files/rsa_cert.pem");
_conn.synchronize(sp);
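The three client-side steps above (bundle the certificate as a raw resource, extract it to private storage, point the HTTPS stream at it) can be combined into one helper. The following is an added example, not code from the original post or from the UltraLiteJ library: it extracts the certificate only once, derives the file path from the `Context` instead of hard-coding /data/data/<package-name>/files, and parses the extracted file with `java.security.cert` so that an expired trusted certificate (the ones generated above are valid for one year) fails early with a clear exception rather than an opaque synchronization error. The class name is my own, and it assumes that the UltraLiteJ classes `Connection`, `SyncParms`, `StreamHTTPSParms` and `ULjException` live in the package com.ianywhere.ultralitejni12; the resource and file names follow the post.

```java
// Added example, not code from the original post: an Android helper that
// extracts the bundled certificate into private storage only once, refuses to
// synchronize with an expired trusted certificate, and derives the file path
// from the Context instead of hard-coding /data/data/<package>/files.
// Assumptions: UltraLiteJ classes live in com.ianywhere.ultralitejni12, and the
// resource is res/raw/rsa_cert.pem as in the post.
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import android.content.Context;

import com.ianywhere.ultralitejni12.Connection;
import com.ianywhere.ultralitejni12.StreamHTTPSParms;
import com.ianywhere.ultralitejni12.SyncParms;
import com.ianywhere.ultralitejni12.ULjException;

public final class TrustedCertSync {
    private static final String CERT_FILE = "rsa_cert.pem";

    /** Copies res/raw/rsa_cert.pem to private storage if it is not already there. */
    public static File installTrustedCert(Context ctx, int rawResId) throws IOException {
        File dest = ctx.getFileStreamPath(CERT_FILE); // <private storage>/files/rsa_cert.pem
        if (dest.length() > 0) {
            return dest; // File.length() is 0 for a missing file, so this also covers "not yet extracted"
        }
        InputStream in = ctx.getResources().openRawResource(rawResId);
        try {
            // MODE_PRIVATE: only this application can read the extracted file
            OutputStream out = ctx.openFileOutput(CERT_FILE, Context.MODE_PRIVATE);
            try {
                byte[] buf = new byte[4096];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            } finally {
                out.close();
            }
        } finally {
            in.close();
        }
        return dest;
    }

    /** Parses the PEM and throws if the certificate is expired or not yet valid. */
    public static X509Certificate requireCurrentlyValid(File pem)
            throws IOException, CertificateException {
        InputStream in = new FileInputStream(pem);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
            return cert;
        } finally {
            in.close();
        }
    }

    /** Runs one HTTPS synchronization against host:443 using the bundled trusted certificate. */
    public static void synchronize(Context ctx, Connection conn, int rawResId, String host)
            throws IOException, CertificateException, ULjException {
        File certFile = installTrustedCert(ctx, rawResId);
        requireCurrentlyValid(certFile);

        SyncParms sp = conn.createSyncParms(SyncParms.HTTPS_STREAM, "user_1", "version_1");
        sp.setPassword("password_1");
        StreamHTTPSParms stream = (StreamHTTPSParms) sp.getStreamParms();
        stream.setHost(host); // pass "10.0.2.2" to reach the development machine from the emulator
        stream.setPort(443);
        stream.setTrustedCertificates(certFile.getAbsolutePath());
        conn.synchronize(sp);
    }
}
```

From an Activity that already holds an open UltraLiteJ connection in `_conn`, the call is `TrustedCertSync.synchronize(this, _conn, R.raw.rsa_cert, "10.0.2.2");`. Checking the extracted file before every synchronization is cheap and turns the most common silent failure of this setup, a trusted certificate that has passed its one-year validity, into an exception you can log.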

So that describes how to create certificates for HTTPS synchronization on Android, how to use them at the server, and how to use them at the client.
