We have created a Mobile App on Pega 8.7.3. We are able to build for iOS and download the app successfully after adding the certificate set. We are also able to install the app on an iPad.
We are using SAML 2.0 based authentication service for login.
When the app is launched on the iPad, a login prompt appears; on clicking it, the screen redirects to an external login screen, and when the user enters the correct user ID and password and submits, it redirects back to the app, but here the error “Couldn’t establish secure connection” is shown.
From the Safari browser on the iPad we are able to log in successfully and the Pega dashboard is shown to the user. The issue is with the Pega Mobile App only.
Any suggestions on how to proceed further would be helpful.
@AnandI0386 Hi Anand. Did you find a resolution for this issue? We have the same issue with the Android app and haven’t found a solution yet. We are running on version 8.7.1.
@AnandI0386 Thank you Anand for the reply. Same here. We have also raised an INC and there is no resolution yet. Please post here if you get a resolution from Pega Support.
@AnandI0386 Not yet. We are still trying to find what could be the issue with the cert, and we are also checking with Pega support on the incident that we created. Can you tell me whether you have the root CA cert, intermediate cert and your domain cert as part of the certificate you have on your server, or just your domain cert? Also, are the certs part of the cacerts in the Java home directory, or are they in a different file in the server folder?
@SivaguruKrish Last week we observed that this issue is not happening in the production environment.
The difference we could see is that our test (or dev) environment is using self-signed certificates and production is using external CA-signed certificates.
@AnandI0386 Thanks for the reply. Glad that it is working for you in prod now. We suspected the issue was with the cert and tried to rebuild the app using the external CA cert. But it still didn’t work. Maybe we will try that again. Quick question on the cert: the one which is working for you in prod, is that cert a combination of your self-signed cert and the external CA cert, or just the external cert?
@AnandI0386 I can see that you logged INC-A10063 (Couldn’t establish secure connection error from ios mobile app) and our GCS team explained the cause to you December 26th 2023.
Cause:
The mobility team confirmed that we do not support self-signed certs.
Workaround:
GCS requested that you use a CA cert in the test env
Closure:
You confirmed that in your lower env, you are using a self signed certificate, whereas in the working scenario you are using a CA cert
Solution provided was to create a CA certificate for the lower env in order to resolve this problem.
From the documentation:
For Pega Mobile authentication, you need to prepare your app for signing by creating a certificate set. This certificate set consists of keys and certificates that sign the app when you generate the installation package. For Android apps, a signing certificate is created with the Java Keytool command line utility. For iOS apps, a signing certificate is generated in the Apple Developer Portal. These certificates provide a digital authentication for the app and guarantee that the app and its updates come from a legitimate source.
In this particular customer case the root cause turned out to be a lack of PFS (Perfect Forward Secrecy) ciphers available on the server. After enabling such ciphers, the issue went away.
@AnandI0386 We were able to fix the issue. The issue was with the App Server SSL certificate, as we suspected. It did not have the full chain (intermediate + root + domain cert); instead it had just the domain cert. It didn’t impact the app access (https) on the regular Chrome/Edge browsers, but the app version on mobiles/tablets was impacted. We generated a new cert with the full chain and deployed it. The app on the mobiles/tablets started working. Thank you for your responses here.
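The three server-side causes reported in this thread (a certificate file holding only the domain cert with no intermediate, a self-signed certificate in the lower environment, and a cipher configuration without forward secrecy) can all be confirmed from a workstation with `openssl s_client` before rebuilding any app. The script below is an added example, not code from the thread or from Pega; the host names, the "Example Trust" CA, and the two trimmed s_client transcripts are constructed, and the rule that a properly configured public-CA server sends at least two certificates (leaf plus intermediate) is this script's own assumption.

```shell
# POSIX sh. Added example, not from the Pega thread or Pega's own tooling:
# capture what `openssl s_client` reports for a TLS endpoint and check the
# three causes reported in this thread: a chain that omits the intermediate,
# a self-signed or private-CA certificate, and a cipher without forward
# secrecy. Hosts and transcripts below are constructed for the example.

# probe_tls HOST [PORT]: live handshake; pipe the output into classify_tls.
# </dev/null closes stdin so s_client exits right after the handshake.
probe_tls() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# served_chain_depth: number of PEM certificates the server actually sent.
served_chain_depth() {
  grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# has_full_chain: leaf plus at least one intermediate. Assumption: public CAs
# issue from an intermediate, so a single served certificate means the
# intermediate was left out of the server's certificate file.
has_full_chain() {
  n=$(served_chain_depth)
  [ "$n" -ge 2 ]
}

# verify_status: numeric "Verify return code" from s_client (0 = ok).
verify_status() {
  sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1
}

# has_pfs: TLS 1.3 always uses ephemeral key exchange; under TLS 1.2 only
# ECDHE-/DHE- suites give forward secrecy (Apple's ATS requires ECDHE).
has_pfs() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  case "$proto" in TLSv1.3) return 0 ;; esac
  case "$cipher" in ECDHE-*|DHE-*) return 0 ;; esac
  return 1
}

# classify_tls: read s_client output on stdin, print one PASS/FAIL per check.
classify_tls() {
  out=$(cat)
  depth=$(printf '%s\n' "$out" | served_chain_depth)
  code=$(printf '%s\n' "$out" | verify_status)
  if printf '%s\n' "$out" | has_full_chain; then
    echo "PASS chain: server sent $depth certificates (leaf plus intermediate)"
  else
    echo "FAIL chain: server sent $depth certificate(s); browsers fetch a missing intermediate, mobile TLS stacks generally do not"
  fi
  case "$code" in
    0)        echo "PASS trust: verify return code 0 (ok)" ;;
    18|19|20) echo "FAIL trust: code $code, self-signed or private CA not in the client trust store" ;;
    21)       echo "FAIL trust: code $code, leaf cannot be verified because its issuer was not served" ;;
    *)        echo "FAIL trust: verify return code ${code:-missing}" ;;
  esac
  if printf '%s\n' "$out" | has_pfs; then
    echo "PASS pfs: ephemeral key exchange negotiated"
  else
    echo "FAIL pfs: no forward-secrecy suite negotiated; enable ECDHE (or TLS 1.3) on the app server"
  fi
}

# Constructed, trimmed s_client transcripts: a correct production-style server,
# and a dev server serving only the domain cert with a static-RSA suite.
SAMPLE_GOOD=$(cat <<'EOF'
Certificate chain
 0 s:CN = pega.example.com
   i:C = US, O = Example Trust, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(placeholder body, constructed for this example)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Trust, CN = Example Issuing CA
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(placeholder body, constructed for this example)
-----END CERTIFICATE-----
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
)
SAMPLE_BAD=$(cat <<'EOF'
Certificate chain
 0 s:CN = pega-dev.example.com
-----BEGIN CERTIFICATE-----
(placeholder body, constructed for this example)
-----END CERTIFICATE-----
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
EOF
)

# Usage: sh tlscheck.sh HOST [PORT] probes a live server; with no arguments
# it classifies the two constructed transcripts.
if [ $# -gt 0 ]; then
  probe_tls "$@" | classify_tls
else
  printf '%s\n' "$SAMPLE_GOOD" | classify_tls
  printf '%s\n' "$SAMPLE_BAD" | classify_tls
fi
```

The verify-code mapping follows OpenSSL's X509 error numbers (18 self-signed leaf, 19 self-signed certificate in chain, 20 no local issuer, 21 leaf cannot be verified); code 21 is exactly what a server that ships only the domain cert produces, and codes 18 to 20 are what a self-signed lower environment produces. Desktop Chrome and Edge mask the chain problem because they fetch a missing intermediate from the leaf's AIA URL or from a cache of known intermediates, while Android's default trust manager does not, which matches the browser-works, app-fails symptom in this thread. The PFS check matches Apple's App Transport Security requirement of TLS 1.2 with ECDHE suites; if the chain and trust checks pass but the pfs check fails, the fix belongs in the app server's cipher list rather than in the certificate.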
I can see that INC-A10063 was left closed, but instead the question appears to be under investigation in INC-B3469 (Couldn’t establish secure connection error from iOS mobile app).
As soon as the solution is provided, please provide it as a Reply on this forum post and mark it with Accept Solution.