Configuration of WTLS in purchased product?
NowSMS Support Forums, Now.WAP Proxy Support, archive through October 01, 2008
Magnus Krampell, New member, Username: Magnusk, Post Number: 3, Registered: 10-2005
Hi! I am using the purchased WTLS version, and wonder how to configure certificates for WTLS class 3. The documentation contains no help on the subject as far as I have found... regards, /Magnus
Bryce Norwood - NowSMS Support, Board Administrator, Username: Bryce, Post Number: 6378, Registered: 10-2002
There is no support for WTLS class 3 (client side certificates). Only Class 1 and 2.
Magnus Krampell, New member, Username: Magnusk, Post Number: 4, Registered: 10-2005
OK, but how do I configure the server certificate for WTLS Class 2?
Kent Williams, Moderator, Username: Kent, Post Number: 132, Registered: 10-2003
To enable WTLS Class 2, a WTLS WAP Server Certificate needs to be signed by a trusted certificate authority (CA). By default, without a certificate, NowWAP only operates in WTLS Class 1 mode.

It is possible to configure NowWAP to operate in WTLS Class 2 using a simple certificate included with the gateway installation. To enable this behaviour, edit WAPGW.INI, and add WTLSUseTrialCert=Yes under the [WAPGW] section header.

To generate a certificate request, the CERTREQ utility is used. CERTREQ.EXE is located in the NowWAP program directory. The certificate request will be stored in a file named WAPCERT.REQ, in the NowWAP program directory. The contents of this request file must be submitted to your certificate authority to be signed.

When you receive the signed certificate back from your certificate authority, you must store the certificate in a file named WAPCERT.CRT in the WAP3GX program directory. Be sure to include the "---BEGIN" and "---END" lines of the certificate when creating the WAPCERT.CRT file.
Magnus Krampell, New member, Username: Magnusk, Post Number: 6, Registered: 10-2005
The GW is used as a test system, so we do not have a commercial relationship with a CA that can sign for us. We tried OpenSSL, but it cannot be used to sign certificates from other sources. Can you suggest a tool that we can use to get our certificates signed? We basically just want to test WTLS class 2 in clients... /Magnus
Bryce Norwood - NowSMS Support, Board Administrator, Username: Bryce, Post Number: 6494, Registered: 10-2002
I'm not sure that the web site is still alive (might just be down at the moment), but I have used www.freecerts.com in the past. Additionally, Verisign and Entrust have had 30 day trial certs available in the past, but I don't know if they are still available. (When asked what gateway you are using, select Materna if we are not listed.)
Magnus Krampell, New member, Username: Magnusk, Post Number: 9, Registered: 10-2005
OK, we are trying these, but without success so far... As part of the installation, there is a file: wap3gx.crt. This is an expired certificate(!) Do you have a valid certificate available? regards, /Magnus
Bryce Norwood - NowSMS Support, Board Administrator, Username: Bryce, Post Number: 6681, Registered: 10-2002
Magnus,
The test certificate is "semi-valid", it is self-signed, so it's a bit dodgy. I've had a colleague create one that is not expired, and it has been uploaded to http://www.nowwap.com/download/wtlsnewcert.zip. -bn
Aleksandra Jönsson, New member, Username: Flaflex, Post Number: 1, Registered: 10-2006
Hi, I have now tested the gateway with the new test certificate. My question to you is: when I make a secure connection through the WAP gateway I get the response that the client does not have a matching CA certificate. Which certificate should then be downloaded to the client in order to make a secure connection through the gateway?
Kent Williams, Moderator, Username: Kent, Post Number: 138, Registered: 10-2003
Hi,
This is certainly a mind-bending trip down memory lane, as we are most definitely not experts on certificate management. A couple of years ago, there were a variety of services that offered trial certificates. But these days, I can only find commercial solutions that don't offer trial certificates first.

To download a certificate to a client, what you need to do is convert the format from base64 encoding to raw binary format. Basically, the certificate data in the ".crt" file is the data between the "---BEGIN CERTIFICATE---" and "---END CERTIFICATE---" markers ... and it is base64 encoded. Decode the base64 data and convert it to raw binary format. Then, the standard method of downloading the certificate to a phone is to download it giving it a MIME content type of "application/vnd.wap.wtls-ca-certificate".

But, you should note from this MIME type, that what would normally download to the phone is a CA (certificate authority) certificate, as opposed to a server certificate. The ".crt" file in that ZIP is a server certificate, not a CA certificate. And it is a self-signed certificate. Normally, the process of generating a server certificate is that you generate a certificate request to a certificate authority, and they sign the certificate with their CA certificate. The CA certificate is what gets installed on the device, so that the device will accept any server certificates signed by that CA certificate.

In the self-signed example, the certificate is both a server certificate and a CA certificate. You can perform the binary conversion that I described on this certificate, and then download it to the client using the MIME content type of "application/vnd.wap.wtls-ca-certificate". But some clients may get confused about the certificate being self-signed. To avoid this confusion, I've uploaded new certificates to http://www.nowwap.com/download/wtlsnewcert.zip to replace the previous upload.

Use the new private key and certificate instead (.key and .crt file) to replace the test certificate in the NowWAP installation. Then, you will note that there is an additional file ... cert.wtlscacert. This is a binary version of the CA certificate that signed the new server certificate. You need to download this certificate to your client device. The easiest way to do this is as follows:

1.) Create a WML subdirectory under the NowWAP installation directory. Copy cert.wtlscacert to this directory.

2.) Add a MIME content type definition for ".wtlscacert" to the Windows registry. The easiest way to do this is via REGEDIT. Go into REGEDIT ... click on HKEY_CLASSES_ROOT ... right click and select "New Key" ... name the key ".wtlscacert". Right click on ".wtlscacert", and select "New String Value". The name of the string value should be "Content Type". Click on the string value name to edit the string "value data" ... and enter the value data "application/vnd.wap.wtls-ca-certificate".

3.) Connect the client to the WAP gateway and request http://local/cert.wtlscacert ... this should download "cert.wtlscacert" from the WML subdirectory, using the MIME content type "application/vnd.wap.wtls-ca-certificate", and the client should recognise this as a CA certificate installation.

Good luck.
-- Kent Williams
Now Wireless Support
Aleksandra Jönsson, New member, Username: Flaflex, Post Number: 2, Registered: 10-2006
Thank you for your answer. I have another question. We keep the certificates that can be downloaded on a specific server. Is it possible to put the cert.wtlscacert on that server and download it to the client, providing that the same registry settings will be made? Regards Aleksandra
Bryce Norwood - NowSMS Support, Board Administrator, Username: Bryce, Post Number: 6715, Registered: 10-2002
Hi Aleksandra,
Yes, that is not a problem. All that matters is that the MIME type is returned correctly by the web server. You can rename the actual file extension however you want ... it is not important ... only the MIME type returned by the web server is important. -bn
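As an added example, not code from this thread or from NowWAP: a small Python script that does the conversion Kent describes in his post above (pull the base64 out from between the BEGIN/END markers of the .crt file, decode it to raw binary, and fail clearly on a file that was saved without its markers) and then serves the result the way Bryce's reply says any web server can, by returning application/vnd.wap.wtls-ca-certificate for the file regardless of its name. The sample armored text and its payload, the .wtlscacert extension mapping, and all function names are constructed for the example; the payload bytes are not a real WTLS certificate.

```python
"""Added example, not NowWAP's own code: turn an armored (base64 between
BEGIN/END markers) certificate file into the raw binary a WTLS client expects,
and serve it with the MIME type application/vnd.wap.wtls-ca-certificate."""
import base64
import binascii
import http.server
import posixpath
import re
from functools import partial

WTLS_CA_MIME = "application/vnd.wap.wtls-ca-certificate"

# Extension-to-MIME table: the web-server counterpart of the registry
# "Content Type" entry. Only the MIME type the server returns matters.
CONTENT_TYPES = {".wtlscacert": WTLS_CA_MIME}

# Constructed sample in the layout of a .crt file. The body decodes to the
# bytes b"not a real cert"; it is not a real WTLS certificate.
SAMPLE_CRT = """text a CA may place before the certificate
-----BEGIN CERTIFICATE-----
bm90IGEgcmVh
bCBjZXJ0
-----END CERTIFICATE-----
"""

# Accepts the three-dash markers quoted in the thread as well as the usual five.
_ARMOR_RE = re.compile(
    r"-+BEGIN CERTIFICATE-+\s*(?P<body>.*?)\s*-+END CERTIFICATE-+", re.DOTALL)


def armored_to_binary(text: str) -> bytes:
    """Extract the base64 between the BEGIN/END markers and decode it.

    Raises ValueError when the markers are missing (a WAPCERT.CRT saved
    without its BEGIN/END lines) or when the body is not valid base64.
    """
    match = _ARMOR_RE.search(text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = "".join(match.group("body").split())  # drop line breaks and spaces
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc


def convert_file(src_path: str, dst_path: str) -> int:
    """Write the raw binary form of src_path to dst_path; return bytes written."""
    with open(src_path, "r", encoding="ascii") as src:
        raw = armored_to_binary(src.read())
    with open(dst_path, "wb") as dst:
        dst.write(raw)
    return len(raw)


def mime_for(filename: str) -> str:
    """MIME type from CONTENT_TYPES for filename (case-insensitive extension),
    application/octet-stream for anything not listed there."""
    ext = posixpath.splitext(filename)[1].lower()
    return CONTENT_TYPES.get(ext, "application/octet-stream")


class WtlsCertHandler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler that labels .wtlscacert files with the WTLS CA MIME type."""

    def guess_type(self, path):
        ext = posixpath.splitext(path)[1].lower()
        if ext in CONTENT_TYPES:
            return CONTENT_TYPES[ext]
        return super().guess_type(path)


def serve(directory: str, port: int = 8080) -> None:
    """Serve directory so a client can fetch http://host:port/cert.wtlscacert."""
    handler = partial(WtlsCertHandler, directory=directory)
    with http.server.ThreadingHTTPServer(("", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # convert: script.py in.crt out.wtlscacert
        print(f"wrote {convert_file(sys.argv[1], sys.argv[2])} bytes")
    elif len(sys.argv) == 2:        # serve: script.py /path/to/directory
        serve(sys.argv[1])
    else:                           # no arguments: decode the built-in sample
        print(armored_to_binary(SAMPLE_CRT))
```

The handler keys only on the extension, so the file can carry any base name, which is the point Bryce makes; if a client still reports a missing CA certificate after the download, the first things to check are the Content-Type header actually sent (the table above, or the registry entry in Kent's step 2) and that the file on disk is the decoded binary rather than the armored text.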
Aleksandra Jönsson, New member, Username: Flaflex, Post Number: 3, Registered: 10-2006
Is it OK to rename the entire WTLS CA cert, i.e. both name and file extension? Or must it be called cert.xxx? Aleksandra
Bryce Norwood - NowSMS Support, Board Administrator, Username: Bryce, Post Number: 6737, Registered: 10-2002
The name and/or file extension can be changed.
Aleksandra Jönsson, New member, Username: Flaflex, Post Number: 4, Registered: 10-2006
Hi, I have a final (I hope) question. We used to test the 3DES and RC5 algorithms on another gateway we had. On this gateway there was the possibility to disable the RC5 algorithm in the gateway in order to test the 3DES algorithm, since RC5 has higher priority than 3DES. My question is if it is possible to do the same in NowWAP? Regards Aleksandra
Aleksandra Jönsson, New member, Username: Flaflex, Post Number: 5, Registered: 10-2006
Hello again, First of all I would like to thank you for your help with the certificate you have created. I have a question that concerns client certificates. In the past we have used our WTLS CA certificate and the corresponding key to create a client certificate. Do you have a key that was created when you created the cert.wtlscert? And would it be possible for us to have it? Regards Aleksandra
Kent Williams, Moderator, Username: Kent, Post Number: 143, Registered: 10-2003
Aleksandra, I'm sorry, but I do not know the answer to this question, as I don't have any direct experience on the client side development. I thought that the way that it works is that the client proposes the cipher suites that it wants to use. And the client lists the ciphers in its order of preference. The server then picks the first one from the client's list that it supports. So if the client lists 3DES first, that should be selected. -bn
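The negotiation Kent describes, as an added illustration that is not NowWAP code and not a statement of how NowWAP itself selects ciphers: the server walks the client's ordered proposal and takes the first suite it has enabled. Run against the scenarios behind Aleksandra's question, it shows the two ways to land on 3DES (reorder the client's list, or drop RC5 from the server's enabled set) and what happens when the two sides share nothing. Suite labels and scenarios are constructed.

```python
"""Added example, not NowWAP code: server-side cipher selection from a
client's preference-ordered proposal, as described in the thread."""

# Constructed labels for the two bulk ciphers discussed in the thread.
RC5 = "RC5"
TRIPLE_DES = "3DES"


def select_cipher(client_prefs, server_enabled):
    """Return the first suite in client_prefs that the server has enabled.

    Returns None when the two sides share no suite, the case a real handshake
    aborts on rather than silently choosing something the client did not offer.
    """
    enabled = set(server_enabled)
    for suite in client_prefs:
        if suite in enabled:
            return suite
    return None


def scenarios():
    """Walk the situations raised in the thread and return each outcome."""
    client_rc5_first = [RC5, TRIPLE_DES]
    client_3des_first = [TRIPLE_DES, RC5]
    both = [RC5, TRIPLE_DES]
    return {
        # Server has both enabled: the client's first choice wins, so RC5.
        "both enabled, client prefers RC5": select_cipher(client_rc5_first, both),
        # Same server; the client reorders its list and gets 3DES with no server change.
        "both enabled, client prefers 3DES": select_cipher(client_3des_first, both),
        # RC5 disabled on the server (the other gateway's approach): 3DES is picked
        # even though the client listed RC5 first.
        "RC5 disabled on server": select_cipher(client_rc5_first, [TRIPLE_DES]),
        # Nothing in common: no suite, so the handshake cannot complete.
        "no overlap": select_cipher([RC5], [TRIPLE_DES]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```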
Kent Williams, Moderator, Username: Kent, Post Number: 144, Registered: 10-2003
I should have taken better notes when I generated it. But I think this is it:
And I believe the password is "NowSMS".