SSL VPN
Trusted Contributor
mattspierce
Posts: 107
Registered: ‎07-27-2010
Accepted Solution

Android Junos Pulse will not accept Cert.

I'm attempting to get certificate authentication working.  I've tested it out on the Windows Client and the iOS Junos Pulse mobile so I know that the signin, realm, and auth servers are correct.  On my Android device I can't seem to get the cert format correct.  First off, why doesn't Android Pulse client support pfx/p12?  That is the easiest, most common format for an exported keypair and certificate.  Even better, why isn't the certificate interface integrated into the Android certificate store? You're duplicating work and making it more difficult to deploy.

 

So far I have exported my pfx file with the command line

openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

 

I've then setup the option to use certs in three different ways with the Junos Client

1) Point the client to certkey.pem for both dialog choices.

2) Split certkey.pem into a cert.pem and key.pem.  In the pulse client I configured the certs as appropriate.

3) Split certkey.pem into a cert.pem and key.pem.  I then edited the .pem files and removed all headers, leaving the begin cert and end cert header.  In the pulse client I configured the certs as appropriate.

4) I took the cert.pem and key.pem and removed all headers, leaving only the ciphertext. I renamed those files cert.der and key.der respectively.  In the pulse client I configured the certs as appropriate.

 

In all cases I get the error "Failed to connect to the server! Check your Certificate."  I have a trace running on the realm the client points to for the UPN the cert uses.  In all cases I never see a login attempt.  I have client cert logging on and the user log shows no attempt.  That tells me that the client isn't digesting the cert or even trying to login.  So where am I messing up?

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Android Junos Pulse will not accept Cert.

To answer your first question on the difficulty, android itself doesn't have good support for certificate authentication. Any changes needed are required by the OS itself.

If you don't have cert auth enabled, do you see the connection attempt?
Trusted Contributor
mattspierce
Posts: 107
Registered: ‎07-27-2010

Re: Android Junos Pulse will not accept Cert.

With Use Cert disabled I get "Missing Certificate. Check that your Certificate is valid and up-to-date and try again" on the client side.

 

Here are the user side logs.

 

InfoAUT234572012-04-27 15:10:55 - ive - [76.164.174.115System(pulse_cert)[] - Login failed using auth server Adtran-PKI (Certificate Server). Reason: NoCert
InfoAUT243272012-04-27 15:10:55 - ive - [76.164.174.115System(pulse_cert)[] - Primary authentication failed for /Adtran-PKI from 76.164.174.115
InfoCRT306632012-04-27 15:10:55 - ive - [76.164.174.115System()[] - client certificate received: -----BEGIN CERTIFICATE----------END CERTIFICATE-----
Trusted Contributor
mattspierce
Posts: 107
Registered: ‎07-27-2010

Re: Android Junos Pulse will not accept Cert.

About using the certificate store, is the problem a lack of API access to the cert store?  I've installed certs there and used them for wifi auth and ActiveSync.  But those are built-in capabilities.

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Android Junos Pulse will not accept Cert.

I believe it may be an API access, yes; however, I am not sure. I only know the ability of pulse to use certificates is very limited on android.
Moderator
AJA
Posts: 130
Registered: ‎05-07-2010

Re: Android Junos Pulse will not accept Cert.

May I know the Android OS version you are running on?

 

There are a few certificate issues on 2.1 - upgrading to 2.2 / 2.3 has helped many Android users.

Moderator
AJA
Posts: 130
Registered: ‎05-07-2010

Re: Android Junos Pulse will not accept Cert.

We also have a KB - KB19692

 

Hope that helps.

Trusted Contributor
mattspierce
Posts: 107
Registered: ‎07-27-2010

Re: Android Junos Pulse will not accept Cert.

Thank you for the KB reference.  I was missing the PEM to DER conversion. Once I got that squared away it works like a champ.  The device interface allows you to reference a .PEM or .DER format file.  I had already trimmed the Bag header as requested in the KB.  Does the Pulse Mobile Android client not support .PEM then?  I'm also not happy having an unencrypted key file sitting on the filesystem.  In my mind it would make the most sense if you implemented a client keystore and allowed import of .pfx.  That seems to be the least worst option for provisioning the mobile client.  The key is encrypted right up to it being entered into the pulse mobile keystore and then the pfx file should be deleted.
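The conversion the thread converges on (PFX -> split PEM with the Bag Attributes dropped -> real DER), as an added example that is not from the thread or the KB. It generates a throwaway self-signed keypair as constructed input so it runs offline; the only assumption is an openssl CLI, and the file names follow the first post (cred.p12, cert.pem, key.pem, cert.der, key.der). The export password "export" is a constructed value.

```shell
#!/bin/sh
# Added example (not from the thread): PFX -> PEM -> DER for the Pulse
# Android client, with a constructed keypair so it needs no real PFX.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 0 (constructed input): throwaway key + self-signed cert, bundled as
# cred.p12 the way an exported PFX would be.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pulse-test" \
        -keyout "$WORK/src.key" -out "$WORK/src.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/src.crt" -inkey "$WORK/src.key" \
        -out "$WORK/cred.p12" -passout pass:export
}

# Step 1: split the PFX into cert.pem and key.pem. Piping through x509/pkey
# re-emits only the PEM body, dropping the "Bag Attributes" preamble that
# `openssl pkcs12` prints and that the KB asks you to trim by hand.
split_p12() {
    openssl pkcs12 -in "$WORK/cred.p12" -passin pass:export -nodes -clcerts -nokeys \
        | openssl x509 -out "$WORK/cert.pem"
    openssl pkcs12 -in "$WORK/cred.p12" -passin pass:export -nodes -nocerts \
        | openssl pkey -out "$WORK/key.pem"
}

# Step 2: the step the thread was missing. Deleting the BEGIN/END lines from a
# .pem and renaming it .der leaves base64 text, not DER; this re-encodes.
to_der() {
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"
    openssl pkey -in "$WORK/key.pem" -outform DER -out "$WORK/key.der"
}

# Checks worth running before copying anything to the device: the DER files
# parse, and the private key really belongs to the cert (same public key).
verify_pair() {
    openssl x509 -in "$WORK/cert.der" -inform DER -noout || return 1
    c=$(openssl x509 -in "$WORK/cert.der" -inform DER -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORK/key.der" -inform DER -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

make_p12
split_p12
to_der
verify_pair && echo "cert.der and key.der ready in $WORK"
# key.pem/key.der are unencrypted: remove them once the client has loaded them.
```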

Moderator
AJA
Posts: 130
Registered: ‎05-07-2010

Re: Android Junos Pulse will not accept Cert.

Please open a JTAC ticket to pass this information and I am sure you should get some help on the last comment of yours.

 

I am happy that my KB reference helped you.

Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks.

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Android Junos Pulse will not accept Cert.


mattspierce wrote:

Thank you for the KB reference.  I was missing the PEM to DER conversion. Once I got that squared away it works like a champ.  The device interface allows you to reference a .PEM or .DER format file.  I had already trimmed the Bag header as requested in the KB.  Does the Pulse Mobile Android client not support .PEM then?  I'm also not happy having an unencrypted key file sitting on the filesystem.  In my mind it would make the most sense if you implemented a client keystore and allowed import of .pfx.  That seems to be the least worst option for provisioning the mobile client.  The key is encrypted right up to it being entered into the pulse mobile keystore and then the pfx file should be deleted.


These are reasonable; however, this is not something that is/has been available on the Android system. The KB you used is working around the limitation of what is available on this OS. I would recommend working with your account team for an enhancement request to get the desire noted through proper channels.
