How to fix SSL issues when integrating Android applications with a local IS

Piraveena Paralogarajah
May 2, 2020

You may run into SSL issues when you try to integrate your Android application with a WSO2 Identity Server running on your local machine.

This can occur when your Android emulator calls the local server through the IP address 10.0.2.2.

Fix the SSLHandshakeException

  • Sometimes you may get an SSLHandshakeException in the Android application because WSO2 IS uses a self-signed certificate.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  • Follow the Android documentation to get rid of the SSLHandshakeException.
  • To fix this exception, you need to add the public certificate of IS to the res/raw folder.
  • Then add the following config to the manifests/AndroidManifest.xml file:
android:networkSecurityConfig="@xml/network_security_config"

Now the AndroidManifest.xml file will look like this:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application android:networkSecurityConfig="@xml/network_security_config"
... >
...
</application>
</manifest>
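
The manifest attribute above points at res/xml/network_security_config.xml, which this post does not show. The following is an added example of that file, not taken from the original post. It assumes the certificate is stored as res/raw/wso2carbon.pem (the name used when it is exported later in this post) and limits trust in it to the emulator's host address instead of every connection the app makes:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the original post) -->
<network-security-config>
    <!-- Trust the self-signed IS certificate only for 10.0.2.2.
         All other hosts keep the platform's default trust anchors. -->
    <domain-config>
        <domain includeSubdomains="false">10.0.2.2</domain>
        <trust-anchors>
            <!-- Assumption: the exported certificate is res/raw/wso2carbon.pem;
                 resource names omit the file extension. -->
            <certificates src="@raw/wso2carbon" />
        </trust-anchors>
    </domain-config>
    <!-- To keep this certificate out of release builds entirely, declare the
         same <trust-anchors> block inside <debug-overrides> instead; it is
         applied only when the app is built with android:debuggable="true". -->
</network-security-config>
```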

Fix SSLPeerUnverifiedException

  • Once you fix this issue, you may get this error.
javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.0.2.2 not verified:
  • The application uses the IP address 10.0.2.2 to connect to IS, but this IP is not present as the CN in the certificate. You can't add an IP address as a CN in a certificate; you have to add it as a Subject Alternative Name (SAN).
  • You can't add SAN values to the existing certificate.
  • So you need to remove the existing keystore of WSO2 Identity Server.
  • Navigate to the <IS_HOME>/repository/resources/security/ directory and remove the wso2carbon.jks file.

Create a new keystore for IS with SAN

  • Create a new keystore and set the SAN value to 10.0.2.2:
keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048 -ext SAN=IP:10.0.2.2
  • Export the public certificate (name it wso2carbon.pem) so it can be added to the truststore:
keytool -exportcert -alias wso2carbon -keystore wso2carbon.jks -rfc -file wso2carbon.pem
  • Import the certificate into the client-truststore.jks file located in <IS_HOME>/repository/resources/security/:
keytool -import -alias wso2is -file wso2carbon.pem -keystore client-truststore.jks -storepass wso2carbon
  • Now copy this public certificate (wso2carbon.pem) into the res/raw folder.

Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2