We have an end-to-end iOS MDM implementation developed.
Now, I have a requirement that each customer (tenant) should have its own APNs certificate which will be used for sending push notification.
Using java I have created a .CSR referring the iOS Vendor CSR Signing Link which is used to create a Customer.CSR.
Using the Apple's Identity Portal then created the .pem file which is of format MDM_ <Vendor_Name> _Certificate.pem.
Query:
Say dated 28-10-2014, I uploaded the Customer.CSR to the identity portal and got MdM_Vendor_Certificate.pem (saved it on my local desktop as cert1.pem).
Say dated 29-10-2014, I uploaded the same Customer.CSR to the identity portal and got MdM_Vendor.Certificate.pem (saved it on my local desktop as cert2.pem).
Now when read both the certificate contents:
i find that cert1.pem has UID = com.apple.mgmt.External.26b... (lets call it as topic1)
and cert2.pem has UID = com.apple.mgmt.External.271.. (lets call it as topic2)
i.e. both the UID's are different.
So my question is:
As UID is used in Topic field of the MDM Payload which is internally used by APNs for sending push notifications.
Now Say I have installed an MDM Profile on the device with topic1 and till the time cert1.pem was used for APNs the device will receive push notifications as the UID match with topic in that case.
But,
Say When customer renews the APNs certificate the UID changes to topic2 and the certificate used will be cert2.pem, but the device still has mdm profile with topic1 installed (We will not be re-installing the MDM Profile on device i assume).
So how will the device (with topic1) receive push notifications as the APNs will now get certificate with topic2. Or is it handled by APNs that it will map all the devices with topic1 to topic2.
I am unsure about this behavior of APNs. Please help.
I hope i made myself clear.
Thanks.
Thanks
Samreen Shaikh
Whenever the customer renews a certificate using the Renew button in the apple's identity portal the Topic field does not change.
If ever the apns certificate has expired then the customer needs to redo the whole procedure. Right from getting the CSR uploading it to apple's identity portal and getting back a PEM certificate. A new topic is created.
All the devices which were enrolled with old apns has to remove the old profile and re-install the mdm payload with the new apns certificate created as the topic has changed and the device will not get any apns notifications.
Related
I'm writing an Android app that talks with my php backend server. I want to give sha1 fingerprint to server everytime when i make a request, in this way server will know it's my app and will answer the request. But as you know, apk datas will reverse engineered easly and the sha1 fingerprint can be discovered and can be hardcore written.
How can i really be sure that request comes from my app?
Thanks in advance
edit: to that s.. o. a b.... that dislikes my question. please come here and write why you disliked my question. thanks
You can't really do it as you don't have control over the application nor the network traffic. But here is some tricks :
Put HTTPS in the server so network traffic cannot be spoofed easily with an external app.
Create a HMAC from your server or SSL certificates (need an authority CA) and pass it to the application. Send the HMAC only if you have a specific MAC or PC id or IP address, you can check with files and so on that everything is okay but with reverse engineering, it can be reverted. You can use hash_hmac in PHP.
You should not keep sensitive information in your application but rely on your server-side for all sensitive informations and check.
If you need some data to be kept on the application and sent back afterwards, you can also use PGP keys to sign or encrypt data and then send it back to the sever, verify and/or decrypt it. You can do with GnuPG module or use pass_thru to pass shell args. As the application does not have access to keys, your data cannot be altered nor decrypted.
Could someone let me know whether the Azure IoT Java Service SDK has capability to register a device which authenticates using X.509 certificates?
Also, can the Azure IoT Java Device SDK send MQTT by authenticating using X.509 certificates?
Many thanks.
Pls Refer;
https://github.com/Azure/azure-iot-sdk-java
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#supported-x509-certificates
jayaweera
This is work in progress and we expect to have CA signed certs support in both the device and the service clients by the end of the month.
You can track progress in the GitHub repo.
In google play game services, you have to link your apps to your Game service campaign. Whenever you link an app you have to authorize it by providing the package and then the SHA1 Signing certificate fingerprint. My question is if you generate the app's apk on a different computer, the SHA1 certificate will be different. So do you have to delete the linked app and re-add it with the new SHA1? The documentation is pretty unclear about this.
My question is if you generate the app's apk on a different computer,
the SHA1 certificate will be different
Why would the certificate be different? You must use the same keystore and provide the keystore password every time you generate the APK for a release. See the documentation about this.
Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.
I want to write an application which takes application id and certificate of my client's app registered in APNS server and tries to push a notification to the concrete device in his name. I should recieve the data from my client in JSON form. The problem is I can't make him to send me a certificate in JSON.
I would like to use this method call later:
Push.alert("Hello World!", "keystore.p12", "keystore_password", false, "Your token");
Is there a way to do this without .cer file? Can client of mine send me just some text information to fill in place of "keystore.p12", "keystore_password"?
You cannot use push notifications through apple without a certificate. You should get the certificate from your client through some secure means and not through a service that is part of your app. A certificate, such s this, has a private key and should be guarded as it can be used to impersonate your server. If your client will not give you the certificate, either a development cert or a production cert, and you need to continue working on his project, you should create an entirely different app id for testing and when you get to a point where you are distributing to your client, change to the app id of you client.
I'm new to this. I generated Certificate Signing Request as in here. Then I used that certificate file which is in .p12 format to establish a connection to Apple push notification server via java-apns. Here is the code that I have used.
ApnsService service =
APNS.newService()
.withCert("/home/ApplePush/apple.p12", "abc")
.withProductionDestination()
.build();
service.testConnection();
But when I run this code it gives me following esception.
"Exception in thread "main" com.notnoop.exceptions.NetworkIOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure".
What is the wrong I have done?
Hi I have had the exact same problem. Like you, I have followed raywenderlinch tutorial and used java-apns library in the backend to communicate with APNS. The certificates thing in the tutorial are focused for php and they are doing something with .pem files which is not needed for java-apns invocation.
I was feeding java-apns with the first .p12 certificate that you create at the beginning of the tutorial. And that was my mistake. What you need to do is generate the .p12 from the certificate generated by apple (aps_developer_identity.cer). Double-click on it and in the keystore manager mac app export as .p12 use some password and try to connect with java-apns using this .p12 and password.
Of course everything related to provisioning portal explained in the ray tutorial must be done correctly.
Thats what has solved my sslHandShakeException. I dont know if you are having the exact same problem but hope it is and this information could help you.
This can happen if you use the wrong cert, i.e. the one under "Certificates" in the provisioning portal as opposed to the one that you request specifically for a given app's notifications. Under "App IDs"-> (the specific app you want) -> Configure, check "Enable for Apple Push Notification service", then click the "Configure" button for either Dev or Prod. This will take you through the process of requesting a certificate for this specific app's push notifications.