Issue: Connection to LiveCycle/AEM Forms servers from iOS apps and certain Mac OS clients fail after introduction of Apple's App Transport Security (ATS)
Clients connect to LiveCycle/AEM Forms server using HTTPS. For iOS 9 or Mac OS 10.11 clients connecting to LiveCycle/AEM Forms server via HTTPS, Apple requires the server to be App Transport Security (ATS) compliant. If the server is not ATS compliant, Apple blocks all HTTPS connections to the server.
For ATS compliance of your server, ensure that:
- The LiveCycle/AEM Forms server supports connections using TLS 1.2 standard over HTTPS.
- The TLS 1.2 connection uses ciphers that support perfect forward secrecy through Elliptic curve Diffie-Hellman Ephemeral (ECDHE) key exchange. For list of ciphers that have this property, see NSAppTransportSecurity under Information Property List Key Reference page in Apple pre-release documentation.
- The server certificate is signed with SHA-2 having a minimum digest length of 256 bits.
- The leaf server certificate is signed with one of the following types of keys:
- key with key > 2048 bytes
- ECC key with key > 256 bytes
See pre-release dcoumentation from Apple.
Using TLS 1.2 standard for all communications, even from non-Apple devices, is recommended for security reasons and enabling ATS compliance.
You can use one of the following methods to check if your server is ATS compliant:
- Using SSL Labs if server URL is public
- Using a Mac machine
Perform the following steps to check if your server is ATS compliant using SSL labs:
Perform the following steps to test if your server is ATS compliant using a Mac machine with Mac OS X 10.11 El Capitan:
Perform the following steps to resolve ATS compliance issue:
- Use a proxy, such as Apache proxy.
If your setup is already using a load balancer or a proxy, or if you have introduced a new proxy server, you can modify proxy settings to resolve SSL connection failure issue.
For the new proxy server: ensure that it bears the same domain name as your LiveCycle/AEM Forms server, and read proxy server/load balancer documentation to make your proxy server ATS compliant.
JBoss
With certain Java versions, TLS 1.2 is incompatible. To troubleshoot compatibility, before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java.
If your configuration supports TLS 1.2, perform the following steps for enabling TLS in JBoss server:
-
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="lc-ssl" password="password" protocol="TLSv1.2" key-alias="AEMformsCert" certificate-key-file="C:/Adobe/Adobe_Experience_Manager_Forms/jboss/standalone/configuration/aemformses.keystore" /> </connector>
If you are using JBoss Turnkey which ships with Oracle Java 6 update 26 or update 31, or if you have manually installed Oracle Java 6:
- If you have LiveCycle ES4 or earlier:
- Use a proxy, such as Apache proxy. See steps above.
If you are using JBoss Turnkey which ships with Oracle Java 6 update 26 or update 31, or if you have manually installed Oracle Java 6:
- If you have LiveCycle ES4 or earlier:
- Use a proxy, such as Apache proxy. See steps above.
WebLogic
With certain Java versions, TLS 1.2 is incompatible. To troubleshoot compatibility, before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java.
If your configuration supports TLS 1.2, perform the following steps for enabling TLS in WebLogic server:
-
To configure SSL, see Configuring SSL for WebLogic server.
Verify ATS compliance using the SSL labs or a Mac machine. Steps to verify ATS compliance are mentioned above.
If you are using WebLogic 10.x.x with Jrockit Java 6 R28 installed:
- Use a proxy, such as Apache proxy. See steps above.
WebSphere
With certain Java versions, TLS 1.2 is incompatible. To troubleshoot compatibility, before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java.
If your configuration supports TLS 1.2, perform the following steps for setting TLS on WebSphere Application Server:
-
To configure SSL, see Configuring SSL for WebSphere Application Server.
-
For configuring SSL with TLS, see steps in Configuring WebSphere Application Server to support TLS 1.2.
Verify ATS compliance using the SSL labs or a Mac machine. Steps to verify ATS compliance are mentioned above.
If you are using WebSphere Application Server 7.0.0.x, and IBM Java 6 isntalled:
- Update WebSphere Application Server to 7.0.0.35 and update IBM Java 6.
- Add bouncy castle provider (1.5.4)
- Enable ECDHE ciphers in WebSphere:
- Log in to the WebSphere Application Server Integrated Solutions Console.
- Navigate to Security > SSL Certificate & Key Management > SSL Configurations > NodeDefaultSSLSettings > Quality of protection (QoP settings).
- Sepcify cipher suite groups as custom and add appropriate ECDHE ciphers.
- Save and restart the server.
If you are using WebSphere Application Server 8.0.0.x, and IBM WebSphere Java SDK 1.6 installed:
- Update WebSphere Application Server to 8.0.0.10
- Update Java
Strong cipher suite groups has ECDHE ciphers by default. - Enable TLS 1.2 and restart the server.
If you are using WebSphere Application Server 8.x.x.x, with IBM J9 Virtual Machine (build 2.6 & 2.7, JRE 1.7.0) installed:
- Add bouncy castle provider (1.5.4). Perform the following steps to add Bouncy Castle Provider (1.5.4) in Java security file:
- Copy the bouncy castle provider jar to the JDK folder under your server installation. For example: C:\Adobe\Adobe LiveCycle ES4\Java\jdk1.6.0_31\jre\lib\ext.
To download the jar file click here. - Update the config file at $JAVA_HOME/jre/lib/security/java.security
with the entry:
security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider
(replace N with the next logical number)
Do not install Bouncy Castle Provider 1.5.5 because of known signing issue.
- Copy the bouncy castle provider jar to the JDK folder under your server installation. For example: C:\Adobe\Adobe LiveCycle ES4\Java\jdk1.6.0_31\jre\lib\ext.
Note:
Add bouncy castle only if you do not see required ciphers in the ciphers list that appears in administration console.
Enable ECDHE ciphers in WebSphere:
- Log in to the WebSphere Application Server Integrated Solutions Console.
- Navigate to Security > SSL Certificate & Key Management > SSL Configurations > NodeDefaultSSLSettings > Quality of protection (QoP settings).
- Sepcify cipher suite groups as custom and add appropriate ECDHE ciphers.
- Save and restart the server.
Twitter™ and Facebook posts are not covered under the terms of Creative Commons.