Issue: Connections to LiveCycle/AEM Forms servers from iOS apps and certain Mac OS clients fail after the introduction of Apple's App Transport Security (ATS)
Clients connect to LiveCycle/AEM Forms server using HTTPS. For iOS 9 or Mac OS 10.11 clients connecting to LiveCycle/AEM Forms server via HTTPS, Apple requires the server to be App Transport Security (ATS) compliant. If the server is not ATS compliant, Apple blocks all HTTPS connections to the server.
For ATS compliance of your server, ensure that:
See pre-release documentation from Apple.
Using the TLS 1.2 standard for all communications, even from non-Apple devices, is recommended both for security reasons and to enable ATS compliance.
You can use one of the following methods to check if your server is ATS compliant:
Perform the following steps to check if your server is ATS compliant using SSL Labs:
In your browser, open: https://www.ssllabs.com/ssltest/analyze.html
Type your server URL in the Hostname field and click Submit.
You can type acrobat.com or select one of the available options to see how it works.
In the SSL report page, find Apple ATS 9/iOS 9.
If your server is ATS compliant, you can see a message in green against the ATS 9/iOS 9. If your server is not ATS 9/iOS 9 compliant, you can see a message in red.
Perform the following steps to test if your server is ATS compliant using a Mac machine with Mac OS X 10.11 El Capitan:
In the terminal, type: /usr/bin/nscurl --ats-diagnostics <url>
Replace <url> with the server URL for which you want to verify ATS compliance.
Your server is ATS compliant if you see the following message:
--- ATS Default Connection Result: PASS ---
You can use one of the procedures above to validate ATS compliance.
Perform the following steps to resolve an ATS compliance issue:
If you cannot use a proxy server, perform the steps according to the app server you are using.
TLS 1.2 is incompatible with certain Java versions. To troubleshoot compatibility before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java.
If your configuration supports TLS 1.2, perform the following steps for enabling TLS in JBoss server:
Configure SSL using LCM.
Open lc_turnkey.xml file in editor.
Path:
For LiveCycle: <LC-install-directory>\jboss\server\lc_turnkey\deploy\jbossweb.sar\server.xml
For AEM Forms: <AEM-install-directory>\jboss\standalone\configuration\lc_turnkey.xml
Change ssl protocol value to TLSv1.2 as shown below:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="lc-ssl" password="password" protocol="TLSv1.2" key-alias="AEMformsCert" certificate-key-file="C:/Adobe/Adobe_Experience_Manager_Forms/jboss/standalone/configuration/aemformses.keystore" />
</connector>
Restart the server.
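A check for the protocol change described above, as an added example that is not part of the original page or Adobe's code: it parses the connector configuration and reports every HTTPS connector whose ssl protocol is not exactly TLSv1.2. The function names, the wrapping subsystem element with its namespace, the shortened keystore path and the https-legacy connector in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = "TLSv1.2"  # value the page tells you to set on the <ssl> element


def local(tag):
    """Drop an XML namespace prefix such as '{urn:example:web}'."""
    return tag.rsplit("}", 1)[-1]


def audit_connectors(xml_text):
    """Return (connector name, status, detail) for every HTTPS connector."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "connector" or el.get("scheme") != "https":
            continue  # plain HTTP connectors carry no <ssl> settings
        name = el.get("name", "?")
        ssl = [child for child in el if local(child.tag) == "ssl"]
        if not ssl:
            findings.append((name, "FAIL", "no <ssl> element"))
            continue
        proto = ssl[0].get("protocol")
        if proto is None:
            findings.append((name, "FAIL", "protocol attribute missing"))
        elif proto.strip() == REQUIRED:
            findings.append((name, "OK", REQUIRED))
        else:
            # Anything other than exactly TLSv1.2 (older versions, mixed
            # lists) differs from the setting the page prescribes.
            findings.append((name, "FAIL", f"protocol={proto!r}, expected {REQUIRED}"))
    return findings


# Constructed sample: the page's two connectors (keystore path shortened),
# plus a hypothetical misconfigured one, inside a hypothetical wrapper.
SAMPLE = """<subsystem xmlns="urn:example:web">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="lc-ssl" password="password" protocol="TLSv1.2" key-alias="AEMformsCert" certificate-key-file="aemformses.keystore"/>
  </connector>
  <connector name="https-legacy" protocol="HTTP/1.1" scheme="https" socket-binding="https-legacy" secure="true">
    <ssl name="old-ssl" protocol="TLSv1,TLSv1.2"/>
  </connector>
</subsystem>"""

if __name__ == "__main__":
    for name, status, detail in audit_connectors(SAMPLE):
        print(f"{status:4} {name}: {detail}")
```

To audit a real installation, pass the contents of the configuration file named above to audit_connectors instead of SAMPLE.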
Steps to verify that the browser is using the updated TLS
Open secure adminui page in Firefox:
URL: https://<server>:<port>/adminui
Click the green lock icon on the left of the URL, then click the next button > More Information.
You can see TLS version under technical details.
If you are using JBoss Turnkey which ships with Oracle Java 6 update 26 or update 31, or if you have manually installed Oracle Java 6:
TLS 1.2 is incompatible with certain Java versions. To troubleshoot compatibility before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java.
If your configuration supports TLS 1.2, perform the following steps for enabling TLS in WebLogic server:
To configure SSL, see Configuring SSL for WebLogic server.
Restart all the servers.
In Domain Configurations, click Servers > [Managed Server] > Configuration > Server Start tab.
In the Arguments box, add -Dweblogic.security.SSL.protocolVersion=TLSV1.2.
Click Save.
Steps to verify that the browser is using the updated TLS
Open secure adminui page in Firefox:
URL: https://<server>:<port>/adminui
Click the green lock icon on the left of the URL, click the next button > More Information.
You can see TLS version under technical details.
Verify ATS compliance using SSL Labs or a Mac machine. The steps to verify ATS compliance are described above.
If you are using WebLogic 10.x.x with Jrockit Java 6 R28 installed:
TLS 1.2 is incompatible with certain Java versions. To troubleshoot compatibility before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java.
If your configuration supports TLS 1.2, perform the following steps for setting TLS on WebSphere Application Server:
To configure SSL, see Configuring SSL for WebSphere Application Server.
Restart the server.
For configuring SSL with TLS, see steps in Configuring WebSphere Application Server to support TLS 1.2.
Restart the server.
Steps to verify that the browser is using the updated TLS
Open secure adminui page in Firefox:
URL: https://<server>:<port>/adminui
Click the green lock icon on the left of the URL, click the next button > More Information.
You can see TLS version under technical details.
Verify ATS compliance using SSL Labs or a Mac machine. The steps to verify ATS compliance are described above.
If you are using WebSphere Application Server 7.0.0.x, and IBM Java 6 installed:
If you are using WebSphere Application Server 8.0.0.x, and IBM WebSphere Java SDK 1.6 installed:
If you are using WebSphere Application Server 8.x.x.x, with IBM J9 Virtual Machine (build 2.6 & 2.7, JRE 1.7.0) installed:
Add Bouncy Castle only if you do not see the required ciphers in the ciphers list that appears in the administration console.
Enable ECDHE ciphers in WebSphere: