Document Security: Apple's App Transport Security (ATS) Compliance

Issue: Connection to LiveCycle/AEM Forms servers from iOS apps and certain Mac OS clients fail after introduction of Apple's App Transport Security (ATS)

Clients connect to LiveCycle/AEM Forms server using HTTPS. For iOS 9 or Mac OS 10.11 clients connecting to LiveCycle/AEM Forms server via HTTPS, Apple requires the server to be App Transport Security (ATS) compliant. If the server is not ATS compliant, Apple blocks all HTTPS connections to the server. 

For ATS compliance of your server, ensure that:

  • The LiveCycle/AEM Forms server supports connections using TLS 1.2 standard over HTTPS.
  • The TLS 1.2 connection uses ciphers that support perfect forward secrecy through Elliptic curve Diffie-Hellman Ephemeral (ECDHE) key exchange. For list of ciphers that have this property, see NSAppTransportSecurity under Information Property List Key Reference page in Apple pre-release documentation. 
  • The server certificate is signed with SHA-2 having a minimum digest length of 256 bits.
  • The leaf server certificate is signed with one of the following types of keys:
    • key with key > 2048 bytes
    • ECC key with key > 256 bytes

 See pre-release dcoumentation from Apple

Using TLS 1.2 standard for all communications, even from non-Apple devices, is recommended for security reasons and enabling ATS compliance.

You can use one of the following methods to check if your server is ATS compliant:

  • Using SSL Labs if server URL is public
  • Using a Mac machine

Perform the following steps to check if your server is ATS compliant using SSL labs:

  1. In your browser, open: https://www.ssllabs.com/ssltest/analyze.html

  2. Type your server URL in the Hostname field and click Submit

    You can type acrobat.com or select one of the available options to see how it works. 

  3. In the SSL report page, find Apple ATS 9/iOS 9.

    If your server is ATS compliant, you can see a message in green against the ATS 9/iOS 9. If your server is not ATS 9/iOS 9 compliant, you can see a message in red. 

Perform the following steps to test if your server is ATS compliant using a Mac machine with Mac OS X 10.11 El Capitan:

  1. In the terminal, type: /usr/bin/nscurl --ats-diagnostics <url>

    Replace <url> with the server url for which you want to verify ATS compliance. 

  2. Your server is ATS compliant if you see the following message:

    ---
    
    ATS Default Connection
    
    Result: PASS
    
    ---
    

You can use one of the procedures above to validate ATS compliance. 

If your server fails ATS compliance test

Perform the following steps to resolve ATS compliance issue: 

  • Use a proxy, such as Apache proxy.
    If your setup is already using a load balancer or a proxy, or if you have introduced a new proxy server, you can modify proxy settings to resolve SSL connection failure issue. 
    For the new proxy server: ensure that it bears the same domain name as your LiveCycle/AEM Forms server, and read proxy server/load balancer documentation to make your proxy server ATS compliant. 

If you cannot use a proxy server, perform the steps according to the app server you are using.

Configure TLS 1.2 on JBoss server

With certain Java versions, TLS 1.2 is incompatible. To troubleshoot compatibility, before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java

If your configuration supports TLS 1.2, perform the following steps for enabling TLS in JBoss server:

  1. Configure SSL using LCM.

  2.  Open lc_turnkey.xml file in editor.

    Path: 

    For LiveCycle: <LC-install-directory>\jboss\server\lc_turnkey\deploy\jbossweb.sar\server.xml

    For AEM Forms: <AEM-install-directory>\jboss\standalone\configuration\lc_turnkey.xml

  3. Change ssl protocol value to TLSv1.2 as shown below:

    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="lc-ssl" password="password" protocol="TLSv1.2" key-alias="AEMformsCert" certificate-key-file="C:/Adobe/Adobe_Experience_Manager_Forms/jboss/standalone/configuration/aemformses.keystore" />
    </connector>
  4. Restart the server.

Steps to verify that the browser is using the updated TLS

  1. Open secure adminui page in Firefox:

    URL: https://<server>:<port>/adminui

  2. Click the green lock icon on the left of the URL, then click the next button > More Information.

    You can see TLS version under technical details. 

Troubleshooting TLS 1.2/ATS compatibility with Java:

If you are using JBoss Turnkey which ships with Oracle Java 6 update 26 or update 31, or if you have manually installed Oracle Java 6:

  • If you have LiveCycle ES4 or earlier:

If you are using JBoss Turnkey which ships with Oracle Java 6 update 26 or update 31, or if you have manually installed Oracle Java 6:

  • If you have LiveCycle ES4 or earlier:

Configure TLS 1.2 on WebLogic server

With certain Java versions, TLS 1.2 is incompatible. To troubleshoot compatibility, before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java

If your configuration supports TLS 1.2, perform the following steps for enabling TLS in WebLogic server:

  1. To configure SSL, see Configuring SSL for WebLogic server

  2. Restart all the servers.

  3. In Domain Configurations, click Servers > [Managed Server] > Configuration > Server Start tab.

  4. Under Arguments box, add -Dweblogic.security.SSL.protocolVersion=TLSV1.2.

  5. Click Save

Steps to verify that the browser is using the updated TLS

  1. Open secure adminui page in Firefox:

    URL: https://<server>:<port>/adminui

  2. Click the green lock icon on the left of the URL, click the next button > More Information.

    You can see TLS version under technical details. 

Verify ATS compliance using the SSL labs or a Mac machine. Steps to verify ATS compliance are mentioned above. 

Troubleshooting TLS 1.2/ATS compatibility with Java:

If you are using WebLogic 10.x.x with Jrockit Java 6 R28 installed:

Configure SSL/TLS 1.2 on WebSphere Application Server

With certain Java versions, TLS 1.2 is incompatible. To troubleshoot compatibility, before enabling TLS, see Troubleshooting TLS 1.2 compatibility with Java

If your configuration supports TLS 1.2, perform the following steps for setting TLS on WebSphere Application Server:

  1. Restart the server. 

  2. For configuring SSL with TLS, see steps in Configuring WebSphere Application Server to support TLS 1.2.

  3. Restart the server. 

Steps to verify that the browser is using the updated TLS

  1. Open secure adminui page in Firefox:

    URL: https://<server>:<port>/adminui

  2. Click the green lock icon on the left of the URL, click the next button > More Information.

    You can see TLS version under technical details. 

Verify ATS compliance using the SSL labs or a Mac machine. Steps to verify ATS compliance are mentioned above. 

Troubleshooting TLS 1.2 compatibility with Java:

If you are using WebSphere Application Server 7.0.0.x, and IBM Java 6 isntalled:

  • Update WebSphere Application Server to 7.0.0.35 and update IBM Java 6.
  • Add bouncy castle provider (1.5.4)
  • Enable ECDHE ciphers in WebSphere:
    1. Log in to the WebSphere Application Server Integrated Solutions Console.
    2. Navigate to Security > SSL Certificate & Key Management > SSL Configurations > NodeDefaultSSLSettings > Quality of protection (QoP settings). 
    3. Sepcify cipher suite groups as custom and add appropriate ECDHE ciphers.
    4. Save and restart the server.

If you are using WebSphere Application Server 8.0.0.x, and IBM WebSphere Java SDK 1.6 installed: 

  • Update WebSphere Application Server to 8.0.0.10
  • Update Java
    Strong cipher suite groups has ECDHE ciphers by default.
  • Enable TLS 1.2 and restart the server. 

If you are using WebSphere Application Server 8.x.x.x, with IBM J9 Virtual Machine (build 2.6 & 2.7, JRE 1.7.0) installed:

  • Add bouncy castle provider (1.5.4). Perform the following steps to add Bouncy Castle Provider (1.5.4) in Java security file:
    1. Copy the bouncy castle provider jar to the JDK folder under your server installation.  For example: C:\Adobe\Adobe LiveCycle ES4\Java\jdk1.6.0_31\jre\lib\ext.
      To download the jar file click here.
    2. Update the config file at $JAVA_HOME/jre/lib/security/java.security
      with the entry:
      security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider
      (replace N with the next logical number)
      Do not install Bouncy Castle Provider 1.5.5 because of known signing issue. 

Opomba:

Add bouncy castle only if you do not see required ciphers in the ciphers list that appears in administration console. 

  • Enable ECDHE ciphers in WebSphere:

    1. Log in to the WebSphere Application Server Integrated Solutions Console.
    2. Navigate to Security > SSL Certificate & Key Management > SSL Configurations > NodeDefaultSSLSettings > Quality of protection (QoP settings). 
    3. Sepcify cipher suite groups as custom and add appropriate ECDHE ciphers.
    4. Save and restart the server.