Introduction

This document contains a short description of how to setup an EHS5 module to run a HTTPS Demo Java Midlet that securely communicates with Application Engineering’s test server ae.c-wm.net using mutual authentication.

Infrastructure

Certificate hierarchy

·         rootCA is a self signed certification authority (CA)

·         rootCA signs second level intermediate CAs serverCA and clientCA

·         serverCA signs third level server endpoint certificate ae.c-wm.net

·         clientCA signs third level client endpoint certificates client01 and client02

The Apache server sends the complete certificate chain. In addition to its client certificate, the module stores the root certificate to validate this chain. Because of the module doesn't send the entire certificate chain, but only it's endpoint certificate, the apache server must store the clientCA as well.

Certificate creation with OpenSSL

automated script

In order to create your own certificate chain, you can use the certs.sh script in a cygwin environment with openssl and ssh installed. You can find the script and all its dependencies in the attached archive in the subdirectory Certs.

The instructions below contain the following placeholders:

·         <comport> - the COM port to with the module is attached

·         <server> - the web server you want create the certificates for

·         <user> - a user which can ssh into the <server>

step-by-step

• create new certificate chain:
•       run ./certs.sh create <server>
• export client and root certificate to other formats:
•       .der-files are used by the module, .p12-files are for the use in web browsers
•       run ./certs.sh export
• install the certs to a EHSX module at modem port COM103:
•       Please replace COM103 with your modem port.
•       run ./certs.sh moduleDeploy <comport>
• install certs on server:
•       You need to be able to ssh to the server without password. You can use ssh-keygen and ssh-copy-id for this.
•       run ./certs.sh serverDeploy <user> <server>
• (optional) remove all created certificates:
•       run ./certs.sh clean

all-in-one

Running ./certs.sh all will execute the above standing steps. Before running please adjust the COM port, user and server in the script according to the step-by-step instructions above.

GUI

If you prefer a graphical user interface instead of OpenSSL, I recommend using the cross platform tool XCA (http://sourceforge.net/projects/xca/ ).

Web server setup

Step 1

The following listing contains an example configuration for an apache2 webserver.

$ cat /etc/apache2/sites-enabled/ssl_demo_mutual_443

NameVirtualHost *:443

<virtualhost *:443>

        ServerName ae.c-wm.net

        SSLEngine On

        SSLVerifyClient require

        SSLVerifyDepth 10

        # server certs

        SSLCertificateFile /etc/apache2/ssl/serverEP.crt

        SSLCertificateKeyFile /etc/apache2/ssl/serverEP.key

        SSLCertificateChainFile /etc/apache2/ssl/serverChain.crt

        SSLCACertificateFile /etc/apache2/ssl/clientChain.crt

        DocumentRoot /var/wwws/

        SSLOptions +ExportCertData

</virtualhost>

Step 2

A server script displaying the available and currently used cipher suites and protocols can be found in this archive in the subdirectory Server.

Step 3

Please note that this script ***** read-permissions for the file /var/log/apache2/ssl_engine.log and read- and execute-permissions on all parent directories. The file's permissions will be reset, when the log is rotated. To prevent this, you can adjust your /etc/logrotate.conf or /etc/logrotate.d./apache2.

$ cat /etc/logrotate.d/apache2

/var/log/apache2/*.log {

        weekly

        missingok

        rotate 52

        compress

        delaycompress

        notifempty

        create 644 root adm

        sharedscripts

        postrotate

                if [ -f "`. /etc/apache2/envvars ; echo ${APACHE_PID_FILE:-/var/run/apache2.pid}`" ]; then

                        /etc/init.d/apache2 reload > /dev/null

                fi

        endscript

}

Step 4

Also you have to enable debug logging for the ssl engine:

$ cat /etc/apache2/conf.d/ssl_log

<IfModule mod_ssl.c>

        ErrorLog /var/log/apache2/ssl_engine.log

        LogLevel debug

</IfModule>

Demonstration

This chapter contains a short description of how to setup an EHS5 module in order to show a HTTPS Demo using Internet Service Commands. The Demo securely communicates with Application Engineering’s test server ae.c-wm.net under mutual authentication. If you don't want to use Java for this, you can skip all steps marked with "(java only)". All files mentioned here and for further information is contained in this archive.

Prerequisites

·         SIM card (tested with German provider T-D1)

·         EHSx Rev 2 or higher

·         Gemalto Module Exchange Suite (MES)

·         Gemalto IMP Debug Connection for EHSx (optional)

·         Gemalto EHSx Software Development Kit (optional)

Setup

·         Transfer Java Midlet and Security Command files to the module's root directory

o   https_demo.zip\HttpsDemo\.mtj.tmp\emulation\HttpsDemo.jad (java only)

o   https_demo.zip\HttpsDemo\.mtj.tmp\emulation\HttpsDemo.jar (java only)

o   https_demo.zip\Certs\AddHttpsCertificateUntrusted.bin (create with certs.sh)

o   https_demo.zip\Certs\AddHttpsClientCertificateUntrusted.bin (create with certs.sh)

·         Install certificates and activate server authentification (note: this can be skipped if "./certs.sh moduleDeploy" was executed for the current module)

at^sjmsec="cmd",0B00310001000500020001

at^sjmsec="file",AddHttpsCertificateUntrusted.bin

at^sjmsec="file",AddHttpsClientCertificateUntrusted.bin

·         Test if HTTPS is setup correctly:

at^sjmsec? 

^SJMSEC: 1,1,1,1 

OK 

·         Install HTTPS Demo Midlet (java only)

at^sjam=0,"a:/HttpsDemo.jad",""

Run

You can demonstrate HTTPS communication with a Java Midlet or with Internet Service Commands.

Java Midlet

·         Redirect Java’s stdout to the serial console at asc0

at^scfg="userware/stdout","asc0" 

^SCFG: "Userware/Stdout","asc0",,,,"off" 

OK

·         Run HTTPS Demo Midlet

at^sjam=1,"a:/HttpsDemo.jad","" 

·         You should see something similar to the following lines on stdout

started HTTPS Demo app 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 

       "http://www.w3.org/TR/html4/loose.dtd"> 

<html> 

        <head> 

                <title>Gemalto M2M HTTPS demo</title> 

        </head> 

        <body> 

                Welcome to the Gemalto M2M HTTPS demo page. 

Sending dispose command to the VM. 

        </body> 

</html> 

MIDlet:HttpsDemo exited 

Internet Service Commands

at+cops? 

+COPS: 0,0,"Telekom.de",2 

OK 

at^sici? 

OK 

at^sics? 

^SICS: 0,"conType","" 

^SICS: 1,"conType","" 

^SICS: 2,"conType","" 

^SICS: 3,"conType","" 

^SICS: 4,"conType","" 

^SICS: 5,"conType","" 

OK 

+PBREADY 

at^sics=1,contype,GPRS0 

OK 

at^sics=1,inactTO,2000 

OK 

at^sics=1,passwd,t-d1 

OK 

at^sics=1,user,internet 

OK 

at^sics=1,apn,"internet.t-d1.de" 

OK 

at^sics? 

^SICS: 0,"conType","" 

^SICS: 1,"conType","GPRS0" 

^SICS: 1,"inactTO","2000" 

^SICS: 1,"user","internet" 

^SICS: 1,"passwd","*****" 

^SICS: 1,"apn","internet.t-d1.de" ^SICS: 2,"conType","" 

^SICS: 3,"conType","" 

^SICS: 4,"conType","" 

^SICS: 5,"conType","" 

OK 

at^siss=1,srvtype,http 

OK 

at^siss=1,conid,1 

OK 

at^siss=1,cmd,"get" 

OK 

at^siss=1,address,"https://ae.c-wm.net/ssltest/?format=plaintext" 

OK 

at^siso=1 

OK 

^SIS: 1,0,2200,"Http ae.c-wm.net:443" 

^SISR: 1,1 

at^sist=1 

CONNECT 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 

       "http://www.w3.org/TR/html4/loose.dtd"> 

<html> 

        <head> 

                <title>Gemalto M2M HTTPS demo</title> 

        </head> 

        <body> 

                Welcome to the Gemalto M2M HTTPS demo page. 

        </body> 

</html> 

NO CARRIER 

^SISR: 1,2 

Further info

Please also see our Java Users Guide on your EHSX install CD\program files\Cinterion\CMTK\EHS5\Documentation\wm02_java_usersguide_v04.pdf