As the connection between the DME server and the devices is run through a secure (SSL) connection, an SSL certificate must be installed on the server and on each device, affirming that the data received through the SSL connection is in fact coming from the right server. The certificate is also required for bootstrapping devices.
When the DME server is installed, you can choose to deploy an SSL certificate. This is called a self-signed certificate. Alternatively, you can purchase a certificate from a trusted certificate authority (CA), such as VeriSign or Thawte, and deploy that on the server. Soliton Systems recommends using a certificate from a trusted CA, because issues may arise when deploying the client to devices if the device does not trust the self-signed certificate. Such issues are outlined below.
OMA DM
The following applies when installing DME clients using OMA DM:
OMA DM deployment does not apply to Apple iOS devices, and the Send SSL certificate function cannot be used with Apple iOS devices, as they cannot receive WAP push.
The following applies when installing DME clients using the self-signed certificate and using SMS push:
Apple iOS devices
DME for iPhone and other iOS devices (iPod touch, iPad) cannot be installed using SMS push or OMA DM, but is installed through the Apple App Store. When the user launches the client for the first time and enters the server path, the DME client 3.5.4 and later silently accepts the self-signed certificate (and certificates from any trusted CA).
Android devices
It is not possible to install root certificates on Android devices. It might be possible in the future if Google decides to implement it, but until that happens, the DME servers must use SSL certificates signed by a major certificate vendor such as Thawte or VeriSign, which have their root certificates pre-installed on Android devices. This means that no self-signed certificates are valid for connecting with the DME server.
You therefore need to install a certificate from a major certificate vendor on your DME server in order to connect using the DME client for Android. Note that different device vendors pre-install different root certificates, so you should contact your device vendor to make sure that the device you intend to purchase supports the certificate installed on your DME server.
If you already own a device, you can use the Test connection button in the Android client (Settings > General > Server path) to test the secure connection to the DME server. If no error is shown, the Android device is able to establish a secure connection to DME using the certificate installed. If DME displays an error, the device will not be able to connect to the DME server.
To assist you in trying out different certificates from your Android device browser, we have assembled a small collection of URLs for secure sites, using different certificates. See below.
https://www.thawte.com
https://www.verisign.com/
https://www.buypass.no/
https://www.digicert.com/
https://secure.entrust.com/
https://www.geotrust.com/
https://www.globalsign.com/
https://www.verizon.net/
https://www.wellsfargo.com/
https://www.godaddy.com/
This list is not complete.
We have provided a tool that can help you test this. On some older devices, it can be necessary to use this tool rather than the built-in Test connection function. Go to the DME Resource Center, and scroll down the page to find the Android utility to test server certificate.
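The trust decision described above for Android devices can be reproduced on an administrator's workstation with the openssl command line. This is an added example, not part of DME or its Android utility: the certificates are constructed test data, dme.example.test is a hypothetical host name, and the helper names make_certs and trust_status are made up here.

```shell
#!/bin/sh
# Added example. All certificates are constructed test data;
# dme.example.test is a hypothetical host name.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed root CA, a server certificate signed by it,
# and a self-signed certificate for the same server key.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dme.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 30 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv-ca.pem" 2>/dev/null
  openssl req -new -x509 -key "$WORK/srv.key" -days 30 \
    -subj "/CN=dme.example.test" -out "$WORK/srv-self.pem" 2>/dev/null
}

# trust_status CERT ROOTS
# Prints how a client whose root store is the PEM file ROOTS sees CERT:
#   trusted         chain verifies up to a root in ROOTS
#   self-signed     subject equals issuer and the certificate is not in ROOTS
#   unknown-issuer  signed by a CA that is not in ROOTS
trust_status() {
  cert=$1
  roots=$2
  if openssl verify -CAfile "$roots" "$cert" >/dev/null 2>&1; then
    echo trusted
  elif [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
    echo self-signed
  else
    echo unknown-issuer
  fi
}

make_certs
echo "CA-signed cert, root installed: $(trust_status "$WORK/srv-ca.pem" "$WORK/ca.pem")"
echo "self-signed cert, same store:   $(trust_status "$WORK/srv-self.pem" "$WORK/ca.pem")"
echo "CA-signed cert, root missing:   $(trust_status "$WORK/srv-ca.pem" "$WORK/srv-self.pem")"
```

The third case models a device whose vendor did not pre-install the root that issued the server certificate: the certificate is valid, but the client has no way to build a chain to a root it holds.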
Summary
For all platforms, Soliton Systems recommends using a third-party, trusted SSL certificate in order to ensure a smooth roll-out of DME to all supported platforms.