Configuring Secure Sockets Layer (SSL)

Learn about configuring SSL for the Application Center on supported application servers and the limitations of certificate verification on mobile operating systems.

You can configure the Application Center with SSL or without SSL, unless you intend to install applications on iOS devices. For iOS applications, you must configure the Application Center server with SSL and enable the TLS v1.2 protocol.

SSL transmits data over the network in a secured channel. You must purchase an official SSL certificate from an SSL certificate authority. The SSL certificate must be compatible with Android, iOS, and BlackBerry OS 6 and 7. Self-signed certificates do not work with the Application Center.

When the client accesses the server through SSL, the client verifies the server through the SSL certificate. If the server address matches the address recorded in the SSL certificate, the client accepts the connection. For the verification to be successful, the client must know the root certificate of the certificate authority. Many root certificates are preinstalled on Android, iOS, and BlackBerry devices. The exact list of preinstalled root certificates varies between versions of mobile operating systems.

You should consult the SSL certificate authority for information about the mobile operating system versions that support its certificates.

If the SSL certificate verification fails, a normal web browser requests confirmation to contact an untrusted site. The same behavior occurs when you use a self-signed certificate that was not purchased from a certificate authority. When mobile applications are installed, this verification is performed not by a normal web browser, but by operating system calls.

Some versions of Android, iOS, and Windows Phone operating systems do not support this confirmation dialog in system calls. This limitation is a reason to avoid self-signed certificates or SSL certificates that are not suited to mobile operating systems. On Android, iOS, and Windows Phone operating systems, you can install a self-signed CA certificate on the device to enable the device to handle system calls with respect to this self-signed certificate. This practice is not appropriate for Application Center in a production environment, but it may be suitable during the testing period. For details, see Configuring SSL by using untrusted certificates and Managing and installing self-signed CA certificates in an Application Center test environment.
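The following added example (not part of the product documentation or IBM code) checks a server the way a system call without a confirmation dialog does: TLS v1.2 or later, a chain to a trusted root, and a matching server address, with any failure mapped to its cause. The names strict_context, classify, and check_server are hypothetical, and the trust store of the machine running the script only approximates a device's preinstalled roots, so pass cafile to test against a specific root list.

```python
import socket
import ssl


def strict_context(cafile=None):
    """Client context with no override path, like an OS call without a dialog."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # protocol required for iOS
    return ctx


def classify(exc):
    """Map a connection failure to the cause an administrator has to fix."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)  # OpenSSL X509_V_ERR_* value
        if code in (18, 19):
            return "self-signed certificate or self-signed root not trusted"
        if code in (20, 21):
            return "issuing CA unknown to client or chain incomplete"
        if code in (62, 64):
            return "server address does not match certificate"
        if code == 10:
            return "certificate expired"
        return "certificate verification failed"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed (check that TLS v1.2 is enabled)"
    return "server unreachable"


def check_server(host, port=443, cafile=None, timeout=5.0):
    """Return 'ok: <protocol>' or the classified reason the client would reject."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)


if __name__ == "__main__":
    # appcenter.example.com is a placeholder host name, not taken from the page.
    print(check_server("appcenter.example.com"))
```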

The following topics describe how to enable SSL on the application servers. If your server is behind a reverse proxy that decrypts the SSL-encoded packets before passing them to the application server, you must configure this reverse proxy. For IBM® HTTP Server, see the IHS documentation.