Installing your own root certificate on Android and running Citrix XenApp Web Interface

    shoguevara and I had been wondering for quite a long time how to install a root certificate on an Android device, and had even found a couple of not entirely trivial instructions, but until now there had been no need to actually do it. The need appeared when we acquired an Android tablet.

    A little background:


    Our office uses Citrix XenApp to enable remote work. What kind of beast it is and how to handle it will not be discussed here; those who need it have known for a long time.
    In this joint post we want to talk about installing the root certificate and setting up the client side, Citrix Receiver for Android.


    In principle, the client is not bad: it is usable, and if you are away on a trip with only an Android phone or tablet at hand, it is the only way to quickly connect and fix something through your work computer.
    The software does not look very tricky and does not need much configuration, and if you launch applications through the web interface, as our organization does, it needs none at all...
    But not everything is so cloudless!

    What kind of problems could arise?


    Remote access architectures of this kind often use certificates signed by certification authorities that are not on the standard list. Why Google did not include in its OS such a simple function as installing additional CA root certificates (along with another much-needed function, the ability to set a proxy server), we are not going to discuss here.
    The first sign that the server uses a self-signed certificate is that when you open the web resource in, for example, Mozilla Firefox, the browser reports that it cannot decide whether to trust the certificate for establishing a secure connection and leaves the choice to you.
    If you see such a picture, then this article is just for you!

    So what does it take to run applications published on your company's Citrix XenApp through Citrix Receiver?



    First of all, as it turned out, you need to install Mozilla Firefox for Android. Strangely, no other browser passes the file needed for the connection (launch.ica) to the client program. We only know that everything works fine with Firefox.

    Secondly, you need the client program itself. The Android Market offers a choice: the stable Citrix Receiver, or Citrix Labs Receiver, which is in the testing phase. The second refused to accept the certificate no matter what; the first, stable one we did get working after a sleepless night.

    Thirdly, you need root access to your device, or the ability to pull files and write them back through adb, although that also requires root access (you can learn how to set it up by spending a little time on the results Google gives for a query like "<your device name> root access howto" or "<your device name> adb configure howto").

    We did not bother with configuring adb, since we prefer to work with the system directly through file managers. In any case, there is plenty of information about this online (the Russian-language resource with the most information of this kind is http://w3bsit3-dns.com/forum, the English-language one is http://forum.xda-developers.com). If you use direct access to system files, you need a file manager that can use root rights (for example, Root Explorer).

    Fourth, you need a machine with any popular Linux distribution and the Java runtime from Oracle installed (we used Ubuntu 10.10 with the JRE installed).

    And the last on the list, but far from the last in importance, is the root certificate of the certification authority (let it be called CompanyCA.crt).

    From the requirements (if they are all fulfilled), we proceed to action.


    For convenience, we will list everything item by item.

    1. On the device, open the Android Market and install Firefox.
    2. On the device, open the Android Market and install Citrix Receiver.
    3.1.1 (3.1.x is for those who prefer direct access) Using the file manager, copy the file /system/etc/security/cacerts.bks to the SD card.
    3.1.2 Connect the device to the Linux computer as a drive.
    3.1.3 Copy the cacerts.bks file from the root of the card to your home folder.
    3.2.1 (adb) Copy the certificate store:
    $ adb pull /system/etc/security/cacerts.bks cacerts.bks

    4. This step assumes that you have already installed and configured JRE 1.6 and the JAVA_HOME environment variable (in my case JAVA_HOME=/usr/lib/jvm/java-6-sun/).
    Download the bouncycastle.org/download/bcprov-jdk16-146.jar package and put it into the $JAVA_HOME/jre/lib/ext/ folder.
    If you have the JDK installed, this package must also be put into the /usr/lib/jvm/java-6-openjdk/jre/lib/ext folder.
    wget bouncycastle.org/download/bcprov-jdk16-146.jar
    sudo cp bcprov-jdk16-146.jar "$JAVA_HOME/jre/lib/ext/bcprov-jdk16-146.jar"
    # or sudo cp bcprov-jdk16-146.jar /usr/lib/jvm/java-6-sun/jre/lib/ext/bcprov-jdk16-146.jar

    5. Put the certificate file CompanyCA.crt into the home folder as well. If you do not have it, but you agreed to accept the certificate when opening the XenApp web interface, you can export it from Firefox. How to do this, ask Google. We can only clarify that the format needed is X.509 PEM.

    6. Download and install the Android SDK (if you do not plan to use adb, you can skip this step):
    wget dl.google.com/android/android-sdk_r10-linux_x86.tgz
    tar -xvzf android-sdk_r10-linux_x86.tgz
    sudo mv android-sdk-linux_x86 /usr/lib/android-sdk-linux_x86

    Running anything from the kit is not required for our task, but the SDK executables need to be added to the PATH environment variable: export PATH=${PATH}:/usr/lib/android-sdk-linux_x86/tools.
    In our case, environment variables are set by adding these lines to the end of ~/.bashrc:
    export PATH=${PATH}:/usr/lib/android-sdk-linux_x86/tools
    # JAVA_HOME points at the Java install root, so that $JAVA_HOME/jre/lib/ext from step 4 resolves
    export JAVA_HOME=/usr/lib/jvm/java-6-sun

    7. Open the console and run the command:
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT -file CompanyCA.crt

    Be careful: do not change the -storepass changeit parameter (that really is the password). In response to this command you should get information about the certificate and the prompt "Trust this certificate? [no]:"; answer "y".
    That's it, our file is prepared. Now it needs to be uploaded to the device.

    8.1.1 (direct access) Connect the device to the computer as a drive;
    8.1.2 Copy the cacerts.bks file to the card;
    8.1.3 Using the file manager, move the cacerts.bks file from the /sdcard folder to the /system/etc/security/ folder, having first remounted it for writing;
    8.2.1 (adb) Mount the system for writing:
    $ adb shell mount -o remount,rw /system
    8.2.2 Upload the file:
    $ adb push cacerts.bks /system/etc/security/
    8.2.3 Mount the system read-only:
    $ adb shell mount -o remount,ro /system

    The hard part is over. A couple of small tricks remain.

    9. Reboot the device.

    10. Launch Firefox and open the web access page.
    A picture like this will appear:
    [Screenshot: Result]

    Here we need to click on the “Already installed” link at the top of the screen;

    11. Select an application from the list and try to run;

    12. Profit!
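
    Step 7 ends with keytool asking whether to trust the certificate, and the result lands in the system-wide trust store. The script below is an added example, not part of the original instructions: it checks that the file from step 5 is a single PEM certificate and compares its fingerprint with one obtained out of band (for example from the CA administrator) before the import. The function names and the script name check_ca.sh are assumptions; only coreutils, grep and sed are used.

```shell
#!/bin/sh
# Added example: check CompanyCA.crt (step 5) before importing it in step 7.
# Function names are illustrative, not from the original article.

# Succeeds only if the file is PEM text with exactly one certificate
# and no private key.
is_single_pem_cert() {
    f=$1
    [ -r "$f" ] || return 1
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" = 1 ] && [ "$ends" = 1 ] || return 1
    if grep -q -- 'PRIVATE KEY-----' "$f"; then return 1; fi
    return 0
}

# Prints the digest of the decoded (DER) certificate as colon-separated
# upper-case hex. $2 selects the digest tool: sha1sum or sha256sum.
pem_fingerprint() {
    f=$1; tool=${2:-sha256sum}
    is_single_pem_cert "$f" || return 1
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$f" \
        | grep -v -- '^-----' | tr -d '\r\n ' | base64 -d \
        | "$tool" | cut -d' ' -f1 | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//'
}

# Compares the file's fingerprint with one obtained out of band
# (case-insensitive). $3 optionally selects the digest tool.
fingerprint_matches() {
    actual=$(pem_fingerprint "$1" "${3:-sha256sum}") || return 1
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# Usage: sh check_ca.sh CompanyCA.crt 'AB:CD:...' [sha1sum|sha256sum]
if [ "$#" -ge 2 ]; then
    if fingerprint_matches "$@"; then
        echo "fingerprint matches"
    else
        echo "fingerprint mismatch or not a single PEM certificate" >&2
        exit 1
    fi
fi
```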

    In preparing the instructions, the following resources were used:
    http://wiki.cacert.org/ImportRootCert#Android_Phones
    http://blog.dest-unreach.be/2010/05/03/installing-an-additional-x-509-root-certificate-on-android
    http://bouncycastle.org/
    As a bonus - a useful utility for working with certificates (Java): http://portecle.sourceforge.net
