How to enable login Orchestrator Mobile app for iOS ?

Error Message: Unable to connect to Orchestrator Instance due to an issue with SSL Certificate. Check that Certificate meets Apple's minimum configuration requirements.(Error Code: NSURLErrorSecureConnectionFailed)

Root Cause:

Orchestrator iOS application has ATS (App Transport Security) enabled to ensure that secure connections are used between the mobile application and external web services. This is a known best practice used by a large number of iOS applications. A number of connection requirements need to be met by every node in the connection process in-order for ATS to allow the connection to succeed. This issue tends to happen more frequently for customers when they have some kind of VPN or load balancer sitting in front of their on-premise Orchestrator instance.

Some typical causes that trigger ATS to deny a connection are as follows:

• One of the SSL certificates used in the connection is utilizing SHA-1 as its signature algorithm. ATS requires SHA-2 to be used.
• One of the SSL certificates was using TLS 1.1 or lower. ATS requires TLS 1.2 or greater to be used.
• During the SLL handshake with the server, TLS connection cipher suite that was chosen did not support PFS (perfect forward secrecy).
  • A list of supported ciphers can be seen here.

Diagnosing Steps:

1. Check the potential connection issues on Chrome

• On a computer, open up the Google Chrome Web Browser
• Navigate to the Orchestrator instance by typing it’s URL into the browser, see that the Orchestrator login page appears.
• Right click the web page, and click the “Inspect” option.

2. In the menu that appears, click on the “Security” tab.
   • Potential issues with the connection will be listed here if Chrome is able to detect them .

Chrome may not be able to detect all of the potential issues with the connection, as ATS has a number of specific requirements that Chrome is not necessarily aware of. If no issues are revealed, an IT professional should review all of the nodes used in the connection process with the Orchestrator instance, and ensure that they all meet the minimum level of requirements for ATS.

The mobile application team will continue to work on adding more detailed error messaging into the mobile application for these types of issues in the future, so that they may be more easily identified and resolved.

Additionally, if Orchestrator instance is publicly hosted, enter Orchestrator instance’s domain into https://www.ssllabs.com/ssltest/ to obtain detailed information on the configuration of the SSL Certificate being used in the https connection, which may help diagnose any potential SSL configuration issues.

Diagnose SSL Issue

1. Click the "Diagnose SSL Issue" button on the error page and share the below information to us.

Resolution for Non - Connection issue:

If Orchestrator instance with a certificate has ATS issues in the iOS app, and there is no connection issue or not being able to solve it, a possible solution for this would be to install the root certificate for the instance on your device and trust it. This will allow the user to authenticate with instance without any ATS/SSL related issues.

Find Root Certificate Authority

The first step is to find the Root CA of instance so that it can be exported. If using a Self-Signed Certificate, that shall be the Root CA. Before it can be exported, ensure that it will appear as a Root CA to Apple. Check this by viewing the Details of certificate and looking for the Basic Constraints Field and checking that includes a Subject Type of CA.

If certificate already has Basic Constraints setup correctly, skip forward to the section on Exporting the Root Certificate Authority. Otherwise take a look at sections directly below.

How to Create a Root CA

If certificate does not have a Basic Constraints field set to SubjectType=CA, make a new certificate that includes this. Do this through Powershell, by specifically including -TextExtension @("2.5.29.19={text}cA=true) when making a new one. This will add the Basic Constraint with a Subject Type of CA to a new certificate that can be used.

Here is a Powershell script used to create a Self-Signed CA Certificate:

$cert = New-SelfSignedCertificate -certstorelocation cert:

\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -

HashAlgorithm "SHA256" -TextExtension @("2.5.29.19={text}cA=true")

$pwd = ConvertTo-SecureString -String ‘PUT-PASSWORD-HERE’ -Force -

AsPlainText

$path = ‘cert:\localMachine\my\’ + $cert.thumbprint

Export-PfxCertificate -cert $path -FilePath c:

\Users\uipath\Desktop\cert.pfx -Password $pwd

If a Root CA certificate needs to be made that signs a separate certificate, do the following instead:

$rootcert = New-SelfSignedCertificate -certstorelocation cert:

\localmachine\my -dnsname ROOT-CA-NAME-HERE -KeySpec KeyExchange -

HashAlgorithm "SHA256" -KeyUsage CertSign, CRLSign, DigitalSignature -

KeyExportPolicy Exportable -TextExtension @("2.5.29.19={text}cA=true")

$rootpwd = ConvertTo-SecureString -String ‘PUT-PASSWORD-HERE’ -Force -

AsPlainText

$rootpath = ‘cert:\localMachine\my\’ + $rootcert.thumbprint

$rootCA = Export-PfxCertificate -cert $rootpath -FilePath c:

\Users\uipath\Desktop\root-cert.pfx -Password $rootpwd

$cert = New-SelfSignedCertificate -certstorelocation cert:

\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -

HashAlgorithm "SHA256" -Signer $rootcert

$pwd = ConvertTo-SecureString -String ‘PUT-PASSWORD-HERE’ -Force -

AsPlainText

$path = ‘cert:\localMachine\my\’ + $cert.thumbprint

Export-PfxCertificate -cert $path -FilePath c:

\Users\uipath\Desktop\signed-cert.pfx -Password $pwd

The end goal here is to have a Root CA certificate with a correctly set Basic Constraints field. This is required so that iOS will correctly identify and import the certificate.

Set New Certificate to Orchestrator

1. If the above method is used to create a new certificate, set it to Orchestrator instance. First import certificate. Double-click on the .pfx made by the Powershell script to start the Import Wizard. Select Local Machine and press Next

2. Continue importing until the Certificate Store section is obtained. Select Place all certificates in the following store and select Personal, then press Next. On the next screen, press Finish.

3. Import the Certificate twice. Once placing it in the Personal Store, and once again placing it in the Trusted Root Certificate Authorities store.
4. After importing the certificate into both certificate stores, set it to the Orchestrator instance. Open IIS and navigate to UiPath Orchestrator Home

5. In the Actions bar on the right side, tap on Bindings… under the Edit Site header

6. In the Site Bindings window, we’ll need to change the certificate used by ALL of the bindings. For each Binding, select it and press Edit

7. In the Edit Site Binding window, under the SSL Certificate section select new certificate. Then press OK to close the window

8. After updating all of the Bindings, press Restart in the Actions bar on the right side under the Manage Website header

Exporting the Root Certificate Authority

1. After all is set with certificate, export it into a format that iOS will more easily recognize. Open Certificate Manager by opening the Run program and typing in certmgr.msc, then pressing OK

2. With Certificate Manager open, find certificate. Right-click on your Certificate, then Navigate to All Tasks > Export

3. When exporting select DER encoded binary X.509 (.CER), and once exporting is complete you should have a .cer file

Download to Device and Trust

1. Once you have the .cer file, send it to users.Do this via email, slack, a link hosted on a Website, etc... As long the user the can tap on it and it downloads, and the user gets the following pop-up:

2. Now the user can go to the Settings app > General > Profiles & Device Management and then the certificate should appear as a Downloaded Profile. Tap on it.

3. On the next screen tap I3nstall. If received any Warnings, tap on Install again

4. Now see a success Profile Installed screen. Press Done

5. Now that the profile is installed, go back General in the Settings app, and then go to About > Certificate Trust Settings. The newly installed certificate should be here. (If it doesn’t appear here, this is because Apple doesn’t believe the certificate is a Root CA and you’ll need to return back to the Install and Trust Certificate on Device section of this doc to ensure that the CA Basic Constraint is there.)
6. If the toggle is off, toggle it on.

7. Now return to the On-Premises Login screen in the mobile app, enter instance’s URL (if it isn’t already entered), and press Next. See a loading spinner and on taken to the next screen to authenticate with instance without any ATS/SSL errors

8. On Orchestrator instances with a version 2019.10 or below, the basic On-Premises Server login screen should be visible as pictured below:

9. On Orchestrator instances with version of 2020.4 or higher, instance’s login screen will be displayed via WebView as pictured below:

Further Troubleshooting:

If all the above steps doesn't work, follow the below steps to collect the information and send it to us:

1. Follow the Installation instructions on the GitHub page to setup the tool on your machine. The cli tool TestSSLServer is a free Windows command line tool that can be used to diagnose SSL issues : https://github.com/pornin/TestSSLServer/
2. Run the tool and collect the report.

• After you installed the TestSSLServer tool you can run the following command.

TestSSLServer2.exe -v https://myorchestrator.com > report.txt

• Replace https://myorchestrator.com with the domain or IP address that your Orchestrator instance is hosted on.
• This MUST be run on a device that can access the Orchestrator instance via that domain
• Navigate to the Orchestrator instance via web browser on this machine.
• Generate a report.txt file to send back to us, it will be created in the same directory where TestSSLServer2.exe was located.