Worklight Push notification (APNS) fails with javax.net.ssl.SSLHandshakeException

Question

I have a Worklight 6.1 app on iOS with push notifications. It works fine, until something goes wrong on the Worklight server. All push notifications after that fail until

Answer 1

Once again … this took long enough to figure out.

The underlying problem was that the Worklight server was hosted on SoftLayer, and evidently the SoftLayer firewall by default monitors socket connections, and if a connection is idle for ~10 minutes, drops it.

So, the worklight server connected to APN and push worked. Then 10 minutes passed without any push notifications, and the firewall dropped the socket between the Worklight server and the APNS server. All subsequent push requests failed silently because Worklight had a dead socket for the APNS service.

We reconfigured the firewall to allow the connection to APNS to sit idle indefinitely and the problem was resolved.

Answer 2

After upgrading to the Worklight 6.0.0.2 fix pack, we've seen the same issue on Websphere running JDK 7. After some research I found this issue reported for IBM JDK 7. There is an issue with the Entrust certificate that is included in the JDK. I tried the workaround with replacing the cacerts file from the JDK 6 and this worked.

 Replace jre\lib\security\cacerts file in JDK 7 with
 jre\lib\security\cacerts file in JDK 6

http://www-01.ibm.com/support/docview.wss?uid=swg1IV43936

Note: To establish a TLS session with APNs, an Entrust Secure CA root certificate must be installed on the provider’s server. If the server is running OS X, this root certificate is already in the keychain. On other systems, the certificate might not be available. You can download this certificate from the Entrust SSL Certificates website.

https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/CommunicatingWIthAPS.html