
Push notification is failing for Android devices

Problem

When sending push notifications to Android devices, an error is returned. Device logs show the following error when connecting to the Transaction Service:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

TIP: To capture device logs, follow the steps outlined below:

  1. Launch IdentityGuard mobile.
  2. Click on the triple bar icon in the upper left-hand corner of the screen.
  3. Click on Settings.
  4. Scroll to the bottom and select the option to 'Email Logs'.

Cause

The Self Service Module (SSM), or the server that terminates the SSL connection for the Transaction Service, is not sending the full certificate chain. Unlike iOS, Android does not use AIA (Authority Information Access) to download the chain.

Solution

Install the missing intermediate and/or root certificate authorities for your SSL certificate. If all SSL connections terminate at SSM, then follow the steps below:

For SSM Version 12 or newer:

  1. Open a browser and navigate to the SSM properties editor: https://<ssmhostname>:8446/IdentityGuardSelfServiceConfig
  2. Click on 'Key Store Management'.
  3. Verify that all root and intermediate authorities associated with the 'tomcat' certificate are present. New certificates can be imported under the 'Import Trusted Certificate' tab.
  4. Restart Services.

TIP: To verify that the web server is sending out all authorities, check the website using an SSL check tool (e.g. https://www.sslshopper.com/ssl-checker.html).

If SSL terminates at a load balancer or VIP then you will need to contact your system administrator or the system vendor to properly configure the certificate chain.
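
The chain check from the TIP above can also be run locally with the openssl command line. This is an added example, not vendor code: the function names (fetch_sent_chain, chain_is_complete, issue_cert, make_demo_pki) are hypothetical, and the sample PKI is constructed only so the check can be tried offline.

```shell
# Added example, not vendor code. Requires the openssl CLI.
# Capture the certificates exactly as the server presents them (leaf first).
fetch_sent_chain() {  # usage: fetch_sent_chain <host> <port> > sent.pem
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Exit 0 only if the first cert in <sent.pem> reaches a root in <roots.pem>
# using just the other certs in <sent.pem>. Like Android, `openssl verify`
# does not download issuers via AIA. (OpenSSL's default CA directory, if
# populated, is trusted as well.)
chain_is_complete() {  # usage: chain_is_complete <sent.pem> <roots.pem>
  cic_d=$(mktemp -d) || return 2
  # First PEM block is the leaf; any others are server-supplied intermediates.
  awk -v d="$cic_d" '/-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > (d "/leaf.pem") }
    n >  1 { print > (d "/rest.pem") }' "$1"
  set -- -CAfile "$2"
  [ -s "$cic_d/rest.pem" ] && set -- "$@" -untrusted "$cic_d/rest.pem"
  cic_rc=0
  openssl verify "$@" "$cic_d/leaf.pem" >/dev/null 2>&1 || cic_rc=$?
  rm -rf "$cic_d"
  return "$cic_rc"
}

# Constructed sample PKI in <dir>: root.pem -> int.pem -> leaf.pem.
issue_cert() {  # usage: issue_cert <dir> <name> <signing-ca-name> <ext-section>
  openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "/CN=constructed-$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
    -days 2 -extfile "$1/cfg" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}
make_demo_pki() {  # usage: make_demo_pki <dir>
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' '[ee]' 'basicConstraints=CA:FALSE' > "$1/cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/cfg" -extensions ca \
    -subj '/CN=constructed-root' -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue_cert "$1" int root ca && issue_cert "$1" leaf int ee
}
```

With the constructed PKI, a file holding only leaf.pem fails the check against root.pem, while leaf.pem followed by int.pem passes; that difference is the gap Android reports as "Trust anchor for certification path not found".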