Access Installation

Components

Identity Manager Appliance

  • The Service: user portal, built-in AuthN and IdP (TCP443)
  • Certificate Proxy Service (TCP5262)
  • Kerberos Key Distribution Center (KDC) (TCP/UDP 88)
  • User database (vPostgres OR external MS SQL)
  • OS = PhotonOS
  • Main WS1 Access service = horizon-workspace

Enterprise Connector

  • ❗️The old connector version 1811 is needed for ThinApp publishing
  • The modern connector is a Java microservices app with 4 microservices: User Auth, Kerberos Auth, Virtual App (1 GB RAM set for each service) and Directory Sync (4 GB RAM)

Increasing memory of services on connector:

  1. Log in to the Windows server in which the Workspace ONE Access enterprise service is installed.
  2. Navigate to the INSTALL_DIR\Workspace ONE Access\serviceName folder.
  3. Open the serviceName.xml file in a text editor.
  4. Change the Xmx1g entry to Xmxng, where n is the maximum heap memory (in GB) you want to allocate. Example: Xmx5g
  5. Save file, restart service.

Network ports for the connector:

  • Inbound and outbound TCP443 (many uses)
  • Outbound TCP389, TCP636, TCP3268, TCP3269 (LDAP)
  • Outbound TCP88, UDP88, TCP464, TCP135, TCP445 (Kerberos, Directory Sync)
  • Outbound TCP53, UDP53 (DNS)
  • Outbound TCP5555 (RSA SecurID)
  • Outbound UDP514 (Syslog)

Intelligent Hub

This is a single client for both WS1 UEM and WS1 Access (corporate app marketplace + Hub Services: people search, notifications).

Old components

Identity Manager on Windows Server (Old, uses only Cloud KDC)

  • The Service: user portal, built-in AuthN and IdP (TCP443)
  • The Connector: AuthN and user, ThinApp and Horizon sync (TCP8443)
  • Certificate Proxy Service (TCP5262)

❗️ For IDM on Windows do NOT use non-English localized Windows versions. Workaround: change the regional number setting for the decimal separator to a period “.” instead of a comma “,”.

❗️ For IDM on Windows shut down IIS to free up port TCP80. The port is not used by IDM, but it must be free during the IDM install.

Workspace ONE client mobile app bundle ID: com.air-watch.appcenter

Subsections of Access Installation

Managing Certificates

General Commands

The most common command is building a PFX file from PEM files:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in fullchain.pem -certfile cert.pem

WS1 Access must always be signed with corporate or publicly trusted certificates. If Access is clustered, sign the load-balanced name with an externally trusted certificate and the 3 nodes with certificates from the corporate CA.

  • Go to the WS1 Access web console.
  • On the top, click the Appliance Settings tab.
  • On the left, click the VA Configuration node.
  • On the right, click Manage Configuration. You are redirected to a separate portal.
  • Log in with the admin account.
  • On the left, click Install TLS Certificates.
  • On the right, in the upper box, delete the certificate and key that are currently displayed.
  • Paste in the new PEM certificate and RSA private key. Paste every certificate in the chain: server + intermediate + root. Click Save.

❗️The order of certificates is important! First server, then intermediate, then root.
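As an added check (not part of the original notes), this POSIX shell script validates a PEM bundle before it is pasted into the Install TLS Certificates page: each certificate's issuer must be the subject of the certificate that follows it (server, intermediate, root), and the RSA private key must match the server certificate. It assumes openssl is on the PATH; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes. Checks a PEM bundle
# before it is pasted into "Install TLS Certificates": the chain must be
# ordered server -> intermediate -> root, and the key must belong to the
# server certificate. Assumes openssl is installed; file names are placeholders.
set -eu

# Split a PEM bundle ($1) into one file per certificate: $2/cert-01.pem, $2/cert-02.pem, ...
split_bundle() {
  mkdir -p "$2"
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n) }
                 n { print > f }' "$1"
}

# Return 0 when certificate i is issued by certificate i+1 for every i,
# i.e. the bundle is ordered leaf first; report the first mismatch otherwise.
check_chain_order() {
  tmp=$(mktemp -d)
  split_bundle "$1" "$tmp"
  count=0
  for f in "$tmp"/cert-*.pem; do count=$((count + 1)); done
  i=1
  while [ "$i" -lt "$count" ]; do
    next=$((i + 1))
    issuer=$(openssl x509 -in "$(printf '%s/cert-%02d.pem' "$tmp" "$i")" -noout -issuer)
    subject=$(openssl x509 -in "$(printf '%s/cert-%02d.pem' "$tmp" "$next")" -noout -subject)
    # openssl prefixes its output with "issuer=" / "subject="; compare the DNs only
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "certificate $i is not issued by certificate $next: chain order is wrong" >&2
      rm -rf "$tmp"
      return 1
    fi
    i=$next
  done
  rm -rf "$tmp"
}

# Return 0 when the RSA private key ($2) matches the first (server) certificate in the bundle ($1).
check_key_matches() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)   # x509 reads only the first certificate
  key_mod=$(openssl rsa -in "$2" -noout -modulus)
  [ "$cert_mod" = "$key_mod" ]
}

# Usage: check_chain_order fullchain.pem && check_key_matches fullchain.pem privkey.pem
```

Run both checks on the exact bundle you are about to paste; a wrong order or a foreign key is reported before the web service is restarted with a broken certificate.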

Certificate Requests

######### The cert request in idm01.domain.local.inf file

[Version]
Signature= "$Windows NT$" 
 
[NewRequest]
Subject = "CN=idm01.domain.local,OU=IT,O=Horn_n_hooves,L=Moscow,S=Moscow,C=RU"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
FriendlyName = "vdm" ; needed for Horizon Connection Server only!
 
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
 
[RequestAttributes]
CertificateTemplate = WebServerExportable2008
 
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note: 2.5.29.17 is the OID for a SAN extension.
 
2.5.29.17 = "{text}"
_continue_ = "dns=idm01.domain.local&dns=idm01&dns=idm02.domain.local&dns=idm02&dns=idm03.domain.local&dns=idm03&dns=idm.domain.local"
##################################################################################

Batch script to submit the certificate request:

set srvname=idm01.domain.local
cd C:\temp

Certreq -New -f %srvname%.inf %srvname%.req
Certreq -submit %srvname%.req %srvname%.crt
Certreq -accept %srvname%.crt
Certutil -exportpfx -p 12345 %srvname% "%srvname%.pfx"

To paste the private key from the PFX file into vIDM you need an unencrypted copy of the key. Use OpenSSL to extract it:

openssl pkcs12 -in idm01.domain.local.pfx -nocerts -out idm01.domain.local_encrypted.key
openssl rsa -in idm01.domain.local_encrypted.key -out idm01.domain.local_decrypted.key

Open idm01.domain.local_decrypted.key in a text editor and copy the key from there. After inserting the certificates, click OK to restart the WS1 Access web service.

Password Reset

❗️The admin user password must be at least 12 characters in length.

SSH User Password Change

Connect to WS1 Access Appliance by SSH, run command:

passwd sshuser

Web Console Admin Password Reset

  1. Log in as root to the URL: https://ApplianceFQDN:8443/cfg/changePassword

  2. Connect to WS1 Access over SSH (sshuser password needed), switch to root with su, and run one of these commands to reset the password:

  • Admin console site:
/usr/sbin/hznAdminTool setOperatorPassword --pass newsecretpassword
  • Configurator page:
/usr/sbin/hznAdminTool setSystemAdminPassword --pass newsecretpassword

Root User Password Reset

WS1 Access runs on VMware PhotonOS, a Linux variant, which has a single-user mode.

  1. Go to the vCenter Server list of VMs;
  2. Right-click the affected WS1 Access OVA and click Open Console;
  3. Under the VM menu, click Power->Shut Down Guest;
  4. When the shutdown completes, power on the WS1 Access appliance;
  5. When the GNU GRUB menu is displayed, press p and enter the configured bootloader password = ⭐️ H0rizon! ⭐️ ; ❗️The GRUB menu appears only for a few seconds. If you miss it, reboot and try again;
  6. Use the up and down arrow keys to navigate to the first entry, and press e to edit the boot parameters;
  7. Use the arrow keys to navigate to the line beginning with kernel and press e to edit it;
  8. The cursor is at the end of the line; type a space and then append init=/bin/bash to the line;
  9. Press Enter to confirm the changes;
  10. Press b to boot;
  11. After boot you have root access and can set new passwords: for root, passwd; for sshuser, passwd sshuser; ❗️Follow the password policies for the new passwords!
  12. Shut down with the command shutdown -h -P now; ❗️VMware Tools do NOT work in single-user mode, so shutting down from vCenter will NOT work;
  13. Start the WS1 Access appliance.

SQL Preparation

Manual

Internal PostgreSQL

To log in to the internal DB you need the PostgreSQL password. First log in to the console over SSH and read it:

cat /usr/local/horizon/conf/db.pwd

Copy password, then login with it:

psql saas horizon

External MS SQL Preparation

❗️ The database schema name must be ‘saas’ and cannot be changed.

❗️ The collation must be ‘Latin1_General_CS_AS’; it can be changed, but changing it is not recommended.

❗️ The server role used to grant server-wide security privileges is public. The database role membership is db_owner.

Microsoft SQL database using local SQL Server authentication mode for Workspace ONE Access (replace the values in angle brackets < >):

CREATE DATABASE saas
COLLATE Latin1_General_CS_AS;
ALTER DATABASE saas SET READ_COMMITTED_SNAPSHOT ON;
GO

BEGIN
CREATE LOGIN <loginusername> WITH PASSWORD = N'<password>';
END
GO

USE saas;
IF EXISTS (SELECT * FROM sys.database_principals WHERE name=N'<loginusername>')
DROP USER [<loginusername>]
GO

CREATE USER [<loginusername>] FOR LOGIN [<loginusername>]
WITH DEFAULT_SCHEMA=saas;
GO

CREATE SCHEMA saas AUTHORIZATION <loginusername>
GRANT ALL ON DATABASE::saas TO <loginusername>;
GO

ALTER ROLE [db_owner] ADD MEMBER <loginusername>;
GO

JDBC URLs

SQL local user:
jdbc:sqlserver://<DB_VM_IP_ADDR>;DatabaseName=saas

Named instance and port (you can omit the instance name if it is the default instance):
jdbc:sqlserver://<DB_VM_IP_ADDR>\INSTANCE_NAME:PORT;DatabaseName=saas

AD domain user:
jdbc:jtds:sqlserver://<DB_VM_IP_ADDR>:1433/saas;integratedSecurity=true;domain=LAB.LOCAL;useNTLMv2=true

Multi-site, SQL Always On:
jdbc:sqlserver://;DatabaseName=saas;multiSubnetFailover=true

Troubleshooting Issues

Troubleshooting JDBC URL Wizard page

Back and continue buttons become greyed out and unclickable.

  • Open the browser's developer tools (Firefox, Chrome);
  • Right-click the disabled button and choose “Inspect Element”. Find the element with the ID “nextButton”;
  • That element carries the value “is-disabled”. Remove “is-disabled” from the line by clicking and typing into the inspector;
  • Return to the web page; the button should work again. Click it and proceed.

Database Locked Error

Check the result of the following DB query. If the DB is locked, you will see an entry with the LOCKED value set to 1 or TRUE.

SELECT * FROM saas.DATABASECHANGELOGLOCK;

If LOCKED = TRUE, run the UPDATE statement below to release/reset the DB lock.

USE [DBNAME]
GO

UPDATE [saas].[DATABASECHANGELOGLOCK]
   SET [LOCKED] = 0,
       [LOCKGRANTED] = NULL,
       [LOCKEDBY] = NULL
 WHERE ID = 1
GO

Restart horizon-workspace service on each node one after another. ❗️DO NOT restart all nodes of WS1 Access cluster simultaneously.

Important Queries

Update the connector if more than one connector is set for both sync and authentication (disable sync on the authentication connector):

UPDATE saas.Connector SET isDirectorySyncEnabled = 0 WHERE host = '<auth_connector_hostname>';

Check from the DB side whether the IDM certificate is present in the console:

SELECT * FROM dbo.coreuser WHERE isactivedirectoryuser = 0;
SELECT * FROM dbo.certificate WHERE certificatethumbprint LIKE '%%';
SELECT * FROM dbo.UserLink WHERE coreuserid = <username>;
SELECT * FROM dbo.role WHERE roleid = 3;

List of UUIDs with Super Admin access:

SELECT U.strUsername, U.strFirstName, U.strLastName, U.strExternalId, U.strEmail, U.uuid
FROM slesdb.saas.Users U (nolock)
INNER JOIN (
    SELECT * FROM slesdb.saas.ACS_RuleSetAssociation (nolock)
    WHERE ruleSetId LIKE (
        SELECT id FROM slesdb.saas.ACS_RuleSet (nolock)
        WHERE name LIKE 'Super Admin')
) AS A ON U.uuid = A.SubjectUUID
ORDER BY U.strUsername;

Update the email address of a user or admin:

UPDATE slesdb.saas.Users
SET strEmail = '<new_email>'
WHERE strUsername LIKE '<username>';

Update the description of the Identity Provider with the correct connector name (the WHERE clause limits the update to the Workspace IdP that the subquery resolves):

UPDATE slesdb.saas.IdentityProviders
SET strDescription = (
    SELECT host FROM slesdb.saas.Connector WHERE id = (
        SELECT idConnector FROM slesdb.saas.IdpJoinConn WHERE idIdentityProvider = (
            SELECT id FROM slesdb.saas.IdentityProviders WHERE strFriendlyName LIKE '%Workspace%')))
WHERE strFriendlyName LIKE '%Workspace%';

Update the attribute column to make it mandatory or non-mandatory. First find the attribute id:

SELECT id, * FROM slesdb.saas.userattributedefinition WHERE idorganization IS NOT NULL AND ownerUuid IS NULL AND strName LIKE '<attribute to be updated>';

Then run (bIsRequired = 0 makes the attribute optional, 1 makes it mandatory):

UPDATE slesdb.saas.userattributedefinition SET bIsRequired = 0 WHERE id = <id identified above>;

Connector Sync Validation

SELECT id, uuid, tenantID, host, domainJoined, createdDate, oAuth2ClientId, isDirectorySyncEnabled FROM saas.Connector;

SELECT idSyncProfile, directoryConfigId, syncConnectors FROM saas.DirectorySyncProfile;

⭐️ In saas.Connector, isDirectorySyncEnabled = 1 marks the connector that is set as the sync connector. If the wrong one is flagged, you can update it:

UPDATE saas.Connector SET isDirectorySyncEnabled = 0 WHERE id = 1;

⭐️ In saas.DirectorySyncProfile, syncConnectors holds the uuid value of the connector from saas.Connector. You can update it as well if needed:

UPDATE saas.DirectorySyncProfile SET syncConnectors = '["12345678-abcd-1234-1234-0123a678b78"]' WHERE idSyncProfile = 1;