Disclaimer

My postings are my own and don’t necessarily represent VMware’s positions, strategies or opinions.

General Rules

  1. Do not install Enterprise Service Connector/AirWatch Cloud Connector (ESC/ACC) until you are absolutely sure AWCM is working.
  2. Do not install AWCM or ESC (ACC) in the Global tenant.
  3. Check that there is a Device Root Certificate in the Organization Group in which you are working. It is located in \system configuration\system\advanced\device root certificate. If there is nothing, click Generate.

AWCM installation

See AirWatch configuration page (RUS), or see below.


1. When installing AWCM, DO NOT use the self-signed SSL certificate. Check the box for “custom SSL”, which really means the public SSL certificate you put in IIS for Device Services. Notice that the two password fields in the installation dialog box are NOT the same: one is for the SSL certificate you are importing and one is the password to the Java Keystore.

2. Make sure that REST API is enabled in the OG where you are enabling AWCM.

3. Make sure that AWCM is enabled in the Site URLs page. Also, put the correct information in the two fields. The External URL should NOT contain http:// or https://. The Internal Service URL should contain https:// instead of http:// and should have the port number after the URL and “/awcm” at the end. It should look like https://{url}:2001/awcm.

4. Download and run the AWCM Secure Channel Certificate program from the Secure Channel Certificate page ON THE SERVER RUNNING AWCM.

DO NOT download the program onto another computer and copy it to the AWCM server!

Download and run this program “As Administrator”.

You may receive an error message saying that the application can’t find the Java folder; this can be a result of not running the program “As Administrator”.

5. Browse to the AWCM Status page by going to https://{url}:2001/awcm/status. If this page doesn’t come up, or if there is an SSL error, stop and fix it before you go on. Check the SSL certificate common name; it should match the name of the DS URL. If it says “Air Watch”, then you need to uninstall and reinstall AWCM, this time installing the correct SSL certificate (see #1).

ESC/ACC WILL NOT WORK if you use the self signed certificate!

The AWCM Status page MUST BE TRUSTED by the AirWatch Console AND by ESC. Test by opening the status page https://{url}:2001/awcm/status in a browser: there MUST BE NO CERTIFICATE WARNING!

6. Confirm that awcm.truststore and awcm.keystore are not corrupt and contain the correct certificates. Run the keytool application (see next section) and list the contents of both stores.

  • In awcm.keystore there should be 1 certificate and it should contain the SSL certificate for the site.
  • In the awcm.truststore there should be 2 or 3 certificates: one of them is Secure Channel Certificate.

If the certificates do not exist in the stores then you may need to re-install AWCM. If the password is not accepted then the store may be corrupt and you will need to reinstall AWCM.
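
The check in step 6, automated as an added example (not part of the original page or of any AirWatch tooling): it parses saved `keytool -list -v` output for both stores and reports deviations from what steps 1, 5 and 6 expect. The sample listings, the host name ds.example.com and all function names are constructed for this example, and the parser assumes keytool's English field labels.

```python
import re

# Constructed samples of `keytool -list -v` output, trimmed to the fields read below.
KEYSTORE_SAMPLE = """\
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=ds.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
"""
TRUSTSTORE_SAMPLE = """\
Alias name: aw secure channel certificate - ds.example.com
Entry type: trustedCertEntry
Alias name: example root ca
Entry type: trustedCertEntry
"""

def parse_entries(listing):
    """Split a listing into entries; Owner/Issuer come from the first (leaf) certificate."""
    def field(block, name, default=None):
        m = re.search(rf"^{name}: (.*)$", block, flags=re.M)
        return m.group(1).strip() if m else default
    return [{"alias": b.splitlines()[0].strip().lower(),
             "type": field(b, "Entry type"),
             "chain": int(field(b, "Certificate chain length", "1")),
             "owner": field(b, "Owner"), "issuer": field(b, "Issuer")}
            for b in re.split(r"^Alias name: ", listing, flags=re.M)[1:]]

def cn_matches(dn, host):
    """Compare the subject CN with the DS host name, allowing a one-label wildcard."""
    m = re.search(r"CN=([^,]+)", dn or "")
    cn, host = (m.group(1).strip().lower() if m else ""), host.lower()
    return cn == host or (cn.startswith("*.") and host.partition(".")[2] == cn[2:])

def check_stores(keystore_listing, truststore_listing, ds_host):
    """Return the problems found; an empty list means both stores look as expected."""
    ks, ts = parse_entries(keystore_listing), parse_entries(truststore_listing)
    # k is the single private-key entry, or None if the keystore is not shaped like that.
    k = ks[0] if len(ks) == 1 and ks[0]["type"] == "PrivateKeyEntry" else None
    checks = [
        (k is None, "awcm.keystore: expected exactly 1 private-key entry"),
        (k and k["owner"] == k["issuer"], "awcm.keystore: certificate is self-signed"),
        (k and not cn_matches(k["owner"], ds_host), "awcm.keystore: CN does not match DS host"),
        (k and k["chain"] < 2, "awcm.keystore: signing chain was not exported"),
        (not 2 <= len(ts) <= 3, "awcm.truststore: expected 2 or 3 certificates"),
        (not any("secure channel" in e["alias"] for e in ts),
         "awcm.truststore: Secure Channel Certificate not found"),
    ]
    return [message for failed, message in checks if failed]
```

Browsers validate the subjectAltName extension rather than the CN, so the browser test in step 5 remains the final word on whether the certificate is trusted.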

Java KeyStore

AWCM is a Java web application and stores its certificates in the Java Keystore as opposed to the Microsoft Certificate store. The Java Keystore and Java Truststore are located in the \airwatch\airwatch {version}\awcm\config folder.

There is a utility in Windows called “keytool”. With this utility you can view, add, and delete certificates from the Java Keystores.

Password to awcm.truststore = "password"
Password to awcm.keystore = password to the PFX certificate uploaded on installation of AWCM. DO NOT use a password shorter than 6 characters, or you will not be able to change the certificate in awcm.keystore.

Example of keytool commands:

# List the certificates in the store:
keytool -list -v -keystore awcm.truststore

# Import a certificate into a store:
keytool -import -trustcacerts -file {cert file} -alias {common name} -keystore $JAVA_HOME/jre/lib/security/cacerts

Replace database of AWCM

  • Run the following command to replace SSL cert on AWCM servers:

keytool -importkeystore -srckeystore <new-pfx-cert-name>.pfx -srcstoretype pkcs12 -destkeystore awcm.keystore.new -deststoretype JKS

  • Once this has completed successfully, you will now see a new file named awcm.keystore.new in the config directory.

  • Stop the AWCM service.

  • Rename the awcm.keystore to awcm.keystore.old.

  • Rename the awcm.keystore.new to awcm.keystore.

  • Start the AWCM service.

Reinstall of Secure Channel Certificate

If ESC is installed, uninstall it and delete all its folders before reinstalling the Secure Channel Certificate.

Before reinstalling the Secure Channel Certificate, you must delete the old certificate from the AWCM Java database. Delete a certificate in the store:

keytool -delete -alias "aw secure channel certificate - {url}" -keystore awcm.truststore

AWCM Logs 

See General Article on AirWatch Logs.

AirWatch Logs
To enable verbose AWCM logging, perform the following steps:
  1. Open the logback.xml file. The path to the file is \AirWatch\AirWatch x.x\AWCM\config\logback.xml.
  2. Search for the following:
    • <logger name="com.airwatch" level="info" />
    • <logger name="com.airwatch.awcm.jvm" level="info" />
    • <logger name="com.airwatch.awcm.channel" level="info" />
  3. Change the level to debug.
  4. Save the file and restart the AWCM services.

Once the issue is reproduced, return the logging level to info and restart the AWCM services. Otherwise the AWCM disk may fill up with logs.

Verify that AWCM works correctly

Perform the following to make sure that AWCM is functioning accurately:

  • Confirm that there is a device root certificate in the relevant OG by navigating to Settings / System / Advanced / Device Root Certificate.
  • Make sure that REST API is enabled.
  • Make sure that AWCM is enabled in the URL page of the site.
  • Browse to the AWCM Status page at https://{url}:2001/awcm/status (you should see "OK") and to https://{url}:2001/awcm/statistics

For clustering infrastructure on SaaS, browse over port 443 instead of 2001 (https://awcm118.awmdm.com/awcm/statistics) while testing the status page.

For load balanced deployments:

  • Ensure that clients who are required to connect to AWCM are pointed to and are able to reach the endpoint on the load balancer. This means that if installation of AWCM is on the DS servers, then ensure that the requests for AWCM from the DS services are still accessing the load balancer so that they are subject to the set rules.
  • As per the Installation Guide, the preferred deployment for a customer using ESC/ACC with AWCM is to deploy multiple AWCM nodes in an active-passive configuration. This makes everything easier since persistence of connections doesn't matter. There are no specific advantages with having two active nodes as the network load is not much while using only ESC/ACC.

Common Errors 

AWCM Status Error - DNS name

AWCM not working - page https://<DS_URL>:2001/awcm/status unavailable.

Error log seen:

2017-08-15 12:02:44,229 ERROR (nioEventLoopGroup-3-3) [com.airwatch.awcm.event.AWCMChannelConnectedEventHandler] - java.nio.channels.ClosedChannelException
java.util.concurrent.ExecutionException: java.nio.channels.ClosedChannelException
<...>
at io.netty.handler.ssl.SslHandler.channelInactive(...)(Unknown Source) [netty-all-4.0.43.Final.jar:4.0.43.Final]

Solution: The DNS name of Device Services is registered on the external proxy and is not known to the servers. Open the C:\Windows\System32\drivers\etc\hosts file on the AirWatch Admin Console server, and also on the server with Enterprise Connector Service, and add the EXTERNAL public DNS name of AWCM (as listed in the public certificate) bound to its internal IP.

AWCM Status Error - Cryptography

AWCM not working - page https://<DS_URL>:2001/awcm/status unavailable.

Error log seen:

2017-08-15 14:49:41,044 ERROR (nioEventLoopGroup-3-7) [com.airwatch.awcm.event.AWCMChannelConnectedEventHandler] - javax.net.ssl.SSLHandshakeException: no cipher suites in common
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: no cipher suites in common

Solution: AWCM was installed AFTER crypto algorithms were disabled in IIS hardening, and it cannot launch normally. AWCM must be reinstalled.

AWCM SSL Certificate Error

Certificate error while browsing the AWCM status page

1. Login to the AWCM server.

2. Open a command prompt, navigate to the following directory (E:\airwatch\airwatch<version>\AWCM\config) and run the following:

keytool -list -v -keystore awcm.keystore

3. Enter the password when prompted

4. Export a new SSL certificate from a machine.

Make sure that the full signing chain is exported (a setting that you select when exporting the certificate) and that the password used to export is the same as the one used for the current awcm.keystore.

If the passwords are not the same, the import succeeds but an error message appears when AWCM starts and the status page does not load (the pre-configured password will be incorrect and the AWCM app will not be able to open the keystore).

AWCM_BRIDGE_FILE_TRANSFER_TIMEOUT_IN_MINUTES : 15
2013-09-23 10:46:22,036 Error (main) [com.airwatch.awcm.ssl.AWCMSSLContext]: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
<...>
2013-09-23 10:46:22,036 ERROR (main) [com.airwatch.awcm.server.AWCMServer] - Error initializing server environment, exiting

5. When the certificate is on the AWCM server (copy into the C:\airwatch\airwatch<version>\AWCM\config directory), run the following command to replace SSL certificate:

keytool -importkeystore -srckeystore <new-pfx-cert-name>.pfx -srcstoretype pkcs12 -destkeystore awcm.keystore.new -deststoretype JKS

6. Once this has completed successfully, you will now see a new file named awcm.keystore.new in the config directory. Stop the AWCM service.

7. Rename the awcm.keystore to awcm.keystore.old.

8. Rename the awcm.keystore.new to awcm.keystore.

9. Start the AWCM service.

10. Using a valid AWCM URL, try to access the page (https://{url}:2001/awcm/status) and if the status page loads, then check the certificate details. It should display the values for the newly uploaded certificate.

  • If the status page does not load, check the log files.
  • If rollback is required, rename the awcm.keystore to awcm.keystore.new.
  • Then rename awcm.keystore.old to awcm.keystore. Restart AWCM to restore the old settings.

AWCM and Admin Console trust error

ESC/ACC starts and generates no errors in its log, and there are no errors in AWCM either. However, the console shows an error when performing Test Connection for ESC/ACC: Undefined Error; Please check server logs

Reason: there is no trust between AWCM and AirWatch Admin Console

Remedy:
Import the Intermediate and Root certificates for the public PFX certificate on the AWCM server and on the AirWatch Admin Console server.

ESC/ACC Errors

ESC/ACC service does not start.

Error log contains error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
<...>

Reason: ESC/ACC service does not start because there is no trust between ESC/ACC and AWCM.

If this error is present after trying to hit Update/Check URL on the console, check the SSL certificate on the console and do the following:

keytool -list -v -keystore "{AWCM install path}/awcm.truststore" > c:\test.txt

In the .txt file, search for the secure channel certificate; it should match the secure channel certificate in the console.

Remedy:

  • Generate new certificates for ESC/ACC and download the installer. Then, uninstall ACC and install the new ACC with the renewed certificates. Restart the AWCM service, if required.
  • Reinstall AWCM and download the installer from the console.