When the Secure Socket Layer (SSL) certificate on an AirWatch Cloud Messaging (AWCM) server has expired, you might see an error similar to "Access denied" or "Unable to login" when attempting to log in to the Workspace ONE UEM Console.
This article provides instructions on how to renew or replace the SSL certificate on an AWCM server for on premise Workspace ONE deployment.
Note: The process illustrated in this article only applies to on premise Workspace ONE deployments. SSL certificate renewal for Shared SaaS environments is completed internally by Workspace ONE. SSL certificate renewal for Dedicated SaaS environments is completed by the combined efforts of Workspace ONE and Workspace ONE customers.
Within on premise Workspace ONE UEM Console environments, users may experience the error messages listed above due to an expired Secure Socket Layer (SSL) certificate on their AirWatch Cloud Messaging (AWCM) server.
Before proceeding, please review this article to verify that you are not experiencing the issue outlined here: Unable to login to Workspace ONE Console

The SSL certificate used by the AWCM application can be replaced using one of two methods:
- Manually update the Java keystore using keytool commands.
- Reinstall the AWCM application component with the new certificate.

Important: Before moving forward with either method, ensure you take a snapshot of your database per Workspace ONE best practices.

Keytool method

Note: The password with which the new certificate is exported needs to match the password with which the old certificate was exported. Moreover, this password is also the keystore password.

1. Log into the relevant AWCM server.
2. Open a command prompt, navigate to the AWCM config directory (C:\AirWatch\AirWatch<version>\AWCM\config by default), and run the following:
   keytool -list -v -keystore awcm.keystore
3. Type in the password when prompted (make a note of this password, as the new awcm.keystore file needs to use the same password).
   - Password to awcm.truststore = "password"
   - Password to awcm.keystore = password to the PFX certificate uploaded upon installation of AWCM.
   Do not use a password less than 6 characters, or you will not be able to change the certificate in awcm.keystore.
4. Export the new SSL certificate from the appropriate third-party Certificate Authority (CA), or from the local CA for certain on-premise deployments, and make sure the full signing chain is exported. Additionally, make sure that the password used to export is the same as the one used for the current awcm.keystore. Otherwise the import will succeed, but when AWCM starts an error message will appear and the status page will refuse to load (the pre-configured password will be incorrect and the AWCM app will not be able to open the keystore).
5. Copy the certificate into the AWCM config directory (C:\AirWatch\AirWatch<version>\AWCM\config by default).
6. Run the following command to replace the SSL certificate on AWCM servers:
   keytool -importkeystore -srckeystore <new-pfx-cert-name>.pfx -srcstoretype pkcs12 -destkeystore awcm.keystore.new -deststoretype JKS
   When this has completed successfully, you will see a new file named keystore.new in the config directory.
7. Stop the AWCM service.
8. Rename the keystore to awcm.keystore.old.
9. Rename the keystore.new to awcm.keystore.
10. Start the AWCM service.
11. Using a valid AWCM URL, try to load the status page (https://<External_AWCM_URL>/awcm/statistics). If the status page loads, check the certificate details. It should now display the values for the newly uploaded certificate.
12. If the status page fails to load, check the log files.
13. If rollback is required, rename the keystore to awcm.keystore.new. Then rename awcm.keystore.old to awcm.keystore and restart AWCM. This will restore the previous settings.

AWCM reinstallation method

1. Obtain the full chain (.pfx or .p12) of your renewed SSL certificate.
2. If your AWCM is shared with other Workspace ONE or AirWatch components, then on the server where they are all installed, navigate to Programs and Features (Add/Remove Programs), locate Workspace ONE (this may also be labeled as AirWatch), and click Change. Then select Add/Remove Workspace ONE Features (this may be listed as AirWatch Features) and proceed to step 4.
3. If you installed AWCM on a standalone server, then:
   a. Obtain the full Workspace ONE installer that corresponds to the current Workspace ONE UEM version your environment is running and copy it to the server AWCM is on. If you kept your last-used installer, you can use it. Otherwise, contact Workspace ONE Support via the My Workspace ONE portal to receive the installer for your specific Workspace ONE version.
   b. Run the installer on the server where AWCM is installed.
   Important: Depending on which components are installed on your server with AWCM, you could experience disruptions in service or functionality during the re-installation process. Refer to the Workspace ONE Upgrade Guide for more details on stopping and restarting services.
4. During installation, on the Workspace ONE Features (may be listed as AirWatch Features) screen, right-click AirWatch Cloud Messaging and select This feature will not be available. Proceed with the remainder of the installation to completion.
5. If your AWCM is shared with other Workspace ONE/AirWatch components, then once again navigate to Programs and Features and select Change for the Workspace ONE/AirWatch application. Then select Add/Remove Workspace ONE features (may be listed as AirWatch features) and skip the next step.
6. If your AWCM is installed as a standalone server, then run the installer again.
7. On the Workspace ONE Features screen, right-click AirWatch Cloud Messaging and select This feature will be installed on the local hard drive. Proceed with the installation until you reach the AWCM server settings screen with the Use custom SSL certificate? check box.
8. Browse to the location of the full chain (.pfx or .p12) of your renewed SSL certificate.
9. Enter the certificate password and click Next. Proceed with the remainder of the installation to completion.
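For the keytool method above, a pre-swap check that parses the output of keytool -list -v run against the newly built keystore and reports a missing private key, a missing signing chain or an out-of-date certificate before the AWCM service is stopped. This is an added example, not code from Workspace ONE; it assumes English keytool output, and the function names and the sample listing are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed `keytool -list -v` output (names and dates made up for this example).
SAMPLE = """\
Your keystore contains 1 entry
Alias name: awcm
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=awcm.example.com
Issuer: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025
"""
VALID = re.compile(r"^Valid from: (.+?) until: (.+)$")

def _java_date(text):
    # Java prints "Wed Jan 01 00:00:00 UTC 2025"; drop the zone token (accurate to ~1 day).
    p = text.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_listing(text):
    """One dict per alias: entry type, chain length, validity windows."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        key, _, val = line.partition(": ")
        if key == "Alias name":
            entries.append({"alias": val, "type": None, "chain": 0, "validity": []})
        elif entries and key == "Entry type":
            entries[-1]["type"] = val
        elif entries and key == "Certificate chain length":
            entries[-1]["chain"] = int(val)
        elif entries and (m := VALID.match(line)):
            entries[-1]["validity"].append((_java_date(m[1]), _java_date(m[2])))
    return entries

def problems(entries, now):
    """Reasons not to put this keystore into service (empty list = none found)."""
    out = []
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not keys:
        out.append("no PrivateKeyEntry: AWCM would have no key to serve TLS with")
    for e in keys:
        if e["chain"] < 2:  # assumption: a CA-issued leaf needs at least one issuer
            out.append(f"{e['alias']}: chain length {e['chain']}, signing chain missing")
        for i, (start, end) in enumerate(e["validity"], 1):
            if not start <= now <= end:
                out.append(f"{e['alias']}: Certificate[{i}] not valid on {now:%Y-%m-%d}")
    return out
```

Capture the output of keytool -list -v -keystore awcm.keystore.new, pass it to parse_listing, and go on to the rename steps only when problems returns an empty list.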
Please refer to this resource for additional information on certificates utilized with Workspace ONE: Updating Certificates for Workspace ONE UEM Services