AWCM: Identity doesn't tally with subject alternative name

Error/Symptom

This error appears in the AWCM (AirWatch Cloud Messaging) logs on the AWCM server. It prevents AWCM from functioning, which impacts ACC, MAG and any other component that leverages AWCM.

The AWCM status page (https://awcm_URL:2001/awcm/status) does not return OK when accessed from the AWCM server. Port 2001 is typically used for an on-premises instance of AirWatch. If a custom port was used, replace 2001 in the URL with that port.

The relevant log entries are shown below.

2016-02-15 10:56:32,717 INFO (nioEventLoopGroup-3-7) [com.airwatch.awcm.crypto.AWCMCMSUtil] - Identity doesn't tally with subject alternative name listing in certificates accompanying signature: 723d2fac-d07a-44cb-8318-a25c3be2a5cc

2016-02-15 10:58:26,628 INFO (nioEventLoopGroup-3-2) [com.airwatch.awcm.event.AWCMMessageReceivedEventHandler] - No origin found for queried identifier: A474BD6EFAAC1029ECFE20D06EE5035C

2016-02-15 10:58:32,728 INFO (pool-2-thread-4) [com.airwatch.awcm.statistics.AWCMStatistics] - Updating last Heart beat of AWCMLookupKey{id: {723D2FAC-D07A-44CB-8318-A25C3BE2A5CC}, authenticatedScheme: {CMS_WITH_SAN_SKIP}}

2016-02-15 10:58:32,728 INFO (nioEventLoopGroup-3-7) [com.airwatch.awcm.crypto.AWCMCMSUtil] - Identity doesn't tally with subject alternative name listing in certificates accompanying signature: 723d2fac-d07a-44cb-8318-a25c3be2a5cc

2016-02-15 11:00:32,739 INFO (pool-2-thread-45) [com.airwatch.awcm.statistics.AWCMStatistics] - Updating last Heart beat of AWCMLookupKey{id: {723D2FAC-D07A-44CB-8318-A25C3BE2A5CC}, authenticatedScheme: {CMS_WITH_SAN_SKIP}}

2016-02-15 11:00:32,739 INFO (nioEventLoopGroup-3-7) [com.airwatch.awcm.crypto.AWCMCMSUtil] - Identity doesn't tally with subject alternative name listing in certificates accompanying signature: 723d2fac-d07a-44cb-8318-a25c3be2a5cc

2016-02-15 11:02:32,750 INFO (pool-2-thread-32) [com.airwatch.awcm.statistics.AWCMStatistics] - Updating last Heart beat of AWCMLookupKey{id: {723D2FAC-D07A-44CB-8318-A25C3BE2A5CC}, authenticatedScheme: {CMS_WITH_SAN_SKIP}}
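
To see which identity is failing the SAN check and how often, the log excerpt above can be tallied with a short script. This is an added example, not AirWatch code; the function name summarize and the regular expressions are assumptions derived only from the log format shown on this page.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt on this page.
SAMPLE_LOG = """\
2016-02-15 10:56:32,717 INFO (nioEventLoopGroup-3-7) [com.airwatch.awcm.crypto.AWCMCMSUtil] - Identity doesn't tally with subject alternative name listing in certificates accompanying signature: 723d2fac-d07a-44cb-8318-a25c3be2a5cc
2016-02-15 10:58:26,628 INFO (nioEventLoopGroup-3-2) [com.airwatch.awcm.event.AWCMMessageReceivedEventHandler] - No origin found for queried identifier: A474BD6EFAAC1029ECFE20D06EE5035C
2016-02-15 10:58:32,728 INFO (pool-2-thread-4) [com.airwatch.awcm.statistics.AWCMStatistics] - Updating last Heart beat of AWCMLookupKey{id: {723D2FAC-D07A-44CB-8318-A25C3BE2A5CC}, authenticatedScheme: {CMS_WITH_SAN_SKIP}}
2016-02-15 10:58:32,728 INFO (nioEventLoopGroup-3-7) [com.airwatch.awcm.crypto.AWCMCMSUtil] - Identity doesn't tally with subject alternative name listing in certificates accompanying signature: 723d2fac-d07a-44cb-8318-a25c3be2a5cc
2016-02-15 11:00:32,739 INFO (pool-2-thread-45) [com.airwatch.awcm.statistics.AWCMStatistics] - Updating last Heart beat of AWCMLookupKey{id: {723D2FAC-D07A-44CB-8318-A25C3BE2A5CC}, authenticatedScheme: {CMS_WITH_SAN_SKIP}}
2016-02-15 11:00:32,739 INFO (nioEventLoopGroup-3-7) [com.airwatch.awcm.crypto.AWCMCMSUtil] - Identity doesn't tally with subject alternative name listing in certificates accompanying signature: 723d2fac-d07a-44cb-8318-a25c3be2a5cc
2016-02-15 11:02:32,750 INFO (pool-2-thread-32) [com.airwatch.awcm.statistics.AWCMStatistics] - Updating last Heart beat of AWCMLookupKey{id: {723D2FAC-D07A-44CB-8318-A25C3BE2A5CC}, authenticatedScheme: {CMS_WITH_SAN_SKIP}}
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ \([^)]*\) \[[^\]]+\] - (?P<msg>.*)$")
MISMATCH = re.compile(r"Identity doesn't tally with subject alternative name.*signature: (?P<id>[0-9A-Fa-f-]{36})")
HEARTBEAT = re.compile(r"Updating last Heart beat of AWCMLookupKey\{id: \{(?P<id>[0-9A-Fa-f-]{36})\}, "
                       r"authenticatedScheme: \{(?P<scheme>\w+)\}\}")


def summarize(text):
    """Tally SAN-mismatch and heartbeat entries per identity (GUIDs lower-cased)."""
    out = defaultdict(lambda: {"mismatches": 0, "heartbeats": 0, "schemes": set(),
                               "first": None, "last": None})
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not an AWCM log line in the format shown above
        hit, kind = MISMATCH.search(line["msg"]), "mismatches"
        if not hit:
            hit, kind = HEARTBEAT.search(line["msg"]), "heartbeats"
        if not hit:
            continue  # e.g. "No origin found ..." entries are ignored here
        rec = out[hit["id"].lower()]  # the log mixes upper- and lower-case GUIDs
        rec[kind] += 1
        if kind == "heartbeats":
            rec["schemes"].add(hit["scheme"])
        rec["first"] = rec["first"] or line["ts"]
        rec["last"] = line["ts"]
    return dict(out)


if __name__ == "__main__":
    for ident, rec in summarize(SAMPLE_LOG).items():
        print(f"{ident}: {rec['mismatches']} SAN mismatches, {rec['heartbeats']} heartbeats "
              f"({', '.join(sorted(rec['schemes']))}), {rec['first']} .. {rec['last']}")
```

Running the same tally again after the certificates have been corrected shows whether the mismatch count for that identity has stopped growing.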

Cause

This error is caused by the following:

1. AWCM was installed with a wrong SSL certificate.

2. The certificates in the Java key store were removed or replaced. (AWCM stores its certificates in the Java key store instead of using the MMC (Microsoft Management Console).)

3. The certificates in the AWCM trust store were removed or replaced. The awcm.truststore has the Secure Channel certificate, which is downloaded from the Admin Console. (The Secure Channel certificate establishes security between the AirWatch Admin Console and AWCM.)

Resolution

1. This error can be fixed by re-installing AWCM on the AWCM server, followed by re-running the Secure Channel certificate.

2. The certificates can also be added manually by using keytool commands.

Command to replace certificate in Java key store

Navigate to the awcm\config folder on the AWCM server, which has the Java key store certificates, and run the command with the appropriate values.

keytool -import -trustcacerts -file {cert file} -alias {common name} -keystore $JAVA_HOME/jre7/lib/security/cacerts

Command to replace certificate in AWCM trust store

Navigate to the AWCM\config directory and run the following command with the appropriate values:

keytool -importkeystore -srckeystore <new-pfx-cert-name>.pfx -srcstoretype pkcs12 -destkeystore awcm.keystore.new -deststoretype JKS
