Error IPH6035 after upgrade to Afaria 7 SP5

Former Member

Hi!
I just upgraded our Afaria 7 SP4 HF6 server to SP5.

Now, even though all services are running fine, I am no longer able to communicate with our iOS devices.

In the server log I can see the following fault message whenever I try to send something (e.g. "Lock Device"):

IPH6035: PutMDM Message Signing Validation Failure. UDID: xxx.

Although the Afaria app on the iPhones says communication is established, the "last connection" time of every device is from before the upgrade.

I applied SP5 HF6 without any change.

I reverted the machine back to SP4 and applied the latest SP4 hotfix (HF13), with the same result.

When I restore the snapshot to the previous version SP4 HF6, everything runs fine again.

I guess it is somehow related to the communication with the CA server.

Does anybody have an idea what was changed in SP4 HF14 and SP5 that causes our installation to stop working?

Accepted Solutions (0)

Answers (3)


Former Member

Just in case someone faces this rare error message (not very likely):

It turned out that our problem is related to the relay server. Since it seems that we are the only customer worldwide running a Linux relay server, the problem still could not be fixed.

All I can say is that we are very disappointed by the SAP service, not being able to fix a complete system outage for almost half a year. Since we cannot stand the pressure in our house anymore, we have to consider looking for another MDM from a competitor.

Former Member

Hello there,

Just an FYI: when upgrading your Afaria system and applying patches multiple times, you should do a quick check to see that all the components are running at the same patch level.

Take a look at KBA 2053554; it seems to address the same issue as the original post.

I hope that also helps.

Zoe

tracy_barkley
Employee

There is a new security feature added in the new code lines you applied. Each needs to sign the iOS payload. There are a couple of possible issues you can run into. These two are the first things to try.

1) Make sure your CA Root Cert has been installed on the Enrollment server (this is the one that trips up most customers)

2) Do a device refresh action which will trigger the devices to check in with the server for an inventory and they should begin signing. 

Beyond these two, make sure you are proxying, not relaying, your CA. Check the SignMdmMessages column in the a_iphone_device table if things aren't working after this, and let us know the value of this column.

Tracy Barkley

SAP, Active Global Support

Former Member

Thanks for your reply.

1) is installed (it actually was already)

2) After this action, at least some devices are connected again according to the "Last Connection" tab under Devices. But I get lots of "IPH6011: mdm: InstallProfile for xxx err" messages in the server's log file.

Where can I find the setting regarding proxying/relaying our CA?

I also checked the SignMdmMessages column; the value there is always 20 (see pic).

But when I try to remote lock a phone, I still get the IPH6035 error and the phone does not get locked, even though I see communication on the device:

Nov 19 14:56:32 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: mdmd starting...

Nov 19 14:56:32 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Network reachability has changed.

Nov 19 14:56:32 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Network reachability has changed.

Nov 19 14:56:32 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Push token received.

Nov 19 14:56:32 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Received push notification.

Nov 19 14:56:32 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Polling MDM server https://xxx.xxx.xx.at:xx443/cli/iarelayserver/SRVAPIPM01iOSFarm/aips2/aipService.svc/PutMdm for next command.

Nov 19 14:56:33 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Transaction completed. Status: 200

Nov 19 14:56:33 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: Server has no commands for this device.

Nov 19 14:56:35 iPhone-Test-5S mdmd[198] <Notice>: (Note ) MDM: mdmd stopping.

tracy_barkley
Employee

20 is the final state before signing. It generally means the CA is not available. Check KBA 1957644. Although not specifically for this issue, it covers the proxying of the CA and should help with that step. The general steps are: use the utility to point to the internal CA address and check the proxy option in SP. In SP5 this will not be a check box, but you can test the connectivity. The CA needs to be added as an internal address. Are you using a relay server?

Tracy

Former Member

We have the same errors on several of our Afaria systems, SP4 and SP5. It all seemed to happen at roughly the same time, and the systems are completely separate, so it's not a local issue.

I've just checked KBA 1957644 and still no luck so I hope you can fix it Tracy 🙂

Peter

tracy_barkley
Employee

Peter,

I certainly will try. Is the error the same (install profile failed), or does it mention the revocation server being offline? I would more expect the latter if it is affecting multiple Afaria servers on the CA. Have you turned on the debug on the enrollment server yet? If it is the revocation server, it is most likely configuration on the CA. By default most CAs present it as file:// or ldap://, which may or may not be available. You can uncheck the option in the CA to present those, and let it only present the HTTP:// address instead. You can check what is being presented by going to a cert the CA delivered, looking into the details, and looking down at the URI section for the CRL.

The other thing I have seen affect this is if the IPSEC offline template is missing or does not allow enrollments. Generally this latter part only affects standalone CAs.

Can I get any specific details of the errors you are seeing, and a snippet of the debug if you have it? I know you work with AGS a lot, so I am making an assumption you have it on.

Tracy
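A way to carry out the check Tracy describes (look at the CRL distribution points a certificate the CA delivered advertises, and see whether a revocation check against them succeeds) is the following PowerShell script. It is an added example for this thread, not Afaria tooling or code from any of the posters; the certificate path is an assumption, and it is meant to be run on the Enrollment Server against any certificate the CA has issued.

```powershell
# Added example, not from the thread or from Afaria: list the CRL Distribution
# Points (CDP) of a certificate the CA issued, flag the file:// and ldap://
# entries that an enrollment server outside the domain (or an iOS device)
# cannot reach, fetch the HTTP ones, and then build the chain with online
# revocation checking to surface the same "revocation server offline" status
# Windows reports to the signing code.
# Assumption: $CertPath points at any certificate delivered by the Afaria CA.
param(
    [string]$CertPath = 'C:\temp\issued-by-afaria-ca.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# OID 2.5.29.31 = id-ce-cRLDistributionPoints. Format($true) renders the
# extension the same way the MMC "Details" tab does, one "URL=..." per line.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp -eq $null) {
    Write-Warning 'Certificate carries no CRL Distribution Points extension'
} else {
    $uris = @($cdp.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match 'URL=(?<uri>\S+)') { $Matches['uri'] } })

    foreach ($uri in $uris) {
        switch -Regex ($uri) {
            '^(file|ldap)://' {
                Write-Warning "$uri : only usable on domain-joined hosts with access to the CA; consider unchecking this CDP on the CA"
            }
            '^https?://' {
                try {
                    $bytes = (New-Object System.Net.WebClient).DownloadData($uri)
                    Write-Host "$uri : fetched CRL, $($bytes.Length) bytes"
                } catch {
                    Write-Warning "$uri : CRL fetch failed ($($_.Exception.Message))"
                }
            }
            default { Write-Host "$uri : unknown scheme, check manually" }
        }
    }
}

# Let Windows perform the full validation the signing path depends on:
# build the chain and require online revocation checking of the entire chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
Write-Host "Chain builds and validates: $valid"
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown or OfflineRevocation here means the CDP listed
    # above is what needs fixing on the CA, not anything on the Afaria server.
    Write-Warning "$($status.Status): $($status.StatusInformation.Trim())"
}
```

The first half tells you which CDP URIs are baked into the issued certificates; the second half reproduces what the OS chain engine concludes from them, so a clean CDP list with a failing chain build points at network reachability rather than CA configuration. The script uses only .NET classes available on Windows Server 2008 R2 with PowerShell 2.0.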

Former Member

As you mentioned, with SP5 it is not possible anymore to set proxy mode. I did the test with the mentioned tool and got this result:

"Exception: ASN1 bad tag value met" could point to a fault.

And yes, we are using a relay server (Linux).

Interestingly, others have this fault too.

Y.

tracy_barkley
Employee


Y,

Two things on this. First, make sure you get HF6, which was released last week; second, I believe you are relaying the call from the enrollment server to the CA. On the Certificate Authority page in the configuration, uncheck the option to relay the CA if you have it checked. Then test the connection again in the utility. Once we have that working you should be good to go.

Former Member

Hi Tracy!

We had this problem after the upgrade to SP4 HF13 and also with SP5 HF5, so we reverted to SP4 HF6, which was running fine.

Now that SP5 HF6 has been released, I gave it another try. Unfortunately the problem persisted.

I removed the relaying for the CA server. Now the connectivity test on the same site passes. The test tool delivers the following:

Is "ASN1 bad tag value met" ok, or does it point to another fault?

When trying to lock a device, I still get "IPH6035: PutMDM Message Signing Validation Failure" and nothing happens on the device.

Y.

tracy_barkley
Employee

We are getting there, now that connectivity is restored. I think the bad tag value is still a concern. Can you reboot the CA? In general I have seen this type of error clear after a CA reboot.

Tracy

Former Member

Just did a reboot (it gets rebooted once every week anyway), but nothing changed.

tracy_barkley
Employee

Well, it is definitely a certificate error on the CA. At this point, I would recommend opening an incident with support, and one of us in AGS can help with more detailed troubleshooting.

Former Member

Ok, will do that.

But what I do not understand is that when I revert Afaria back to SP4 HF6 (VM snapshot), it works again.

If it were a general error in our CA, then it would fail with older versions too, right?

Y.

tracy_barkley
Employee

Not at all. Your CA can service general enrollment requests. It is having trouble with the specific new payload signing feature we added post HF10 on SP4/SP5. All new feature, all new method of communicating. That is why the CA server's root certificate needs to be installed on the enrollment server now. Prior to these code levels it was not installed on the Enrollment server. Personally, that is where I believe the problem may lie.

Former Member

One more question: where/how does the CA server's root certificate have to be installed? Via MMC on the Afaria server, or via the Afaria application?

What CA version is needed? We run a 2008 R2 PKI.

Is there a document where these steps are described? Actually all other customers moving to SP5 would face this issue too.

Y.

tracy_barkley
Employee

The root certificate needs to be imported into the certificate store on the Enrollment server, which may or may not be the Afaria server, depending on your environment. This is done via MMC. The install of the Enrollment server will also have the CA cert specified. You already did this on install. The additional step of adding the root and intermediate (if needed) cert to the cert store is new.

CA version supported is listed here.  http://help.sap.com/Download/Multimedia/zip-afaria/SP5_System_Requirements.pdf

As for the steps, I took this from the HF 14 release notes. It is in the Sp5 documentation as well. Yes, every customer will face this, and I understand the difficulty, but this feature is implemented as a security feature and is very important as such:

iOS Signing requires that the Enrollment Server have the certificate chain (required root and intermediate certificates) installed on the server Local Computer certificate store for the CA configured for the Enrollment Server. If a new CA definition is added to your Afaria Server Configuration, please make sure to restart the iPhoneServer service to ensure the database is updated with the certificate information required for signing.

Tracy
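The step quoted from the HF14 release notes, as an added PowerShell example (not Afaria's own tooling and not code from the thread): it checks that the root and any intermediate certificates of the CA configured for the Enrollment Server are present in the Local Computer store, copies in the ones the chain engine can locate but that are missing there, and restarts the iPhone server service so the certificate information is reloaded. The CA certificate path and the service name 'iPhoneServer' are assumptions taken from the thread text; confirm the service name with Get-Service before running it with -Fix.

```powershell
# Added example, not from the thread or from Afaria: verify the CA chain in the
# Local Computer certificate store of the Enrollment Server, as the HF14 notes
# require for iOS payload signing.
# Assumptions: $CaCertPath is the CA certificate specified at Enrollment Server
# install; $ServiceName is the Afaria iPhone server service (check Get-Service).
param(
    [string]$CaCertPath  = 'C:\temp\afaria-ca.cer',
    [string]$ServiceName = 'iPhoneServer',
    [switch]$Fix
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# No revocation check here: the only question is whether every issuer up to a
# self-signed root is present in LocalMachine\CA (intermediates) or
# LocalMachine\Root (roots), the stores a service account reads.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($ca)

$missing = @()
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $present = Get-ChildItem "Cert:\LocalMachine\$storeName" |
        Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    if ($present) {
        Write-Host "OK       LocalMachine\$storeName  $($c.Subject)"
    } else {
        Write-Warning "MISSING  LocalMachine\$storeName  $($c.Subject)"
        $missing += New-Object PSObject -Property @{ Certificate = $c; Store = $storeName }
    }
}

# A partial chain means an issuer could not be located anywhere on this host;
# it has to be exported from the CA (certutil -ca.cert) and imported by hand.
if (-not $built) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "$($status.Status): $($status.StatusInformation.Trim())"
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Subject -ne $top.Issuer) {
        Write-Warning "Issuer '$($top.Issuer)' not found on this machine; export it from the CA and import it into LocalMachine\Root (or \CA for an intermediate)"
    }
}

if ($Fix -and $missing.Count -gt 0) {
    foreach ($m in $missing) {
        # The chain engine found these elsewhere (user store, AIA download);
        # copy them into the machine store the iPhone server service reads.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($m.Store, 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($m.Certificate)
        $store.Close()
        Write-Host "Imported $($m.Certificate.Subject) into LocalMachine\$($m.Store)"
    }
    # The release notes ask for a restart so the database picks up the
    # certificate information required for signing.
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Restart-Service -Name $ServiceName
        Write-Host "Restarted service $ServiceName"
    } else {
        Write-Warning "Service '$ServiceName' not found; restart the iPhone server service by hand"
    }
}
```

Run it once without -Fix from an elevated prompt on the Enrollment Server to see the report; writing to LocalMachine\Root requires administrator rights, and a chain that only builds because the root sits in the current user's store is exactly the case the service account would miss.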

Former Member

Hi!

Thanks for the info.

Since we run all our servers on one windows machine, the certificates were already on that machine.

We just double-checked that again.

How is the common name of the certificate used for iOS payload signing?

We found a certificate in the store which is called WMSvc-serverhostname and is not signed by the internal CA.

Could this point to our problem?

tracy_barkley
Employee

I haven't run into that scenario. We should be looking for the root cert of the CA specified in enrollment server install.

Former Member

We opened a ticket last week. Unfortunately, no response so far...

tracy_barkley
Employee

I don't see any outstanding incidents. What number is it? I will go find it.

Former Member

It took a while until it found its way into the system.
But now you should be able to find it: 1157396 / 2014

tracy_barkley
Employee

I am glad it made its way in. My excellent colleague in EMEA has it now, so I have every confidence we will get this fixed right up for you.

Tracy

former_member194958
Participant

Hi Tracy,

Did you find the issue? I have faced the same problem.

Thank you.

Best regards,

Olga

tracy_barkley
Employee

Olga,

There are a few causes for this. It depends on the error being thrown on the server/client. Check out the two following KBAs and see if either helps in this situation. https://i7p.wdf.sap.corp/sap/support/notes/2072565

https://i7p.wdf.sap.corp/sap/support/notes/2073302