
The server PKI digital certificate installed on the BES12 Server to support Consoles and BlackBerry Web Services authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.


Overview

Finding ID: V-68705
Version: BS12-3X-101100
Rule ID: SV-83195r2_rule
IA Controls:
Severity: Medium
Description
When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI. SFR ID: FIA
STIG: BlackBerry BES 12.5.x MDM Security Technical Implementation Guide
Date: 2017-06-05

Details

Check Text (C-69211r1_chk)
On the BES12, do the following:
1. Log on to the BES12 console and select the "Settings" tab at the top of the screen.
2. Expand the "Infrastructure" tab on the left pane.
3. Select "Server certificates".
4. In the SSL certificate for consoles and BlackBerry Web Services section, click "View details".
5. Verify the issuer's CN is from the DoD root Certificate Authority (CA).

If the PKI digital certificate installed on the BES12 Server to support consoles and BlackBerry Web Services authentication is not a DoD PKI issued certificate, this is a finding.
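The issuer check in step 5 can also be run against a PEM copy of the certificate outside the console. The script below is an added example, not part of the STIG or of BlackBerry's documentation; it assumes the OpenSSL command-line tool (1.1.0 or later) and a root bundle file supplied by the operator, and every certificate name in its demo PKI is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the STIG): classify a PEM server certificate as
# self-signed, chained to a trusted root bundle, or not trusted.

# Print the subject or issuer DN. $1 = PEM file, $2 = subject | issuer
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# $1 = server cert, $2 = trusted root bundle, $3 = optional intermediates (all PEM)
classify_cert() {
    cert=$1; roots=$2; inter=${3:-}
    # Subject equal to issuer: the certificate vouches for itself.
    if [ "$(cert_field "$cert" subject)" = "$(cert_field "$cert" issuer)" ]; then
        echo "FINDING: self-signed"
    # An issuer CN is only a label, so verify the signature chain instead.
    # -no-CApath keeps the system trust directory out of the decision.
    elif openssl verify -no-CApath -CAfile "$roots" ${inter:+-untrusted "$inter"} \
            "$cert" >/dev/null 2>&1; then
        echo "PASS: chains to trusted root"
    else
        echo "FINDING: issuer not in trusted root bundle"
    fi
}

# Build a constructed test PKI in directory $1: a root CA, a leaf it issued,
# and a self-signed leaf. All names are placeholders, not real DoD CAs.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bes12.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/issued.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=bes12.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}
```

A certificate held in a .pfx or .p12 file can be converted to PEM first with `openssl pkcs12 -in FILE -clcerts -nokeys -out server.pem`, and the root bundle passed as the second argument determines what counts as trusted.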
Fix Text (F-74827r1_fix)
NOTE: Before you begin, you must obtain an SSL certificate signed by the DoD root Certificate Authority (CA). BES12 supports certificates in the PFX format with either a .pfx or .p12 file name extension. If you configure high availability, you must obtain an SSL certificate that uses the name of the BES12 domain. You can find the BES12 domain name in the management console under Settings >> Infrastructure >> BES12 instances.

On the BES12, do the following:
1. Log on to the BES12 console and select the "Settings" tab at the top of the screen.
2. Expand the "Infrastructure" tab on the left pane.
3. Select "Server certificates".
4. In the SSL certificate for consoles and BlackBerry Web Services section, click "View details".
5. Click "Replace certificate".
6. Click "Browse".
7. Select the certificate file that you want to use.
8. Click "Open".
9. Type the encryption password.
10. Click "Replace".
11. Restart the BES12 Core service on all servers.