The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19201	WIR1315-03	SV-21090r3_rule	ECSC-1	Low

Description
Only authorized servers should be able to push content to Blackberry devices.

STIG	Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide	2011-04-11

Details

Check Text ( C-23137r2_chk )
Verify that the site has configured the BES to require trusted connections to Push enclave application or web servers, using the following procedure: For BES 5.0 - On the BAS, go to Servers and components > BlackBerry Solution topology > BlackBerry Domain > MDS Connection Service. -Click Edit components. -Click the HTTPS tab. -Verify Allow untrusted servers is set to “No.” -Click the TLS tab. -Verify Allow untrusted servers is set to “No.” For BES 4.1.x - In the BlackBerry Manager, click the BlackBerry MDS Connection Service in the left pane. - On the Connection Service tab, click Edit Properties. - Click TLS/HTTPS. - Verify Allow Untrusted HTTPS Connections is set to False. - Verify Allow Untrusted TLS Connections is set to False. Mark as a finding if any of these settings are not correct Verify a keystore file has been set up (webserver.keystore) at the following location on the BES: :\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver. Look for the keystore file. - Mark as a finding if the keystore file is not found.

Check Text ( C-23137r2_chk )

Verify that the site has configured the BES to require trusted connections to Push enclave application or web servers, using the following procedure:

For BES 5.0
- On the BAS, go to Servers and components > BlackBerry Solution topology > BlackBerry Domain > MDS Connection Service.
-Click Edit components.
-Click the HTTPS tab.
-Verify Allow untrusted servers is set to “No.”
-Click the TLS tab.
-Verify Allow untrusted servers is set to “No.”

For BES 4.1.x
- In the BlackBerry Manager, click the BlackBerry MDS Connection Service in the left pane.
- On the Connection Service tab, click Edit Properties.
- Click TLS/HTTPS.
- Verify Allow Untrusted HTTPS Connections is set to False.
- Verify Allow Untrusted TLS Connections is set to False.

Mark as a finding if any of these settings are not correct

Verify a keystore file has been set up (webserver.keystore) at the following location on the BES: :\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver. Look for the keystore file.
- Mark as a finding if the keystore file is not found.

Fix Text (F-23374r1_fix)
The BES must be configured to accept only trusted connections to back-office enclave application or web push servers.