UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The server PKI digital certificate installed on the BES to support BAS and BWDM authentication will be a DoD PKI issued certificate. A self signed certificate will not be used.


Overview

Finding ID Version Rule ID IA Controls Severity
V-25548 WIR1355-03 SV-31764r1_rule IATS-1 Low
Description
When a self signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.
STIG Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide 2011-07-14

Details

Check Text ( C-32097r1_chk )
Verify that a DoD server certificate has been installed on the BES and that the self signed certifacate, available as an option during the setup of the BES, has not been installed.

Ask the BlackBerry Administrator to access the BAS login console using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select “view certificates.” On the General tab, verify that the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g. DoD Root CA 2) and the certificate status field states “This certificate is OK.”

Remediation: If a certificate error occurs either the default self-signed certificate is still installed, the BlackBerry Enterprise Server has not been rebooted since the DoD issued certificate has been installed, or the computer accessing the BAS does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the BlackBerry Administrator to run InstallRoot on the computer accessing the BAS. Otherwise, have the BlackBerry Administrator follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.
Fix Text (F-28492r1_fix)
Use a DoD issued digital certificate on the BES to support BAS and BWDM authentication.