The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-48593	BBDS-00-000325	SV-61469r1_rule		Low

Description
When a self signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.

STIG	Date
BlackBerry Enterprise Service v10.2.x BlackBerry Device Service STIG	2015-07-23

Details

Check Text ( C-50919r1_chk )
Examine the server configuration to determine if a DoD PKI issued certificate has been installed. Otherwise, this is a finding.

Fix Text (F-52199r1_fix)
Configure the Blackberry Device Service server to use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication. Open Internet Explorer, and navigate to BlackBerry Administration Service. Click on the Lock icon located to the right of the Address bar (or click "Certificate error", if the certificate is untrusted) and select "View certificates" Ensure the certificate is issued by a valid DoD CA. Steps to replace self-signed, or non-DoD certificate: Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Socket Layer (SSL) certificate used by the BAS and the BWDM with a custom certificate (such as, one from VeriSign or from a Windows certificate authority). Task 1 - Retrieve your web.keystore password: 1. Login to the BAS as an administrator with Security Administrator role. 2. Under "BlackBerry Solution topology" on the left side, navigate to "BlackBerry Domain > Component view > BlackBerry Administration Service". 3. In the "Security settings", check the value for "Default password to encrypt the web.keystore file" and note it. Task 2 - Back up the web.keystore file: 1. Open a Windows Command prompt as an Administrator. 2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD" Note: Do not remove or rename the existing web.keystore file. Task 3 - Delete the self-signed SSL certificate from inside the web.keystore file: 1. Open a Command prompt as an Administrator. 2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "" Note: The -storepass parameter must be the password you retrieved from step 1. The quotes are required due to special characters. Task 4 - Generate the BlackBerry Administration Service certificate key pair: * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "" -dname "CN=, OU=BAS, O=Company, L=City, ST=ST, C=US" Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048 STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, then it will be necessary to clear out the key store and start again from Task 1. This is especially important to note for environments with manual certificate request processes. Task 5 - Generate a certificate request to the certification authority: * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "" Note: If the -keyalg switch was used in Task 3 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch. e.g. -keyalg RSA -keysize 2048 * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "" -keyalg RSA -keysize 2048. Task 6 - Request the certificate from the certificate authority (CA): Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task. 1. Log off the server as the BlackBerry Enterprise Server service account. 2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request. 3. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http:///certsrv) 4. Click "Request a certificate". 5. Click "Advanced certificate request". 6. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file", or "submit a renewal request by using a base-64-encoded PKCS#7 file". 7. Paste the full contents of the certreq.csr file into the "Saved Request" field. 8. Choose "Web Server" from the "Certificate Template" drop-down list. 9. Click "Submit". 10. Click "Download certificate". 11. Save the file to c:\bascert.cer when prompted. Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinates Certification Authority from the Certificate Template drop-down list instead of Web Server. Task 7 - Download the CA certificate from the certificate authority: 1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http:///certsrv) 2. Click "Download a CA certificate, certificate chain, or CRL". 3. Click "Download CA certificate". Save it as c:\certnewCA.cer. Task 8 - Import the CA certificate into the BlackBerry Administration Service key store: 1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA). 2. Log onto the server as BES service account. 3. Open a command prompt window as Administrator in the same manner as used in Task 2. 4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "" If the BlackBerry Administration Service certificate is issued by an Intermediate CA, perform step 4 to import certificates of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed. To import an Intermediate Certificate Authority certificate: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "" Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store: * In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "" Task 10 - Restart the BlackBerry Administration Service.

Fix Text (F-52199r1_fix)

Configure the Blackberry Device Service server to use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication.

Open Internet Explorer, and navigate to BlackBerry Administration Service. Click on the Lock icon located to the right of the Address bar (or click "Certificate error", if the certificate is untrusted) and select "View certificates" Ensure the certificate is issued by a valid DoD CA.

Steps to replace self-signed, or non-DoD certificate:
Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Socket Layer (SSL) certificate used by the BAS and the BWDM with a custom certificate (such as, one from VeriSign or from a Windows certificate authority).

Task 1 - Retrieve your web.keystore password:
1. Login to the BAS as an administrator with Security Administrator role.
2. Under "BlackBerry Solution topology" on the left side, navigate to "BlackBerry Domain > Component view > BlackBerry Administration Service".
3. In the "Security settings", check the value for "Default password to encrypt the web.keystore file" and note it.

Task 2 - Back up the web.keystore file:
1. Open a Windows Command prompt as an Administrator.
2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD"
Note: Do not remove or rename the existing web.keystore file.

Task 3 - Delete the self-signed SSL certificate from inside the web.keystore file:
1. Open a Command prompt as an Administrator.
2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass ""
Note: The -storepass parameter must be the password you retrieved from step 1. The quotes are required due to special characters.

Task 4 - Generate the BlackBerry Administration Service certificate key pair:
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "" -dname "CN=, OU=BAS, O=Company, L=City, ST=ST, C=US"

Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048
STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, then it will be necessary to clear out the key store and start again from Task 1. This is especially important to note for environments with manual certificate request processes.

Task 5 - Generate a certificate request to the certification authority:
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass ""
Note: If the -keyalg switch was used in Task 3 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch. e.g. -keyalg RSA -keysize 2048
* Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "" -keyalg RSA -keysize 2048.

Task 6 - Request the certificate from the certificate authority (CA):
Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task.
1. Log off the server as the BlackBerry Enterprise Server service account.
2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request.
3. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http:///certsrv)
4. Click "Request a certificate".
5. Click "Advanced certificate request".
6. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file", or "submit a renewal request by using a base-64-encoded PKCS#7 file".
7. Paste the full contents of the certreq.csr file into the "Saved Request" field.
8. Choose "Web Server" from the "Certificate Template" drop-down list.
9. Click "Submit".
10. Click "Download certificate".
11. Save the file to c:\bascert.cer when prompted.
Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinates Certification Authority from the Certificate Template drop-down list instead of Web Server.

Task 7 - Download the CA certificate from the certificate authority:
1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http:///certsrv)
2. Click "Download a CA certificate, certificate chain, or CRL".
3. Click "Download CA certificate". Save it as c:\certnewCA.cer.

Task 8 - Import the CA certificate into the BlackBerry Administration Service key store:
1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA).
2. Log onto the server as BES service account.
3. Open a command prompt window as Administrator in the same manner as used in Task 2.
4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass ""
If the BlackBerry Administration Service certificate is issued by an Intermediate CA, perform step 4 to import certificates of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed.

To import an Intermediate Certificate Authority certificate: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass ""

Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store:
* In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass ""

Task 10 - Restart the BlackBerry Administration Service.