Check: BEMS-03-014300
BlackBerry Enterprise Mobility Server 3.x STIG:
BEMS-03-014300
(in versions v1 r2 through v1 r1)
Title
If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DOD approved certificates. (Cat II impact)
Discussion
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
Check Content
This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS.

Verify SSL is enabled for the BlackBerry Connect service and a DOD certificate is used as follows:

1. Browse to the FQDN of the BEMS Connect server(s) on port 8082.
2. Click on the SSL certificate to verify it has been issued by the DOD CA.
3. Repeat steps 1 and 2 for each BEMS server that has the Connect service added to it.

If SSL is not enabled for BlackBerry Connect and if the SSL certificate is not a DOD CA issued certificate, this is a finding.
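An added script (not BlackBerry's or DISA's code) that automates steps 1 to 3 from an assessor's workstation: it TLS-connects to each Connect server on port 8082, treats a failed or plaintext handshake as a finding, and requires the server certificate to chain to a DOD CA bundle rather than to the workstation's default trust store. The bundle path, the approved issuer organization name and the sample certificate are assumptions or constructed values.

```python
"""Added check automation for BEMS-03-014300 (not BlackBerry or DISA code): TLS-connect
to each BEMS Connect server on 8082 and require a cert chaining to a DOD CA bundle."""
import socket
import ssl
import sys
import time

CONNECT_PORT = 8082                              # port named in the check text
DOD_CA_BUNDLE = "/path/to/dod-ca-bundle.pem"     # PLACEHOLDER: PEM of DOD root/intermediate CAs
APPROVED_ISSUER_ORGS = {"U.S. Government"}       # assumed issuer O= value; adjust to your PKI

def evaluate_cert(cert, approved_orgs, now=None):
    """Judge a dict in ssl.SSLSocket.getpeercert() shape: issuer organization must be
    approved and the certificate must not be expired (chain trust is checked earlier)."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    org = issuer.get("organizationName", "")
    if org not in approved_orgs:
        return "FINDING", f"issuer organization {org!r} is not DOD-approved"
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "FINDING", f"certificate expired on {cert['notAfter']}"
    return "PASS", f"issued by {issuer.get('commonName', '?')} ({org})"

def check_server(host, port=CONNECT_PORT, cafile=DOD_CA_BUNDLE, timeout=5.0):
    """Steps 1-2 of the check. Returns (status, detail), status PASS/FINDING/ERROR."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the DOD bundle
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:      # chain does not end in the bundle
        return "FINDING", f"certificate not issued by a DOD CA: {exc.verify_message}"
    except ssl.SSLError as exc:                      # plaintext or broken TLS on 8082
        return "FINDING", f"SSL not enabled or handshake failed: {exc}"
    except OSError as exc:
        return "ERROR", f"could not connect: {exc}"
    return evaluate_cert(cert, APPROVED_ISSUER_ORGS)

SAMPLE_CERT = {  # constructed sample in getpeercert() format, not a real certificate
    "subject": ((("commonName", "bems-connect01.example.mil"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
               (("organizationalUnitName", "DoD"),), (("commonName", "DOD EXAMPLE CA-1"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT", "notAfter": "Jan 10 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for host in sys.argv[1:]:                        # step 3: repeat per Connect server
        status, detail = check_server(host)
        print(f"{host}:{CONNECT_PORT} {status} - {detail}")
```

Run it with one Connect server FQDN per argument; a FINDING line for any server is the result the check text describes.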
Fix Text
Configure BlackBerry Connect to enable SSL with a DOD certificate.

1. Submit a CSR request to the DOD CA.
2. In BEMS, select "SSL Certificate".
3. Select "Choose File", select the new SSL certificate, and type the "Password".
4. Configure BlackBerry Connect to send the request over SSL (see page 20 of the BEMS Configuring the BlackBerry Connect Service document).
5. Configure Connect to use SSL with BlackBerry Proxy (see page 20 of the BEMS Configuring the BlackBerry Connect Service document).
Additional Identifiers
Rule ID: SV-254724r879887_rule
Vulnerability ID: V-254724
Group Title: SRG-APP-000516-AS-000237
CCIs
| Number | Definition |
|---|---|
| CCI-001453 | The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
Controls
| Number | Title |
|---|---|
| AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption |