Check: BBDS-00-000325
Policy SRG:
BBDS-00-000325
(in version v1 r1)
Title
The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used. (Cat III impact)
Discussion
When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520.02 requires that PKI certificates come from a trusted DoD PKI.
Check Content
Steps to replace the self-signed certificate: Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Sockets Layer (SSL) certificate used by the BAS and the BWDM with a DoD PKI issued certificate. If a DoD PKI issued certificate was used during the installation of BlackBerry Device Service, this requirement has been met.

Task 1 - Retrieve your keystore password:
1. Log in to the BAS as an administrator with the Security Administrator role.
2. Click BlackBerry Solution topology -> BlackBerry Domain -> Component view -> BlackBerry Administration Service.
3. In the Security Settings, check the value for Default password to encrypt the web.keystore file, and note it.

Task 2 - Back up the web.keystore file:
1. Open a Windows Command prompt as an Administrator.
2. Type: copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD"
Note: Do not remove or rename the existing web.keystore file.

Task 3 - Delete the self-signed SSL certificate from inside the keystore file:
1. Open a Command prompt as an Administrator.
2. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>"
Note: The -storepass parameter must be the password you retrieved in Task 1. The quotes are required due to special characters.

Task 4 - Generate the BlackBerry Administration Service certificate key pair:
* Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" -dname "CN=<BAS Server or BAS Pool full name>, OU=BAS, O=Company, L=City, ST=ST, C=US"
Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048
STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, it will be necessary to clear out the keystore and start again from Task 1. This is especially important for environments with manual certificate request processes.

Task 5 - Generate a certificate request to the certification authority:
* Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>"
Note: If the -keyalg switch was used in Task 4 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048:
* "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>" -keyalg RSA -keysize 2048

Task 6 - Request the certificate from the certificate authority (CA):
Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task.
1. Log off the server as the BlackBerry Enterprise Server service account.
2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request.
3. Browse to the organization's certificate server using Windows Internet Explorer (for example: http://<certificate_server_name>/certsrv).
4. Click Request a certificate.
5. Click Advanced certificate request.
6. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
7. Paste the full contents of the certreq.csr file into the Saved Request field.
8. Choose Web Server from the Certificate Template drop-down list.
9. Click Submit.
10. Click Download certificate.
11. Save the file to c:\bascert.cer when prompted.
Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinate Certification Authority from the Certificate Template drop-down list instead of Web Server.

Task 7 - Download the CA certificate from the certificate authority:
1. Browse to the organization's certificate server using Windows Internet Explorer (for example: http://<certificate_server_name>/certsrv).
2. Click Download a CA certificate, certificate chain, or CRL.
3. Click Download CA certificate.
4. Save it as c:\certnewCA.cer.

Task 8 - Import the CA certificate into the BlackBerry Administration Service key store:
1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA).
2. Log onto the server as the BES service account.
3. Open a command prompt window as Administrator in the same manner as used in Task 2.
4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "<password>"
If the BlackBerry Administration Service certificate is issued by an Intermediate CA, repeat step 4 to import the certificate of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed. To import an Intermediate Certificate Authority certificate:
"c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "<password>"

Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store:
* In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "<password>"

Task 10 - Restart the BlackBerry Administration Service.

If the PKI digital certificate installed on the BlackBerry Device Service server to support BAS and BWDM authentication is not a DoD PKI issued certificate, this is a finding.
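A small audit helper, added here as an example (it is not part of this STIG check or of BlackBerry's tooling): it parses the output of `keytool -list -v` run against web.keystore and reports whether the httpssl entry is still self-signed (Owner equals Issuer) or is not chained to a DoD CA. The DoD issuer DN fragment, the sample keytool output and the placeholder CA names are constructed assumptions.

```python
"""Audit helper for this check: flag a BAS 'httpssl' keystore entry that is self-signed
or not chained to a DoD CA. Added example, not from the STIG. Input is the text of
`keytool -list -v -keystore web.keystore -storepass <password>`, run on the BDS server."""
# Assumed DN fragment common to DoD CA certificates; adjust to your PKI naming.
DOD_ISSUER_MARKER = "OU=DoD, O=U.S. Government"

def parse_keytool_list(text):
    """Map alias -> {"owner", "issuer"} of each entry's own (leaf) certificate.
    keytool prints one block per 'Alias name:'; the first Owner:/Issuer: pair
    after it belongs to Certificate[1], the entry's own certificate."""
    entries, alias = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {}
        elif alias is not None:
            for key in ("owner", "issuer"):
                if line.lower().startswith(key + ":") and key not in entries[alias]:
                    entries[alias][key] = line.split(":", 1)[1].strip()
    return entries

def check_bas_certificate(text, alias="httpssl"):
    """Return {'present', 'self_signed', 'dod_issued', 'finding'}; finding=True fails."""
    entry = parse_keytool_list(text).get(alias, {})
    if "owner" not in entry or "issuer" not in entry:   # no such entry: cannot pass
        return {"present": False, "self_signed": None, "dod_issued": None, "finding": True}
    self_signed = entry["owner"] == entry["issuer"]      # Owner == Issuer => self-signed
    dod_issued = DOD_ISSUER_MARKER in entry["issuer"]    # issued by a DoD CA?
    return {"present": True, "self_signed": self_signed,
            "dod_issued": dod_issued, "finding": self_signed or not dod_issued}

# Constructed sample: the default self-signed entry (Owner and Issuer identical).
SELF_SIGNED_SAMPLE = """\
Alias name: httpssl
Owner: CN=bas01.example.mil, OU=BAS, O=Company, L=City, ST=ST, C=US
Issuer: CN=bas01.example.mil, OU=BAS, O=Company, L=City, ST=ST, C=US
"""

# Constructed sample after Tasks 4-9: leaf issued by an (assumed, placeholder) DoD CA.
DOD_ISSUED_SAMPLE = """\
Alias name: httpssl
Certificate[1]:
Owner: CN=bas01.example.mil, OU=BAS, O=Company, L=City, ST=ST, C=US
Issuer: CN=DOD SW CA-PLACEHOLDER, OU=PKI, OU=DoD, O=U.S. Government, C=US
Certificate[2]:
Owner: CN=DOD SW CA-PLACEHOLDER, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Root CA PLACEHOLDER, OU=PKI, OU=DoD, O=U.S. Government, C=US
"""
```

Run `check_bas_certificate(open("keytool-list.txt").read())` on the captured keytool output; a result with `finding` set to True corresponds to the finding condition stated above.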
Fix Text
Use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication.
Additional Identifiers
Rule ID:
Vulnerability ID: BBDS-00-000325
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001159 | The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider.
Controls
Number | Title
---|---
SC-17 | Public Key Infrastructure Certificates