KB05539 - Unable to connect to BlackBerry MDS Services using HTTPS

Environment

• BlackBerry® Enterprise Server software version 4.1 Service Pack 2 (4.1.2) to Service Pack 6 (4.1.6)
• BlackBerry® Mobile Data System (BlackBerry MDS)
• IBM® Lotus® Domino®
• Microsoft® Exchange
• SDR100044

---

Overview

In BlackBerry Manager, you are unable to connect to the BlackBerry MDS Services using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).
The BlackBerry Manager (MNGR) file displays the following:
[20000] (09/18 14:42:40.678):{0x1EE8} CMDSAGView: Bad hResult, -2147467261 - Object reference not set to an instance of an object., from AG web service call MDSAGAdminMgmt(testWsAccess - getServerStatus. Asking user to get SSL certificate.)

[30000] (09/18 14:42:44.100):{0x2758} Bad hResult 0x80004003, at mdsagview.cpp line 376, from AG call CMDSAGView::PrepareData - getServerStatus, source - MDSAGAdminMgmt, error - Object reference not set to an instance of an object.

[40000] (09/18 14:42:46.350):{0x1A38} [rimdevicemanagementimpl::ThreadProc] Destroying RIMDeviceMonitor

---

Cause

The following are possible causes for this problem:

1. The default.jks key store does not contain the fully qualified domain name (FQDN) of the BlackBerry MDS Services for the Apache Tomcat™ alias.
2. A proxy server is preventing access to http://<FQDN>:7443/mdss and allowing access to http://<NETBIOS>:7443/mdss.
3. The computer hosting BlackBerry Enterprise Server software version 4.1.2 has multiple hard drives and the JKS file was installed on an incorrect drive.

---

Resolution

Complete the appropriate resolution or workaround for the cause.
Cause 1
The default.jks (server.key) key store does not contain the FQDN of the BlackBerry MDS Services for the Apache Tomcat alias.
Note: For BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) and later, server.key replaces the default.jks key store.
The server.key key store is located in the following directory:
<installation directory>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDSS\config\security\
Resolution 1

1. Browse to the following directory from a command prompt: <installation directory>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDSS\bin
2. Type the following command (do not include quotes or parentheses): >jks-generate.bat <KEYSTORE_PASSWORD> <FQDN>
   where <KEYSTORE_PASSWORD> is the keystore password, which by default is changeme, and <FQDN> is the FQDN of the BlackBerry Enterprise Server BlackBerry MDS Services host, e.g., blackberry.testnet.com
3. If BlackBerry Manager is open, close it.
4. In Microsoft® Internet Explorer®, select Tools > Internet Options.
5. On the Content tab, select Certificates.
6. Click Trusted Root Certification Authorities.
7. Look for any certificates that resemble the computer name or FQDN of the BlackBerry Enterprise Server, or that reference MDS Services.
8. Remove those certificates.
9. Restart the BlackBerry MDS Services Apache Tomcat service.
10. Open BlackBerry Manager and install the certificate.

---

Cause 2
A proxy server is preventing access to http://<FQDN>:7443/mdss, and allowing access to http://>:7443/mdss.
For example, you cannot connect using http://computer_name.domain.com:7443/mdss but you can connect using http://computer_name:7443/mdss
Note: The BlackBerry Enterprise Server uses Microsoft Internet Explorer components to access the MDSS page. A proxy server could be blocking access to the site.
Workaround
Disable the proxy server.
Note: If a proxy server is required, correct the proxy configuration to let Microsoft Internet Explorer connect back to itself.
To disable the proxy server, from Microsoft Internet Explorer perform the following steps:

1. Click on Tools > Internet Options
2. Select the Connections tab and click LAN Settings.
3. Clear the options in the LAN Settings section.

---

Cause 3
The computer hosting BlackBerry Enterprise Server software version 4.1.2 has multiple hard disks. The BlackBerry Enterprise Server software was not installed on the default hard disk, but the setup program installed a JKS file used by the BlackBerry MDS Services to accept Secure Sockets Layer (SSL) certificates, in the default drive.
Resolution 3
This is a previously reported issue that has been escalated internally to our development team. No resolution time frame is currently available.
Workaround

1. Search for the default.jks (server.key) file in the default disk (for example, C:\) of the computer hosting the BlackBerry Enterprise Server.
2. Copy and paste the file into the following directory: :\<installation_directory>\BlackBerry Enterprise Server\MDSS\config\security

---

Additional Information

If you cannot import the certificate using BlackBerry Manager, import it using Microsoft Internet Explorer. To do this, open Microsoft Internet Explorer and type https://computer_name.domain.com:7443/mds. You should be prompted for the BlackBerry MDS Services administration account user name and password. Type the account name and password as specified during the BlackBerry MDS Services installation. You can also locate the user name and password in the BlackBerry Configuration Database.
Note: You will only be able to access the BlackBerry MDS Services using the HTTPS link in BlackBerry Manager once you can successfully connect to the BlackBerry MDS Services using the HTTPS link in Microsoft Internet Explorer without being prompted to install a certificate.

updated.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

I cannot log into https://:/mds-admin
I can log into http://:8080 and get the mds welcome screen
I have checked the following all to no avail
KB12235
KB05539
When I try and start the MDS Integration it just starts runs a few seconds then restarts one minute afterwards continuosly (sp)
I have serached and search and it seems everyone points to KB05539 which does not help me at all
I have looked inside the server.key and it indeed shows my
any hints or ideas are welcome
I also noted that many people that asked this same question have had the threads simply die and no hey that worked for me etc added.
I do not have a proxy server nor more than one hard drive on the BES as well
only oddity I see is the has a name-name which I understand is legal characters to use
Anyway thanks in advance to all who have helped

SkyPilot 9530 Bell

what do the MDS-IS logs show for errors?

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

CMDSAGView: Bad hResult, -2147467261 - Object reference not set to an instance of an object., from AG web service call MDSAGAdminMgmt(testWsAccess - getServerStatus. Asking user to get SSL certificate.)
that is the error I last got
I am not sure if this is from the MDS-IS log or not
what specifics could I provide?
thanks again

Can you post more data from the MDS-IS log? Do you have an app that you're integrating back-end data to?

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

Yes I will gather that and post it which log exactly are you looking for none have the name MDS-IS

Do you have logs with prefixes MDSS?

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

That said ... are you using any apps integrated with MDSS?

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

Yes I do
these files are quite large is there a particular area I should look at and copy here?
Sorry for the delay getting back with you

The reason I am going through all this is I need to have MDS as I am installing a new ap from flow finity that uses MDS services so i need to get it working
but till now have not had the need
Tom

Look at the logs matching the times when you attempt to start up the service and then the following few minutes where it dies ... those lines in particular.

Are you sure the flowfinity app requires MDSS? Just want to make sure as I've used apps with them before and never used MDSS only MDS-CS.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

That is a good point to ponder
Am I able to run the mds-cs without the mds integration?
seems that the mds integration is where the communication would be
also upon reading the documentaion from flow finity it states "MDS Connection Service is the only component required for flow finity applications"

MDS-CS and MDSS are two very different things.
MDS-CS does not require MDSS to function.

Sounds like you only need MDS-CS for your applications.

__________________

Yup, you only need MDS-CS. Like 99.9% of everyone else I've ever spoken to about MDSS/MDS-IS you don't need it. MDSS/MDS-IS is a totally separate function of BES that does integration with back-end applications. If you need to simply access the app from the HH you just need MDS-CS ... which is what does the connection.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.