Port3101.org : Your BES Connection



BES 5.0 - Installing an SSL Certificate for BAS/WDM
 
  #1 (permalink)  
Old 05-25-2009, 06:34 PM
Otto's Avatar
Proprietor
 
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,033
Blog Entries: 14
Default BES 5.0 - Installing an SSL Certificate for BAS/WDM

RIM's documentation (also on page 221 in the Admin Guide):
Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager

BBF member pmyersuk's information:
Nondefault SSL Certificate Installation on BB Administration Service - BlackBerryForums.com : Your Number One BlackBerry Community

Below are the CORRECT instructions for installing an SSL certificate from a Certificate Authority (internal or external) where an intermediate certificate needs to be installed. Unfortunately, RIM left out a fairly important note in their instructions with regard to the alias names used in their examples.

As I've been pulling my hair out and cursing a few people in the Northern Country all morning, I figured I'd document this and share with the group.
  1. On the computer that hosts the BlackBerry Administration Service, in <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin, rename the web.keystore file to web.keystore.bak.
  2. Update the cacerts key store password by performing the following actions:
  3. Click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
  4. On the Administration Service - Cacerts keystore tab, type and confirm the new password for the key store.
  5. Click Apply.
  6. Click OK.
  7. Update the web key store password by performing the following actions (see note at the end for an alternate method):
  8. Open the Registry Editor (Start > Run > regedit.exe)
  9. Navigate to HKCU\Software\Research In Motion\BlackBerry Enterprise Server\Administration Service\Key Store
  10. Double-click on WebKeyStorePass and update the value to the new password you want to set
  11. Restart the BlackBerry Administration Service services
  12. Using the keytool in <drive>:\Program Files\Java\<JRE_version>\bin and the password that you updated in step 2, generate a new web.keystore file and private key (for example, keytool -genkey -alias <alias_name> -keypass <password> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"). When the key tool prompts you for the first name and last name, type the FQDN of the computer that hosts the BlackBerry Administration Service. For alias name, use something descriptive, such as the FQDN of the BAS pool name or the service type (for example, -alias httpssl)
  13. If you want to use a trusted certificate, using the keytool, import the root certificate of the certificate authority (for example, keytool -import -alias <alias1_name> -file <root_certificate_file>.cer -trustcacerts -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"). The alias name used in this step must be different than the one created in Step 12 (for example, -alias root).
  14. Using the keytool, generate a certificate signing request (for example, keytool -certreq -alias <alias_name> -file <certreq_filename>.csr -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"). The alias name used in this step must be the same as the one created in Step 12 (for example, -alias httpssl).
  15. Send the certificate signing request to a certificate authority so that the certificate authority can create the certificate.
  16. When the certificate authority returns the certificate, copy it into a text file and save it with a .cer extension.
  17. Using the keytool, import the certificate to the web.keystore file (for example, keytool -import -alias <alias_name> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -file "<certificate_filename>.cer"). The alias name used in this step must be the same as the one created in Step 12 (for example, -alias httpssl).
  18. In the Windows® Services, restart the BlackBerry Administration Service services.
* Note: You can use webGenKey.bat to change/update the web key store password (for example, webGenKey.bat "<drive>:\Program Files\Java\<JRE_version>" "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" <newKeyStorePassword> <FQDN_of_BAS>).

I currently have a case open with RIM with the request for an update to the documentation, so perhaps someone will realize that people who have never performed this process won't be able to complete it and the documentation will be corrected.
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.
Reply With Quote
  #2 (permalink)  
Old 11-02-2009, 01:10 PM
BES Administrator
 
Join Date: Jan 2009
Location: Chicago
Posts: 44
Default

For those who have multiple BAS with a single DNS name but just want to use a self-signed certificate, it is a fairly simple process, which took me a while to figure out:

C:\PROGRA~2\Java\jre1.6.0_07\bin>keytool -genkey -alias bbadmin.company.com -keypass mypassword -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: bbadmin.company.com
What is the name of your organizational unit?
[Unknown]: bbadmin.company.com
What is the name of your organization?
[Unknown]: bbadmin.company.com
What is the name of your City or Locality?
[Unknown]: Chicago
What is the name of your State or Province?
[Unknown]: Illinois
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=bbadmin.company.com, OU=bbadmin.company.com, O=bbadmin.company.com, L=Chicago, ST=Illinois, C=US correct?
[no]: yes


C:\PROGRA~2\Java\jre1.6.0_07\bin>keytool -selfcert -alias bbadmin.company.com -keypass mypassword -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
Enter keystore password:

C:\PROGRA~2\Java\jre1.6.0_07\bin>

Done!
Reply With Quote
  #3 (permalink)  
Old 11-02-2009, 02:43 PM
BES Addict
 
Join Date: Feb 2009
Location: Toronto
Posts: 69
Default Speaking of BES & SSL.... Wildcard Certs

Hi Everybody,

Anyone know if it's possible to set up BAS/WDS with a wildcard cert?

Much appreciated!
Reply With Quote
  #4 (permalink)  
Old 11-04-2009, 12:36 AM
Otto's Avatar
Proprietor
 
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,033
Blog Entries: 14
Default

In all honesty, if you look at my instructions, skip steps 14 and 15. Let us know if that works. I don't see why it wouldn't. I'll be in the same boat sooner than later (as soon as we ink our deal with VeriSign).
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.
Reply With Quote
  #5 (permalink)  
Old 01-11-2010, 03:51 PM
RadHaz75's Avatar
BES Expert
 
Join Date: May 2009
Location: Philadelphia, PA
Posts: 98
Default

What's the point of steps 1-10? I already know what my key store pass is because I'm the one that created it.
__________________
Two months ago, I saw a provocative movie on cable TV. It was called The Net, with that girl from the bus.
Reply With Quote
  #6 (permalink)  
Old 01-11-2010, 05:31 PM
RadHaz75's Avatar
BES Expert
 
Join Date: May 2009
Location: Philadelphia, PA
Posts: 98
Default

Also, if you have multiple BAS, do you need to do this on each BAS or just 1?
__________________
Two months ago, I saw a provocative movie on cable TV. It was called The Net, with that girl from the bus.
Reply With Quote
  #7 (permalink)  
Old 05-28-2010, 04:45 PM
BES Addict
 
Join Date: Feb 2009
Location: Toronto
Posts: 69
Default Finally SSL is working with an external wildcard cert

It took me 2 days but I finally figured it out.

First my platform:
2 Node BES 5 SP1 MR2 HA
OS W2k8 SP2 x64
Load balancing - via DNS Round Robin.

My biggest problem is just about all documentation everywhere mentioned to (re)set the keystore password. When I did and restarted the BAS services the BAS-AS.exe process would not fully start. It normally consumes ~400-500 MB, but after resetting the keystore password (and making no other changes) it would consume ~16MB after service restart... weird... anyone know if this is a bug? Issue? Etc?

Regardless, here's how I set up my wildcard certs. First off, the keystore app is icky. I found a Java applet called Portecle (Portecle: Home) which allows you to manage Java keystores via a GUI. NOTE: when running on W2k8 I needed to launch it via a command prompt with administrator privileges and using the following command:
C:\Program Files (x86)\Java\jre1.6.0_15\bin>java.exe -hotspot -jar "D:\portecle-1.5\portecle.jar"

Here's what you need to do:
  1. Launch Portecle
  2. Open web.keystore
  3. Import any root/intermediate certs that you need by using Tools->Import Trusted Certificate
  4. Delete the SSL cert pair with an alias of "httpssl"
  5. Import your wildcard cert using Tools->Import Key Pair - IMPORTANT - on import you will be prompted for an alias; set it to "httpssl" (lower case, no quotes)
  6. Restart your BAS services & wait for BAS-AS.exe to consume about 400 MB
  7. Connect to your BAS site via HTTPS/SSL and enjoy

Remember the important tidbits:
  • Launch Portecle as an admin on Windows 2008, otherwise you will not be able to save the web.keystore file
  • Import your wildcard cert with an alias of lowercase httpssl

Hope this helps and saves others the frustration I went through. Sorry I don't have time to post pretty pics, etc., but if you have questions, post and I'll do my best to answer.

Regards,
Z
Reply With Quote
  #8 (permalink)  
Old 05-28-2010, 04:46 PM
BES Addict
 
Join Date: Feb 2009
Location: Toronto
Posts: 69
Default One more thing..

After you finish your primary node, copy the keystore to the secondary and enjoy
Reply With Quote
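
Added example, not part of any post in this thread: a Python check over `keytool -list -v` output for the alias mix-up that post #1 warns about (steps 12, 14 and 17 must share one alias) and for the lowercase httpssl alias that post #7 relies on. The sample listing, the host name bas.example.com and the alias mycert are constructed, and the code assumes the Java 6 keytool entry-type labels PrivateKeyEntry and trustedCertEntry.

```python
# Constructed `keytool -list -v` excerpt (not output from the thread): the CA reply
# was imported under a new alias ("mycert") instead of the key pair's alias.
SAMPLE_BAD = """\
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=bas.example.com, O=Example
Issuer: CN=bas.example.com, O=Example
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: mycert
Entry type: trustedCertEntry
Owner: CN=bas.example.com, O=Example
Issuer: CN=Example Root CA
"""

def parse_entries(listing):
    """Map alias -> entry type, chain length, and first (leaf) Owner/Issuer."""
    entries, cur = {}, None
    for line in listing.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Alias name":
            cur = entries.setdefault(val.lower(), {"chain": 0})
        elif cur is not None and key == "Entry type":
            cur["type"] = val
        elif cur is not None and key == "Certificate chain length":
            cur["chain"] = int(val)
        elif cur is not None and key in ("Owner", "Issuer"):
            cur.setdefault(key.lower(), val)  # keep the leaf, ignore chain parents
    return entries

def check_keystore(listing, alias="httpssl"):
    """Return a list of problems with the key-pair alias; empty means it looks right."""
    entries = parse_entries(listing)
    entry = entries.get(alias.lower())
    if entry is None:
        return [f"alias {alias} not found"]
    problems = []
    if entry.get("type") != "PrivateKeyEntry":
        problems.append(f"{alias} is {entry.get('type')}, so it holds no private key")
    elif entry.get("owner") == entry.get("issuer"):
        problems.append(f"{alias} is still self-signed; the CA reply was not imported under it")
    for name, other in entries.items():
        if other is not entry and other.get("type") == "trustedCertEntry" \
                and other.get("owner") == entry.get("owner"):
            problems.append(f"server certificate sits under {name} as a trusted cert only")
    return problems
```

Pass it the text printed by keytool -list -v for web.keystore before restarting the services. A deliberately self-signed setup such as the one in post #2 is reported as self-signed by design.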
All times are GMT -4.