From BlackBerry BES 12.5.x MDM Security Technical Implementation Guide
Part of PP-MDM-991000
Associated with: CCI-000366
When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI.
On the BES12, do the following:
1. Log on to the BES12 console and select the "Settings" tab at the top of the screen.
2. Expand the Infrastructure tab on the left pane.
3. Select Server certificates.
4. In the SSL certificate for consoles and BlackBerry Web Services, click "View details".
5. Verify the issuer's CN is from the DoD root Certificate Authority (CA).

If the PKI digital certificate installed on the BES12 Server to support consoles and BlackBerry Web Services authentication is not a DoD PKI issued certificate, this is a finding.
NOTE: Before you begin, you must obtain an SSL certificate signed by the DoD root Certificate Authority (CA). BES12 supports certificates in the PFX format with either a .pfx or .p12 file name extension. If you configure high availability, you must obtain an SSL certificate that uses the name of the BES12 domain. You can find the BES12 domain name in the management console under Settings >> Infrastructure >> BES12 instances.

On the BES12, do the following:
1. Log on to the BES12 console and select the "Settings" tab at the top of the screen.
2. Expand the "Infrastructure" tab on the left pane.
3. Select "Server certificates".
4. In the SSL certificate for consoles and BlackBerry Web Services section, click "View details".
5. Click "Replace certificate".
6. Click "Browse".
7. Select the certificate file that you want to use.
8. Click "Open".
9. Type the encryption password.
10. Click "Replace".
11. Restart the BES12 Core service on all servers.
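The issuer check from the procedure above can also be run against the PFX file before it is uploaded. The script below is an added example, not part of the STIG or of BlackBerry's tooling. It assumes a Windows host with the PKI module and the DoD root already in the machine trust store; the parameter names and the default root-subject pattern are assumptions to adjust for your site.

```powershell
# Added example: pre-upload issuer check for the PFX destined for the BES12 console.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    # Assumption: wildcard pattern for the subject of the DoD root CA your site trusts.
    [string] $ExpectedRootPattern = 'CN=DoD Root CA*'
)

# Read the PFX without importing it into any certificate store.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$cert = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $cert) { throw "No end-entity certificate found in $PfxPath" }

$findings = @()

# A self-signed certificate names itself as its own issuer.
if ($cert.Subject -eq $cert.Issuer) {
    $findings += 'Certificate is self-signed (Subject equals Issuer).'
}

# Build the chain against the local trust store, offering any intermediates
# bundled in the PFX so the path to the root can complete.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # this check covers the issuer only
foreach ($c in $pfx.OtherCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $findings += "Chain does not build to a trusted root: $status"
}

# The last chain element is the root (or the leaf itself if no chain was found).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -notlike $ExpectedRootPattern) {
    $findings += "Chain ends at '$($root.Subject)', not at the expected DoD root."
}

[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer      # the value shown under "View details" after upload
    Root     = $root.Subject
    Findings = $findings         # empty when the certificate passes all three checks
}
```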