The server PKI digital certificate installed on the BES12 Server to support Consoles and BlackBerry Web Services authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.

From BlackBerry BES 12.5.x MDM Security Technical Implementation Guide

Part of PP-MDM-991000

Associated with: CCI-000366

Rule ID: SV-83195r2_rule

The server PKI digital certificate installed on the BES12 Server to support Consoles and BlackBerry Web Services authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.

Vulnerability discussion

When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI.

SFR ID: FIA

Check content

On the BES12, do the following:

1. Log on to the BES12 console and select the "Settings" tab at the top of the screen.
2. Expand the Infrastructure tab on the left pane.
3. Select Server certificates.
4. In the SSL certificate for consoles and BlackBerry Web Services, click "View details".
5. Verify the issuer's CN is from the DoD root Certificate Authority (CA).

If the PKI digital certificate installed on the BES12 Server to support consoles and BlackBerry Web Services authentication is not a DoD PKI issued certificate, this is a finding.
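The check above is a manual console inspection. As an added example, not part of the STIG or of BlackBerry's software, the following Python script performs the same verification from the network side using only the standard library: it connects to the BES12 console, requires the presented certificate to chain to a DoD root CA bundle, and then inspects the issuer CN in the structure that ssl.SSLSocket.getpeercert() returns. A self-signed certificate, or one issued by a non-DoD CA, is reported as a finding. The host name, port, bundle path and the list of accepted issuer-CN prefixes are assumptions to be adjusted to the site's DoD PKI chain; the certificate dictionaries at the bottom are constructed sample data for exercising the logic offline.

```python
"""Added example: network-side version of the BES12 console certificate check.

Assumptions (not from the STIG): the DoD CA bundle path, the console host/port,
and the issuer-CN prefixes a DoD-issued server certificate is expected to show.
"""
import socket
import ssl

# Assumed DoD CA naming prefixes; adjust to the CAs the site's chain actually uses.
DOD_ISSUER_CN_PREFIXES = ("DoD Root CA", "DOD SW CA", "DOD ID CA")


def rdn_value(name, attr):
    """Return the first value of `attr` (e.g. 'commonName') from the
    tuple-of-tuples distinguished-name structure used by getpeercert()."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def evaluate_certificate(cert, accepted_prefixes=DOD_ISSUER_CN_PREFIXES):
    """Apply the STIG check to a certificate dict in getpeercert() format.

    Returns (is_finding, reason). A finding is raised when the certificate is
    self-signed (issuer equals subject) or the issuer CN is not a DoD CA."""
    subject = cert.get("subject", ())
    issuer = cert.get("issuer", ())
    issuer_cn = rdn_value(issuer, "commonName") or ""
    if subject == issuer:
        return True, "self-signed certificate: issuer equals subject"
    if not issuer_cn.lower().startswith(tuple(p.lower() for p in accepted_prefixes)):
        return True, f"issuer CN {issuer_cn!r} is not a DoD certificate authority"
    return False, f"issued by DoD CA {issuer_cn!r}"


def check_console_certificate(host, dod_ca_bundle, port=443, timeout=5):
    """Connect to the BES12 console and evaluate the certificate it presents.

    The context trusts only the supplied DoD CA bundle, so a self-signed or
    commercially issued certificate fails the handshake and is itself a finding;
    a certificate that validates is then checked by issuer CN."""
    ctx = ssl.create_default_context(cafile=dod_ca_bundle)  # CERT_REQUIRED, hostname checked
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return True, f"certificate does not chain to the DoD CA bundle: {exc.verify_message}"
    return evaluate_certificate(cert)


# Constructed sample certificates (not real BES12 output) for offline testing.
SELF_SIGNED = {
    "subject": ((("commonName", "bes12.example.mil"),),),
    "issuer": ((("commonName", "bes12.example.mil"),),),
}
DOD_ISSUED = {
    "subject": ((("countryName", "US"),), (("commonName", "bes12.example.mil"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "U.S. Government"),),
               (("commonName", "DOD SW CA-00"),)),  # constructed CA name
}
INTERNAL_CA = {
    "subject": ((("commonName", "bes12.example.mil"),),),
    "issuer": ((("commonName", "Example Corp Internal CA"),),),
}

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("DoD-issued", DOD_ISSUED),
                        ("internal CA", INTERNAL_CA)):
        finding, reason = evaluate_certificate(cert)
        print(f"{label:12s} finding={finding} ({reason})")
    # Live check against the console (placeholders; requires network access):
    # print(check_console_certificate("bes12.example.mil", "/path/to/dod_roots.pem"))
```

The evaluate step on its own is enough to review a certificate exported from the console; the live check adds chain validation, which catches a certificate whose issuer CN merely looks like a DoD CA but does not actually chain to the DoD root.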

Fix text

NOTE: Before you begin, you must obtain an SSL certificate signed by the DoD root Certificate Authority (CA). BES12 supports certificates in the PFX format with either a .pfx or .p12 file name extension. If you configure high availability, you must obtain an SSL certificate that uses the name of the BES12 domain. You can find the BES12 domain name in the management console under Settings >> Infrastructure >> BES12 instances.

On the BES12, do the following:

1. Log on to the BES12 console and select the "Settings" tab at the top of the screen.
2. Expand the "Infrastructure" tab on the left pane.
3. Select "Server certificates".
4. In the SSL certificate for consoles and BlackBerry Web Services section, click "View details".
5. Click "Replace certificate".
6. Click "Browse".
7. Select the certificate file that you want to use.
8. Click "Open".
9. Type the encryption password.
10. Click "Replace".
11. Restart the BES12 Core service on all servers.
