The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI issued certificate. A self signed certificate will not be used.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Part of BES server PKI certificate

SV-31764r3_rule The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI issued certificate. A self signed certificate will not be used.

Vulnerability discussion

When a self-signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.

Check content

Verify a DoD server certificate has been installed on the BES and the self-signed certificate, available as an option during the setup of the BES, has not been installed. Ask the BlackBerry Administrator to access the BAS login console using Internet Explorer. Verify no certificate error occurs. Click the "Lock" icon next to the address bar then select "view certificates". On the "General" tab, verify the "Issued to:" and "Issued by:" fields do not show the same value. Then on the "Certification Path" tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states "This certificate is OK". Remediation: If a certificate error occurs either the default self-signed certificate is still installed, the BlackBerry Enterprise Server has not been rebooted since the DoD-issued certificate has been installed, or the computer accessing the BAS does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the "Continue to this website" option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the BlackBerry Administrator to run InstallRoot on the computer accessing the BAS. Otherwise, have the BlackBerry Administrator follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.

Fix text

Use a DoD-issued digital certificate on the BES to support BAS and BWDM authentication.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer