Update BES 5.X to use TLS + 2048-bit SSL keys.

If you found this post you are probably here because you installed KB3061518 (Microsoft's Schannel update for the Logjam weakness in Diffie-Hellman key exchange). Here is a quote from the KB article:

After you install this security update, the minimum allowed DHE key length on client computers is changed to 1,024 bits by default, instead of the previous minimum allowed key length of 512 bits.

As you can guess this will cause some havoc with accessing the BES web interface and with any software that is used to control BES via the API: the Administration Service's HTTPS listener offers a DHE key shorter than the new minimum, so patched Windows clients abort the handshake. We could lower the minimum again in the registry on EVERY SINGLE client computer that accesses the BES interface, but that would re-open the weakness the KB was intended to close. The better option is to secure the JBoss web server on the BES server.

Step 1: create a new 2048-bit RSA key and SHA-256 self-signed certificate.

To do this we first need to create a new keystore.

Let's back up the old keystore before we create the new one. On my server the keystore file was located in:
c:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore

Next, open a Command Prompt window as the user that the BES services are running as.

Next, change to the bin directory of the JRE that BES uses. For me this was located in c:\Program Files (x86)\Java\jre...\bin. Run the following command, substituting your server's hostname for the CN (it must match the name users type into the browser, or they get a name-mismatch warning on top of the self-signed one) and your own password:

keytool -genkey -dname "CN=SUBDOMAIN.DOMAIN.COM,OU=BES,O=RIM,C=CA" -alias httpssl -keypass PASSWORDHERE -keystore "c:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -storepass PASSWORDHERE -validity 99999 -keyalg RSA -sigalg SHA256withRSA -keysize 2048

If the above runs without error, web.keystore now holds a self-signed 2048-bit RSA certificate, signed with SHA-256, under the alias httpssl (keytool's -list option with -v shows the signature algorithm). Note that -validity 99999 is roughly 274 years; shorten it if your clients reject far-future expiry dates. BES reads the keystore password from the registry, so next run BES Server Configuration and select the Administration Service Web Keystore tab. Enter PASSWORDHERE as the old password and a new password for the keystore. Click OK and we are off to the next part.

As an addendum to the above, the password is stored per user. If you ran BES Server Configuration as a different user and changed the password there, open HKEY_USERS\<SID>\SOFTWARE\Research In Motion\Administration Service\Key Store\webkeystore password under that user's SID and copy the stored value into the same key under the SID of the account that runs the BES services. I also like to store the current keystore password in a text file in the c:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\ directory so it does not get lost.

Step 2: configure the JBoss connector to use the TLS protocols.

Now we need to change the connector config for the JBoss server. RIM's documentation for doing this is WRONG. After a lot of trial and error I modified one of their XSLT files to output the correct connector configuration, as it is generated on the fly.

Back up the service-port-binding.xml file located in C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\server\default\conf

Open service-port-binding.xml in your favourite text editor and search for **** tomcat **** to find the stylesheet for the web connector. Add an xsl:param named sslProtocol directly under <xsl:param name="port"/> (approximately line 365), like this:

<xsl:param name="sslProtocol"/>

Next, in the variables section, under <xsl:variable name="portHttp" select="18180"/> (line 371), add the list of protocols the connector will accept. Only TLS versions are listed, so SSLv2 and SSLv3 are no longer offered:

<xsl:variable name="sslProtocolTypes">
    <xsl:text>TLSv1,TLSv1.1,TLSv1.2</xsl:text>
</xsl:variable>

Now, under
<xsl:when test="(name() = 'port' and . = '8443')"> <xsl:attribute name="port"><xsl:value-of select="$portHttps" /></xsl:attribute> </xsl:when> (line 398)

Add the rule that emits the list as the connector's sslProtocols attribute (the enabled-protocol list attribute of the JSSE connector in this JBoss Web version):

<xsl:when test="(name() = 'sslProtocol')">
    <xsl:attribute name="sslProtocols">
        <xsl:value-of disable-output-escaping="yes" select="string($sslProtocolTypes)" />
    </xsl:attribute>
</xsl:when>

That's it: save the file and restart all the BES services. Wait a few minutes and connect to the web interface from a client that has KB3061518 installed. It is worth checking with a TLS client that the listener now negotiates TLS 1.2 with the new 2048-bit certificate and no longer accepts SSLv3.
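Both steps above are hand edits that are easy to get wrong or apply twice. The following Python script is an added example written for this page; it is not RIM's tooling and not code from the original post. It builds the Step 1 keytool command as an argument list (no cmd.exe quoting), backs up the old keystore and service-port-binding.xml, and applies the three Step 2 insertions only to the stylesheet that contains the 8443 connector rule (the "tomcat" one), refusing to duplicate them on a second run and re-parsing the stylesheet afterwards so a broken edit is caught before JBoss sees it. Assumptions: the default BAS install path, keytool on PATH unless a path is given, the hostname and keystore password as command-line arguments, and the constructed SAMPLE_XSLT stand-in, which is a cut-down version of the real stylesheet containing only the three anchor lines.

```python
"""Script the two steps of the post: Step 1 keytool command, Step 2 XSLT edits.
Added example for this page, not RIM's tooling. Paths, argument handling and
SAMPLE_XSLT are assumptions/constructed data, not taken from the BES product."""
import re
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path
from typing import List

# Assumed default install location (matches the paths quoted in the post).
BAS_DIR = Path(r"C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS")
KEYSTORE = BAS_DIR / "bin" / "web.keystore"
PORT_BINDING = BAS_DIR / "server" / "default" / "conf" / "service-port-binding.xml"
TLS_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # TLS only: SSLv2/SSLv3 are not offered

# The three Step 2 fragments, each keyed to the line it is inserted after.
PARAM_ANCHOR = '<xsl:param name="port"/>'
PARAM_ADD = '<xsl:param name="sslProtocol"/>'
VAR_ANCHOR = '<xsl:variable name="portHttp" select="18180"/>'
VAR_ADD = ('<xsl:variable name="sslProtocolTypes"><xsl:text>'
           + TLS_PROTOCOLS + '</xsl:text></xsl:variable>')
WHEN_ANCHOR_RE = re.compile(
    r'''<xsl:when test="\(name\(\) = 'port' and \. = '8443'\)">.*?</xsl:when>''', re.S)
WHEN_ADD = ('''<xsl:when test="(name() = 'sslProtocol')"><xsl:attribute name="sslProtocols">'''
            '''<xsl:value-of disable-output-escaping="yes" select="string($sslProtocolTypes)" />'''
            '''</xsl:attribute></xsl:when>''')
STYLESHEET_RE = re.compile(r"<xsl:stylesheet\b.*?</xsl:stylesheet>", re.S)

# Constructed, cut-down stand-in for the "**** tomcat ****" stylesheet; the real
# file is far longer. Only the three anchor lines matter for the patcher.
SAMPLE_XSLT = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="xml"/>
<xsl:param name="port"/>
<xsl:variable name="portHttp" select="18180"/>
<xsl:variable name="portHttps" select="$port"/>
<xsl:template match="@*">
  <xsl:choose>
    <xsl:when test="(name() = 'port' and . = '8443')"> <xsl:attribute name="port"><xsl:value-of select="$portHttps" /></xsl:attribute> </xsl:when>
    <xsl:otherwise><xsl:copy/></xsl:otherwise>
  </xsl:choose>
</xsl:template>
</xsl:stylesheet>
"""


def keytool_command(hostname: str, password: str, keytool: str = "keytool",
                    keystore: Path = KEYSTORE) -> List[str]:
    """argv for the Step 1 keytool call: 2048-bit RSA, SHA256withRSA, alias httpssl."""
    return [keytool, "-genkey",
            "-dname", "CN=%s,OU=BES,O=RIM,C=CA" % hostname,
            "-alias", "httpssl",
            "-keypass", password, "-storepass", password,
            "-keystore", str(keystore),
            "-validity", "99999",
            "-keyalg", "RSA", "-keysize", "2048", "-sigalg", "SHA256withRSA"]


def patch_xslt(text: str) -> str:
    """Apply the three Step 2 insertions to the one stylesheet holding the 8443
    connector rule. Idempotent: a second run returns the text unchanged."""
    targets = [m for m in STYLESHEET_RE.finditer(text) if WHEN_ANCHOR_RE.search(m.group(0))]
    if len(targets) != 1:
        raise ValueError("expected one stylesheet with the 8443 rule, found %d" % len(targets))
    start, end = targets[0].span()
    sheet = text[start:end]
    for anchor, add in ((PARAM_ANCHOR, PARAM_ADD), (VAR_ANCHOR, VAR_ADD)):
        if add in sheet:
            continue  # already applied
        if anchor not in sheet:
            raise ValueError("anchor not found: " + anchor)
        sheet = sheet.replace(anchor, anchor + "\n" + add, 1)
    if WHEN_ADD not in sheet:
        m = WHEN_ANCHOR_RE.search(sheet)
        sheet = sheet[:m.end()] + "\n" + WHEN_ADD + sheet[m.end():]
    ET.fromstring(sheet)  # raises ParseError if an edit left the XSLT malformed
    return text[:start] + sheet + text[end:]


def patch_file(path: Path = PORT_BINDING) -> Path:
    """Timestamped backup beside the file, then rewrite it in place."""
    backup = path.with_name(path.name + "." + datetime.now().strftime("%Y%m%d%H%M%S") + ".bak")
    shutil.copy2(path, backup)
    path.write_text(patch_xslt(path.read_text(encoding="utf-8")), encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Assumed usage: python bes_tls.py <hostname> <keystore password> [path\to\keytool.exe]
    # Run as the account the BES services use, so the keystore password lands in its hive.
    host, password = sys.argv[1], sys.argv[2]
    keytool = sys.argv[3] if len(sys.argv) > 3 else "keytool"
    if KEYSTORE.exists():  # keep the old keystore; keytool then creates a fresh one
        KEYSTORE.rename(KEYSTORE.with_name("web.keystore.bak"))
    subprocess.run(keytool_command(host, password, keytool), check=True)
    print("backup of service-port-binding.xml:", patch_file())
```

After running it, the BES Server Configuration step (entering the new keystore password) still has to be done by hand, and the services restarted; the script deliberately does not touch the registry.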


Jeremy Tirrell
