How to configure BlackBerry MDS Connection Service to perform certificate searches using LDAPS

How to configure the BlackBerry MDS Connection Service to enable certificate searching against a Lightweight Directory Access Protocol (LDAP) certificate server over SSL/TLS (LDAPS).

Task 1 – Configure the MDS Connection Service

 

BlackBerry Enterprise Server 4.1

  1. Enter the LDAP certificate server host name.
  2. Enter the LDAP certificate server port configured on the LDAP certificate server. The default is 636.
  3. Enter the Microsoft® Active Directory® account and password that has permission to query the LDAP certificate server.
  4. Enter a default base query.
  5. Amend the query limit and data compression settings if necessary.

 

BlackBerry Enterprise Server version 5.0

  1. Open the BlackBerry Administration Service.
  2. Navigate to BlackBerry Solution topology > BlackBerry Domain > Component view > Edit (MDS Connection Service) > LDAP.
  3. Enter the LDAP certificate server host name and port in the Service URL field in the format:
    • Hostname:Port
  4. Set Secure connection enabled to Yes.
  5. Click Save All.
  6. Navigate to BlackBerry Solution topology > BlackBerry Domain > Component view > Edit (MDS Connection Service) > Configuration sets.
  7. Add the LDAP configuration to a new or existing configuration set.
  8. Click Save all.
  9. Navigate to each BlackBerry MDS Connection Service instance in BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service > Edit (Servername_MDS-CS_x) > Component Configuration Sets and specify the configuration set that a BlackBerry MDS Connection Service instance will use.
  10. Click Save all.

 

Task 2 – Amend rimpublic.property file

  1. In C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\<SERVER_NAME>\config, open rimpublic.property.
  2. Add application.handler.ldap.DEFAULT_USE_SSL_TLS=true.
  3. Save.

Task 3 – Restart the BlackBerry MDS Connection Service to allow the changes to MDS_CS and rimpublic.property to apply.

Task 4 – Import company root certificate to the MDS keystore.

Refer to KB11623 – How to add a certificate for the web server to the BlackBerry MDS or BlackBerry MDS Keystore – and add the root certificate to the BlackBerry MDS keystore.

If the root certificate does not contain a CRL distribution point entry, it will be necessary to add the intermediate certificates to the BlackBerry MDS keystore as well.
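Before importing anything, it helps to see exactly which chain the LDAP certificate server presents on port 636, so that the root (and any intermediates) you put into the MDS keystore are the ones actually in use. The following PowerShell script is an added example, not from the BlackBerry KB; the host name and output folder are placeholders. It completes a TLS handshake, walks the chain with X509Chain, and exports each certificate as a DER .cer file, the form keytool -import accepts.

```powershell
# Added example for Task 4 (not from the BlackBerry KB): connect to the LDAP
# certificate server over LDAPS, list the certificate chain it presents, and
# export every certificate to a .cer file ready for import into the MDS cacerts.
$LdapHost = 'ldapcert.example.internal'   # placeholder: your LDAP certificate server
$LdapPort = 636                           # default LDAPS port (from Task 1)
$OutDir   = 'C:\Temp\ldaps-chain'         # assumed export folder

function Get-LdapsCertificateChain {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any certificate for the handshake only; trust is evaluated below
        # with X509Chain instead of being decided inside the callback.
        $acceptAll = { param($sender, $cert, $chain, $errors) return $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is deliberately skipped here; this check is about the trust path only
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)
    return New-Object PSObject -Property @{
        Leaf             = $leaf
        Elements         = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        TrustedByWindows = $trusted
    }
}

function Export-ChainCertificates {
    param($Certificates, [string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $rows = @()
    for ($i = 0; $i -lt $Certificates.Count; $i++) {
        $c = $Certificates[$i]
        # Element 0 is the server certificate; a self-issued certificate is the root
        $role = if ($i -eq 0) { 'server' } elseif ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        $file = Join-Path $Folder ("$role-" + $c.Thumbprint + '.cer')
        # DER-encoded certificate only (no private key), the form keytool -import expects
        [System.IO.File]::WriteAllBytes($file, $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        $rows += New-Object PSObject -Property @{
            Role = $role; Thumbprint = $c.Thumbprint; Subject = $c.Subject; NotAfter = $c.NotAfter; File = $file
        }
    }
    return $rows
}

$result = Get-LdapsCertificateChain -ComputerName $LdapHost -Port $LdapPort
$rows = Export-ChainCertificates -Certificates $result.Elements -Folder $OutDir
$rows | Format-Table Role, Thumbprint, NotAfter, Subject -AutoSize
if (-not $result.TrustedByWindows) {
    "Chain does not validate on this host; import the root (and intermediates, if any) into the MDS cacerts."
}
```

Compare the printed thumbprints with the values the CA administrator publishes before importing any of the exported files; the script accepts whatever the server sent, so the comparison is what establishes trust. The Java cacerts store is separate from the Windows certificate store, so TrustedByWindows is only an indication; the authoritative check is keytool -list against the MDS keystore. The same script applies to the HTTPS web server case in KB11623 by changing the host and port.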

—————————————————————–

How to add a certificate for the web server to the BlackBerry Mobile Data Service or BlackBerry MDS keystore

Overview

The cacerts file is a keystore with certificate authority (CA) certificates, and it includes multiple trusted root CA certificates, such as VeriSign®. For the BlackBerry® Mobile Data System (MDS) or BlackBerry MDS Connection Service to trust a web server, the BlackBerry MDS Connection Service must verify the web server certificate against the certificate authority that issued it. If the web server certificate is purchased from a trusted certificate authority, the check is successful because the issuer’s root CA certificate is in the cacerts file by default. If a private certificate authority is used to issue the web site certificate, the check fails and access to the website from the BlackBerry smartphone is either denied or a prompt to trust the certificate appears on the BlackBerry smartphone screen. Either of the following can be done in order to change this behaviour and to allow the BlackBerry smartphone to access the website successfully:

  • Import the private certificate authority’s root CA certificate and any relevant intermediate certificates into the cacerts file.
  • Import the web server certificate into the cacerts file.

Note: The BlackBerry MDS is included with BlackBerry Enterprise Server 3.6 to 4.0. BlackBerry MDS Connection Service is included with BlackBerry Enterprise Server 4.1 to 4.1 SP7.

To import the certificate into the cacerts file, complete the following tasks:

Task 1 – Check which version of JRE is used by the BlackBerry MDS or BlackBerry MDS Connection Service

As multiple versions of the JRE can be installed on a server, it is necessary to check which version is currently in use by the BlackBerry MDS or BlackBerry MDS Connection Service.

Perform the following steps to do so:

  1. Open the Windows Services® snap-in.
  2. Open properties of the BlackBerry MDS Connection Service.
  3. On the General tab, in Path to executable, find the value of the jvmpath parameter. It is populated with the path to the JRE in use. See the following example:

    jvmpath="C:\Program Files\Java\jre1.6.0_15\bin\client\jvm.dll"

  4. Write down the part of the path which points to the JRE installation directory. See the following example:

    C:\Program Files\Java\jre1.6.0_15

Task 2 – Add a certificate to the BlackBerry MDS or BlackBerry MDS-CS certificate store

Note: The default keystore password is changeit. The aliasname used in the following commands must be unique.

To add a certificate to the BlackBerry MDS or BlackBerry MDS Connection Service certificate store, complete the following steps:

  1. Copy the certificatename.cer file to <PATH_FROM_TASK1_STEP4>\lib\security
  2. Type the following commands in the command prompt:

    cd <PATH_FROM_TASK1_STEP4>\bin

    keytool -import -trustcacerts -alias aliasname -file ..\lib\security\certificateName.cer -keystore ..\lib\security\cacerts

  3. Check that the cacerts file contains the updated information for the new alias and certificate:

    keytool -list -v -keystore ..\lib\security\cacerts

  4. Restart the BlackBerry MDS or BlackBerry MDS Connection Service for the changes to take effect.
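Task 1 and Task 2 can be scripted together so that the certificate always lands in the cacerts of the JRE the service really runs under, rather than whichever Java happens to be first on the PATH. The PowerShell below is an added example and not part of KB11623; the service display name, alias and certificate path are assumptions, and the keystore password is the default the KB gives. It reads the jvmpath value from the service command line, refuses to reuse an existing alias (the KB requires a unique one), backs up cacerts, imports, and verifies the alias is present before restarting the service.

```powershell
# Added example (not from KB11623): locate the JRE the MDS Connection Service
# runs under (Task 1) and import a CA certificate into its cacerts (Task 2).
$ServiceDisplayName = 'BlackBerry MDS Connection Service'   # assumed; check the Services snap-in
$CertFile  = 'C:\Temp\ldaps-chain\company-root.cer'          # placeholder path to the .cer file
$Alias     = 'companyrootca'                                  # must be unique within cacerts
$StorePass = 'changeit'                                       # default cacerts password (from the KB)

function Get-MdsJreHome {
    param([string]$DisplayName)
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found" }
    # PathName carries e.g. jvmpath="C:\Program Files\Java\jre1.6.0_15\bin\client\jvm.dll";
    # everything before \bin\<vm>\jvm.dll is the JRE installation directory
    $re = 'jvmpath="?(?<home>[^"]+?)\\bin\\[^"\\]+\\jvm\.dll'
    if ($svc.PathName -match $re) { return $Matches['home'] }
    throw "jvmpath not found in service command line: $($svc.PathName)"
}

function Test-KeystoreAlias {
    param([string]$Keytool, [string]$Keystore, [string]$Alias, [string]$StorePass)
    # keytool -list -alias exits non-zero when the alias does not exist
    & $Keytool -list -keystore $Keystore -storepass $StorePass -alias $Alias | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Import-CaCertificate {
    param([string]$JreHome, [string]$CertFile, [string]$Alias, [string]$StorePass)
    $keytool = Join-Path $JreHome 'bin\keytool.exe'
    $cacerts = Join-Path $JreHome 'lib\security\cacerts'
    if (-not (Test-Path $keytool))  { throw "keytool not found at $keytool" }
    if (-not (Test-Path $CertFile)) { throw "Certificate file not found: $CertFile" }
    if (Test-KeystoreAlias $keytool $cacerts $Alias $StorePass) {
        throw "Alias '$Alias' already exists in $cacerts; the KB requires a unique alias"
    }
    Copy-Item $cacerts ($cacerts + '.bak')   # keep a copy before modifying the keystore
    & $keytool -import -trustcacerts -noprompt -alias $Alias -file $CertFile -keystore $cacerts -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
    if (-not (Test-KeystoreAlias $keytool $cacerts $Alias $StorePass)) {
        throw "Alias '$Alias' is not present after import"
    }
    # Same verification the KB asks for in step 3, limited to the new alias
    & $keytool -list -v -keystore $cacerts -storepass $StorePass -alias $Alias
}

$jre = Get-MdsJreHome -DisplayName $ServiceDisplayName
"JRE in use by the service: $jre"
Import-CaCertificate -JreHome $jre -CertFile $CertFile -Alias $Alias -StorePass $StorePass
Restart-Service -DisplayName $ServiceDisplayName   # step 4: changes take effect on restart
```

Run it from an elevated prompt, since cacerts lives under Program Files. If the JRE is ever upgraded, the service's jvmpath changes and the import has to be repeated against the new cacerts, which is why the script derives the path from the service definition each time instead of hard-coding it.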

Environment

  • BlackBerry® Enterprise Server 3.6 to 5.0 SP1
  • Java® Runtime Environment (JRE)

Additional Information

If the following error message appears in the BlackBerry MDS or BlackBerry MDS Connection Service log file after accessing an HTTPS site from a BlackBerry smartphone, it might be caused by the web server’s certificate not being added to the cacerts file:

BlackBerry Enterprise Server 3.6 to 4.1 SP5

<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://testsite/test.css] SSLException
[sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]>

BlackBerry Enterprise Server 4.1 SP6 to 4.1 SP7

<MDS-CS_SERVERNAME_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, Access Denied: Insecure SSL Request>

*Information was provided by the BlackBerry Technical Solution Center.

kb20197 and kb11623

Windows 2003 + Active Directory Support Tools

I was looking for ways to show domain controller information and/or change a domain controller name, and came across a few pages on the net that helped me achieve this.

You can download the kit from windows here:

http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe

Other tools in the kit:

http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx

This site is awesome for Windows-related support and how-to’s:

http://www.petri.co.il/windows_2003_domain_rename.htm

http://www.petri.co.il/download_windows_2003_sp1_support_tools.htm

Honestly, this is just for my reference 🙂

MS Windows 2003 SBS pop3 connector / Blackberry Enterprise Server Express

I have built a new server on VMware to accommodate the new BlackBerry Enterprise Server Express 5.0.1 that was just recently released. I was quite ecstatic to hear RIM was giving this up for free. Since I had a 5 CAL license for Windows 2003 Small Business Server, I set this up on my VM, which also included Exchange Server 2003. Setup was easy; I did all the updates to this ancient OS. Then I set up the BESX on the same server. Since I only plan to host a personal/SOHO domain, this is totally acceptable. BlackBerry suggests I can have up to 75 users on this server. The server itself is pretty decent – Xeon, 4GB ECC RAM, RAID 5.

BlackBerry has this great video tutorial that shows how to set the BESX up in a jiffy.

You can view the video here.

Going forward, I had redirected my domain’s email to the Exchange server; this meant I had to purchase anti-spam software, as it was getting ridiculous without it.

What I decided to do was activate the POP3 Connector, which comes with the SBS 2003 OS. The downside was that it only polls every 15 minutes at minimum. Boo! Doesn’t that defeat having push email to the BlackBerry?

Well, I found a registry edit hack that will accelerate the polling.

You can set the polling interval in the GUI if you view the properties of the POP3 Connector Manager, and then click the “Scheduling” tab. To set the polling interval so that polling occurs more frequently than every 15 minutes, you must configure the ScheduleAccelerator registry entry.

1. Locate and then click the following registry subkey:

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Network\POP3 Connector”

2. On the “Edit” menu, point to “New”, and then click “DWORD Value”.

3. Type “ScheduleAccelerator” (without the quotation marks) as the entry name, and then press ENTER.

5. On the “Edit” menu, click “Modify”.

6. In the “Value data” box, click decimal, type the value that you want, and then click “OK”. To determine the polling interval, the value that is configured on the “Scheduling” tab in the GUI is divided by the value that you type for the ScheduleAccelerator entry. For example, if a 15 minute interval is specified in the GUI and you set the value of the ScheduleAccelerator entry to 3, the connector will poll every five minutes.

7. Quit Registry Editor.
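The registry steps above can be done in one repeatable script that also shows the effective interval, which avoids the common mistake of creating the value as a string instead of a DWORD. This PowerShell is an added example, not from the post or the Microsoft article it quotes; the key path is the one given above, while the GUI interval of 15 minutes and the accelerator of 3 are the article’s own worked numbers and are assumptions for your server.

```powershell
# Added example (not from the post or the Microsoft article it quotes): create or
# update the ScheduleAccelerator DWORD and report the resulting polling interval.
$Key = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\Network\POP3 Connector'
$GuiIntervalMinutes = 15   # value shown on the Scheduling tab (assumed; read it from the GUI)
$Accelerator = 3           # divisor; 15 / 3 = 5 minutes, the article's example

function Get-EffectivePollMinutes {
    param([int]$GuiMinutes, [int]$Accelerator)
    # The GUI interval is divided by the accelerator; 0 would mean a division by zero
    if ($Accelerator -lt 1) { throw 'ScheduleAccelerator must be 1 or greater' }
    return $GuiMinutes / $Accelerator
}

function Set-ScheduleAccelerator {
    param([string]$Path, [int]$Value)
    if (-not (Test-Path $Path)) {
        throw "Registry key not found: $Path (is the POP3 Connector installed?)"
    }
    $existing = Get-ItemProperty -Path $Path -Name ScheduleAccelerator -ErrorAction SilentlyContinue
    if ($existing) {
        Set-ItemProperty -Path $Path -Name ScheduleAccelerator -Value $Value
    } else {
        # DWORD Value, as in step 2 of the article; a REG_SZ here would be ignored
        New-ItemProperty -Path $Path -Name ScheduleAccelerator -PropertyType DWord -Value $Value | Out-Null
    }
    # Read back what is now stored so the caller works with the real value
    return (Get-ItemProperty -Path $Path -Name ScheduleAccelerator).ScheduleAccelerator
}

$stored = Set-ScheduleAccelerator -Path $Key -Value $Accelerator
$effective = Get-EffectivePollMinutes -GuiMinutes $GuiIntervalMinutes -Accelerator $stored
"ScheduleAccelerator = $stored; connector polls every $effective minutes ($GuiIntervalMinutes / $stored)"
```

Run it elevated, since the key is under HKEY_LOCAL_MACHINE. The registry value that holds the GUI interval itself is not given in the article, so the script takes that number as a parameter rather than reading it from the registry.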

Cron Job wizard

Ever have those blonde moments when you are secure-shell tunneled into your Unix/Linux box and can’t remember the proper way to set up a cron job? Well, now you don’t have to rely on memory to make that happen. I came across this site that has created this wizard. The downfall is that on every item you choose, a damn pop-up happens, but it’s easy enough to close and continue. I guess buddy has to pay for his/her site with PPC.

The URL is:

http://www.htmlbasix.com/crontab.shtml

I give props to the creator of this site mentioned above.

automated cPanel backup

I came across the blog of this genius who has created a script to automate cPanel backups. Previously, I would have to do this manually. I have shared boxes and a VPS, and am currently in the process of shipping a pimped box for colo. In the meantime, as WHM on my shared account doesn’t allow automated backups, I have installed this script to create full backups and push them via FTP to my remote server! This also includes all domains, emails and “sql” as well. So happy I found this script. I am currently looking to see if I can use SFTP instead of FTP. Why not make the transfer as secure as possible? Shout out to Justin Cook.

xcopy – a great tool

So, tired of copy and paste between folders/drives, and all of a sudden access is denied on a particular file so the transfer stops? That sucks!

xcopy is a great tool on the command prompt.

Go to the directory you want to copy to and type:

xcopy {copy path} /C /H /K /R /E /Y

Also note that if any of your paths have spaces in them, you need to enclose them in quotes, i.e. xcopy c:\"documents and settings\administrator" /SWITCHES.

This does:

  • /C Continues copying even if errors occur.
  • /H Copies hidden and system files also.
  • /K Copies attributes. Normal xcopy will reset read-only attributes.
  • /E Copies directories and subdirectories, including empty ones. Same as /S /E. May be used to modify /T.
  • /R Overwrites read-only files.
  • /Y Suppresses prompting to confirm that you want to overwrite an existing destination file. May be preset in the COPYCMD environment variable.

I give credit to commandwindows.com. The link for all xcopy commands is:
here

xcopy provides an excellent tool for backing up selected folders. With appropriate switches, a variety of backup scenarios can be created. One possible backup configuration would be to copy only those files that have been changed. Here is an example command:

    xcopy C:\somefolder E:\backupfolder /D /E /C /R /H /I /K /Y

This command will copy all files, including those in sub-folders, that are newer in the source folder. It will copy hidden as well as read-only files and will create the destination folder and/or sub-folders if they do not already exist.
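Because /C makes xcopy keep going past errors, the exit code at the end is the only thing telling you whether the backup was clean, and it is easy to miss at an interactive prompt. The PowerShell wrapper below is an added example, not from the post or commandwindows.com; it runs the incremental command from the post with the post’s sample paths (the log path is an assumption), appends the output to a log, and maps xcopy’s documented exit codes to a readable result.

```powershell
# Added example (not from the post or commandwindows.com): run the incremental
# xcopy backup from the post, log the run, and interpret xcopy's exit code.
$Source = 'C:\somefolder'        # paths from the post's example command; adjust
$Dest   = 'E:\backupfolder'
$Log    = 'E:\backupfolder.log'  # assumed log location

function Invoke-XcopyBackup {
    param([string]$Source, [string]$Destination, [string]$LogFile)
    if (-not (Test-Path $Source)) { throw "Source not found: $Source" }
    # /D copies only files newer than the destination copy; /E includes empty subfolders;
    # /C keeps going on errors (the "access denied" case); /R /H /K cover read-only,
    # hidden/system files and attributes; /I treats a missing destination as a folder;
    # /Y suppresses overwrite prompts. PowerShell quotes arguments containing spaces.
    $out = & xcopy.exe $Source $Destination /D /E /C /R /H /I /K /Y 2>&1
    $code = $LASTEXITCODE
    ("=== {0} xcopy {1} -> {2}" -f (Get-Date), $Source, $Destination) | Out-File $LogFile -Append
    $out | Out-File -FilePath $LogFile -Append
    # Exit codes as documented for xcopy
    $meaning = switch ($code) {
        0 { 'files copied without error' }
        1 { 'no files were found to copy (nothing newer than the destination)' }
        2 { 'copy was interrupted by CTRL+C' }
        4 { 'initialization error (invalid drive, syntax error, or out of memory)' }
        5 { 'disk write error' }
        default { 'undocumented exit code' }
    }
    # Heuristic: lines xcopy printed for files it skipped because of /C
    $failures = @($out | Where-Object { "$_" -match 'Access denied|Sharing violation' })
    return New-Object PSObject -Property @{ ExitCode = $code; Meaning = $meaning; Failures = $failures }
}

$r = Invoke-XcopyBackup -Source $Source -Destination $Dest -LogFile $Log
"xcopy exit {0}: {1}; {2} file(s) reported errors. Details in {3}" -f $r.ExitCode, $r.Meaning, $r.Failures.Count, $Log
if ($r.ExitCode -ne 0 -and $r.ExitCode -ne 1) { exit $r.ExitCode }
```

One caveat worth knowing when this is used as a backup: none of these switches copy NTFS permissions, so the files land with the destination folder’s ACLs; xcopy’s /O switch copies ownership and ACL information if the permissions themselves need to be preserved.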

Avira Antivir Free personal edition

I recently started using Avira AntiVir, the free personal edition. One thing I found annoying was that every time it updated the virus definitions, it would pop up an ad to buy the better edition. While searching on Google, I found this page that explains how to block that pop-up. Instead of c/p this info, I will give credit where it is due. So just go check out that link.

http://www.tipsfor.us/2007/08/15/make-avira-antivir-free-edition-more-usable/

The thing that this AntiVir is lacking is the scanning of incoming email. Most non-power users have free mail, i.e. Gmail or Hotmail, so in my opinion you don’t need the email scanning option. This would be an issue if you use Outlook / Outlook Express; then I would recommend buying the better version or going for another great free product – AVG.