Tag: certificate searches

The cacerts file is a keystore with certificate authority (CA) certificates, and it includes multiple trusted root CA certificates, such as VeriSign®. For the BlackBerry® Mobile Data System (MDS) or BlackBerry MDS Connection Service to trust a web server, the BlackBerry MDS Connection Service must check that the web server certificate with the certificate authority. If the web server certificate is purchased from a trusted certificate authority, the check is successful because the issuer’s root CA certificate is in the cacerts file by default. If a private certificate authority is used to issue the web site certificate, the check fails and access to the website from the BlackBerry smartphone is either denied or a prompt to trust the certificate appears on the BlackBerry smartphone screen. Any of the following can be done in order to change this behaviour and to allow the BlackBerry smartphone to access the website successfully:

• Import the private certificate authority’s root CA certificate and any relevant intermediate certificates into the cacerts file.
• Import the web server certificate into the cacerts file.

Note: The BlackBerry MDS is included with BlackBerry Enterprise Server 3.6 to 4.0. BlackBerry MDS Connection Service is included with BlackBerry Enterprise Server 4.1 to 4.1 SP7.

To import the certificate into the cacerts file, complete the following tasks:

Task 1 – Check which version of JRE is used by the BlackBerry MDS or BlackBerry MDS Connection Service

As multiple versions of the JRE can be installed on a server, it is necessary to check which version is currently in use by the BlackBerry MDS or BlackBerry MDS Connection Service.

Perform the following steps to do so:

1. Open the Windows Services® snap-in.
2. Open properties of the BlackBerry MDS Connection Service.
3. On General tab in Path to executable find the value of jvmpath parameter. It is populated with a path to the JRE in use. See the following example:jvmpath=”C:\Program Files\Java\jre1.6.0_15\bin\client\jvm.dll”
4. Write down part of the path which points to the JRE installation directory. See the following example:C:\Program Files\Java\jre1.6.0_15

Task 2 – Add a certificate to the BlackBerry MDS or BlackBerry MDS-CS certificate store

Note: The default keystore password is changeit. The aliasname used in the following commands must be unique.

To add a certificate to the BlackBerry MDS or BlackBerry MDS Connection Service certificate store, complete the following steps:

1. Copy the certificatename.cer file to <PATH_FROM_TASK1_STEP4>\lib\security
2. Type the following commands in the command prompt:cd <PATH_FROM_TASK1_STEP4>\bin

   keytool -import -trustcacerts -alias aliasname -file ..\lib\security\certificateName.cer -keystore ..\lib\security\cacerts

3. Check that the cacerts file contains the updated information for the new alias and certificate:

   keytool -list -v -keystore ..\lib\security\cacerts

4. Restart the BlackBerry MDS or BlackBerry MDS Connection Service for the changes to take effect.

• Back to top

• BlackBerry® Enterprise Server 3.6 to 5.0 SP1
• Java® Runtime Environment (JRE)

• Back to top

If the following error message appears in the BlackBerry MDS or the BlackBerry MDS log file after accessing an HTTPS site from a BlackBerry smartphone, it might be caused by the web server’s certificate not being added to the cacerts file:

BlackBerry Enterprise Server 3.6 to 4.1 SP5

<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://testsite/test.css] SSLException
[sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]>

BlackBerry Enterprise Server 4.1 SP6 to 4.1 SP7

<MDS-CS_SERVERNAME_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, Access Denied: Insecure SSL Request>