How to configure the BlackBerry MDS Connection Service to enable certificate searching using Lightweight Directory Access Protocol (LDAP) certificate server.
Task 1 – Configure the MDS Connection Service
BlackBerry Enterprise Server 4.1
- Enter the LDAP certificate server host name.
- Enter the LDAP certificate server port configured on the LDAP certificate server. The default is 636.
- Enter the Microsoft® Active Directory® account and password that has permission to query the LDAP certificate server.
- Enter a default base query.
- Amend the query limit and data compression settings if necessary.
BlackBerry Enterprise Server version 5.0
- Open the BlackBerry Administration Service.
- Navigate to BlackBerry Solution topology > BlackBerry Domain > Component view > Edit (MDS Connection Service) > LDAP.
- Enter the LDAP certificate server host name and port in the Service URL field in the format:
- Set Secure connection enabled to Yes.
- Click Save All.
- Navigate to BlackBerry Solution topology > BlackBerry Domain > Component view > Edit (MDS Connection Service) > Configuration sets.
- Add the LDAP configuration to a new or existing configuration set.
- Click Save all.
- Navigate to each BlackBerry MDS Connection Service instance in BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service > Edit (Servername_MDS-CS_x) > Component Configuration Sets and specify the configuration set that a BlackBerry MDS Connection Service instance will use.
- Click Save all.
Task 2 – Amend rimpublic.property file
- In C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\<SERVER_NAME>\config, open rimpublic.property.
- Add Adding application.handler.ldap.DEFAULT_USE_SSL_TLS=true.
Task 3 – Restart the BlackBerry MDS Connection Service to allow the changes to MDS_CS and rimpublic.property to apply.
Task 4 – Import company root certificate to the MDS keystore.
Refer to KB11623 – How to add a certificate for the web server to the BlackBerry MDS or BlackBerry MDS Keystore – and add the root certificate to the BlackBerry MDS keystore.
If the root certificate does not contain a CRL distribution point entry it will be necessary to add Intermediate certificates to the BlackBerry MDS keystore.
How to add a certificate for the web server to the BlackBerry Mobile Data Service or BlackBerry MDS keystore
The cacerts file is a keystore with certificate authority (CA) certificates, and it includes multiple trusted root CA certificates, such as VeriSign®. For the BlackBerry® Mobile Data System (MDS) or BlackBerry MDS Connection Service to trust a web server, the BlackBerry MDS Connection Service must check that the web server certificate with the certificate authority. If the web server certificate is purchased from a trusted certificate authority, the check is successful because the issuer’s root CA certificate is in the cacerts file by default. If a private certificate authority is used to issue the web site certificate, the check fails and access to the website from the BlackBerry smartphone is either denied or a prompt to trust the certificate appears on the BlackBerry smartphone screen. Any of the following can be done in order to change this behaviour and to allow the BlackBerry smartphone to access the website successfully:
- Import the private certificate authority’s root CA certificate and any relevant intermediate certificates into the cacerts file.
- Import the web server certificate into the cacerts file.
Note: The BlackBerry MDS is included with BlackBerry Enterprise Server 3.6 to 4.0. BlackBerry MDS Connection Service is included with BlackBerry Enterprise Server 4.1 to 4.1 SP7.
To import the certificate into the cacerts file, complete the following tasks:
Task 1 – Check which version of JRE is used by the BlackBerry MDS or BlackBerry MDS Connection Service
As multiple versions of the JRE can be installed on a server, it is necessary to check which version is currently in use by the BlackBerry MDS or BlackBerry MDS Connection Service.
Perform the following steps to do so:
- Open the Windows Services® snap-in.
- Open properties of the BlackBerry MDS Connection Service.
- On General tab in Path to executable find the value of jvmpath parameter. It is populated with a path to the JRE in use. See the following example:jvmpath=”C:\Program Files\Java\jre1.6.0_15\bin\client\jvm.dll”
- Write down part of the path which points to the JRE installation directory. See the following example:C:\Program Files\Java\jre1.6.0_15
Task 2 – Add a certificate to the BlackBerry MDS or BlackBerry MDS-CS certificate store
Note: The default keystore password is changeit. The aliasname used in the following commands must be unique.
To add a certificate to the BlackBerry MDS or BlackBerry MDS Connection Service certificate store, complete the following steps:
- Copy the certificatename.cer file to <PATH_FROM_TASK1_STEP4>\lib\security
- Type the following commands in the command prompt:cd <PATH_FROM_TASK1_STEP4>\bin
keytool -import -trustcacerts -alias aliasname -file ..\lib\security\certificateName.cer -keystore ..\lib\security\cacerts
- Check that the cacerts file contains the updated information for the new alias and certificate:
keytool -list -v -keystore ..\lib\security\cacerts
- Restart the BlackBerry MDS or BlackBerry MDS Connection Service for the changes to take effect.
- BlackBerry® Enterprise Server 3.6 to 5.0 SP1
- Java® Runtime Environment (JRE)
If the following error message appears in the BlackBerry MDS or the BlackBerry MDS log file after accessing an HTTPS site from a BlackBerry smartphone, it might be caused by the web server’s certificate not being added to the cacerts file:
BlackBerry Enterprise Server 3.6 to 4.1 SP5
<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://testsite/test.css] SSLException
[sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]>
BlackBerry Enterprise Server 4.1 SP6 to 4.1 SP7
<MDS-CS_SERVERNAME_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, Access Denied: Insecure SSL Request>
*information was provided by blackberry technical solution center.