Tuesday, April 30, 2013

Blackberry Device Service 10 SSL Certificate

After you install your brand new Blackberry 10 server (Blackberry Device Service 10), you might want to replace the default self-signed SSL certificate. I do, because I think this is what caused my Blackberry Management Studio not to talk properly with the BAS 10, e.g. I got a bad_certificate error in the log file.

So, in summary you need to do the following:

  • Backup BAS keystore
  • Delete the default alias from keystore
  • Generate a new key in keystore
  • Generate CSR
  • Submit CSR to your CA
  • Import CA(s)
  • Import public key for your SSL certificate
Now, I am using a Microsoft CA to generate the SSL certificate and my BAS 10 is running on Windows 2008 R2 (x64). All the commands below use keytool.exe, which is located in your Java JRE\bin folder.

You need to either reset your web keystore password or get the current password from the BES10 console: Servers and components - Blackberry Solution Topology - Blackberry Domain - Component View - Blackberry Administration Service. Under Security settings, there is a Default password to encrypt the web.keystore file.

Backup BAS keystore
Just take a copy of the following file:

C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore

Delete the default alias from keystore
This will delete the key pair with the alias httpssl, which is the one used by BAS 10

keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore"

This will ask for the keystore password; enter it

Generate a New Key in Keystore
Replace the -dname with your own values. CN is the FQDN the SSL certificate will be used for

keytool -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -dname "CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU" -keyalg RSA -keysize 2048

Generate CSR
This generates a certreq.csr file, which will be used in the next step

keytool -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\certreq.csr" -keyalg RSA -keysize 2048

Submit CSR to your CA
Navigate to your CA in Internet Explorer: https://caserver.domain.local/certsrv
Navigate to Request a certificate
Navigate to Submit a certificate request by using a base-64-encoded CMC or ...
Paste the content of the CSR file to the Saved Request field
Use the default: Web Server template
Submit
Download the certificate
Download all the root and issuing/intermediate CA certificates as well

Import CA(s)
Import all the CA certificates you have (e.g. root/issuing/intermediate). Make sure you use a unique alias for each CA

keytool -import -alias rootca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\rootca.cer"

keytool -import -alias intermediateca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\issuingca.cer"

Import Public Key for SSL Certificate
This imports the certificate issued by your CA into the keystore

keytool -import -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\public.cer"

Restart the Blackberry Administration Service - Native Code Container
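As an added verification step (example code, not from the original post), this Python script connects to the BAS HTTPS port, validates the presented chain against the CA certificates you imported, and reports whether the certificate is still self-signed, whether its CN matches the server FQDN, and whether it has expired. The host, port and CA bundle path are values you supply; the two sample dicts are constructed, with hypothetical names.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# Hypothetical names; not taken from a real BAS installation.
SELF_SIGNED_SAMPLE = {                      # shape of a default self-signed cert
    "subject": ((("commonName", "bes.domain.local"),),),
    "issuer": ((("commonName", "bes.domain.local"),),),
    "notAfter": "Apr 30 00:00:00 2033 GMT",
}
CA_ISSUED_SAMPLE = {                        # shape of the CA-issued replacement
    "subject": ((("commonName", "bes.domain.local"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notAfter": "Apr 30 00:00:00 2015 GMT",  # a two-year cert issued in 2013
}


def _rdn(name):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def evaluate_cert(cert, expected_fqdn, now=None):
    """Report whether a peer cert is self-signed, named correctly and unexpired."""
    now = now or datetime.now(timezone.utc)
    subject, issuer = _rdn(cert["subject"]), _rdn(cert["issuer"])
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    return {
        "self_signed": subject == issuer,          # true for the BAS default cert
        "cn_matches": subject.get("commonName", "").lower() == expected_fqdn.lower(),
        "expired": not_after <= now,
        "issuer_cn": issuer.get("commonName"),
    }


def check_endpoint(host, port, ca_bundle, timeout=5):
    """Connect to the BAS HTTPS port and validate its chain against ca_bundle (PEM
    file with the root and issuing CA certs). OpenSSL verifies the chain; the CN
    is checked in evaluate_cert because a CN-only cert (no SAN) fails Python's
    built-in hostname matching."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate_cert(tls.getpeercert(), host)
```

If check_endpoint raises ssl.SSLCertVerificationError, the chain does not terminate in the CA bundle you passed, which is the same condition that produced the bad_certificate error in the BAS log.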

You can also do the same for the Blackberry Management Studio (*Fusion) using the same steps above.
The keystore location is:

C:\Program Files (x86)\Research In Motion\BlackBerry Management Studio\BlackBerryMobileFusion.keystore

The key pair alias is: fusionssl


Wednesday, April 17, 2013

Active Directory Domain Controller GPO Reset

I have two Windows 2012 Domain Controllers that inherited policies from old GPOs created back in the Windows 2003 days. I did not realize there were problems until some of the features I wanted to use started acting badly (e.g. access denied, etc).

Obviously the DCs were joined to the domain and put in the "Domain Controllers" OU by default after they were dcpromo-ed, which is how the old GPOs got applied to them.

So to clean up all the registry and file system security configuration that has been applied to the DCs, I need to reset the Default Domain Policy and the Default Domain Controllers Policy. Before I do that, I back them up first, just in case.

To clean up the GPO run the following command:

C:\> DCGPOFIX

Then I need to clean up the actual settings that have been applied to my DCs by running the following command on each DC:

C:\> secedit /configure /cfg C:\windows\inf\defltdc.inf /db defltdc.sdb /overwrite

Reboot the DC

Thursday, April 04, 2013

Citrix StoreFront Authentication Check URL

Use the following URL to check the authentication method being used by a user:

https://storefront.domain.tld/Citrix/Authentication/Integrated/test.aspx