Showing posts with label bes. Show all posts

Tuesday, April 30, 2013

Blackberry Device Service 10 SSL Certificate

After you install your brand new Blackberry 10 server (Blackberry Device Service 10), you might want to replace the default self-signed SSL certificate. I do, because I think this is what caused my Blackberry Management Studio to not talk properly with the BAS 10, e.g. I got a bad_certificate error in the log file.

So, in summary, you need to do the following:

  • Backup BAS keystore
  • Delete the default alias from keystore
  • Generate a new key in keystore
  • Generate CSR
  • Submit CSR to your CA
  • Import CA(s)
  • Import public key for your SSL certificate

Now, I am using Microsoft CA to generate the SSL certificate and my BAS 10 is running on Windows 2008 R2 (x64). All the commands below use keytool.exe, which is located in your Java JRE\bin folder.

You need to either reset your web keystore password or get the current password from the BES10 console: Servers and components - Blackberry Solution Topology - Blackberry Domain - Component View - Blackberry Administration Service. Under Security settings, there is a Default password to encrypt the web.keystore file.

Backup BAS keystore
Just take a copy of the following file:

C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore

Delete the default alias from keystore
This will delete the key pair with an alias of httpssl - which is being used by BAS 10

keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore"

This will ask for the keystore password - enter it

Generate a New Key in Keystore
Replace the -dname value with your own. CN is the FQDN that the SSL certificate will be used for.

keytool -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -dname "CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU" -keyalg RSA -keysize 2048

Generate CSR
This generates a certreq.csr file which will be used for the next step

keytool -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\certreq.csr" -keyalg RSA -keysize 2048

Submit CSR to your CA
Navigate to your CA using IE browser: https://caserver.domain.local/certsrv
Navigate to Request a certificate
Navigate to Submit a certificate request by using a base-64-encoded CMC or ...
Paste the content of the CSR file to the Saved Request field
Use the default: Web Server template
Submit
Download the certificate
Download all the Root and issuing/intermediate CA as well

Import CA(s)
Import all the CA certificates you have (e.g. root/issuing/intermediate). Make sure you use a unique alias name for each CA.

keytool -import -alias rootca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\rootca.cer"

keytool -import -alias intermediateca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\issuingca.cer"

Import Public Key for SSL Certificate
This imports the certificate from your CA to the keystore

keytool -import -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\public.cer"

Restart the Blackberry Administration Service - Native Code Container

You can also do the same thing for the Blackberry Management Studio (*Fusion) using the same steps above
The keystore location is:

C:\Program Files (x86)\Research In Motion\BlackBerry Management Studio\BlackBerryMobileFusion.keystore

The keypair name is: fusionssl
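
Before restarting the service, it is worth confirming that the signed certificate was attached to the existing key pair rather than stored as a separate trusted certificate. The following check is an added example, not part of the original post: the function name Test-KeystoreEntry, the CA names and the sample output are constructed for illustration, and it assumes English-locale `keytool -list -v` output. Pass `fusionssl` as the alias to keytool for the Management Studio keystore.

```powershell
# Added example (not from the original post): inspect `keytool -list -v` output for one alias.
# Assumes English-locale keytool output; sample data below is constructed.
function Test-KeystoreEntry {
    param([string[]]$Lines, [string]$ExpectedCN)
    $problems = @()
    $text = $Lines -join "`n"

    # The key pair must still be there. A trustedCertEntry means the CA reply was
    # imported without a private key behind it (e.g. under a different alias).
    if ($text -notmatch '(?m)^Entry type:\s*PrivateKeyEntry') {
        $problems += 'entry is not a PrivateKeyEntry (no private key behind the certificate)'
    }

    # The self-signed key from -genkey has chain length 1; a CA reply makes it longer.
    $chain = 0
    if ($text -match '(?m)^Certificate chain length:\s*(\d+)') { $chain = [int]$Matches[1] }
    if ($chain -lt 2) { $problems += "chain length is $chain (still self-signed, or CA certs missing)" }

    # The first Owner/Issuer pair belongs to Certificate[1], the server certificate.
    $owner  = if ($text -match '(?m)^Owner:\s*(.+)$')  { $Matches[1].Trim() } else { '' }
    $issuer = if ($text -match '(?m)^Issuer:\s*(.+)$') { $Matches[1].Trim() } else { '' }
    if ($owner -eq $issuer) { $problems += 'Owner equals Issuer (self-signed certificate)' }
    if ($owner -notmatch ('(^|,\s*)CN=' + [regex]::Escape($ExpectedCN) + '(,|$)')) {
        $problems += "Owner CN is not $ExpectedCN"
    }
    return ,$problems
}

# Constructed sample output for a correctly installed entry (not real data).
$sample = @(
    'Alias name: httpssl',
    'Entry type: PrivateKeyEntry',
    'Certificate chain length: 3',
    'Certificate[1]:',
    'Owner: CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU',
    'Issuer: CN=Example Issuing CA, DC=domain, DC=local',
    'Certificate[2]:',
    'Owner: CN=Example Issuing CA, DC=domain, DC=local',
    'Issuer: CN=Example Root CA, DC=domain, DC=local'
)
$result = Test-KeystoreEntry -Lines $sample -ExpectedCN 'bes.domain.local'
if ($result.Count -eq 0) { 'OK: CA-signed key entry' } else { $result }

# Live use ($ks = path to web.keystore; keytool prompts for the keystore password):
# Test-KeystoreEntry -Lines (& keytool -list -v -alias httpssl -keystore $ks) -ExpectedCN 'bes.domain.local'
```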


Thursday, March 04, 2010

BES Upgrade 4.1.7 to 5.0.1

Recently we had to upgrade BES 4.1.7 to BES 5.0.1.
We used the following method and the upgrade was a success:

- Prepare the new server (e.g. set local permission for BESadmin, install MAPI Client and CDO, etc)

- Stop and disable all the BES Services on the old BES

- (optional) Take a backup of the BESMgmt database from the old SQL server

- From the new BES Server, run the Tools\BB50preptool.exe, specify the old SQL server and the BESMgmt database. This will prepare the database to be upgradable to ver 5.x

- Take another backup of the BESMgmt database

- Restore the database to the new SQL server

- Edit the database

In SQL Manager, expand the BESMgmt database and select Tables. In the centre window, right-click ServerConfig and select Open Table. Now edit the columns below and update them to display the new server name:

-ServiceName
-MachineName
-RPCEndPoint (only edit the name after “\pipe\BESMonitor” )

Still within the ServerConfig table, scroll to the MDSAGConfigId column and ensure it is set to NULL. Now close the ServerConfig table, reselect the Tables folder in the left column and locate the MDSAGConfig table in the centre section. Once again, right-click it, select Open Table and ensure you can only see one row containing all NULL values. If a row containing server settings appears, select that entire row and delete it.

You can now close the MDSAGConfig table. We can now be assured that no old MDS Service settings are migrated and that they can be installed fresh on this new server.

Now select the Tables folder in the left column again. In the centre window, right-click MDSConfig and select Open Table. Now edit the columns below and update them to display the new server name:
-MDSHost
-MachineName
-ServerName (only edit the name before “_MDS-CS_X”)

- From the new BES Server, run the setup.exe. Select use existing database and point it to the new SQL server

After the installation has finished, reboot the BES Server.

You may get the following error in the System Event Log:

Application popup: BBConvert.exe - System Error : The program can't start because WMVCore.DLL is missing from your computer. Try reinstalling the program to fix this problem.

If so, run the following command: (for Windows 2008 R2)

Pkgmgr.exe /ip /m:"%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum"

Monday, December 24, 2007

BlackBerry Enterprise Server Upgrade

If you have a plan to upgrade your BES from version 4.0 to version 4.1, read on...

There are 3 upgrade methods: in-place, cutover and phased. I am going to show you the cutover method, which installs the new BES on a new computer and migrates the database from the old BES to the new one.

Let's assume your existing server name is oldbes, the new server name is newbes. You have an AD service account called: besadmin and your MSDE configuration database is stored in BESMgmt

Step-by-step

  • Install Windows 2003 + SP2 on the new server and name it newbes. Join it to the domain where the oldbes server is located. Give it a temporary static IP address
  • Add besadmin as a local administrator and grant it the 'Log on as a service' right in the local security settings of the newbes computer
  • Log in to the oldbes computer as besadmin; we are going to back up the database (MSDE). Open the cmd prompt and run:

osql -E
1> backup database BESMgmt to disk="C:\BESMgmt.bak"
2> go
3> quit

  • Log in to the newbes computer as besadmin; install the MSDEA from Microsoft with the following command, then start the MSSQLSERVER service and change its startup type to automatic:

setup.exe SAPWD="yoursapassword"

  • Download the MAPI client and CDO from Microsoft, and install them on the newbes computer
  • Restore the database to the newbes computer (logged in as besadmin); copy the BESMgmt.bak file from the oldbes computer to the C:\ drive of the newbes computer. Open the command prompt:

osql -E
1> restore database BESMgmt from disk = "C:\BESMgmt.bak" with recovery, replace
2> go
3> quit

  • Log in to the oldbes computer as besadmin, stop all BES services and change the startup type of all the services to disabled. Change the IP address of oldbes to a different IP address, then change the IP address of newbes to oldbes's old IP address. This is to make sure the firewall still allows port 3101 outbound to RIM from the newbes computer
  • Now, depending on the service pack level of the BES installed on the oldbes computer, you need to install exactly the same service pack level on the newbes computer. For example: if your oldbes is version 4.0.6, then you need to install the same version of BES on the newbes computer
  • During the installation on newbes, it will ask you for the "BlackBerry Server Name:". You need to give the oldbes computer name, NOT the newbes!
  • Once you have the same service pack level installed on the newbes computer, start installing the 4.1 version of BES. It will ask you to upgrade the database; click Yes to upgrade it
  • Follow the rest of the installation and you are done!