The connection to the License Infrastructure fails in BlackBerry Enterprise Service 10

Article ID: KB34316

Type: Support Content

Last Modified: 07-10-2014

 

Product(s) Affected:

  • BlackBerry Enterprise Service 10
CollapseEnvironment
  • BlackBerry Enterprise Service 10 version 10.1 to 10.2
CollapseOverview

In BlackBerry Management Studio, the License tab shows a red warning indicator. When clicking on the License tab, the connection to the License Infrastructure is red and is unable to connect. Polling the License Infrastructure fails.

Note: A telnet to license.blackberry.com:443 may still be successful.

The following log lines may be seen in the EMWS Logs if an issue exists when attempting to enroll a BlackBerry 10 smartphone:

[ERROR] (07/17 09:45:50:901):{http-38444-exec-4} BESLEClientImpl:{BlackBerry/10.1.0.1720 EMA/10.1.0.1720 IMEI/xxxxxxxxxxxxxxx PIN/12G34H56.User Name (EXT).154}:Failed canAcquire license at https://10.219.240.43/weblicensing/restws/licensing/acquirelicense/individualLiable/1 with exception:

com.certicom.net.ssl.a: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
Description: TLSState: Key Exchange Alert.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.R.a(Unknown Source)

CollapseCause

Cause 1

The website for licensing, https://license.blackberry.com:443 uses a third party certificate signed by Thawte Certificate Authority. The BlackBerry Enterprise Service 10 License Service will fail to connect if the server hosting the service does not have the Thawte Root Certificate installed on the local computer account.

Cause 2

The BlackBerry Administration Service contains a custom SSL certificate and one of the certificates in the chain contains an invalid URI for the field CRL Distribution Points.  The format of the invalid URI is URL=file://\\\\DC\\CRL\\entrust_ca_crlfile.crl. 

CollapseResolution

Cause 1

The website for licensing, https://license.blackberry.com:443 uses a third party certificate signed by Thawte Certificate Authority. The BlackBerry Enterprise Service 10 License Service will fail to connect if the server hosting the service does not have the Thawte Root Certificate installed on the local computer account.

Resolution 1

Install the thawte Primary Root CA certificate on the server that hosts the BlackBerry Enterprise Service 10 License Service.

Follow these steps:

  1. Obtain the Thawte Root Certificate pack located at Thawte's website here: https://www.verisign.com/support/thawte-roots.zip
  2. Extract the zip file to the server that hosts the BlackBerry Enterprise Service 10 License Service.
  3. Go to Start > Run and type mmc to bring up the Microsoft Management Console.
  4. Go to File > Add/Remove Snap-in
  5. In the left hand pane, select the Certificates snap-in and click the Add button.
  6. In the pop-up window select the Computer Account and hit Next.
  7. Select the Local Computer: (the computer this console is running on) and select Finish.
  8. Click OK.
  9. Expand Certificates in the left-hand pane.
  10. Highlight the folder Trusted Root Certificate Authorities.
  11. Right-click on the right-hand pane and select All Tasks > Import.
  12. Click Next on the pop-up window.
  13. Select Browse and navigate the location of the extracted Thawte Root Certificates zip file.
  14. Find the folder in the zip file called thawte Primary Root CA - G1 (EV) and double-click it.
  15. Select the file thawte_Primary_Root_CA.cer and select Open.
  16. Click Next
  17. Click Next again and then Finish.

The BlackBerry Enterprise Service 10 License Service may need to be restarted.

Cause 2

The BlackBerry Administration Service contains a custom SSL certificate and one of the certificates in the chain contains an invalid URI for the field CRL Distribution Points.  The format of the invalid URI is URL=file://\\\\DC\\CRL\\entrust_ca_crlfile.crl.  As a result a java exception is encountered.

Resolution 2

Remove the the invalid URL or reference the following java bug report for guidance on how to correct the invalid URI.

http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6931888

CollapseAdditional Information

Be sure to load the certificate on all BlackBerry Enterprise Service 10 nodes and also restart the Enterprise Management Web Service on the nodes.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.