How to replace the self-signed certificate for Universal Device Service console

Article ID: KB31084

Type: Support Content

Last Modified: 01-29-2014

 

Product(s) Affected:

  • Universal Device Service

Environment

  • Universal Device Service 6.0 to 6.2
  • BlackBerry Enterprise Service 10 version 10.1 to 10.2

Overview

During the installation of the Universal Device Service, the installation process creates a self-signed certificate to support SSL communications with a web browser and the administrative console. This certificate is created following the SHA-2 security standards using Java 7. This certificate is not the same as the certificates used for the Communication or Core modules, and is also not the same as the Apple Push Notification Service certificate. This SSL certificate is stored in the Java keystore similar to other BlackBerry Administration Service console products. Administrators accessing the Universal Device Service administrative console can either import the self-signed certificate into their workstations via the browser, or administrators can choose to replace the self-signed certificate with one issued by a trusted Certificate Authority.

Some key factors to know ahead of time:

For Universal Device Service 6.0 to 6.2:

  • The Java Keytool installed with Universal Device Service 6.0 to 6.2 is located at C:\Program Files (x86)\Research In Motion\Universal Device Service\RIM.BUDS.Gui\jre\bin
  • The certificate keystore is located at C:\Program Files (x86)\Research In Motion\Universal Device Service\RIM.BUDS.Gui\ssl
  • The keystore used to store the certificate is keystore with no extension.

For BlackBerry Enterprise Service 10 version 10.1:

  • The Java Keytool for BES10 version 10.1 is located at C:\Program Files (x86)\Java\jre1.7.0_05\bin
  • The certificate keystore for BES10 version 10.1 is located (by default) at: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\ssl
  • The keystore used to store the certificate is keystore with no extension.

Additional information required:

  • These steps assume that the keystore password is password, and that the new keypair password will be password.
    • In Universal Device Service 6.0 to 6.2, the keystore password was entered during the installation of the product.
    • In BlackBerry Enterprise Service 10 version 10.1 environment, the keystore password is the same as the keystore password used for the BlackBerry Administration Service for the BlackBerry Device Service.
      To verify the current password for the web.keystore file:
      1. Log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role
      2. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
      3. Click BlackBerry Administration Service
      4. Check the Security settings section.
  • The Trusted Certificate Authority's requirements for a web server SSL certificate are needed (see Task 2), such as Private Key Size, Key Algorithm (RSA), and Distinguished Name.


Task 1 - Delete the existing Self-Signed Certificate from the keystore

  1. Open a Command Window as Administrator.
  2. Navigate to the folder where the certificate keystore is located.
    • For Universal Device Service 6.0 to 6.2:
      cd "C:\Program Files (x86)\Research In Motion\Universal Device Service\RIM.BUDS.Gui\ssl"
    • For BlackBerry Enterprise Service 10 version 10.1:
      cd "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\ssl"
  3. Back up the keystore file.
  4. List the contents of the keystore file:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -list -keystore keystore -v -storepass password
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore keystore -v -storepass password
  5. An example output is displayed here (obtained without the -v switch):

    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    buds.gui.sslcert, Aug 11, 2012, trustedCertEntry,
    Certificate fingerprint (SHA1): 7B:45:8F:2C:F2:FF:AF:3A:8F:8B:1E:D0:2C:12:83:3F:1D:F3:77:E0
    buds.gui.ks.tomcat, Aug 11, 2012, PrivateKeyEntry,
    Certificate fingerprint (SHA1): F4:24:8E:B7:3C:91:18:87:53:5A:8F:05:ED:F0:47:28:98:BB:BB:51

  6. Delete the self-signed certificate with the alias of buds.gui.ks.tomcat:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -delete -alias buds.gui.ks.tomcat -keystore keystore -storepass password -v
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -delete -alias buds.gui.ks.tomcat -keystore keystore -storepass password -v
  7. List the keystore file to ensure it has only one entry (for buds.gui.sslcert):
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -list -keystore keystore -v -storepass password
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore keystore -v -storepass password


Task 2 - Generate a new certificate with a private key

  1. Reference the Trusted Certificate Authority for settings to use here.
  2. While still in the same command window as in Task 1:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -genkeypair -alias buds.gui.ks.tomcat -dname "cn=fqdn_of_server.example.com, ou=OU_Info, o=UDS, l=City, s=State, c=US" -keyalg RSA -keysize 2048 -keystore keystore -storepass password -validity 180
      Enter key password for buds.gui.ks.tomcat
      (Return if same as keystore password):
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -genkeypair -alias buds.gui.ks.tomcat -dname "cn=fqdn_of_server.example.com, ou=OU_Info, o=UDS, l=City, s=State, c=US" -keyalg RSA -keysize 2048 -keystore keystore -storepass password -validity 180
      Enter key password for buds.gui.ks.tomcat
      (Return if same as keystore password):
  3. This command will prompt to enter a password for this specific key. By pressing Enter or Return, the command will use the same password for this entry as the keystore password.


Task 3 - Generate a certificate request to be submitted to the Trusted Certificate Authority

  1. Create a folder to store the certificate request and subsequent certificates for easy access (These steps assume C:\Downloads\ ).
  2. Reference the Certificate Authority for settings to use here.
  3. Create the certificate request:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -certreq -alias buds.gui.ks.tomcat -keystore keystore -storepass password -keyalg RSA -keysize 2048 -file "c:\Downloads\UDSGUICert.req"
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -certreq -alias buds.gui.ks.tomcat -keystore keystore -storepass password -keyalg RSA -keysize 2048 -file "c:\Downloads\UDSGUICert.req"


Task 4 - Submit the request to the Trusted Certificate Authority.

This process will assume an internal Microsoft Certificate Authority is being used.

  1. Connect to the certificate authority web service via a supported web browser.
    http://domaincontroller.example.com/certsrv
  2. Click on Request a certificate
  3. Click on Advanced certificate request
  4. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  5. Open the certificate file generated from Task 3 with Notepad.
  6. Copy the entire contents of the file except the last carriage return. Select the -- Begin -- to the -- End -- segments.
  7. Paste the contents into the available box in the browser.
  8. Select a Web Server Template from the template drop-down list.
  9. In the Additional Attributes section, add any valid Subject Alternative Names in this format (the list should include the name used in the CN= section of Task 2):
    dns=udsserver.example.com&dns=fqdn_of_uds_server.example.com
    This is useful if the primary URL for the BlackBerry Mobile Fusion Studio is a DNS alias for a physical server name. It is best practice to make the first Subject Alternative Name the same name as the primary URL, and then add any physical server names as Fully Qualified Domain Names. Do not prefix with http.
  10. Click Submit.
  11. Save the certificate.
    1. Select DER encoded.
    2. Click Download certificate.
    3. Save the certificate as udsguicert.cer, and save to a folder easily accessible by the command window session.
  12. Save any root and intermediate certificate authority certificates.
    1. Click Home
    2. Click on Download a CA certificate, certificate chain, or CRL
    3. Click on Download a CA certificate
    4. Save the certificate as udsguirootcacert.cer


Task 5 - Import the certificates into the keystore

  1. Locate the certificates downloaded in Task 4 and place them in a folder that is easy to reach from the command line. These steps assume that the folder is C:\Downloads\
  2. Import the Root Certificate Authority certificate into the keystore:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -import -alias cacert -keystore keystore -storepass password -file "c:\Downloads\udsguirootcacert.cer"
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -import -alias cacert -keystore keystore -storepass password -file "c:\Downloads\udsguirootcacert.cer"
  3. When prompted to Trust this certificate, enter Yes.
  4. The response will be Certificate has been added to keystore
  5. Import any Intermediate Certificate Authority certificates into the keystore with the same command as in step 1. However, use a different alias. Sample commands would look like these:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -import -alias cacert2 -keystore keystore -storepass password -file "C:\Downloads\rootcacert2.cer"
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -import -alias cacert2 -keystore keystore -storepass password -file "C:\Downloads\rootcacert2.cer"
  6. Import the signed certificate response to match the certificate request generated in Task 3:
    • For Universal Device Service 6.0 to 6.2:
      ..\jre\bin\keytool.exe -import -alias buds.gui.ks.tomcat -keystore keystore -storepass password -file "C:\Downloads\udsguicert.cer"
    • For BlackBerry Enterprise Service 10 version 10.1:
      "c:\Program Files (x86)\Java\jre1.7.0_05\bin\keytool.exe" -import -alias buds.gui.ks.tomcat -keystore keystore -storepass password -file "C:\Downloads\udsguicert.cer"
  7. The response will be Certificate Reply was installed in keystore.
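
A check for the keystore state expected after Task 1 step 7 and after Task 5, written as an added example that is not part of the original article or of any BlackBerry tooling. The function names are hypothetical, the script assumes PowerShell 3.0 or later and keytool output produced without the -v switch, and the second listing and its fingerprints are constructed.

```powershell
# Added example, not vendor code. Parses non-verbose `keytool -list` output.
function ConvertFrom-KeytoolList {
    param([string[]]$Lines)
    # Entry lines look like: "buds.gui.ks.tomcat, Aug 11, 2012, PrivateKeyEntry,"
    $entryRx = '^\s*(?<alias>[^,]+),.*,\s*(?<type>PrivateKeyEntry|trustedCertEntry),?\s*$'
    $fpRx    = 'Certificate fingerprint \([^)]+\):\s*(?<fp>[0-9A-Fa-f:]+)'
    $entries = @()
    foreach ($line in $Lines) {
        if ($line -match $entryRx) {
            $entries += [pscustomobject]@{
                Alias = $Matches['alias'].Trim(); Type = $Matches['type']; Fingerprint = $null }
        } elseif ($entries.Count -gt 0 -and $line -match $fpRx) {
            $entries[-1].Fingerprint = $Matches['fp'].ToUpper()   # belongs to the entry above
        }
    }
    return $entries
}

function Test-UdsKeystore {
    param([object[]]$Entries, [ValidateSet('AfterTask1','AfterTask5')][string]$Stage,
          [string]$OldFingerprint)
    if ($Stage -eq 'AfterTask1') {
        # Task 1 step 7: only buds.gui.sslcert may remain.
        return ($Entries.Count -eq 1 -and $Entries[0].Alias -eq 'buds.gui.sslcert')
    }
    # Task 5: private key present, certificate differs from the old self-signed one, CA trusted.
    $tomcat = @($Entries | Where-Object { $_.Alias -eq 'buds.gui.ks.tomcat' })
    $ca     = @($Entries | Where-Object { $_.Alias -eq 'cacert' -and $_.Type -eq 'trustedCertEntry' })
    return ($tomcat.Count -eq 1 -and $tomcat[0].Type -eq 'PrivateKeyEntry' -and
            $tomcat[0].Fingerprint -ne $OldFingerprint -and $ca.Count -eq 1)
}

# Constructed input: the listing from Task 1 step 5, then an invented post-Task 5 listing.
$before = @'
buds.gui.sslcert, Aug 11, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 7B:45:8F:2C:F2:FF:AF:3A:8F:8B:1E:D0:2C:12:83:3F:1D:F3:77:E0
buds.gui.ks.tomcat, Aug 11, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): F4:24:8E:B7:3C:91:18:87:53:5A:8F:05:ED:F0:47:28:98:BB:BB:51
'@ -split "`r?`n"
$after = @'
buds.gui.sslcert, Aug 11, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 7B:45:8F:2C:F2:FF:AF:3A:8F:8B:1E:D0:2C:12:83:3F:1D:F3:77:E0
cacert, Jan 29, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
buds.gui.ks.tomcat, Jan 29, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
'@ -split "`r?`n"
$old = (ConvertFrom-KeytoolList $before | Where-Object { $_.Alias -eq 'buds.gui.ks.tomcat' }).Fingerprint
Test-UdsKeystore -Entries (ConvertFrom-KeytoolList $after) -Stage AfterTask5 -OldFingerprint $old
```

To run it against the real keystore, replace the sample listings with the captured output of the -list command from Task 1, run without -v, before Task 1 step 6 and again after Task 5.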


Task 6 - Restart the BlackBerry services

For Universal Device Service 6.0 to 6.2:
  1. Open the Services applet.
  2. Locate the service BlackBerry Administration Console.
  3. Right-click on BlackBerry Administration Console service and select Stop.
  4. Right-click on BlackBerry Scheduler service and select Stop.
  5. Right-click on BlackBerry Web Services service and select Stop.
  6. Start these same services in order.
For BlackBerry Enterprise Service 10 version 10.1:
  1. Open the Services applet.
  2. Locate the service BES10 - Administration Console.
  3. Right-click on BES10 - Administration Console service and select Stop.
  4. Right-click on BES10 - Scheduler service and select Stop.
  5. Right-click on BES10 - BlackBerry Web Services service and select Stop.
  6. Right-click on BES10 - BlackBerry Secure Connect Service service and select Stop.
  7. Right-click on BES10 - BlackBerry Work Connect Notification Service service and select Stop.
  8. Start these same services in order.
