SSL Certificates, Blackberries, BES, and SilverDust

Introduction

Connection issues can occur between the SilverDust server, the BES, and the SilverDust blackberry client when SSL encryption is used. We recommend that SSL be used in every production SilverDust environment to encrypt SharePoint content between the SD Server and the BES/blackberry.

This post also serves as a general guide for accessing any SSL-enabled website from the blackberry.

The Handshake

There are two ways a blackberry can complete an SSL handshake. The first option, called proxy mode, allows the BES to complete the handshake on the blackberry’s behalf. The second option, called handheld mode, allows the blackberry to complete the handshake directly.

Handheld Mode

To enable handheld mode, change the TLS default setting on the blackberry. On the handheld, navigate to options->security options->advanced security options->TLS Default and switch the setting from proxy to handheld (the default is proxy mode). Alternatively, set an IT policy value on the BES to force handheld mode.

The minor inconvenience with this setting is that the user will be prompted to import the web server certificate onto their device (if it has not already been added). Certificates can be added beforehand through Desktop Manager or published for OTA deployment (e.g. on the company intranet).

There is a slight performance hit because the handheld handles the handshake and the encryption/decryption overhead. Also, realize that you are allowing users to pass their own judgment when deciding whether to access secure or insecure websites.

Proxy Mode

In order for the BES (on a blackberry’s behalf) to complete the SSL handshake with a secure web server, you have to add that web server’s SSL certificate to the Java keystore on the BES. If there are intermediate certificates in the certificate chain, import those certificates into the keystore as well as a precaution.

  1. Save the certificate from the secure web site to a .cer file.
  2. On the computer that hosts the BlackBerry MDS Connection Service, copy the .cer file to <drive>:\Program Files\Java\<JRE_version>\lib\security.
  3. At a command prompt, navigate to <drive>:\Program Files\Java\<JRE_version>\bin.
  4. Type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts. Include the full file path (<drive>:\Program Files\Java\<JRE_version>\lib\security) in both the -file switch and the -keystore switch; otherwise you could be writing to the cacerts keystore of a different JRE/JDK instead of the one MDS-CS uses.
  5. Type the keystore password. The default is changeit.
  6. To add the certificate to the keystore, type Yes at the prompt.
  7. Restart the MDS-CS services.
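The import procedure above, as an added example that is not code from the original post or from RIM/SilverDust: a POSIX shell script that splits a PEM chain file into individual certificates and imports each one with keytool, taking both the keytool binary and the cacerts keystore from the same JRE_HOME so the import cannot land in a different JRE/JDK keystore (the pitfall in step 4). It assumes the chain is a PEM bundle with the leaf first and intermediates after, that JRE_HOME is the JRE MDS-CS runs on, and that setting KEYTOOL_DRY_RUN=1 should only print the commands; the same keytool switches apply verbatim at the Windows command prompt on the BES host.

```shell
#!/bin/sh
# Added example (not from the original post). Import a web server certificate
# chain into the cacerts keystore of the JRE used by MDS-CS. The keytool binary
# and the keystore are both derived from one JRE_HOME, so the import cannot
# silently go to another JDK/JRE's keystore. Assumptions: PEM bundle, leaf
# first; KEYTOOL_DRY_RUN=1 prints instead of running; STOREPASS defaults to
# changeit (the keystore default mentioned in step 5).
set -eu

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... under $2; print the count.
split_pem_bundle() {
  bundle="$1"; outdir="$2"; n=0; inside=0
  mkdir -p "$outdir"
  tr -d '\r' < "$bundle" > "$outdir/bundle.tmp"   # tolerate Windows line endings
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
      n=$((n + 1)); inside=1; : > "$outdir/cert-$n.pem"
    fi
    if [ "$inside" -eq 1 ]; then printf '%s\n' "$line" >> "$outdir/cert-$n.pem"; fi
    if [ "$line" = "-----END CERTIFICATE-----" ]; then inside=0; fi
  done < "$outdir/bundle.tmp"
  rm -f "$outdir/bundle.tmp"
  echo "$n"
}

# Import every certificate of the bundle under alias <prefix>-<n>, last
# (root/intermediate) first, so keytool can chain each one to a trusted issuer.
import_chain() {
  jre_home="$1"; bundle="$2"; prefix="$3"
  keytool="$jre_home/bin/keytool"; keystore="$jre_home/lib/security/cacerts"
  workdir="$(mktemp -d)"
  count="$(split_pem_bundle "$bundle" "$workdir")"
  if [ "$count" -eq 0 ]; then echo "no certificates in $bundle" >&2; return 1; fi
  i=$count
  while [ "$i" -ge 1 ]; do
    if [ "${KEYTOOL_DRY_RUN:-0}" = 1 ]; then
      printf '%s -import -trustcacerts -alias %s -file %s -keystore %s\n' \
        "$keytool" "$prefix-$i" "$workdir/cert-$i.pem" "$keystore"
    else
      "$keytool" -import -trustcacerts -noprompt -alias "$prefix-$i" \
        -file "$workdir/cert-$i.pem" -keystore "$keystore" -storepass "${STOREPASS:-changeit}"
    fi
    i=$((i - 1))
  done
  if [ "${KEYTOOL_DRY_RUN:-0}" != 1 ]; then rm -rf "$workdir"; fi
}
```

Run it as `import_chain "$JRE_HOME" chain.pem silverdust` after the MDS-CS JRE has been identified; restart the MDS-CS services afterwards as in step 7.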

There is another option that allows you to point your BES at an LDAP server that hosts the Certificate Authority for your organization. MDS-CS will then pull the necessary web server certificate down when needed. I haven’t tested this, but I will follow up with an updated blog post when completed.

Proxy Mode Certificate Issues

There are some proxy mode certificate issues I ran into when testing.

The BES 5.0 issues were fixed in SP1 -> MR3 (see the kb).

Certificate Type                                                         | BES 5.0/Express | BES 4.1+ | Notes
Wildcard SSL Certificates                                                |                 |          | Known issue in BES 5.0. There were issues in 4.1.7, which were fixed in MR2 (check the kb link).
SSL Certificates issued from an internal/external CA for a single site   |                 |          |
Self-Signed SSL Certificates                                             |                 |          | Typically used for testing or a small-scale deployment.

BES 4.0/4.1 – Proxy Mode Certificate Issue Workaround(s)

There is an MDS-CS setting (under properties -> HTTPS/TLS) in BES 4.0/4.1 that allows untrusted HTTPS and TLS connections. This setting can be enabled to bypass adding a web server’s certificate to the keystore. However, you are then allowing blackberry clients to potentially access invalid or insecure SSL-enabled sites unless other measures are in place (e.g. a proxy server).

or

Set the TLS default to handheld on the blackberry.

BES 5.0 and up – Proxy Mode Certificate Issue Workaround(s)

Set the TLS default to handheld on the blackberry.

General Troubleshooting

  • If an internal server error 500 is thrown on the handheld, check the MDS-CS logs (MDAT) on the BES for error entries (it could be an MDS-CS issue out of your control).
  • If an insecure SSL message is thrown on the blackberry, add or check the SSL certificate you added to the Java keystore.
  • Check the TLS IT policies set on the BES.
  • Try changing the TLS default to handheld on the blackberry to rule out issues with the site/BES.

Troubleshooting Tools

Wireshark – useful for running a packet capture between the secure web server (i.e. the SilverDust Server) and the BES to look for packet-level errors.
KeyTool IUI – allows you to browse the Java keystore in a GUI instead of scrolling through a query at the command line.
