BlackBerry Enterprise Server console error since the Microsoft security updates of May 2015

BlackBerry Server administration console error since the Microsoft security updates of May 2015

 

Problem description

You run a BlackBerry Enterprise Server 5.0 (up to SP4), a BlackBerry Enterprise Server 10 or a BlackBerry Enterprise Server for Office 365 and have installed the Windows security updates from May 2015.

When you try to open the administration console of your BlackBerry Enterprise Server, you observe one of the following:

  • The error log file of your BlackBerry Administration Service (BAS) contains the line ‘0 [main] INFO com.rim.beip.Beip – BEIP Disabled: init’
  • Internet Explorer or Firefox shows the message ‘This page cannot be displayed’
  • Google Chrome shows the extended error description ‘ERR_SSL_VERSION_OR_CIPHER_MISMATCH’

 

Cause

The Windows security update KB3061518 is installed on the system from which you are trying to access the administration console of the BlackBerry Enterprise Server.

Security update KB3061518 raises the minimum permitted DHE (Diffie-Hellman ephemeral) key length from 512 to 1024 bits.

 

Solution according to BlackBerry KB article #37047, as of 10.07.2015

Regenerate the web.keystore as per KB36882

Note: The SSL password is required. If the password is unknown, refer to the steps in Task 2; to generate a web.keystore, refer to KB27980.

Note: If the SSL password is known and you want to replace a self-signed SSL certificate with a custom certificate for BlackBerry Device Service 6.2, follow KB32802.

Task 1: Back up the web.keystore file

Note: Do not remove or rename the existing web.keystore file.

  1. Browse to the appropriate path:
    • For 32-bit operating systems: C:\Program Files\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore
    • For 64-bit operating systems: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore
  2. Right-click on web.keystore and select Copy.
  3. Right-click on a blank space in this folder and select Paste.
  4. Rename the copy of web.keystore to web.keystore.OLD.

Task 2: How to reset the web.keystore SSL password (For BES 5.0.x)

Note: If password is known skip to Task 3.

Note: If the original BlackBerry Administration Service SSL Password is unknown, or if the web.keystore file was deleted or modified, a new one will need to be generated.

Note: If the password is encrypted, additional steps from KB27980 will be required.

  1. Log on to the server on which the BlackBerry Administration Service is installed, using the correct BlackBerry service account.
  2. Stop the following BlackBerry Administration Service services:
    • BlackBerry Administration Service – Application Server
    • BlackBerry Administration Service – Native Code Container
  3. Back up the existing web.keystore file (should already have been done from Task 1)
  4. Open a command prompt (Run as Administrator)
  5. Change the directory to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin
    1. The following commands can be used to recreate the web.keystore file:
      • For a 32-bit Windows operating system:
        webGenKey.bat "JavaPath" "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" NewKeyStorePassword FQDN_of_BAS_or_BAS_Pool_Name
      • For a 64-bit Windows operating system:
        webGenKey.bat "JavaPath" "<drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS" NewKeyStorePassword FQDN_of_BAS_or_BAS_Pool_Name

        Note:
        Replace JavaPath with the installation location of Java.
        Replace NewKeyStorePassword with the password from step 1 or 2.
        Replace FQDN_of_BAS_or_BAS_Pool_Name with the fully qualified domain name of either the server on which the BlackBerry Administration Service is installed, or the BlackBerry Administration Service pool name used in the environment.

        Example:
        webGenKey.bat "C:\Program Files\Java\jre1.6.0_18\" "C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" keystorepass fqdn.of.bas.or.bas.pool.name.com

  6. Once the command has been executed, verify that a new or updated web.keystore file now exists in the following folder:
    • 32-bit Windows operating system:
      <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin
    • 64-bit Windows operating system:
      <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin
  7. Start the following BlackBerry Administration Service services:
    • BlackBerry Administration Service – Application Server
    • BlackBerry Administration Service – Native Code Container
  8. Open the BlackBerry Administration Service web console and confirm it is accessible.

Task 3: Delete the self-signed SSL certificate

  1. On the task bar, click Start > All Programs > Accessories > Command Prompt.
  2. Change the directory to the bin folder for the appropriate version of the Java Runtime Environment (JRE). For example:
    • For 32-bit operating systems:
      C:\Program Files\Java\jrex.x.x_xx\bin
    • For 64-bit operating systems:
      C:\Program Files (x86)\Java\jrex.x.x_xx\bin
  3. Type the appropriate command line:
    • For 32-bit operating systems:
      keytool -delete -alias httpssl -keystore "C:\Program Files\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore"
    • For 64-bit operating systems:
      keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore"
  4. Enter the SSL password.

Task 4: Generate the BlackBerry Administration Service certificate

  1. Open a command window (with admin privilege).
  2. Apply this command line to the keystore:
    keytool -genkey -dname "CN=<FQDN>,OU=BES,O=RIM,C=CA" -alias httpssl -keypass <keystore password> -keystore <path>\web.keystore -storepass <keystore password> -validity 99999 -keyalg RSA -sigalg SHA256withRSA -keysize 2048

    Example:
    "C:\Program Files (x86)\Java\jre1.7.0_65\bin\keytool" -genkey -dname "CN=<FQDN>,OU=BES,O=RIM,C=CA" -alias httpssl -keypass blackberry -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -storepass blackberry -validity 99999 -keyalg RSA -sigalg SHA256withRSA -keysize 2048

    Note: The following command can be used to verify that the httpssl certificate was generated in the web.keystore file:
    keytool -list -v -keystore "<drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
  3. Restart BAS AS/NCC services.
  4. Log in to BAS with Google Chrome, Mozilla Firefox, or Internet Explorer.

In addition to the Primary, if there is a Standby server (HA configuration):

To repeat this process on another BlackBerry Administration Service, perform the following steps:

  1. Stop the BlackBerry Administration Service Native Code Container service. This will also stop the BlackBerry Administration Service Application Server service.
  2. Navigate to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin from a machine that already has the certificates properly loaded into the web.keystore file.
  3. Copy the web.keystore file and paste this file in the same path on the target machine of the new BlackBerry Administration Service.
  4. If the keystore password was changed per the Additional Information section on the first BlackBerry Administration Server (per KB18260), then it will be necessary to update the Registry on the additional server with the same encoded password.
  5. Start the BlackBerry Administration Service Application Server service. This will automatically start the BlackBerry Administration Service Native Code Container service.

 

Workarounds

  1. HTTP access to the administration console of the BlackBerry Enterprise Server may still be available. It is usually reachable at http://FQDN:18180/webconsole/login, where FQDN must be replaced with the fully qualified domain name of the server on which the BlackBerry Enterprise Server is installed.
  2. Uninstall the Microsoft security update KB3061518 and restart the affected machine.
  3. Reset the minimum permitted DHE (Diffie-Hellman ephemeral) key length to 512 bits via the DWORD ClientMinKeyBitLength with the value 00000200 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
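
As an added example (not part of the original article and not BlackBerry or Microsoft tooling), the following PowerShell function reports, for the machine used to open the BAS console, whether KB3061518 is listed and which ClientMinKeyBitLength is in effect, and flags machines where workaround 3 has lowered the minimum below 1024 bits. The function name Get-DheClientMinimum and the output property names are assumptions made for this example.

```powershell
# Added example: audit the Schannel client-side DHE minimum on this machine.
$KbId    = 'KB3061518'    # update named in the article
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$Value   = 'ClientMinKeyBitLength'
$Floor   = 1024           # minimum the update enforces, per the article

function Get-DheClientMinimum {
    # Get-HotFix only lists individually installed updates; a later rollup can
    # carry the same change, so "not listed" means unknown rather than unpatched.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # The value is absent unless someone created it (workaround 3 in the article).
    $override = $null
    $prop = Get-ItemProperty -Path $KeyPath -Name $Value -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $override = [int]$prop.$Value }

    # An explicit registry value wins; otherwise the update's default applies.
    if ($null -ne $override)   { $effective = $override }
    elseif ($null -ne $hotfix) { $effective = $Floor }
    else                       { $effective = $null }   # cannot be determined here

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        UpdateListed  = ($null -ne $hotfix)
        RegistryValue = $override
        EffectiveBits = $effective
        BelowFloor    = ($null -ne $effective -and $effective -lt $Floor)
    }
}

$result = Get-DheClientMinimum
$result | Format-List
if ($result.BelowFloor) {
    Write-Warning "$Value is set to $($result.RegistryValue) bits on $($result.Computer); remove the override once web.keystore has been regenerated."
}
```

A RegistryValue of 512 corresponds to the DWORD 00000200 from workaround 3; an empty RegistryValue with UpdateListed set to True means the 1024-bit minimum from the update is in effect.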

 
