This SnTT (Show 'n Tell Thursdays) explains how to set up the BAS (or BlackBerry Web Desktop Manager) when you run a BES 5.0.x with Lotus Domino.

 


 

Requirements:

- Windows 2003 SP2 - 32 bit (English OS in this example; if you use a 64-bit OS, some folder names must be changed)

- BlackBerry Enterprise Server 5.0.1 (or above)

- Lotus Domino 8.5 (or above)

- a browser (for example Internet Explorer)

- Java VM 6 or above (installed on the BlackBerry server)

 


 

1.) enable DIIOP

Normally when you install BES 5.0 you already have DIIOP enabled. With DIIOP you can allow your Lotus Notes users to use their Internet password in the Web Desktop Manager. Because RIM/BlackBerry limited the Domino server running on the BES (for example, you can't start the Domino HTTP server), the best way is to choose another server for DIIOP. In theory it should be possible to change the config of the Domino server on your BES, but this isn't part of this HowTo.

To enable DIIOP on a Domino server (I normally enable DIIOP on a Sametime server), open the Server document and go to Ports -> Internet Ports -> DIIOP. For security reasons I strongly recommend changing the Anonymous settings (points 4+5) to No and changing the port status to Enabled (point 6). After that, edit the notes.ini on the server where you wish to enable DIIOP and add DIIOP to the SERVERTASKS line. Here is an example from my test Sametime server: "SERVERTASKS=Update,AMgr,AdminP,HTTP,STAddin,Router,DIIOP" [Note: If you are familiar with the console you can also use the set config command to change this]. The DIIOP server task will now start every time you reboot this server.

After that, open the console of the server where you have enabled DIIOP and load the DIIOP task via "lo diiop". You should now see the following on the console:

2009-10-07 11:05:40   DIIOP Server: Starting...
2009-10-07 11:05:41   DIIOP Server: Started

Note: It is also a good idea to restrict the firewall so that only the BlackBerry server is granted access to the default DIIOP port 63148.

 


 

2.) add a signed SSL certificate to BAS

This step is optional.

If you install BES 5.0.x for the first time, it will create a self-signed SSL certificate for you. Self-signed certificates often produce issues because they aren't trusted by the browser on the user's PC, and in the end your helpdesk is dealing with a wide range of issues caused by such a certificate. So it is a good idea to install a signed certificate (from Verisign, Comodo, Thawte, ... or your own CA). This section will help you to create such a certificate.

 

2a.)

First we rename the existing keystore so that we have a backup of the original one if needed.

Go to c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\ and rename web.keystore to web.keystore.old

 

2b.)

You now need to set the new keystore password. Open the BlackBerry Server Configuration (Note: this is normally installed on your BlackBerry server). Switch to "Administration Service - Cacert keystore". If you never changed the SSL config, the current password is greyed out and you only need to enter the new password in both fields. Please keep that new password in a safe place; you will need it in later steps and if you wish to renew the certificate!

 

2c.)

Open a CMD and navigate to c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\ and run the following command:

webGenKey.bat "C:\Program Files\Java\jre6" "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" <your password> <BB FQDN>

For example:

webGenKey.bat "C:\Program Files\Java\jre6" "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" asd3563sad blackberry01.mycompany.com

After that please verify that you have a new web.keystore in c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\

 

2d.)

We use a Comodo certificate in this example, so we will import the Comodo trusted certs (I saved them to C:\00install) into our keystore. If you use another certificate authority (for example your own), you need to add that root to your keystore.

Perform the following steps:

keytool -import -alias COMODOHigh-AssuranceSecureServerCA -file c:\00install\COMODOHigh-AssuranceSecureServerCA(base64).cer -trustcacerts -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

keytool -import -alias COMODOAddTrustExternalCARoot -file c:\00install\AddTrustExternalCARoot(base64).cer -trustcacerts -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

 

2e.)

Now we will delete the private key which was automatically created by the BES environment, so that we can create a new one in a later step. Use the following command for that:

keytool -delete -alias httpssl -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

 

2f.)

Now create a new certificate with the following command:

keytool -genkey -alias httpssl -keyalg RSA -keysize 2048 -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

Please note that keytool will ask you for a "first and last name"; this is the FQDN of your BlackBerry server. In our example we enter "blackberry01.mycompany.com".

Example:

What is your first and last name?
[Unknown]:  blackberry01.mycompany.com
What is the name of your organizational unit?
[Unknown]:  IT
What is the name of your organization?
[Unknown]:  Wieczorek inc.
What is the name of your City or Locality?
[Unknown]:  Dortmund
What is the name of your State or Province?
[Unknown]:  Nordrhein-Westfalen
What is the two-letter country code for this unit?
[Unknown]:  DE
Is CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE correct?

 

2g.)

Next we need to generate a certificate request which can be signed by the certification authority (CA). Run the following command for that:

keytool -certreq -keyalg RSA -alias httpssl -file C:\00Install\my_new_bas_certificate_request.csr -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

 

2h.)

Now you need to let the certification authority (CA) sign your certificate (included in the csr file). Please note that if you can choose the certificate type, you should choose Tomcat.

2i.)

When you get your signed certificate back, save it on the BlackBerry server. You now need to add it to the keystore via:

keytool -import -alias httpssl -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -trustcacerts -file C:\00Install\my_signed_certificate.cer

 

2j.)

The last step is now to restart the BAS services:

BlackBerry Administration Service - Application Server

BlackBerry Administration Service - Native Code Container

After some minutes you should be able to access your BES webadmin and the BlackBerry Web Desktop Manager again.
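
A check for the result of steps 2e to 2i, as an added example that is not part of the original how-to: it parses the output of `keytool -list -v -alias httpssl -keystore web.keystore` and reports the usual ways the import goes wrong (the reply landed as a trusted-cert entry, the key still carries only its self-signed certificate, or the CN is not the server FQDN). The sample listings are constructed, the function name is hypothetical, and the field labels assume the English output of the Java 6 keytool.

```python
import re

# Constructed sample of `keytool -list -v -alias httpssl` output after the
# signed certificate was imported in step 2i (CA names are placeholders).
# Assumption: English keytool labels as printed by Java 6.
SAMPLE_OK = """\
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE
Issuer: CN=Example Root CA, O=Example CA Ltd, C=GB
Certificate[2]:
Owner: CN=Example Root CA, O=Example CA Ltd, C=GB
Issuer: CN=Example Root CA, O=Example CA Ltd, C=GB
"""

# Constructed sample of the same alias right after step 2f (no CA reply yet).
SAMPLE_SELF_SIGNED = """\
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE
Issuer: CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE
"""


def audit_httpssl(listing, fqdn):
    """Return a list of problems found in the httpssl entry (empty = OK)."""
    problems = []
    entry = re.search(r"^Entry type:\s*(\S+)", listing, re.M)
    if not entry or entry.group(1) != "PrivateKeyEntry":
        problems.append("httpssl is not a private key entry")
    chain = re.search(r"^Certificate chain length:\s*(\d+)", listing, re.M)
    if not chain or int(chain.group(1)) < 2:
        problems.append("no CA chain attached to the key")
    owners = re.findall(r"^Owner:\s*(.+)$", listing, re.M)
    issuers = re.findall(r"^Issuer:\s*(.+)$", listing, re.M)
    if not owners or not issuers:
        return problems + ["no certificate found in listing"]
    # The first Owner/Issuer pair belongs to the server (leaf) certificate.
    leaf_owner, leaf_issuer = owners[0].strip(), issuers[0].strip()
    if leaf_owner == leaf_issuer:
        problems.append("leaf certificate is still self-signed")
    cn = re.match(r"CN=([^,]+)", leaf_owner)
    if not cn or cn.group(1).strip().lower() != fqdn.lower():
        problems.append("CN does not match " + fqdn)
    return problems
```

Save the keytool listing to a text file on the server and pass its contents together with the FQDN used in step 2f; an empty list means the entry is ready for the service restart.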

 

Troubleshooting:

A.) If the BES webadmin and the BlackBerry Web Desktop Manager aren't working after the restart of the services, please open the Task Manager and check if BAS-AS.exe and BAS-NC.exe are taking more than 12-15 MB (in most environments they use around 500 and 80 MB). If that is the case, open regedit and go to HKCU\software\Research in Motion\Blackberry Enterprise Server\Administration Service\Key Store. Copy the value from WebKEyStore to Cacerts and add CacertsKeyStorePassIsEncrypted REG_SZ 1 (if it isn't already set to 1). Please make a copy of the old values so that you can put them back if that didn't solve the issue. After changing the registry, save it and restart the services from 2j.

B.) Do not try to use different passwords here. This will not work!

 

Further information:

Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager

 


 

3.) Add a company logo to the BlackBerry Web Desktop Manager

If you wish to brand the BlackBerry Web Desktop Manager with your own company graphic you need to copy this image (in this example we use the filename logo.jpg) into the following folder:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\server\default\deploy\basclientwebdesktop.war\assets\images\corporate

After that, check if you can access the file via the following URL (note that you need to change the FQDN):

https://blackberry.mycompany.com/webdesktop/assets/images/corporate/mylogo.jpg

If you can access the file, log in to the BlackBerry Web Desktop and switch to

BlackBerry Solution topology > BlackBerry Domain > Component view > View (BlackBerry Administration Service)

After that, switch to the company logos tab and add the URL from above into the fields. When you save these settings, the BAS will automatically restart, which might take some minutes.
