Import the CA certificate into the Java certificate store
You can use the following steps to import certificate authority certificates into the
Javacacerts keystore as an alternative to uploading certificate authority certificates into the
BEMSdatabase using the Dashboard. Some
BEMSfeatures may not support verifying certificate trusts using certificates stored in the database (for example, the
Presenceservice for on-premises
Skype for Businessusing non-trusted application mode). If you use this method to import the CA certificate, you must complete the following steps on each
BEMSinstance in the cluster.
Save a copy of the exported certificate to a convenient location on the computer that hosts
BEMS(for example, C:\bemscert). For instructions, see Export the BlackBerry Proxy or Good Proxy CA certificate chain to your desktop.
- If necessary, verify theJavabin directory is correctly specified in your environment PATH.
Verify that the JAVA_HOME System variable is set to the correctJavadirectory and that the PATH System variable includes the path to the sameJavadirectory. For instructions about setting the JAVA_HOME and PATH system variables, see 'Configure the Java Runtime Environment' in the installation content.
- In a command prompt, typeset | findstr "JAVA_HOME".
- In the command prompt, typeset | findstr "Path"
- Obtain a copy of the non-public CA certificate and any necessary intermediate certificates from the server thatBEMSmust communicate with. For more information, contact your administrator of the servers thatBEMSneeds to have trusted SSL connections to.
- On theBEMShost, make a backup of theJavakeystore file. TheJavakeystore file is located at%JAVA_HOME%\lib\security\cacerts, where JAVA_HOME is confirmed in Step 1.
- Copy the non-public CA certificate to a convenient location on the computer that hostsBEMS(for example, C:\bemscert).
- Open a command prompt and change directory to theJava_HOME folder (for example, typecd %JAVA_HOME%).
- Import the root certificate. Consider the following guidelines:
For more information about keystore commands, see Keystore commands.
- The -alias value must be unique in the destination keystore. If it is duplicated, you might experience import errors. You can output the cacerts keystore to a text file to manually confirm the existing certificates using a text editor. Typekeytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt
- Where the -file value is the path and the file name of the non-public certificate. If this is the path to the file, add quotation marks (" ") around the full path, filename, and extension.
- The following is an example of importing the certificate using keystore commands:keytool.exe -importcert -trustcacerts -file "c:\bemscert\cacert1.cer" -keystore lib\security\cacerts -alias myalias1 -storepass changeit
- There are no spaces between the dash (-) and the parameter name.
- You must specify the -keystore parameter correctly. If it is incorrect or it is omitted, the keytool creates a new keystore.BEMSservices do not use the new keystore.
- Repeat step 6 for any additional certificates that you want to import into theJavakeystore.
- If you haveConnectinstalled and configured, and did not import theBlackBerry ProxyorGood Proxyroot certificate into theWindowskeystore, import it now. For instructions, see Import the Good Proxy or BlackBerry Proxy CA certificate to the BEMS Windows keystore.
- In theWindowsService Manager, restart theGood Technology Common Servicesservice.
Configure the Core
BEMSservice for communicating to
BlackBerry Dynamics. For instructions, see Configure the BlackBerry Dynamics server in BEMS.