Import the CA certificate into the Java certificate store

You can use the following steps to import certificate authority certificates into the Java cacerts keystore as an alternative to uploading certificate authority certificates into the BEMS database using the Dashboard. Some BEMS features may not support verifying certificate trusts using certificates stored in the database (for example, the Presence service for on-premises Skype for Business using non-trusted application mode). If you use this method to import the CA certificate, you must complete the following steps on each BEMS instance in the cluster.

Save a copy of the exported certificate to a convenient location on the computer that hosts BEMS (for example, C:\bemscert). For instructions, see Export the BlackBerry Proxy CA certificate chain to your desktop.

- If necessary, verify the Java bin directory is correctly specified in your environment PATH.
  - In a command prompt, type set | findstr "JAVA_HOME".
  - Press Enter.
  - In the command prompt, type set | findstr "Path".
  - Press Enter.
  Verify that the JAVA_HOME System variable is set to the correct Java directory and that the PATH System variable includes the path to the same Java directory. For instructions about setting the JAVA_HOME and PATH system variables, see 'Set an environment variable for the Java location' in the installation content.
- Obtain a copy of the non-public CA certificate and any necessary intermediate certificates from the server that BEMS must communicate with. For more information, contact the administrator of the servers that BEMS needs to have trusted SSL connections to.
- On the BEMS host, make a backup of the Java keystore file. The Java keystore file is located at %JAVA_HOME%\lib\security\cacerts, where JAVA_HOME is confirmed in Step 1.
- Copy the non-public CA certificate to a convenient location on the computer that hosts BEMS (for example, C:\bemscert).
- Open a command prompt and change directory to the JAVA_HOME folder (for example, type cd %JAVA_HOME%).
- Import the root certificate. Consider the following guidelines:
  - The -alias value must be unique in the destination keystore. If it is duplicated, you might experience import errors. You can output the cacerts keystore to a text file to manually confirm the existing certificates using a text editor. Type keytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt
  - The -file value is the path and the file name of the non-public certificate. If you specify the path to the file, add quotation marks (" ") around the full path, file name, and extension.
  - The following is an example of importing the certificate using keystore commands: keytool.exe -importcert -trustcacerts -file "c:\bemscert\cacert1.cer" -keystore lib\security\cacerts -alias myalias1 -storepass changeit
  - There are no spaces between the dash (-) and the parameter name.
  - You must specify the -keystore parameter correctly. If it is incorrect or it is omitted, the keytool creates a new keystore. BEMS services do not use the new keystore.
  For more information about keystore commands, see Keystore commands.
- Repeat step 6 for any additional certificates that you want to import into the Java keystore.
- If you have Connect installed and configured, and did not import the BlackBerry Proxy root certificate into the Windows keystore, import it now. For instructions, see Import the Good Proxy or BlackBerry Proxy CA certificate to the BEMS Windows keystore.
- In the Windows Service Manager, restart the Good Technology Common Services service.

Configure the Core BEMS service for communicating to BlackBerry Dynamics. For instructions, see Configure the BlackBerry Dynamics server in BEMS.
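
The backup, alias check, import, and verification from the steps above can be scripted per BEMS instance as follows. This is an added PowerShell example, not BlackBerry's own tooling; the certificate path, alias, and store password are the example values from this page, and the backup file name is an assumption.

```powershell
# Added example, not BlackBerry's script. Values below are the page's example
# values; change them for your environment. Run on each BEMS instance.
$certFile  = 'C:\bemscert\cacert1.cer'
$alias     = 'myalias1'
$storePass = 'changeit'

# Step 1: resolve keytool and cacerts from JAVA_HOME.
if (-not $env:JAVA_HOME) { throw 'JAVA_HOME is not set.' }
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore = Join-Path $env:JAVA_HOME 'lib\security\cacerts'

# A wrong -keystore path makes keytool create a new keystore that BEMS never
# reads, so refuse to continue unless every path already exists.
foreach ($p in $keytool, $keystore, $certFile) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Not found: $p" }
}

# Step 3: back up cacerts (timestamped name is an assumption of this example).
$backup = "$keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $keystore -Destination $backup -ErrorAction Stop

# Alias must be unique: keytool exits 0 only if the alias is already present.
& $keytool -list -keystore $keystore -storepass $storePass -alias $alias | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$alias' already exists in $keystore." }

# Step 6: import. keytool prints the certificate and asks for confirmation;
# check the displayed fingerprint against the one from the CA's administrator.
& $keytool -importcert -trustcacerts -file $certFile -keystore $keystore `
    -alias $alias -storepass $storePass
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath $backup -Destination $keystore -Force
    throw "Import failed; restored $keystore from $backup."
}

# Verify the entry landed in the keystore that BEMS uses.
& $keytool -list -keystore $keystore -storepass $storePass -alias $alias
if ($LASTEXITCODE -ne 0) { throw "Alias '$alias' not found after import." }

Write-Host "Imported '$alias'. Backup: $backup"
Write-Host 'Restart the Good Technology Common Services service to apply.'
```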