Installing and configuring BlackBerry UEM in a BSI-certified environment
- Requirements and considerations for a BSI-certified UEM environment
- Prerequisites for installing BlackBerry UEM 12.21 MR1 in a BSI-certified environment
Install BlackBerry UEM version 12.21 MR1 in a BSI-certified environment
Create an LDAP client certificate used for mutual authentication and connect to an LDAP directory
Configure BlackBerry UEM for a BSI-certified environment
- Administrator roles in a BSI-certified UEM environment
Exporting audit records to a syslog server
- Set up the export of device audit records to a syslog server
  - Script to enable the export of server audit records to syslog
- Set up the export of server audit records to a syslog server
  - Script to enable the export of device audit records to syslog

Set up the export of server audit records to a syslog server

The syslog server must be using TLS version 1.2, x509v3 certificates for authentication, and must use one of the following cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Using the same account that you used to install

UEM

, open a command prompt and run the following commands to upload a syslog CA certificate. The commands cannot contain any line breaks.

SET BESRoot=C:\Program Files\BlackBerry\UEM

SET KEYSTORE_PATH=<path_to_CA_certificate>

java -cp “%BESRoot%\tools\lib\*” --add-exports java.base/sun.nio.ch=ALL-UNNAMED --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-exports java.base/sun.security.provider.certpath=ALL-UNNAMED -Djava.library.path=“%BESRoot%\tools\lib\dll\x64” com.rim.platform.mdm.keymaster.KeyMaster -keystore “%KEYSTORE_PATH%” load -keystoreType SECURITY_AUDIT_SYSLOG_CACERTS -trusted -BESRoot “%BESRoot%”

Run the following commands to configure mutual authentication and upload a client certificate for

UEM

to the syslog server. The commands cannot contain any line breaks.

SET BESRoot=C:\Program Files\BlackBerry\UEM

SET KEYSTORE_PATH=<path_to_client_certificate>

SET KEYSTORE_PASSWORD=<user_defined_password>

java -cp “%BESRoot%\tools\lib\*” --add-exports java.base/sun.nio.ch=ALL-UNNAMED --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-exports java.base/sun.security.provider.certpath=ALL-UNNAMED -Djava.library.path=“%BESRoot%\tools\lib\dll\x64” com.rim.platform.mdm.keymaster.KeyMaster -keystore “%KEYSTORE_PATH%” -password “%KEYSTORE_PASSWORD%” load -keystoreType SECURITY_AUDIT_SYSLOG_CLIENT -BESRoot “%BESRoot%”

Prepare the script in Script to enable the export of server audit records to syslog:

Change the hostname and port number to match your environment. For example:

SET @v_hostname = ‘localhost’;
SET @v_port = ‘31000’;

Set any syslog specific formatting attributes as described in the script.

Execute the script against the

UEM

database.

Restart the

BlackBerry UEM Core

service.

Section:

Exporting audit records to a syslog server

Script to enable the export of device audit records to syslog