If you wish to implement "BlackBerry Enterprise Service 10" in a PCI environment, you are required to disable all weak ciphers and to disable SSL 2.0.

This is because, according to section 4.1 of the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

So in order to validate your PCI DSS compliance in this area, you will need to ensure that the "BlackBerry Enterprise Service 10" server within your PCI environment is configured to disallow Secure Sockets Layer (SSL) version 2 as well as "weak" cryptography. To disable the weak ciphers, do the following:

1.) Open the "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\jetty\etc\jetty-bio-ssl.xml" file.

2.) Add the following section:

    <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
          </Array>
    </Set>

so that the connector section of your config file now looks similar to this example:

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
          <Set name="Port">9443</Set>
          <Set name="maxIdleTime">30000</Set>
          ...
          <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
          ...
          <Set name="ExcludeCipherSuites">
            <Array type="java.lang.String">
              <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
              <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
              <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
              <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
              <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
              <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
              <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            </Array>
          </Set>
        </New>
      </Arg>
    </Call>

After that, reboot your server (or restart only the "BES10 - BlackBerry Administration Service - Native Code Container" service, which will also restart the "BES10 - BlackBerry Administration Service - Application Server").
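Before you restart the service, it is worth checking the edited file rather than trusting your eyes. The script below is an added example, not BlackBerry's or Jetty's code. It assumes the XML layout shown above (`Call`/`Arg`/`New` with a class ending in `SslSocketConnector`, containing `Set name="ExcludeCipherSuites"`), embeds a constructed copy of that fragment with one of the seven suites deliberately left out, and uses a weak-suite name pattern that is my own assumption and broader than the post's seven entries. It also demonstrates a point the post does not spell out: `ExcludeCipherSuites` is a blocklist, so any weak suite the JVM supports but the list does not name stays negotiable. The last function therefore takes a JVM suite list (constructed here) and reports what would remain enabled.

```python
"""Audit the ExcludeCipherSuites list of a Jetty SSL connector (BES10 jetty-bio-ssl.xml style).

Added example, not BlackBerry or Jetty code. Assumes the layout shown in the post:
  Call[name=addConnector]/Arg/New[class=...SslSocketConnector]/Set[name=ExcludeCipherSuites]/Array/Item
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector fragment from the post, with one of the seven
# suites (SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA) deliberately left out so the audit
# has something to report.
SAMPLE_JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Set name="Port">9443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# The seven suites the post tells you to exclude.
REQUIRED_EXCLUSIONS = frozenset({
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
})

# Assumed weak-suite policy (broader than the post): export/40-bit, single DES, RC4,
# NULL encryption, anonymous key exchange, MD5 MAC. 3DES is deliberately not matched.
WEAK_SUITE_RE = re.compile(r"_EXPORT_|_DES_|_DES40_|_RC4_|_NULL_|_anon_|_MD5$")


def is_weak_suite(name):
    """True if the JSSE suite name matches the assumed weak-suite policy."""
    return WEAK_SUITE_RE.search(name) is not None


def excluded_suites(xml_text):
    """Return the set of suites listed under ExcludeCipherSuites of every SSL connector."""
    root = ET.fromstring(xml_text)
    found = set()
    for new in root.iter("New"):
        if not new.get("class", "").endswith("SslSocketConnector"):
            continue
        for setter in new.findall("Set"):
            if setter.get("name") != "ExcludeCipherSuites":
                continue
            for item in setter.iter("Item"):
                found.add((item.text or "").strip())
    return found


def audit_exclusions(xml_text, required=REQUIRED_EXCLUSIONS):
    """Compare the config against the post's list; return (missing, present) as sorted lists."""
    excluded = excluded_suites(xml_text)
    return sorted(required - excluded), sorted(excluded)


def weak_suites_left_enabled(xml_text, jvm_supported_suites):
    """ExcludeCipherSuites is a blocklist: a weak suite the JVM supports but the config
    does not name stays negotiable. In Java the real list comes from
    SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()."""
    excluded = excluded_suites(xml_text)
    return sorted(s for s in jvm_supported_suites if is_weak_suite(s) and s not in excluded)


# Constructed stand-in for a JVM's supported-suite list; a real list is much longer.
SAMPLE_JVM_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    missing, present = audit_exclusions(SAMPLE_JETTY_XML)
    print("excluded by config:", present)
    print("missing from the post's list:", missing)
    print("weak suites still negotiable:",
          weak_suites_left_enabled(SAMPLE_JETTY_XML, SAMPLE_JVM_SUITES))
```

To audit the real server, read the jetty-bio-ssl.xml file from the path given in step 1 and pass its contents to `audit_exclusions` and `weak_suites_left_enabled`; the second function is only meaningful with the suite list of the JRE that BES10 actually runs on, since an older or newer JRE ships a different set of suites.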
