Posts Tagged BlackBerry
BlackBerry Enterprise Server 5 Virtualization
Posted by Brian in Uncategorized on October 26, 2009
I’m currently sitting at the airport waiting on my flight home from a conference. I still have quite a while so I figured I would post something quick about BES on virtual hardware.
It is fully supported on VMware 3.5+ and mostly supported on VMware 4. In our environment, we have 2 primary BES servers with 2 failover at a regional datacenter. SQL is also separate with a failover. There is a new initiative to virtualize everything and my team decided that BES would make a good candidate. For the most part, the hardware requirements for 1200 users were minimal. When we did the BES 5 migration we decided to move off the physical hardware and go completely virtual.
This hasn’t turned out well for us so far. Even though we have a pretty massive VM environment, we are still having troubles. It isn’t due to the most common problems you see. We aren’t disk I/O bound. We have plenty of memory and processing power. Our problem is because of the network. The BES servers need a pristine connection to your mail servers. Normally they do but occasionally they hit some bottlenecks. The BES servers can handle a few of these but if it is an outage lasting a few minutes or several shorter ones, it can cause the agents to hit the max 10 restarts per 24 hours. When that happens, you have no choice but to restart. This has happened to us more times than I can count. Part of the reason is we have been running the hosts at their max. That is something you should be able to do with VMware but if it spikes, it can cause latency and kill the agents. Another thing that has happened is our DR snapshotting software has issues. It queries for changes every hour and if you have a lot of hosts, it can cause brief locks. Even though it is only for a few seconds, it can still cause agent restarts.
Now I’m not saying don’t virtualize. I’m not saying our problem is related to BES or even VMware. It is due to how we have VMware implemented. If you are running your hosts at their max, you might want to rethink virtualizing BES. I would also recommend installing some network monitoring software on hardware separate from the virtual hosts and see if you have any drop offs. We experience the drop offs on other non-BES services but it only affects the BES.
Virtualizing BES can save a lot of money but make sure you truly have that pristine connection. Without it, you will have a lot of headaches.
BlackBerry Enterprise Server 5 (BES 5) Maintenance Release Upgrade process
Posted by Brian in Uncategorized on June 19, 2009
I was asked to step through the process I took to install Maintenance Release 1 for BES 5 last night. It was pretty basic but I made some pretty pictures I’ll post below. The process is mostly the same as in BES 4 but with the added benefit of being able to use failover servers.
Our environment has multiple primary servers as well as standby failover servers in a second datacenter. This allows us to keep functioning if one datacenter were to become unavailable. That also means I can update the BES without any loss in connectivity for clients.
I started by updating the failover servers. If I wanted to, I could have updated one failover server, made it the primary and checked connectivity. If all went well, I could fail back and update the other servers. This might be overkill but it could also save me in the future. It is something I’ll consider next time.
Once I have the Maintenance Release on all the servers, I stop all of the BlackBerry services that are running. There are a bunch of them so I’ll probably write up a script to do it faster next time. Start the upgrade:

Enter your BESAdmin account and Password:

And now you wait:

Once you are done with the install, you need to restart the services. I prefer to restart the machine to make sure everything comes up cleanly but it isn’t necessary.
Now that the failovers are updated, you need to actually failover to them in order to patch the primary servers. This is accomplished in the BAS (BlackBerry Administration Service). Under Servers and components, expand High Availability, expand Highly available BlackBerry Enterprise Servers, and select the instance you want to update. Now you simply click Change primary instance to standby instance and confirm:

Update these servers like I wrote above and once you are done, make them the primary again. That’s all there is to it.
BlackBerry Administration Service Thawte SSL Certificate install
Posted by Brian in Uncategorized on June 3, 2009
I ran into a couple of problems earlier while trying to install a new certificate for our BlackBerry Enterprise Servers. We are running BES 5 and had been using the default self-signed certificate that is made during the install. We are still in pilot mode so that wasn’t a problem. Well we are now gearing up to go production so we needed to get a trusted cert.
I followed the instructions to make the request that RIM provides in the administration guide and sent the CSR off to our security group to get a cert issued from Thawte. The CSR was rejected! Thawte could not determine the key size. By default the keytool utility chooses 1024 and DSA but it couldn’t figure out the size. Even if I told it to use 1024 with the -keysize flag, it would still fail. Viewing the CSR in openssl also did not show the size. It was not until I chose RSA that it was able to determine the size. To do this I ran:
keytool.exe -genkey -keysize 1024 -keyalg "RSA" -alias <alias name> -keypass <password> -keystore "<location to web.keystore>"
After that I was able to successfully create the certificate. Unfortunately I wasn’t done! Once I tried to import it, I got the error “keytool error: java.lang.Exception: Failed to establish chain from reply.” A quick Bing/Google search and I was able to find out that I needed to add the Thawte root CA to the keystore. I downloaded the CA and ran:
keytool.exe -import -trustcacerts -alias "Whatever you want" -file <location to thawte .cer> -keystore <location of keystore>
It gave me a warning that “Certificate already exists in system-wide CA keystore under alias <#####> Do you still want to add it to your own keystore?” I said yes and was then able to add our cert. I copied the web.keystore file to each BES server and restarted the BAS services.
This may be obvious to people more familiar with the keytool utility but I’m a Windows guy and usually handle certificates in IIS or the certificates MMC snap-in. This was new territory for me but thankfully we got it figured out. Now I need to start the process to move our users to the new environment.
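The sequence from the post above, written out as an added PowerShell example (not the author's script or RIM's documented procedure), with a check that the CSR states an RSA key size before it goes to the CA. It assumes keytool.exe and openssl.exe are on PATH; the paths, aliases and DN are placeholders, and the 2048-bit key size is an assumption used in place of the 1024 the post ran with.

```powershell
# Added example. Every path, alias and DN below is a placeholder, not a value from the post.
$keystore = 'C:\temp\web.keystore'    # working copy of the BAS keystore
$alias    = 'bas-web'                  # hypothetical alias for the key pair
$csr      = 'C:\temp\bas.csr'
$rootCa   = 'C:\temp\thawte-root.cer'  # root CA certificate downloaded from the CA
$reply    = 'C:\temp\bas-signed.cer'   # certificate the CA sends back

function Invoke-Native {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

function New-BasCsr {
    # Name RSA explicitly; the post's CSR was rejected when keytool defaulted to DSA.
    # 2048 bits is an assumption for current CA minimums (the post used 1024 in 2009).
    Invoke-Native keytool.exe @('-genkey', '-keyalg', 'RSA', '-keysize', '2048',
        '-alias', $alias, '-dname', 'CN=bas.example.com, O=Example, C=US',
        '-keystore', $keystore)
    Invoke-Native keytool.exe @('-certreq', '-alias', $alias, '-file', $csr,
        '-keystore', $keystore)

    # Read the CSR back before sending it anywhere: algorithm and size must both be visible.
    $text = (& openssl.exe req -in $csr -noout -text) -join "`n"
    if ($text -notmatch 'Public Key Algorithm:\s*rsaEncryption') {
        throw 'CSR key is not RSA'
    }
    if ($text -notmatch 'Public[- ]Key:\s*\((\d+) bit\)') {
        throw 'CSR does not state a key size'
    }
    if ([int]$Matches[1] -lt 2048) { throw "CSR key is only $($Matches[1]) bits" }
    "CSR ok: RSA $($Matches[1]) bit"
}

function Import-BasReply {
    # Root CA first. Importing the reply without it is what produces
    # "Failed to establish chain from reply".
    Invoke-Native keytool.exe @('-import', '-trustcacerts', '-alias', 'thawte-root',
        '-file', $rootCa, '-keystore', $keystore)
    # Same alias as the key pair, so keytool attaches the reply to the private key.
    Invoke-Native keytool.exe @('-import', '-alias', $alias, '-file', $reply,
        '-keystore', $keystore)
    # A key entry with the CA chain attached reports a chain length above 1.
    & keytool.exe -list -v -alias $alias -keystore $keystore |
        Select-String 'Certificate chain length'
}
```

Run New-BasCsr, send the CSR to the CA, then run Import-BasReply once the signed certificate is saved at $reply. keytool prompts for the keystore password at each step, which keeps it off the command line.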