How to configure BlackBerry Enterprise Server 5.0 to support S/MIME messaging

Article ID: KB18777

Type: Support Content

Last Modified: 12-15-2011

 

Product(s) Affected:

  • S/MIME Support Package for BlackBerry smartphones
  • BlackBerry Enterprise Server for Microsoft Exchange

Environment

  • BlackBerry® Enterprise Server for Microsoft® Exchange versions 5.0 to 5.0 SP3

Overview

This article describes how to configure BlackBerry® Enterprise Server 5.0 to support Secure Multipurpose Internet Mail Extensions (S/MIME) messaging.

After the changes have been applied to the BlackBerry® Enterprise Server, BlackBerry smartphone users can send and open secure messages from their BlackBerry smartphones only if the correct version of the S/MIME support package and personal certificates are added to the BlackBerry smartphone keystore or a smart card.

Task 1: Configure each BlackBerry Enterprise Server to support S/MIME processing

  1. Go to Servers and Components > BlackBerry Solution topology > BlackBerry Domain > Component view > Email > View (SERVERNAME_EMAIL)
  2. Click edit, then select the Messaging tab.
  3. Under Security settings, set Turn on S/MIME message processing to True.

Task 2:  Configure the BlackBerry MDS Connection Service to perform certificate searches

  1. Go to Servers and Components > BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service
  2. Click the LDAP (Lightweight Directory Access Protocol) tab, choose Edit.
  3. The following options can be configured or amended: Query Limit, Enable data compression, Name, Friendly description, Service URL, Secure Connection enabled, User name, Password, and Base Query.
  4. The Service URL field should be entered in the format LDAPServerhostname:389 or LDAPServerFQDN:389.  In Windows® 2003 environments, anonymous LDAP searches are not permitted by default, and it will be necessary to specify a user name and password.
  5. Click Save all.

Task 3: Configure BlackBerry MDS Connection Service to retrieve the status of certificates by specifying an OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List) Server.

If OCSP servers are used to retrieve certificate revocation information, complete the following:

  1. Go to Servers and Components > BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service
  2. Click on the OCSP tab, choose Edit.
  3. The following options can be configured or amended:  Use device responder URLs, Use certificate extension responder URLs, Name, Friendly description, Service URL.
  4. The Service URL should be entered in the format http://ocsp.OCSPServerhost or http://ocsp.FQDN.
  5. Click Save all.

If CRL servers are used to retrieve certificate revocation information, complete the following:

  1. Go to Servers and components > BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service
  2. Click the CRL tab.
  3. Choose Edit.
  4. The following options can be configured or amended:  Use device responder URLs, Use certificate extension responder URLs, Name, Friendly description, Service URL.
  5. The Service URL can be entered in the format http://CertificateServerFQDN/certenroll/CertificateServerHost.crl  or ldap:///CN=CertificateServerHostName,CN=CertificateServerHostName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=SubDomain,DC=SubDomain,DC=SubDomain,DC=Domain,DC=Root?certificateRevocationList?base?objectClass=cRLDistributionPoint
    The CRL server URLs can be verified by referring to the CRL distribution point on the certificate server or within the ObjectClass cRLDistributionpoint attribute in a certificate.
  6. Click Save all.

Note:  Multiple LDAP, OCSP and CRL Server entries can now be specified in BlackBerry Enterprise Server 5.0.
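
A check for the two CRL Service URL formats given in Task 3, as an added example that is not part of the original article or of any BlackBerry tool: it splits the ldap:/// form into DN, attribute, scope and filter and reports where a value departs from the format above. The function name and the sample names (CA01, corp.example.com) are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Container RDNs the article's ldap:/// format places between the CA entries and DC= parts.
CDP_CONTAINER = ["cn=cdp", "cn=public key services", "cn=services", "cn=configuration"]

# Constructed sample values (CA01 and corp.example.com are placeholders, not from the article).
SAMPLE_HTTP = "http://ca01.corp.example.com/certenroll/CA01.crl"
SAMPLE_LDAP = ("ldap:///CN=CA01,CN=CA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
               "CN=Configuration,DC=corp,DC=example,DC=com"
               "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
SAMPLE_BAD = ("ldap:///CN=CA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
              "CN=Configuration,DC=example,DC=com?cACertificate?sub")

def check_crl_service_url(url):
    """Return (parts, problems) for a CRL Service URL in the http or ldap format."""
    problems = []
    if " " in url:
        problems.append("literal space in URL; encode it as %20")
    if url.lower().startswith("http://"):
        u = urlsplit(url)
        if not u.hostname:
            problems.append("no host name")
        if not u.path.lower().endswith(".crl"):
            problems.append("path does not name a .crl file")
        return {"scheme": "http", "host": u.hostname, "path": u.path}, problems
    if not url.lower().startswith("ldap://"):
        return {}, problems + ["expected an http:// or ldap:// URL"]
    host, _, tail = url[len("ldap://"):].partition("/")
    fields = tail.split("?") + [""] * 3        # dn ? attribute ? scope ? filter
    dn, attr, scope, flt = (unquote(f) for f in fields[:4])
    rdns = [r.strip() for r in dn.split(",")]  # assumes no escaped commas in the DN
    parts = {"scheme": "ldap", "host": host or None, "rdns": rdns,
             "attribute": attr, "scope": scope, "filter": flt.strip("()")}
    if attr.lower() != "certificaterevocationlist":
        problems.append("attribute is not certificateRevocationList")
    if scope.lower() != "base":
        problems.append("scope is not base")
    if parts["filter"].lower() != "objectclass=crldistributionpoint":
        problems.append("filter is not objectClass=cRLDistributionPoint")
    low = [r.lower() for r in rdns]
    if not any(low[i:i + 4] == CDP_CONTAINER for i in range(len(low))):
        problems.append("DN lacks the CN=CDP,...,CN=Configuration container path")
    if not any(r.startswith("dc=") for r in low):
        problems.append("DN has no DC= components")
    return parts, problems

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_LDAP, SAMPLE_BAD):
        print(check_crl_service_url(sample)[1] or "OK", "<-", sample[:60])
```

An empty problem list means only that the value matches the format; the URL still has to match the CRL distribution point published by the certificate server.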

Task 4: Configure Configuration sets in BlackBerry MDS Connection Service 

  1. Go to Servers and components > BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service.  
  2. Select the Configuration Sets tab, and then choose Edit.
  3. To create a configuration set, in the Configuration set name section, type a name and description for the configuration set.
  4. In the Priority Service group drop-down list, choose the name of the service group required.
  5. In the Service (Name : Description) drop-down list, select the service name / description required.
  6. Click the Add icon.
  7. To specify the communication method that the BlackBerry® Mobile Data System (BlackBerry MDS) Connection Service should try first to connect to the server, click the Up and Down icons. The order of the configured communication methods applies to LDAP, OCSP, and file communication methods individually. The order permits the BlackBerry MDS Connection Service to resolve conflicts between domains if multiple communication methods are added for a specific URL.
  8. Click Save all.

Note: It is possible to configure multiple configuration sets with any combination of LDAP, CRL and OCSP Server entries.

Task 5: Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance

  1. Go to Servers and Components > BlackBerry Solution Topology > BlackBerry Domain > Component View > MDS Connection Service > ServerName_MDS-CS_1
  2. Click on the Component Configuration Sets tab, choose Edit.
  3. Under Available component Configuration Sets, select the required configuration set, then click Save all.
  4. Restart each instance of the BlackBerry MDS Connection Service. 

Additional Information

Additional information can be found in BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Administration Guide.
