Administration Guide

Local Navigation

BlackBerry Manuals & Help   Administrator Documentation   BlackBerry Enterprise Server 5   BlackBerry Enterprise Server for Microsoft Exchange   Administration Guide BlackBerry Enterprise Server for Microsoft Exchange - 5.0.3

Configuring a BlackBerry MDS Connection Service to trust web servers

You can configure the BlackBerry® MDS Connection Service to permit BlackBerry devices to pull application data and updates from trusted or untrusted web servers. If you want to open trusted connections between web servers and the BlackBerry MDS Connection Service, you must import the certificate for the web server into the JRE™ certificates keystore file (JRE cacerts).

The BlackBerry MDS Connection Service supports LDAP, OCSP, and CRL to retrieve certificates and certificate status, and HTTPS and SSL/TLS for connections that use trusted certificates.

Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from web servers

  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the HTTPS tab, in the Name field, type the name of a web server.
  5. In the Service URL field, type the regular expression for the web address of the web server. For example, type * to represent all web servers, or type https://<domain>.com* to specify all web servers in a specific domain. For more information about regular expressions in Java®, visit java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html and java.sun.com/docs/books/tutorial/essential/regex/literals.html.
  6. In the Settings section, in the Allow untrusted servers drop-down list, perform one of the following actions:
    • To permit only trusted HTTPS connections from the web server, click No.
    • To permit untrusted HTTPS connections from the web server, click Yes.
  7. Click the Add icon.
  8. Repeat steps 4 to 7 for each web server that you want to specify.
  9. Click Save all.
After you finish: Restart the BlackBerry MDS Connection Service.
Back To Top

Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web servers

  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the TLS tab, in the Name field, type the name of a web server.
  5. In the Service URL field, type the regular expression for the web address of the web server.
  6. In the Settings section, in the Allow untrusted servers drop-down list, perform one of the following actions:
    • To permit only trusted TLS connections from the web server, click No.
    • To permit untrusted TLS connections from the web server, click Yes.
  7. Click the Add icon.
  8. Repeat steps 4 to 7 for each web server that you want to specify.
  9. Click Save all.
After you finish: Restart the BlackBerry MDS Connection Service.
Back To Top

Configuring certificate server information for the BlackBerry MDS Connection Service

The certificate for the BlackBerry® MDS Connection Service permits push applications to make HTTPS connection to the BlackBerry MDS Connection Service. You can configure the BlackBerry MDS Connection Service to search for and retrieve certificates and the status of the certificates that external web servers use to make HTTPS connections.

To search for and retrieve certificates from an LDAP server, you can configure the BlackBerry MDS Connection Service to use LDAP or DSML. The BlackBerry MDS Connection Service searches each LDAP server using LDAP or DSML in the order that you specify. If you configure the BlackBerry MDS Connection Service to use both LDAP and DSML to search and retrieve certificates, the BlackBerry MDS Connection Service searches the servers using LDAP and then searches the servers using DSML. After the BlackBerry MDS Connection Service retrieves the certificate, the BlackBerry® Enterprise Server sends the certificate to the BlackBerry device, and the BlackBerry device displays the certificate so that the user can accept it. The BlackBerry MDS Connection Service supports DSML version 2.

To search for and retrieve the status of the certificates, you can configure the BlackBerry MDS Connection Service to search the OCSP servers or CRL servers. If you search for the status of the certificates using an OCSP server or a CRL server, which server you choose to search for the status of the certificates first does not matter because each server creates a prioritized list automatically.

For more information about certificates, see the BlackBerry Enterprise Solution Security Technical Overview.

Back To Top

Configure the LDAP servers that the BlackBerry MDS Connection Service uses to retrieve certificates

You can create a user name and password so that the BlackBerry® MDS Connection Service can authenticate to LDAP servers on behalf of BlackBerry devices.

If you change the LDAP port number or host server information, you must stop and restart the BlackBerry MDS Connection Service so that the BlackBerry MDS Connection Service can use the new port number or host server information immediately.

  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the LDAP tab, click Edit component.
  4. Perform one of the following tasks:

    Task

    Steps

    Create an LDAP server configuration.
    1. In the Name field, type the LDAP server name.
    2. In the Service URL field, type the web address for the server.
    3. In the Settings section, configure the LDAP server settings.
    4. Click the Add icon.

    Change an existing LDAP server configuration.
    1. Click the Edit icon beside the LDAP server.
    2. In the Settings section, change the LDAP server settings.
    3. Click the Update icon.
  5. Click Save all.
After you finish:
  • To configure the BlackBerry MDS Connection Service to retrieve the status of certificates, configure the OCSP and CRL server information.
  • Add the communication information that you configured for the LDAP server to the BlackBerry MDS Connection Service configuration set.
Back To Top
LDAP server settings

Field

Description

Base Query

This field specifies the base query for the default LDAP server. You can use %20 for spaces. Each LDAP server can host multiple Windows® domains but can search in only one Windows domain at a time. You might need to configure a default base query for some LDAP servers.

Password and Confirm Password

These fields specify a password if the LDAP server requires simple authentication.

Query Limit

This field specifies the maximum number of entries that you want to return for each query.

Service URL

This field specifies the FQDN and port number of the LDAP server. You must use the <FQDN>:<Port> format.

User name

This field specifies the user name if the LDAP server requires simple authentication.

Back To Top

Configure the BlackBerry MDS Connection Service to use DSML to retrieve certificates

  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the DSML tab, click Edit component.
  4. In the Protocol service information section, in the Query limit field, type the maximum number of certificates that the BlackBerry MDS Connection Service can retrieve during each search it performs.
  5. Perform one of the following tasks:

    Task

    Steps

    Create a configuration for a DSML certificate server.
    1. In the Name field, type a name for the DSML certificate server that you want the BlackBerry MDS Connection Service to search.
    2. In the Service URL field, type the FQDN of the DSML certificate server (for example, http://server01.rim.com:1234/dsml/adssoap.dsmlx).
    3. In the Settings section, if you do not want the BlackBerry MDS Connection Service to search the entire directory tree, in the Base query field, type the search base that the BlackBerry MDS Connection Service can use.
    4. To permit the BlackBerry MDS Connection Service to authenticate with the DSML certificate server on behalf of BlackBerry devices, in the User name field, type the user name that the BlackBerry MDS Connection Service can use to authenticate with the DSML certificate server.
    5. In the Password and Confirm password fields, type the password for the user name that the BlackBerry MDS Connection Service can use to authenticate with the DSML certificate server.
    6. Click the Add icon.

    Change a configuration for an existing DSML certificate server configuration.
    1. Click the Edit icon that is beside the DSML certificate server that you want to change.
    2. In the Settings section, change the DSML certificate server settings.
    3. Click the Update icon.
  6. Click Save all.
After you finish:
  • To configure the BlackBerry MDS Connection Service to retrieve the status of certificates from an OCSP server or CRL server, you must configure the OCSP server and CRL server information.
  • Add the communication information that you configured for the DSML server to the BlackBerry MDS Connection Service configuration set.
Back To Top

Configure the OCSP servers that the BlackBerry MDS Connection Service uses to retrieve the status of certificates

You can configure the BlackBerry® MDS Connection Service to authenticate to OCSP servers on behalf of BlackBerry devices and to retrieve the status of certificates.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the OCSP tab, click Edit component.
  4. Perform the following actions:
    • Configure the BlackBerry MDS Connection Service to accept OCSP servers that BlackBerry devices specify.

    • Configure the OCSP handler to use the OCSP responder extension in a certificate.

  5. Perform one of the following tasks:

    Task

    Steps

    Create an OCSP server configuration.
    1. In the Name field, type the OCSP server name.
    2. In the Service URL field, type the web address for the server.
    3. Click the Add icon.

    Change an existing OCSP server configuration.
    1. Click the Edit icon that is beside the OCSP server that you want to change.
    2. In the Settings section, change the OCSP server settings.
    3. Click the Update icon.
  6. Click Save all.
After you finish: Add the communication information that you configured for the OCSP server to the BlackBerry MDS Connection Service configuration set.
Back To Top

Configure the CRL servers that the BlackBerry MDS Connection Service uses to retrieve the status of certificates

You can configure the BlackBerry® MDS Connection Service to authenticate to CRL servers on behalf of BlackBerry devices and to retrieve the status of certificates.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the CRL tab, click Edit component.
  4. In the CRL Service information section, perform the following actions:
    • Configure the BlackBerry MDS Connection Service to accept CRL servers that BlackBerry devices specify.

    • Configure the CRL handler to use the CRL responder extension in a certificate.

  5. Perform one of the following tasks:

    Task

    Steps

    Create a CRL server configuration.
    1. Type the CRL server name and the web address for the server.
    2. Click the Add icon.

    Change an existing CRL server configuration.
    1. Click the Edit icon beside the CRL server.
    2. Click the Accept icon.
  6. Click Save all.
After you finish: Add the communication information that you configured for the CRL server to the BlackBerry MDS Connection Service configuration set.
Back To Top

Add communication information to a BlackBerry MDS Connection Service configuration set

A BlackBerry® MDS Connection Service configuration set is a set of service configurations that the BlackBerry MDS Connection Service instances in your organization can use to communicate with a remote file system, an LDAP server, a DSML server, a CRL server, an OCSP server, or a certification authority. You must add the communication information that the BlackBerry MDS Connection Service requires to communicate with servers to a configuration set so that a BlackBerry MDS Connection Service instance can communicate with the servers after you assign the configuration set to the instance.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the Configuration Sets tab, perform one of the following actions:
    • To create a configuration set, in the Configuration set name section, type a name and description for the configuration set.
    • To change an existing configuration set, click the Edit icon.
  5. In the Priority Service group drop-down list, click the name of the service that you want to configure the communication method for.
  6. In the Service (Name : Description) drop-down list, click the name of the communication method that you want to configure.
  7. Click the Add icon.
  8. To specify the communication method that the BlackBerry MDS Connection Service should try to connect to the server with first , click the Up and Down arrows. The BlackBerry MDS Connection Service resolves conflicts by applying communication methods in the order that you specify. The order of that you specify for LDAP, DSML, or file communication applies to each communication method separately. The order permits the BlackBerry MDS Connection Service to resolve conflicts between domains if you created multiple communication methods for a specific URL.
  9. Perform one of the following actions:
    • To add a new configuration set, click the Add icon.
    • To update an existing configuration set, click the Update icon.
  10. Click Save all.
After you finish:
  • To confirm your changes, click the View icon.
  • Assign the configuration set to a BlackBerry MDS Connection Service.
Back To Top

Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance

You can assign a BlackBerry® MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance so that BlackBerry device users can access documents on remote file systems from devices, the BlackBerry MDS Connection Service can search for certificates and check for the status of the certificates from LDAP servers, DSML servers, CRL servers, or OCSP servers, and the BlackBerry MDS Connection Service can send certificate requests to a certificate authority.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click the instance that you want to change.
  4. Click Edit instance.
  5. On the Component Configuration Sets tab, in the Available component configuration sets section, in the Service configuration sets drop-down list, click the configuration set that you want to assign to the BlackBerry MDS Connection Service instance.
  6. Click Save all.
  7. To restart the BlackBerry MDS Connection Service instance, on the Instance information tab, in the Status list, click Restart instance.
  8. To assign the BlackBerry MDS Connection Service configuration set to another BlackBerry MDS Connection Service instance, repeat steps 3 to 7.
Back To Top

Add a retrieved certificate for a web server to the key store

You can use the Java® keytool to add a certificate for a web server to the BlackBerry® MDS Connection Service key store. The certificate permits the BlackBerry MDS Connection Service to connect to the trusted web server.
  1. Save the certificate from a secure web site to a .cer file.
  2. On the computer that hosts the BlackBerry MDS Connection Service, copy the .cer file to <drive>:\Program Files\Java\<JRE_version>\lib\security.
  3. At a command prompt, navigate to <drive>:\Program Files\Java\<JRE_version>\bin.
  4. Type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.
  5. Type the key store password.
  6. To add the certificate to the key store, at the command prompt, type Yes.
After you finish: For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html.
Back To Top
Next topic: Permitting users to access intranet sites on BlackBerry devices using global login information
Previous topic: Permit push applications to select the transport protocol for PAP requests

Was this information helpful? Send us your comments.