Administration Guide


Extending messaging security to a BlackBerry device

If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server Express forwards the message to the email applications of recipients. To extend messaging security, the sender and recipient must install highly secure messaging technology on the computers that host the email applications and on their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging technology.

Extending messaging security using PGP encryption

You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to send and receive PGP® protected email messages and PGP protected PIN messages on a BlackBerry device. The BlackBerry Enterprise Solution supports the OpenPGP format and PGP/MIME format on the BlackBerry device.

To extend messaging security, you must instruct the BlackBerry device user to install the PGP® Support Package for BlackBerry® smartphones on the BlackBerry device and to transfer the PGP private key of the BlackBerry device user to the BlackBerry device. The BlackBerry device user can use the PGP private key to digitally sign, encrypt, and send PGP protected messages from the BlackBerry device. If a BlackBerry device user does not install the PGP Support Package for BlackBerry smartphones, the BlackBerry device displays an error message when the BlackBerry device user tries to open PGP protected messages.

To require the BlackBerry device user to use PGP encryption when forwarding or replying to messages, you can configure the PGP Force Digital Signature IT policy rule and the PGP Force Encrypted Messages IT policy rule.

The PGP Support Package for BlackBerry smartphones is designed to support encoding and decoding Unicode messages and permits PGP encryption using keys or passwords. The PGP Support Package for BlackBerry smartphones permits the BlackBerry device to encrypt PGP protected email messages or PGP protected PIN messages using a password that the sender and recipient both know.

For more information about the OpenPGP format, see RFC 2440. For more information about the PGP/MIME format, see RFC 3156.

Configure the BlackBerry Enterprise Solution to support PGP encryption

  1. Configure the PGP Universal Server Address IT policy rule in the IT policy that you assign to BlackBerry® device users.
  2. Instruct users to install the PGP® Support Package for BlackBerry® smartphones on BlackBerry devices.
  3. Instruct users to enroll with the PGP® Universal Server when the BlackBerry devices prompt them to do so, so that the BlackBerry devices can process PGP protected messages.

Extending messaging security using S/MIME encryption

You can extend messaging security for the BlackBerry® Enterprise Solution and permit a BlackBerry device user to send and receive S/MIME-protected email messages and S/MIME-protected PIN messages on a BlackBerry device.

To extend messaging security, you or the BlackBerry device user must install the S/MIME Support Package for BlackBerry® smartphones on the BlackBerry device and transfer the S/MIME private key of the BlackBerry device user to the BlackBerry device. The S/MIME Support Package for BlackBerry smartphones is designed to work with email applications such as Microsoft® Outlook®, Microsoft Outlook Express, and IBM® Lotus Notes®, and with PKIs such as Netscape®, Entrust Authority™ Security Manager version 5 and later, and Microsoft certification authorities.

The BlackBerry device user uses the S/MIME private key to decrypt S/MIME-protected messages on the BlackBerry device and to sign, encrypt, and send S/MIME-protected messages from the BlackBerry device. If the BlackBerry® Enterprise Server Express receives an S/MIME-encrypted message but the BlackBerry device user did not install the S/MIME Support Package for BlackBerry smartphones, the BlackBerry Enterprise Server Express sends a message to the BlackBerry device to indicate that the BlackBerry device does not support S/MIME-encrypted messages.

After the BlackBerry device user installs the S/MIME Support Package for BlackBerry smartphones, the BlackBerry device user can synchronize and manage S/MIME certificates and S/MIME private keys using the certificate synchronization tool of the BlackBerry® Desktop Manager. The BlackBerry Enterprise Server Express does not apply an appended disclaimer to S/MIME-protected messages that the BlackBerry device user sends from the BlackBerry device. Digital signatures on S/MIME-protected messages that the BlackBerry device sends are not valid if disclaimers are appended to the messages.

To require the BlackBerry device user to use S/MIME encryption when forwarding or replying to messages, you can configure the S/MIME Force Digital Signature IT policy rule and the S/MIME Force Encrypted Messages IT policy rule.

The S/MIME Support Package for BlackBerry smartphones is also designed to support the following features:
  • encoding and decoding of Unicode messages
  • ability to use a password, which the sender and recipient each know, to encrypt S/MIME-protected email messages or PIN messages
  • ability to read S/MIME certificates that are stored on a smart card

Configure the BlackBerry Enterprise Solution to support S/MIME encryption

  1. Configure encryption options for S/MIME-protected messages on the BlackBerry® Enterprise Server Express.
  2. If required, configure the BlackBerry MDS Connection Service to retrieve certificates and the status of certificates from LDAP servers, DSML certificate servers, OCSP servers, or CRL servers.
  3. Instruct users to install the S/MIME Support Package for BlackBerry® smartphones on BlackBerry devices.
  4. Perform one of the following tasks:
    • Instruct users to add the Certificate Synchronization Manager to the BlackBerry® Desktop Manager so that the BlackBerry Desktop Manager can manage certificates for the BlackBerry devices.
    • Configure the BlackBerry Enterprise Server Express to permit users to enroll certificates over the wireless network.

Configure encryption options for S/MIME-protected messages

You can configure encryption options to control how the BlackBerry® Enterprise Server Express processes S/MIME-protected messages.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. In the Email section, click the instance that you want to change.
  3. Click Edit instance.
  4. On the Messaging tab, in the Security settings section, perform any of the following actions:
    • To require that the BlackBerry Enterprise Server Express applies S/MIME encryption itself to S/MIME-protected messages that an S/MIME-enabled application only signed or weakly encrypted (that is, encrypts those messages a second time), in the Turn on S/MIME encryption on signed and weakly encrypted messages drop-down list, click True.
    • To permit BlackBerry device users that have email applications that do not support S/MIME to read the text of an S/MIME-protected message, in the Send S/MIME messages in clear-signed format drop-down list, click True.
    • To require that the BlackBerry Enterprise Server Express deletes attachment data from any signed-only S/MIME-protected messages so that the BlackBerry Enterprise Server Express conserves bandwidth, in the Remove attachment data from signed S/MIME messages drop-down list, click True.
    • To require that the BlackBerry Enterprise Server Express sends encrypted S/MIME-protected messages using an updated MIME content-type that is in accordance with PKCS#7 instead of the default legacy MIME content-type, in the Use PKCS #7 MIME type drop-down list, click True.
  5. Click Save all.
  6. To make sure that the changes take effect immediately, perform the following actions to restart the BlackBerry Messaging Agent:
    1. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Enterprise Server.
    2. Click the BlackBerry Enterprise Server Express instance that includes the BlackBerry Messaging Agent.
    3. Click Restart instance.
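As an added example (not part of this guide or of the BlackBerry product), the following Python script shows what two of the settings above and the disclaimer note earlier in this section mean at the MIME level: a clear-signed message keeps its text readable by a client without S/MIME support, an opaque message does not and can be recognised by the legacy application/x-pkcs7-mime content type rather than the PKCS#7 application/pkcs7-mime type, and appending a disclaimer to a signed message changes the bytes the signature covers. The sample messages are constructed, with placeholder base64 blobs standing in for real CMS data.

```python
import hashlib
from email import message_from_bytes

# Constructed samples (headers trimmed); the base64 blobs are placeholders, not real CMS data.
CLEAR_SIGNED = b"""MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset=us-ascii

The quarterly numbers are attached.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBplaceholder=
--sig--
"""
OPAQUE_LEGACY = b"""MIME-Version: 1.0
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIICplaceholder=
"""


def classify_smime(raw: bytes) -> dict:
    """Which S/MIME form a message uses, whether a non-S/MIME client can read its text,
    and whether it carries the legacy x-pkcs7-mime content type instead of the PKCS#7 one."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") == "application/pkcs7-signature":
        return {"form": "clear-signed", "readable": True, "legacy_type": False}  # text part is plain MIME
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        form = "opaque/" + str(msg.get_param("smime-type") or "unknown")  # whole entity is a CMS blob
        return {"form": form, "readable": False, "legacy_type": ctype.startswith("application/x-")}
    return {"form": "not S/MIME", "readable": True, "legacy_type": False}


def signed_part_digest(raw: bytes) -> str:
    """SHA-256 over the first body part (headers included) of a multipart/signed message.
    The CMS signature covers exactly these bytes, so any later edit breaks verification."""
    msg = message_from_bytes(raw)
    return hashlib.sha256(msg.get_payload(0).as_bytes()).hexdigest()


def append_disclaimer(raw: bytes, disclaimer: str) -> bytes:
    """Mimic a mail gateway appending a disclaimer to the signed text part."""
    msg = message_from_bytes(raw)
    part = msg.get_payload(0)
    part.set_payload(part.get_payload() + "\n" + disclaimer)
    return msg.as_bytes()
```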

Turn off support for processing S/MIME-protected messages on the BlackBerry Enterprise Server Express

By default, the BlackBerry® Enterprise Server Express can process S/MIME-protected messages. You can turn off support for processing S/MIME-protected messages if the BlackBerry Enterprise Server Express experiences issues when it processes S/MIME-protected messages or if your organization does not use S/MIME encryption.

  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. In the Email section, click the instance that you want to change.
  3. On the Messaging tab, click Edit instance.
  4. In the Security settings section, in the Turn on S/MIME message processing drop-down list, click False.
  5. Click Save all.

Extending messaging security using IBM Lotus Notes encryption

By default, if your organization's environment includes the BlackBerry® Enterprise Server Express for IBM® Lotus® Domino® 5.0 SP2 or later and IBM® Lotus Notes® API 7.0 or later, a BlackBerry device can decrypt messages that are encrypted using Lotus Notes encryption.

In BlackBerry Enterprise Server Express 5.0 SP2 or later and BlackBerry® Device Software 5.0 or later, a BlackBerry device user can encrypt messages using Lotus Notes encryption. When the BlackBerry device user creates, forwards, or replies to a message, the BlackBerry device user can indicate whether the BlackBerry Enterprise Server Express must encrypt the message before it sends the message to the recipients.

To use Lotus Notes encryption on the BlackBerry device, the BlackBerry device user must import a copy of the Lotus Notes .id file into the user's message database using the BlackBerry Desktop Software or Lotus® iNotes®. If your organization's environment includes Lotus Domino 8.5.1 or later and BlackBerry Enterprise Server Express 5.0 SP2 or later, you can configure the BlackBerry Enterprise Server Express to import the Lotus Notes .id file automatically into the BlackBerry device from the Lotus Notes ID vault.

Configure BlackBerry Enterprise Server Express instances to import Lotus Notes .id files to BlackBerry devices

If your organization's environment includes IBM® Lotus® Domino® 8.5.1 or later and BlackBerry® Enterprise Server Express 5.0 SP2 or later, you can configure the BlackBerry Enterprise Server Express to export the IBM® Lotus Notes® .id file automatically from the Lotus Notes ID vault and send it to the BlackBerry device.

  1. Copy the BlackBerry Enterprise Server Express installation files to the computer that hosts a BlackBerry Enterprise Server Express instance.
  2. Extract the contents to a folder on the computer.
  3. At the command prompt, navigate to <extracted_folder>\tools.
  4. Perform one of the following actions:
    • To configure all BlackBerry Enterprise Server Express instances to import Lotus Notes .id files, type traittool.exe -global -trait EnableNNEIDFileProvisioning -set true.
    • To configure a specific BlackBerry Enterprise Server Express instance to import Lotus Notes .id files for the user accounts that you assigned to the BlackBerry Enterprise Server Express instance, type traittool.exe -server <instance_name> -trait EnableNNEIDFileProvisioning -set true, where <instance_name> is the name of the BlackBerry Enterprise Server Express instance.
  5. In the Windows® Services, restart the BlackBerry Controller service and BlackBerry Dispatcher service.

After you finish:
  • To stop a BlackBerry Enterprise Server Express from importing Lotus Notes .id files, type traittool.exe -server <instance_name> -trait EnableNNEIDFileProvisioning -set false, where <instance_name> is the name of the BlackBerry Enterprise Server Express instance.
  • To stop all BlackBerry Enterprise Server Express instances from importing the Lotus Notes .id files, type traittool.exe -global -trait EnableNNEIDFileProvisioning -set false.

Turning off support for IBM Lotus Notes encryption

To turn off support for decrypting IBM® Lotus Notes® encrypted messages and S/MIME-encrypted messages on BlackBerry® devices, users can detach their Notes .id files from their mail files using the BlackBerry® Desktop Software or IBM® Lotus® Domino® Web Access software.

For more information about turning off support for decrypting IBM Lotus Notes encrypted messages and S/MIME-encrypted messages, see the online help that is available in the BlackBerry® Desktop Software.
