Configuring a BlackBerry MDS Connection Service to trust web servers

You can configure the BlackBerry® MDS Connection Service to permit BlackBerry devices to pull application data and updates from trusted or untrusted web servers. If you want to open trusted connections between web servers and the BlackBerry MDS Connection Service, you must import the certificate for the web server into the JRE™ certificates keystore file (JRE cacerts).

The BlackBerry MDS Connection Service supports LDAP, OCSP, and CRL to retrieve certificates and certificate status, and HTTPS and SSL/TLS for connections that use trusted certificates.

Specify whether the BlackBerry MDS Connection Service requires trusted HTTPS connections from web servers

  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the HTTPS tab, in the Name field, type the name of a web server.
  5. In the Service URL field, type the regular expression for the web address of the web server. For example, type * to represent all web servers, or type https://<domain>.com* to specify all web servers in a specific domain. For more information about regular expressions in Java®, visit java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html and java.sun.com/docs/books/tutorial/essential/regex/literals.html.
  6. In the Settings section, in the Allow untrusted servers drop-down list, perform one of the following actions:
    • To permit only trusted HTTPS connections from the web server, click No.
    • To permit untrusted HTTPS connections from the web server, click Yes.
  7. Click the Add icon.
  8. Repeat steps 4 to 7 for each web server that you want to specify.
  9. Click Save all.
After you finish: Restart the BlackBerry MDS Connection Service.

Specify whether the BlackBerry MDS Connection Service requires trusted TLS connections from web servers

  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the TLS tab, in the Name field, type the name of a web server.
  5. In the Service URL field, type the regular expression for the web address of the web server.
  6. In the Settings section, in the Allow untrusted servers drop-down list, perform one of the following actions:
    • To permit only trusted TLS connections from the web server, click No.
    • To permit untrusted TLS connections from the web server, click Yes.
  7. Click the Add icon.
  8. Repeat steps 4 to 7 for each web server that you want to specify.
  9. Click Save all.
After you finish: Restart the BlackBerry MDS Connection Service.

Configuring certificate server information for the BlackBerry MDS Connection Service

The BlackBerry® MDS Connection Service self-signed certificate permits push applications to make HTTPS connections to the BlackBerry MDS Connection Service. You can configure the BlackBerry MDS Connection Service to search for and retrieve certificates and the status of the certificates that external web servers use for HTTPS connections.

You can configure and manage the order of multiple LDAP, OCSP, and CRL servers for the BlackBerry MDS Connection Service. If a BlackBerry device requests certificate information from a server, the certificate information for all of the servers that you configure is combined in the result. For example, if you search for an LDAP server certificate, all of the server certificate information is displayed in the same order that the LDAP server appears in the list of servers. If you search for an OCSP or CRL server certificate, the order of the servers does not matter, because each server creates a prioritized list automatically.

For more information about certificates, see the BlackBerry Enterprise Solution Security Technical Overview.

Configure the LDAP servers that the BlackBerry MDS Connection Service uses to retrieve certificates for web servers

You can create a user name and password for the BlackBerry® MDS Connection Service so that it can authenticate to LDAP servers on behalf of BlackBerry devices.

If you change the LDAP port number or host server information, you must stop and restart the BlackBerry MDS Connection Service so that the BlackBerry MDS Connection Service can use the new information immediately.

  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the LDAP tab, click Edit component.
  4. In the LDAP Service Information section, perform one of the following tasks:

    • Create an LDAP server configuration.
      1. Type the LDAP server name and the web address of the server.
      2. In the Settings section, configure the LDAP server settings.
      3. Click the Add icon.
    • Change an existing LDAP server configuration.
      1. Click the Edit icon beside the LDAP server.
      2. In the Settings section, change the LDAP server settings.
      3. Click the Accept icon.
  5. Click Save All.
After you finish: To configure the BlackBerry MDS Connection Service to retrieve the status of the certificates for the web servers, configure the OCSP and CRL server information.

Configure the OCSP servers that the BlackBerry MDS Connection Service uses to retrieve the status of certificates for web servers

You can configure the BlackBerry® MDS Connection Service to authenticate to OCSP servers on behalf of BlackBerry devices and to retrieve the status of the certificates for web servers.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the OCSP tab, click Edit component.
  4. In the Protocol Service Information section, perform the following actions:
    • Configure the BlackBerry MDS Connection Service to accept OCSP servers that BlackBerry devices specify.
    • Configure the OCSP handler to use the OCSP responder extension in a certificate.

  5. Perform one of the following tasks:

    • Create an OCSP server configuration.
      1. Type the OCSP server name and the web address of the server.
      2. Click the Add icon.
    • Change an existing OCSP server configuration.
      1. Click the Edit icon beside the OCSP server.
      2. In the Settings section, type a user name and password.
      3. Click the Accept icon.
  6. Click Save All.

Configure the CRL servers that the BlackBerry MDS Connection Service uses to retrieve the status of the certificates for web servers

You can configure the BlackBerry® MDS Connection Service to authenticate to CRL servers on behalf of BlackBerry devices and to retrieve the status of the certificates for web servers.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. On the CRL tab, click Edit component.
  4. In the Protocol Service Information section, perform the following actions:
    • Configure the BlackBerry MDS Connection Service to accept CRL servers that BlackBerry devices specify.
    • Configure the CRL handler to use the CRL responder extension in a certificate.

  5. Perform one of the following tasks:

    • Create a CRL server configuration.
      1. Type the CRL server name and the web address of the server.
      2. Click the Add icon.
    • Change an existing CRL server configuration.
      1. Click the Edit icon beside the CRL server.
      2. In the Settings section, type a user name and password.
      3. Click the Accept icon.
  6. Click Save All.

Add communication information to a BlackBerry MDS Connection Service configuration set

A BlackBerry® MDS Connection Service configuration set is a collection of service configurations that the BlackBerry MDS Connection Service instances in your organization can use to communicate with a remote file system, LDAP server, CRL server, OCSP server, or certificate authority. You must add the communication information that the BlackBerry MDS Connection Service requires to communicate with servers to a configuration set so that a BlackBerry MDS Connection Service instance can communicate with the servers after you assign the configuration set to the instance.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the Configuration sets tab, perform one of the following actions:
    • To create a configuration set, in the Configuration set name section, type a name and description for the configuration set.
    • To change an existing configuration set, click the Edit icon.
  5. In the Priority Service group drop-down list, click the name of the service that you want to configure the communication method for.
  6. In the Service (Name : Description) drop-down list, click the name of the communication method that you want to configure.
  7. Click the Add icon.
  8. To specify the communication method that the BlackBerry MDS Connection Service should try first to connect to the server, click the Up and Down icons. The order of communication methods that you configure applies to LDAP, OCSP, and file communication methods individually. The order permits the BlackBerry MDS Connection Service to resolve conflicts between domains if you created multiple communication methods for a specific URL.
  9. Perform one of the following actions:
    • To add a new configuration set, click the Add icon.
    • To update an existing configuration set, click the Update icon.
  10. Click Save all.
After you finish:
  • To confirm your changes, click the View icon.
  • Assign the configuration set to a BlackBerry MDS Connection Service.

Assign a BlackBerry MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance

You can assign a BlackBerry® MDS Connection Service configuration set to a BlackBerry MDS Connection Service instance so that users can access documents on remote file systems from the BlackBerry® devices, the BlackBerry MDS Connection Service can check certificates and certificate status from LDAP servers, CRL servers, or OCSP servers, or the BlackBerry MDS Connection Service can send certificate requests to a certificate authority.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click the instance that you want to change.
  4. Click Edit instance.
  5. On the Component configuration sets tab, in the Available component configuration sets section, in the Service configuration sets drop-down list, click the configuration set that you want to assign to the BlackBerry MDS Connection Service instance.
  6. Click Save all.
  7. To restart the BlackBerry MDS Connection Service instance, on the Instance information tab, in the Status list, click Restart instance.
  8. To assign the BlackBerry MDS Connection Service configuration set to another BlackBerry MDS Connection Service instance, complete steps 3 to 7.

Add a retrieved certificate for a web server to the key store

You can use the Java® keytool to add a certificate for a web server to the BlackBerry® MDS Connection Service key store. The certificate permits the BlackBerry MDS Connection Service to connect to the trusted web server.
  1. Save the certificate from a secure web site to a .cer file.
  2. On the computer that hosts the BlackBerry MDS Connection Service, copy the .cer file to <drive>:\Program Files\Java\<JRE_version>\lib\security.
  3. At a command prompt, navigate to <drive>:\Program Files\Java\<JRE_version>\bin.
  4. Type keytool -import -trustcacerts -alias <alias_name> -file <cert_filename> -keystore cacerts.
  5. Type the key store password.
  6. To add the certificate to the key store, at the command prompt, type Yes.
After you finish: For more information about using the Java keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html.
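
The import procedure above, as an added PowerShell example (not from the original page or from BlackBerry): it checks the saved .cer file against a fingerprint obtained out of band, prints the OCSP and CRL pointers that relate to the OCSP and CRL handler settings described earlier, and then runs the same keytool command with explicit paths to the key store in lib\security. The script parameters, the expected-fingerprint check, and the backup copy are assumptions of this example.

```powershell
# Added example: the parameters and the fingerprint check are assumptions, not BlackBerry tooling.
param(
    [Parameter(Mandatory = $true)] [string] $JreHome,        # <drive>:\Program Files\Java\<JRE_version>
    [Parameter(Mandatory = $true)] [string] $CertFile,       # the .cer file saved in step 1
    [Parameter(Mandatory = $true)] [string] $Alias,          # <alias_name> for the new key store entry
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256  # fingerprint confirmed with the web server owner
)
$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $JreHome 'bin\keytool.exe'
$keystore = Join-Path $JreHome 'lib\security\cacerts'
$certPath = (Resolve-Path -LiteralPath $CertFile).Path

# 1. Load the certificate and compare its SHA-256 fingerprint with the expected value.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$wanted = $ExpectedSha256 -replace '[^0-9A-Fa-f]', ''
if ($actual -ne $wanted) {
    throw "Fingerprint mismatch: file has $actual, expected $wanted. Not importing."
}

# 2. Refuse certificates that are not yet valid or already expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"

# 3. Show where the certificate says its status can be checked:
#    Authority Information Access (OCSP responder) and CRL Distribution Points.
foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true) }
    else      { "Extension $oid is not present in this certificate." }
}

# 4. Back up cacerts, then run the import from step 4 with explicit paths.
#    keytool prompts for the key store password and for confirmation (steps 5 and 6).
Copy-Item -LiteralPath $keystore -Destination "$keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"
& $keytool -import -trustcacerts -alias $Alias -file $certPath -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE." }

# 5. Confirm the entry exists; keytool prints the stored certificate's fingerprints for comparison.
& $keytool -list -v -alias $Alias -keystore $keystore
```

Run the script from an elevated prompt, because the key store is under Program Files.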
