Configure the Certificate Directory Lookup
The Certificate Directory Lookup service retrieves S/MIME digital certificates from the user's Microsoft Active Directory. These certificates enable email encryption and signature functionality in BlackBerry Work apps. For more information about configuring and using S/MIME on devices, see the BlackBerry Work, Tasks, and Notes Administration Guide.

- In the BlackBerry Enterprise Mobility Server Dashboard, under BlackBerry Services Configuration, click Mail.
- Click Certificate Directory Lookup.
- Optionally, select the Include expired certificates in results checkbox.
- By default, the Enable Contact Lookup checkbox and Enable GAL Lookup checkbox are selected. If you clear the Enable GAL Lookup checkbox, users can't send encrypted email messages to public distribution lists and private or personal distribution lists (for example, distribution lists in the user's contact folder).
- Optionally, select the Enable LDAP Lookup checkbox to use LDAP lookup to validate digital certificate connections to the LDAP server.
- In the LDAP Server Name field, type the name of the LDAP Server. For example, ldap.<DNS_domain_name>.
- In the LDAP Server port field, type the port number of the LDAP Server. By default, the port number is 389.
- Optionally, select the Enable SSL LDAP checkbox to tunnel data through an SSL-encrypted connection. If you enable SSL LDAP, the port number defaults to 636. This step requires you to import the LDAP certificate chain into the BEMS dashboard. For instructions, see "Upload the SSL certificate to the BEMS database" in the BEMS-Core configuration content.
- Optionally, edit the LDAP User Name Query Template field. The LDAP user name query searches for a user by their user name. BEMS replaces the "{key}" with the user name when performing the query. The default template is (&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- Optionally, in the LDAP Base DN field, provide a base DN for the LDAP search. If this field is not completed, BEMS tries to find the base DN in the namingContexts attribute.
- In the Authentication Type drop-down list, select an authentication type. By default, the Authentication Type is Anonymous.
- If you select Basic, enter the LDAP Logon User name and password. In a Microsoft Active Directory environment, enter the username in the format domain\username or User Principal Name (UPN) username@domain.
- If you selected the Enable SSL LDAP checkbox and select Client Certificate authentication, enter the keystore password and certificate file.
- Optionally, specify the timeout before the BEMS connection attempt to the LDAP server times out. In the LDAP Connection Timeout field, increase or decrease the value, in seconds, as required. The default value is 30 seconds. You can specify between zero and 300 seconds.
- Optionally, specify the timeout before the BEMS search for users and their S/MIME digital certificates from the users' Active Directory times out. In the LDAP Search Timeout field, increase or decrease the value, in seconds, as required. The default value is 30 seconds. You can specify between zero and 300 seconds.
- In the End User Email Address field, type an end-user email address to search for.
- Click Test.
- Click Save.
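To make the LDAP User Name Query Template step concrete, here is an added example (not BEMS code) that substitutes "{key}" into the default template the way the page describes, escapes the value per RFC 4515 so a typed name cannot change the filter's structure, and evaluates the resulting template against constructed sample entries, including the disabled-account exclusion. Whether BEMS itself escapes the key is not stated on the page; the escaping, the local matcher and the sample entries are assumptions of this example.

```python
# Default LDAP User Name Query Template from the page; BEMS replaces "{key}" with the user name.
DEFAULT_TEMPLATE = (
    "(&(|(mail=*{key}*)(name=*{key}*)(displayName=*{key}*)(sAMAccountName=*{key}*)"
    "(givenName=*{key}*)(sn=*{key}*))(objectClass=user)(objectCategory=person)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)
# Attributes the template's OR clause matches with a substring search.
SEARCHED_ATTRS = ("mail", "name", "displayName", "sAMAccountName", "givenName", "sn")
# userAccountControl bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) matching rule.
ACCOUNTDISABLE = 0x2

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so the key is matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_filter(key: str, template: str = DEFAULT_TEMPLATE) -> str:
    """Substitute {key} as the page describes, with the value escaped first (assumed step)."""
    return template.replace("{key}", escape_filter_value(key))

def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, i.e. the entry the template excludes."""
    return bool(user_account_control & ACCOUNTDISABLE)

def matches_default_template(entry: dict, key: str) -> bool:
    """Simplified local evaluation of the default template against one constructed
    entry; substring matches are case-insensitive, as in Active Directory."""
    key_l = key.lower()
    name_hit = any(key_l in str(entry.get(a, "")).lower() for a in SEARCHED_ATTRS)
    return (
        name_hit
        and "user" in entry.get("objectClass", ())
        and entry.get("objectCategory") == "person"
        and not is_disabled(int(entry.get("userAccountControl", 0)))
    )

# Constructed sample entries (not real directory data): one active user, one disabled.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "objectClass": ["top", "user"],
     "objectCategory": "person", "userAccountControl": 512},
    {"sAMAccountName": "jdoe.old", "mail": "jdoe.old@example.com", "objectClass": ["top", "user"],
     "objectCategory": "person", "userAccountControl": 514},  # 512 | ACCOUNTDISABLE
]

def lookup(key: str, entries=SAMPLE_ENTRIES) -> list:
    """Return the sAMAccountNames the default template would select for `key`."""
    return [e["sAMAccountName"] for e in entries if matches_default_template(e, key)]
```

The parenthesis count of the built filter stays constant whatever the key contains, which is the check to run if you customise the template and want to be sure user input cannot add or close clauses.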
If you selected Certificate authentication, you can view the certificate information. Click Certificate Directory Lookup. The following certificate information is displayed:
- Subject
- Issuer
- Validation period
- Serial number