Create an LDAP client certificate used for mutual authentication and connect to an LDAP directory
Verify that the certificates that you will upload to BlackBerry UEM (syslog and LDAP) are trustworthy and have the Basic Constraints and Key Usage extensions set. You must use mutual X.509v3 authentication for the connection between UEM and the LDAP server. The client certificate that you use must be signed by a Certificate Authority that the LDAP server trusts, and the TLS connection to the LDAP server must negotiate one of the following cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
The .pfx file that you specify in step 1 must contain only the client certificate and its private key; do not include the CA or intermediate certificates in it.
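Before loading the .pfx with KeyMaster, it is worth checking that it actually meets the rules above and that the LDAP server accepts it. The following PowerShell script is an added example and is not part of the BlackBerry UEM documentation or product; it checks that the PFX holds exactly one certificate plus its private key, that Key Usage, Basic Constraints and the Client Authentication EKU are present, that the issuing CA chain builds, and then performs a real mutual-TLS handshake on port 636 and reports the negotiated cipher suite. The PFX path, password and LDAP host name are placeholders; it assumes the Windows PKI module (Get-PfxData) is available, and the cipher suite name is only readable on PowerShell 7 or later (Windows PowerShell 5.1 reports the algorithm parts instead).

```powershell
# Added example (not BlackBerry's code): sanity-check an LDAP client PFX before loading it with
# KeyMaster, then perform the mutual-TLS handshake that UEM Core will perform against the LDAP server.
# Assumed placeholders: PFX path/password and LDAP host below. Requires the PKI module (Get-PfxData).
using namespace System.Security.Cryptography.X509Certificates

# The cipher suites the documentation requires for the UEM-to-LDAP connection.
$AllowedSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Test-LdapClientPfx {
    # Returns a list of problems; nothing returned means the PFX meets the rules on this page.
    param([string]$PfxPath, [string]$PfxPassword)

    $secret   = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
    $pfx      = Get-PfxData -FilePath $PfxPath -Password $secret
    $problems = [System.Collections.Generic.List[string]]::new()

    # Only the client certificate and its private key: no CA or intermediate certificates.
    if (@($pfx.EndEntityCertificates).Count -ne 1) {
        $problems.Add("expected exactly one end-entity certificate, found $(@($pfx.EndEntityCertificates).Count)")
        return $problems
    }
    if (@($pfx.OtherCertificates).Count -ne 0) {
        $problems.Add("PFX also carries $(@($pfx.OtherCertificates).Count) CA certificate(s); re-export without the chain")
    }
    $cert = $pfx.EndEntityCertificates[0]
    if (-not $cert.HasPrivateKey) { $problems.Add("no private key for $($cert.Subject)") }

    # Key Usage must be present and allow digitalSignature, which is what TLS client authentication uses.
    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $ku) { $problems.Add('Key Usage extension missing') }
    elseif (($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature) -eq 0) { $problems.Add('Key Usage lacks digitalSignature') }

    # Basic Constraints must be present and mark this as an end-entity certificate, not a CA.
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    if (-not $bc) { $problems.Add('Basic Constraints extension missing') }
    elseif ($bc.CertificateAuthority) { $problems.Add('certificate is marked CA=TRUE; a client certificate must not be a CA') }

    # Extended Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
        $problems.Add('Extended Key Usage does not include Client Authentication')
    }

    # The issuing CA must be trusted on this host; whether the LDAP server trusts it is proven only by the handshake below.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems.Add('chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
    }
    return $problems
}

function Test-LdapMutualTls {
    # LDAPS handshake with the client certificate offered. TLS 1.2 is pinned because the three
    # required suites are TLS 1.2 suites; the server certificate is validated against the machine store.
    param([string]$LdapHost, [int]$Port = 636, [X509Certificate2]$ClientCert)

    $tcp = [System.Net.Sockets.TcpClient]::new($LdapHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $clientCerts = [X509CertificateCollection]::new()
        [void]$clientCerts.Add($ClientCert)
        $ssl.AuthenticateAsClient($LdapHost, $clientCerts, [System.Security.Authentication.SslProtocols]::Tls12, $true)

        # NegotiatedCipherSuite exists on PowerShell 7 (.NET Core); Windows PowerShell 5.1 only exposes the parts.
        $suite = if ($ssl.PSObject.Properties['NegotiatedCipherSuite']) { [string]$ssl.NegotiatedCipherSuite } else { $null }
        $label = if ($suite) { $suite } else { "$($ssl.KeyExchangeAlgorithm)/$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)/$($ssl.HashAlgorithm)" }
        $ok    = if ($suite) { $AllowedSuites -contains $suite } else { 'unknown: run under PowerShell 7+ to read the suite name' }
        # IsMutuallyAuthenticated is false when the server never requested a client certificate.
        [pscustomobject]@{
            Server                = "$LdapHost`:$Port"
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
            CipherSuite           = $label
            SuiteAllowed          = $ok
        }
        $ssl.Dispose()
    } finally { $tcp.Close() }
}

# Placeholders (assumptions, not values from the UEM documentation).
$PfxPath     = 'C:\Users\Administrator\Desktop\LDAP_Info\ldapClientCert\clientauth.pfx'
$PfxPassword = 'password'
$LdapHost    = 'ldap.example.com'

$issues = @(Test-LdapClientPfx -PfxPath $PfxPath -PfxPassword $PfxPassword)
if ($issues.Count) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'fix the PFX before loading it with KeyMaster'
}
$clientCert = [X509Certificate2]::new($PfxPath, $PfxPassword)
Test-LdapMutualTls -LdapHost $LdapHost -ClientCert $clientCert | Format-List
```

Run it on the UEM server as the account that will run KeyMaster, so the chain check uses the same trust store. A result of MutuallyAuthenticated = False with a successful handshake means the LDAP server is not requesting client certificates at all, which is a server-side configuration problem rather than a certificate problem; a SuiteAllowed = False result means the server (or its TLS policy) is preferring a suite outside the list above and needs adjusting before UEM will connect.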
- To upload an LDAP client certificate to use when you are connecting to an LDAP directory, in a batch file, type the following (replace the keystore path and password with your own values):

    REM UEM installation root
    SET BESRoot=C:\Program Files\BlackBerry\UEM
    REM PFX containing only the LDAP client certificate and its private key
    SET KEYSTORE_PATH=C:\Users\Administrator\Desktop\LDAP_Info\ldapClientCert\clientauth.pfx
    SET KEYSTORE_PASSWORD=password
    java -cp "%BESRoot%\tools\lib\*" --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-exports java.base/sun.security.provider.certpath=ALL-UNNAMED -Djava.library.path="%BESRoot%\tools\lib\dll\x64" com.rim.platform.mdm.keymaster.KeyMaster -keystore "%KEYSTORE_PATH%" -password "%KEYSTORE_PASSWORD%" load -keystoreType DIRECTORY -BESRoot "%BESRoot%"
- Restart the UEM Core service.
- Log in to the UEM management console.
- Navigate to Settings > External Integration > Company Directory.
- When you configure the LDAP directory, enable SSL and import the trusted CA certificate (not a private key or PFX file).
- Click Save.