Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry AtHoc
  3. 7.19
  4. Install and Configure BlackBerry AtHoc
  5. Postinstallation or upgrade configuration
  6. (Optional) Set the SSL client certificate

(Optional) Set the SSL client certificate

In installations that require SSL client certificates on the application servers, such as smart card support, IIS folders must be set to
Require
 client certificates instead of accepting client certificates.
Indications that this setting has not been made include: desktop pop-ups display one or more security prompts, the Weather Alerting Module is not functional, and integration with external systems that use the
AtHoc
 SDK APIs do not work.
To set the preference for client certificates, complete the following steps:
  1. Open the
    Internet Information Services Manager
    .
  2. Expand
    Sites
    , then expand
    Default Web Site
     or the named site. Select a Web application and open SSL Settings.
  3. Select the
    Ignore
    ,
    Accept
    , or
    Require
     option under client certificates. Use the recommendations for each folder, provided in the table below.
  4. Click
    Apply
    .
The following table provides a reference for client certificate settings for customers that use smart cards or soft certificates for client authentication to web servers.
Application or virtual directory
SSL client certificates
Aspnet_client
Require
api
Ignore
ast
Require
athoc-cdn
Require
athoc-iws
Require
AuthConfig
Ignore
CascadeAlertAgent
Require
client
1
Require
config
2
Ignore if you have desktop clients deployed. Require if not.
csi
2
Ignore if you have desktop clients deployed. Require if not.
D911Server
Require
Data
Require
DataExport
Require
Default Web Site
Require
EasyConnect
Require
EmailResponse
Require
Help
Require
Graphics
2
Ignore if you have desktop clients deployed. Require if not.
Gw
Require
Icons
Require
Images
Require
Include
Require
Integrated Weather Alerts
3
Require
monitor
Ignore if your web server monitoring solution will not work with client certificates. Require if it does.
Redirector
Require
sdk
Ignore if your custom code integration does not support client certificates. Require if it does.
SelfService
Require
Self Service/AuthWin
Require
sps
2
Ignore if you have desktop clients deployed. Require if not.
Sso
Require
Syndication
Require if your IIM devices have client certificates installed, or If no IIM devices are deployed. Ignore if not.
TwitterConfig
Require
User
Require
wis
Require
  1. BlackBerry AtHoc
     health monitors do not currently support client certificate authentication. Setting the
    client
     Web directory to “Require Client Certificates” might cause the
    BlackBerry AtHoc
     management system health monitor to falsely show that the system is down.  You should disable this monitor in this configuration.
  2. If
    config
    ,
    csi
    ,
    Graphics
    , and
    sps
     are set to “Require Client Certificates” and you have desktop clients deployed, one of two things can happen:
    • Users experience periodic prompts for client certificate pin authentication.
    • The SSL stack on the IIS web server becomes overwhelmed with SSL renegotiation issues. This condition looks like your web server is under a denial of service attack, with page loads becoming slower and eventually timing out with errors.
  3. Make sure the Symantec/Verisign certificate chain for the target system is properly represented in the Windows Certificate Manager.