BlackBerry Forums Support Community               

09-14-2006, 02:58 AM   #1
Knows Where the Search Button Is
 
Join Date: Jan 2006
Model: 9800
Carrier: T-Mobile
Posts: 31
Experiences with S/MIME

Hi Everyone!

We are currently testing a PKI / S/MIME environment and considering rolling it out.

What types of experiences have you had with the package and what should be considered?

Thanks in advance!
09-14-2006, 10:01 PM   #2
Knows Where the Search Button Is
 
Join Date: Nov 2005
Model: 7290
Posts: 32

There's a 4.0 and a 4.1 version of the S/MIME package for the handheld. 2003 DCs don't have anonymous LDAP queries allowed by default.
Where's your CRL? Or OCSP for verification? Local?
Do you have multiple domains? Check your base query to make sure every user you want to get the usercertificate attribute for is not above the base query. For example, dc=blackberryforums,dc=com in the query.

Note you can set up certificate sync to get certs on the handheld (that's the customer Desktop Manager install). You can configure your queries from the handheld, or set it to default and use your MDS settings...

If there are specific questions, it would not be so random. But, just some things to consider.
09-14-2006, 10:44 PM   #3
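The "base query" check from post #2 (every user whose usercertificate you want must sit below the search base) can be scripted. This is an added example, not code from the thread or from RIM; the DNs are constructed, the function names are my own, and it goes slightly beyond the post by also modelling the search scope (base/one/sub):

```python
# Added example: verify that the LDAP search base the handheld or MDS will
# query for userCertificate actually covers every user. Sample DNs are constructed.
import re

# Constructed sample user DNs: one under OU=Sales, one in a different domain,
# one under OU=Eng with an escaped comma in its CN.
SAMPLE_USERS = [
    'CN=Alice,OU=Sales,DC=blackberryforums,DC=com',
    'CN=Bob,OU=Sales,DC=corp,DC=example,DC=com',
    'CN=Carol\\, Carol,OU=Eng,DC=blackberryforums,DC=com',
]

def parse_dn(dn):
    """Split an RFC 4514 style DN into [(type, value), ...].
    Honours '\\,' escapes inside values and lower-cases everything so that
    comparisons are not sensitive to how the admin typed the base DN."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):          # split on unescaped commas
        attr, _, value = rdn.partition('=')
        rdns.append((attr.strip().lower(),
                     value.strip().lower().replace('\\,', ',')))
    return rdns

def is_under_base(user_dn, base_dn, scope='sub'):
    """True if a search rooted at base_dn with the given scope
    ('base', 'one' or 'sub') could return user_dn.
    Caveat: a DN that lives in another domain's naming context (e.g. a
    child domain) is only returned by a server that holds that partition,
    so this DN suffix test is necessary but not sufficient for multi-domain
    forests."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    if len(user) < len(base) or user[-len(base):] != base:
        return False                      # user is outside (or above) the base
    depth = len(user) - len(base)         # RDNs between the base and the user
    return {'base': depth == 0, 'one': depth == 1, 'sub': True}[scope]

def users_outside_base(user_dns, base_dn, scope='sub'):
    """Return the DNs that the configured base query would never find."""
    return [dn for dn in user_dns if not is_under_base(dn, base_dn, scope)]

if __name__ == '__main__':
    for base in ('DC=blackberryforums,DC=com', 'OU=Sales,DC=blackberryforums,DC=com'):
        missed = users_outside_base(SAMPLE_USERS, base)
        print(f'base {base!r}: {len(missed)} user(s) not reachable -> {missed}')
```

Run it before pointing the handheld LDAP settings at a base DN; any user listed as not reachable will never have a certificate found by the query.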
BlackBerry God
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310

Is the S/MIME support package required if you downloaded the desktop/client-side application and configured it from there? Just something I've been personally wondering.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
09-15-2006, 03:36 AM   #4
Knows Where the Search Button Is
 
Join Date: Jan 2006
Model: 9800
Carrier: T-Mobile
Posts: 31

Many thanks for the input.

In the test environment we have a 4.1 BES setup with MDS running and are testing devices with 4.0 and 4.1. For test purposes the CRL is located locally at the moment.

Thanks for the info about the 2003 LDAP queries. It took a little bit of playing around to figure out that anonymous wasn't allowed by default. Somehow, when using the "default" LDAP server settings on the devices, we receive an error. Maybe it is due to the simple authentication which is currently required on the 2003 DC. There does not seem to be a setting on the MDS which handles this (authentication type)? When defining the settings for the LDAP server directly on the device instead of using the default, it works fine.

Surprisingly enough, there does not appear to be a predefined IT Policy template which would allow pushing the settings for LDAP, CRL, etc. This would certainly be a big help if it were available.

@jibi: I am not too sure if I understand your question directly, but the S/MIME package must be installed via the Desktop Manager (application loader) on every device which uses S/MIME encryption. There appears to be no possibility of pushing it OTA.

One thing I was wondering is if there are any advantages to upgrading all BESs to 4.1 prior to deploying S/MIME, or if it would be OK to continue using the 4.0 servers?

Thanks again!
09-17-2006, 08:15 PM   #5
Knows Where the Search Button Is
 
Join Date: Nov 2005
Model: 7290
Posts: 32

Currently there is no way to configure MDS to authenticate. The only thing you could do is install an LDAP proxy. For example, google sourceforge.net and "ldap proxy". You put it on a Linux box, but it's very configurable and auth is supported. Also, I agree that your error is because you can't authenticate the LDAP query. If you used an LDAP browser, or LDP, and just opened it up without authenticating and viewed the "tree," you'd see that what is allowed is much more restricted.

If you don't want your users to have to authenticate, or think much... check out that LDAP proxy. It's pretty slick and you can just point LDAP queries to the proxy. The only thing I've found (and I'm not an expert on the LDAP proxy, I just installed it and got it going for fun) is that you can only search on the handheld by email address. If you test it out, you'll see what I mean.

There is no IT Policy for LDAP and CRL... I also don't think there is an easy way to push those out (unfortunately).

I can't see there being an issue running a 4.1/4.0 mixed with S/MIME. I think you should be fine... also, I can't see any advantages from a functionality perspective at all.

One more thing.... if you are using a CRL that's external and you need to pass a proxy, you will have some trouble. MDS doesn't pass the proxy settings to the CRL or OCSP. You'll either have to download it internally (a script that does that, or whatever), or stick in the LDAP proxy (which I believe you'll be able to do this with).
09-18-2006, 03:14 AM   #6
Knows Where the Search Button Is
 
Join Date: Jan 2006
Model: 9800
Carrier: T-Mobile
Posts: 31

Great Stuff!!!

Thanks for the Info!!
11-20-2006, 10:00 AM   #7
Knows Where the Search Button Is
 
Join Date: Aug 2006
Model: 8100
Carrier: Telecom Personal
Posts: 46

Great info, thanks.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.