[Max_MBit]

Hi Everyone!

We are currently testing a PKI / SMIME enviroment and considering rolling it out.

What types of experiences have you had with the package and what should be considered?

Thanks in advance!

[blablabla13]

there's a 4.0 and 4.1 version of the SMIME for the handheld. 2003 DC's don't have anonymous LDAP queries allowed by default.
Where's your CRL? Or, OCSP for verification? Local?
Do you have multiple domains? Check your base query to make sure every user you want to get usercertificate attribute is not above base query. For example dc=blackberryforums,dc=com in query.

Note you can setup certificate sync to get certs on the handheld(that's customer Desktop manager install). You can configure your queries from the handheld, or set it to default and use your MDS settings...

if there are specific questions, it would not be so random. But, just somethings to consider.

[jibi]

is the S/MIME support package required if you downloaded the desktop/client-side application and configured it from there? just something i've been personally wondering

[Max_MBit]

Many thanks for the input.

In the test enviroment we have a 4.1 Bes setup with MDS running and are testing devices with 4.0 and 4.1. For test purposes the CRL is located locally at the moment.

Thanx for the info about the 2003 ldap queries. It took a little bit of playing around to figure out that anonymous wasn't allowed by default. Somehow when using the "default" LDAP server settings on the devces, we receive an error. Maybe it is due to the simple authentication which is currently required on the 2003 DC. There does not seem to be a setting on the MDS which handles this (authentication type)? When defining the settings for the ldap server directly on the device instead of using the default, it works fine.

Surprisingly enough, there does not appear to be an predefined IT Policy Template which would allow pushing the setting for LDAP, CRL, etc. This would certainly be a big help if it were available.

@jibi; I am not to sure if I understand your question directly, but the S/MIME package mut be installed via the desktop manager (application launcher) on every device which uses S/MIME encryption. There appears to be no possibilty of pushing it OTA.

One thing I was wondering is if there are any advantages to upgrading all BESs to 4.1 prior to deploying S/MIME or it would be ok to continue using the 4.0 servers?

Thanks again!

[blablabla13]

Currently there is no way to configure MDS to authenticate. The only thing you could do is install and LDAP proxy. For example, google sourceforge.net and ldap proxy. You put it on a Lynux box, but it's very conifurable and auth is supported. Also, i agree that your error is because you can't authenticate the LDAP query. If you used an LDAP browser, or LDP, just open up without authenticating, view the "tree," you'll see what is allowed is much more restricted.

If you don't want your users to have to authenticate, or think much...check out that LDAP proxy. It's pretty slick and you can just point LDAP queries to the proxy. The only thing I've found (and I'm not an expert on the LDAP proxy, I just installed it and got it going for fun). You can only search on the handheld by email address. If you test it out, you'll see what I mean.

There is no IT Policy for LDAP and CRL... I also, don't think there is an easy way to push those out (unfortunately.)

I can't see there being an issue running a 4.1/4.0 mixed with S/MIME. I think you should be fine... also, I can't see any advantages from a functionality perspective at all.

One more thing.... if you are using a CRL that's external and you need to pass a proxy, you will have some trouble. MDS doesn't pass the proxy settings to the CRL or OCSP. You'll either have to download it internally (an script that or whatever) Or, stick in the LDAP proxy (which I believe you'll be able to do this with).

[Max_MBit]

Great Stuff!!!

Thanks for the Info!!

[homeroarg]

Great info, thanks