Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

New Contributor
pchoi
Posts: 4
Registered: 03-26-2013
My Device: Z10
My Carrier: TMOBILE

Certificate based authentication

Trying to figure out how to enable certificate-based authentication for SCEP profiles. The BDS install document only states that you can use this setting, but doesn't explain how. Do we have to buy something from a CA? I contacted a lot of CAs (Symantec, Entrust, DigiCert) and they all say they don't support BB10. Can anyone help shed some light on how to go about this?


Thank you

Super Contributor
swotam
Posts: 323
Registered: 05-10-2011
My Device: Z10

Re: Certificate based authentication

It's all very vague in their documentation and they provide little in the way of assistance in figuring out how to use this, but basically you would need to have your own CA configured (i.e. Microsoft AD CA) to use SCEP. Once this is done you would configure the SCEP profiles to interact with this server.

I've been trying to figure it out myself, including directly asking some RIM staff at their events, and everyone seems very unclear as to what actually needs to be done.

IMO this is an area where BB really needs to step up and provide some examples of how you would set this up, perhaps with some example walkthroughs using a couple of the more popular CAs on the market.

This isn't a service that's offered by companies like Symantec, Entrust, etc. You need to have your own certificate infrastructure in place so that it can be used with SCEP to generate certificates that the devices will use.
----------
BESX 5.0.4, SQL 2008, Exchange 2010 SP2 RU4a
New Contributor
pchoi
Posts: 4
Registered: 03-26-2013
My Device: Z10
My Carrier: TMOBILE

Re: Certificate based authentication

I agree. I ran across this issue when my Active Directory password expired. Didn't know I had to manually change the Z10 Exchange ActiveSync password. When I spoke to BB support, they were unclear as to how to proceed. Users managing AD are going to have to consider these points. The Z10 is basically an additional workstation on their network now.

BlackBerry Technical Advisor
-BD-
Posts: 487
Registered: 05-15-2008
My Device: Z10
My Carrier: Rogers

Re: Certificate based authentication


swotam wrote:

I've been trying to figure it out myself, including directly asking some RIM staff at their events, and everyone seems very unclear as to what actually needs to be done.

What questions are you trying to get answered?

Super Contributor
swotam
Posts: 323
Registered: 05-10-2011
My Device: Z10

Re: Certificate based authentication

I had asked one of the senior enterprise product managers if they had any documentation or examples of how you might configure BES10 SCEP profiles with a Microsoft CA. I specifically gave examples of what we wanted to do in our environment, and his response was "use SCEP", which is fine; however, they weren't able to provide much clarity as to how you might actually get the two talking to each other.

My main complaint regarding the way they've handled this is that all they really say in their documents is "use SCEP" but they don't really provide any examples of how someone who is unfamiliar with the concept might get it up and running. As the OP indicates, they don't even really understand what SCEP is or how it might be implemented.

I've reviewed the Microsoft info on NDES, but it would be very helpful if RIM was able to provide more detail on SCEP, what it is for, how you can utilize it within BES10, and perhaps provide some example whitepapers regarding how you might implement this in an enterprise environment.
----------
BESX 5.0.4, SQL 2008, Exchange 2010 SP2 RU4a
New Contributor
pchoi
Posts: 4
Registered: 03-26-2013
My Device: Z10
My Carrier: TMOBILE

Re: Certificate based authentication

I asked an Exchange colleague about this, they recommend we set up an Internal CA.

Check this out:

Certificate-based authentication, from the Exchange team blog:

http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-fo...

Requires some infrastructure:

http://www.buchatech.com/2010/07/setup-configure-a-certificate-authority-on-windows-server-2008/

BlackBerry Technical Advisor
-BD-
Posts: 487
Registered: 05-15-2008
My Device: Z10
My Carrier: Rogers

Re: Certificate based authentication

swotam wrote:
I had asked one of the senior enterprise product managers if they had any documentation or examples of how you might configure BES10 SCEP profiles with a Microsoft CA. I specifically gave examples of what we wanted to do in our environment and his response was "use SCEP" which is fine, however they weren't able to provide much clarity as to how you might actually get the two talking to each other.

My main complaint regarding the way they've handled this is that all they really say in their documents is "use SCEP" but they don't really provide any examples of how someone who is unfamiliar with the concept might get it up and running. As the OP indicates, they don't even really understand what SCEP is or how it might be implemented.

I've reviewed the Microsoft info on NDES, but it would be very helpful if RIM was able to provide more detail on SCEP, what it is for, how you can utilize it within BES10, and perhaps provide some example whitepapers regarding how you might implement this in an enterprise environment.

I get where you're coming from, but I've never seen BlackBerry write a whitepaper for somebody else's product. Microsoft, however, has written a whitepaper for their version of SCEP (NDES).

Here's a basic dataflow of how SCEP is utilized in BDS:

When a user activates their device the BDS server will push out the SCEP profile (minus the challenge key) to the device. The challenge key is left on the server because it doesn't expire and is reusable, so it doesn't get sent outside of your network. The device will read the profile and generate the CSR (certificate signing request). It then sends the CSR back to the BDS server where the challenge key is added to it. BDS then submits the CSR to the SCEP service URL and gets the certificate issued. The completed certificate is then sent out to the device from BDS.

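For readers who, like swotam, have to stand up their own CA before SCEP is usable at all, here is an added single-host model of the enrolment dataflow -BD- describes. It is not code from the thread, from BlackBerry or from Microsoft: the device, the management server and the CA are plain shell functions driven by the openssl CLI, the CA is a throw-away self-signed one standing in for an enterprise CA or NDES, and the subject name, CA name and challenge value are constructed placeholders. One detail the model makes visible: the SCEP challengePassword is a PKCS#10 attribute inside the signed part of the request, so it has to be present at the moment the request is signed, which is why the server role here is the one that assembles the request from the device's key and the server-held challenge.

```shell
#!/bin/sh
# Added example: a single-host model of the enrolment described in the thread,
# using only the openssl CLI. Device, management server and CA are plain shell
# functions; the subject, CA name and challenge value are constructed for the
# demo and the "CA" is a throw-away self-signed one, not NDES or BES10.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Server-held secret. In the post's flow this stays on the server; the profile
# pushed to the device omits it. Placeholder value, not a real challenge.
CHALLENGE="demo-challenge-NOT-a-real-one"

# Device: create the key pair. The private key never leaves the device.
device_make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/device.key" 2>/dev/null
}

# Server: build the PKCS#10 request that goes to the CA. challengePassword is
# an attribute inside the signed part of the request, so it must be present
# when the request is signed; this is where the server-held value joins the
# device's key and subject.
server_build_csr() {
    cat > "$WORK/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
attributes = req_attrs
[ dn ]
CN = z10-demo-device
O = Example Corp
[ req_attrs ]
challengePassword = $CHALLENGE
EOF
    openssl req -new -key "$WORK/device.key" -config "$WORK/req.cnf" \
        -out "$WORK/device.csr" 2>/dev/null
}

# CA: a self-signed issuing certificate standing in for the enterprise CA.
ca_setup() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Toy CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CA: what a SCEP service such as NDES does before issuing: confirm that the
# request carries the expected challengePassword, then sign it.
ca_issue() {
    csr_challenge="$(openssl req -in "$WORK/device.csr" -noout -text \
        | sed -n 's/^ *challengePassword *:\(.*\)$/\1/p')"
    if [ "$csr_challenge" != "$CHALLENGE" ]; then
        echo "CA: challengePassword missing or wrong, refusing to issue" >&2
        return 1
    fi
    openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/device.crt" 2>/dev/null
}

# The whole flow: device key -> server-assembled CSR -> CA check and issue.
run_enrolment() {
    device_make_key
    server_build_csr
    ca_setup
    ca_issue
}

# Checks on the artefacts: the challenge is in the request, is NOT in the
# issued certificate, and the certificate chains to the CA.
csr_carries_challenge() {
    openssl req -in "$WORK/device.csr" -noout -text | grep -q challengePassword
}
cert_carries_challenge() {
    openssl x509 -in "$WORK/device.crt" -noout -text | grep -q challengePassword
}
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1
}

run_enrolment
openssl x509 -in "$WORK/device.crt" -noout -subject -issuer
```

Run it as `sh scep-demo.sh`; it prints the subject and issuer of the certificate the toy CA issued. The point worth keeping from the model is the one -BD- makes: the challenge is the reusable, non-expiring secret, so the only place it should ever be readable is the server that talks to the CA, and the issued certificate (check with `cert_carries_challenge`) never contains it.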