
BlackBerry® Enterprise Service 10

Contributor
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Configuring SCEP server with BB10

Dear All,

 

I am trying to set up our SCEP server with our BB10.2 servers.

 

I have created the SCEP Profile

I have assigned the SCEP profile to the users

 

It's not working. Users still need to change their AD passwords on the devices (Z10).

 

I am now reading that we need to set up a shared folder to be used as a shared drive including the root certificate.

I have created a shared folder on NetApp, and gave it the right permission (BB10 service account and SCEP service account in both read and write).

I can access the share directly through Windows Explorer on the BB10 servers using the service accounts, but when I try to set it up in the BB Administration Service console, it returns the following error:

 

BlackBerry Administration Service shared network drive that you specified cannot be accessed. Please specify a valid file path.

 

I can't find any documentation for this... Could anyone help? Am I missing something here?

Also, if there is any doc on this, I would really appreciate it if someone could link it here.

 

Thanks!

 

All the best,

Contributor
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: Configuring SCEP server with BB10

Hi.

Would you consider trying to create the share on the BDS server? Give it a try instead of using the NetApp.

 

Contributor
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

[ Edited ]

Hi,

 

Yes, it works like this...

However, what if the server goes down? ...I have a secondary server as failover, but the share won't synchronize on both.

 

EDIT:

I don't get it... I tested a few things:

1. I entered the direct link to the NetApp server in the field -> same result

2. I created a share locally on the BB10 server with the same permissions -> worked fine

3. Created a share on my local PC again, with the same permissions --> "unable to write"

 

Which account does the server try to access this folder/drive? 

Contributor
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: Configuring SCEP server with BB10

Good question,

 

Perhaps it is using a Local permission like "SYSTEM" or the local Admin group.

On my share, in file folder permissions I have "SYSTEM", the BES account, and "Administrators".

 

As for what if the server goes down, you could create a scheduled task to copy contents to the secondary server daily.  That should be sufficient.  If you want more realtime updating to the secondary server, using Robocopy with the -mir option would ensure instant copy. It's not a built in BlackBerry solution, but it would work.

 

For us, we just back up the folder to our backup system.  It contains root certificates and internal applications as well as background images for the Workspace.  The data would not take long to restore.

 

 

Contributor
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Thanks for your answer.

 

I managed to get it to work.

By testing different setups on my local machine, I figured out that BAS doesn't handle group permissions so well. Giving the service account (as a user, not as a member of a group) the read & write permission on the NetApp solved the issue.

 

Now, even the DFS address works.

 

 

Contributor
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Sorry, I am double-posting...

 

It seems to be working now (when I change passwords in AD, the BlackBerry can still receive email).

But I don't get "how" it works.

 

On the Z10, under settings, when I check "certificates", I don't see the Root certificate I have copied to the folder on my shared drive.

 

So, how does it work? ...what is the flow of the certificate authentication on the BB10?

 

Seriously, isn't it documented anywhere? I didn't find ANYTHING on this except a few topics on the forum.

 

Thanks,

 

 

Contributor
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: Configuring SCEP server with BB10

I concur that it is not properly documented on how to do this. 

 

And, it is kind of SCEP related so not really a double post :)

 

I did find help somewhere in the BlackBerry documents but I needed more information, so Google was and is my best friend.

 

I did document how I got it to work.  I will post something hopefully before end of day.

 

 

Contributor
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: Configuring SCEP server with BB10

 

Checking my notes, in the BES10 Administration guide, page 144 or so, it talks about Sending Certificates to Devices.
But not much detail.

 

I found this page which explains how to make a .PEM file:

http://www.digicert.com/ssl-support/pem-ssl-creation.htm

Basically a PEM file is a text file that is comprised of the contents of one or more certificates in your chain.

1. I logged onto my internal CA. I downloaded the Base64 version of "CA Certificate" as well as the "CA Certificate Chain". This gives you a .cer file and a .p7b file. 

2. Create a new text file and name it the common name of the certificate, ending in ".pem".

3. Open the .cer file and copy all the contents, paste into the .pem file.

4. Open the .p7b file and copy all the contents, paste it into the .pem file below the other contents

 

Copy the .PEM file to the area of the "\Shared\Certificates\WWW"

 

Any time a file is modified in the shared folder, ANY file, apparently it will update all files to the device.
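Added example, not part of the forum post: a small check that reports what each block of a hand-assembled .pem file actually contains (an X.509 certificate, a PKCS#7 container such as a pasted .p7b, or a private key) before the file is copied to the shared folder. The function names and the sample bytes are constructed for illustration; the stubs are not real certificates.

```python
import base64
import re

# A PEM block: matching BEGIN/END label lines around Base64 text.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_kind(der: bytes) -> str:
    """Classify DER by the first element inside the outer SEQUENCE."""
    if len(der) < 4 or der[0] != 0x30:
        return "not-der-sequence"
    # Skip the outer length: one byte (short form) or 1 + N bytes (long form).
    i = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)
    if i >= len(der):
        return "truncated"
    if der[i] == 0x30:  # tbsCertificate SEQUENCE: an X.509 certificate
        return "x509-certificate"
    if der[i] == 0x06:  # contentType OID: a PKCS#7 container, as in a .p7b
        return "pkcs7-container"
    return "unknown"

def lint_pem_bundle(text: str) -> list:
    """Return one (label, kind, finding) tuple per PEM block found in text."""
    results = []
    for label, body in PEM_RE.findall(text):
        if "PRIVATE KEY" in label:
            results.append((label, "private-key", "remove"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            results.append((label, "invalid-base64", "re-export"))
            continue
        kind = der_kind(der)
        results.append((label, kind, "ok" if kind == "x509-certificate" else "review"))
    return results

def pem_block(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed DER stubs (not real certificates), just enough bytes to classify.
CERT_STUB = bytes.fromhex("3006300402020001")
P7B_STUB = bytes.fromhex("300b06092a864886f70d010702")
SAMPLE = (pem_block("CERTIFICATE", CERT_STUB) + pem_block("CERTIFICATE", P7B_STUB)
          + pem_block("RSA PRIVATE KEY", b"constructed"))

if __name__ == "__main__":
    for row in lint_pem_bundle(SAMPLE):
        print(row)
```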

 

 

Contributor
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Ok, it works when I change my AD password for already activated devices (the ones I have activated without SCEP profile).

Now, when I try to activate a device, I get this error:

 

"Device activation can't be completed because a SCEP profile is invalid."

 

Any idea?

 

Could it be caused by something other than my SCEP profile settings (which, I believe, are correct)?

 

THX

Contributor
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: Configuring SCEP server with BB10

That's interesting.

 

I just activated a new user and chose the SCEP email profile and it worked.

 

I'll send you my work email in private message and we can compare what scep settings we each have.