08-19-2013 10:06 AM
I am trying to setup our SCEP server with our BB10.2 servers.
I have created the SCEP Profile
I have assigned the SCEP profile to the users
It's not working. Users still need to change their AD passwords on the devices (Z10).
I am now reading that we need to setup a shared folder to be used as a shared drive including the root certificate.
I have created a shared folder on NetApp, and gave it the right permissions (BB10 service account and SCEP service account in both read and write).
I can access the share directly through Windows Explorer on the BB10 servers using the service accounts, but when I try to set it up in the BB Administration Service console, it returns me the following error:
BlackBerry Administration Service shared network drive that you specified cannot be accessed. Please specify a valid file path.
I can't find any documentation for this... Anyone could help? Am I missing something here?
Also, if there is any doc on this, I would really appreciate if some one could link it here.
All the best,
08-20-2013 02:16 AM - edited 08-20-2013 03:04 AM
Yes, it works like this...
However, what if the server goes down? ...I have a secondary server as failover, but the share won't synchronize on both.
I don't get it... I tested a few things:
1. I entered the direct link to the NetApp server in the field -> same result
2. I created a share locally on the BB10 server with the same permissions -> worked fine
3. Created a share on my local PC again, with the same permissions -> "unable to write"
Which account does the server try to access this folder/drive?
08-20-2013 10:28 AM
Perhaps it is using a Local permission like "SYSTEM" or the local Admin group.
On my share, in file folder permissions I have "SYSTEM", the BES account, and "Administrators".
As for what if the server goes down, you could create a scheduled task to copy contents to the secondary server daily. That should be sufficient. If you want more real-time updating to the secondary server, using Robocopy with the -mir option would ensure instant copy. It's not a built-in BlackBerry solution, but it would work.
For us, we just back up the folder to our backup system. It contains root certificates and internal applications as well as background images for the Workspace. The data would not take long to restore.
08-20-2013 11:07 AM
Thanks for your answer.
I managed to get it to work.
By testing different setups on my local machine, I figured out that BAS doesn't handle group permissions so well. Giving the service account (as a user, not as a member of a group) the read & write permission on the NetApp solved the issue.
Now, even the DFS address works.
08-21-2013 08:09 AM
Sorry, I am double-posting...
It seems to be working now (when I change passwords in AD, the BlackBerry can still receive email).
But I don't get "how" it works.
On the Z10, under settings, when I check "certificates", I don't see the Root certificate I have copied to the folder on my shared drive.
So, how does it work? ...what is the flow of the certificate authentication on the BB10?
Seriously, isn't it documented anywhere? I didn't find ANYTHING on this except a few topics on the forum.
08-21-2013 09:13 AM
I concur that it is not properly documented on how to do this.
And, it is kind of SCEP related, so not really a double post.
I did find help somewhere in the BlackBerry documents, but I needed more information, so Google was and is my best friend.
I did document how I got it to work. I will post something hopefully before end of day.
08-21-2013 01:58 PM
Checking my notes, in the BES10 Administration Guide, page 144 or so, it talks about Sending Certificates to Devices.
But not much detail.
I found this page which explains how to make a .PEM file:
Basically a PEM file is a text file that is comprised of the contents of one or more certificates in your chain.
1. I logged onto my internal CA. I downloaded the Base64 version of "CA Certificate" as well as the "CA Certificate Chain". This gives you a .cer file and a .p7b file.
2. Create a new text file and name it the common name of the certificate, ending in ".pem".
3. Open the .cer file and copy all the contents, paste into the .pem file.
4. Open the .p7b file and copy all the contents, paste it into the .pem file below the other contents.
Copy the .PEM file to the area of the "\Shared\Certificates\WWW"
Any time a file is modified in the shared folder, ANY file, apparently it will update all files to the device.
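Added example, not from this thread or from BlackBerry: a small Python helper that assembles the .pem bundle from the Base64 .cer and .p7b downloads described in the steps above and checks every block (matching BEGIN/END labels, clean Base64, DER length consistent with what was pasted) before writing it, so a truncated copy-and-paste is caught before the file lands in the shared folder. The sample inputs are constructed placeholders, not real certificates, and the "PKCS7" armour label for the .p7b export is an assumption.

```python
import base64
import re

# Constructed sample inputs (NOT real certificates): a 5-byte DER SEQUENCE
# wrapped in the armour a Base64 "CA Certificate" (.cer) download and a
# Base64 "CA Certificate Chain" (.p7b) download carry. The PKCS7 label is
# an assumption about the .p7b export format.
FAKE_DER_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
SAMPLE_CER = f"-----BEGIN CERTIFICATE-----\r\n{FAKE_DER_B64}\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_P7B = f"-----BEGIN PKCS7-----\r\n{FAKE_DER_B64}\r\n-----END PKCS7-----\r\n"

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def _der_total_length(der):
    """Length the outer DER header claims, including the header itself."""
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(text):
    """Return (label, der_bytes) for each PEM block; raise ValueError if damaged."""
    blocks = []
    for begin, body, end in _BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        der = base64.b64decode("".join(body.split()), validate=True)
        # Certificates and PKCS#7 bundles are DER SEQUENCEs (tag 0x30) whose
        # declared length must match the bytes present; a short paste fails here.
        if len(der) < 2 or der[0] != 0x30 or _der_total_length(der) != len(der):
            raise ValueError(f"{begin} block is truncated or not DER")
        blocks.append((begin, der))
    return blocks

def is_valid_pem(text):
    """True when the text holds at least one block and every block parses."""
    try:
        return len(pem_blocks(text)) > 0
    except ValueError:
        return False

def build_pem_bundle(*sources):
    """Concatenate the blocks of each source into one .pem text (64-column lines, LF endings)."""
    out = []
    for src in sources:
        for label, der in pem_blocks(src):
            b64 = base64.b64encode(der).decode()
            lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append(f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n")
    return "".join(out)
```

Write the returned text to a file named after the CA's common name with a .pem extension, as the steps above describe, only when is_valid_pem() is true for every input.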
08-22-2013 10:17 AM
Ok, it works when I change my AD password for already activated devices (the ones I have activated without SCEP profile).
Now, when I try to activate a device, I get this error:
"Device activation can't be completed because a SCEP profile is invalid."
Could it be caused by something other than my SCEP profile settings (which, I believe, are correct)?
08-22-2013 02:47 PM
I just activated a new user and chose the SCEP email profile and it worked.
I'll send you my work email in private message and we can compare what scep settings we each have.