
5. In the drop-down list, select an encryption type.
6. Click OK.

Related topics

Assigning BlackBerry devices to user accounts, 54

Generating organization-specific encryption keys for PIN message encryption

By default, all BlackBerry® devices store a common PIN encryption key that they use to protect PIN messages. To limit the number
of BlackBerry devices that can decrypt PIN messages that users in your organization send from their BlackBerry devices, you can
generate a new PIN encryption key that is stored on and known only to BlackBerry devices in your organization. BlackBerry
devices with a PIN encryption key that is specific to your organization can send and receive PIN messages only with other
BlackBerry devices that store the same PIN encryption key.

You should generate a new PIN encryption key if you know that your current organization-specific PIN encryption key is
compromised.

Generate a new peer-to-peer encryption key

1. In the BlackBerry® Manager, in the left pane, click BlackBerry Domain.
2. On the Global tab, expand Service Control & Customization.
3. Click Update Peer-to-Peer Encryption Key.
4. Click Set or update the Peer-to-Peer encryption key for all devices within this organization.
5. Click Yes.

Authenticating the BlackBerry MDS Integration Service to the BlackBerry Manager and web services

After you install the BlackBerry® MDS Integration Service, you must install a digital certificate for the BlackBerry MDS Integration
Service in the key store on the same computer. This certificate allows server-authenticated communication between the
BlackBerry MDS Integration Service and the BlackBerry Manager.

You can install a self-signed certificate for the BlackBerry MDS Integration Service, or you can get a signed root certificate from
a certificate authority and install it in the key store using the Java® keytool. You can replace the self-signed certificate with a
signed root certificate at any time, but you should install the certificate that you want to use immediately after you install the
BlackBerry MDS Integration Service and before you allow authentication with the BlackBerry Manager or web services using that
certificate.
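
The following keytool sequence is an added example, not taken from this guide: it creates a self-signed certificate and later replaces it with a CA-signed one in the same key store entry. The key store file names, alias, distinguished names and password are constructed placeholders, and a local test CA created with keytool stands in for a real certificate authority; the key store location that the BlackBerry MDS Integration Service actually uses is not shown on this page.

```shell
#!/bin/sh
# Added example: self-signed certificate first, CA-signed replacement later.
# Every name below is a constructed placeholder, not a value from the guide.
KS=mdsis-example.p12        # hypothetical key store for the service
CA_KS=example-ca.p12        # local test CA, stands in for a real CA
ALIAS=mdsis                 # hypothetical alias of the service key entry
PASS=example-Passw0rd       # placeholder; omit -storepass in real use so
                            # keytool prompts and the value stays out of history

# Step 1: key pair plus self-signed certificate (chain length 1).
make_self_signed() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=mds-is.example.test, O=Example Org" \
        -keystore "$KS" -storetype PKCS12 -storepass "$PASS"
}

# Step 2: replace the self-signed certificate with a CA-signed one.
replace_with_ca_signed() {
    # Constructed test CA; with a real CA you only receive its root
    # certificate and the signed reply.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Test CA" -ext bc:c \
        -keystore "$CA_KS" -storetype PKCS12 -storepass "$PASS"
    keytool -exportcert -alias ca -rfc -file ca-root.pem \
        -keystore "$CA_KS" -storepass "$PASS"

    # The request is generated from the existing private key, so the key
    # itself never leaves the service's key store.
    keytool -certreq -alias "$ALIAS" -file mdsis.csr \
        -keystore "$KS" -storepass "$PASS"

    # The CA signs the request (done by the CA operator in real use).
    keytool -gencert -alias ca -infile mdsis.csr -outfile mdsis-signed.pem \
        -rfc -validity 365 -keystore "$CA_KS" -storepass "$PASS"

    # Import the CA root as a trusted entry first, then the reply under the
    # same alias as the key. keytool refuses the reply if it cannot build a
    # chain from it to a trusted certificate.
    keytool -importcert -noprompt -trustcacerts -alias caroot \
        -file ca-root.pem -keystore "$KS" -storepass "$PASS"
    keytool -importcert -alias "$ALIAS" -file mdsis-signed.pem \
        -keystore "$KS" -storepass "$PASS"
}

# Check: number of certificates in the chain attached to the service key.
# 1 means self-signed, 2 means service certificate plus CA root.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$PASS" \
        2>/dev/null | sed -n 's/^Certificate chain length: //p'
}

# Run the whole sequence only when asked to: sh example.sh run
if [ "${1:-}" = "run" ]; then
    set -e
    make_self_signed
    echo "chain length after step 1: $(chain_length)"
    replace_with_ca_signed
    echo "chain length after step 2: $(chain_length)"
fi
```

Checking the chain length before you allow authentication confirms which certificate the key entry currently presents.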


Summary of Contents for Enterprise Server For MDS

Page 1: ...BlackBerry Enterprise Server for MDS Applications Version 4 1 Service Pack 7 Administration Guide...

Page 2: ...Published 2010 01 11 SWD 966846 0111050411 001...
