S/MIME (Secure/Multipurpose Internet Mail Extensions) extends MIME with security functions: a MIME entity can be encapsulated, together with digital signatures and encryption information, into a secure object. RFC 2634 defines Enhanced Security Services, such as signed receipts, which let the sender ensure that the recipient cannot deny having received the message.
BlackBerry S/MIME and Smartcard (CAC) Reader Setup Guide (v1.4)
For Department of Defense Common Access Card

Please refer to the Final Draft DISA Wireless STIG/BlackBerry Security Checklists for definitive guidance on setup to meet DOD requirements.

DISA Wireless STIG - http://iase.disa.mil/stigs/stig/index.html
Wireless STIG Checklist - http://iase.disa.mil/stigs/checklist/index.html

If you have questions/comments about the setup of S/MIME and Smartcard readers, please contact your local BlackBerry IT Support, BlackBerry Government Sales Manager, or BlackBerry Customer Support.

Contents

Device Setup
BlackBerry Enterprise Server Configuration
  CRL Properties
  LDAP Properties
  OCSP Properties
72k CAC Drivers and Updated DoD Root Certificates
  Obtaining/Creating Source Files
  Share Source Files
  Create a Software Configuration
  Apply Software Configuration to Users
Desktop Configuration Tips
Device Configuration Tips
BlackBerry Enterprise Server Configuration Tips

Device Setup

1. Download and install the following software on your PC: BlackBerry Desktop software (if not already installed), BlackBerry Device software, S/MIME Support Pack, and Smartcard Reader software.
   Note: You will need SSP 4.0 for use with devices with 4.0 device software. You will need SSP 4.1 for use with devices with 4.1 or 4.2 BlackBerry device software.
   a. BlackBerry Desktop software and Smart Card Reader software are available at http://www.BlackBerry.com/support.
   b. BlackBerry Device software is found at http://na.blackberry.com/eng/support/downloads/download_sites.jsp. (Note: The installation of the BlackBerry S/MIME Support Pack WILL FAIL if you have not installed the device software on your PC. The only exception is for devices running device software 4.2.1 or higher.)
   c. BlackBerry S/MIME Support Pack (SSP) is available from DISA at https://gesportal.dod.mil/sites/DoDPKE/ in the AEP-SMIME Download for RIM folder of the Wireless Knowledge Base Library. It can be directly downloaded here.
2. Start BlackBerry Desktop software and connect your BlackBerry device.
3. Start Application Loader and proceed to the Device Application Selection screen. Be sure to check BlackBerry S/MIME Support Package, BlackBerry Smart Card Reader, and DOD Root Certificates. Complete the installation of software on your BlackBerry device.
4. Disconnect your BlackBerry device from your PC and connect your BlackBerry Smart Card Reader to your PC using the same USB cable. Run Application Loader from Desktop Manager to upgrade your reader if given the option. Disconnect your reader from your PC when complete. (Note: If the Smart Card Reader has been connected previously, you will be prompted for the connection password established during pairing to the BlackBerry; if it is unknown, reset the Smart Card Reader by turning the reader off and pressing and holding the action button until you see "Resetting".)
5. If you are running BlackBerry Device Software 4.1 or earlier, launch the BlackBerry Browser application on your handheld and visit https://www.dodpke.com/jad/ to download the 72K CAC Driver and DoD Root Certificate Packages. These can be downloaded wirelessly (aka Over the Air or OTA) from this website and are required to support newer DOD Root Certificates and newer CAC formats. (Note: If you operate the BlackBerry Enterprise Server, you can create a software configuration to push these items wirelessly. See the section later in this document outlining how to do this.)
6. On your BlackBerry, navigate to device Options and then Bluetooth. Press the Action button on your BlackBerry Smart Card Reader and then choose Add Device on your BlackBerry. When you see the Smart Card Reader displayed, click the track wheel/ball to accept.
7. Refer to the LCD display on your BlackBerry Smart Card Reader to find the one-time Bluetooth pairing code.
8. Next, ensure your CAC is in the BlackBerry Smart Card Reader and navigate on your BlackBerry device to Options, S/MIME (4.0 device software) or Options, Security Options, S/MIME (4.1 device software). In S/MIME Options, click the track wheel and choose Import Smart Card Certs. You will be prompted at this time to perform the secure pairing to the Smart Card Reader by entering the eight-digit pass code from the reader LCD.
9. Select the certificates you need and choose OK.
10. If you have not already done so, you will be prompted to set a key store password at this time. This is different from the device password or CAC PIN and is used to protect digital certificates stored locally on your device.
11. Once the certificates are shown in the S/MIME Options screen, you can click the track wheel and save your settings.
12. Note: The pictures displayed above are for sample purposes only. Your certificates should display a green check instead of a red X, indicating they are trusted. If you do not see this, ensure the DOD Root Certs are installed and then contact your security organization.
13. Congratulations. You should now be able to send signed and encrypted messages. This is done by changing the options at the very top of the message above the "To:" line. Hint: you can use the space bar to toggle through the options to select Sign, Encrypt, or Sign and Encrypt.
BlackBerry Enterprise Server Configuration

The following items should be configured as described in the Final Draft DISA Wireless STIG/BlackBerry Security Checklists. Although not absolutely required for S/MIME, these steps will greatly improve the user experience by automating or otherwise facilitating retrieval of digital certificates and certificate status information. While LDAP and OCSP settings can be configured on individual user handhelds, this is not recommended, as it adds greatly to the complexity for the user or for the IT resources supporting user devices. Further, any changes to these systems would require many changes to user devices. Instead, it is recommended to configure these settings only at the BlackBerry Enterprise Server in Mobile Data Service Properties. Once configured in Mobile Data Service Properties, these settings become the "default" options used by BlackBerry devices.

CRL Properties

The Certificate Revocation List (CRL) should not be configured on a DoD BES. The BES is limited to configuration of only one CRL connection, while the current DoD PKI has over 39 CRL locations. OCSP must be configured instead.

LDAP Properties

Only one LDAP server can be defined at the BES level. Additional connections to different LDAP servers could be configured through the BlackBerry Desktop Manager or on the device itself if required. However, for most users only one should be required.

LDAP Host Name: dod411.gds.disa.mil
Port: 389
Base Query: ou=pki,ou=dod,o=u.s.%20government,c=us
Query Limit: 200
LDAP User ID: <blank>
LDAP Password: <blank> (will display ****)

[Figure: BES 4.1 LDAP Configuration]
[Figure: BES 4.0 LDAP Configuration]

OCSP Properties

The Department of Defense currently provides certificate validation services for all DoD PKI issued certificates in one location. Use of Device Responders and/or Certificate Extension Responders is a decision that should be made locally. Device Responders are user-configured OCSP settings set up on the device. Certificate Extension Responders are OCSP servers defined within a given digital certificate itself. If planning to use a local OCSP responder, it is advisable to test the response time for certificate status checks from the device using both configurations and use the fastest. In most cases the fastest OCSP responder is http://ocsp.disa.mil.

[Figure: BES 4.1 OCSP Configuration]
[Figure: BES 4.0 OCSP Configuration]

Deploying CAC Drivers and DoD Root Certificates

While users can install the updated DOD Root Certificates and 72K CAC drivers by downloading them wirelessly, it may be easier to simply push these files directly from the BlackBerry Enterprise Server. To do this you will need to obtain/create the source files, share the source files, create a software configuration, and apply the software configuration to users.

Obtaining/Creating Source Files

The source files used to push the updated DoD Root Certificates and 72k CAC Driver are found in a zip archive at http://www.dodpke.com/jad/. This package should be downloaded and unzipped to "C:\Program Files\Common Files\Research In Motion\Shared\Applications". If the archive is unzipped in this location, the proper sub-folders should be created.

Share Source Files

Note: Customers are strongly urged to upgrade to either BlackBerry Enterprise Server version 4.0 SP6 or 4.1 SP1 or higher before proceeding.

Configure a host computer from which the DST upgrade files will be shared, then move the COD and ALX files to a DST Upgrade folder on the hard disk drive of the host computer. The host computer can be the BlackBerry Enterprise Server computer.

1. Go to C:\Program Files\Common Files\Research In Motion\Shared and create a folder called Applications if it does not already exist.
2. In the Applications folder, if the zip archive extraction from above did not work correctly, create two subfolders to contain the updated DoD Root Certificates and 72K CAC Patch respectively.
3. Place the ALX files for the Root Certificates and CAC Patch into their respective folders created in step 2.
4. Create folders named "4.0.0", "4.1.0", and "4.2.0" within the 72kCACPatch folder.
5. Place the COD for the DODRootCerts into the folder of the same name. Place the 4.0 version of the 72k CAC Patch into the 4.0.0 folder from step 4, the 4.1 version into the 4.1.0 folder, and the 4.2 version into the 4.2.0 folder.
6. From a command prompt, type cd C:\Program Files\Common Files\Research In Motion\Apploader and press ENTER. Then type "loader.exe /index" and press ENTER.
7. Share the C:\Program Files\Common Files\Research In Motion directory as "Research In Motion".

Create a Software Configuration

1. In the Explorer view of the 4.1 BlackBerry Manager, select BlackBerry Domain (or, for 4.0, use the BlackBerry Handheld Configuration Tool).
2. Select Software Configurations. In the Tasks menu, select Common, and then click Add New Configuration.
3. Type a Configuration Name and a Configuration Description in the corresponding fields, and then click Change. Provide the hostname and UNC share name of the directory containing the ALX and COD files, using the format "\\<host_computer_name>\Research In Motion\".
4. From the drop-down menu in the Delivery column, select Wireless for each of the packages. Click OK to save the configuration.

Apply Software Configuration to Users

1. In the Explorer view of BlackBerry Manager, expand Servers, and then select the BlackBerry Enterprise Server name.
2. Select the BlackBerry device users who are to receive the software packages. Hold the Ctrl key to select multiple users.
3. In the Tasks menu, expand Device Management, and then select Assign Software Configuration.
4. Select the Configuration Name you typed in step 3 of the previous section from the list, then click OK.
5. The software should be delivered within four hours following application of the software configuration.
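The certificate status check that the OCSP Properties section above configures, shown end to end as an added example that is not part of the original guide or of BlackBerry's software: the client builds the OCSP request the BES would POST to http://ocsp.disa.mil, a stand-in responder signs an answer, and the client verifies the signature and serial number before trusting the status. The CA, the user certificate and the responder are constructed locally so the code runs offline; it requires the Python `cryptography` package.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC, DER = datetime.timezone.utc, serialization.Encoding.DER

def _cert(subject_cn, key, issuer_cn, issuer_key, serial):
    """Issue a minimal certificate for the constructed test PKI (not DoD PKI)."""
    now = datetime.datetime.now(UTC)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject_cn))
            .issuer_name(name(issuer_cn)).public_key(key.public_key())
            .serial_number(serial).not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

CA_KEY = rsa.generate_private_key(65537, 2048)
CA_CERT = _cert("Constructed Test CA", CA_KEY, "Constructed Test CA", CA_KEY, 1)
USER_KEY = rsa.generate_private_key(65537, 2048)
USER_CERT = _cert("Constructed CAC user", USER_KEY, "Constructed Test CA", CA_KEY, 2)

def build_request(cert, issuer):
    """Client side (what the BES posts to the responder): a DER OCSPRequest."""
    return (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
            .build().public_bytes(DER))

def responder(request_der, revoked_serials):
    """Stand-in responder: signs the status of the requested serial with the CA key."""
    req = ocsp.load_der_ocsp_request(request_der)
    now, revoked = datetime.datetime.now(UTC), req.serial_number in revoked_serials
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=USER_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
    return builder.sign(CA_KEY, hashes.SHA256()).public_bytes(DER)

def check_status(response_der, cert, issuer):
    """Client side: trust the answer only if the issuer signed it and it names our serial."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unavailable"
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is for a different certificate")
    return resp.certificate_status.name.lower()
```

A real check would send these request bytes over HTTP on TCP port 80, which is why the outbound firewall rule in the configuration tips below matters.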
Desktop Configuration Tips

• If you receive an error from the BlackBerry Application Loader about missing "net.rim.blackberry.securemail.smime", please note that you will need the BlackBerry Device Software to be installed on your PC in addition to the S/MIME Support Pack and Smart Card Reader packages. The BlackBerry Device Software is downloaded from your wireless carrier.
• The Smart Card Reader 1.5 and higher software provides additional functionality to authenticate to a PC with the Smart Card Reader. This functionality is not automatically enabled and requires the smart card desktop client software provided by your smart card vendor to be installed on the PC.
• Private keys may not be exported from Common Access Cards. Therefore, there is no way to use Certificate Synchronization with BlackBerry Desktop Software to synchronize your certificate to your BlackBerry device. Any S/MIME operation will require your CAC to be in your BlackBerry Reader.

Device Configuration Tips

• If User Authenticator is turned on in BlackBerry device options or by administrator policy, then any use of your BlackBerry will require your CAC to be in the reader. If it is removed, your BlackBerry device will lock. Current JTF-GNO guidance requires either a password OR CAC (user authenticator) authentication.
• If your BES Administrator has configured your server to support LDAP and OCSP requests, you can wirelessly retrieve certificates for other users and obtain certificate status information, respectively.
• If LDAP has been configured by your BES Administrator, you can use Certificate Search to search by first name, last name, and email address for certificates to add to your certificate store. Due to the number of people in DoD, you will have the most luck searching by email address. The more detail you can provide, the better the lookup results will be.
• If you have S/MIME Support Pack 4.1 and LDAP has been configured by your BES Administrator, the BlackBerry device will automatically try to fetch certificates for you when you choose to encrypt a message to someone for whom you do not already have a digital certificate.
• If someone sends you a signed message, you will see their certificate at the bottom of the message. You can add the certificate to your certificate store for later use by clicking the track wheel and choosing Import Certificate. You can then accept the label of the certificate or change it as desired. The label is used to identify the certificate in your certificate store.
• When the CAC is removed from the BlackBerry Smart Card Reader, the encryption key that protects communication between the BlackBerry device and the Smart Card Reader is invalidated. The next time you try to use the reader, you will be prompted to press the action key to get a new code to re-establish the encrypted connection to the reader.
• If desired, you can set your BlackBerry so that, by default, any new message is signed or encrypted. This is done on your BlackBerry device in Message Services (4.0) or Advanced Options, Message Services (4.1).
• If your certificates are issued to a different email domain than the address normally used for sending/receiving mail (for example, firstname.lastname@example.org vs email@example.com), consider using the IT Policy setting "Canonical Certificate Domain Name". This applies to BES 4.0.6 and higher with BlackBerry Device Software 4.2 and higher.

BlackBerry Enterprise Server Configuration Tips

• In most cases, LDAP and OCSP configured to use dod411.gds.disa.mil and http://ocsp.disa.mil respectively have been seen to provide the best performance.
• In most cases, complete setup to support certificate lookup and status checks requires additional firewall work to open TCP port 389 (LDAP) outbound and TCP port 80 (OCSP) outbound to the respective servers at DISA.
• OCSP and LDAP logging is not turned on by default. Turning this logging on can greatly help identify incorrect LDAP queries or network timeouts (closed firewall). Logging for OCSP and LDAP is turned on within 4.1 from the MDS Connection Service Properties as shown below, followed by the equivalent logging for BES 4.0 within Mobile Data Service Properties.
• Example of a BES Mobile Data Service (MDS) log entry showing a networking problem for LDAP:

  <2007-01-29 10:06:03.229EST>::<MDS-CS_STRI-BB-CRYPTO1_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = LDAP, javax.naming.ServiceUnavailableException:DOD411.GDS.DISA.MIL:389; socket closed>
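The tip above says MDS logging is what separates a bad LDAP query from a closed firewall. The following triage script is an added example, not part of the guide or of BlackBerry's tooling: it parses MDS log entries of the shape shown above and labels each LDAP/OCSP failure as a network or a query problem. The first sample line is the one printed in the guide; the other three are constructed in the same format, and the exception names and wording in them are assumptions.

```python
import re

# Shape of a BES MDS log entry, as in the sample the guide shows:
# <timestamp>::<component>:<level>:<message>
LINE_RE = re.compile(
    r"^<(?P<ts>[^>]+)>::<(?P<component>[^>]+)>:<(?P<level>[^>]+)>:<(?P<msg>.*)>$")
HANDLER_RE = re.compile(r"HANDLER = (?P<handler>LDAP|OCSP)")
EXC_RE = re.compile(r"(?P<exc>[A-Za-z_][\w.]*Exception)(?::(?P<host>[\w.\-]+):(?P<port>\d+))?")
# Wording that points at the network path (closed firewall, unreachable
# server) rather than at a malformed query.
NETWORK_HINTS = ("socket closed", "timed out", "ServiceUnavailable", "Connection refused")

def classify(line):
    """Return None for entries that are not LDAP/OCSP failures; otherwise a dict
    naming the handler, the exception, the host:port it tried to reach (if
    logged) and whether it looks like a network or a query problem."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    handler, exc = HANDLER_RE.search(msg), EXC_RE.search(msg)
    if not (handler and exc):
        return None
    target = f"{exc.group('host')}:{exc.group('port')}" if exc.group("host") else None
    diagnosis = "network" if any(h in msg for h in NETWORK_HINTS) else "query"
    return {"time": m.group("ts"), "handler": handler.group("handler"),
            "exception": exc.group("exc"), "target": target, "diagnosis": diagnosis}

def triage(lines):
    """Run classify() over an MDS log and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Sample log: the first line is the one printed in the guide; the other three
# are constructed in the same format for illustration.
SAMPLE_LOG = [
    "<2007-01-29 10:06:03.229EST>::<MDS-CS_STRI-BB-CRYPTO1_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = LDAP, javax.naming.ServiceUnavailableException:DOD411.GDS.DISA.MIL:389; socket closed>",
    "<2007-01-29 10:06:09.512EST>::<MDS-CS_STRI-BB-CRYPTO1_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = OCSP, java.net.SocketTimeoutException:ocsp.disa.mil:80; connect timed out>",
    "<2007-01-29 10:06:15.077EST>::<MDS-CS_STRI-BB-CRYPTO1_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = LDAP, javax.naming.directory.InvalidSearchFilterException: Bad search filter>",
    "<2007-01-29 10:06:20.301EST>::<MDS-CS_STRI-BB-CRYPTO1_MDS-CS_1>:<INFO>:<LAYER = IPPP, HANDLER = LDAP, search returned 1 entry>",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "network" finding against port 389 or 80 points at the outbound firewall rules from the previous tip; a "query" finding points at the Base Query or filter configured in the LDAP Properties.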