BlackBerry S_MIME and Smartcard Reader Setup by bestt571

VIEWS: 1,460 PAGES: 14

More Info
									BlackBerry S/MIME and Smartcard (CAC) Reader
Setup Guide (v1.4) For Department of Defense Common Access Card
Please refer to the Final Draft DISA Wireless STIG/BlackBerry Security Checklists for
definitive guidance on setup to meet DOD requirements.
       DISA Wireless STIG -
       Wireless STIG Checklist -
If you have questions/comments about the setup of S/MIME and Smartcard readers
please contact your local BlackBerry IT Support, BlackBerry Government Sales
Manager, or BlackBerry Customer Support.

Device Setup ___________________________________________________________ 2
BlackBerry Enterprise Server Configuration _________________________________ 5
   CRL Properties ___________________________________________________________ 5
   LDAP Properties __________________________________________________________ 5
   OCSP Properties __________________________________________________________ 7
72k CAC Drivers and Updated DoD Root Certificates__________________________ 8
   Obtaining/Creating Source Files _____________________________________________ 8
   Share Source Files _________________________________________________________ 9
   Create a Software Configuration _____________________________________________ 9
   Apply Software Configuration to Users_______________________________________ 10
Desktop Configuration Tips _____________________________________________ 11
Device Configuration Tips_______________________________________________ 12
BlackBerry Enterprise Server Configuration Tips ____________________________ 13
Device Setup
  1. Download and install the following software on your PC: BlackBerry Desktop
     software (if not already installed), BlackBerry Device software, S/MIME Support
     Pack, and Smartcard Reader software. Note: You will need SSP 4.0 for use with
     devices with 4.0 device software. You will need SSP 4.1 for use with devices
     with 4.1 or 4.2 BlackBerry device software.
         a. BlackBerry Desktop software and Smart Card Reader is available at
         b. BlackBerry Device software is found at
            (Note: The installation of the BlackBerry S/MIME Support Pack WILL
            FAIL if you have not installed the device software on your PC. The only
            exception is for devices running device software 4.2.1 or higher).
         c. BlackBerry S/MIME Support Pack (SSP) is available from DISA at
   in the AEP-SMIME Download
            for RIM folder of the Wireless Knowledge Base Library. It can be
            directly downloaded here.
  2. Start BlackBerry Desktop software and connect your BlackBerry device.
  3. Start Application Loader and proceed to the Device Application Selection screen.
     Be sure to check BlackBerry S/MIME Support Package, BlackBerry Smart Card
     Reader, and DOD Root Certificates. Complete the installation of software on
     your BlackBerry device.
  4. Disconnect your BlackBerry device from your PC and connect your BlackBerry
     Smart Card Reader to your PC using the same USB cable. Run Application
     Loader from Desktop Manager to upgrade your reader if given the option.
     Disconnect your reader from your PC when complete. (Note: If the Smart Card
     Reader has been connected you will be prompted for the connection password
     established during paring to the BlackBerry; if unknown reset the Smart Card
     Reader by turning the reader off and pressing and holding the action button until
     you see “Resetting”).
  5. If you are running BlackBerry Device Software 4.1 or earlier launch the
     BlackBerry       Browser    application     on   your     handheld  and    visit to download the 72K CAC Driver and DoD Root
     Certificate Packages. These can be downloaded wirelessly (aka Over the Air or
     OTA) from this website and are required to support newer DOD Root Certificates
     and newer CAC formats. (Note: If you operate the BlackBerry Enterprise Server
     you can create a software configuration to push these items wirelessly. See the
     section later in this documentation outlining how to do this).
  6. On your BlackBerry navigate to device Options and then Bluetooth. Press the
     Action button on your BlackBerry Smart Card Reader and then choose Add
     Device on your BlackBerry. When you see the Smart Card Reader displayed,
     click the track wheel/ball to accept.
7. Refer to the LCD display on your BlackBerry Smart Card Reader to find the one
   time Bluetooth pairing code.
8. Next, ensure your CAC is in the BlackBerry Smart Card Reader and navigate on
   your BlackBerry device to Options, S/MIME (4.0 device software) or Options,
   Security Options, S/MIME (4.1 device software). In S/MIME Options, click the
   track wheel and choose Import Smart Card Certs. You will be prompted, at this
   time, to perform the secure pairing to the Smart Card Reader by entering the eight
   digit pass code from the reader LCD.
9. Select the certificates you need and choose OK.

10. If you have not already done so you will be prompted to set a key store password
    at this time. This is different from the device password or CAC pin and is used to
    protect digital certificates stored locally on your device.
11. Once the certificates are shown in the S/MIME Options screen you can click the
    track wheel and save your settings.

12. Note: The pictures displayed above are for sample purposes only. Your
    certificates should display a green check instead of a red X indicating they are
    trusted. If you do not see this ensure the DOD Root Certs are installed and then
    contact your security organization.
13. Congratulations. You should now be able to send signed and encrypted messages.
    This is done by changing the options at the very top of the message above the
    “To:” line. Hint, you can use the space bar to toggle through options to select
    Sign, Encrypt, or Sign and Encrypt.
BlackBerry Enterprise Server Configuration
The following items should be configured as described in the Final Draft DISA Wireless
STIG/BlackBerry Security Checklists. Although not absolutely required for S/MIME,
these steps will greatly improve the user experience by automating or otherwise
facilitating retrieval of digital certificates and certificate status information.
While LDAP, and OCSP settings can be configured on individual user handhelds this is
not recommended as it adds greatly to complexity for the user or IT resources supporting
user devices. Further, any changes to these systems would require many changes to user
devices. Instead it is recommended to configure these settings only at the BlackBerry
Enterprise Server in Mobile Data Service Properties. Once configured in Mobile Data
Service Properties these settings become the “default” options as used by BlackBerry
CRL Properties
The Certificate Revocation List (CRL) should not be configured on a DoD BES. The
BES is limited to configuration of only one CRL connection. The current DoD PKI has
over 39 CRL locations. OCSP must be configured instead.
LDAP Properties
Only one LDAP can be defined at the BES level. Additional connections to different
LDAP servers could be configured through the BlackBerry Desktop Manager or the
device itself if required. However, for most users only one should be required.
       LDAP Host Name:
       Port: 389
       Base Query: ou=pki,ou=dod,o=u.s.%20government,c=us
       Query Limit:        200
       LDAP User ID:         <blank>
       LDAP Password:         <blank> (will display ****)
BES 4.1 LDAP Configuration

BES 4.0 LDAP Configuration
OCSP Properties
The Department of Defense currently provides certificate validation services for all DoD
PKI issued certificates in one location. Use of Device Responders and/or Certificate
Extension Responders is a decision that should be made locally. Device responders are
user configured OCSP settings setup on the device. Certificate Extension Responders are
OCSP servers defined within a given digital certificate itself.
If planning to use a local OCSP responder it is advisable to test response time for
certificate status checks from the device using both configurations and use the fastest. In
most cases the fastest OCSP responder is

                              BES 4.1 OCSP Configuration
                             BES 4.0 OCSP Configuration

Deploying CAC Drivers and DoD Root Certificates
While users can install the updated DOD Root Certificates and 72K CAC drivers by
downloading them wirelessly it may be easier to simply push these files directly from the
BlackBerry Enterprise Server. To do this you will need to obtain/create the source files,
share source files, create a software configuration, and apply the software configuration
to users.
Obtaining/Creating Source Files
The source files used to push the updated DoD Root Certificates and 72k CAC Driver are
found in a zip archive at This package should be
downloaded and unzipped to “C:\Program Files\Common Files\Research In
Motion\Shared\Applications”. If the archive unzipped in this location the proper sub-
folders should be created.
Share Source Files
Note: Customers are strongly urged to upgrade to either BlackBerry Enterprise Server
version 4.0 SP6 or 4.1 SP1 or higher before proceeding.
Configure a host computer from which the DST upgrade files will be shared, then move
the COD and ALX files to a DST Upgrade folder on the hard disk drive of the host
computer. The host computer can be the BlackBerry Enterprise Server computer.
  1. Go to C:\Program Files\Common Files\Research In Motion\Shared and create a
     folder called Applications if it does not already exist.
  2. In the Applications folder, if the zip archive extraction from above didn’t work
     correctly, create two subfolders to contain the updated DoD Root Certificates and
     72K CAC Patch respectively.
  3. Place the ALX files for the Root Certificates and CAC Patch into their respective
     folders created in step 3.
  4. Create folders named “4.0.0”, “4.1.0”, and “4.2.0” within the 72kCACPatch folder.
  5. Place the COD for the DODRootCerts into the folder of the same name. Place the
     4.0 version of the 72k CAC Patch into the 4.0.0 folder from step 5 the 4.1 version
     into the 4.1.0 folder, and the 4.2 version into the 4.2.0 folder.

  6. From a command prompt, type cd C:\Program Files\Common Files\Research In
     Motion\Apploader and press ENTER. Then type “loader.exe /index” and press
  7. Share the C:\Program Files\Common Files\Research In Motion directory as
     “Research In Motion”.
Create a Software Configuration
   1. In the Explorer view of 4.1 BlackBerry Manager, select BlackBerry Domain. (or
      in the 4.0 BlackBerry Handheld Configuration Tool).
  2. Select Software Configurations. In the Tasks menu, select Common, and then
     click Add New Configuration.
  3. Type a Configuration Name and a Configuration Description in the corresponding
     fields, and then click Change. Provide the hostname and UNC share name of the
     directory containing the ALX and COD files, using the format
     “\\<host_computer_name>\Research In Motion\”.

  4. From the drop-down menu in the Delivery column, select Wireless for each of the
     Click OK to save the configuration.
Apply Software Configuration to Users
  1. In the Explorer view of BlackBerry Manager, expand Servers, and then select the
     BlackBerry Enterprise Server name.
  2. Select the BlackBerry device users who are to receive the software packages.
     Hold the Ctrl key to select multiple users.
  3. In the Tasks menu, expand Device Management, and then select Assign Software

  4. Select the Configuration Name you typed in step 3 from the list, then click OK.
  5. The software should be delivered within four hours following application of the
     software configuration.

Desktop Configuration Tips
  •   If you receive an error from the BlackBerry Application Loader about missing
      “net.rim.blackberry.securemail.smime” please note that you will need the
      BlackBerry Device Software to be installed on your PC in addition to the
      S/MIME Support Pack and Smart Card Reader packages. The BlackBerry device
      software is downloaded from your wireless carrier.
  •   The Smart Card Reader 1.5 and higher software provides additional functionality
      to authenticate to a PC with the Smart Card Reader. This functionality is not
      automatically enabled and would require the smart card desktop client software
      provided by your smart card vendor installed on the PC.
  •   Private keys may not be exported from Common Access Cards. Therefore, there
      is no way to use Certificate Synchronization with BlackBerry Desktop Software
      to synchronize your certificate to your BlackBerry device. Any S/MIME
      operation will require your CAC to be in your BlackBerry Reader.
Device Configuration Tips
  •   If User Authenticator is turned on in BlackBerry device options or by
      administrator policy, then any use of your BlackBerry will require your CAC to
      be in the reader. If removed your BlackBerry device will lock. Current JTF-
      GNO guidance requires either a password OR CAC (user authenticator)
  •   If your BES Administrator has configured your server to support LDAP and
      OCSP requests you can wirelessly retrieve certificates for other users and obtain
      status information respectively.
  •   If LDAP has been configured by your BES Administrator you can use Certificate
      Search to search by first name, last name, and email address for certificates to add
      to your certificate store. Due to the number of people in DoD you will have the
      most luck searching by email address. The more detail you can provide the better
      the lookup results will be.
  •   If you have S/MIME Support Pack 4.1 and LDAP has been configured by your
      BES Administrator the BlackBerry device will automatically try to fetch
      certificates for you when choosing to encrypt a message to someone for which
      you do not already have a digital certificate.
  •   If someone sends you a signed message you will see their certificate at the bottom
      of the message. You can add the certificate to your certificate store for later use
      by clicking the track wheel and choosing import certificate. You can then accept
      the label of the certificate or change it as desired. The label is used to identify the
      certificate in your certificate store.

  •   When the CAC is removed from the BlackBerry Smart Card Reader the secure
      encryption key that protects communication between the BlackBerry device and
      the Smart Card Reader is broken. The next time you try to use the reader you will
      be prompted to press the action key to get a new code to re-establish the
      encrypted connection to the reader.
  •   If desired you can set your BlackBerry so that, by default, any new message is
      signed or encrypted. This is done on your BlackBerry device in Message Services
      (4.0) or Advanced Options, Message Services (4.1).
  •   If your certificates are issued to a different email domain than the domain address
      normally used for sending/receiving mail (for example, vs consider using the IT Policy setting “Canonical
      Certificate Domain Name.” Applies to BES 4.0.6 and higher with BlackBerry
      Device Software 4.2 and higher.

BlackBerry Enterprise Server Configuration Tips
  •   In most cases LDAP and OCSP configured to use and respectively has been seen to provide the best performance.
  •   In most cases complete setup to support certificate lookup and status checks
      requires additional firewall work to open TCP port 389 (LDAP) outbound and
      TCP port 80 (OCSP) outbound to the respective servers at DISA.
  •   OCSP and LDAP logging is not turned on by default. Turning this logging on can
      greatly help identify incorrect LDAP queries or network timeouts (closed
      firewall). Logging for OCSP and LDAP is turned on within 4.1 from the MDS
      Connection Service Properties as shown below followed by the equivalent
      logging for BES 4.0 within Mobile Data Service Properties.
•   Example of BES Mobile Data Service (MDS) Log showing networking problem
    for LDAP.
          <2007-01-29        10:06:03.229EST>:[5338]:<MDS-CS_STRI-BB-CRYPTO1_MDS-
          CS_1>:<DEBUG>:<LAYER            =     IPPP,    HANDLER       =    LDAP,
          javax.naming.ServiceUnavailableException:DOD411.GDS.DISA.MIL:389;  socket

To top