1. Erkan Kater
    Hi
    I am busy setting up a BES12 in combination with Symantec Encryption Management Server.
    But I get problems while enrolling the PGP keys to the BB devices.
    Enrollment to an iOS device is a piece of cake.
    Anyway I want to start a tutorial so we can share ideas.
    BlackBerry already confirmed to me that it is possible to enroll PGP keys to BB devices from 10.3 and up.

    So share and ask here ...
    01-21-15 09:49 AM
  2. Erkan Kater
    Try changing the FQDN in the email profile to the IP address of the SEMS server.
    Maybe it makes a difference.

    For additional information on enabling PGP see the following documentation:

    KB36520 - Enabling PGP on BlackBerry Enterprise Service 12

    You can also see the following Admin Guide for BES12, which explains the options available in the mail profile for PGP.

    http://docs.blackberry.com/en/admin/...2_v12.0_en.pdf

    See page 207/208.
    Last edited by Erkan Kater; 02-25-15 at 11:02 AM.
    01-21-15 09:55 AM
  3. Erkan Kater
    Well I did all of the above and more but I am still getting the same error.

    Can not enroll with SEMS because of an unknown error
    01-21-15 09:58 AM
  4. MobileMadness002
    Have you contacted BlackBerry directly to see if the Analysts have reviewed your log files?

    Either way, I am subscribing as I am interested in BES functionality as well.
    01-21-15 11:07 AM
  5. Erkan Kater
    I opened a ticket with BlackBerry and have email contact with them.
    I didn't contact them directly to ask about the log files.
    Should I call them for this?
    01-21-15 12:31 PM
  6. objectivemind
    Hi Erkan, have you installed the CA certificate used for the SEMS certificate on the BB device? It will drop the connection immediately during the SSL handshake if the certificate is not trusted.
    01-22-15 04:10 AM
  7. Erkan Kater
    I installed the CA certificate from the SEMS SSL into the CA certificate profile and attached it to the user(s) profile.
    I can also see the CA certificate on the phones.
    01-22-15 06:34 AM
  8. objectivemind
    Can you see the authentication attempt in SEMS log -> Client? Try to create a user and upload the keys to SEMS. In my setup I can only enrol clients with Active Directory enrolment and NOT email enrolment, and key mode set to SKM. If you can't see the authentication attempt in the log you can't get any further anyway, so check first that it's actually connecting successfully.
    01-22-15 07:10 AM
  9. Erkan Kater
    I will try that.
    Can you explain to me which ports you have open externally?
    Do you have 2 different external IP addresses, pointing one to BES12 and one to SEMS?
    Which port goes where?
    I have set up BES12 and it works fine, but I just don't understand how SEMS securely pushes the keys to the BBs.
    I suppose it does it through BES12, or not?
    01-22-15 07:26 AM
  10. Erkan Kater
    I am sure it's an authentication problem.
    Maybe something to do with the SSL exchange, AD, or LDAP.
    Between my AD and SEMS there is no problem, because if I connect my iOS device to download a key it accepts it without any problem.
    01-22-15 07:43 AM
  11. objectivemind
    Yes, I have 2 different IP addresses, but it shouldn't matter as long as port 443 is not being used by something else. Open a browser and go to https:// for your domain and you should get a Symantec webmail login, or a Symantec error if webmail is not enabled.
    01-22-15 07:44 AM
  12. objectivemind
    You should see something like this in Client log on SEMS if connection is ok : CLIENT-00011: connection from 188.171.120.118
    01-22-15 07:48 AM
  13. Erkan Kater
    OK, you have 443 pointed to SEMS.
    Normally in my case it is pointed to OWA, MS webmail and ActiveSync for your mobiles.
    Did you change it in the mail profile in BES12?
    01-22-15 07:51 AM
  14. Erkan Kater
    I changed 443 to the SEMS.
    And I now see the webmail login of SEMS.
    01-22-15 07:57 AM
  15. objectivemind
    I haven't tried, but maybe you can try https://your.domain:port. Of course you would have to forward that port to 443 on SEMS.
    01-22-15 07:57 AM
  16. Erkan Kater
    Ok.
    I tried a device to connect to work, all went OK.
    I tried to connect to the email account, all went OK.
    I tried enrollment with PGP and I get the same error: can't enroll with SEMS because of an unknown error.
    01-22-15 08:06 AM
  17. objectivemind
    If you can't see an authentication attempt in SEMS log -> Client then I believe there is a problem with the CA certificate on the BB.
    01-22-15 08:10 AM
  18. Erkan Kater
    Your email profile:

    Do you have hostnames in it or IP addresses?
    Explain if they are local or external IP addresses.
    01-22-15 08:12 AM
  19. objectivemind
    If all your other clients are working the BES configuration is fine, I think. You have to check the log on SEMS to see if it tries to authenticate. If there is nothing in the log then it is the CA certificate on the BB, because it won't even try to authenticate if it can't get past the SSL handshake, I believe. I use hostnames in the configuration and I think the SEMS hostname you enter in BES has to match the hostname on the SEMS certificate. I'm not 100% on that but I think that is the case.
    01-22-15 08:19 AM
  20. Erkan Kater
    OK, I also think that might be the problem.
    I exported the SSL cert from the SEMS server and imported it into the BES12 CA certificate.
    But before I could import it I had to convert it to a *.der file.
    And now I just looked on the device and it's also in the certificate list.
    01-22-15 08:19 AM
  21. Erkan Kater
    You are right about the log: it doesn't log anything that I do.
    No faults, no attempts, etc.
    01-22-15 08:24 AM
  22. Erkan Kater
    So let me explain what I did with the CA.
    I went to SEMS ---> System ---> Network,
    clicked on the cert and exported the public key.
    But it comes in *.pem format and BES12 asks for *.der format.
    So I converted it to *.der and added it to the CA certificate profile on the BES12.
    Then I added the profile to the user.

    Is this correct?
    01-22-15 08:30 AM
  23. objectivemind
    I don't believe that is the Root CA certificate you are exporting but just the server certificate. Basically you need the certificate of the authority that issued the certificate, if that makes any sense. You could probably do it from the command line if you have SSH access to SEMS, or you could set up your own Authority in Windows Server, if that's what you are using, and issue both from there. If you're willing to pay you could also buy a real certificate for 15-20 dollars with multiple hostnames and install it on SEMS, and get the CA root certificate from the issuer's website and install it on the BB. Maybe someone with more knowledge on the subject can advise better.
    01-22-15 08:34 AM
  24. Erkan Kater
    So I tried so many certificates and I am confused on which one.
    The article recently changed:

    KB36520-Enabling PGP on BlackBerry Enterprise Service 12

    It says: The PGP interface SSL cert must also be pushed from the BlackBerry Enterprise Service 12

    What interface, do they mean network interface?
    Because the whole server is full of certificates... so being a bit more specific would be great.
    Can we use the standard certificate of the interface, or do we need another certificate from a specific authority?
    Do we have to import the whole certificate with private key or only the public key?
    What kind of key can we use, 1024, 2048 or whatever?
    How can we in a safe way convert the key that we export to a *.der file?

    350 pages of BES12 and 350 pages of SEMS.
    I don't get who is behind so much writing and can't even write exactly what.

    One thing I know: iOS connected in a few seconds to the SEMS.

    Anyway you all get my point... It's a big puzzle...
    01-22-15 04:45 PM
  25. Erkan Kater
    "By default the SEMS will create a “Self Signed Certificate” – we cannot use that. The Certificate needs to be signed by a certificate authority – I used an internal MS CA to create my certificates etc.

    Simplest way to get the certificates, is to use a browser to connect to the SEMS Interface. You will then be able to view and copy the certificates to a .der file (You will need all certificates in the chain – usually the server and the CA Root) You will then need to create Individual CA Profiles for the Root certificate and the Server certificate.

    Thirdly and most important for now…. PGP doesn’t work over Enterprise connectivity. You have to be able to connect to the PGP server directly over Wi-Fi or the PGP server SSL interface published externally on the internet. Not even a work Wi-Fi, has to be as a personal Wi-Fi connection (manually configured)"

    So you can use WiFi but it has to be manually configured.
    Last edited by Erkan Kater; 02-25-15 at 11:06 AM.
    01-31-15 04:47 AM
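The two certificate questions that run through this thread (post 23: is the file exported from System -> Network the server certificate or the CA certificate, and post 24/25: how to get every certificate in the chain safely into the *.der form BES12 wants, and does the hostname in the mail profile have to match) can be answered with openssl alone. The script below is an added example and not code from the thread, BlackBerry or Symantec. Everything in it is constructed: it generates its own throwaway private CA and a server certificate for the assumed hostname sems.example.com, because a real SEMS is not reachable here. The same functions work unchanged on a chain you saved from the browser or captured from a live SEMS with `openssl s_client -connect host:443 -showcerts`.

```shell
#!/bin/sh
# Added example (not from the thread, BlackBerry or Symantec). Shows how to:
# split a PEM chain, tell the server cert from the CA cert, check that the
# hostname in the mail profile matches the cert, and convert each cert to DER.
# sems.example.com and the private CA below are CONSTRUCTED test material.
set -eu

make_constructed_chain() {            # builds $1/chain.pem = server cert + CA
  dir=$1; mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Constructed Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = sems.example.com
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sems.example.com
EOF
  # Self-signed root CA (stands in for an internal MS CA or a commercial CA).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server certificate for the SEMS SSL interface, issued by that CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/server.cnf" -extensions v3_server \
    -out "$dir/server.crt" 2>/dev/null
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/chain.pem"   # leaf first, like a server sends it
}

# Split a PEM bundle into $2/cert-N.pem (N in chain order); prints the count.
split_chain() {
  bundle=$1; outdir=$2; mkdir -p "$outdir"
  awk -v d="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", d, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
  ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# subject or issuer DN in RFC2253 form, so the two can be compared textually.
cert_field() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# A CA certificate carries basicConstraints CA:TRUE; the server cert does not.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# root-ca | intermediate-ca | server. Only CA certs belong in a trust profile;
# the server cert is the one the CA has to vouch for.
cert_role() {
  if is_ca_cert "$1"; then
    if [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]; then echo root-ca
    else echo intermediate-ca; fi
  else echo server; fi
}

# Does CA $2 vouch for leaf $1, and does name $3 (what you type into the mail
# profile) match the certificate's SAN/CN? Both must hold or the TLS handshake fails.
verify_leaf() { openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; }

# PEM -> DER. Only the public certificate is converted; a private key never leaves the server.
to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }

# A DER certificate starts with 0x30 (ASN.1 SEQUENCE); quick sanity check on the output.
der_magic() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }

main() {
  work=$(mktemp -d); make_constructed_chain "$work"
  echo "certificates in chain: $(split_chain "$work/chain.pem" "$work/split")"
  for pem in "$work"/split/cert-*.pem; do
    der="${pem%.pem}.der"; to_der "$pem" "$der"
    echo "$(basename "$pem"): $(cert_role "$pem"), $(cert_field "$pem" subject), DER magic $(der_magic "$der")"
  done
  verify_leaf "$work/split/cert-1.pem" "$work/split/cert-2.pem" sems.example.com \
    && echo "chain and hostname OK for sems.example.com"
  verify_leaf "$work/split/cert-1.pem" "$work/split/cert-2.pem" 192.0.2.10 \
    || echo "192.0.2.10 does not match the certificate (an IP in the profile fails the same way)"
  rm -rf "$work"
}
main
```

Run it as-is to see the constructed chain classified; for a real server, replace the `make_constructed_chain` step with the saved or captured chain and feed that file to `split_chain`. The root-ca file(s) it identifies are what go into the BES12 CA certificate profile as *.der; `verify_leaf` with the exact hostname you put in the mail profile tells you, before touching a device, whether the SEMS certificate would pass the handshake at all.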