ISEC7 - B*Nator EMM Suite
Configuration Guide
Version 4.2.0
December 8, 2014
© 2014 by ISEC7 Software Ltd.
The contents of this document are copyright protected; any guarantee is excluded. The reproduction of information or data, of texts, sections of text, or images is subject to the prior permission of ISEC7 Software Ltd. The place of fulfillment and sole legal domicile is Hamburg.
The company names Apple, Google, IBM, Microsoft, Novell, Palm, Research In Motion, Symbian and ISEC7 Software used in this document are the registered trademarks of these companies. The product names in this document are registered trademarks of the aforementioned companies as follows: iPhone, iPad (Apple), Android (Google), Lotus Domino (IBM), Lotus Notes (IBM), Lotus Notes Traveler (IBM), Novell GroupWise (Novell), Palm, webOS (Palm), BlackBerry, BlackBerry Enterprise Server (RIM - Research In Motion), Microsoft ActiveSync, Microsoft Exchange, Microsoft IIS, Microsoft Outlook, Microsoft SQL Server, Microsoft SQL Server Desktop Engine, Windows Mobile, Windows Phone (Microsoft), Symbian platform (Symbian) and B*Nator (ISEC7 Software).
Contents
1 Introduction . . . 1
1.1 Installation . . . 1
1.2 Installation resources . . . 1
1.3 Support contact . . . 1
2 Trust Store for Verifying Certificates . . . 2
2.1 Overview . . . 2
2.2 Using the Windows Trust Store . . . 2
2.2.1 Accessing the Windows Trust Store . . . 2
2.2.2 Apache Tomcat Configuration . . . 3
2.2.3 B*Nator Monitor Configuration . . . 3
3 Proxy Server Settings . . . 4
3.1 Proxy Settings via Configuration File . . . 4
4 BlackBerry Enterprise Server environments . . . 6
4.1 Overview . . . 6
4.2 Adding the BlackBerry Configuration Database . . . 8
4.2.1 Preparation and Requirements . . . 8
4.2.2 Adding the Database in B*Nator . . . 8
4.2.3 Module Tuning . . . 10
4.3 Basic Server Monitoring . . . 11
4.3.1 Log Parsing . . . 11
4.3.2 SNMP Monitoring . . . 11
4.3.3 Notifications . . . 11
4.4 Administration Configuration . . . 12
4.4.1 Authentication . . . 12
4.4.2 Installing the BUA . . . 13
4.4.3 Adding the BUA to B*Nator . . . 13
4.4.4 Configuration of the BUA . . . 14
4.4.5 Verifying the Administration Functionality . . . 14
4.5 Optional Feature . . . 16
4.6 Host Monitoring . . . 16
5 BlackBerry Enterprise Service 10 environments . . . 17
5.1 Overview . . . 17
5.2 Adding BlackBerry Web Services . . . 19
5.2.1 Preparation and Requirements . . . 19
5.2.2 Adding the BlackBerry Web Services in B*Nator . . . 19
5.2.3 Module Tuning . . . 21
5.3 Server Monitoring . . . 22
5.3.1 SNMP Monitoring Configuration . . . 22
5.3.2 Notifications . . . 22
5.4 Host Monitoring . . . 23
6 BlackBerry Enterprise Service 12 environments . . . 24
6.1 Overview . . . 24
6.2 Adding BlackBerry Web Services . . . 26
6.2.1 Preparation and Requirements . . . 26
6.2.2 Adding the BlackBerry Web Services in B*Nator . . . 26
6.2.3 Module Tuning . . . 28
6.3 Server Monitoring . . . 29
6.3.1 SNMP Monitoring Configuration . . . 29
6.3.2 Notifications . . . 29
6.4 Host Monitoring . . . 30
7 Microsoft Exchange Server Monitoring . . . 31
7.1 Overview . . . 31
7.2 Basic Exchange Server Configuration . . . 32
7.2.1 Adding Exchange Servers . . . 32
7.2.2 Configuring Exchange Servers . . . 32
7.3 Mailbox Monitoring . . . 33
7.3.1 Enabling the Mailbox Monitoring . . . 33
7.3.2 Update Interval . . . 33
7.3.3 Verifying the Functionality . . . 33
7.4 ActiveSync Monitoring . . . 34
7.4.1 Enabling the ActiveSync Monitoring . . . 34
7.4.2 Exchange 2007, 2010 and 2013 . . . 34
7.4.3 Exchange 2003 . . . 35
7.4.4 Verifying the Functionality . . . 35
8 Apple Mobile Device Management . . . 36
8.1 Certification Authority with SCEP Service . . . 37
8.1.1 SCEP Challenge . . . 37
8.1.2 Client certificates . . . 37
8.1.3 Recommendation . . . 37
8.1.4 Installation . . . 37
8.1.5 Issuing Certificates Automatically . . . 40
8.1.6 Configuration in B*Nator Web Interface . . . 40
8.1.7 Troubleshooting Network Device Enrollment Service . . . 41
8.2 Device Management Server Identity for B*Nator . . . 42
8.2.1 Validity of Identity Certificate Signature . . . 42
8.2.2 Creating the MDM Keystore . . . 42
8.2.3 Signing the Device Management Server Identity by a Certification Authority . . . 44
8.2.4 Importing the CA Reply into the MDM Alias . . . 46
8.2.5 Configuration in B*Nator Web Interface . . . 46
8.2.6 Renewing the Device Management Server Identity . . . 47
8.3 Push Certificate for Apple Push Notification System . . . 48
8.3.1 Short Description . . . 48
8.3.2 Creating the APNS Keystore . . . 48
8.3.3 Creating a signed Certificate Signing Request from the APNS Alias . . . 50
8.3.4 Creating a Push Certificate in the Apple Push Certificate Portal . . . 51
8.3.5 Importing the Push Certificate into the APNS Alias . . . 52
8.3.6 Configuration in B*Nator Web Interface . . . 53
8.3.7 Renewing the Push Certificate . . . 53
9 Host Monitoring . . . 55
9.1 Setting the Monitoring Options . . . 56
9.1.1 SNMP Configuration . . . 57
9.2 Reachability . . . 57
9.2.1 Configuring the Threshold . . . 57
9.2.2 Possible Statuses . . . 57
9.2.3 Ping Interval . . . 58
9.2.4 Notifications . . . 58
9.3 Host Information . . . 58
9.4 System Services . . . 58
9.5 CPU Usage . . . 58
9.6 Memory Usage . . . 58
9.7 Network Usage . . . 58
9.8 Data Storage Devices . . . 59
9.8.1 Configuring the Threshold . . . 59
9.8.2 Possible Statuses . . . 59
9.8.3 Update Interval . . . 59
9.8.4 Notifications . . . 60
9.9 System Time Drift . . . 60
10 System Configurations . . . 61
10.1 Changing the Logging Level . . . 61
10.2 LDAP Configurations . . . 62
10.2.1 Adding new LDAP Configurations . . . 62
10.2.2 Editing LDAP Configurations . . . 62
10.2.3 Using Active Directory Logins . . . 64
10.3 Managing Access to the Web Application . . . 65
10.3.1 Global Permissions . . . 65
10.3.2 User Self Service Permissions . . . 66
10.3.3 Permission Editor . . . 67
10.4 Notifications . . . 69
10.4.1 Overview . . . 69
10.4.2 Notification Recipient Lists . . . 69
10.4.3 Working with Notification Recipient Lists . . . 71
10.5 Outgoing Mail Server Configuration . . . 72
10.5.1 Connection Security . . . 72
10.5.2 Send-from Address and Authentication . . . 72
10.5.3 Configuring the SMTP Gateway . . . 72
10.5.4 Testing the Outgoing Mail Server Configuration . . . 73
10.6 B*Nator Local Users and Groups . . . 74
10.6.1 Users . . . 74
10.6.2 Groups . . . 75
10.7 Installing B*Nator Agents . . . 76
Chapter 1
Introduction
After the installation has completed successfully, the environment to be monitored and managed can be configured. The configuration consists of several key aspects, which are described in this guide. Configuring B*Nator is the larger part of the installation and configuration process: for each environment to be monitored and managed, several smaller configurations are required to enable the full functionality of all features.
1.1 Installation
The installation of B*Nator must already have been completed successfully before the configurations described in this guide are performed. For more information about installing B*Nator, please refer to the Installation Guide.
1.2 Installation resources
All resources, such as documentation, installers or 3rd-party software required for configuring the components of B*Nator, are available from the B*Nator download area¹.
1.3 Support contact
For further details or assistance while configuring B*Nator you can also contact the support team at:
Europe
Email: bnator@isec7.com
Phone: +49 40 32 50 76 60
United States
Email: bnator-us@isec7.com
Phone: +1-908-279-7977
¹ http://www.bnator.com/releasenotes
Chapter 2
Trust Store for Verifying Certificates
This chapter covers the configuration required for trusting certificates when using Secure Sockets Layer (SSL) connections. For these, the peer certificate must be verifiable by the client, i.e. by the 'Apache Tomcat', 'B*Nator Monitor' or 'B*Nator Agent' services, for connections such as:
• HTTPS connections to web services, like the BlackBerry Web Services
• Encrypted SQL connections to BlackBerry Configuration Databases
• LDAPS connections for secured logins
• Secured SMTP connections for sending notifications
A peer certificate is verified only if it chains to a certificate in the client's trust store, so the trust store should contain exactly the CA certificates (or self-signed server certificates) that these connections need and nothing more: every certificate issued under an imported CA becomes trusted for all of them.
2.1 Overview
Because 'Apache Tomcat' and 'B*Nator' are Java applications, each uses the Java trust store that comes with the Java installation it runs on. For a better understanding and easier management of the certificates that each application trusts, they should be configured to use the same trust store.
With the recommended installation settings, the 'Apache Tomcat' and 'B*Nator Monitor' services both run under the same service account. This service account has a certificate trust store in Windows, which Java applications can also use once they have been configured to do so.
2.2 Using the Windows Trust Store
To configure 'Apache Tomcat' and 'B*Nator Monitor' to use the Windows trust store of the service account, both services must run as that service account. The configuration itself is done in the process runner configuration of each service.
2.2.1 Accessing the Windows Trust Store
While logged in to the B*Nator server as the service account, run certmgr.msc to open the service account's 'Certificates' Management Console ('Current User', not 'Local Computer').
The 'Trusted Root Certification Authorities / Certificates' store is the one that Java applications can be configured to use; Java addresses it by the key store type 'Windows-ROOT'. Because this store belongs to the logged-in user, a certificate imported while logged in as a different administrator account is not visible to the services.
Importing Certificates
A certificate is imported into this store as follows:
1. Open the Windows Certificates Management Console of the service account, as described before
2. Expand 'Trusted Root Certification Authorities'
3. Select 'Certificates'
4. Right-click it or use the MSC 'Action' menu and navigate to 'All Tasks / Import...'
5. Follow the wizard to navigate to the root certificate that should be imported and finish it
2.2.2 Apache Tomcat Configuration
This configuration makes 'Apache Tomcat' use the Windows trust store.
1. Open 'Configure Tomcat' from the start menu or from its installation directory, e.g.:
C:\Program Files (x86)\Apache Software Foundation\Tomcat6.0\bin\tomcat6w.exe
Note: If UAC is enabled, make sure to run this application with administrative permissions. Sometimes using an elevated command line is useful.
2. Select the 'Java' tab
3. Enter the following parameter on a new line of the 'Java Options' text field, keeping the case and without additional characters or white space before or after it:
-Djavax.net.ssl.trustStoreType=Windows-ROOT
4. Click the OK button to save this configuration
5. Restart the 'Apache Tomcat' Windows service to make the changes take effect
2.2.3 B*Nator Monitor Configuration
This configuration makes the 'B*Nator Monitor' use the Windows trust store.
1. Open the 'B*Nator Monitor Configuration' from the installation directory, e.g.:
C:\Program Files (x86)\BNator\bin\monitorw.bat
Note: If UAC is enabled, make sure to run this application with administrative permissions. Sometimes using an elevated command line is useful.
2. Select the 'Java' tab
3. Enter the following parameter on a new line of the 'Java Options' text field, keeping the case and without additional characters or white space before or after it:
-Djavax.net.ssl.trustStoreType=Windows-ROOT
4. Click the OK button to save this configuration
5. Restart the 'B*Nator Monitor' Windows service to make the changes take effect
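The procedure in sections 2.2.1 to 2.2.3 has two silent failure modes: the certificate is imported into the wrong user's store, or it is imported correctly but the Java runtime the services use never sees it. The following Windows PowerShell script, an added example that is not part of the ISEC7 guide, checks both and performs the import from the command line. The Windows service names 'Tomcat6' and 'BNatorMonitor', the path C:\certs\company-root-ca.cer and the presence of keytool.exe (from the JRE the services use) on the PATH are assumptions, not values from the guide.

```powershell
# Added example, not part of the B*Nator guide. Run it in a PowerShell session
# started as the service account, because the store it fills is per user.
# Assumed (not stated in the guide): Windows service names 'Tomcat6' and
# 'BNatorMonitor', the CA file C:\certs\company-root-ca.cer, and keytool.exe
# from the JRE those services use being on the PATH.
$ServiceNames = 'Tomcat6', 'BNatorMonitor'
$CaFile       = 'C:\certs\company-root-ca.cer'

# 1. Both services must log on as this account, otherwise they never see the store.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "service '$name' not found"; continue }
    $logon = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"   # '.\user' -> 'HOST\user'
    if ($logon -ne $me) {
        Write-Warning "'$name' logs on as '$logon', not '$me'; it will not use this trust store"
    }
}

# 2. Import the CA certificate into CurrentUser\Root, which is what Java's
#    'Windows-ROOT' store type maps to. Windows asks for confirmation before a root
#    certificate enters a user store; re-importing the same certificate is a no-op.
$cert = Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\CurrentUser\Root'
'imported {0}, thumbprint {1}, valid until {2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 3. Only a CA certificate belongs here: anything issued under it is trusted by every
#    connection type listed at the start of this chapter.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "$($cert.Subject) carries no CA basic constraint; only peers presenting this exact certificate will verify"
}

# 4. Confirm Java lists the entry through the same store that
#    -Djavax.net.ssl.trustStoreType=Windows-ROOT selects. keytool prints the SHA-1
#    fingerprint as colon-separated hex; .NET's Thumbprint is the same hash without colons.
$fingerprint = $cert.Thumbprint -replace '(..)(?!$)', '$1:'
$hit = & keytool -list -v -storetype Windows-ROOT -keystore NONE 2>&1 | Select-String -SimpleMatch $fingerprint
if ($hit) { "Java Windows-ROOT store contains $($cert.Subject)" }
else      { Write-Warning 'keytool does not list the certificate; check that the JRE on the PATH is the one the services use' }
```

The keytool check in step 4 is the one worth keeping after the import: it reads the store through the same SunMSCAPI provider the Tomcat and Monitor processes use, so an entry that shows up there will be used for certificate verification once the Java option has been set and the services restarted.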
Chapter 3
Proxy Server Settings
This chapter covers the proxy server configuration settings. The following proxy server configurations are listed in order of their priority; the first one that is configured is used:
1. Configuration via web application: In this case, the proxy server settings are provided in the web application. They are stored in the B*Nator database and are used for every HTTP/S connection.
Note: No exceptions can be configured.
2. Configuration via configuration file: In this case, the proxy server settings are provided in the 'config.properties' file in the '/conf' subfolder of the installation directory.
Note: Exceptions are fully supported. The Apache Tomcat and B*Nator Monitor services have to be restarted after the configuration file was modified.
3. Configuration via 'Windows Internet Settings': This type of configuration is in effect by default, because the other two are unconfigured by default.
Note: Exceptions do not work with wildcards; full hostnames always have to be configured in the 'Windows Internet Settings'. Sometimes 'localhost' has to be added as an exception, too.
If proxy server settings are required, it is recommended to use the configuration file.
3.1 Proxy Settings via Configuration File
The configuration file is located in the '/conf' subfolder of the B*Nator installation directory. It can be modified using a text editor.
C:\Program Files (x86)\BNator\conf\config.properties
Note: When User Account Control (UAC) is activated, the editor should be started with administrative permissions, otherwise the file cannot be saved to its location. As a workaround, the file can be saved to the desktop and moved back to its origin.
Add each of the following configuration parameters on a new line. Make sure to keep the correct case and not to enter other characters or white space at the beginning or the end of each line.
• http.proxyHost=proxy.company.com
• http.proxyPort=8080
• http.nonProxyHosts=*.company.com|192.168.*|srv-bes1
Hosts matching 'http.nonProxyHosts' are connected directly, so internal hosts that B*Nator reaches over HTTP/S, such as the BlackBerry Web Services or Exchange servers, should be listed there rather than routed through the proxy. For more information about these parameters and the syntax for providing the non-proxy hosts, please refer to the 'Java Networking Properties Documentation' about 'Proxies'¹; note that it defines separate 'https.proxyHost' and 'https.proxyPort' properties for HTTPS connections, which share the 'http.nonProxyHosts' list.
When the file has been modified, the 'Apache Tomcat' and 'B*Nator Monitor' services need to be restarted to make the changes take effect.
¹ https://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html#Proxies
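Editing config.properties by hand tends to leave behind exactly the defects the section warns about (trailing white space, duplicated keys, a UTF-8 byte-order mark written by the editor), and it gives no feedback about which hosts the exception list actually covers. The following Windows PowerShell script is an added example, not part of the ISEC7 guide or the product: it rewrites the three keys idempotently, then evaluates the exception list against a few constructed host names, then restarts the services. The install path and the service names 'Tomcat6' and 'BNatorMonitor' are assumptions; the host names in the loop are constructed for the demonstration.

```powershell
# Added example, not part of the B*Nator guide. Sets the three proxy keys in
# config.properties idempotently, shows which hosts the exception list bypasses,
# and restarts the two services. Assumed (not from the guide): the install path
# below and the Windows service names 'Tomcat6' and 'BNatorMonitor'.
$ConfigFile = 'C:\Program Files (x86)\BNator\conf\config.properties'

function Set-ProxyProperties {
    param([string]$Path, [string]$ProxyHost, [int]$ProxyPort, [string]$NonProxyHosts)
    $wanted = [ordered]@{
        'http.proxyHost'     = $ProxyHost
        'http.proxyPort'     = $ProxyPort
        'http.nonProxyHosts' = $NonProxyHosts
    }
    $done  = @{}
    $out   = New-Object System.Collections.Generic.List[string]
    $lines = if (Test-Path $Path) { [System.IO.File]::ReadAllLines($Path) } else { @() }
    foreach ($line in $lines) {
        # Key = text before the first '=' or ':'; Java property keys are case-sensitive.
        $key = ($line -split '[=:]', 2)[0].Trim()
        if ($wanted.Contains($key)) {
            # First occurrence is rewritten in place; later duplicates are dropped,
            # because Java would otherwise let the last one win.
            if (-not $done[$key]) { $out.Add("$key=$($wanted[$key])"); $done[$key] = $true }
        } else {
            $out.Add($line)
        }
    }
    foreach ($key in $wanted.Keys) {
        if (-not $done[$key]) { $out.Add("$key=$($wanted[$key])") }   # append missing keys
    }
    # Java reads .properties as ISO-8859-1. A UTF-8 BOM would become part of the
    # first key, so the file is written without one.
    [System.IO.File]::WriteAllLines($Path, $out.ToArray(), [System.Text.Encoding]::GetEncoding('iso-8859-1'))
}

function Test-NonProxyHost {
    # Approximates Java's http.nonProxyHosts rule: entries separated by '|', '*' is the
    # only wildcard, the whole host name must match, comparison is case-insensitive.
    param([string]$HostName, [string]$NonProxyHosts)
    foreach ($entry in ($NonProxyHosts -split '\|')) {
        if (-not $entry) { continue }
        $regex = '^' + ([regex]::Escape($entry) -replace '\\\*', '.*') + '$'
        if ($HostName -match $regex) { return $true }   # -match is case-insensitive
    }
    return $false
}

$nonProxy = '*.company.com|192.168.*|srv-bes1'
Set-ProxyProperties -Path $ConfigFile -ProxyHost 'proxy.company.com' -ProxyPort 8080 -NonProxyHosts $nonProxy

# Constructed sample host names, to show which ones bypass the proxy.
foreach ($h in 'bes1.company.com', '192.168.10.5', 'srv-bes1', 'SRV-BES1.company.com', 'push.example.net') {
    '{0,-24} {1}' -f $h, $(if (Test-NonProxyHost $h $nonProxy) { 'direct' } else { 'via proxy' })
}

Restart-Service -Name 'Tomcat6', 'BNatorMonitor'   # required for the file to take effect
```

With the list from the guide, the loop reports the first four names as 'direct' and 'push.example.net' as 'via proxy'; a short host name such as 'srv-bes1' only matches if it is listed literally, which is why the guide's example carries it in addition to '*.company.com'.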
Chapter 4
BlackBerry Enterprise Server environments
This chapter covers the required configuration to add a BlackBerry Enterprise Server environment (domain) to B*Nator.
4.1 Overview
The main information source of a BlackBerry Enterprise Server domain is the 'BlackBerry Configuration Database'. It is accessed by a 'BES DB Parser' module via T-SQL connections to get details about BlackBerry servers, mail servers, users, devices, groups, policies etc.
Note: All servers that are found will automatically be added to the monitoring, so they do not have to be added manually later.
For additional monitoring features, a 'B*Nator Agent' has to be installed on each server to get local information about the system performance and to access the BES log files.
Further monitoring information about BES servers is received using the 'SNMP Collector' module. For this reason the Windows 'SNMP Service' has to be installed on each server, too.
For administration features, a 'BlackBerry User Administration' command-line tool has to be installed on any server on the network; that server is added to B*Nator manually and the tool is executed by a local 'B*Nator Agent'.
The following picture shows an overview of the required components and connections:
[Figure: component overview. Labels in the figure: BES DB Parser; BlackBerry Configuration Database (BESMgmt); SNMP Collector; BlackBerry Enterprise Server values; Host Resource values; BlackBerry Administration Service / BlackBerry Administration API; BES Log Files; Host Monitor; BES Log Parser; BES Registry Parser; Agent Log Parser; BlackBerry Enterprise Server Details; Host Information Collector; Windows Management Instrumentation (WMI); Host Resource values; BES User Admin Client Service; BES Administration Executor Command-Line Tool.]
4.2 Adding the BlackBerry Configuration Database
As stated before, the 'BlackBerry Configuration Database' is the main source of information about a BlackBerry Enterprise Server environment. It needs to be added to B*Nator.
4.2.1 Preparation and Requirements
In order to access the BlackBerry Configuration Database, it has to be accessible for TCP/IP connections over the network and an account to read the database is required.
TCP/IP Access
TCP/IP connections have to be enabled for the SQL Server, which is not the case by default. In addition, either the 'Instance Name' of the SQL Server where the BlackBerry database is located or its TCP/IP port, if a static port is used, is needed.
Database Access
To access the BlackBerry database an account with 'datareader' permissions on it is needed. It is recommended to use the B*Nator service account if possible.
If the BlackBerry database is the target for BlackBerry user migrations with B*Nator, the 'datawriter' permission is required as well. The account does not need any rights beyond these two database roles, so a login with broader rights (such as 'sa' or a member of 'db_owner') should not be used.
Verifying the Accessibility of the Database
The database is located on a local or remote SQL Server instance. The connection can be established using the SQL Server 'Instance Name', which is used to look up the current port for TCP connections to the SQL Server. Alternatively a static port can be used for the connection.
The default 'Instance Name' of local SQL Server installations usually is 'BLACKBERRY'. The default static port of a SQL Server instance is '1433'.
The connectivity to a static port can be verified by opening a connection using a 'Telnet' client:
telnet sql.company.com 1433
Note: A named instance on a dynamic port is resolved through the SQL Server Browser service (UDP port 1434), so a Telnet connection to 1433 says nothing about it. The Telnet check also only proves that the port is open, not that the login or its permissions work.
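The Telnet test above stops at the TCP handshake. Everything the 'BES DB Parser' needs after that (a working login, an encrypted session, the 'datareader' role on the database) is only discovered once the module is activated and its log is inspected. The following Windows PowerShell script is an added example, not part of the ISEC7 guide, that tests all of it in one connection attempt using the same .NET SqlClient that ships with Windows. The host sql.company.com, the instance name BLACKBERRY and the database name BESMgmt are taken from this section; that the script is run as the B*Nator service account (which makes it test the 'Windows Authentication (Single Sign-On)' case exactly) and that SQL Server 2008 or later is in use (needed for CONNECTIONPROPERTY) are assumptions.

```powershell
# Added example, not part of the B*Nator guide. Exercises, in one go, what the
# 'BES DB Parser' will need: TCP reachability, login, an encrypted connection and
# the db_datareader role (plus db_datawriter when user migrations are planned).
# Assumed values (not from the guide): host sql.company.com, instance BLACKBERRY,
# database BESMgmt. Run it as the B*Nator service account to test exactly the
# 'Windows Authentication (Single Sign-On)' case.
param(
    [string]$SqlHost    = 'sql.company.com',
    [string]$Instance   = 'BLACKBERRY',  # ignored when a port is given
    [int]   $Port       = 0,             # 0 = named instance, resolved via SQL Browser (UDP 1434)
    [string]$Database   = 'BESMgmt',
    [switch]$NeedWriter                  # only for BlackBerry user migrations
)

# 1. A Telnet-style probe only makes sense for a static port; a dynamic instance
#    port is looked up through SQL Browser, which a TCP probe of 1433 does not cover.
if ($Port -gt 0 -and -not (Test-NetConnection -ComputerName $SqlHost -Port $Port -InformationLevel Quiet)) {
    throw "no TCP connection to ${SqlHost}:$Port"
}

# 2. Encrypt=True with TrustServerCertificate=False refuses to fall back to a plaintext
#    session (the 'Request' behaviour) and validates the SQL Server certificate against
#    the Windows trust store; a successful Open() therefore already proves encryption.
$source = if ($Port -gt 0) { "$SqlHost,$Port" } elseif ($Instance) { "$SqlHost\$Instance" } else { $SqlHost }
$cs = "Server=$source;Database=$Database;Integrated Security=True;Encrypt=True;TrustServerCertificate=False;Connect Timeout=10"

$conn = New-Object System.Data.SqlClient.SqlConnection($cs)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # CONNECTIONPROPERTY needs SQL Server 2008 or later; IS_ROLEMEMBER answers for the
    # database named in the connection string, i.e. the BlackBerry database itself.
    $cmd.CommandText = @"
SELECT SUSER_SNAME()                                                 AS login_name,
       CONVERT(varchar(40), CONNECTIONPROPERTY('auth_scheme'))       AS auth_scheme,
       CONVERT(varchar(40), CONNECTIONPROPERTY('net_transport'))     AS net_transport,
       CONVERT(varchar(10), CONNECTIONPROPERTY('local_tcp_port'))    AS tcp_port,
       IS_ROLEMEMBER('db_datareader')                                AS is_datareader,
       IS_ROLEMEMBER('db_datawriter')                                AS is_datawriter
"@
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    $info = [ordered]@{}
    for ($i = 0; $i -lt $r.FieldCount; $i++) { $info[$r.GetName($i)] = $r.GetValue($i) }
    $r.Close()
    [pscustomobject]$info | Format-List

    if ($info.is_datareader -ne 1) { Write-Warning "$($info.login_name) lacks db_datareader on $Database" }
    if ($NeedWriter -and $info.is_datawriter -ne 1) { Write-Warning "$($info.login_name) lacks db_datawriter, required for migrations" }
}
finally {
    $conn.Close()
}
```

Two of the printed values are directly useful for the form in section 4.2.2: 'tcp_port' is the port the named instance is currently listening on (the value to enter as 'Port' if a static port is preferred over the instance name), and 'auth_scheme' shows whether the Windows login was negotiated as KERBEROS or NTLM. If Open() fails with a certificate error while the Telnet test succeeds, the SQL Server's certificate is not trusted, which is the chapter 2 problem rather than a network one.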
4.2.2 Adding the Database in B*Nator
Adding BlackBerry Configuration Databases to B*Nator is only possible with administrative permissions. The SQL Server hostname, instance name or port, the database name and the login have to be provided, which are then used to create a new 'BES DB Parser' module in B*Nator. The new module can then be activated to retrieve information from the database.
Providing the Database Details
1. Use menu 'ADMINISTRATION\Infrastructure\Add Systems\Add BES Management Database'
2. Choose to create a new 'Microsoft SQL Server', if the SQL Server instance that holds the BlackBerry Configuration Database has not already been added to B*Nator. Otherwise an existing SQL Server can be selected from the drop-down menu, to indicate that the database is located there. In this case, you can skip the next steps until the 'Details for MSSQL Database' have to be entered.
3. Provide the 'Details for Host of SQL Server'
(a) Enter the 'Hostname' of the host where the SQL Server is located
(b) The 'IP Address' is optional and only required if the 'Hostname' cannot be resolved
(c) Selecting a 'Tunneling host' is optional. It selects a host from the drop-down menu on which a B*Nator Agent is installed, so that the connection from the B*Nator Monitor to the BlackBerry database is tunneled through the local B*Nator Agent on that third host.
4. Provide the 'Details for MSSQL Server'
(a) Enter the name of the SQL Server 'Instance' where the database is located or leave it blank
(b) The 'Port' number of the SQL Server instance is optional and can be used if no 'Instance' name should be used. If a 'Port' is entered, it is always used for the connection, even if an 'Instance' name was entered. If the 'Port' is left blank, the default port is '1433'.
Note: If neither an 'Instance' name nor a 'Port' number is given, B*Nator tries to establish a connection with the default values.
(c) Choose whether an 'Encryption' method should be used for the connection to the SQL Server. Hover with the mouse over the 'Encryption' text for more details about each option.
Note: Since SQL Server 2005 (including Express), encryption is supported and enabled by default. Choosing 'Request' as the encryption method asks the SQL Server to use encryption but falls back to no encryption if the SQL Server does not support it; in that case the login credentials and the database contents cross the network in cleartext without any warning. If an option that requires encryption is offered and the SQL Server's certificate is trusted by the Windows trust store (chapter 2), prefer that option.
(d) The option 'Create SQL Server without database' only creates the SQL Server in B*Nator, without creating a BlackBerry database and a related 'BES DB Parser' module
5. Provide the 'Details for MSSQL Database'
(a) Enter the 'Name' of the BlackBerry database. The default name 'BESMgmt' is already prefilled, but can be modified.
(b) Select the method for the 'Authentication' with the database.
• SQL Authentication: Login using a SQL Server account by providing 'Username' and 'Password'.
• Windows Authentication (Username and Password): Login using Windows Authentication by providing 'Username', 'Password' and 'Domain'.
• Windows Authentication (Single Sign-On): Login using the credentials that the 'B*Nator Monitor' service logs on with, i.e. the B*Nator service account.
Note: If a 'Tunneling Host' was selected, the credentials that the 'B*Nator Agent' service on the selected tunneling host logs on with are used.
(c) Enter the 'Username' of a login with permissions to access the BlackBerry database, if required for the selected 'Authentication' method
(d) Enter the 'Password' for the given 'Username', if required for the selected 'Authentication' method
(e) Enter the 'Domain' name for the given 'Username', if required for the selected 'Authentication' method
[Screenshot: the 'Add BES Management Database' form, filled with the example values SQL Server: Microsoft SQL Server; Hostname: sql.company.com; IP Address: (empty); Tunneling Host: ---; Instance: (empty); Port (Optional): (empty); Encryption: Request; Create SQL Server without database; Name: BESMgmt; Authentication: Windows Authentication (Username and Password); Username: svc-emm; Password: (hidden); Domain: COMPANY; and the 'add' button.]
After clicking the add button the new environment with a related 'BES DB Parser' module is added. The web application switches to the 'Infrastructure Management' page and preloads the newly added SQL Server configuration.
Starting the new BES DB Parser module
1. Use menu 'ADMINISTRATION\B*Nator\Modules'
2. Look for the newly added 'BES DB Parser' that shows the entered BlackBerry database configuration in brackets, like BES DB Parser (sql.company.com.BESMgmt).
3. Click Activate to start the module.
4. Open the modules page again from the menu to verify that the module makes progress.
If the module stops working, review the 'BESDBParser_xxx.log' file in the B*Nator logs folder for further details. Possible issues are network connection problems, invalid credentials or insufficient permissions.
If the module makes progress, the BlackBerry Enterprise Servers should appear in the server 'Navigation' bar on the left and the users and devices should show up in the 'Users & Devices' list.
4.2.3 Module Tuning
The 'BES DB Parser' module operates at its configured interval. Depending on the database size and the quality of the connection to it, a run may take more or less time than the configured interval, which can be adapted to the environment's performance.
Once the module is activated and started, it constantly updates the information from the environment.
4.3 Basic Server Monitoring
The monitoring configuration for BlackBerry Enterprise Servers is done in the 'Infrastructure Management' page.
1. Use menu ADMINISTRATION\Infrastructure\Management
2. Expand the name of the host that has a 'BlackBerry Enterprise Server'
3. Select the 'BlackBerry Enterprise Server' service type
4.3.1 Log Parsing
The BlackBerry Enterprise Server log files are a source for several events on the server as well as for possible 'Compliance' issues. There are two types of log parsing that can be activated.
• Service Logs: Enables parsing the default log files for common events and all types of 'Error' or 'Warning' entries. It is recommended to enable this option.
• Compliance Logs: Enables parsing the 'PIN', 'SMS' and 'PhoneCall' logs for entries that match specific blacklisted criteria.
Note: Even if this feature is enabled, reading those logs is only possible if the BlackBerry server itself has been configured to write them.
[Form: 'Log Parsing' with the check boxes 'Service Logs' and 'Compliance Logs' and a 'Change' button.]
Clicking the Change button saves the configuration.
Reading the server log files requires a local 'B*Nator Agent' to be installed on the server, as described in section 10.7.
4.3.2 SNMP Monitoring
The 'SNMP' tab contains a single setting, which enables this server to be monitored by the 'SNMP Collector' module.
[Form: 'SNMP' with the check box 'Use for Service Monitoring' and a 'Change' button.]
When this setting is enabled, the SNMP 'Community Name' also has to be configured on the 'SNMP' tab of the server's host configuration. For more information about this please refer to subsection 9.1.1. The community name is the only credential SNMP v1/v2c has, and it is sent in cleartext with every request, so use a value other than the default 'public' and restrict the Windows 'SNMP Service' on the monitored server to accept packets only from the B*Nator server.
4.3.3 Notifications
On this configuration tab the notification recipient lists for this server can be selected, as described in section 10.4.3, to control who receives notifications about it. For general information about notifications, please refer to section 10.4.
4.4 Administration Configuration
For administration features, at least one ’BlackBerry User Administration’ Tool (BUA) or Service has to be
installed per BlackBerry domain, depending on the BlackBerry Enterprise Server version.
• BlackBerry Enterprise Server 4.x: ’BlackBerry User Administration Service’. Installed as a Windows
Service that accesses the BlackBerry Configuration Database.
• BlackBerry Enterprise Server 5.x: ’BlackBerry User Administration Tool’. Installed only as a tool
that connects to the ’BlackBerry Administration Service - BlackBerry Administration API’.
This is a command-line tool that is part of the ’BlackBerry Resource Kit’. The tool can be installed on any
server in the network. It is executed by a local ’B*Nator Agent’, which runs the command lines and reports
the results back to the B*Nator server.
The following picture shows an overview of this functionality for a BlackBerry Enterprise Server 5 environment using a BlackBerry User Administration Tool.
[Figure: components ’BlackBerry Administration Service’ (BlackBerry Administration API), ’BES User Admin Client Service’ and ’BES Administration Executor’ (command-line tool)]
For BlackBerry user migrations with B*Nator, it is recommended to install and configure more than one BUA
for load balancing reasons.
4.4.1 Authentication
The BUA authentication is different between the ’Service’ and the ’Tool’.
• BlackBerry User Administration Service (4.x): During the installation of the service, a password has
to be provided that is required to execute it later.
• BlackBerry User Administration Tool (5.x): The tool connects to the ’BlackBerry Administration
Service - BlackBerry Administration API’ and requires the credentials of an account that has
a sufficient role on the BlackBerry Administration Service. For the full range of B*Nator features a
’BlackBerry Administration Service’ login (local user) with the ’Enterprise Administrator’ role is required
on the BAS.
Creating a local BES5 Enterprise Administrator login
1. Log on to the BlackBerry Administration Service with a ’Security Administrator’ login
2. Create an ’Administrator User’
3. Provide a ’Display Name’
4. Select the ’BlackBerry Administration Service’ authentication type from the drop-down menu
5. Provide a login ’Name’
6. Provide a password for the user
7. Repeat the password
8. Enter the ’Administrator Password’ of the account that you are currently logged in with
9. Select the ’Enterprise Administrator’ role from the drop-down menu
10. Create the user account
11. Log out and log in with the newly created account for verification
Note: The password of this user account expires after one year. Make sure to renew the password in time.
4.4.2 Installing the BUA
The BUA that is used should match the BlackBerry Enterprise Server version that it works for. The download
is available in the B*Nator download area (http://www.bnator.com/releasenotes).
The installation of the BUA is different between the service and the ’Tool’. Please follow the related official
installation documentation for further details.
• BlackBerry User Administration Service (4.x): The service is installed from the command line. During
the installation a ’client password’ has to be provided that is required to execute it later. This password
must not be blank, but consist of numbers and letters only and be at least 5 characters long.
• BlackBerry User Administration Tool (5.x): The tool is installed using a Windows installer that needs
to be provided with the fully qualified domain name of the host where the related ’BlackBerry Administration
Service’ is installed. It then validates the access to the BAS using the given FQDN and also verifies
the web server’s certificate.
Hint: If the BAS is not available using the HTTPS default port ’443’, the port number can be entered
manually with the FQDN, e.g. bas.company.com:38443
4.4.3 Adding the BUA to B*Nator
B*Nator cannot find a BUA installation automatically, so it has to be added manually.
1. Use menu ’ADMINISTRATION\Infrastructure\Add Systems\Add Host’
2. Enter the ’Hostname’ of the host, where the BUA is installed
3. The ’IP Address’ is optional and only required, if the ’Hostname’ cannot be resolved
4. Select ’BES User Administration Tool’ from the ’Type’ drop-down menu.
Note: BlackBerry User Administration ’Services’ and ’Tools’ both are ’BES User Administration Tools’
in B*Nator.
[Screenshot: ’Add Host’ form with Hostname ’bes-app.company.com’, IP Address, Type ’BES User Administration Tool’ and the Add button]
After clicking the Add button the BUA is added and the web application switches to the ’Infrastructure
Management’ page and preloads its configuration.
4.4.4 Configuration of the BUA
1. At first, the ’BES Management Database for which the BES User Administration Tool is configured on
this host’ has to be selected from the drop-down list.
2. The ’BES User Administration Tool Path’ is the local directory where the tool is installed on the host,
e.g. ’C:\Program Files (x86)\Research in Motion\BlackBerry Enterprise Server Resource Kit\BlackBerry
User Administration Tool Client’
3. Select the ’BES User Administration Tool version’ from the drop-down menu
4. The ’BES User Administration Tool username’ is the login name of the BlackBerry Administration Service
login that should be used for the BUA.
Note: The username is not required for version 4.x
5. The ’BES User Administration Tool password’ has to be typed in twice. It must not contain one of the
following characters: ’&’ or ’-’
Note: For version 5.x it is the password for the given username. For version 4.x, it is the password for
the service that was configured during the installation.
[Screenshot: ’Configuration’ tab with the BES Management Database ’sql.company.com.BESMgmt’, the BES User Administration Tool Path ’C:\Program Files (x86)\Research in Mo. . .’, the version ’BES 5.x’, the username ’svc-emm’, the password typed in twice (hint: do not use the characters & or -) and the Change button]
4.4.5 Verifying the Administration Functionality
The functionality of the administration configuration can be verified by executing a harmless administrative
action, like resending the service book to a BlackBerry device.
1. Use the main menu ’Users & Devices’
2. Look up a test user of the environment the BUA was installed for
3. Click the ’Display Name’ to open the relationship detail page
4. Select the ’Administration’ tab
5. Execute the ’Resend Service Book’ action
6. Verify the execution of the action in the panel that is displayed at the top of the page.
[Screenshot: administrative action panel with the fields Time (May 8, 2014 3:25:26 PM), Agent host (BES-APP), Action type (Resend Service Book), Server (BES), Description (jdoe@company.com), Result (Pending. . .) and a Refresh button]
Clicking the Refresh button refreshes the administrative action panel with the action ’Result’.
Results
Administrative actions can have the following results.
• Pending. . . : The administrative action is executed by the ’B*Nator Agent’ on the ’Agent host’ and a
result is not yet received
• Done: The administrative action was successfully executed. Hovering with the mouse over the underlined text shows the command-line output of the BUA for further details.
• Problem: The administrative action was not successfully executed. Hovering with the mouse over the
underlined text shows the command-line output of the BUA for further details.
Example: If the username and/or password in the configuration of a BUA version 5.x is incorrect, the
BUA will be executed using wrong credentials. This means, the BUA will authenticate with the
BlackBerry Administration Service using invalid credentials, so the result in BUA might be:
Unauthorized: User is not authorized to perform this operation.
• No useable BES User Administration Tool found: The administrative action was not executed,
because no BUA configuration was found or all existing tools are either not in a good shape or the
underlying hosts do not have a good status.
Example: If a BUA is installed on host ’A’ that works for BlackBerry domain ’B’, but the ’Average
Ping Time’ of host ’A’ has a ’Warning’ status, this host cannot be used for BUA features. If no
other host has a BUA for BlackBerry domain ’B’ installed, the result is:
No useable BES User Administration Tool found
4.5 Optional Feature
The following features are optional to configure.
Info Channel Push: Pushes a B*Nator icon to the home screen of the BlackBerry devices, providing a deep
link into the B*Nator web application, showing detailed traffic usage information for the user.
B*Nator Remote Control: BlackBerry client application, providing remote control for BlackBerry devices.
MailRoundTrip Client: BlackBerry client application, monitoring the entire message runtime from sending
a mail until receiving it on a specific BlackBerry device, which is fully BlackBerry activated and in use
only for B*Nator.
B*Nator Agent mobile: BlackBerry client application, providing GPS tracking features for BlackBerry devices.
Application Portal: B*Nator provides a built-in portal to publish applications for mobile device users. Applications can be managed and published to a specific selection of users in a groupware directory.
4.6 Host Monitoring
Each host that has a BlackBerry Enterprise Server on it should also be configured for the default host
monitoring features, as described in chapter 9.
Chapter 5 BlackBerry Enterprise Service 10 environments
This chapter covers the required configuration to add a BlackBerry Enterprise Service 10 environment to
B*Nator.
5.1 Overview
A BlackBerry Enterprise Service 10 environment can consist of the following services:
BlackBerry Device Service: The ’BDS’ manages the BlackBerry devices.
Universal Device Service: The ’UDS’ manages the Apple iOS and Android devices.
For both services, the main information sources are the ’BlackBerry Web Services for Enterprise Administration’.
Each service has its own web service, which B*Nator accesses using a ’BlackBerry Domain Monitor’ module
via HTTPS connections, to get details about servers, users, devices, groups, policies, profiles etc. and to
perform administrative tasks.
Note: All BDS hosts that are found will automatically be added to the monitoring, so that those will not
have to be added manually later. UDS host details cannot be retrieved using the web service, but the
UDS is usually installed on a BDS. Otherwise the UDS host can be added manually as a ’Network Host’
to the monitoring.
For additional monitoring features, a ’B*Nator Agent’ has to be installed on each server to get local information
about the system performance and for accessing the BDS log files.
Further monitoring information about BDS servers is received using the ’SNMP Collector’ module. For this
reason the Windows ’SNMP Service’ has to be installed on each server, too.
The following picture shows an overview of the required components and connections:
[Figure: component overview. Two ’BlackBerry Domain Monitor’ modules, each connecting to the ’BlackBerry Web Services for Enterprise Administration’ of the BDS and the UDS; ’BDS Log Files’ read by the ’Agent Log Parser’ / ’BDS Log Parser’; ’BDS Registry Parser’; ’Host Monitor’ / ’Host Information Collector’ providing ’BDS Service Details’ and ’Host Resource values’ via Windows Management Instrumentation (WMI); ’SNMP Collector’ providing ’BDS Service values’ and ’Host Resource values’]
5.2 Adding BlackBerry Web Services
As stated before, the BlackBerry Web Services are the main source of information about a BlackBerry Enterprise
Service 10 environment. They need to be added to B*Nator.
5.2.1 Preparation and Requirements
In order to access the BlackBerry Web Services, they have to be accessible over the network and the web server’s
certificate has to be valid and trusted.
Verifying the Accessibility of the BlackBerry Web Services
By default, the BlackBerry Web Services are available on the following ports:
BlackBerry Device Service: Same port that the ’BlackBerry Administration Service’ uses, like the
installation default port ’38443’ or maybe the HTTPS protocol default port ’443’.
Universal Device Service: Not the same port that the ’Administration Console’ uses. Instead it is port
’8082’ or maybe also ’18082’.
This connection can be verified by accessing the web services using a web browser from the B*Nator server.
https://bes10.company.com:<port>/enterprise/admin/ws?wsdl
Note: It may be required to use or bypass a proxy server. If proxy settings are required, they may have to be
configured for B*Nator as described in chapter 3.
Trusting the Web Server Certificate
The BlackBerry Web Services are accessed using HTTPS connections. For that reason, the web server’s
certificate has to be valid and trusted when it is validated against the trust store that was configured for the
B*Nator Monitor as described in chapter 2.
It is required to import the certificate of the root certification authority that issued the web server’s certificate
into the trust store, if it is not already available there. Otherwise the validation of the web server’s certificate
will fail.
5.2.2 Adding the BlackBerry Web Services in B*Nator
Adding BlackBerry Web Services to B*Nator is only available with administrative permissions. The location
of the web services has to be provided, which is then used to create a new ’BlackBerry Domain Monitor’
module in B*Nator. After that, the credentials for accessing these web services have to be provided. Then
the new module can be activated to retrieve information from the web services.
Providing the Web Service Details
1. Use menu ’ADMINISTRATION\Infrastructure\Add Systems\Add BlackBerry Web Services’
2. Select ’BlackBerry Device Service’ or ’Universal Device Service’
3. Enter the ’Hostname’ of the server
Note: This hostname will be used for the HTTPS connection to the BlackBerry Web Services, so the
web server’s certificate has to be valid for this hostname.
4. The ’IP Address’ is optional and only required, if the ’Hostname’ cannot be resolved
5. Enter the port number
6. Enter a ’Display name’ that is used to identify this environment later within B*Nator.
[Screenshot: ’Add BlackBerry Web Services’ form with BlackBerry domain ’BlackBerry Device Service’, Hostname ’bes10.company.com’, IP Address (Optional), Port (Optional) ’38443’, Display name ’Company BDS’ and the add button]
After clicking the add button the new environment is added and the web application switches to the ’Infrastructure Management’ page and preloads the newly added BlackBerry Web Services configuration.
Note: While this configuration section is loaded B*Nator connects to the BlackBerry Web Services to load
the available login methods.
Providing the Credentials
Select the ’BlackBerry Domain’ tab to enter the login credentials for an account that has the ’Enterprise
Administrator’ role on the ’BDS’ or the ’UDS’. It is recommended to use the B*Nator service account.
[Screenshot: ’BlackBerry Domain’ tab with Type ’BlackBerry Device Service’, Display name ’Company BDS’, Username ’svc-emm’, Password, Domain ’COMPANY’, ’Log in using’ set to ’Active Directory’ and the Change button]
Clicking the Change button saves the given configuration.
Note: If an error message is displayed, the connection to the web service was not successful. Review the
’BlackBerryDomainMonitor_xxx.log’ file in the B*Nator logs folder for further details.
Starting the new BlackBerry Domain Monitor module
When the credentials are entered, the new ’BlackBerry Domain Monitor’ module can be activated.
1. Use menu ’ADMINISTRATION\B*Nator\Modules’
2. Look for the newly added ’BlackBerry Domain Monitor’ that shows the entered domain display name in
brackets, like BlackBerry Domain Monitor (Company BDS).
3. Click Activate to start the module.
4. Open the modules page again from the menu to verify that the module makes progress.
If the module stops working, review the ’BlackBerryDomainMonitor_xxx.log’ file in the B*Nator logs folder
for further details. Possible issues are network connection problems, certificate validation failures or invalid
credentials.
If the module makes progress and it is a BDS domain, the BDS servers should appear in the server ’Navigation’
bar on the left, and the users should show up in the ’Users & Devices’ list.
5.2.3 Module Tuning
The ’BlackBerry Domain Monitor’ module operates in its configured interval. Depending on the size of the
environment, it may take more or less time than the configured interval, which can be adapted to the environment’s
performance.
When the module is activated and started, it constantly updates the information from the environment.
5.3 Server Monitoring
Server specific monitoring features for BlackBerry Enterprise Service 10 environments are available for BDS
servers only. UDS servers, as well as BDS servers, can also be monitored with the default host monitoring
features as described in section 5.4.
The monitoring configuration for BDS servers is done in the ’Infrastructure Management’ page:
1. Use menu ADMINISTRATION\Infrastructure\Management
2. Expand the name of the host that has a ’BlackBerry Device Service’ server
3. Select the ’BlackBerry Device Service’ service type
4. Select the ’Monitoring’ tab
[Screenshot: ’Monitoring’ tab with the checkboxes Service Details, Service Logs, Component Versions, Dispatcher Configuration, Database Connection Status, Traffic Information, SRP Connection Details and the Change button]
Each monitoring option can be enabled or disabled. It is recommended to enable all options. Clicking the
Change button saves the configuration.
Some options require a local ’B*Nator Agent’ installed on the server, as described in section 10.7, while
others require additional configuration on the ’SNMP’ tab.
5.3.1 SNMP Monitoring Configuration
The ’SNMP’ tab contains a single setting that enables this server to be monitored by the ’SNMP Collector’
module with the range of SNMP related features that are enabled on the ’Monitoring’ tab.
[Screenshot: ’SNMP’ tab with the ’Use for Service Monitoring’ checkbox and the Change button]
When this setting is enabled, it is required to configure the SNMP ’Community Name’ on the ’SNMP’ tab in the
server’s host configuration, too. For more information about this please refer to subsection 9.1.1.
5.3.2 Notifications
With this configuration tab the notification recipient lists can be selected as described in section 10.4.3, to
control the recipients of notifications about this server. For general information about notifications, please
refer to section 10.4.
5.4 Host Monitoring
Each host that has a BlackBerry Enterprise Service 10 server on it should also be configured for the default
host monitoring features, as described in chapter 9.
Chapter 6 BlackBerry Enterprise Service 12 environments
This chapter covers the required configuration to add a BlackBerry Enterprise Service 12 environment to
B*Nator.
6.1 Overview
The main information source for BlackBerry Enterprise Service 12 environments is the ’BlackBerry Web
Services for Enterprise Administration’. B*Nator will access them using a ’BlackBerry Domain Monitor’
module via HTTPS connections to get details about servers, users, devices, groups, policies, profiles etc. and
to perform administrative tasks.
Note: All servers that are found will automatically be added to the monitoring, so that those will not have
to be added manually later.
For additional monitoring features, a ’B*Nator Agent’ has to be installed on each found BlackBerry server to
get local information about the system performance.
Further monitoring information is received using the ’SNMP Collector’ module. For this reason the Windows
’SNMP Service’ has to be installed on each BlackBerry server, too.
The following picture shows an overview of the required components and connections:
[Figure: component overview. The ’BlackBerry Domain Monitor’ connecting to the ’BlackBerry Web Services for Enterprise Administration’; ’BES12 Log Files’ read by the ’Agent Log Parser’ / ’BES12 Log Parser’; ’Host Monitor’ / ’Host Information Collector’ providing ’Host Resource values’ via Windows Management Instrumentation (WMI); ’SNMP Collector’ providing ’BlackBerry Server values’ and ’Host Resource values’]
6.2 Adding BlackBerry Web Services
As stated before, the BlackBerry Web Services are the main source of information about a BlackBerry Enterprise
Service 12 environment. They need to be added to B*Nator.
6.2.1 Preparation and Requirements
In order to access the BlackBerry Web Services, they have to be accessible over the network and the web server’s
certificate has to be valid and trusted.
Verifying the Accessibility of the BlackBerry Web Services
By default, the BlackBerry Web Services are available on port ’18082’ using HTTPS connections. This
connection can be verified by accessing the web services using a web browser from the B*Nator server.
https://bes12.company.com:18082/enterprise/admin/ws?wsdl
Note: It may be required to use or bypass a proxy server. If proxy settings are required, they may have to be
configured for B*Nator as described in chapter 3.
Trusting the Web Server Certificate
The BlackBerry Web Services are accessed using HTTPS connections. For that reason, the web server’s
certificate has to be valid and trusted when it is validated against the trust store that was configured for the
B*Nator Monitor as described in chapter 2.
It is required to import the certificate of the root certification authority that issued the web server’s certificate
into the trust store, if it is not already available there. Otherwise the validation of the web server’s certificate
will fail.
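The accessibility and certificate checks described in this section and in section 5.2.1 can be scripted instead of being done in a browser. The following Python script is an added example and is not part of this guide or of the B*Nator product; the service labels, the default-port table, the CA bundle argument and the command-line layout are assumptions made for the example.

```python
"""Pre-flight check for the BlackBerry Web Services endpoint that a
'BlackBerry Domain Monitor' module will connect to.

Added example, not part of the ISEC7 guide or the B*Nator product. It checks,
without a browser, the preconditions the guide states: the hostname resolves,
the port is reachable, and the web server's certificate chains to a root CA in
the trust store and is valid for the hostname that will be entered in B*Nator.
"""
import socket
import ssl
import urllib.error
import urllib.request

# Default ports as named in the guide (constructed lookup table; the labels
# "BDS", "UDS" and "BES12" are assumptions of this example).
DEFAULT_PORTS = {
    "BDS": 38443,    # BlackBerry Device Service: same port as the BAS
    "UDS": 8082,     # Universal Device Service (18082 is also used)
    "BES12": 18082,  # BlackBerry Enterprise Service 12
}
WSDL_PATH = "/enterprise/admin/ws?wsdl"


def wsdl_url(service, hostname, port=None):
    """Build the WSDL URL the guide uses for the browser check."""
    if port is None:
        port = DEFAULT_PORTS[service]
    return f"https://{hostname}:{port}{WSDL_PATH}"


def diagnose(exc):
    """Map a failed connection attempt to the guide's precondition it violates."""
    if isinstance(exc, urllib.error.HTTPError):
        return (f"HTTP {exc.code}: endpoint reachable and certificate trusted, "
                "but the request was rejected; check the port and the login later")
    if isinstance(exc, urllib.error.URLError):
        exc = exc.reason          # unwrap the underlying socket / ssl error
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname mismatch" in str(exc).lower():
            return ("certificate is not valid for this hostname: enter the "
                    "hostname the certificate was issued for")
        return ("certificate chain not trusted: import the root CA certificate "
                "that issued the web server's certificate into the trust store")
    if isinstance(exc, ssl.SSLError):
        return f"TLS handshake failed: {exc}"
    if isinstance(exc, socket.gaierror):
        return "hostname cannot be resolved: fix DNS or supply the 'IP Address'"
    if isinstance(exc, (TimeoutError, socket.timeout, ConnectionRefusedError)):
        return ("port not reachable: verify the port number, the firewall and "
                "the proxy settings")
    return f"connection failed: {exc}"


def check_web_services(url, cafile=None, timeout=10):
    """Fetch the WSDL over HTTPS with full certificate validation.

    cafile is a PEM bundle holding the root CA(s) of the trust store configured
    for the B*Nator Monitor; None uses the system store. urllib honours the
    HTTPS_PROXY / NO_PROXY environment variables, which mirrors the guide's
    note that a proxy may have to be used or bypassed.
    Returns (ok, message).
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain + hostname
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            body = resp.read(65536)
    except Exception as exc:
        return False, diagnose(exc)
    if b"definitions" in body and b"wsdl" in body.lower():
        return True, "WSDL retrieved: hostname, port and certificate trust are OK"
    return False, "HTTPS connection succeeded but the response is not a WSDL; check the port"


if __name__ == "__main__":
    import sys
    # Usage: python check_bbws.py BDS bes10.company.com [port] [ca-bundle.pem]
    service, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else None
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    ok, msg = check_web_services(wsdl_url(service, host, port), cafile=ca)
    print(("OK: " if ok else "FAILED: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it from the B*Nator server, because that is the host whose DNS, proxy and trust configuration the module will use.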
6.2.2 Adding the BlackBerry Web Services in B*Nator
Adding BlackBerry Web Services to B*Nator is only available with administrative permissions. The location
of the web services has to be provided, which is then used to create a new ’BlackBerry Domain Monitor’
module in B*Nator. After that, the credentials for accessing these web services have to be provided. Then
the new module can be activated to retrieve information from the web services.
Providing the Web Service Details
1. Use menu ’ADMINISTRATION\Infrastructure\Add Systems\Add BlackBerry Web Services’
2. Select ’BlackBerry Enterprise Service 12’
3. Enter the ’Hostname’ of the server
Note: This hostname will be used for the HTTPS connection to the BlackBerry Web Services, so the
web server’s certificate has to be valid for this hostname.
4. The ’IP Address’ is optional and only required, if the ’Hostname’ cannot be resolved
5. Enter the port number ’18084’
6. Enter a ’Display name’ that is used to identify this environment later within B*Nator.
[Screenshot: ’Add BlackBerry Web Services’ form with BlackBerry domain ’BlackBerry Enterprise Service 12’, Hostname ’bes12.company.com’, IP Address (Optional), Port (Optional) ’18084’, Display name ’Company BES12’ and the add button]
After clicking the add button the new environment is added and the web application switches to the ’Infrastructure Management’ page and preloads the newly added BlackBerry Web Services configuration.
Note: While this configuration section is loaded B*Nator connects to the BlackBerry Web Services to load
the available login methods.
Providing the Credentials
Select the ’BlackBerry Domain’ tab to enter the login credentials for an account that has the ’Enterprise
Administrator’ role on the BlackBerry Enterprise Service 12. It is recommended to use the B*Nator service
account.
[Screenshot: ’BlackBerry Domain’ tab with Type ’BlackBerry Enterprise Service 12’, Display name ’Company BES12’, Username ’svc-emm’, Password, Domain ’COMPANY’, ’Log in using’ set to ’Active Directory’ and the Change button]
Clicking the Change button saves the given configuration.
Note: If an error message is displayed, the connection to the web service was not successful. Review the
’BlackBerryDomainMonitor_xxx.log’ file in the B*Nator logs folder for further details.
Starting the new BlackBerry Domain Monitor module
When the credentials are entered, the new ’BlackBerry Domain Monitor’ module can be activated.
1. Use menu ’ADMINISTRATION\B*Nator\Modules’
2. Look for the newly added ’BlackBerry Domain Monitor’ that shows the entered domain display name in
brackets, like BlackBerry Domain Monitor (Company BES12).
3. Click Activate to start the module.
4. Open the modules page again from the menu to verify that the module makes progress.
If the module stops working, review the ’BlackBerryDomainMonitor_xxx.log’ file in the B*Nator logs folder
for further details. Possible issues are network connection problems, certificate validation failures or invalid
credentials.
If the module makes progress, the BlackBerry servers should appear in the server ’Navigation’ bar on the left
and the users should show up in the ’Users & Devices’ list.
6.2.3 Module Tuning
The ’BlackBerry Domain Monitor’ module operates in its configured interval. Depending on the size of the
environment, it may take more or less time than the configured interval, which can be adapted to the environment’s
performance.
When the module is activated and started, it constantly updates the information from the environment.
6.3 Server Monitoring
The monitoring configuration for BlackBerry Enterprise Service 12 servers is done in the ’Infrastructure Management’ page:
1. Use menu ADMINISTRATION\Infrastructure\Management
2. Expand the name of the host that has a ’BlackBerry Enterprise Service 12’ server
3. Select the ’BlackBerry Enterprise Service 12’ service type
4. Select the ’Monitoring’ tab
[Screenshot: ’Monitoring’ tab with the checkboxes Service Details, Service Logs, Component Versions, Dispatcher Configuration, Database Connection Status, Traffic Information, SRP Connection Details and the Change button]
Each monitoring option can be enabled or disabled. It is recommended to enable all options, which is set by
default. Clicking the Change button saves the configuration.
Some options require a local ’B*Nator Agent’ installed on the server, as described in section 10.7, while
others require additional configuration on the ’SNMP’ tab.
6.3.1 SNMP Monitoring Configuration
The ’SNMP’ tab contains a single setting that enables this server to be monitored by the ’SNMP Collector’
module with the range of SNMP related features that are enabled on the ’Monitoring’ tab.
[Screenshot: ’SNMP’ tab with the ’Use for Service Monitoring’ checkbox and the Change button]
When this setting is enabled, it is required to configure the SNMP ’Community Name’ on the ’SNMP’ tab in the
server’s host configuration, too. For more information about this please refer to subsection 9.1.1.
6.3.2 Notifications
With this configuration tab the notification recipient lists can be selected as described in section 10.4.3, to
control the recipients of notifications about this server. For general information about notifications, please
refer to section 10.4.
6.4 Host Monitoring
Each host that has a BlackBerry Enterprise Service 12 server on it should also be configured for the default
host monitoring features, as described in chapter 9.
Chapter 7 Microsoft Exchange Server Monitoring
This chapter covers the required configurations for monitoring Microsoft Exchange Servers. They can be used
for monitoring and managing the ’ActiveSync’ partnerships as well as for retrieving details about ’Mailboxes’
that are accessed by monitored mobile devices.
7.1 Overview
Details about Exchange environments are collected using a local B*Nator Agent installed on an Exchange
server. Depending on the Exchange version the Agent utilizes different techniques to collect the data.
• For Exchange 2007, 2010 and 2013, PowerShell is used to retrieve the details. With this, an Agent
can request information from the entire Exchange organization that its Exchange server is a part of, but
it can only access information from servers that have the same Exchange version. So if a mixed Exchange
organization is used, e.g. with Exchange 2010 and Exchange 2013, at least one Agent has to be installed
per Exchange version to be able to request the details about both versions.
Note: Because the Agent is a 32-bit process and PowerShell is a 64-bit process, a 64-bit Java Runtime
Environment has to be installed on this system in addition to the 32-bit JRE, which is required for
the Agent.
• For Exchange 2003, the Windows Management Instrumentation (WMI) service and WebDAV are used
to retrieve the details. Every Exchange server can only provide details about the data it stores. If
information, like mailboxes, is required from several servers, each server has to have an Agent
installed.
The ’B*Nator Monitor’ service analyzes the Exchange data sent by Agents using the ’Exchange Monitor’
module, which has to be started in order to operate correctly.
[Figure: the ’Exchange Monitor’ module and the Agent’s ’PowerShell Executor’ using ’Exchange Management’ to collect Exchange Server details, mailbox information, ActiveSync partnerships and mailbox policies]
7.2 Basic Exchange Server Configuration
Exchange servers are added automatically to the monitoring if they are found to be in use for another monitored
management system. If a server that should be monitored is not already available in B*Nator, it can be added
manually.
7.2.1 Adding Exchange Servers
Exchange servers can be added manually as follows:
1. Use menu ’ADMINISTRATION\Infrastructure\Add Host’
2. Enter the ’Hostname’ of the server
3. The ’IP Address’ is optional and only required, if the ’Hostname’ cannot be resolved
4. Select ’Exchange’
[Screenshot: ’Add Host’ form with Hostname ’srv-ex1.company.com’, IP Address, Type ’Exchange’ and the Add button]
After clicking the ’Add’ button the new server is added and the web application switches to the ’Infrastructure
Management’ page and preloads the newly added ’Microsoft Exchange Server’ configuration.
7.2.2 Configuring Exchange Servers
The configuration for ’Microsoft Exchange Servers’ is available in the ’Infrastructure Management’ page:
1. Use menu ’ADMINISTRATION\Infrastructure\Management’
2. Expand the name of the host where the ’Microsoft Exchange Server’ is installed
3. Select the ’Microsoft Exchange Server’ type
4. Select the ’type of exchange server’ from the drop-down menu
5. If ’Exchange 2007’ was selected, enter the local ’installation path’ of the Exchange server into the text
field, e.g.: ’C:\Program Files\Microsoft\Exchange Server’
6. Click the Change button to save the configuration
x64 Java Runtime Environment Configuration
When a 64-bit Java Runtime Environment is required for the B*Nator Agent to access the Exchange server
details, it has to be installed on the server and the installation path of the x64 JRE has to be configured in
the ’Infrastructure Management’ page for the host where the Exchange server is located.
1. Use menu ’ADMINISTRATION\Infrastructure\Management’
2. Click the name of the host where the ’Microsoft Exchange Server’ is installed
3. Select the ’Agent’ tab
Note: This tab is only available, if a local B*Nator Agent is installed and active on the host.
4. Enter the local ’installation path’ of the 64bit Java Runtime Environment into the text field, e.g.:
’C:\Program Files\Java\jre7’
5. Click the Change button to save the configuration
7.3 Mailbox Monitoring
Additional information about the mailboxes that mobile devices connect to is available for management systems
that provide the mailbox location for their relationships:
• BlackBerry Enterprise Server
• Microsoft Exchange (ActiveSync)
With this information, a local B*Nator Agent on an Exchange server can be used to request the details about
mailboxes that are located on the same Exchange server. If the mailboxes that should be monitored are spread
over several servers, each server needs a local B*Nator Agent installed for retrieving the details
about its mailboxes.
7.3.1 Enabling the Mailbox Monitoring
To enable the mailbox monitoring for an Exchange server, it has to be added and configured as described in
section 7.2. After that, the mailbox monitoring can be enabled by simply activating the ’server and mailbox
information monitoring’ for the server:
1. Use menu ’ADMINISTRATION\Infrastructure\Management’
2. Expand the name of the host where the ’Microsoft Exchange Server’ is installed
3. Select the ’Microsoft Exchange Server’ type
4. Activate the ’server and mailbox information monitoring’ checkbox
5. Click the Change button to save the configuration
This configuration change is notified to the Agent on the server, which updates its configuration and restarts
itself.
7.3.2 Update Interval
The mailbox information is updated every 60 minutes. In order to analyze the data sent by the Agents, the
’Exchange Monitor’ module has to be started in the ’B*Nator Monitor’ service.
7.3.3 Verifying the Functionality
If the mailbox monitoring was enabled and has been active for a while, there should be a ’Mailboxes’ box on the
Exchange server detail page in the B*Nator web application for every Exchange server that hosts monitored mailboxes.
If something seems not to work, check the log file in the /logs/agent/ subfolder in the installation directory
of the B*Nator Agent that should collect the data. Additionally, it should be verified that the ’Exchange
Monitor’ module is started.
7.4 ActiveSync Monitoring
The configuration of Microsoft Exchange ActiveSync monitoring depends on the Exchange version that should
be monitored.
• For Exchange 2007, 2010 and 2013, Exchange Servers with the ’Client Access Server’ (CAS) role
are used to get the information about all Exchange ActiveSync partnerships and mailbox policies in the
entire Exchange organization that have the same Exchange version as the CAS.
• For Exchange 2003 a local B*Nator Agent has to be installed on those Exchange servers, that host
mailboxes which should be monitored for mobile access. The Agent utilizes the Windows Management
Instrumentation (WMI) service to retrieve information about mailboxes, that are accessed remotely. The
information about the actual devices is retrieved by accessing a hidden folder of the mailboxes, which
is done by accessing the ’EXCHANGE’ web application, also known as Outlook Web Access but using
WebDAV with this URL:
http://<hostname>:<port>/exchange/<mailbox>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync
Note: This requires a service account with access to the mailboxes, like the ’besadmin’ account in
BlackBerry Enterprise Server environments.
7.4.1 Enabling the ActiveSync Monitoring
The configuration again depends on the Exchange server version that should be used for the monitoring. In
all cases, the Exchange server has to be added and configured as described in section 7.2.
After that, the ActiveSync monitoring can be enabled on the ’Infrastructure Management’ page for the ’Microsoft Exchange Server’:
1. Use menu ’ADMINISTRATION\Infrastructure\Management’
2. Expand the name of the host where the ’Microsoft Exchange Server’ is installed
3. Select the ’Microsoft Exchange Server’ type
4. The configuration options are shown below the ’ActiveSync’ headline
7.4.2 Exchange 2007, 2010 and 2013
These Exchange versions require activating the ActiveSync monitoring for Exchange servers with the ’Client
Access Server’ (CAS) role. By default B*Nator does not know if the server is a CAS or not. For that reason,
the local B*Nator Agent on the Exchange server will automatically identify whether it has the CAS role or not.
Once the CAS role was identified for the Exchange server, the following monitoring options are shown:
• Monitoring Enabled: Checkbox to enable the monitoring of ActiveSync partnerships and mailbox
policies using this Exchange server
• Interval in minutes: The time in minutes of how often the data should be collected by the Agent on
the server
• Administration enabled: Checkbox to enable the execution of administration features using the Agent
on this Exchange server
Clicking the Change button saves the configuration and notifies it to the Agent on the server, which updates
its configuration and restarts itself to start with this work.
7.4.3 Exchange 2003
• Monitoring Enabled: Checkbox to enable the monitoring and management of ActiveSync partnerships
using this Exchange server
• Interval in minutes: The time in minutes of how often the data should be collected by the Agent on
the server
• IIS Server: Drop-down list to select the IIS server, that should be used to access the ’EXCHANGE’
WebDAV application.
Clicking the Change button saves the configuration and notifies it to the Agent on the server, which updates
its configuration and restarts itself to start with this work.
IIS Server Configuration
For Exchange 2003, IIS servers are usually located on the same server. If they are not already available in
the ’Infrastructure Management’ page, they can be added to the monitoring using the ’Add Host’ page in the
’Infrastructure’ menu:
1. Use menu ’ADMINISTRATION\Infrastructure\Add Host’
2. Enter the ’Hostname’ of the server, which may be the name of the already existing Exchange 2003 server
3. The ’IP Address’ is optional and only required, if the ’Hostname’ cannot be resolved
4. Select ’IIS Server’
[Screenshot: ’Add Host’ dialog with Hostname srv-ex1.company.com, an empty IP Address field, Type ’IIS Server’ and the ’Add’ button]
After clicking the ’Add’ button the new server is added and the web application switches to the ’Infrastructure
Management’ page and preloads the newly added ’IIS Server’ configuration, which contains the following
options:
• SSL: Checkbox to enable HTTPS connections to this IIS server
• Port: Port that is used for the connection to the ’EXCHANGE’ WebDAV application
• Username: Username to authenticate with the web application. This user requires access to all mailboxes that are monitored for mobile accesses.
• Password: Password for the given ’Username’
7.4.4 Verifying the Functionality
If the ActiveSync monitoring was enabled and has been active for a while, there should be Exchange ActiveSync partnerships in the ’Users & Devices’ list in the B*Nator web application.
If something seems not to work, check the log file in the /logs/agent/ subfolder in the installation directory
of the B*Nator Agent that should collect the data. Additionally, it should be verified that the ’Exchange
Monitor’ module is started.
Chapter 8
Apple Mobile Device Management
This chapter is focused on describing all required steps or at least to point to the correct information source
about the configuration of 3rd party components, to finally enable Apple iOS devices to be managed directly
by B*Nator. Configuring B*Nator as a mobile device management server for Apple iOS devices requires the
following:
• Certification Authority with support for the Simple Certificate Enrollment Protocol (SCEP), to enable
Apple iOS devices to enroll their own identity certificates (private keys) for the communication with
B*Nator. This Certification Authority will be installed as trusted root CA on the Apple iOS devices
during the MDM rollout by the user.
• Java keystore with identity certificate for B*Nator to sign and encrypt configuration profiles for
each identity certificate of any Apple iOS device.
• Java keystore with push certificate for B*Nator to access the Apple Push Notification Service
(APNS), which is required to initiate communications with Apple iOS devices.
• Availability of the B*Nator and the SCEP web services via HTTPS connections from the internet or
at least via permanent VPN connection.
There are many different solutions for each single configuration. This document will focus on a configuration
with:
• One service account for B*Nator and the related systems
• Standalone Certificate Authority on the B*Nator server
• External HTTPS connections from the internet terminating on an Internet Information Services (IIS)
Server 7 or higher in a DMZ, acting as a reverse proxy.
8.1 Certification Authority with SCEP Service
The Simple Certificate Enrollment Protocol is used as an interface for network devices to let them request
client certificates on their own automatically. It is designed so that an authenticated administrator with sufficient
permissions generates a one-time password (challenge) on the SCEP service and configures the device with
the location of the SCEP service and the challenge. Then the device contacts the SCEP service, which
handles the certification request with the Certification Authority and reports the certificate back to the device.
B*Nator will fully automatically act as the SCEP service administrator.
8.1.1 SCEP Challenge
B*Nator automatically requests a SCEP challenge for every single SCEP configuration that is sent to Apple
iOS devices from the SCEP web service, which requires authentication on that web service. Using predefined
XPath expressions for the supported SCEP services as well as self-defined XPath expressions for any other
SCEP service, B*Nator can extract the challenge from those web sites.
8.1.2 Client certificates
The Apple iOS devices will automatically enroll two certificates every time they are enrolled with the MDM
service of B*Nator. One is used for document signing purpose to sign and encrypt configuration profiles. The
other is used by the devices for accessing the B*Nator MDM web interface via HTTPS, which requires client
certificates for the connection establishment.
8.1.3 Recommendation
It is recommended to:
• Install a new standalone Microsoft CA with the NDES. This can be done on the same server where
B*Nator is installed.
• Use the same service account for B*Nator and the CA/NDES, if the CA is in use for B*Nator Apple
iOS MDM only.
• Use this CA for signing the MDM private key of B*Nator as described in subsection 8.2.3.
• Use this CA for signing the web server certificate, that will be used for publishing the B*Nator web
interface and the SCEP enrollment web service to the internet, if no officially signed certificate can be
used.
8.1.4 Installation
The SCEP service interacts with a Certification Authority. Both the Certification Authority and the SCEP
service need to be ready for use with B*Nator.
If no Certification Authority with a SCEP service is available or the existing one should not be used, it is
recommended to install a standalone Certification Authority with the Network Device Enrollment
Service (NDES) on a Windows Server 2008 R2 Datacenter or Enterprise edition or a Windows Server 2012
Standard edition or higher.
Brief installation overview for Windows Server 2008 R2 AD CS with NDES
This is a very short description of installing the Active Directory Certificate Services and the Network Device
Enrollment Service. For a detailed description, please refer to the Microsoft SCEP Implementation Whitepaper [1].
Service Account
As described in the Microsoft SCEP Implementation Whitepaper, different service accounts should be used when
installing the NDES with an Enterprise CA, but for a Standalone CA it is basically a typical local administrator.
When installing a Standalone CA only for B*Nator, the B*Nator service account can be used for the CA/NDES,
too.
Active Directory Certificate Services
1. Log on to the desired Certificate Authority server with the service account.
(a) Use the Server Manager to Add Roles to it.
(b) Select the Active Directory Certificate Services role.
(c) Select the Certificate Authority and Certificate Authority Web Enrollment on
the Role Services page. The CA Web Enrollment role service also requires the Web Server
(IIS) role to be installed.
2. Configure the Certificate Authority role with the following settings:
(a) Select Standalone.
(b) Keep Root CA selected.
(c) Keep Create a new private key selected.
(d) Keep the RSA. . . cryptographic service provider selected and do not use a key length of more than 4096
bits, otherwise Apple iOS devices cannot use that key.
(e) Keep the default Common name for this CA and Distinguished name suffix or choose new ones.
(f) Keep the validity period for the certificate generated for this CA of 5 years or
even choose a higher value.
(g) Keep the location of the Certificate Database and its Log or choose any other location.
3. Keep the given settings for the Web Server (IIS) role.
4. Confirm the chosen settings and hit the Install button.
5. Restart the server.
NOTE: If the IIS web server was installed on the same server where B*Nator is installed, make sure that both
web servers do not use the same HTTP/S ports, otherwise they will conflict with each other.
For the Apache Tomcat web server of B*Nator, this can be configured in the \conf\server.xml file
in the Apache Tomcat installation directory.
For the IIS web server of the Certification Authority, this is done in the Bindings configuration for
each Web Site, which is configurable using the IIS Manager.
[1] http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
Network Device Enrollment Service
1. Log on to the desired Certificate Authority server with the service account.
2. Run lusrmgr.msc from the start menu or the command line and add the service account to the local
IIS_IUSRS group.
3. Use the Server Manager to Add Role Services to the Active Directory Certificate
Services role.
4. Select the Network Device Enrollment Service role service with the following settings:
(a) Specify the service account to let the NDES work and request certificates from the CA using this
account.
(b) Keep the default Required Information for the RA Name and Country/Region or choose new
ones.
(c) Keep the Microsoft Strong Cryptographic Provider selected for both the Signature key
CSP and the Encryption Key CSP and do not use a key length of more than 4096 bits for them,
otherwise Apple iOS devices cannot use those keys.
5. Confirm the chosen settings and hit the Install button.
NOTE: If the NDES was installed for an Enterprise CA, an additional value has to be configured in the Windows
Registry of the server, to point to the correct certificate template that should be used by the NDES.
This is described in more detail in the Microsoft SCEP Implementation Whitepaper [2].
Verifying the Installation
When the Certification Authority was installed with all additionally required components, the following should
be available:
Certification Authority: Run certsrv.msc from the start menu or the command line to access the Certification Authority.
Internet Information Services (IIS) Web Server: Run InetMgr.exe from the start menu or the command line to access the IIS Manager.
CA web sites: Using the IIS Manager, the Default Web Site should have the following sub-applications.
Depending on the HTTP/S and port settings, these pages can be accessed with a browser.
/certsrv/ is the web enrollment application for the Certification Authority.
/certsrv/mscep/ is the NDES (SCEP) front end for the network devices.
/certsrv/mscep_admin/ is the NDES front end for the SCEP administrator. It directly creates
and shows a challenge when the page is opened with a valid account, like the service
account that was used to install the NDES.
[2] http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
8.1.5 Issuing Certificates Automatically
By default, certificates have to be manually issued by an administrator on the Certification Authority. For
an automatic rollout of devices, this is not useful. The Certification Authority needs to be configured to
automatically issue certificates if the signing request was correct.
Example for Windows Server 2008 R2 Active Directory Certificate Services
1. Log in to the CA server with a CA administrator account
2. Run certsrv.msc from the start menu or the command line to open the local Certification Authority
MMC snap in.
3. Right click on the CA object and select Properties.
4. Switch to the Policy Module tab and click the Properties. . . button.
5. Select ’Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the
certificate.’ and exit the dialog with the OK button.
6. Restart the Active Directory Certificate Services (CertSvc) service to make the changes take effect.
8.1.6 Configuration in B*Nator Web Interface
If a SCEP service is ready for use with B*Nator, the following configuration is required within the web
interface in menu ADMINISTRATION/ Configuration / Apple Device Management / Device
Enrollment in the Simple Certificate Enrollment Protocol box:
URL for SCEP requests: The URL that the devices will use to access the SCEP server’s web interface, like:
https://scep.company.com:443/certsrv/mscep/
Usually this would be an external hostname.
Subject prefix for certificates: The devices will be configured to request certificates with a subject of two
common names - the user’s display name and the device’s UUID. This string can be used to extend the
certificate’s subject like OU=Apple,OU=Devices,O=COMPANY.
Keysize: The keysize of the private key in bits.
Name of the instance: The name of the SCEP registration authority instance that needs to be used.
URL for SCEP challenge: Uniform resource locator of where B*Nator can log in and parse the SCEP challenge information from. Usually the internal hostname would be used for the URL, like:
http://scep-ca01.company.com/certsrv/mscep_admin/
NOTE: If HTTPS is used with a not officially trusted SCEP web server certificate, please refer to
chapter 2 for information about how to configure the B*Nator Monitor and Apache Tomcat
services Java settings to accept the certificate.
Server type: The server type of the CA that is in use. This information is required to parse the challenge
information from the CA’s website. The following server types are available:
• None: No challenge will be obtained by B*Nator.
• Windows Server 2003 - Certificate Services with SCEP Add-On
• Windows Server 2008 - Network Device Enrollment Service
• Custom: With a custom server type an additional text field XPath expression for challenge
appears that can be used to enter an XPath expression that points to the SCEP challenge on the
website.
Username: Username of the website login.
Password: Password of the website login.
Domain (Optional for NTLM authentication): Domain name of the website login.
The Save button stores the information in the database.
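The challenge lookup described in subsection 8.1.1, applied to the Custom server type's XPath expression, as an added example that is not B*Nator's own code: given the HTML of the SCEP admin page (a constructed, well-formed sample here, not a real NDES response) and an XPath expression, it returns the challenge or fails loudly when the expression matches nothing, several elements, or text that is not a challenge. The website login (Username, Password, Domain) is assumed to happen elsewhere, and Python's xml.etree supports only an XPath subset, so the expressions stay inside that subset.

```python
"""Extract a SCEP enrollment challenge from an NDES admin page with an XPath expression.

Added example, not part of B*Nator. SAMPLE_ADMIN_PAGE is a constructed, well-formed
stand-in for the /certsrv/mscep_admin/ page; check the real page's markup before
trusting an expression. xml.etree.ElementTree supports only an XPath subset
(no contains(), no text()), so the expressions below stay inside that subset.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the admin page after a successful login.
SAMPLE_ADMIN_PAGE = """<html>
<body>
<p><b>Network Device Enrollment Service</b></p>
<p>Use the password below to enroll one network device within the next 60 minutes.</p>
<p>Your enrollment challenge password is: <b>1F2E3D4C5B6A7980</b></p>
<p>This password can be used only once.</p>
</body>
</html>"""

# Constructed sample of a page that shows no challenge at all.
SAMPLE_ERROR_PAGE = """<html>
<body>
<p>The Network Device Enrollment Service cannot issue a challenge at this time.</p>
</body>
</html>"""

# What a 'Custom' server type entry could carry for the sample above: the <b>
# element inside the third <p> of the body (an assumption about the layout).
DEFAULT_CHALLENGE_XPATH = ".//body/p[3]/b"

# NDES challenges are hexadecimal strings; anything else means the expression
# selected the wrong element.
CHALLENGE_RE = re.compile(r"^[0-9A-Fa-f]{16,}$")


class ChallengeError(Exception):
    """Raised when no single, well-formed challenge can be taken from the page."""


def extract_challenge(html, xpath=DEFAULT_CHALLENGE_XPATH):
    """Return the challenge selected by xpath, or raise ChallengeError.

    Exactly one element must match and its text must look like a challenge;
    a silent fallback here would hand the device an empty or wrong password.
    """
    try:
        root = ET.fromstring(html)
    except ET.ParseError as exc:
        raise ChallengeError(f"admin page is not well-formed: {exc}") from exc
    matches = root.findall(xpath)
    if len(matches) != 1:
        raise ChallengeError(
            f"expected exactly one match for {xpath!r}, got {len(matches)}")
    value = (matches[0].text or "").strip()
    if not CHALLENGE_RE.match(value):
        raise ChallengeError(
            f"matched text does not look like a challenge: {value!r}")
    return value


def check_expression(html, xpath):
    """Dry run for a candidate expression before saving it in the server type.

    Returns (ok, detail): ok is True only when the expression yields one usable
    challenge; detail is the challenge or the reason it was rejected.
    """
    try:
        return True, extract_challenge(html, xpath)
    except ChallengeError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("challenge:", extract_challenge(SAMPLE_ADMIN_PAGE))
    # Two expressions that look plausible but must be rejected: one matches
    # two elements, the other matches the label paragraph instead of the value.
    for expr in (DEFAULT_CHALLENGE_XPATH, ".//b", ".//p[3]"):
        print(expr, "->", check_expression(SAMPLE_ADMIN_PAGE, expr))
```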
8.1.7 Troubleshooting Network Device Enrollment Service
When encountering issues with the NDES on a Windows Server, please refer to the Windows Event Viewer for
error messages related to the NDES. Additionally, the Microsoft TechNet [3] can be consulted for troubleshooting
support. The following subsections describe some common issues and their solutions.
’The SCEP server returned an invalid response.’
If the Apple iOS device displays that error message after the Enrolling certificate. . . stage while installing
the B*Nator MDM profile, check the Windows Event Viewer on the NDES server for error messages from
the same time when the device tried to enroll the certificate. If there is the error message ’The Network Device
Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag’,
please refer to the Microsoft KB2483564 [4] to apply the hotfix on the NDES server.
Internal Server Error (http 500) when accessing SCEP Web Sites
If the NDES web sites /certsrv/mscep/ and /certsrv/mscep_admin/ cannot be accessed without an
internal error (http status 500), check if the two NDES certificates are valid. They are located in the personal
certificates store of the local computer account of the NDES Windows Server, which can be opened as follows:
1. Log in to NDES Windows Server as a local administrator.
2. Run mmc from the start menu or the command line.
3. Select menu File and choose Add/Remove Snap-in. . . Ctrl+M.
4. In the list of Available snap-ins select Certificates and move it to the list of Selected snap-ins using the
Add > button.
(a) Select Computer account and click the Next > button.
(b) Select Local computer: (the computer this console is running on) and click the Finish button.
5. Close the Add or Remove Snap-ins dialog with the OK button.
6. Expand Certificates (Local Computer)
7. Expand Personal
8. Select Certificates
Within that local computer personal certificates store look for the two NDES certificates. The default name,
if it was not modified during the installation of the NDES, is <Hostname>-MSCEP-RA.
If the certificate has expired, remove the Network Device Enrollment Service role service from the Active Directory Certificate Services role using the server manager role wizard. Then restart the server and reinstall the
NDES role service again, as described in subsection 8.1.4.
For more information about the certificates of the NDES and renewing them before they expire, please refer
to the Microsoft TechNet [5].
[3] http://technet.microsoft.com/en-us/library/ff955644(v=ws.10).aspx
[4] http://support.microsoft.com/kb/2483564/en
[5] http://technet.microsoft.com/en-us/library/ff955642(v=ws.10).aspx#BKMK_Renewing
8.2 Device Management Server Identity for B*Nator
B*Nator requires its own identity certificate for signing and encrypting configuration profiles for
each Apple iOS device specifically. This identity certificate is stored in a Java keystore, which is stored in
the B*Nator database. This store will be called MDM keystore in this document.
8.2.1 Validity of Identity Certificate Signature
On Apple iOS devices the signature of each configuration profile is displayed when viewing its details. It is shown
as Signed by and gives the common name (CN) attribute of the identity certificate’s subject. Depending
on that signature the profile is displayed as Verified or not, which is mandatory for MDM functionality. If
this signing certificate is signed by a non-official Certification Authority, the root Certification Authority of the
identity certificate chain must be manually trusted on the Apple iOS device by installing that root Certification
Authority certificate.
Recommended Configuration
To sign the B*Nator MDM identity, the same Certification Authority should be used, that is also in use for
the SCEP service, as described in section 8.1. Then only one root Certification Authority needs to be made
trusted on the devices.
8.2.2 Creating the MDM Keystore
The device management server identity certificate is stored in the MDM keystore, which is a Java keystore.
Java keystores can be managed with the Java keytool on the command line, which is part of each JRE
installation. There are also some free third-party tools, like Portecle [6], that provide a GUI for the Java keytool.
NOTE: Using any additional third-party Java keytool GUI tools is done at your own risk!
MDM Keystore Facts
Purpose: The MDM keystore file is used to create and renew the identity certificate, but B*Nator will work
with an uploaded copy of the file, which is stored in the B*Nator database. The MDM keystore file is
not in use unless the identity certificate signing must be renewed.
Location: The file should be stored in the \conf subfolder of the B*Nator installation directory.
Name: MDM.jks
Type: JKS (Java Keystore)
Private Key: 2048bit RSA
Passwords: The keystore as well as each private key entry usually can be secured with different passwords.
For this keystore the same password must be used for the entire keystore and the private key in it.
[6] http://portecle.sourceforge.net/
Example Creation on the Command Line
The following description shows the creation of the MDM keystore with default values using the Java keytool
on the command line, which is usually located in the \bin subfolder of the Java RE installation directory. For
more help and information about the Java keytool, please refer to the Java keytool documentation [7].
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-genkey
-keystore "C:\Program Files (x86)\BNator\conf\MDM.jks"
-alias MDM
-keysize 2048
-keyalg RSA
2. Enter a password for the entire keystore twice.
3. Now the Java keytool asks for the details of the identity’s subject.
(a) First and last name for the new private key, like Company MDM Service. This is the common
name (CN) of the subject, which will be visible as Signed by in the configuration profiles’ details
on the Apple iOS devices.
(b) Organizational unit (OU), like IT Department.
(c) Organization (O), like Company Ltd..
(d) City or Locality (L), like Hamburg.
(e) State or Province (ST), like HH.
(f) Two-letter country code (C), like DE.
4. After that, the Java keytool shows the entire subject line and asks if the given information is correct
(CN=Company MDM Service, OU=IT Department, O=Company Ltd., L=Hamburg, ST=HH, C=DE).
If the answer is n, the subject information can be retyped again. If the answer is y, the private key will
be generated with the given subject.
5. As the last step, a new password for the private key entry (alias) can be entered. Do not enter a password.
Use RETURN instead, to use the same password that was entered for the entire keystore before.
After that, there is a new file MDM.jks in the \conf subfolder of the B*Nator installation directory with a
self-signed private key entry.
Verifying the self-signed Device Management Server Identity
The MDM.jks keystore file can be accessed with the Java keytool to view its details like follows:
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-list
-keystore "C:\Program Files (x86)\BNator\conf\MDM.jks"
-alias MDM
-v
2. Enter the password for the keystore.
3. In the verbose output (-v) look for the details about the Owner: CN= and Issuer: CN=, which should
be the same, since the certificate is still self-signed.
[7] http://java.sun.com/javase/7/docs/technotes/tools/windows/keytool.html
8.2.3 Signing the Device Management Server Identity by a Certification Authority
To avoid having the self-signed identity certificate installed as a trusted root CA on Apple iOS devices, it should
be signed by a Certificate Authority.
Recommendation: As mentioned in subsection 8.2.1, the same Certification Authority should be used, that
is also in use for the SCEP service to only have one CA made trusted manually on the Apple iOS devices.
Using the Java keytool, a certificate signing request (CSR) can be created from the MDM alias in the
MDM keystore. With that CSR, a certificate can be issued by the Certification Authority. The purpose
of that certificate is document signing. If no certificate template is available for that purpose, also a web
server template can be used for that certificate. After the certificate was issued, the entire certificate chain
(identity certificate and all related certificates of higher issuing Certification Authorities including the root CA
certificate) can be stored as P7B file. That certificate chain file then needs to be imported as CA reply into
the MDM alias of the MDM keystore.
Creating the CSR from the MDM Alias
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-certreq
-keystore "C:\Program Files (x86)\BNator\conf\MDM.jks"
-alias MDM
2. Enter the password for the keystore.
3. The keytool shows the base64 encoded certificate signing request.
Example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkhIMRAwDgYDVQQHEwdIYW1idXJn
...
Lu4ty/j9SPu8A9Uc1XCJP1ba8K9+5akgdNCAtbbMEYnZMA64lP9LxUs062fW/fIJt1I=
-----END NEW CERTIFICATE REQUEST-----
Requesting a Certificate from the Certification Authority
This is an example for the Active Directory Certificate Services of a Windows Server 2008 R2.
1. Use the browser and open the Certification Authority Web Service (/certsrv) of the CA server and log
in as an account with sufficient permissions, if requested by the browser.
2. From the Welcome page select the task Request a certificate.
3. From the Request a Certificate page, select to submit an advanced certificate request.
4. From the Advanced Certificate Request page, select to Submit a certificate request by using a base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded
PKCS #7 file.
5. From the Submit a Certificate Request or Renewal Request page, provide the following information:
Saved Request: Copy and paste the CSR from the command line into this text box.
Example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkhIMRAwDgYDVQQHEwdIYW1idXJn
...
Lu4ty/j9SPu8A9Uc1XCJP1ba8K9+5akgdNCAtbbMEYnZMA64lP9LxUs062fW/fIJt1I=
-----END NEW CERTIFICATE REQUEST-----
Certificate Template: This drop-down menu is only visible on enterprise CAs. If available, choose a
template for document signing purpose, otherwise also a web server template works well.
Additional Attributes: No additional attributes are required to the device management server identity,
so this text box can be left blank.
6. Using the Submit > button, the certificate request will be handled by the CA. The certificate can be downloaded on the next page if the CA was configured to issue certificates automatically, as described in
subsection 8.1.5.
7. From the Certificate Issued page, keep the checkbox selection for DER encoded, click Download certificate chain and save the P7B certificate chain file in a temporary location, like C:\temp\MDM_chain.p7b.
Verifying the certificate chain file
The P7B certificate chain file can be opened in Windows. It should contain the certificate with the subject
information from the identity created in subsection 8.2.2 as well as the related certificates of the higher issuing
Certification Authorities.
8.2.4 Importing the CA Reply into the MDM Alias
Using the Java keytool, the P7B certificate chain file (CA reply) can be imported into the MDM alias in
the MDM keystore, which will update the signature of the private key to the new issuer - the Certification
Authority.
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-import
-keystore "C:\Program Files (x86)\BNator\conf\MDM.jks"
-alias MDM
-file C:\temp\MDM_chain.p7b
2. Enter the password for the keystore.
3. The keytool will show a warning message, that the Top-level certificate in reply is not trusted and ask
to proceed anyway, which needs to be answered with y, to make that Root CA trusted in the keystore.
After that, the keystore trusts the signature of the Root CA and the CA reply will be installed.
Verifying the final Device Management Server Identity in the MDM Alias
As described in subsection 8.2.2, the management server identity in the MDM alias of the MDM keystore
can be verified using the Java keytool. In the verbose output look for the details about Owner: CN=
and Issuer: CN=, which should now differ: the issuer is the Certification Authority, not the server itself.
Once the presence of the device management server identity and its correct signature by the Certification
Authority have been verified, the temporary files, like the CSR and P7B files, can be deleted, because all of that
data is stored in the MDM keystore file and can be recovered at any time if required.
8.2.5 Configuration in B*Nator Web Interface
As mentioned in section 8.2, the MDM keystore file is only used to create and renew the identity certificate
of the device management server. It is uploaded to the B*Nator web interface and B*Nator will then use it
from the database.
To upload the MDM keystore to B*Nator, navigate within the web interface to menu ADMINISTRATION /
Configuration / Apple Device Management / Device Enrollment. In the Device Management Server Identity box, use the Browse... button to select the MDM Key Store File from the file
system and then enter the Key Store Password in the corresponding text field. After clicking the Upload
button, the MDM keystore is stored in the B*Nator database. If the keystore could be accessed correctly, the
page reloads and the box now shows the Issued to, Issued by and Valid from... to... information from the
keystore.
8.2.6 Renewing the Device Management Server Identity
When the device management server identity certificate is about to expire, the following process is required
to renew the certificate.
The certificate was configured in B*Nator by uploading the entire MDM keystore. When it needs to be
renewed, this has to be done with the original MDM keystore file on the file system. Using the Java keytool,
a certificate signing request (CSR) has to be created from the MDM alias in the MDM keystore file. Then
this CSR has to be signed again by the Certification Authority and the entire certificate chain (CA reply)
has to be imported into the MDM alias in the MDM keystore.
For a more detailed description of the process of updating the private key's signature, the initial description
in subsection 8.2.3 can be consulted.
When the device management server identity certificate is updated in the MDM keystore file, it has to be
uploaded to the B*Nator web interface by following these steps:
1. Stop the B*Nator Monitor Windows service on the B*Nator server.
2. Navigate to menu ADMINISTRATION / Configuration / Apple Device Management /
Device Enrollment.
3. In the Device Management Server Identity box, use the Remove button to delete the existing
(old) MDM keystore from the database.
4. After the page has reloaded, use the Browse... button to select the updated MDM Key Store File
from the file system and then enter the Key Store Password in the corresponding text field. After clicking
the Upload button, the MDM keystore is stored in the B*Nator database.
5. If the keystore could be accessed correctly, the page reloads and the box now shows the Issued to, Issued
by and Valid from... to... information from the keystore.
8.3 Push Certificate for Apple Push Notification System
The Apple Push Notification System (APNS) is an important link in the functional chain of managing and
contacting Apple iOS devices from third-party software like B*Nator. Every initial contact from the
outside to an Apple device has to go through the APNS: B*Nator asks the APNS to tell the iOS device
that it should contact B*Nator. B*Nator then has to rely on the APNS to push this notification to the
device and has to wait for a connection initiated directly by the device.
8.3.1 Short Description
To be able to connect to the APNS, a valid push certificate is required; otherwise the APNS will not accept
the connection request. In a procedure that is mostly similar to subsection 8.2.2, the following steps are
required to obtain a push certificate and let B*Nator work with it:
1. A new Java keystore file with a private key entry has to be created: the APNS keystore.
2. Then a certificate signing request (CSR) has to be generated from the private key entry.
3. This CSR must additionally be signed by a valid Apple MDM vendor, ISEC7.
4. With that signed CSR, a push certificate can be created with an Apple ID in the Apple Push Certificates
Portal [8].
5. This push certificate can be downloaded as a PEM file from the Apple Push Certificates Portal.
6. Additionally, the related higher Certification Authority certificates are also required. They can be downloaded from apple.com/certificateauthority [9]:
Apple Root Certificates / Apple Inc. Root Certificate: This is the Apple root CA.
Apple Intermediate Certificates / Application Integration: This is the intermediate CA that issued the push certificate.
7. Then the Apple Inc. Root Certificate has to be imported as a new trusted certificate entry into the APNS
keystore, to make the Apple root CA trusted in that keystore.
8. After that, the Application Integration CA has to be imported as a new trusted certificate entry into the APNS
keystore, to make that intermediate CA trusted in that keystore as well.
9. With those two trusted certificate entries, the keystore can build a valid PKI path to the push certificate
when it is imported as CA reply into the private key entry of the APNS keystore.
10. Finally, the APNS keystore can be verified and has to be uploaded to the B*Nator web interface, so
that B*Nator can work with it.
8.3.2 Creating the APNS Keystore
The following facts are related to the APNS keystore:
Purpose: The APNS keystore file is used to create and renew the push certificate, but B*Nator will work
with an uploaded copy of the file, which is stored in the B*Nator database. The APNS keystore file is
not in use unless the push certificate must be renewed.
Location: The file should be stored in the \conf subfolder of the B*Nator installation directory.
Name: APNS.jks
Type: JKS (Java Keystore)
Private Key: 2048-bit RSA
Passwords: The keystore and each private key entry can usually be secured with different passwords.
For this keystore the same password must be used for the entire keystore and the private key in it.
[8] https://identity.apple.com/pushcert/
[9] http://www.apple.com/certificateauthority/
Example Creation on the Command Line
The following description shows the creation of the APNS keystore with default values using the Java keytool
on the command line, which is usually located in the \bin subfolder of the Java Runtime Environment installation
directory. For more help and information about the Java keytool, please refer to the Java keytool documentation [10].
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-genkey
-keystore "C:\Program Files (x86)\BNator\conf\APNS.jks"
-alias APNS
-keysize 2048
-keyalg RSA
2. Enter a password for the entire keystore twice.
3. Now the keytool asks for the details of the identity's subject. All of the following information will
be overwritten by Apple, except the country code (C) attribute.
(a) First and last name for the new private key, like Company MDM Service. This is the common
name (CN) of the subject.
(b) Organizational unit (OU), like IT Department.
(c) Organization (O), like Company Ltd..
(d) City or Locality (L), like Hamburg.
(e) State or Province (ST), like HH.
(f) Two-letter country code (C), like DE.
4. After that, the Java keytool shows the entire subject line and asks if the given information is correct
(CN=Company MDM Service, OU=IT Department, O=Company Ltd., L=Hamburg, ST=HH, C=DE).
If the answer is n, the subject information can be retyped. If the answer is y, the private key will
be generated with the given subject.
5. As the last step, a separate password for the private key entry (alias) can be entered. Do not enter a password.
Press RETURN instead, to use the same password that was entered for the entire keystore before.
After that, there is a new file APNS.jks in the \conf subfolder of the B*Nator installation directory with a
self-signed private key entry.
Verifying the self-signed Push Certificate
The APNS.jks keystore file can be accessed with the Java keytool to view its details like follows:
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-list
-keystore "C:\Program Files (x86)\BNator\conf\APNS.jks"
-alias APNS
-v
2. Enter the password for the keystore.
3. In the verbose output (-v) look for the details about Owner: CN= and Issuer: CN=, which should be
the same at this point, because the certificate is still self-signed.
[10] http://java.sun.com/javase/7/docs/technotes/tools/windows/keytool.html
8.3.3 Creating a signed Certificate Signing Request from the APNS Alias
Using the Java keytool, a certificate signing request (CSR) can be created from the APNS alias in the APNS
keystore. This CSR then has to be signed as well, by ISEC7.
Creating the CSR from the APNS Alias
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters:
-certreq
-keystore "C:\Program Files (x86)\BNator\conf\APNS.jks"
-alias APNS
-file C:\temp\APNS_csr.txt
2. Enter the password for the keystore.
3. The keytool then writes the base64 encoded certificate signing request into the file given with the
-file parameter. This file can be opened in Windows with a text editor (Notepad) and should contain text
like the following.
Example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkhIMRAwDgYDVQQHEwdIYW1idXJn
...
Lu4ty/j9SPu8A9Uc1XCJP1ba8K9+5akgdNCAtbbMEYnZMA64lP9LxUs062fW/fIJt1I=
-----END NEW CERTIFICATE REQUEST-----
Signing the CSR by ISEC7
After the CSR file has been created and verified to contain the correct content, it can be sent by email to
apns@bnator.com. If the request is valid, the CSR will be signed and sent back to the sender with the new
signed certificate signing request (sCSR) file as an attachment to the response email.
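As an added check (example code, not part of the ISEC7 guide or product), the following Python script inspects a CSR file before it is emailed: it confirms the PEM armor that keytool -certreq writes, decodes the base64 body, verifies that the payload is a single DER SEQUENCE of the declared length, and refuses the file if it contains private key material, which a CSR never should. The sample request embedded in the script is constructed from a minimal DER structure rather than a real PKCS#10 request; to check C:\temp\APNS_csr.txt, pass the file's text to check_csr_text.

```python
"""Sanity check of a CSR file before it leaves the server for signing, as an
added example (not ISEC7 code): PEM armor, base64 body, a top-level DER
SEQUENCE whose declared length matches, and no private key material in the
file.  SAMPLE_CSR is constructed from a minimal DER SEQUENCE, not a real
PKCS#10 request.
"""
import base64
import binascii

# keytool -certreq writes the "NEW CERTIFICATE REQUEST" armor; other tools
# write "CERTIFICATE REQUEST".  Both wrap a PKCS#10 structure.
ARMORS = {
    ("-----BEGIN NEW CERTIFICATE REQUEST-----", "-----END NEW CERTIFICATE REQUEST-----"),
    ("-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----"),
}


def der_sequence_length(der):
    """Return (content_length, header_length) of a top-level DER SEQUENCE,
    or None when the bytes do not start with one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return first, 2
    n = first & 0x7F                       # long form: n more length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_csr_text(text):
    """Return (ok, message) for the contents of a CSR file."""
    if "PRIVATE KEY" in text:
        return False, "file contains private key material: do not send it"
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3:
        return False, "file too short to be a PEM request"
    if (lines[0], lines[-1]) not in ARMORS:
        return False, "missing or mismatched BEGIN/END CERTIFICATE REQUEST lines"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    parsed = der_sequence_length(der)
    if parsed is None:
        return False, "body does not start with a DER SEQUENCE"
    length, header = parsed
    if header + length != len(der):
        return False, f"DER length {length} does not match payload of {len(der) - header} bytes"
    return True, f"well-formed request, {len(der)} DER bytes"


def pem_from_der(der, armor=("-----BEGIN NEW CERTIFICATE REQUEST-----",
                             "-----END NEW CERTIFICATE REQUEST-----")):
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([armor[0], *chunks, armor[1]]) + "\n"


# Constructed sample: SEQUENCE { INTEGER 0 }, just enough to exercise the checks.
SAMPLE_CSR = pem_from_der(bytes([0x30, 0x03, 0x02, 0x01, 0x00]))

if __name__ == "__main__":
    print(check_csr_text(SAMPLE_CSR))
```

The check deliberately stops at the outer DER structure: it proves the file is an intact PEM-wrapped request and nothing else, without needing a PKCS#10 parser on the server.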
8.3.4 Creating a Push Certificate in the Apple Push Certificate Portal
With the sCSR file, a push certificate can be issued in the Apple Push Certificates Portal [11] in the following
way:
1. Open the browser and navigate to https://identity.apple.com/pushcert/
2. Sign in using an Apple ID. It is recommended to use a company Apple ID, because the push certificate
needs to be renewed once a year with the same Apple ID.
NOTE: If no company Apple ID is available or a new one should be used, navigate to
https://appleid.apple.com/ to create a new Apple ID with a valid email address.
3. After the login, either already existing certificates are visible and/or only the Create a Certificate
button is available, which is required to proceed.
4. After using the button, follow the instructions on the screen to agree to and Accept Apple's terms of
use.
5. Finally, the sCSR file can be uploaded on the Create a New Push Certificate page.
6. If the sCSR file was accepted, the certificate as well as a Download button appears.
NOTE: Sometimes the browser misbehaves after uploading the sCSR file and a file download is
initiated as a browser dialog. In that case just reopen https://identity.apple.com/pushcert/
again from the address bar of the browser. Then the new certificate should appear and can be
downloaded.
7. Download the push certificate (PEM file) and save it in a temporary location, like
C:\temp\APNS_cert.pem.
[11] https://identity.apple.com/pushcert/
8.3.5 Importing the Push Certificate into the APNS Alias
Using the Java keytool, the push certificate (CA reply) can be imported into the APNS alias in the APNS
keystore, which will update the signature of the private key to the new issuer, Apple.
Before it can be imported, however, the certificates of the higher issuing Certification Authorities have to be imported
into the keystore as trusted certificate entries first. This is required for the APNS keystore to build a valid PKI
path to the push certificate. The certificates of Apple's Certification Authorities are available for download
online at apple.com/certificateauthority [12].
Downloading the required Apple Certification Authority certificates
When viewing the push certificate details of the PEM file, which is not possible by default in Windows, it
would be visible that the push certificate was issued by the Apple Application Integration Certification
Authority (AAICA). So this is the first certificate that needs to be downloaded and stored in a temporary
location, like C:\temp\AppleAAICA.cer.
NOTE: To optionally view the details of the push certificate PEM file in Windows, just rename the file
extension to CER and open it in Windows. Afterwards, rename the file back to PEM.
When viewing the details of the AAICA certificate, it is visible that this is an intermediate CA, which was
issued by the Apple Inc. Root Certificate. This root certificate also needs to be downloaded and stored in a temporary
location, like C:\temp\AppleIncRootCertificate.cer.
Importing the certificates into the APNS keystore
With the certificates of the higher Certification Authorities and the push certificate available, they can all be
imported into the APNS keystore using the following description:
1. On the B*Nator server execute the keytool.exe on the command line with the following parameters to
import the Apple Inc. Root Certificate first.
-import
-keystore "C:\Program Files (x86)\BNator\conf\APNS.jks"
-alias AppleIncRootCA
-file C:\temp\AppleIncRootCertificate.cer
2. Enter the password for the keystore.
3. The keytool shows a warning that the certificate is not trusted and asks whether to proceed anyway.
Compare the certificate details shown in that warning with the root certificate published by Apple, then answer
y to make that Root CA trusted in the keystore.
4. Execute the keytool.exe again to import the Apple Application Integration Certification Authority next.
-import
-keystore "C:\Program Files (x86)\BNator\conf\APNS.jks"
-alias AppleAAICA
-file C:\temp\AppleAAICA.cer
5. Enter the password for the keystore.
NOTE: The keytool will not show a warning message this time, because the issuing CA is already
trusted in the keystore.
6. Execute the keytool.exe again to import the push certificate last.
-import
-keystore "C:\Program Files (x86)\BNator\conf\APNS.jks"
-alias APNS
-file C:\temp\APNS_cert.pem
7. Enter the password for the keystore.
[12] http://www.apple.com/certificateauthority/
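The keytool verification steps of subsection 8.2.4 (owner and issuer now differ), the self-signed check in subsection 8.3.2 and the PKI path built here in subsection 8.3.5 can be automated. The following Python script is an added example, not ISEC7 code: it parses the text of keytool -list -v for one alias and reports whether the leaf is still self-signed, whether every certificate in the chain was issued by the next one up to a self-signed root, and how long the leaf remains valid. The two listings embedded in it are constructed samples with invented names and dates; a real listing can be captured by redirecting the keytool -list -v output to a file and passing its text to check_listing.

```python
"""Automated form of the keytool verification steps, as an added example
(not ISEC7 code): parse ``keytool -list -v`` output and check that the
private key entry is no longer self-signed, that its chain is unbroken up
to a self-signed root, and that it is not about to expire.  Both listings
below are constructed samples with invented names and dates.
"""
import re
from datetime import datetime

# Constructed: MDM alias after the P7B CA reply was imported (chain of 3).
SAMPLE_SIGNED = """\
Alias name: MDM
Creation date: Dec 8, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=mdm.company.com, OU=IT Department, O=Company Ltd., L=Hamburg, ST=HH, C=DE
Issuer: CN=Company Issuing CA, DC=company, DC=com
Valid from: Mon Dec 08 10:00:00 CET 2014 until: Tue Dec 08 10:00:00 CET 2015
Certificate[2]:
Owner: CN=Company Issuing CA, DC=company, DC=com
Issuer: CN=Company Root CA, DC=company, DC=com
Valid from: Wed Jan 01 00:00:00 CET 2014 until: Sat Jan 01 00:00:00 CET 2022
Certificate[3]:
Owner: CN=Company Root CA, DC=company, DC=com
Issuer: CN=Company Root CA, DC=company, DC=com
Valid from: Wed Jan 01 00:00:00 CET 2014 until: Sun Jan 01 00:00:00 CET 2034
"""

# Constructed: APNS alias right after -genkey, still self-signed.
SAMPLE_SELF_SIGNED = """\
Alias name: APNS
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Company MDM Service, OU=IT Department, O=Company Ltd., L=Hamburg, ST=HH, C=DE
Issuer: CN=Company MDM Service, OU=IT Department, O=Company Ltd., L=Hamburg, ST=HH, C=DE
Valid from: Mon Dec 08 10:00:00 CET 2014 until: Sun Mar 08 10:00:00 CET 2015
"""

CERT_HEADER = re.compile(r"^Certificate\[\d+\]:$")
VALIDITY = re.compile(r"^Valid from: (.+?) until: (.+)$")


def _parse_date(text):
    """'Mon Dec 08 10:00:00 CET 2014' -> naive datetime; weekday and zone
    abbreviation are dropped because strptime cannot parse them portably."""
    t = text.split()
    return datetime.strptime(f"{t[1]} {t[2]} {t[3]} {t[5]}", "%b %d %H:%M:%S %Y")


def parse_listing(text):
    """Parse one entry of keytool -list -v output: alias, entry type and the
    certificate chain with the leaf (Certificate[1]) first."""
    entry = {"alias": None, "entry_type": None, "chain": []}
    cert = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry["alias"] = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:"):
            entry["entry_type"] = line.split(":", 1)[1].strip()
        elif CERT_HEADER.match(line):
            cert = {"owner": None, "issuer": None, "not_after": None}
            entry["chain"].append(cert)
        elif line.startswith("Owner:"):
            if cert is None:  # a trustedCertEntry prints no Certificate[n] header
                cert = {"owner": None, "issuer": None, "not_after": None}
                entry["chain"].append(cert)
            cert["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            cert["issuer"] = line.split(":", 1)[1].strip()
        else:
            m = VALIDITY.match(line)
            if m:
                cert["not_after"] = _parse_date(m.group(2))
    return entry


def check_entry(entry, now, warn_days=30):
    """Return the findings for a parsed entry; an empty list means the entry
    looks the way the guide expects after the CA reply was imported."""
    findings, chain = [], entry["chain"]
    if entry["entry_type"] != "PrivateKeyEntry":
        findings.append("not a private key entry")
    if not chain:
        return findings + ["entry holds no certificate"]
    leaf = chain[0]
    if leaf["owner"] == leaf["issuer"]:
        findings.append("leaf is self-signed: CA reply not imported yet")
    for i in range(len(chain) - 1):          # each issuer must be the next owner
        if chain[i]["issuer"] != chain[i + 1]["owner"]:
            findings.append(f"chain break between certificate {i + 1} and {i + 2}")
    if chain[-1]["owner"] != chain[-1]["issuer"]:
        findings.append("chain does not end in a self-signed root")
    if leaf["not_after"] is not None:
        left = (leaf["not_after"] - now).days
        if left < 0:
            findings.append("leaf certificate has expired")
        elif left < warn_days:
            findings.append(f"leaf certificate expires in {left} days: start renewal")
    return findings


def check_listing(text, now=None):
    """Parse then check; `now` may be a datetime, an ISO date string or None."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return check_entry(parse_listing(text), now or datetime.now())
```

The chain check is the textual equivalent of the PKI path the keystore builds: for the APNS alias it expects the push certificate, then the Application Integration CA, then the self-signed Apple Inc. Root, exactly the three entries imported above.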
8.3.6 Configuration in B*Nator Web Interface
As mentioned in subsection 8.3.2, the APNS keystore file is only used to create and renew the push certificate
for contacting the Apple Push Notification Service. It is uploaded to the B*Nator web interface and B*Nator
will then use it from the database.
To upload the APNS keystore to B*Nator, navigate within the web interface to menu ADMINISTRATION /
Configuration / Apple Device Management / Device Enrollment. In the Push Notification
Service Identity box, use the Browse... button to select the APNS Key Store File from the file system
and then enter the Key Store Password in the corresponding text field. After clicking the Upload button, the
APNS keystore is stored in the B*Nator database. If the keystore could be accessed correctly, the page reloads
and the box now shows the Issued to, Issued by and Valid from... to... information from the keystore.
8.3.7 Renewing the Push Certificate
The push certificate was configured in B*Nator by uploading the entire APNS keystore. When it is about
to expire it needs to be renewed, which has to be done with the original APNS keystore file on the file system
by following this process:
1. Navigate to menu ADMINISTRATION / Configuration / Modules and Deactivate the Apple Device Management Monitor module in the B*Nator web interface, so that B*Nator does not
contact the Apple Push Notification System with the current certificate while it is being renewed.
2. Using the Java keytool on the B*Nator server, a certificate signing request (CSR) has to be created
from the APNS alias in the APNS keystore file. Then this CSR has to be signed again by ISEC7, to
get a signed CSR (sCSR) file. Both steps are described in detail in subsection 8.3.3.
3. After signing in to the Apple Push Certificate Portal with the same Apple ID that was used to create
the push certificate, as described in subsection 8.3.4, the push certificate is listed directly after the login
and can be renewed with the Renew button, which requires uploading the new sCSR file.
NOTE: If there are several push certificates listed, find the correct one by looking for an entry
with matching Service, Vendor and Expiration Date.
4. Then the new push certificate can be downloaded as a PEM file, which has to be imported into the APNS
alias in the APNS keystore to update the private key's signature, as described in subsection 8.3.5.
NOTE: Only in the unlikely event that one of the Apple CA certificates was renewed in the meantime
does it have to be imported again as well. Otherwise only the new PEM file has to be imported.
5. When the push certificate is updated in the APNS keystore file, it has to be uploaded to the B*Nator
web interface by following these steps:
(a) Navigate to menu ADMINISTRATION / Configuration / Apple Device Management
/ Device Enrollment.
(b) In the Push Notification Service Identity box, use the Remove button to delete the
existing (old) APNS keystore from the database.
(c) After the page has reloaded, use the Browse... button to select the updated APNS Key Store
File from the file system and then enter the Key Store Password in the corresponding text field.
After clicking the Upload button, the APNS keystore is stored in the B*Nator database.
(d) If the keystore could be accessed correctly, the page reloads and the box now shows the Issued to,
Issued by and Valid from... to... information from the keystore.
6. Finally, Activate the Apple Device Management Monitor module again in the B*Nator web
interface and verify the functionality by checking that the Last activity timestamp is updated shortly
afterwards for active devices with an Enrolled management relationship status.
Chapter 9
Host Monitoring
This chapter covers the required configuration to monitor any host that was added to B*Nator. A host that
should be monitored but is not available in B*Nator yet has to be added first, as described in the corresponding
chapters of this document. Not all monitoring options are available for all hosts. Most options are available
for hosts with a Microsoft Windows operating system and a local ’B*Nator Agent’ installed.
Available monitoring options are:
• Reachability: Monitors a host’s availability via ICMP echo (ping) requests using the ’Host Monitor’
module of the ’B*Nator Monitor’ service. This feature is basically available for any type of host that
can reply to ping requests.
• Host Information: Monitors details about the operating system, CPU, RAM etc. using a ’B*Nator
Agent’.
• System Services: Monitors the services of a Microsoft Windows system using a ’B*Nator Agent’.
• CPU Usage: Monitors the CPU usage of a Microsoft Windows system using a ’B*Nator Agent’.
• Memory Usage: Monitors the memory usage of a Microsoft Windows system using a ’B*Nator Agent’.
• Network Usage: Monitors the network usage of a Microsoft Windows system using a ’B*Nator Agent’.
• Data Storage Devices: Monitors the data storage devices of any host either using SNMP or a local
’B*Nator Agent’ on Microsoft Windows systems.
• System Time Drift: Monitors the system clock’s drift of any host compared to the B*Nator server
using the ’SNMP Collector’ module of the ’B*Nator Monitor’ service.
The following figure (not reproduced here) gives an overview of the options. It relates the data sources
Windows Management Instrumentation (WMI), Agent Log Parser, Host Information Collector, Host Monitor,
Network Monitor and SNMP Collector to the monitored details: Host Information Details, System Services,
CPU Usage Details, Memory Usage Details, Network Usage Details, Data Storage Devices and System Date.
Some monitoring options lead to further configuration options, like the ’System Services’ monitoring, which later
allows configuring which services actually should be monitored and which not. These details are covered in
the next sections.
9.1 Setting the Monitoring Options
The host monitoring features are part of the host configuration in the ’Infrastructure Management’ page.
1. Use menu ’ADMINISTRATION\Infrastructure\Management’
2. Select a host from the list to access its host configuration
3. Select the ’Monitoring’ tab
4. Enable all options that should be monitored for this host
5. Click the Change button to make the changes take effect
(Screenshot of the ’Monitoring’ tab: checkboxes for Reachability, Host Information, System Services, CPU Usage,
Memory Usage, Network Usage, Data Storage Devices and System Time Drift, and a Change button.)
9.1.1 SNMP Configuration
Some monitoring options require SNMP to be configured for the monitored host, which can be done
on the ’SNMP’ tab. It contains a setting that enables the host to be monitored by the ’SNMP Collector’
module with the SNMP-related features that are enabled on the ’Monitoring’ tab. In order to
access the host’s SNMP service, a ’Community Name’ has to be configured, too. The community name is the
credential for the host’s SNMP service and should be handled like a password.
(Screenshot of the ’SNMP’ tab: checkbox ’Use for Host Monitoring’, masked ’Community Name’ field and a Change button.)
9.2 Reachability
When the ’Reachability’ option is enabled, the host’s reachability on the network is monitored by the ’Network
Monitor’ module from its next run on. The module constantly sends ICMP echo (ping)
requests to the host and analyzes the responses to calculate an ’Average Ping Time’ for the host. Additionally,
it uses the configured ’Threshold’ to calculate a ’Status’ for this information.
This type of monitoring is basically available for any type of host that can reply to ping requests.
9.2.1 Configuring the Threshold
The threshold for the ’Reachability’ monitoring is configured in the main settings page.
1. Use menu ’ADMINISTRATION\B*Nator\Settings’
2. Locate the ’Thresholds’ box
3. Enter a value for the ’threshold for max host ping in ms’
4. Click the update button on the bottom of the page to make the changes take effect
9.2.2 Possible Statuses
When the ’Reachability’ monitoring is enabled and the ’Network Monitor’ module has not run yet,
the status for the host’s reachability is set to:
Unknown
Once the ’Network Monitor’ module has checked the host, it sets the status depending on the result:
Good: The ping time is below the configured threshold
Warning: The ping time is above the configured threshold
Critical: The host could not be pinged
9.2.3 Ping Interval
How often the host’s reachability on the network is checked can be controlled with the ’Network
Monitor’ module update interval.
1. Use menu ’ADMINISTRATION\B*Nator\Modules’
2. Locate the ’Network Monitor’ module
3. Enter the update interval
4. Click the update button to make the changes take effect
9.2.4 Notifications
If a host’s average ping time exceeds the threshold, a notification is sent to all ’recipient notification lists’ that are
selected on the ’Notifications’ tab of every server that is added to the host, as described in section 10.4.3. For
general information about notifications, please refer to section 10.4.
9.3 Host Information
When the ’Host Information’ option is enabled, additional details about the host are collected by a locally installed
’B*Nator Agent’ that uses the Windows Management Instrumentation (WMI) service to get this information.
For instructions about how to install a ’B*Nator Agent’ on a host, please refer to section 10.7.
9.4 System Services
When the ’System Services’ option is enabled the host’s service details are collected by a locally installed
’B*Nator Agent’ that uses the Windows Management Instrumentation (WMI) service to get this information.
For instructions about how to install a ’B*Nator Agent’ on a host, please refer to section 10.7.
9.5 CPU Usage
When the ’CPU Usage’ option is enabled the host’s processor usage is collected by a locally installed ’B*Nator
Agent’ that uses the Windows Management Instrumentation (WMI) service to get this information.
For instructions about how to install a ’B*Nator Agent’ on a host, please refer to section 10.7.
9.6 Memory Usage
When the ’Memory Usage’ option is enabled the host’s memory usage is collected by a locally installed ’B*Nator
Agent’ that uses the Windows Management Instrumentation (WMI) service to get this information.
For instructions about how to install a ’B*Nator Agent’ on a host, please refer to section 10.7.
9.7 Network Usage
When the ’Network Usage’ option is enabled the network usage is collected by a locally installed ’B*Nator
Agent’ that uses the Windows Management Instrumentation (WMI) service to get this information.
For instructions about how to install a ’B*Nator Agent’ on a host, please refer to section 10.7.
9.8 Data Storage Devices
When the ’Data Storage Devices’ option is enabled, the details about the host’s drives are collected using
SNMP or a locally installed ’B*Nator Agent’ that uses the Windows Management Instrumentation (WMI)
service to get this information. If SNMP is configured and an Agent is installed, both sources are used to
retrieve the data storage device details.
In order to collect data storage device details using SNMP, the SNMP configuration for the host itself has to
be configured, as described in subsection 9.1.1.
For instructions about how to install a local ’B*Nator Agent’ on a host, please refer to section 10.7.
9.8.1 Configuring the Threshold
When data storage device details are available from the monitoring, they are visible but not actively monitored
by default. A threshold can be defined for the minimum amount of ’free space’ that should be available on
each device before a notification is sent to the host’s ’recipients lists’. This threshold configuration is done
using the ’Data Storage Devices’ tab on the host.
1. Use menu ’ADMINISTRATION\Infrastructure\Management’
2. Select a host from the list to access its configuration
3. Select the ’Data Storage Devices’ tab
4. Enter the ’Threshold’ for the free space of the devices to be monitored
5. Select the ’eye’ icon to enable the monitoring of the devices
6. Click the ’Change’ button to make the changes take effect
Label        Free Space          Threshold  Monitoring
C: (System)  226,834/285,879 MB  10240 MB   (eye icon)
D:           0/4,071 MB          0 MB       (eye icon)
Change
9.8.2 Possible Statuses
The following statuses are displayed (as icons) when the device’s free space is:
. . . above the threshold
. . . below the threshold
. . . below 20 MB
. . . not monitored
9.8.3 Update Interval
The interval in that the information is updated depends on the source that is used to retrieve the data storage
device details.
SNMP
If SNMP is used, the interval can be controlled with the ’SNMP Collector’ module update interval.
1. Use menu ’ADMINISTRATION\B*Nator\Modules’
2. Locate the ’SNMP Collector’ module
3. Enter the update interval
4. Click the update button to make the changes take effect
B*Nator Agent
Locally installed Agents update the data storage device details every 5 minutes. This interval can not be
changed.
9.8.4 Notifications
If a data storage device’s free space falls below the configured threshold, a notification is sent to all ’recipient
notification lists’, that are selected on the ’Notifications’ tab of every server that is added to the host, as
described in section 10.4.3. For general information about notifications, please refer to section 10.4.
9.9 System Time Drift
When the ’System Time Drift’ option is enabled the host’s system clock drift is collected via SNMP using the
’SNMP Collector’ module and compared to the B*Nator Monitor host’s system clock.
Chapter 10
System Configurations
This chapter covers several configurations of B*Nator itself.
10.1 Changing the Logging Level
During the configuration of B*Nator or while troubleshooting issues, the log level should be set to the ’Debug’
level for the best depth of information in the logs.
The log level can be changed in the web application with the ’loglevel’ box on the ’Modules’ configuration
page using menu:
ADMINISTRATION\B*Nator\Modules
(Screenshot of the ’loglevel’ box: a drop-down menu showing ’Debug’ and a ’change loglevel’ button.)
1. Select ’Debug’ from the drop-down menu
2. Click the ’change loglevel’ button to make the changes take effect
The new log level is used immediately for the logs of the ’Monitor’ service and the web application, so the services
do not have to be restarted. Once the configuration or troubleshooting is finished, set the log level back to a less
verbose level, as ’Debug’ logs grow quickly.
For more detailed information about the log files, please consult the ’Software Documentation’ document.
10.2 LDAP Configurations
The ’Lightweight Directory Access Protocol’ is used to look up user information for several purposes:
• user credentials to access B*Nator and the User Self Service using company directory credentials
• user identifier, when adding users to servers or when migrating users to BlackBerry Enterprise Server
environments
The list of the currently set up LDAP configurations is available in menu:
ADMINISTRATION\B*Nator\LDAP
host          port  namespace                account                       type
DC01          636   DC=company,DC=com        COMPANY\Administrator         Active Directory   edit  delete
US-DC01       636   DC=us,DC=company,DC=com  Administrator@us.company.com  Active Directory   edit  delete
Domino01      389   O=COMPANY                CN=Domino Admin/O=COMPANY     Lotus Domino       edit  delete
eDirectory05  389   O=COMPANY                CN=Admin,O=COMPANY            Novell eDirectory  edit  delete
Existing LDAP configurations can be edited by using the edit link or deleted by clicking the delete link at the
end of the line.
10.2.1 Adding new LDAP Configurations
To add a new LDAP configuration to B*Nator, select the directory type of the LDAP server from the drop-down
menu. Supported directory types are:
• Active Directory
• Lotus Domino
• Novell eDirectory
After clicking the Add new LDAP button the LDAP configuration editor is displayed for providing the connection details.
10.2.2 Editing LDAP Configurations
After adding a new LDAP configuration or when editing an existing one, the LDAP configuration editor is
displayed.
(Screenshot of the ’LDAP Configuration’ editor with example values: host dc1.company.com, port 636, SSL checkbox,
namespace DC=company,DC=com, account svc-emm@company.com, masked password, ’Use for login’ checkbox,
a ’Test configuration’ box with a ’Perform Test’ button, and a ’Change’ button.)
• Host: The name or the IP address of the host on which the LDAP server is running, e.g. a ’Domain
Controller’ or a ’Domino server’ with an ’LDAP Server’ task.
• Port: LDAP server connection port. By default port 389 is used for unencrypted connections, on which the
account credentials and lookup results are not protected on the network.
• SSL: Checkbox to enable ’Secure Sockets Layer’ encryption for the LDAP connection. By activating the
checkbox the port is automatically changed to the default LDAPS port 636, if the default LDAP
port was configured before, and back from 636 to 389 when deactivating the checkbox.
Note: To establish SSL connections to the LDAP server it is required that the server certificate can be
validated for each connection. Also the given ’Host’ name must be part of the certificate’s subject.
For more information about working with certificates, please refer to chapter 2.
• Namespace: Base namespace for LDAP lookups. It consists of several objects, like organizations or
domain components. Here are some examples:
– Active Directory: DC=company,DC=com
– Domino Directory: O=company
– Novell eDirectory: O=company
• Account: Login name of an account for authenticating with the LDAP server to perform lookups.
Depending on the LDAP server and the directory type, different account name types can be valid:
– Down-level logon names, e.g. ’COMPANY\Administrator’
– User principal names, e.g. ’Administrator@company.com’
– Usernames, e.g. ’Administrator’
– Distinguished names, e.g. ’CN=Administrator,OU=Users,DC=COMPANY,DC=COM’
– Any other login name that is accepted by the given LDAP server ’host’
• Password: The password for the given ’account’.
• Use for login: Checkbox to select if this LDAP configuration should be used to provide the resulting
Active Directory domain as an option for logging in to B*Nator on the login page.
Note: This option is only available for Active Directory LDAP configurations.
• Append domain to common names (with @DOMAIN): Option to add the name of the domain to
the common names of the users, if it is required to add users to a BlackBerry Enterprise Server for Lotus
Domino.
Note: This option is only available for Lotus Domino LDAP configurations.
Testing Configurations
The entered configurations can be tested using the Perform test button, which executes a connection and
login test against the LDAP server. The result of the test is displayed afterwards. Here are some common
error messages if the configuration is incorrect:
• Hostname: If only the hostname is reported, the given ’host’ is not reachable.
• Connection refused: connect: The connection to the given ’port’ was refused by the ’host’.
• Error Code 32: The given ’namespace’ is incorrect.
• Error Code 49: The given ’account’ and ’password’ information is not a valid login for the LDAP server.
• The SSL certificate of the LDAP server could not be verified: If the certificate is basically valid,
please refer to chapter 2 for information about working with certificates for the ’B*Nator Monitor’ and
’Apache Tomcat’.
Changes to the configuration can be saved by clicking the Save button.
10.2.3 Using Active Directory Logins
When an ’Active Directory’ LDAP configuration was configured with the ’Use for login’ option, it is used
for the ’Log in using’ option in the login form of the login page. For this reason the login page queries
each Active Directory for its ’NetBIOS domain name’ and ’UPN suffixes’.
Note: This information can only be obtained from Domain Controllers, not from Global Catalog
servers. So the LDAP configuration for the Active Directory needs to be configured to connect to a
Domain Controller.
This is required for the auto selection feature of the ’Log in using’ drop-down menu on the login page, which
automatically selects the related option and locks it, if an entered ’Username’ can be matched to an Active
Directory. The following example shows the different login options for an example user:
• Example user
– User account name / logon name: jdoe
– NetBIOS domain name: COMPANY
– UPN suffix: company.com
Login option            Username            Password    Log in using
Account Name            jdoe                ********    COMPANY (chosen from the ’Login with. . .’ drop-down)
User Principal Name     jdoe@company.com    ********    COMPANY*
Down-Level Logon Name   COMPANY\jdoe        ********    COMPANY*
* Automatically selected and locked.
With only one Active Directory LDAP configuration, users of all domains within the forest can be logged in.
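The auto selection described above, as an added example in Python (not B*Nator code): a function that recognises the three login name forms and locks the ’Log in using’ selection when the NetBIOS name or UPN suffix matches a configured Active Directory. The directory records are constructed sample data, not values read from a Domain Controller.

```python
# Added example, not B*Nator code: recognise the three login name forms and
# auto-select the 'Log in using' domain when it matches a configured Active
# Directory. The directory records below are constructed sample data.
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ADDirectory:
    """One Active Directory LDAP configuration with 'Use for login' enabled."""
    netbios_name: str
    upn_suffixes: List[str] = field(default_factory=list)


@dataclass
class LoginSelection:
    login_type: str        # 'Account Name', 'User Principal Name' or 'Down-Level Logon Name'
    account_name: str      # bare logon name, e.g. 'jdoe'
    domain: Optional[str]  # NetBIOS name of the matched directory, else None
    locked: bool           # True when the drop-down was auto-selected and locked


# Constructed sample: two domains of one forest, each with its UPN suffixes
SAMPLE_DIRECTORIES = [
    ADDirectory("COMPANY", ["company.com"]),
    ADDirectory("SALES", ["sales.company.com", "sales.example"]),
]


def classify_login(username: str, directories: List[ADDirectory]) -> LoginSelection:
    """Map a typed username onto a login type and, where possible, a domain."""
    username = username.strip()
    # Down-level logon name: DOMAIN\user (exactly one backslash, no '@')
    m = re.fullmatch(r"([^\\@]+)\\([^\\@]+)", username)
    if m:
        netbios, account = m.group(1), m.group(2)
        for d in directories:
            if d.netbios_name.lower() == netbios.lower():
                return LoginSelection("Down-Level Logon Name", account, d.netbios_name, True)
        # recognised form, but no configured directory matches: leave the choice open
        return LoginSelection("Down-Level Logon Name", account, None, False)
    # User principal name: user@suffix (exactly one '@', no backslash)
    m = re.fullmatch(r"([^\\@]+)@([^\\@]+)", username)
    if m:
        account, suffix = m.group(1), m.group(2)
        for d in directories:
            if suffix.lower() in (s.lower() for s in d.upn_suffixes):
                return LoginSelection("User Principal Name", account, d.netbios_name, True)
        return LoginSelection("User Principal Name", account, None, False)
    # Plain account name: the user has to pick the domain from the drop-down
    return LoginSelection("Account Name", username, None, False)
```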
10.3 Managing Access to the Web Application
The B*Nator web application provides two main sections:
• Administrative Interface: Management access for ’Administrator’, ’Full Access’ and ’First-Level Access’
users. They are configured in the Global Permissions configuration, as described in subsection 10.3.1.
• User Self Service: Interface for users with details and administrative features for their devices. This
access and the range of available features is configured by an ’Administrator’ in the User Self Service
Permission configuration, as described later in this section.
Each section is only available after a valid login through one of the user directories that was configured with
access to the B*Nator web application. Possible directories are:
• Active Directory: User accounts from an Active Directory. This requires adding an ’LDAP Configuration’ as described in section 10.2.
• Domino Directory: User accounts from a Domino directory. This requires configuring ’DIIOP’ for a
’Domino Server’ in B*Nator and enabling the ’Use for Login’ configuration.
• B*Nator: Local user accounts in B*Nator, as described in section 10.6.
Users, groups or even entire directories can be assigned with ’permissions’ to specific sections of the web
application. So each account can be provided with access to a different range of features for the entire
B*Nator web application.
10.3.1 Global Permissions
The ’Global Permissions’ are used to provide ’administrative’ access to the B*Nator web application. They
can be configured in menu:
ADMINISTRATION\B*Nator\Global Permissions
Using the ’Permissions Editor’ that is described in subsection 10.3.3 the specific ’Permissions’ can be assigned
to each ’Principal’. The following permissions are available:
• Administrator: Unrestricted access to the B*Nator web application.
• Full Access: Access to all areas of the web application except the B*Nator configurations and settings.
The visible users, devices, servers and the related range of features depend on the permissions on each
specific system that were granted by an ’Administrator’.
• First-Level Access: Access only to user and device administration as well as user migrations. The visible
users and devices as well as the related range of administration features depend on the permissions on
each specific system that were granted by an ’Administrator’.
Example for adding ’Administrator’ users from an Active Directory:
1. Use menu ’ADMINISTRATION\B*Nator\Global Permissions’
2. Click the Add Principal button in the ’Principals’ box
3. Select the Active Directory from the ’Principals of’ drop-down menu
4. Type the name of the user or a group into the ’Search for’ text field
5. Wait for the lookup to show results and select one entry from the list
6. Click the Add button which will close the search dialog to add the selected principal to the list of
’Principals’ and select it, so that the permissions can be set up in the ’Permissions’ box.
7. Activate the ’Administrator’ checkbox
8. Click the Save permissions button to save the ’permission’ to the selected ’principal’.
Now the newly added user or all users of the newly added group can log in to the B*Nator web application
using their Active Directory credentials with ’Administrator’ permissions.
10.3.2 User Self Service Permissions
The ’User Self Service Permissions’ are used to provide users with access to the User Self Service portal. They
can be configured in menu:
ADMINISTRATION\User Self Service\Permissions
Using the ’Permissions Editor’ that is described in subsection 10.3.3 the specific ’Permissions’ can be assigned
to each ’Principal’. The following permissions are available:
• Access
– Login enabled
• Device information
– View common details
– View hardware details
– View software details
– View message details
– View traffic details
– View traffic applications
• Device Management
– Set enterprise activation password
– Change handheld password
– Change traffic push
– Kill handheld
– Change owner Info
– Manage favorites
• Provisioning
– Provisioning of Apple devices
– Provisioning of BlackBerry devices
Note: If users have permissions to log in to the User Self Service but nothing would be available, e.g.
because they do not have a device, they will see a message that there is nothing to show and an option to
log out again.
Note: Not all features are available for all device types. If features were allowed by permissions that are not
available for a device, they will not show up in the User Self Service.
Example for adding all users from an Active Directory with permissions to log in and view information about
the device:
1. Use menu ’ADMINISTRATION\B*Nator\User Self Service Permissions’
2. Click the Add Principal button in the ’Principals’ box
3. Select the Active Directory from the ’Principals of’ drop-down menu
4. Type the name of the Active Directory into the ’Search for’ text field
5. Wait for the lookup to show results and select it from the list
6. Click the Add button which will close the search dialog to add the selected principal to the list of
’Principals’ and select it, so that the permissions can be set up in the ’Permissions’ box.
7. Activate the checkboxes for all ’Access’ and ’Device Information’ permissions.
8. Click the Save permissions button to save the ’permissions’ to the selected ’principal’.
Now users from the newly added Active Directory can log in to the User Self Service using their Active Directory
credentials and view information about the device.
10.3.3 Permission Editor
Wherever permissions need to be assigned to specify which users are provided with which permission, the
’permission editor’ is used. It provides a ’principals’ box, where users can be added from the different
directories, and a ’permissions’ field, where the specific permissions can be assigned to each user.
Principals
The ’principals’ box provides the list of all principals that were added so that permissions can be assigned to
them. Clicking a principal in the list shows the related permissions in the ’permissions’ box below.
Managing Principals
Using the Add principal button, additional principals can be added to assign permissions to them.
Using the top drop-down menu, the directory in which the desired principal is located must be selected. After
that, the search for the principal is executed directly while typing the name into the search field, and the top 10
search results are shown in the list below. Principals can be:
• B*Nator: B*Nator users and groups or BlackBerry Enterprise Server user groups monitored by B*Nator.
• Directories: Objects of configured directories like users, groups or even entire domains.
By selecting a principal and clicking the Add button, it is added to the permission editor, so that permissions
can be assigned to it.
Using the Delete principal button, the selected principal and all its related permissions are removed from the
permission editor.
Permissions
The ’permissions’ box provides the specific permissions that are available for the edited object. Each permission
can be controlled for the principal selected above, by using the checkboxes for the permissions provided. Using
the Save permissions button, the permission configuration is stored to the selected principal.
10.4 Notifications
Many events recognized by the monitoring features can be reported to ’recipients’, so that it is not necessary
to manually review the dashboards, reports or detail pages for bad statuses.
10.4.1 Overview
When an event occurs for a system, it is sent to all ’Notification Recipient Lists’ that are configured for this
system. Those lists contain ’recipients’ that will receive a notification about the event. A recipient can be
part of several lists to receive different notifications.
Notification Types
The following methods for sending notifications are available:
• Email: Notifications by text email. This requires configuring the outgoing email settings for B*Nator
as described in section 10.5.
• BES User: Notifications by BlackBerry PIN messages to BlackBerry Enterprise Server activated devices.
This requires a configured BlackBerry Enterprise Server environment with BlackBerry User Administration features as described in chapter 4.
10.4.2 Notification Recipient Lists
’Notification Recipient Lists’ contain recipients. Their configuration is available using menu:
ADMINISTRATION\B*Nator\Notifications\Recipients Lists
From here all existing ’recipient lists’ are available. Lists can be added, edited, deleted and assigned to systems
whose events should be reported to the recipients they contain.
Name                           Description                                                       Recipients
All server notifications       Recipients of notifications for all servers in the environment    2
System notifications           Recipients of notifications about the monitoring system itself    2
Internal BES12 Notifications   Notifications about the internal BES12 servers                    5
[Assign to hosts button below the list]
Note: Hovering with the mouse over a row in the list shows available buttons at the end of each row.
• Checkbox: Selects the list for the ’Assign to hosts’ button. The two predefined lists have no
checkbox, because their assignment cannot be changed.
• Name: Name of the list.
• Description: More detailed description of the list.
• Recipients: Total count of recipients added to the list.
• Edit : Leads to the edit page to change the ’Name’ and ’Description’ and to add or remove recipients.
• Delete : Removes the list. Predefined lists cannot be deleted.
• Assign to hosts : Assigns the selected lists to, or removes them from, all or specific monitored hosts.
Predefined Notification Recipient Lists
There are two predefined lists. They are automatically assigned to all systems that can produce notifications.
For that reason, they cannot be deleted or manually assigned to systems. Only adding recipients is possible
for these lists.
• All server notifications: This list is automatically assigned to all servers that are monitored. Its recipients
will receive all notifications except notifications about B*Nator itself.
• System notifications: Recipients of this list receive notifications only regarding B*Nator itself.
Adding Notification Recipient Lists
New lists can be added by entering a ’name’ into the ’Add list’ box and clicking the ’Add’ button, which then
opens the editor for the newly created list.
Editing Notification Recipient Lists
When editing a list there are two boxes displayed. An ’Information’ box for changing the ’Name’ and the
’Description’ of the list and the other for managing the recipients in the list.
[Screenshot: ’Information’ box with Name ’Internal BES12 Notifications’, Description ’Notifications about the internal BES12 servers’ and a Save button; recipients box listing admin@company.com (Language: German) and john.doe@company.com (Language: English) with a ’Send test notification’ button; ’Add recipient’ row with Type (Email), Email address, Language (English) and an Add button.]
The ’Send test notification’ button sends a test message to all recipients in the list.
Adding recipients to a list is done by:
1. Selecting the notification ’Type’
2. Entering the corresponding address, which is
• ’Email address’ when the ’Type’ is ’Email’
• ’BES User’ when the ’Type’ is ’BES User’. In this case, a lookup is executed while entering a name
of a BlackBerry Enterprise Server activated user and a user must be selected from the displayed
results list.
3. Selecting the ’Language’ for the notifications that are sent to the recipient
4. Clicking the ’Add’ button
10.4.3 Working with Notification Recipient Lists
In order to make recipients receive notifications, the ’Notification Recipient Lists’ need to be configured on
the systems whose events should be reported to the recipients in the lists. This is automatically configured for
the two predefined lists.
If custom notification recipient lists are created, they have to be assigned manually to the systems whose
events should be reported to the recipients in the list. This can be done using the ’Notifications’ tab in the system’s
configuration on the ’Infrastructure Management’ page, or as a mass (un)assignment in the ’Notification
Recipient Lists’ configuration using the ’Assign to hosts’ feature.
’Notification’ Tab in Infrastructure Management Page
For some of the server configurations a ’Notifications’ configuration tab is available. On that
tab the available ’Notification Recipient Lists’ can be selected and unselected to control which lists should
receive notifications related to the specific server.
10.5 Outgoing Mail Server Configuration
Before mails can be sent out by B*Nator, an SMTP gateway through which mails can be sent has to be
configured.
Mails are sent because of different reasons, like:
• Notifications to administrators about events
• Information to users about migrations
• Individual messages to users by administrators
10.5.1 Connection Security
The connection to the SMTP gateway can either be unencrypted, which is the default, or encrypted.
The following ’connection security’ methods are available:
• None: Default unencrypted SMTP will be used. The default connection port is 25.
• STARTTLS: The connection is initiated unencrypted but then requires the SMTP gateway to proceed
with TLS encryption on the same port. Default port is 25.
• SSL/TLS: The connection directly starts with encryption enabled. Default port is 465. This requires
that the SMTP gateway’s certificate is trusted by the ’Apache Tomcat’ and ’B*Nator Monitor’ services,
as described in chapter 2.
10.5.2 Send-from Address and Authentication
Depending on what authentication methods the SMTP gateway allows for sending emails, B*Nator can send
those either with any send-from address, e.g. ’BNator@company.com’ and without authentication, or with an
existing send-from address and with the corresponding credentials for authentication.
10.5.3 Configuring the SMTP Gateway
The settings for using SMTP to send emails are configured in the ’SMTP configuration for notifications’ box
using menu:
ADMINISTRATION\B*Nator\Settings
[Screenshot: ’SMTP configuration for notifications’ box with From address (BNator@company.com), Host (smtp.company.com), User, Password, Confirm password, Port (25) and the Connection security drop-down (STARTTLS).]
• From address: Send-from email address of B*Nator.
• Host: SMTP gateway or relay server.
• User: User for SMTP authentication, if required by the ’Host’.
• (Confirm) Password: Password for the given ’User’.
• Port: Port for connecting to the ’Host’.
• Connection security: Sets the security level to use for the connection to the ’Host’.
10.5.4 Testing the Outgoing Mail Server Configuration
When the outgoing mail server configuration is done it can be tested using the ’Send test notification’ button
in a ’Notification Recipient List’, as described in subsection 10.4.2.
This button immediately sends a test notification to all recipients in the list. If no mail arrives in the
recipients’ inbox, the ’Services’ log file in the ’/logs/web’ subfolder of the B*Nator installation directory may
contain details about the issue.
C:\Program Files (x86)\BNator\logs\web\Services_2014-12-08.log
Hint: For better troubleshooting the log level should be set to ’Debug’, as described in section 10.1, for the
full range of possible logging.
Possible issues are network connection problems, certificate validation issues when the connection is encrypted,
or the gateway rejecting the request with an error message like ’550 5.7.1 Client does not have
permissions to send as this sender’.
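The connection security modes of subsection 10.5.1 and the test of this subsection, as an added example in Python (not B*Nator code): a client that opens the gateway session according to the configured ’Connection security’, verifying the server certificate for the encrypted modes and refusing a silent fallback to clear text, plus a helper that classifies gateway replies such as the 550 5.7.1 message. The settings dictionary, the cafile parameter and the host names are assumptions.

```python
# Added example, not B*Nator code: open an SMTP gateway session according to the
# configured 'Connection security' and classify the gateway's reply. The settings
# dict, the 'cafile' parameter and the host names are assumptions.
import smtplib
import ssl
from email.message import EmailMessage

# Default ports per connection security setting, as documented in 10.5.1
DEFAULT_PORTS = {"None": 25, "STARTTLS": 25, "SSL/TLS": 465}


def resolve_port(connection_security, port=None):
    """Return the configured port, or the documented default for the mode."""
    if connection_security not in DEFAULT_PORTS:
        raise ValueError(f"unknown connection security: {connection_security!r}")
    return int(port) if port else DEFAULT_PORTS[connection_security]


def open_smtp(host, connection_security, port=None, cafile=None, timeout=10):
    """Connect to the gateway; the encrypted modes verify chain and host name."""
    port = resolve_port(connection_security, port)
    ctx = ssl.create_default_context(cafile=cafile)  # None: platform trust store
    if connection_security == "SSL/TLS":
        return smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
    client = smtplib.SMTP(host, port, timeout=timeout)
    client.ehlo()
    if connection_security == "STARTTLS":
        if not client.has_extn("starttls"):
            client.quit()  # never fall back to clear text silently
            raise RuntimeError("gateway does not offer STARTTLS")
        client.starttls(context=ctx)
        client.ehlo()  # re-identify on the now encrypted channel
    return client


def classify_reply(code, text):
    """Explain an SMTP reply the way a reader of the Services log needs it."""
    if code == 550 and text.startswith("5.7.1"):
        return "sender rejected: the gateway does not allow the configured 'From address'"
    if code == 535:
        return "authentication failed: check 'User' and 'Password'"
    if 500 <= code < 600:
        return f"permanent failure {code}: {text}"
    return f"temporary failure {code}: {text}"


def send_test_notification(settings, recipient):
    """Send one test mail and return a short result string for the log."""
    msg = EmailMessage()
    msg["From"], msg["To"] = settings["from_address"], recipient
    msg["Subject"] = "B*Nator test notification"
    msg.set_content("Test notification from the outgoing mail server configuration.")
    try:
        client = open_smtp(settings["host"], settings["connection_security"],
                           settings.get("port"), settings.get("cafile"))
    except ssl.SSLCertVerificationError as exc:  # subclass of OSError, so check first
        return f"certificate validation failed: {exc}"
    except OSError as exc:
        return f"network connection problem: {exc}"
    try:
        if settings.get("user"):
            client.login(settings["user"], settings["password"])
        client.send_message(msg)
        return "sent"
    except smtplib.SMTPResponseException as exc:
        return classify_reply(exc.smtp_code, exc.smtp_error.decode(errors="replace"))
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass  # the gateway may already have closed the session
```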
10.6 B*Nator Local Users and Groups
B*Nator has an internal directory for managing local users and groups that can be used as logins to the
B*Nator web application. It is recommended to use a company directory, as described in section 10.3, but a
local account with ’Administrator’ access to the B*Nator web application is useful, if the company directory
login does not work for any reason.
The local account management is available using the menu:
ADMINISTRATION\B*Nator\Account Management
It has the following sub menus:
• Users: Local user directory for creating and managing the user accounts
• Groups: Local group directory for managing the user/group memberships
10.6.1 Users
The ’Users’ page shows a list of all existing users and a box to add new users.
name     email
admin                            Edit  Delete
jdoe     john.doe@company.com    Test  Edit  Delete
• Name: User name.
• Email: Email address of the User.
• Test : Only available if an email address was entered for the user. Initiates a test email sent to the
email address.
• Edit : Leads to the editor for this user.
• Delete : Removes the login from B*Nator.
Adding Users
Adding new users can be done using the ’add user’ box. The following information is required:
• Name: User name.
• Email: Email address of the user.
• Password: Password for user.
• Repeat password: Repeat password field.
The add user button adds the new user to the B*Nator directory.
Editing Users
Using the Edit button the user account details can be modified. Additionally there is a login disabled
checkbox to temporarily deactivate the account.
10.6.2 Groups
In this section ’B*Nator users’ can be assigned to groups. The ’Groups’ page shows a list of all existing
groups.
name
Local Users       Edit  Delete
External Users    Edit  Delete
Local Admins      Edit  Delete
• Name: The name of the group.
• Edit : Leads to the editor for this group.
• Delete : Removes the group from B*Nator.
Adding Groups
Adding new groups is available from the ’add group’ box by entering a ’name’ for the group into the text field
and clicking the add group button.
Editing Groups
Using the ’Edit’ link provides the option to move users into a group as well as to remove users from a group,
by selecting from the pool of ’available users’ or ’selected users’ and using either the ’to right’ button to move
an ’available user’ into the group, or the ’to left’ button to remove a ’selected user’ from the group.
Also the group’s name can be changed by modifying the text field and using the ’change’ button.
10.7 Installing B*Nator Agents
The installation of ’B*Nator Agents’ is described in detail in the Installation Guide document.