Copyright © 2003 - 2010 Liquid Machines, Inc. All rights reserved. Confidential and proprietary
information of Liquid Machines, Inc.
The material in this document may not in whole or in part be copied, photocopied, reproduced,
translated, or converted to any electronic or machine-readable form without the prior written
consent of Liquid Machines. The information in this document is for informational use only, is
subject to change without notice, and should not be construed as a commitment by Liquid
Machines. Liquid Machines assumes no responsibility or liability for any errors or inaccuracies that
may appear in this document.
This document and the software described in this document are furnished under a license
accompanying the software and may be used only in accordance with the terms of such license.
By using this document, you agree to the terms and conditions of that license.
>> For other copyright and trademark information, see the Liquid Machines Copyright, included in
this document package.
Copyright/Disclaimer  ii
Preface  vii
    Book Conventions  vii
    Intended Audience  vii
    Related Documents  viii
    Using this Manual  viii
Chapter 1: Introducing the Liquid Machines Gateway for BlackBerry  A-1
    About Liquid Machines  A-2
    About the Liquid Machines Gateway for BlackBerry  A-2
        Deployment Options  A-2
        Theory of Operation  A-3
    Client Capabilities  A-3
        Client-level Encryption  A-3
        Protected Email Messages  A-3
        Copy and Paste  A-3
        Attachment Security Options  A-4
        Secure Attachment Rendering  A-4
        Secure Attachment Viewing  A-4
        Saving Protected Attachments  A-4
        Forwarding Protected Messages via Email, PIN and SMS  A-4
        Expiration  A-5
        International Character Set Support  A-5
    About Security Services  A-6
        Protection Systems  A-6
        Microsoft Windows Rights Management Services (RMS)  A-8
        Liquid Machines Document Control  A-10
    More About Unprotecting at the Gateway  A-11
        Microsoft Windows Rights Management Services (RMS)  A-11
        Liquid Machines Document Control  A-12
    Installation Architecture  A-14
        Rights Management Services (RMS)  A-14
        BlackBerry Enterprise Server for Exchange  A-14
Welcome to the Liquid Machines Gateway for BlackBerry Administrator’s Guide. The Liquid
Machines Gateway for BlackBerry extends access to content protected with Microsoft Rights
Management Services (RMS) beyond the desktop. BlackBerry smartphone users can now send
and receive protected messages and attachments using the same policies available in Microsoft
Outlook.
This document introduces the Liquid Machines Gateway for BlackBerry and describes how to
install and administer the Gateway Server and the Client. The Gateway for BlackBerry Server and
Client components operate together to provide the capabilities described in this document. The
document also provides the Gateway Configuration File Syntax.
Book Conventions
CAUTION: Warns the user of actions that may result in operational issues or data
loss.
NOTE: Identifies important points, helpful hints, special circumstances, or
alternative methods.
Intended Audience
This guide is intended for administrators who are responsible for installing and administering the
Liquid Machines Gateway for BlackBerry and the Client for BlackBerry.
Deployment Options
The Liquid Machines Gateway for BlackBerry can be used in a variety of configurations. Based on
your environment and security preferences, you can take advantage of different features.
When deployed together with Microsoft Rights Management Services (RMS), the Liquid Machines
Gateway for BlackBerry can allow users to work with both protected email messages and
documents. When deployed with Liquid Machines Document Control, using the Liquid Machines
Security Service, the gateway processes protected attachments only.
Additional deployment options may be made, depending on your organization’s preferences
around security, performance, viewing options and client software management:
Client Capabilities
Client-level Encryption
Messages, and optionally attachments, that are decrypted at the gateway are re-encrypted prior to
delivery to the smartphone. Encryption of content on the smartphone blocks the leakage of
sensitive data via saving to USB or other memory device, or sending via PIN or SMS.
The Gateway for BlackBerry packages the rights and content of a protected message
together in a custom format and stores them that way on the smartphone. The smartphone
must have the Liquid Machines Client for BlackBerry installed for the recipient to be able to
read the message and attachment(s). The package is encrypted using AES-128 (symmetric
key encryption), which means that the client can open the package and verify the rights of
the user without communicating with a key distribution service. Although the message is
encrypted, users can read it offline, even if they have not read it before. Attachments are
also encrypted, but the user must have requested that the attachment be downloaded and
decrypted to be subsequently available offline.
Note that the Liquid Machines Client for BlackBerry interprets the rights to a message upon
delivery, so they will not be updated dynamically on the device if the policy is changed.
NOTE: It is possible to deploy the Liquid Machines Gateway for BlackBerry in such
a way that both messages and attachments are delivered and stored
completely decrypted on the device. In this case, messages and
attachments protected in Outlook can be read on the BlackBerry device
without the Liquid Machines client, but there is no security enforcement on
the device and none of the client security features described are available.
Protection Systems
When enabled, the Gateway for BlackBerry decrypts content that was protected using any or all of
the following systems:
Microsoft Rights Management Services (RMS)
RMS policies may be applied to both messages and attachments, either on the desktop
or by the Liquid Machines Client for BlackBerry
RMS policy encryption and decryption is based on RMS Super User capability, granted
by a Windows RMS server V1 SP2 or AD RMS in Windows Server 2008.
Liquid Machines Document Control can protect attachments using RMS security
services. (See Liquid Machines Document Control documentation for more details.)
Liquid Machines Document Control Security Service
Liquid Machines Document Control Security Service-based policies apply only to
message attachments and are typically applied at the desktop.
Encryption and decryption is based on Liquid Machines policy permissions, granted on
a Liquid Machines Document Control server, version 6 or 7.
Liquid Machines Document Control Server: Providing Policies, Keys, and Security
Liquid Machines Document Control provides enhanced enforcement options based on policies
downloaded from a Liquid Machines Document Control server. The physical security (encryption)
can be provided either by RMS or by a Liquid Machines Key Service (LMKS), which is part of the
Liquid Machines Document Control server. The combination of a Liquid Machines Document
Control server, various physical security services, and various clients is referred to as Universal
Enforcement Services (UES).
To be able to obtain policy information and cryptographic keys, the Gateway for BlackBerry must
communicate with one or more Liquid Machines Document Control servers, version 6.4 or later.
The Gateway caches policies and keys locally, which maximizes performance and allows offline
operation. It contacts the servers on startup and polls them for policy changes periodically, based
on a frequency specified by the Liquid Machines Document Control server. The cache can also be
updated dynamically if the Gateway encounters a document protected by a new policy that is not
yet in the cache. The cache is stored in an encrypted form that is only accessible to the Gateway.
When policies and keys are available in the cache, the Gateway can unprotect documents that use
LMKS Security without communicating with any server. Liquid Machines Document Control
documents that use RMS Security still require communications in order to obtain a document-
specific license.
Attachment Handling
The Liquid Machines Gateway for BlackBerry supports the BlackBerry Attachment Service.
Authorized message recipients can read attachments that have been protected with RMS or Liquid
Machines policies on their BlackBerry smartphones.
When an Outlook user protects an email message and attaches an unprotected Office document,
the message policy automatically protects the document as well. In this case, the gateway will
unprotect both the message and attachment and encrypt both the message and attachment before
delivering them to the BlackBerry smartphone.
There are other scenarios where the attachment is not automatically protected when a message is
protected. Non-Office files, like PDF for example, are not supported by Outlook’s implementation
of IRM and so are not automatically protected with an RMS policy. In this case, the gateway
removes the RMS protection from the message and applies encryption to the message, but does
not apply encryption directly to the document itself. Since the message is encrypted and these
attachments are stored inside the encrypted message envelope, they cannot be accessed without
accessing the protected message. Once these attachments are extracted from the envelope
however, they are no longer protected.
Expired Messages
If the user attempts to reply to or forward an expired message, the action is blocked, and the
sending user receives a notification indicating that the message was not delivered.
This chapter describes the installation requirements for the Gateway Server and how to install,
upgrade, or uninstall the Gateway Server.
Topics included in this chapter are:
System Requirements
Important Information About Upgrading From Previous Versions
Preinstallation Requirements
Installing the Liquid Machines Gateway for BlackBerry
Upgrading from a Previous Version of the Liquid Machines Gateway for BlackBerry
Software
Windows Server 2003 SP1 or SP2 or Windows Server 2008 (including R2).
The server must be installed in an Active Directory 2000, 2003, or 2008 domain. For an
RMS installation, a Microsoft Rights Management Services server 1.0 SP2 or AD RMS
server must have been installed and provisioned for the production environment in this
domain.
BlackBerry Enterprise Server for Exchange 4.0, 4.1 or 5.0. We strongly recommend that
you install the latest service packs for 4.0 or SP6 for 4.1 (version 4.1.6).
If Microsoft Windows Rights Management (RMS) is enabled:
Microsoft Rights Management Client 1.0 SP2 or AD RMS.
lmbesupdatecl --profile=BlackBerryServer
--connection-string="DRIVER={SQL Server};SERVER=localhost;
DATABASE=lmbes;Trusted_Connection=yes"
Replace localhost with the hostname or IP address of your SQL Server. Replace lmbes
with the name of the database you created. For more information on constructing the
connection-string, see Configuring the ODBC Connection String for the Gateway Database
on page A-4.
The utility does not remove any license information from the BlackBerry Administrator's Inbox. You
can manually delete this information after you are sure the Gateway is properly configured and
operational.
Diagnostic Logging
The Gateway is capable of generating diagnostic log file data suitable for analysis by Liquid
Machines Software Engineers. Liquid Machines Product Support may require you to enable this
logging as a part of a troubleshooting procedure. You can read more about how this is done, where
the log files are located, and so on, in Appendix C: Adding RMS Servers to the Local Intranet Sites
on page C-1.
To create a report:
Open a command window and cd to the installation directory.
Type the following command and press Enter:
LmGetActiveUsers --generate -p all -r <path to the report file that should be created>
If you have configured the Gateway database with settings other than the default, use the “-c”
parameter to specify the connection string.
Example: To create a report in a file called report_all.txt:
LmGetActiveUsers --generate -p all -r report_all.txt
Options for the LmGetActiveUsers command:
Program Modes (mutually exclusive; defaults to --generate)
Command Option   Description
--generate       Generates an active users report.
--validate       Validates that a generated report has not been altered.
The Liquid Machines Client for BlackBerry provides a means to decrypt and display protected
messages and attachments. It allows users to apply RMS policy templates to outgoing messages
sent from the BlackBerry. It also allows for automatic expunging of expired messages from the
BlackBerry.
This chapter explains how to install the Liquid Machines Client for BlackBerry using the
BlackBerry® Desktop Manager.
Topics included in this chapter are:
System Requirements
Preinstallation Requirements
Installing and Uninstalling the Client
For information on how to install the Client for BlackBerry over the air, refer to Knowledge Base
Article KE-1437 on our Customer Care web site.
Software
Operating System
One of the following:
Windows 2000 Service Pack 4
Windows XP Service Pack 1, 2, or 3
Windows Vista Service Pack 1
Windows 7
Preinstallation Requirements
The Liquid Machines Client for BlackBerry is an application developed using the BlackBerry®
Java® Development Environment. The application uses portions of the BlackBerry API that require
the BlackBerry® Browser to be enabled in order to function properly.
Figure 4-2: Open the Client for BlackBerry Folder and Select the LQMIBB40.alx
Then complete the application loading process according to the procedures in your
BlackBerry software manual.
To further test the installation, refer to the Liquid Machines Client for BlackBerry User’s Guide and
to relevant information in this guide.
This chapter describes administration tasks you can perform with the Liquid Machines Client for
BlackBerry.
Topics included in this chapter are:
Configuring the Apply Policies Menu on BlackBerry Smartphones
Delivering Policies to the Smartphone
Setting Client Application Permissions
Accessing Client Diagnostic Functions
Message Format
The message must be sent in plain text format. It must not be a protected email, or HTML or Rich
Text.
Configuration Syntax
Subject
The subject of the message must be exactly like this:
<Handheld_Policy_Settings>
Body
The body of the message carries the template definitions, one <Template> element per policy:
<Policy_Message>
<Template>
<Name>Executive Confidential</Name>
<Expires_On>Never</Expires_On>
</Template>
</Policy_Message>
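An added Python check for an incoming policy message (example code, not the product's own): it enforces the exact subject, rejects non-plain-text content, parses the body as a <Policy_Message> element and returns the template names that would populate the Apply Policies menu. The second sample template and the YYYY-MM-DD expiry form are assumptions; the page shows only "Never".

```python
import re
import xml.etree.ElementTree as ET

REQUIRED_SUBJECT = "<Handheld_Policy_Settings>"

def parse_policy_message(subject, content_type, body):
    """Validate a policy message and return its templates as a list of
    {"name", "expires_on"} dicts; raises ValueError on the first problem found."""
    if subject != REQUIRED_SUBJECT:
        raise ValueError("subject must be exactly %s" % REQUIRED_SUBJECT)
    # The page requires plain text: HTML and Rich Text bodies are rejected.
    if content_type.split(";")[0].strip().lower() != "text/plain":
        raise ValueError("message must be plain text, not HTML or Rich Text")
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError as exc:
        raise ValueError("body is not well-formed XML: %s" % exc)
    if root.tag != "Policy_Message":
        raise ValueError("body root element must be <Policy_Message>")
    templates = []
    for template in root.findall("Template"):
        name = (template.findtext("Name") or "").strip()
        expires = (template.findtext("Expires_On") or "").strip()
        if not name:
            raise ValueError("<Template> without a <Name>")
        # "Never" is the value shown on the page; accepting YYYY-MM-DD is an assumption.
        if expires != "Never" and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", expires):
            raise ValueError("bad <Expires_On> for %s: %r" % (name, expires))
        templates.append({"name": name, "expires_on": expires})
    if not templates:
        raise ValueError("<Policy_Message> carries no <Template>")
    return templates

def is_valid_policy_message(subject, content_type, body):
    """True when the message would be accepted, False otherwise."""
    try:
        parse_policy_message(subject, content_type, body)
        return True
    except ValueError:
        return False

# Constructed sample body: the first template is the one shown on the page,
# the second (name and date) is invented for illustration.
SAMPLE_BODY = """<Policy_Message>
<Template>
<Name>Executive Confidential</Name>
<Expires_On>Never</Expires_On>
</Template>
<Template>
<Name>Board Materials</Name>
<Expires_On>2010-12-31</Expires_On>
</Template>
</Policy_Message>"""

def apply_policies_menu(subject=REQUIRED_SUBJECT, content_type="text/plain", body=SAMPLE_BODY):
    """Template names that would appear in the client's Apply Policies menu."""
    return [t["name"] for t in parse_policy_message(subject, content_type, body)]
```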
Long form names (those that begin with --) can be abbreviated, as long as the abbreviation is
unambiguous.
IT Policy Push
Another method to send templates to a smartphone is by IT Policy Push. You can automatically
distribute, or push, RMS templates that have been created to a user or a group of users. With the
plain text email message, if a user’s BlackBerry is hard-reset, the email has to be sent again. When
the RMS policies are pushed via an IT Policy, the RMS policies defined in the IT Policy Template
are automatically pushed to the BlackBerry device. By default, IT Policies are pushed immediately
after applying an IT Policy and automatically every 4 hours thereafter.
Figure 5-1: Select the Units of Time and the Number of Units
Figure 5-2: To Enable Logging, Press l (for Logging) and Then e (for Enable)
Figure 5-3: To Disable Logging, Press l (for Logging) and Then d (for Disable)
Sections
These are the main sections in the Configuration file:
logging: Parameters that control how and where the Gateway logs diagnostic information.
gateway-service: Parameters that control the behavior of the Gateway Service. Do not
change these settings without consulting Support.
services: The name of the LDAP server to use.
protection-config: Parameters that control how the Gateway Service protects and
unprotects content.
reporting: Parameters that control the behaviors of application event logging.
monitoring: Parameters that control monitoring statistics.
adapters: Parameters that control behaviors of adapters that integrate Gateway
functionality into third-party applications.
logging settings
root-dir: The location where the Adapter stores log files when verbose diagnostic
logging has been turned on. The default value is:
${system:dirs:common-app-data}\Liquid Machines\Gateway for BlackBerry\logs
logfile-severity: Used to enable more verbose diagnostic logging. Do not change
this value except as directed by Liquid Machines Product Support.
max-backup-logfile-count (2): The maximum number of old log files to keep around
before deleting the oldest. The minimum value is 0; the maximum value is 100 (inclusive). If
-1 is specified, old log files are not deleted.
max-logfile-size (10 MB): The maximum size any log file is allowed to reach before
being rolled over to backup files. The minimum value is 100 KB; the maximum value is 1 TB
(inclusive).
max-logfile-lifetime (1 day): The maximum amount of time any log file is allowed to
be used before being rolled over to backup files. The current remaining time is calculated
from the previous midnight. The minimum value is 1 hr; the maximum value is infinite
(inclusive). See Specifying Units of Time on page A-3.
gateway-service-settings
data-dir (${system:dirs:common-app-data}\Liquid Machines\Gateway
for BlackBerry): Controls where the Gateway saves its private data.
protection-config settings
unprotectable-server-suffixes subsettings
This section contains a list of domain suffixes to match against the name of the server that protects
a document or message to be unprotected. If a suffix matches, a failure to unprotect will be treated
as an error. If no suffix matches, a failure to unprotect will not be treated as an error. Matches are
not case-sensitive. An empty suffix or empty list will match anything; i.e., all domains will be treated
as local. For more information on how this variable affects the Gateway, see Foreign Protection
Checking with RMS on page A-11.
unprotectable-server-suffix: Explicitly adds a domain suffix that the Gateway
should treat as local. The default list item, ${system:host:primary-domain-name},
includes the DNS domain of the Gateway machine.
unprotect-attachments (true): Enables or disables unprotecting attachments on
messages going through Unprotect or Unprotect-for-Reprotect Gateways and Cleartext-
BCCs.
ms-rms subsettings
enabled (false): Enables or disables all RMS functionality.
template-location (\\rms\Templates): If you will populate the Apply Policies
menu on the Client for BlackBerry (see Configuring the Apply Policies Menu on BlackBerry
Smartphones on page A-2), or if users will apply templates manually, then you must have
configured RMS templates that correspond and made them available to the Gateway. Place
the files on the BlackBerry Enterprise Server file system or a network share, and then set
this setting to the path where they are located. It must be a fully qualified local or UNC path.
You can use the same share location you have configured for other RMS-enabled
applications. For example:
<template-location>\\fileserver.acme.lan\shares\RMStemplates</template-location>
<template-location>c:\UserFiles\RMStemplates</template-location>
template-refresh-frequency (1 hr): Controls how often the Gateway updates its
template cache for new, modified, or deleted templates. The minimum value is 1 min, and
the maximum value is infinite. When set to infinite, the Gateway must be restarted
to force a cache update. See Specifying Units of Time on page A-3.
licensing-servers-ad-forests: Allows specification of the Active Directory global
catalog servers to use when checking group membership while evaluating RMS rights. If
your RMS deployment includes only a single licensing server in a single Active Directory
forest, you can leave this entry blank. In a more complex multi-forest environment, each
entry should start with the host name of an RMS licensing server, followed by an equal sign
(=), followed by the name of the Active Directory forest name. For example:
rms.mydomain.com=myforestname.com
lm-ues subsettings
enabled (false): Enables or disables all Universal Enforcement Services functionality,
which allows processing of content protected by Liquid Machines Document Control.
policy-servers: Policy servers that should be contacted to obtain policy information.
Servers can be identified by host name or by URL, for example,
<policy-server>server.mydomain.com</policy-server>.
forward-proxy-specification: Configures proxy information to be used when
communicating with Liquid Machines Document Control policy servers
proxy-type (DIRECT): Configures the proxy type of proxy to use, whether it be
an auto-config proxy (AUTO-DETECT), a specified proxy server (TUNNEL), or no
proxy (DIRECT)
proxy-server: Configures the proxy server to use when the proxy type is
TUNNEL
try-direct-first (false): Controls whether a direct connection should be tried
before any attempts at using the proxy server
allow-server-discovery (true): Enables the ability to contact new Liquid Machines
Document Control servers based on document contents.
discovered-server-lifetime (60 min): Configures the time for which discovered
servers will be kept active (and polled) before they must be discovered again. See
Specifying Units of Time on page A-3.
discovered-server-cleanup-period (5 min): Configures how often discovered
servers will be examined to see if they should be deactivated. See Specifying Units of Time
on page A-3.
reporting settings
event-log severity (All): The minimum severity of events that are sent to an
Application Event log. Values are fatal, error, warning, info, and all.
log-frequency-error (1 minute): The maximum frequency at which the same type of
error message can be reported in the Event log before multiple occurrences are batched in
a single entry, and how frequently such batches are reported. See Specifying Units of Time
on page A-3.
log-frequency-warning (1 minute): The maximum frequency at which the same type of
warning message can be reported in the Event log before multiple occurrences are batched
in a single entry, and how frequently such batches are reported. See Specifying Units of
Time on page A-3.
log-frequency-info (1 minute): The maximum frequency at which the same type of
info message can be reported in the Event log before multiple occurrences are batched in a
monitoring settings
enabled (true): Enables or disables monitoring statistics.
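As an added example (not the product's own code or schema), the following Python checks a gateway configuration against the ranges and value sets documented above for the logging, ms-rms and lm-ues settings, and applies the unprotectable-server-suffixes matching rule from the protection-config section. The XML element nesting, the unit tables and the sample values are assumptions; the page refers to Specifying Units of Time but does not reproduce the unit list.

```python
import xml.etree.ElementTree as ET

# Unit tables are an assumption; the page shows "1 hr", "5 min", "1 day", "10 MB", "1 TB", "infinite".
TIME_UNITS = {"sec": 1, "min": 60, "hr": 3600, "day": 86400}
SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
INFINITE = float("inf")

def parse_quantity(text, table):
    """'5 min' -> 300.0, 'infinite' -> inf; raises ValueError on bad syntax."""
    text = text.strip()
    if text.lower() == "infinite":
        return INFINITE
    number, unit = text.split()
    if unit not in table:
        raise ValueError("unknown unit %r in %r" % (unit, text))
    return float(number) * table[unit]

def is_local_server(server_name, suffixes):
    """unprotectable-server-suffixes rule: case-insensitive suffix match; an empty
    suffix or an empty list treats every protecting server as local."""
    if not suffixes:
        return True
    name = server_name.lower()
    # A bare "acme.lan" also matches "notacme.lan"; use ".acme.lan" to match subdomains only.
    return any(s == "" or name.endswith(s.lower()) for s in suffixes)

def validate_gateway_config(xml_text):
    """Check the documented ranges and return a list of problems (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    def setting(path, default=""):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else default
    # logging settings
    count = int(setting("logging/max-backup-logfile-count", "2"))
    if count != -1 and not 0 <= count <= 100:
        problems.append("max-backup-logfile-count must be -1 or 0..100")
    size = parse_quantity(setting("logging/max-logfile-size", "10 MB"), SIZE_UNITS)
    if not 100 * 1024 <= size <= 1024 ** 4:
        problems.append("max-logfile-size must be between 100 KB and 1 TB")
    # ms-rms subsettings, checked only when RMS functionality is enabled
    rms = "protection-config/ms-rms/"
    if setting(rms + "enabled", "false").lower() == "true":
        refresh = parse_quantity(setting(rms + "template-refresh-frequency", "1 hr"), TIME_UNITS)
        if refresh < 60:
            problems.append("template-refresh-frequency must be at least 1 min or infinite")
        for entry in root.findall(rms + "licensing-servers-ad-forests/*"):
            parts = (entry.text or "").split("=")
            if len(parts) != 2 or not all(p.strip() for p in parts):
                problems.append("licensing-servers-ad-forests entry must be host=forest")
    # lm-ues forward-proxy-specification
    proxy = "protection-config/lm-ues/forward-proxy-specification/"
    proxy_type = setting(proxy + "proxy-type", "DIRECT")
    if proxy_type not in ("DIRECT", "AUTO-DETECT", "TUNNEL"):
        problems.append("proxy-type must be DIRECT, AUTO-DETECT or TUNNEL")
    elif proxy_type == "TUNNEL" and not setting(proxy + "proxy-server"):
        problems.append("proxy-server is required when proxy-type is TUNNEL")
    return problems

# Constructed sample; the element nesting mirrors the section names on the page and is
# an assumption, not the product's published schema. It contains three mistakes.
SAMPLE_CONFIG = """<gateway-config>
  <logging>
    <max-backup-logfile-count>150</max-backup-logfile-count>
    <max-logfile-size>10 MB</max-logfile-size>
  </logging>
  <protection-config>
    <ms-rms>
      <enabled>true</enabled>
      <template-refresh-frequency>30 sec</template-refresh-frequency>
      <licensing-servers-ad-forests>
        <entry>rms.mydomain.com=myforestname.com</entry>
      </licensing-servers-ad-forests>
    </ms-rms>
    <lm-ues>
      <forward-proxy-specification>
        <proxy-type>TUNNEL</proxy-type>
      </forward-proxy-specification>
    </lm-ues>
  </protection-config>
</gateway-config>"""
```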
Warnings
Message delivered but not processed: This is logged under the following conditions:
Policy indicates the message should be blocked. For example, an Outlook user sends a
message to a smartphone user who does not have View rights. The smartphone user
receives a message indicating they did not have rights to read the original content, and the
Gateway logs this message to the Event log.
Protection policy information not available. The information necessary to protect replies to
and forwards of this message, which is being sent from the smartphone, is not available.
The smartphone user receives an NDR indicating the problem, and the Gateway logs this
message to the Event log.
Cannot identify message. The information necessary to protect replies to and forwards of
this message, which is being sent from the smartphone, is not available. The smartphone
user receives an NDR indicating the problem, and the Gateway logs this message to the
Event log.
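The batching that the log-frequency-error, log-frequency-warning and log-frequency-info reporting settings describe, run over the warning conditions listed above, as an added Python model that is not part of the original guide. The timestamps, the warning details and the wording of the batch entry are constructed.

```python
from collections import defaultdict

class EventLogBatcher:
    """Models a log-frequency-<severity> setting: the first event of a type is
    written at once, repeats inside the window are only counted, and the count
    is written as one batch entry once the window has elapsed."""

    def __init__(self, log_frequency_seconds=60):
        self.window = log_frequency_seconds
        self.last_written = {}           # event type -> time of last entry written
        self.severity = {}               # event type -> severity of that type
        self.pending = defaultdict(int)  # event type -> repeats not yet written
        self.entries = []                # (time, severity, text) sent to the Event log

    def report(self, now, severity, event_type, detail):
        """Called once per occurrence; 'now' is a caller-supplied time in seconds."""
        self.flush(now)
        last = self.last_written.get(event_type)
        if last is None or now - last >= self.window:
            self.entries.append((now, severity, "%s: %s" % (event_type, detail)))
            self.last_written[event_type] = now
            self.severity[event_type] = severity
        else:
            self.pending[event_type] += 1

    def flush(self, now):
        """Write a batch entry for every type whose window has elapsed."""
        for event_type in list(self.pending):
            if now - self.last_written[event_type] >= self.window:
                n = self.pending.pop(event_type)
                self.entries.append((now, self.severity[event_type],
                                     "%s: %d further occurrence(s) batched" % (event_type, n)))
                self.last_written[event_type] = now

# Constructed sequence of gateway warnings (seconds, severity, type, detail),
# modelled on the "Message delivered but not processed" conditions on the page.
SAMPLE_WARNINGS = [
    (0,  "warning", "Message delivered but not processed", "recipient has no View rights"),
    (10, "warning", "Message delivered but not processed", "recipient has no View rights"),
    (20, "warning", "Message delivered but not processed", "recipient has no View rights"),
    (30, "warning", "Message delivered but not processed", "recipient has no View rights"),
    (45, "warning", "Protection policy information not available", "NDR sent to smartphone user"),
    (70, "warning", "Message delivered but not processed", "recipient has no View rights"),
]

def run_sample(warnings=SAMPLE_WARNINGS, end_time=200):
    """Feed the sample through a 1-minute batcher and return the Event log entries."""
    batcher = EventLogBatcher(log_frequency_seconds=60)
    for now, severity, event_type, detail in warnings:
        batcher.report(now, severity, event_type, detail)
    batcher.flush(end_time)   # a timer tick or service stop writes the last batch
    return batcher.entries
```

With the sample, four warnings of one type inside the first minute produce one entry plus one batch of three, so a burst of rejected deliveries cannot flood the Application Event log.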
This appendix describes how to add RMS Servers to the local intranet sites.
To add RMS Servers to the local intranet sites:
1. Log on to the Gateway for BlackBerry computer as the BESAdmin account.
2. In Internet Explorer, on the Tools menu, click Internet Options.
3. In the Internet Options dialog box, click the Security tab (see Figure C-1).