Installation guide
BlackBerry Enterprise Solution 26
Decrypting and reading messages on the BlackBerry device using Lotus Notes API 7.0
The BlackBerry® Enterprise Server Version 4.1 or later for IBM® Lotus® Domino® with Lotus Notes® API 7.0
automatically turns on support for reading IBM Lotus Notes encrypted messages and S/MIME-encrypted
messages on the BlackBerry device. Lotus Notes API 7.0 requires the BlackBerry device user’s Notes .id file and
password to decrypt the received secure messages. The BlackBerry device user must manually click Import Notes
ID and attach a copy of the Notes .id file that they used to log in. The IBM Lotus Domino messaging agent copies
the Notes .id file to the BlackBerry Enterprise Server in plain text format temporarily, at the request of the Lotus
Notes API.
If support for this feature is turned on for a BlackBerry device user, and the user forwards or replies to an
encrypted message that the BlackBerry device has received, decrypted, and decompressed, the BlackBerry
Enterprise Server for IBM Lotus Domino decrypts the message, and the BlackBerry device then sends the
forwarded or replied message to the recipient as plain text.
The BlackBerry Enterprise Server administrator can configure the default BlackBerry device behaviour in the
following ways:
• use the Disable Notes Native Encryption Forward And Reply IT policy rule to prevent BlackBerry device
users from forwarding and replying to IBM Lotus Notes encrypted messages on their BlackBerry devices
• use the Notes Native Encryption Password Timeout IT policy rule to specify the maximum length of time (in
minutes) that the BlackBerry device stores the IBM Lotus Notes .id password that the user types
Process for decrypting IBM Lotus Notes and S/MIME messages
If a BlackBerry device user turns on support for reading IBM Lotus Notes and S/MIME-encrypted messages on the
BlackBerry device, then when the BlackBerry device user receives an IBM Lotus Notes or S/MIME-encrypted
message, the BlackBerry Enterprise Server for IBM Lotus Domino decrypts the message using the following process:
1. A BlackBerry device user receives an IBM Lotus Notes or S/MIME-encrypted message.
2. The BlackBerry Enterprise Server for IBM Lotus Domino messaging agent decrypts the BlackBerry device
user’s cached Notes .id password and uses the decrypted password to decrypt the message.
If the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent does not have the Notes .id
password, the BlackBerry device user must select More, More All, or Open Attachment to pull the decrypted
message to the BlackBerry device.
3. The BlackBerry Enterprise Server deletes the decrypted Notes .id password from memory. The encrypted
Notes .id password remains cached.
4. The BlackBerry Enterprise Server pushes the decrypted message to the BlackBerry device, where the user
can read the message.
Notes .id password protection
After a BlackBerry device user imports the Notes .id file and password (stored in the Notes .id file), the password is
• encrypted in BlackBerry device memory using AES with the BlackBerry device user’s master encryption key
• encrypted in the BlackBerry Enterprise Server for IBM Lotus Domino messaging agent memory using AES
with the BlackBerry device user’s master encryption key
• decrypted before being used to call the required Lotus Notes API security functions
The BlackBerry Enterprise Server for IBM Lotus Domino messaging agent deletes the Notes .id files and plain
text passwords it stores when
• a message decryption failure occurs on the BlackBerry Enterprise Server
• the BlackBerry Enterprise Server restarts
• the password times out (the default expiration timeout is 24 hours)
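The decryption process (steps 2 and 3 above) and the password protection rules in this section together describe a cache in which only the AES-encrypted Notes .id password persists and the plain text exists only for the duration of a Lotus Notes API call. The following Go model, added here as an illustration and not BlackBerry's or IBM's own code, shows those rules as checkable behaviour: the type and method names are invented, AES-GCM is assumed because the guide names AES but no mode, and the key and password values are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)
// PasswordCache: one user's agent cache entry, holding only AES-GCM ciphertext of the Notes .id password.
type PasswordCache struct {
	aead     cipher.AEAD   // AES-GCM under the user's master key (the guide names AES, not a mode)
	nonce    []byte
	sealed   []byte        // nil once purged
	storedAt time.Time
	timeout  time.Duration // Notes Native Encryption Password Timeout IT policy value
}
// NewPasswordCache seals the password the user typed under the master key.
func NewPasswordCache(masterKey, password []byte, timeout time.Duration, now time.Time) (*PasswordCache, error) {
	block, err := aes.NewCipher(masterKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &PasswordCache{aead, nonce, aead.Seal(nil, nonce, password, nil), now, timeout}, nil
}
// Purge drops the ciphertext, as the agent does on restart, on decryption failure and on timeout.
func (c *PasswordCache) Purge() { c.sealed, c.nonce = nil, nil }
// WithPassword decrypts the cached password only while use (the Lotus Notes API call) runs,
// zeroes the plaintext afterwards, and purges the entry on timeout or failure.
func (c *PasswordCache) WithPassword(now time.Time, use func(pw []byte) error) error {
	if c.sealed == nil || now.Sub(c.storedAt) > c.timeout {
		c.Purge() // timed out or never cached: the user must pull the message manually
		return errors.New("no usable cached Notes .id password")
	}
	plain, err := c.aead.Open(nil, c.nonce, c.sealed, nil)
	if err != nil {
		c.Purge()
		return err
	}
	defer func() { for i := range plain { plain[i] = 0 } }() // plaintext never outlives the call
	if err := use(plain); err != nil {
		c.Purge() // message decryption failed: discard the cached credential
		return err
	}
	return nil
}
```

The timeout is injected as a duration and the clock as a parameter so that the 24-hour default and a shorter IT policy value can be exercised without waiting.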
www.blackberry.com