IBM Lotus Protector for Mail Encryption Server Administrator's Guide

Version Information
Lotus Protector for Mail Encryption Server Administrator's Guide. Lotus Protector for Mail Encryption Server Version 2.1.0. Released April 2010. This edition applies to version 2, release 1, modification 0 of IBM Lotus Protector for Mail Encryption (product number 5724-Z72) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright Information
Copyright 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation. Copyright IBM Corporation 1994, 2010. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners. IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml .

Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation. Subject to the terms of the license that accompanied the Program, Licensee may redistribute PGP Universal Satellite.

Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

Lotus Software
IBM Software Group
One Rogers Street
Cambridge, MA 02142
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Contents

Introduction  15
    What is Lotus Protector for Mail Encryption Server  15
    Who Should Read This Guide  16
    Symbols  16
    Getting Assistance  16

The Big Picture  17
    Important Terms  17
    Overview of Products  17
    Lotus Protector for Mail Encryption Server Concepts  19
    Lotus Protector for Mail Encryption Server Features  20
    Lotus Protector for Mail Encryption Server User Types  22
    Installation Overview  23

Open Ports  29
    TCP Ports  29
    UDP Ports  31

Naming your Lotus Protector for Mail Encryption Server  33
    Considering a Name for Your Lotus Protector for Mail Encryption Server  33
    Methods for Naming a Lotus Protector for Mail Encryption Server  34

Understanding the Administrative Interface  35
    System Requirements  35
    Logging In  35
    The System Overview Page  37
    Managing Alerts  38
    Administrative Interface Map  39
    Icons  40

Licensing Your Software  47
    Licensing a Lotus Protector for Mail Encryption Server  47

Operating in Learn Mode  49
    Purpose of Learn Mode  49
    Checking the Logs  50
    Managing Learn Mode  50

Managed Domains  53
    About Managed Domains  53
    Adding Managed Domains  54
    Deleting Managed Domains  54

Understanding Keys  55
    Key Modes  55
    Lotus Protector for Mail Encryption Server Supported Key Modes  57
    How Lotus Protector for Mail Encryption Server Uses Certificate Revocation Lists  58
    Key Reconstruction Blocks  58

Managing Organization Keys  61
    About Organization Keys  61
    Organization Key  61
        Inspecting the Organization Key  62
        Regenerating the Organization Key  63
        Importing an Organization Key  63
    Organization Certificate  64
        Inspecting the Organization Certificate  65
        Exporting the Organization Certificate  65
        Deleting the Organization Certificate  66
        Generating the Organization Certificate  66
        Importing the Organization Certificate  67
    Additional Decryption Key (ADK)  67
        Importing the ADK  68
        Inspecting the ADK  68
        Deleting the ADK  69
    Verified Directory Key  69
        Importing the Verified Directory Key  69
        Inspecting the Verified Directory Key  70
        Deleting the Verified Directory Key  70

Administering Managed Keys  71
    Managed Key Permissions  72
    Viewing Managed Keys  72
    Managed Key Information  73
        Email Addresses  76
        Subkeys  76
        Certificates  76
        Permissions  76
        Attributes  77
        Symmetric Key Series  78
        Symmetric Keys  80
        Custom Data Objects  81
    Exporting Consumer Keys  82
        Exporting the Managed Key of an Internal User  82
        Exporting the Managed Key of an External User  83
        Exporting Mail Encryption Verified Directory User Keys  84
        Exporting the Managed Key of a Managed Device  84
    Deleting Consumer Keys  85
        Deleting the Managed Key of an Internal User  85
        Deleting the Managed Key of an External User  85
        Deleting the Key of a Mail Encryption Verified Directory User  86
        Deleting the Managed Key of a Managed Device  86
    Approving Pending Keys  86
    Revoking Managed Keys  87

Managing Trusted Keys and Certificates  89
    Overview  89
    Trusted Keys  89
    Trusted Certificates  89
    Adding a Trusted Key or Certificate  90
    Inspecting and Changing Trusted Key Properties  91
    Deleting Trusted Keys and Certificates  91
    Searching for Trusted Keys and Certificates  92

Setting Mail Policy  93
    Overview  93
    How Policy Chains Work  94
        Mail Policy and Dictionaries  95
        Mail Policy and Key Searches  95
        Mail Policy and Cached Keys  96
    Understanding the Pre-Installed Policy Chains  96
    Mail Policy Outside the Mailflow  98
    Using the Rule Interface  98
        The Conditions Card  99
        The Actions Card  101
    Building Valid Chains and Rules  102
        Using Valid Processing Order  102
        Creating Valid Groups  103
        Creating a Valid Rule  104
    Managing Policy Chains  105
        Mail Policy Best Practices  105
        Restoring Mail Policy to Default Settings  106
        Editing Policy Chain Settings  106
        Adding Policy Chains  106
        Deleting Policy Chains  108
        Exporting Policy Chains  108
        Printing Policy Chains  109
    Managing Rules  109
        Adding Rules to Policy Chains  109
        Deleting Rules from Policy Chains  109
        Enabling and Disabling Rules  110
        Changing the Processing Order of the Rules  110
        Adding Key Searches  111
    Choosing Condition Statements, Conditions, and Actions  111
        Condition Statements  111
        Conditions  112
        Actions  119
    Working with Common Access Cards  133

Applying Key Not Found Settings to External Users  135
    Overview  135
    Bounce the Message  136
    Mail Encryption PDF Messenger  136
    Certified Delivery with Mail Encryption PDF Messenger  137
    Send Unencrypted  137
    Mail Encryption Smart Trailer  138
    Protector for Mail Encryption Web Messenger  139
    Changing Policy Settings  141
    Changing User Delivery Method Preference  141

Using Dictionaries with Policy  143
    Overview  143
    Default Dictionaries  144
    Editing Default Dictionaries  146
    User-Defined Dictionaries  147
    Adding a User-Defined Dictionary  147
    Editing a User-Defined Dictionary  148
    Deleting a Dictionary  148
    Exporting a Dictionary  149
    Searching the Dictionaries  149

Keyservers, SMTP Archive Servers, and Mail Policy  151
    Overview  151
    Keyservers  151
        Adding or Editing a Keyserver  152
        Deleting a Keyserver  154
    SMTP Servers  154
        Adding or Editing an Archive Server  154
        Deleting an Archive Server  155

Managing Keys in the Key Cache  157
    Overview  157
    Changing Cached Key Timeout  157
    Purging Keys from the Cache  158
    Trusting Cached Keys  158
    Viewing Cached Keys  158
    Searching the Key Cache  159

Configuring Mail Proxies  161
    Overview  161
    Lotus Protector for Mail Encryption Server and Mail Proxies  161
        Mail Proxies in a Gateway Placement  162
        Mail Proxies in an Internal Placement  164
    Mail Proxies Page  165
    Creating New or Editing Existing Proxies  165
        Creating or Editing a POP/IMAP Proxy  166
        Creating or Editing an Outbound SMTP Proxy  168
        Creating or Editing an Inbound SMTP Proxy  170
        Creating or Editing a Unified SMTP Proxy  172

Email in the Mail Queue  175
    Overview  175
    Deleting Messages from the Mail Queue  176

Specifying Mail Routes  177
    Overview  177
    Managing Mail Routes  178
        Adding a Mail Route  178
        Editing a Mail Route  179
        Deleting a Mail Route  179

Customizing System Message Templates  181
    Overview  181
    Templates and Message Size  182
    Mail Encryption PDF Messenger Templates  182
    Templates for New Protector for Mail Encryption Web Messenger Users  182
    Editing a Message Template  183

Managing Groups  185
    Understanding Groups  185
    Sorting Consumers into Groups  185
        Everyone Group  186
        Excluded Group  186
    Policy Group Order  187
        Setting Policy Group Order  187
    Creating a New Group  187
    Deleting a Group  188
    Viewing Group Members  188
    Manually Adding Group Members  189
    Manually Removing Members from a Group  189
    Group Permissions  190
        Adding Group Permissions  191
        Deleting Group Permissions  191
    Setting Group Membership  192
    Searching Groups  193
    Creating Group Client Installations  194
        How Group Policy is Assigned to PGP Desktop Installers  194
        Creating PGP Desktop Installers  195

Distributing the Lotus Protector for Mail Encryption Client  201
    Preparing the Lotus Protector for Mail Encryption Client for installation  201
    Editing the Notes.ini File  202
    Configuring the .MSI File  202
    Editing the PMEConf.dat File  203

Managing Devices  205
    Managed Devices  206
        Adding and Deleting Managed Devices  206
        Adding Managed Devices to Groups  207
        Managed Device Information  209
        Deleting Managed Devices from Lotus Protector for Mail Encryption Server  212
        Deleting Managed Devices from Groups  213
    WDE Devices (Computers and Disks)  214
        WDE Computers  214
        WDE Disks  216
    Searching for Devices  218

Administering Consumer Policy  221
    Understanding Consumer Policy  221
    Making Sure Users Create Strong Passphrases  222
        Understanding Entropy  222
    Using the Windows Preinstallation Environment  223
    X.509 Certificate Management in Lotus Notes Environments  223
        Trusting Certificates Created by Lotus Protector for Mail Encryption Server  224
        Setting the Lotus Notes Key Settings in Lotus Protector for Mail Encryption Server  226
    Technical Deployment Information  227
        Offline Policy  228
        Using a Policy ADK  229
        Out of Mail Stream Support  229
    Enrolling Users through Silent Enrollment  231
        Silent Enrollment with Windows  231
        Silent Enrollment with Mac OS X  232
    PGP Whole Disk Encryption Administration  232
        PGP Whole Disk Encryption on Mac OS X with FileVault  232
        How Does Single Sign-On Work?  233
        Enabling Single Sign-On  234
        Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group  235
        Managing Clients Locally Using the PGP WDE Administrator Key  236
    Managing Consumer Policies  237
        Adding a Consumer Policy  237
        Editing a Consumer Policy  238
        Deleting a Consumer Policy  239

Setting Policy for Clients  241
    Client and Lotus Protector for Mail Encryption Server Version Compatibility  241
    Establishing PGP Desktop Settings for Your PGP Desktop Clients  242
    PGP Desktop Feature License Settings  243
    Controlling PGP Desktop Components  244
    PGP Portable  245
    PGP Mobile  245
    PGP NetShare  246
        How the PGP NetShare Policy Settings Work Together  246
        Multi-user environments and managing PGP NetShare  247
        Backing Up PGP NetShare-Protected Files  247

Using Directory Synchronization to Manage Consumers  249
    How Lotus Protector for Mail Encryption Server Uses Directory Synchronization  249
        Base DN and Bind DN  251
        Consumer Matching Rules  252
    Understanding User Enrollment Methods  252
        Before Creating a Client Installer  253
        Directory Enrollment  254
        Email Enrollment  256
    Enabling Directory Synchronization  258
    Adding or Editing an LDAP Directory  258
        The LDAP Servers Tab  260
        The Base Distinguished Name Tab  260
        The Consumer Matching Rules Tab  261
        Testing the LDAP Connection  261
        Using Sample Records to Configure LDAP Settings  261
    Deleting an LDAP Directory  262
    Setting LDAP Directory Order  262
    Directory Synchronization Settings  262

Managing User Accounts  265
    Understanding User Account Types  265
    Viewing User Accounts  265
    User Management Tasks  265
        Setting User Authentication  266
        Editing User Attributes  266
        Adding Users to Groups  266
        Editing User Permissions  267
        Deleting Users  267
        Searching for Users  268
        Viewing User Log Entries  268
        Changing Display Names and Usernames  268
        Exporting a User's X.509 Certificate  269
        Revoking a User's X.509 Certificate  269
        Managing User Keys  270
    Managing Internal User Accounts  271
        Importing Internal User Keys  271
        Manually Creating New Internal User Accounts  272
        Exporting PGP Whole Disk Encryption Login Failure Data  272
        Internal User Settings  273
    Managing External User Accounts  277
        Importing External Users  278
        Exporting Delivery Receipts  279
        External User Settings  279
    Managing Verified Directory User Accounts  281
        Importing Verified Directory Users  282
        Mail Encryption Verified Directory User Settings  282

Recovering Encrypted Data in an Enterprise Environment  285
    Using Key Reconstruction  285
    Recovering Encryption Key Material without Key Reconstruction  286
        Encryption Key Recovery of CKM Keys  286
        Encryption Key Recovery of GKM Keys  287
        Encryption Key Recovery of SCKM Keys  287
        Encryption Key Recovery of SKM Keys  288
    Using an Additional Decryption Key for Data Recovery  288

PGP Universal Satellite  291
    Overview  291
    Technical Information  292
    Distributing the PGP Universal Satellite Software  292
    Configuration  292
        Deployment Mode  292
        Key Mode  293
        PGP Universal Satellite Configurations  294
        Switching Key Modes  296
    Policy and Key or Certificate Retrieval  296
        Retrieving Lost Policies  297
        Retrieving Lost Keys or Certificates  298

PGP Universal Satellite for Windows  301
    Overview  301
    System Requirements  302
    Obtaining the Installer  302
    Installation  302
    Updates  303
    Files  303
    MAPI Support  304
        External MAPI Configuration  304
    Lotus Notes Support  305
        External Lotus Notes Configuration  305

PGP Universal Satellite for Mac OS X  307
    Overview  307
    System Requirements  307
    Obtaining the Installer  308
    Installation  308
    Updates  309
    Files  309

Configuring Protector for Mail Encryption Web Messenger  311
    Overview  311
        Protector for Mail Encryption Web Messenger and Clustering  312
        External Authentication  313
    Customizing Protector for Mail Encryption Web Messenger  314
        Adding a New Template  315
        Troubleshooting Customization  319
        Changing the Active Template  322
        Deleting a Template  322
        Editing a Template  323
        Downloading Template Files  323
        Restoring to Factory Defaults  323
    Configuring the Protector for Mail Encryption Web Messenger Service  324
        Starting and Stopping Protector for Mail Encryption Web Messenger  324
        Selecting the Protector for Mail Encryption Web Messenger Network Interface  325
        Setting Up External Authentication  326
        Creating Settings for Protector for Mail Encryption Web Messenger User Accounts  327
        Setting Message Replication in a Cluster  329

Configuring the Integrated Keyserver  331
    Overview  331
    Starting and Stopping the Keyserver Service  331
    Configuring the Keyserver Service  332

Configuring the Mail Encryption Verified Directory  335
    Overview  335
    Starting and Stopping the Mail Encryption Verified Directory  336
    Configuring the Mail Encryption Verified Directory  336

Managing the Certificate Revocation List Service  339
    Overview  339
    Starting and Stopping the CRL Service  339
    Editing CRL Service Settings  340

Configuring Universal Services Protocol  341
    Starting and Stopping USP  341
    Adding USP Interfaces  341

System Graphs  343
    Overview  343
    CPU Usage  343
    Message Activity  344
    Whole Disk Encryption  344
    Recipient Statistics  345
    Recipient Domain Statistics  345

System Logs  347
    Overview  347
    Filtering the Log View  348
    Searching the Log Files  349
    Exporting a Log File  349
    Enabling External Logging  350

Configuring SNMP Monitoring  351
    Overview  351
    Starting and Stopping SNMP Monitoring  352
    Configuring the SNMP Service  352
    Downloading the Custom MIB File  353

Shutting Down and Restarting Services and Power  355
    Overview  355
    Server Information  355
    Setting the Time  355
    Updating Software  356
    Licensing a Lotus Protector for Mail Encryption Server  356
    Downloading the Release Notes  357
    Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Software Services  357
    Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Hardware  358

Managing Administrator Accounts  359
    Overview  359
    Administrator Roles  360
    Administrator Authentication  360
    Creating a New Administrator  361
    Importing SSH v2 Keys  362
    Deleting Administrators  362
    Inspecting and Changing the Settings of an Administrator  363
    Configuring RSA SecurID Authentication  364
    Resetting SecurID PINs  365
    Daily Status Email  366

Protecting Lotus Protector for Mail Encryption Server with Ignition Keys  369
    Overview  369
    Ignition Keys and Clustering  371
    Preparing Hardware Tokens to be Ignition Keys  371
    Configuring a Hardware Token Ignition Key  373
    Configuring a Soft-Ignition Passphrase Ignition Key  373
    Deleting Ignition Keys  374

Backing Up and Restoring System and User Data  375
    Overview  375
    Creating Backups  376
        Scheduling Backups  376
        Performing On-Demand Backups  376
        Configuring the Backup Location  376
    Restoring From a Backup  378
        Restoring On-Demand  378
        Restoring Configuration  378
        Restoring from a Different Version  379

Updating Lotus Protector for Mail Encryption Server Software  381
    Overview  381
    Inspecting Update Packages  382

Setting Network Interfaces  383
    Understanding the Network Settings  383
    Connecting to a Proxy Server  384
    Changing Interface Settings  385
        Adding Interface Settings  385
        Deleting Interface Settings  385
    Editing Global Network Settings  386
    Assigning a Certificate  386
    Working with Certificates  386
        Importing an Existing Certificate  387
        Generating a Certificate Request  388
        Adding a Pending Certificate  389
        Inspecting a Certificate  389
        Exporting a Certificate  389
        Deleting a Certificate  390

Clustering your Lotus Protector for Mail Encryption Servers  391
    Overview  391
    Cluster Status  392
    Creating a Cluster  393
    Deleting Cluster Members  395
    Clustering and Protector for Mail Encryption Web Messenger  395
    Managing Settings for Cluster Members  396
    Changing Network Settings in Clusters  398

Index  399

1  Introduction

This Administrator's Guide describes both the IBM Lotus Protector for Mail Encryption Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of Lotus Protector for Mail Encryption Server.

Sections of the Lotus Protector for Mail Encryption Server Administrator's Guide refer to management of PGP Whole Disk Encryption, PGP Portable, PGP NetShare, and other PGP Desktop client products. The PGP Desktop products encrypt data on disks, removable media, and mobile devices as well as secure files for collaborating teams, and they can be fully managed by the Lotus Protector for Mail Encryption Server. However, these PGP products must be purchased separately (from PGP Corporation) to be deployed and managed by the Lotus Protector for Mail Encryption Server.

What is Lotus Protector for Mail Encryption Server

With the Lotus Protector for Mail Encryption Server management server, you can manage your organization's security policies, users, keys and configurations, deliver messages to external recipients with or without encryption keys, and protect sensitive data to avoid the financial loss, legal ramifications, and brand damage resulting from a data breach.

Lotus Protector for Mail Encryption Server automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA. The Lotus Protector for Mail Encryption Server encrypts, decrypts, signs, and verifies messages automatically, providing strong security through policies you control.

Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications, managed by the Lotus Protector for Mail Encryption Server. Lotus Notes offers a native encryption solution for secure messaging within an organization. While Lotus Protector for Mail Encryption Client can be used for internal-to-internal secure messaging, it is intended to secure the internal leg of a message that is being delivered to an external recipient. With Lotus Protector for Mail Encryption Client, you can minimize the risk of a data breach and better comply with partner and regulatory mandates for information security and privacy.


The management capabilities of the Lotus Protector for Mail Encryption Server can be extended to managing the PGP Desktop applications that provide encryption of data on disks, removable media, and mobile devices as well as security of files for collaborating teams.

Who Should Read This Guide

This Administrator's Guide is for the person or persons who implement and maintain your organization's Lotus Protector for Mail Encryption Server environment. These are the Lotus Protector for Mail Encryption Server administrators. This guide is also intended for anyone else who wants to learn about how Lotus Protector for Mail Encryption Server works.

Symbols

Notes, Cautions, and Warnings are used in the following ways.

Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.

Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.

Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional information about Lotus Protector for Mail Encryption Server and how to obtain support, see Lotus Protector for Mail Encryption (http://www.ibm.com/software/lotus/products/protector/mailencryption/).


2  The Big Picture

This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your Lotus Protector for Mail Encryption Server environment.

Important Terms

The following sections define important terms you will encounter throughout the Lotus Protector for Mail Encryption Server and this documentation.

Overview of Products

Lotus Protector for Mail Encryption Server: A device you add to your network that provides secure messaging with little or no user interaction. The Lotus Protector for Mail Encryption Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.

PGP Global Directory: A free, public keyserver hosted by PGP Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages.

For external users without encryption keys, Lotus Protector for Mail Encryption Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such as a web browser or Adobe Acrobat Reader. For email recipients who do not have an encryption solution, you can use one of the following secure delivery options from Lotus Protector for Mail Encryption Server:

PGP Universal Satellite: The PGP Universal Satellite software resides on the computer of an external email user. It allows email to be encrypted end to end, all the way to and from the desktop. Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their keys on their local computers (if allowed by the administrator).


Protector for Mail Encryption Web Messenger: The Protector for Mail Encryption Web Messenger service allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If Protector for Mail Encryption Web Messenger is available via mail policy for a user and the recipient's key cannot be found, the message is stored on the Lotus Protector for Mail Encryption Server and an unprotected notification message is sent to the recipient. The notification includes a link to the original message, held on the Lotus Protector for Mail Encryption Server. The recipient must create a passphrase, and can then access his encrypted messages stored on Lotus Protector for Mail Encryption Server.

Mail Encryption PDF Messenger: Mail Encryption PDF Messenger enables sending encrypted PDF messages to external users who do not have a relationship with the SMSA. In the normal mode, as with Protector for Mail Encryption Web Messenger, the user receives a message with a link to the encrypted message location and uses a Protector for Mail Encryption Web Messenger passphrase to access the message. Mail Encryption PDF Messenger also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.

Lotus Protector for Mail Encryption Client: Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications. Lotus Notes offers a native encryption solution for secure messaging within an organization. While Lotus Protector for Mail Encryption Client can be used for internal-to-internal secure messaging, it is intended to secure the internal leg of a message that is being delivered to an external recipient. With Lotus Protector for Mail Encryption Client, you can minimize the risk of a data breach and better comply with partner and regulatory mandates for information security and privacy.

Separately-licensed PGP products:

PGP Desktop: A client software tool that uses cryptography to protect your data against unauthorized access. PGP Desktop is available for Windows and Mac OS X. It can include the following components, depending upon the features you license:

PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP Desktop that encrypts your entire hard drive or partition, including your boot record, thus protecting all your files when you are not using them. PGP Whole Disk Encryption is also available for selected Linux systems.

PGP NetShare: A feature of PGP Desktop for Windows with which you can securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.

PGP Virtual Disk: PGP Virtual Disk volumes are a feature of PGP Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume.

PGP Zip: A feature of PGP Desktop that lets you put any combination of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.

PGP Portable: A separately-licensed feature that enables you to send encrypted files to users who do not have PGP Desktop software, and to transport files securely to systems that do not or cannot have PGP software installed.

Lotus Protector for Mail Encryption Server Concepts

keys.<domain> convention: Lotus Protector for Mail Encryption Server automatically looks for valid public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys.<domain> (where <domain> is the email domain of the recipient). For example, Example Corporation's externally visible Lotus Protector for Mail Encryption Server is named keys.example.com. IBM Corporation strongly recommends you name your externally visible Lotus Protector for Mail Encryption Server according to this convention because it allows other Lotus Protector for Mail Encryption Servers to easily find valid public keys for email recipients in your domain. For more information, see Naming your Lotus Protector for Mail Encryption Server (on page 33).

Security Architecture: Behind the scenes, the Lotus Protector for Mail Encryption Server creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).

Lotus Protector for Mail Encryption Server Features

Administrative Interface: Each Lotus Protector for Mail Encryption Server is controlled via a Web-based administrative interface. The administrative interface gives you control over Lotus Protector for Mail Encryption Server. While many settings are initially established using the web-based Setup Assistant, all settings of a Lotus Protector for Mail Encryption Server can be controlled via the administrative interface.

Backup and Restore: Because full backups of the data stored on your Lotus Protector for Mail Encryption Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your Lotus Protector for Mail Encryption Server data or manually perform a backup. You can fully restore a Lotus Protector for Mail Encryption Server from a backup. In the event of a minor problem, you can restore the Lotus Protector for Mail Encryption Server to any saved backup. In the event that a Lotus Protector for Mail Encryption Server is no longer usable, you can restore its data from a backup onto a new Lotus Protector for Mail Encryption Server during initial setup of the new Lotus Protector for Mail Encryption Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the Lotus Protector for Mail Encryption Server.

Cluster: When you have two or more Lotus Protector for Mail Encryption Servers in your network, you configure them to synchronize with each other; this is called a cluster.

Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with mail policy to allow you to define content lists that can trigger rules.

Directory Synchronization: If you have LDAP directories in your organization, your Lotus Protector for Mail Encryption Server can be synchronized with the directories. The Lotus Protector for Mail Encryption Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories.

Ignition Keys: You can protect the contents of a Lotus Protector for Mail Encryption Server, even if the hardware is stolen, by requiring the use of a hardware token or a software passphrase, or both, on start.

Keyserver: Each Lotus Protector for Mail Encryption Server includes an integrated keyserver populated with the public keys of your internal users. When an external user sends a message to an internal user, the external Lotus Protector for Mail Encryption Server goes to the keyserver to find the public key of the recipient to use to secure the message. The Lotus Protector for Mail Encryption Server administrator can enable or disable the service, and control access to it via the administrative interface.

Learn Mode: When you finish configuring a Lotus Protector for Mail Encryption Server using the Setup Assistant, it begins in Learn Mode, where the Lotus Protector for Mail Encryption Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages. Learn Mode gives the Lotus Protector for Mail Encryption Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when Learn Mode is turned off, the Lotus Protector for Mail Encryption Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product. You should check the logs of the Lotus Protector for Mail Encryption Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the Lotus Protector for Mail Encryption Server's policies while it is in Learn Mode until things are working as expected.

Mail Policy: The Lotus Protector for Mail Encryption Server processes email messages based on the policies you establish. Mail policy applies to inbound and outbound email processed by both Lotus Protector for Mail Encryption Server and client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules.

Organization Certificate: You must create or obtain an Organization Certificate to enable S/MIME support by Lotus Protector for Mail Encryption Server. The Organization Certificate signs all X.509 certificates the server creates.

Organization Key: The Setup Assistant automatically creates an Organization Key (actually a keypair) when it configures a Lotus Protector for Mail Encryption Server. The Organization Key is used to sign all PGP keys the Lotus Protector for Mail Encryption Server creates and to encrypt Lotus Protector for Mail Encryption Server backups.

Caution: It is extremely important to back up your Organization Key: all keys the Lotus Protector for Mail Encryption Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.

Mail Encryption Verified Directory: The Mail Encryption Verified Directory supplements the internal keyserver by letting internal and external users manage the publishing of their own public keys. The Mail Encryption Verified Directory also serves as a replacement for the PGP Keyserver product. The Mail Encryption Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted.

Server Placement: A Lotus Protector for Mail Encryption Server can be placed in one of two locations in your network to process email.

With an internal placement, the Lotus Protector for Mail Encryption Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).

With a gateway placement, the Lotus Protector for Mail Encryption Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured. For more information, see Configuring Mail Proxies (on page 161) and the Lotus Protector for Mail Encryption Server Installation Guide.

Setup Assistant: When you attempt to log in for the first time to the administrative interface of a Lotus Protector for Mail Encryption Server, the Setup Assistant takes you through the configuration of that Lotus Protector for Mail Encryption Server.

Lotus Protector for Mail Encryption Server User Types

Administrators: Any user who manages the Lotus Protector for Mail Encryption Server and its security configuration from inside the internal network. Only administrators are allowed to access the administrative interface that controls Lotus Protector for Mail Encryption Server. A Lotus Protector for Mail Encryption Server supports multiple administrators, each of whom can be assigned a different authority: from read-only access to full control over every feature and function.

Consumers: Internal, external, and Verified Directory users, and devices.

External Users: External users are email users from other domains (domains not being managed by your Lotus Protector for Mail Encryption Server) who have been added to the SMSA.

Internal Users: Internal users are email users from the domains being managed by your Lotus Protector for Mail Encryption Server. Lotus Protector for Mail Encryption Server allows you to manage PGP Desktop deployments to your internal users. The administrator can control which PGP Desktop features are automatically implemented at install, and establish and update security policy for PGP Desktop users that those users cannot override (except on the side of being more secure).

Mail Encryption Verified Directory Users: Internal and external users who have submitted their public keys to the Mail Encryption Verified Directory, a Web-accessible keyserver.

Devices: Managed devices, WDE computers, and WDE disks. Managed devices are arbitrary objects whose keys are managed by Lotus Protector for Mail Encryption Server. WDE computers and WDE disks are devices that are detected when users enroll.

Other Email Users: Users within your organization can securely send email to recipients outside the SMSA. First, the Lotus Protector for Mail Encryption Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Mail Encryption Smart Trailer, and Protector for Mail Encryption Web Messenger mail. Mail Encryption Smart Trailer sends the message unencrypted and adds text giving the recipient the option of joining the SMSA by installing PGP Universal Satellite, using an existing key or certificate, or using Protector for Mail Encryption Web Messenger. Protector for Mail Encryption Web Messenger lets the recipient securely read the message on a secure website; it also gives the recipient options for handling subsequent messages from the same domain: read the messages on a secure website using a passphrase they establish, install PGP Universal Satellite, or add an existing key or certificate to the SMSA.

Installation Overview

The following steps are a broad overview of what it takes to plan, set up, and maintain your Lotus Protector for Mail Encryption Server environment. Steps 1 and 4 are described in the Lotus Protector for Mail Encryption Server Installation Guide. The remaining tasks are described in this book. Note that these steps apply to the installation of a new, stand-alone Lotus Protector for Mail Encryption Server. If you plan to install a cluster, you must install and configure one Lotus Protector for Mail Encryption Server following the steps outlined here. Subsequent cluster members will receive most of their configuration settings from the initial Lotus Protector for Mail Encryption Server through data replication.

1 Plan where in your network you want to locate your Lotus Protector for Mail Encryption Server(s). Where you put Lotus Protector for Mail Encryption Servers in your network, how many Lotus Protector for Mail Encryption Servers you have in your network, and other factors all have a major impact on how you add them to your existing network. Create a diagram of your network that includes all network components and shows how email flows; this diagram details how adding a Lotus Protector for Mail Encryption Server impacts your network.

For more information on planning how to add Lotus Protector for Mail Encryption Servers to your existing network, see Adding the Lotus Protector for Mail Encryption Server to Your Network in the Lotus Protector for Mail Encryption Server Installation Guide.

2 Perform necessary DNS changes. Add IP addresses for your Lotus Protector for Mail Encryption Servers, an alias to your keyserver, update the MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers for a cluster, and so on. Properly configured DNS settings (including root servers and appropriate reverse lookup records) are required to support Lotus Protector for Mail Encryption Server. Make sure both host and pointer records are correct. IP addresses must be resolvable to hostnames, as well as hostnames resolvable to IP addresses.

3 Prepare a hardware token Ignition Key. If you want to add a hardware token Ignition Key during setup, install the drivers and configure the token before you begin the Lotus Protector for Mail Encryption Server setup process. See Protecting Lotus Protector for Mail Encryption Server with Ignition Keys (on page 369) for information on how to prepare a hardware token Ignition Key.

Note: In a cluster, the Ignition Key configured on the first Lotus Protector for Mail Encryption Server in the cluster will also apply to the subsequent members of the cluster.

4 Install and configure this Lotus Protector for Mail Encryption Server. The Setup Assistant runs automatically when you first access the administrative interface for the Lotus Protector for Mail Encryption Server. The Setup Assistant is where you can set or confirm a number of basic settings such as your network settings, administrator password, server placement option, mail server address and so on. To configure multiple servers as a cluster, you must configure one server first in the normal manner, then add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the Lotus Protector for Mail Encryption Server administrative interface. For more information, see Setting Up the Lotus Protector for Mail Encryption Server in the Lotus Protector for Mail Encryption Server Installation Guide.

5 Create an SSL/TLS certificate or obtain a valid SSL/TLS certificate. You can create a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self-signed, however, it might not be trusted by email or Web browser clients. IBM Corporation recommends that you obtain a valid SSL/TLS certificate for each of your Lotus Protector for Mail Encryption Servers from a reputable Certificate Authority.

This is especially important for Lotus Protector for Mail Encryption Servers that are accessed publicly. Older Web browsers might reject self-signed certificates or not know how to handle them correctly when they encounter them via Protector for Mail Encryption Web Messenger or Mail Encryption Smart Trailer. For more information, see Working with Certificates (on page 386).

6 Configure the Directory Synchronization feature to synchronize an LDAP directory with your Lotus Protector for Mail Encryption Server. You must have an LDAP directory configured and Directory Synchronization enabled for user enrollment to work. By default user enrollment assumes that you have an LDAP directory configured. There are two parts to configuring LDAP for user enrollment:

You must have LDAP enabled on the Domino server with which the Lotus Protector for Mail Encryption Server is communicating.

To enable LDAP in the Lotus Protector for Mail Encryption Server, do the following:

Log in to the Lotus Protector for Mail Encryption Server administrative interface, go to Consumers > Directory Synchronization, and click Add LDAP Directory... You will need to provide information about your LDAP directory:
- credentials to use to contact the LDAP server (the Bind DN)
- the addressing information of the server (hostname, port, and protocol)
- one or more Base DNs to use for lookup.
Make sure you have Open LDAP selected as the directory type. When you have tested that Lotus Protector for Mail Encryption Server can communicate with the LDAP directory, you can enable directory synchronization on the Consumers > Directory Synchronization page.

For more detailed information, see Using Directory Synchronization to Manage Users (on page 249).

7 Add trusted keys, configure internal and external user policy, and establish mail policy. All these settings are important for secure operation of Lotus Protector for Mail Encryption Server. For more information on adding trusted keys from outside the SMSA, see Managing Trusted Keys and Certificates (on page 89). For more information about user policy settings, see Setting Internal User Policy and Setting External User Policy. For information on setting up mail policy, see Setting Mail Policy (on page 93).

Note: When setting policy for Consumers, Lotus Protector for Mail Encryption Server provides an option called Out of Mail Stream (OOMS) support. OOMS specifies how the email gets transmitted from the client to the server when Lotus Protector for Mail Encryption Client cannot find a key for the recipient and therefore cannot encrypt the message. OOMS is enabled by default, as this is the most secure setting. With OOMS enabled, sensitive messages that can't be encrypted locally are sent to Lotus Protector for Mail Encryption Server "out of the mail stream." Lotus Protector for Mail Encryption Client creates a separate, encrypted network connection to the Lotus Protector for Mail Encryption Server to transmit the message. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will not see these messages. You can elect to disable OOMS, which means that sensitive messages that can't be encrypted locally are sent to Lotus Protector for Mail Encryption Server "in the mail stream" like normal email. Importantly, this email is sent in the clear (unencrypted). Mail or network administrators could read these messages by accessing the mail server's storage or monitoring network traffic. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will process these messages normally. During your configuration of your Lotus Protector for Mail Encryption Server you should determine the appropriate settings for your requirements. This option can be set separately for each policy group, and is set through the Consumer Policy settings. For more details on the effects of enabling or disabling OOMS, see Out of Mail Stream Support (on page 229).

8 Add your Domino domain as a managed domain. Usually, you specify your Internet domain during installation through the Setup Assistant. If your Lotus Protector for Mail Encryption Server is also managing a Domino server, you must add your Domino domain name manually through the Managed Domains page (Consumers > Managed Domains).

9 Reconfigure the settings of your email clients and servers, if necessary. Depending on how you are adding the Lotus Protector for Mail Encryption Server to your network, some setting changes might be necessary. For example, if you are using a Lotus Protector for Mail Encryption Server placed internally, the email clients must have SMTP authentication turned on. For Lotus Protector for Mail Encryption Servers placed externally, you must configure your mail server to relay SMTP traffic to the Lotus Protector for Mail Encryption Server.

10 Enable SNMP Polling and Traps. You can configure Lotus Protector for Mail Encryption Server to allow network management applications to monitor system information for the device on which Lotus Protector for Mail Encryption Server is installed and to send system and application information to an external destination. See Configuring SNMP Monitoring (on page 351) in the Lotus Protector for Mail Encryption Server Administrator's Guide for more information.

11 Configure and distribute Lotus Protector for Mail Encryption Client to your users as appropriate. Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications. Before you can distribute the Lotus Protector for Mail Encryption Client installation file, you need to make the location of the Lotus Protector for Mail Encryption Server available to the client software. For more information, see Distributing the Lotus Protector for Mail Encryption Client (on page 201).

12 Analyze the data from Learn Mode. In Learn Mode, your Lotus Protector for Mail Encryption Server sends messages through mail policy without actually taking action on the messages, decrypts and verifies incoming messages when possible, and dynamically creates an SMSA. You can see what the Lotus Protector for Mail Encryption Server would have done without Learn Mode by monitoring the system logs. Learn Mode lets you become familiar with how the Lotus Protector for Mail Encryption Server operates and it lets you see the effects of the policy settings you have established before the Lotus Protector for Mail Encryption Server actually goes live on your network. Naturally, you can fine-tune settings while in Learn Mode, so that the Lotus Protector for Mail Encryption Server is operating just how you want before you go live. For more information, see Operating in Learn Mode (on page 49).

13 Adjust policies as necessary. It might take a few tries to get everything working just the way you want. For example, you might need to revise your mail policy.

14 Perform backups of all Lotus Protector for Mail Encryption Servers before you take them out of Learn Mode. This gives you a baseline backup in case you need to return to a clean installation. For more information, see Backing Up and Restoring System and User Data (on page 375).

15 Take your Lotus Protector for Mail Encryption Servers out of Learn Mode. Once this is done, email messages are encrypted, signed, and decrypted/verified, according to the relevant policy rules. Make sure you have licensed each of your Lotus Protector for Mail Encryption Servers; you cannot take a Lotus Protector for Mail Encryption Server out of Learn Mode until it has been licensed.

16 Monitor the system logs to make sure your Lotus Protector for Mail Encryption Server environment is operating as expected.

3 Open Ports

This chapter lists and describes the ports a Lotus Protector for Mail Encryption Server has open and on which it is listening.

TCP Ports

Port 21, FTP (File Transfer Protocol): Used for transmitting encrypted backup archives to other servers. Data is sent via passive FTP, so port 20 (FTP Data) is not used.

Port 22, Open SSH (Secure Shell): Used for remote shell access to the server for low-level system administration.

Port 25, SMTP (Simple Mail Transfer Protocol): Used for sending mail. With a gateway placement, the Lotus Protector for Mail Encryption Server listens on port 25 for both incoming and outgoing SMTP traffic.

Port 80, HTTP (HyperText Transfer Protocol): Used to allow user access to the Mail Encryption Verified Directory. If the Mail Encryption Verified Directory is not enabled, access on this port is automatically redirected to port 443 over HTTPS. Also used for Universal Services Protocol (USP) keyserver connection.

Port 110, POP (Post Office Protocol): Used for retrieving mail by users with POP accounts with internal placements only. Closed for gateway placements.

Port 143, IMAP (Internet Message Access Protocol): Used for retrieving mail by users with IMAP accounts with internal placements only. Closed for gateway placements.

Port 389, LDAP (Lightweight Directory Access Protocol): Used to allow remote hosts to look up public keys of local users.

Port 443, HTTPS (HyperText Transfer Protocol, Secure): Used for PGP Desktop and PGP Universal Satellite policy distribution and Protector for Mail Encryption Web Messenger access. Used for access over HTTPS if the Verified Directory is not enabled. Also used for Universal Services Protocol (USP) over SSL for keyserver connection.

Port 444, SOAPS (Simple Object Access Protocol, Secure): Used for clustering replication messages.

Port 465, SMTPS (Simple Mail Transfer Protocol, Secure): Used for sending mail securely with internal placements only. Closed for gateway placements. This is a non-standard port used only by legacy mail servers. We recommend not using this port, and instead always using STARTTLS on port 25.

Port 636, LDAPS (Lightweight Directory Access Protocol, Secure): Used to securely allow remote hosts to look up public keys of local users.

Port 993, IMAPS (Internet Message Access Protocol, Secure): Used for retrieving mail securely by users with IMAP accounts with internal placements only. Closed for gateway placements.

Port 995, POPS (Post Office Protocol, Secure): Used for retrieving mail securely by users with POP accounts with internal placements only. Closed for gateway placements.

Port 9000, HTTPS (HyperText Transfer Protocol, Secure): Used to allow access to the Lotus Protector for Mail Encryption Server administrative interface.

UDP Ports

Port 123, NTP (Network Time Protocol): Used to synchronize the system's clock with a reference time source on a different server.

Port 161, SNMP (Simple Network Management Protocol): Used by network management applications to query the health and activities of Lotus Protector for Mail Encryption Server software and the computer on which it is installed.
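
The tables above can be turned into a listener audit. The following is an added example, not code from the guide or the product: it parses `ss -lntu` style output (the sample below is constructed, not captured from a real server) and reports ports that are not in the tables, ports the guide says must be closed for a gateway placement, the legacy SMTPS port, and table entries that are not listening.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    port: int
    proto: str                   # "tcp" or "udp"
    name: str
    internal_only: bool = False  # the guide says: closed for gateway placements
    note: str = ""               # extra caveat from the guide, if any


# The TCP and UDP tables from this chapter, keyed by (port, proto).
EXPECTED = {
    (21, "tcp"): Service(21, "tcp", "FTP (encrypted backup archive transfer)"),
    (22, "tcp"): Service(22, "tcp", "SSH"),
    (25, "tcp"): Service(25, "tcp", "SMTP"),
    (80, "tcp"): Service(80, "tcp", "HTTP (Verified Directory, USP keyserver)"),
    (110, "tcp"): Service(110, "tcp", "POP", internal_only=True),
    (143, "tcp"): Service(143, "tcp", "IMAP", internal_only=True),
    (389, "tcp"): Service(389, "tcp", "LDAP keyserver"),
    (443, "tcp"): Service(443, "tcp", "HTTPS (policy, Web Messenger, USP over SSL)"),
    (444, "tcp"): Service(444, "tcp", "SOAPS cluster replication"),
    (465, "tcp"): Service(465, "tcp", "SMTPS", internal_only=True,
                          note="non-standard legacy port; prefer STARTTLS on 25"),
    (636, "tcp"): Service(636, "tcp", "LDAPS keyserver"),
    (993, "tcp"): Service(993, "tcp", "IMAPS", internal_only=True),
    (995, "tcp"): Service(995, "tcp", "POPS", internal_only=True),
    (9000, "tcp"): Service(9000, "tcp", "HTTPS administrative interface"),
    (123, "udp"): Service(123, "udp", "NTP"),
    (161, "udp"): Service(161, "udp", "SNMP"),
}


def parse_ss(output: str) -> set:
    """Return the set of (port, proto) pairs from `ss -lntu` style output.

    Only the Netid and Local Address:Port columns are used, so IPv4 ("0.0.0.0:25"),
    IPv6 ("[::]:9000") and wildcard ("*:25") forms all parse the same way.
    """
    listening = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or something that is not a socket row
        port = int(fields[4].rsplit(":", 1)[1])
        listening.add((port, fields[0]))
    return listening


def audit(listening: set, placement: str) -> dict:
    """Compare observed listeners with the guide's tables for an "internal" or
    "gateway" placement. Every finding is a sorted list of (port, proto)."""
    if placement not in ("internal", "gateway"):
        raise ValueError("placement must be 'internal' or 'gateway'")
    findings = {"unexpected": [], "should_be_closed": [], "legacy": [], "not_listening": []}
    for key in listening:
        svc = EXPECTED.get(key)
        if svc is None:
            findings["unexpected"].append(key)        # not in the guide's tables at all
        elif svc.internal_only and placement == "gateway":
            findings["should_be_closed"].append(key)  # guide: closed for gateway placements
        elif svc.note:
            findings["legacy"].append(key)            # open, but the guide advises against it
    for key, svc in EXPECTED.items():
        if key not in listening and not (svc.internal_only and placement == "gateway"):
            findings["not_listening"].append(key)     # may be intentional (service disabled)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample output for a gateway-placed server (not captured from a real
# system): POP is still open, something listens on 8080, FTP and SNMP are off.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:110        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:389        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:636        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128    [::]:9000          [::]:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
"""

if __name__ == "__main__":
    for category, ports in audit(parse_ss(SAMPLE_SS_OUTPUT), "gateway").items():
        print(category, ports)
```

Entries under not_listening are worth confirming against the administrative interface, since the keyserver and FTP backup transfer can legitimately be disabled.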

4 Naming your Lotus Protector for Mail Encryption Server

This section describes how and why to name your Lotus Protector for Mail Encryption Server using the keys.<domain> convention.

Considering a Name for Your Lotus Protector for Mail Encryption Server

Unless a valid public key is found locally, Lotus Protector for Mail Encryption Servers automatically look for valid public keys for email recipients by attempting to contact a keyserver at a special hostname, keys.<domain>, where <domain> is the email domain of the recipient. For example, an internal user at example.com is sending email to susan@widgetcorp.com. If no valid public key for Susan is found on the Example Corp. Lotus Protector for Mail Encryption Server (keys would be found locally if they are cached, or if Susan was an external user who explicitly supplied her key via the Protector for Mail Encryption Web Messenger service), it automatically looks for a valid public key for Susan at keys.widgetcorp.com, even if there is no domain policy for widgetcorp.com on Example's Lotus Protector for Mail Encryption Server. Naturally, the Example Corp. Lotus Protector for Mail Encryption Server can only find a valid public key for susan@widgetcorp.com at keys.widgetcorp.com if the Widgetcorp Lotus Protector for Mail Encryption Server is named using the keys.<domain> convention.

Caution: IBM Corporation strongly recommends you name your Lotus Protector for Mail Encryption Server according to this convention, because doing so allows other Lotus Protector for Mail Encryption Servers to easily find valid public keys for email recipients in your domain. Make sure to name your externally visible Lotus Protector for Mail Encryption Server using this convention. If your organization uses email addresses such as <user>@example.com as well as <user>@corp.example.com, then you need your Lotus Protector for Mail Encryption Server to be reachable at both keys.example.com and keys.corp.example.com.

If you have multiple Lotus Protector for Mail Encryption Servers in a cluster managing an email domain, only one of those Lotus Protector for Mail Encryption Servers needs to use the keys.<domain> convention.

Note: Keys that are found using the keys.<domain> convention are treated as valid and trusted by default.

Alternately, keys.<domain> should be the address of a load-balancing device which then distributes connections to your Lotus Protector for Mail Encryption Servers' keyserver service. The ports that would need to be load-balanced are the ones on which you are running your keyserver service (typically port 389 for LDAP and 636 for LDAPS). Another acceptable naming convention would be to name your Lotus Protector for Mail Encryption Server according to the required naming convention your company uses, and make sure the server has a DNS alias of keys.<domain>. If you are administering multiple email domains, you should establish the keys.<domain> convention for each email domain. If your Lotus Protector for Mail Encryption Server is behind your corporate firewall (as it should be), you need to make sure that ports 389 (LDAP) and 636 (LDAPS) are open to support the keys.<domain> convention.

Methods for Naming a Lotus Protector for Mail Encryption Server

There are three ways to name your Lotus Protector for Mail Encryption Server to support the keys.<domain> convention:

Name your Lotus Protector for Mail Encryption Server keys.<domain> in the Host Name field of the Network Setup page in the Setup Assistant.

Change the Host Name of your Lotus Protector for Mail Encryption Server to keys.<domain> using the administrative interface, in the Network Settings section of the System > Network page.

Create a DNS alias to your Lotus Protector for Mail Encryption Server that uses the keys.<domain> convention, as appropriate for your DNS server configuration.
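
Because a peer server trusts whatever it finds at keys.<domain> by default, the DNS side of this convention deserves a check. The following is an added example, not code from the guide or the product: it derives the keys.<domain> hostname a peer will contact for a recipient address and, for each managed email domain, verifies the forward record and the matching pointer record that step 2 of the installation overview requires. The zone data, hostnames and addresses are constructed; the resolver callables default to live socket lookups.

```python
import socket


def keyserver_hostname(address):
    """Return the keys.<domain> hostname a peer Lotus Protector for Mail Encryption
    Server contacts when it holds no valid public key for this recipient."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    return "keys." + domain.lower()


def table_resolver(table):
    """Offline resolver over a constructed dict that fails the way socket lookups do."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror("no record for %s" % name)
    return resolve


def check_keys_convention(domains, resolve_a=None, resolve_ptr=None):
    """For each managed email domain, confirm that keys.<domain> has a forward
    record and that its address has a pointer record resolving back to the same
    address, as step 2 of the installation overview requires.

    resolve_a(hostname) -> ip and resolve_ptr(ip) -> hostname default to live
    socket lookups; pass table_resolver(...) callables to run offline.
    Returns {domain: status string}.
    """
    resolve_a = resolve_a or socket.gethostbyname
    resolve_ptr = resolve_ptr or (lambda ip: socket.gethostbyaddr(ip)[0])
    results = {}
    for domain in domains:
        host = "keys." + domain.lower()
        try:
            ip = resolve_a(host)
        except OSError:
            results[domain] = "no A record for %s" % host
            continue
        try:
            ptr = resolve_ptr(ip)
        except OSError:
            results[domain] = "no PTR record for %s (%s)" % (ip, host)
            continue
        # keys.<domain> may be a DNS alias of the server's real name, so the PTR
        # need not equal host; it must, however, resolve back to the same address.
        try:
            back = resolve_a(ptr)
        except OSError:
            back = None
        if back != ip:
            results[domain] = "PTR %s for %s does not resolve back to it (%s)" % (ptr, ip, host)
            continue
        results[domain] = "ok (%s -> %s, PTR %s)" % (host, ip, ptr)
    return results


# Constructed zone data (not real infrastructure): example.com follows the
# convention through an alias of the server's real name, corp.example.com has
# no keys. host at all, and widgetcorp.com has a forward but no pointer record.
FORWARD = {
    "keys.example.com": "192.0.2.10",
    "mail-enc-01.example.com": "192.0.2.10",
    "keys.widgetcorp.com": "198.51.100.5",
}
REVERSE = {"192.0.2.10": "mail-enc-01.example.com"}
MANAGED_DOMAINS = ["example.com", "corp.example.com", "widgetcorp.com"]

if __name__ == "__main__":
    report = check_keys_convention(MANAGED_DOMAINS, table_resolver(FORWARD),
                                   table_resolver(REVERSE))
    for domain, status in report.items():
        print("%-18s %s" % (domain, status))
```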

5 Understanding the Administrative Interface

This section describes the Lotus Protector for Mail Encryption Server's Web-based administrative interface.

System Requirements

The Lotus Protector for Mail Encryption Server administrative interface has been fully tested with the following Web browsers:

Windows 2000 Professional and Advanced Server: Mozilla Firefox 3.0, Internet Explorer 6.0, Internet Explorer 7.0
Windows XP Professional and Pro x64: Mozilla Firefox 3.0, Internet Explorer 6.0, Internet Explorer 7.0
Windows Vista: Mozilla Firefox 3.0, Internet Explorer 7.0
Mac OS X 10.4: Mozilla Firefox 3.0, Safari 2.0
Mac OS X 10.5: Mozilla Firefox 3.0, Safari 3.1

While you might find that the administrative interface works with other Web browsers, we recommend these browsers for maximum compatibility.

Logging In

A login name and passphrase for the administrative interface were originally established when you configured the server using the Setup Assistant. In addition, the original administrator may have created additional administrators, and may have configured your Lotus Protector for Mail Encryption Server to accept RSA SecurID authentication.

To log in to your server's administrative interface

1 In a Web browser, type https://<hostname>:9000/ and press Enter. The Login page appears.

Note: If you see a Security Alert dialog box relating to the security certificate, the browser does not trust the self-signed certificate that was created automatically during setup. Replace it with a certificate from a public Certificate Authority rather than having administrators click through the warning each time.

2 Type the current login name in the Username field.

3 Type the current passphrase or SecurID passcode in the Passphrase field. (If SecurID authentication is enabled, a message below the Passphrase field indicates that a SecurID passcode can be entered. A given administrator is configured to use either passphrase or SecurID authentication, not both.)

4 Click the Login button or press Enter.

5 If the login credentials are accepted, the System Overview page appears.

6 If the login credentials do not match, an error is displayed. For passphrase authentication that fails, an "Invalid Login" error appears. For SecurID authentication, different events may occur. See the following procedure for more information.

To log in using RSA SecurID authentication

1 Follow steps 1-4 in the procedure above. If your SecurID passcode is accepted, and no PIN reset is required, the System Overview page appears.

Note: If Lotus Protector for Mail Encryption Server fails to connect with any RSA Manager server, you are presented with the standard "Invalid Login" message. The connection failure is logged in the Lotus Protector for Mail Encryption Server Administration log, so you can determine whether it was the cause of the login failure.

2 If the RSA server policy determines that a PIN reset is required, the PIN Reset dialog appears upon successful login. Depending on the RSA server policy, you may be able to have the RSA server generate a new PIN for you, or enter a new PIN manually. When this is done, the System Overview page appears. For more details see Resetting SecurID PINs (on page 365).

3 If the RSA server detects a problem with the token code portion of your passcode, you are asked to re-enter your PIN plus the next code shown on your SecurID token. Type your PIN and the next token code that appears, then click Login or press Enter.

4 Based on your RSA server policy, you may be given several chances to authenticate successfully using the next token code. However, continued failures eventually result in a failed login.

Note: Login events are logged in the Lotus Protector for Mail Encryption Server Administration log. Successful and failed attempts and next-tokencode requests are logged, as are problems connecting to the RSA Manager servers.


The System Overview Page

The System Overview page is the first page you see when you log in to Lotus Protector for Mail Encryption Server. You can also view it from Reporting > Overview. The page provides a general report of system information and statistics. The information displayed includes:

- System alerts, including licensing issues and PGP Whole Disk Encryption login failures. System alerts appear at the top of the page.
- System Graphs for CPU usage, message activity, and Whole Disk Encryption. Click the buttons to switch the graphs. Click the System Graphs heading to go to the Reporting > Graphs page. See System Graphs (on page 343) for more information about system graphs.
- Services information, including which services are running or stopped. Depending on the service, the entry may also include the number of users or keys handled by the service. Click the service name link to go to the administrative page for that service. For a running Web Messenger service, click the URL to go to the Web Messenger interface. For a running Verified Directory service, click the URL to go to the Verified Directory interface to search for a key, upload your own public key, or remove your key from the searchable directory.
- System Statistics, including software version number, system uptime, total messages processed, and number of PGP Portable Disks created. Click the Statistics link to go to the System > General Settings page.
- Mail Queue statistics show the number of email messages in the queue waiting to be processed, if applicable, and the size of the mail queue. Click the Mail Queue link to go to the Mail > Mail Queue status page for detailed information about the contents of the mail queue.
- Estimated Policy Group Membership shows the number of members in each consumer policy group. Click a policy group name to go to the page for configuring that policy group.
- Clustering provides status information about the cluster configuration, if this Lotus Protector for Mail Encryption Server is a member of a cluster. This display shows, for each cluster member, its hostname or IP address, its status, its location (Internal or DMZ) and a login icon (except for the member on which you are currently logged in). Click the Clustering heading to go to the System > Clustering page. This display does not appear if your Lotus Protector for Mail Encryption Server is not a member of a cluster.


Click Refresh (at the top of the System Overview page) to refresh the information shown on this page. The Manage Alerts button takes you to the Alerts page where you can configure how you want to be notified about WDE login failures. For more details, see Managing Alerts (on page 38). The Export Data button lets you export statistics for WDE Activity, WDE Login Failures, PDF Messenger Certified Delivery Receipts, and the Mail Policy Print View (which provides in a printable format all your mail policy chains and rules).

Managing Alerts

The Lotus Protector for Mail Encryption Server groups failed login attempts into reported login failures. This feature makes reporting about failed login attempts more useful, because one or several failed login attempts by a PGP Whole Disk Encryption user do not necessarily mean an attempted break-in. Use the Alerts dialog box to choose how many failed login attempts constitute a login failure. For example, you can specify that an alert should be triggered after 3 failed login attempts. If 6 failed attempts occur, 2 login failure alerts appear.

Alerts about PGP Whole Disk Encryption login failures appear on the System Overview page and in the Daily Status Email. Alerts for devices belonging to specific users appear on the user's Internal Users dialog box. Alerts are also sent when a user is locked out of a system because he or she exceeded the number of allowable login failures set on the Disk Encryption tab of Consumer Policy.

To specify how you want to be notified of PGP Whole Disk Encryption login failures

1 From the System Overview page, click Manage Alerts. The Alerts dialog box appears.

2 Specify how many consecutive failed login attempts a single device must report before the administrator is notified.

3 Choose how long you want login failure alerts to be displayed on the System Overview page, the Daily Status Email, and the Internal Users page, in hours or days.

4 Specify how long you want to keep login failure records in the database, in days.

Note: PGP Whole Disk Encryption is a feature of the PGP Desktop product line, which must be purchased separately from PGP Corporation to be deployed and managed by the Lotus Protector for Mail Encryption Server.
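The grouping rule above (a device must report N consecutive failures before one alert is raised, so 6 failures with N = 3 give 2 alerts) is easy to get wrong when you build your own reporting on top of exported WDE login-failure data, for instance by counting failures per user instead of per device, or by forgetting that a successful login ends the run. The following is an added example, not code from the product, that implements the rule over constructed sample events; the event fields and device names are assumptions, and the display window is the "how long to display" setting from step 3 expressed in hours.

```python
"""Group failed PGP Whole Disk Encryption login attempts into alerts.

Added example; not part of Lotus Protector for Mail Encryption Server.
A device must report `threshold` consecutive failures before one alert
is raised; a successful login resets the run; alerts older than the
display window are no longer shown. Sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class LoginEvent:
    device: str        # device identifier (assumed field)
    user: str
    when: datetime
    success: bool


@dataclass(frozen=True)
class Alert:
    device: str
    user: str
    raised_at: datetime
    attempts: int      # consecutive failures that triggered this alert


def group_failures(events: Iterable[LoginEvent], threshold: int) -> List[Alert]:
    """One alert each time a single device reaches `threshold` consecutive failures."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    runs: Dict[str, int] = defaultdict(int)   # consecutive failures per device
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.success:
            runs[ev.device] = 0                # a successful login ends the run
            continue
        runs[ev.device] += 1
        if runs[ev.device] == threshold:
            alerts.append(Alert(ev.device, ev.user, ev.when, threshold))
            runs[ev.device] = 0                # start counting the next run
    return alerts


def visible_alerts(alerts: Iterable[Alert], now: datetime, window_hours: float) -> List[Alert]:
    """Alerts still displayed: those raised within `window_hours` before `now`."""
    window = timedelta(hours=window_hours)
    return [a for a in alerts if timedelta(0) <= now - a.raised_at <= window]


# Constructed sample: laptop-17 fails six times in a row;
# laptop-23 fails twice, succeeds, then fails once more.
T0 = datetime(2010, 4, 1, 9, 0)
SAMPLE = [LoginEvent("laptop-17", "alice", T0 + timedelta(minutes=i), False) for i in range(6)]
SAMPLE += [
    LoginEvent("laptop-23", "bob", T0 + timedelta(minutes=1), False),
    LoginEvent("laptop-23", "bob", T0 + timedelta(minutes=2), False),
    LoginEvent("laptop-23", "bob", T0 + timedelta(minutes=3), True),
    LoginEvent("laptop-23", "bob", T0 + timedelta(minutes=4), False),
]

if __name__ == "__main__":
    for a in group_failures(SAMPLE, threshold=3):
        print(f"{a.raised_at:%H:%M} {a.device} ({a.user}): {a.attempts} consecutive failures")
```

With the sample data and a threshold of 3, only laptop-17 produces alerts (two of them); laptop-23 never reaches three consecutive failures because its successful login resets the count.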


Administrative Interface Map

The administrative interface is organized into the following sections and pages:

- Reporting: Overview, Graphs, Logs
- Consumers: Groups, Users, Devices, Consumer Policy, Managed Domains, Directory Synchronization
- Keys: Managed Keys, Trusted Keys, Organization Keys, Ignition Keys, Keyservers, Key Cache
- Mail: Mail Policy, Dictionaries, Archive Servers, Proxies, Mail Queue, Mail Routes, Message Templates
- Services: Web Messenger, Keyserver, SNMP, Verified Directory, Certificate Revocation, USP
- System: General Settings, Administrators, Backups, Updates, Network, Clustering

Icons

The administrative interface uses the following icons, grouped by type:

- Actions: Add, Remove, Connect, Delete, Clear, Search, Install/Export, Reinstall/Regenerate, Restore, Revoke, Forward, Back, First, Last, Move priority up, Move priority down, Closed Action, Opened Action, Help, Update software, Print
- Users: Internal user, Administrative user, Excluded user, Internal user (revoked), Expired internal user, External user, External user (revoked), External user (pending), Expired external user, Directory user, Expired directory user, Directory user (pending)
- Keys and Certificates: Key, Key (expired), Key (revoked), Key reconstruction, Whole Disk Recovery Token, Keypair, Keypair (expired), Keypair (revoked), Certificate, Expired certificate, Revoked certificate, Certificate pair, Expired certificate pair, Revoked certificate pair, ADK (Additional Decryption Key), Organization Key, Verified Directory Key
- Mail Policy: Default policy chain, Policy chain, Policy rule, Dictionary term, Excluded address, Pending excluded address, Keyserver, Default keyserver
- User Policy: Default policy, Excluded policy
- Web Messenger: Default template, Customized template, Broken template
- Backup: Backup successful, Backup pending, Backup failed
- Update: Successful install, Update ready to be installed, Failed install
- Clustering: Cluster, Active cluster, Inactive cluster
- Logs: Info, Notice, Warning, Error
- Miscellaneous: Domain, Mail proxy (SMTP, POP, IMAP), Inbound mailserver, Outbound mailserver, SMTP server, Mail route, Network interface, Learn mode, Access control enabled


6 Licensing Your Software

This section describes how to license your Lotus Protector for Mail Encryption Server.

Licensing a Lotus Protector for Mail Encryption Server

The license for Lotus Protector for Mail Encryption Server is included automatically when you run the Setup Assistant and accept the licensing terms. You do not need to separately add or update a Lotus Protector for Mail Encryption Server license. However, you will need to add a license if you separately purchase a PGP product, such as PGP Desktop or PGP Whole Disk Encryption. For instructions on licensing additional products, see Licensing a Lotus Protector for Mail Encryption Server (on page 356).


7 Operating in Learn Mode

When you finish configuring a Lotus Protector for Mail Encryption Server using the Setup Assistant, it begins running in Learn Mode. In Learn Mode, messages are processed through mail policy, but none of the actions from the policy are performed. Messages are neither encrypted nor signed. This functions as a rehearsal, so that you can learn how policies would affect email traffic if implemented. While running in Learn Mode, the Lotus Protector for Mail Encryption Server also creates keys for authenticated users so that when Learn Mode is turned off, the server can secure messages immediately.

After messages go through mail policy, Lotus Protector for Mail Encryption Server decrypts and verifies incoming messages for which there are local internal or external user keys. Outgoing messages are sent unencrypted, so the server provides no confidentiality for outbound mail until Learn Mode is turned off.

In Learn Mode, non-RFC-compliant email is sent unprocessed and in the clear. Turn Learn Mode off to process such messages through the mail policy exception chain.

In Learn Mode, the Lotus Protector for Mail Encryption Server:

- Creates user accounts with user keys, in accordance with Consumer Policy.
- Decrypts messages using internal and external keys stored on the server, but does not search for keys externally.
- Does not encrypt or sign messages.
- Does not apply mail policy actions to messages, and does not take any Key Not Found action on messages.

Note: Your Lotus Protector for Mail Encryption Server must be licensed before you can take it out of Learn Mode. The license is included automatically when you run the Setup Assistant and accept the licensing terms; you only need to add a license separately for additional PGP products, such as PGP Desktop or PGP Whole Disk Encryption.

Purpose of Learn Mode

Learn Mode allows you to:

- View (by examining the logs) how policies would affect email traffic if implemented.
- Build the SMSA (creating keys for authenticated users, for example) so that when the server goes live, that is, when Learn Mode is turned off, the server can secure messages immediately.
- Identify mailing lists your users send messages to and add their addresses to the dictionaries of Excluded Email Addresses. Most likely, users won't send encrypted messages to a mailing list.

Lotus Protector for Mail Encryption Server decrypts and verifies incoming email while operating in Learn Mode.

Lotus Protector for Mail Encryption Server still automatically detects mailing lists when Learn Mode is off, but unless the addresses were retrieved through the Directory Synchronization feature, they require approval from the Lotus Protector for Mail Encryption Server administrator before they are added to the list of excluded email addresses. For more information, see Using Dictionaries with Policy (on page 143). Mailing lists are identified per RFC 2919, List-Id: A Structured Field and Namespace for the Identification of Mailing Lists, as well as by using default exclusion rules.

Checking the Logs

The effects of your policies can be checked while Learn Mode is on, even though the server is not actually encrypting or signing messages.

To check the server's logs

1 Access the administrative interface for the server. The administrative interface appears.

2 Click Reporting, then Logs. The System Logs page appears.

3 Check the logs to see what effect your policies are having on email traffic.

Managing Learn Mode

The Lotus Protector for Mail Encryption Server is put into Learn Mode by the Setup Assistant. If your server is in Learn Mode, you see a yellow icon, the Change Mode button, in the upper-right corner of your browser page.

To turn off Learn Mode

1 Click the Change Mode button in the upper-right corner of the page. The Mail Processing Settings dialog box appears.

2 Deselect Operate in Learn Mode.

3 Click Save. Learn Mode is turned off.

To turn on Learn Mode

1 Click the Change Mode button in the upper-right corner of the page. The Mail Processing Settings dialog box appears.

2 Select Operate in Learn Mode.

3 Click Save. Learn Mode is turned on.

8 Managed Domains

This section describes how to create and manage the internal domains for which your Lotus Protector for Mail Encryption Server protects email messages.

About Managed Domains

The Managed Domains page gives you control over the domains for which the Lotus Protector for Mail Encryption Server is handling email. Email users from domains being managed by your server are called internal users. Conversely, email users from domains not being managed by your server but who are part of the SMSA are called external users.

For example, if your company is Example Corporation, you can have the domain example.com, and your employees would have email addresses ending in @example.com. In that case, you would want to establish example.com as a domain to be managed by your server.

When you install your Lotus Protector for Mail Encryption Server you have the opportunity to add a managed domain in the Setup Assistant. If you do not set it up at that time, you can use the Managed Domains page to add it. You can also add additional managed domains from the Managed Domains page, if you have users with addresses in multiple domains that you want to be considered internal users.

Managed domains automatically include sub-domains, so in the example above, users with addresses in any sub-domain of example.com would also be considered internal users. Multi-level domain structures as used by some countries are also acceptable: for example, the domain example.co.uk.

The Managed Domains page accepts Internet DNS domain names and Domino domains. You must have an Internet DNS domain name, and if you have Notes users, you must also include the Domino domain name. WINS names (for example, \\EXAMPLE) do not belong here. Usually, you specify your Internet domain during installation through the Setup Assistant. If your Lotus Protector for Mail Encryption Server is also managing a Domino server, you must add your Domino domain name manually through the Managed Domains page. For example, if you have an Internet domain "example.com" and a Domino domain "ExDomino," you would add example.com as the managed domain during setup, for SMTP addressing. You would then add ExDomino as an additional managed domain, for Domino addressing.


Mail to and from your managed domains is processed according to your mail policy. You can also create mail policy rules specifically for your managed domains. See the chapter Setting Mail Policy (on page 93) for more information on creating mail policies. Managed domains entered on the Managed Domains page populate the Managed Domains dictionary. The dynamic Managed Domains dictionary automatically includes subdomains. See Using Dictionaries with Policy (on page 143) for more information on dictionaries.
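The internal/external distinction above drives which users get keys and which policy rules apply, so it is worth seeing exactly what "managed domains include sub-domains" means in code. The following is an added example, not the product's own implementation, that classifies an address against a managed-domain list using the rules stated in this chapter: sub-domains of a managed DNS domain are internal, multi-level domains such as example.co.uk are accepted, Domino domain names are matched by exact name, and WINS names such as \\EXAMPLE are rejected. Matching is done on whole DNS labels, so a look-alike domain such as notexample.com is not mistaken for a sub-domain of example.com, which a naive suffix test would do. The managed-domain list and the addresses are constructed sample data.

```python
"""Classify email addresses as internal or external from a managed-domain list.

Added example; not part of Lotus Protector for Mail Encryption Server.
Rules applied: a managed DNS domain covers its sub-domains, multi-level
domains such as example.co.uk are allowed, Domino domain names are matched
exactly, and WINS names (\\EXAMPLE) are rejected. Sub-domain matching is
label-aware so that notexample.com never matches example.com.
"""
import re
from typing import Iterable

_DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(domain: str) -> str:
    """Validate and canonicalise a managed-domain entry (DNS or Domino name)."""
    name = domain.strip()
    if not name or name.startswith("\\\\") or "/" in name:
        raise ValueError(f"not a DNS or Domino domain name: {domain!r}")
    return name.rstrip(".").lower()


def is_dns_domain(name: str) -> bool:
    """True for a dotted name made of valid DNS labels (example.com, example.co.uk)."""
    return "." in name and all(_DNS_LABEL.match(label) for label in name.split("."))


def domain_is_managed(domain: str, managed: Iterable[str]) -> bool:
    """True if `domain` is a managed domain or a sub-domain of a managed DNS domain."""
    d = normalize_domain(domain)
    for m in map(normalize_domain, managed):
        if d == m:
            return True
        # Label-aware sub-domain test: corp.example.com matches, notexample.com does not.
        if is_dns_domain(m) and d.endswith("." + m):
            return True
    return False


def is_internal(address: str, managed: Iterable[str]) -> bool:
    """Internal user: the part after the last '@' (SMTP or Notes address) is managed."""
    if "@" not in address:
        return False
    _, _, domain = address.rpartition("@")
    return domain_is_managed(domain, managed)


MANAGED = ["example.com", "example.co.uk", "ExDomino"]   # constructed sample list

if __name__ == "__main__":
    for addr in ["alice@example.com", "bob@mail.corp.example.com",
                 "carol@example.co.uk", "dave@notexample.com",
                 "Erin Smith/Sales/Example@ExDomino"]:
        label = "internal" if is_internal(addr, MANAGED) else "external"
        print(f"{addr:40} {label}")
```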

Adding Managed Domains

To add a domain to the list of managed domains

1 Click Add Managed Domain. The Add Managed Domain dialog box appears.

2 Type a domain name in the Domain field. Do not type WINS names (for example, \\EXAMPLE) here. Type only Internet DNS domain names or Domino domain names.

3 Click Save.

Deleting Managed Domains

If you delete a managed domain, all the user IDs within that domain remain in the system. Users can still encrypt and sign messages with their keys.

To remove a domain name already on the list of managed domains

1 Click the icon in the Delete column of the domain you want to remove from the list. A confirmation dialog box appears.

2 Click OK. The confirmation dialog box disappears and the selected domain name is removed from the list of managed domains.


9 Understanding Keys

This chapter introduces some of the concepts related to how Consumer keys are managed. It introduces the concept of key modes, which are used to control whether internal and external users can manage their own keys or whether keys should be managed by Lotus Protector for Mail Encryption Server. It also discusses the use of Certificate Revocation Lists and key reconstruction blocks.

Key Modes

Keys generated by Lotus Protector for Mail Encryption Server and Lotus Protector for Mail Encryption Client are managed entirely by the Lotus Protector for Mail Encryption Server. These keys are called Server Managed Keys (SKM). If you purchase a PGP Desktop license and create installers, you can choose whether you want users to be able to manage their own keys, or whether keys should be managed by the Lotus Protector for Mail Encryption Server.

End-to-end email processing functions refer to encryption, decryption, and signing performed at the client, rather than on the Lotus Protector for Mail Encryption Server. The table below summarizes, for each key mode, which email functions the Lotus Protector for Mail Encryption Server performs, which are performed end to end at the client, and what key material the server holds.

Key mode                        Server email functions      End-to-end functions        Keys managed by server
                                Encrypt  Decrypt  Sign      Encrypt  Decrypt  Sign
Server Key Mode (SKM)           Yes      Yes      Yes       Yes      Yes      Yes       Yes
Client Key Mode (CKM)           No       No       No        Yes      Yes      Yes       No
Guarded Key Mode (GKM)          No       No       No        Yes      Yes      Yes       Private keys stored passphrase protected
Server Client Key Mode (SCKM)   Yes      Yes      No        Yes      Yes      Yes       Public and private encryption subkeys stored on client and server; private signing subkeys stored only on client

Server Key Mode (SKM)

The Lotus Protector for Mail Encryption Server generates and manages user keys. Users cannot manage their own keys. Lotus Protector for Mail Encryption Server administrators have access to private keys. If a user has a client installation, the user's keys are downloaded to the client at each use. SKM can also be used without client installations; if there is no client installation, you must use SKM. The client stores the private key encrypted to a random passphrase, so users can read email offline. PGP NetShare does not support SKM. SKM is not compatible with smart cards.

Client Key Mode (CKM)

Users use client software to generate and manage their own keys. Lotus Protector for Mail Encryption Server administrators do not have access to private keys. Because the server holds no private key, CKM user email remains encrypted while it is stored on the mail server. CKM users are responsible for backing up their keys; if they lose their private keys, there is no way to retrieve them. Users who want to be able to read their email offline and unconnected to Lotus Protector for Mail Encryption Server must use CKM. PGP NetShare supports CKM; it requires that users control their own keys.

Guarded Key Mode (GKM)

Users generate and manage their own keys, and store their passphrase-protected private keys on the server. GKM is similar to CKM, except that Lotus Protector for Mail Encryption Server stores protected copies of private keys. PGP NetShare supports GKM; it requires that users control their own keys.

Server Client Key Mode (SCKM)

Keys are generated on the client. Private encryption subkeys are stored on both the client and Lotus Protector for Mail Encryption Server, and private signing subkeys are stored only on the client. The server can therefore encrypt and decrypt mail on the user's behalf, but it cannot sign on the user's behalf.