protector admin
TRANSCRIPT
-
7/27/2019 Protector Admin
1/403
IBM Lotus Protector for MailEncryption Server
Administrator's Guide
-
7/27/2019 Protector Admin
2/403
-
7/27/2019 Protector Admin
3/403
-
7/27/2019 Protector Admin
4/403
IBM Software Group One Rogers StreetCambridge, MA 02142
USA
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
4
-
7/27/2019 Protector Admin
5/403
13
Contents
Introduction
What is Lotus Protector for Mail Encryption Server 13
Who Should Read This Guide 14
Symbols 14
Getting Assistance 14
The Big Picture 15
Important Terms 15
Overview of Products 15Lotus Protector for Mail Encryption Server Concepts 17
Lotus Protector for Mail Encryption Server Features 18
Lotus Protector for Mail Encryption Server User Types 20
Installation Overview 21
Open Ports 27
TCP Ports 27
UDP Ports 29
Naming your Lotus Protector for Mail Encryption Server 31
Considering a Name for Your Lotus Protector for Mail Encryption Server 31
Methods for Naming a Lotus Protector for Mail Encryption Server 32
Understanding the Administrative Interface 33
System Requirements 33
Logging In 33
The System Overview Page 35
Managing Alerts 36
Administrative Interface Map 37
Icons 38
Licensing Your Software 43
Licensing a Lotus Protector for Mail Encryption Server 43
Operating in Learn Mode 45
Purpose of Learn Mode 45Checking the Logs 46
Managing Learn Mode 46
i
-
7/27/2019 Protector Admin
6/403
IBM Lotus Protector for Mail Encryption Server Contents
Managed Domains 49
About Managed Domains 49
Adding Managed Domains 50Deleting Managed Domains 50
Understanding Keys 51
Key Modes 51
Lotus Protector for Mail Encryption Server Supported Key Modes 53
How Lotus Protector for Mail Encryption Server Uses Certificate Revocation Lists 54
Key Reconstruction Blocks 54
Managing Organization Keys 57
About Organization Keys 57
Organization Key 57Inspecting the Organization Key 58
Regenerating the Organization Key 59Importing an Organization Key 59
Organization Certificate 60
Inspecting the Organization Certificate 61
Exporting the Organization Certificate 61
Deleting the Organization Certificate 62
Generating the Organization Certificate 62
Importing the Organization Certificate 63
Additional Decryption Key (ADK) 63
Importing the ADK 64
Inspecting the ADK 64
Deleting the ADK 65
Verified Directory Key 65
Importing the Verified Directory Key 65
Inspecting the Verified Directory Key 66
Deleting the Verified Directory Key 66
Administering Managed Keys 67
Managed Key Permissions 68
Viewing Managed Keys 68
Managed Key Information 69
Email Addresses 72
Subkeys 72Certificates 72
Permissions 72
Attributes 73
Symmetric Key Series 74
Symmetric Keys 76
Custom Data Objects 77
Exporting Consumer Keys 78
ii
-
7/27/2019 Protector Admin
7/403
IBM Lotus Protector for Mail Encryption Server Contents
Exporting the Managed Key of an Internal User 78
Exporting the Managed Key of an External User 79
Exporting Mail Encryption Verified Directory User Keys 80
Exporting the Managed Key of a Managed Device 80
Deleting Consumer Keys 81Deleting the Managed Key of an Internal User 81
Deleting the Managed Key of an External User 81Deleting the Key of a Mail Encryption Verified Directory User 82
Deleting the Managed Key of a Managed Device 82
Approving Pending Keys 82
Revoking Managed Keys 83
Managing Trusted Keys and Certificates 85
Overview 85
Trusted Keys 85
Trusted Certificates 85
Adding a Trusted Key or Certificate 86Inspecting and Changing Trusted Key Properties 87
Deleting Trusted Keys and Certificates 87Searching for Trusted Keys and Certificates 88
Setting Mail Policy 89
Overview 89
How Policy Chains Work 90
Mail Policy and Dictionaries 91
Mail Policy and Key Searches 91
Mail Policy and Cached Keys 92
Understanding the Pre-Installed Policy Chains 92
Mail Policy Outside the Mailflow 94
Using the Rule Interface 94
The Conditions Card 95
The Actions Card 97
Building Valid Chains and Rules 97
Using Valid Processing Order 98
Creating Valid Groups 99Creating a Valid Rule 100
Managing Policy Chains 100
Mail Policy Best Practices 101Restoring Mail Policy to Default Settings 101
Editing Policy Chain Settings 101
Adding Policy Chains 101Deleting Policy Chains 103
Exporting Policy Chains 103
Printing Policy Chains 104
Managing Rules 104
Adding Rules to Policy Chains 104
Deleting Rules from Policy Chains 104
Enabling and Disabling Rules 105
iii
-
7/27/2019 Protector Admin
8/403
IBM Lotus Protector for Mail Encryption Server Contents
Changing the Processing Order of the Rules 106
Adding Key Searches 106
Choosing Condition Statements, Conditions, and Actions 106
Condition Statements 107
Conditions 107Actions 113
Applying Key Not Found Settings to External Users 129
Overview 129Bounce the Message 130
Mail Encryption PDF Messenger 130
Certified Delivery with Mail Encryption PDF Messenger 131Send Unencrypted 131
Mail Encryption Smart Trailer 132
Protector for Mail Encryption Web Messenger 133
Changing Policy Settings 135
Changing User Delivery Method Preference 135
Using Dictionaries with Policy 137
Overview 137
Default Dictionaries 138
Editing Default Dictionaries 140
User-Defined Dictionaries 141
Adding a User-Defined Dictionary 141Editing a User-Defined Dictionary 142
Deleting a Dictionary 142
Exporting a Dictionary 143Searching the Dictionaries 143
Keyservers, SMTP Archive Servers, and Mail Policy 145
Overview 145
Keyservers 145
Adding or Editing a Keyserver 146
Deleting a Keyserver 148
SMTP Servers 148
Adding or Editing an Archive Server 148
Deleting an Archive Server 149
Managing Keys in the Key Cache 151
Overview 151Changing Cached Key Timeout 151
Purging Keys from the Cache 152
Trusting Cached Keys 152
Viewing Cached Keys 152
Searching the Key Cache 153
iv
-
7/27/2019 Protector Admin
9/403
IBM Lotus Protector for Mail Encryption Server Contents
Configuring Mail Proxies 155
Overview 155
Lotus Protector for Mail Encryption Server and Mail Proxies 155Mail Proxies in a Gateway Placement 156
Mail Proxies in an Internal Placement 158
Mail Proxies Page 159
Creating New or Editing Existing Proxies 160
Creating or Editing a POP/IMAP Proxy 160
Creating or Editing an Outbound SMTP Proxy 162
Creating or Editing an Inbound SMTP Proxy 164
Creating or Editing a Unified SMTP Proxy 166
Email in the Mail Queue 171
Overview 171
Deleting Messages from the Mail Queue 172
Specifying Mail Routes 173
Overview 173
Managing Mail Routes 174
Adding a Mail Route 174
Editing a Mail Route 175
Deleting a Mail Route 175
Customizing System Message Templates 177
Overview 177
Templates and Message Size 178
Mail Encryption PDF Messenger Templates 178
Templates for New Protector for Mail Encryption Web Messenger Users 178Editing a Message Template 179
Managing Groups 181
Understanding Groups 181
Sorting Consumers into Groups 181
Everyone Group 182
Excluded Group 182
Policy Group Order 183
Setting Policy Group Order 183Creating a New Group 183
Deleting a Group 184
Viewing Group Members 184
Manually Adding Group Members 185
Manually Removing Members from a Group 185
Group Permissions 186Adding Group Permissions 187
v
-
7/27/2019 Protector Admin
10/403
IBM Lotus Protector for Mail Encryption Server Contents
Deleting Group Permissions 187
Setting Group Membership 188
Searching Groups 189
Creating Group Client Installations 189
How Group Policy is Assigned to PGP Desktop Installers 190Creating PGP Desktop Installers 191
Distributing the Lotus Protector for Mail Encryption Client 197
Preparing the Lotus Protector for Mail Encryption Client for installation 197
Editing the Notes.ini File 198
Configuring the .MSI File 198
Editing the PMEConf.dat File 199
Managing Devices 201
Managed Devices 202
Adding and Deleting Managed Devices 202Adding Managed Devices to Groups 203
Managed Device Information 205
Deleting Managed Devices from Lotus Protector for Mail Encryption Server 208
Deleting Managed Devices from Groups 209WDE Devices (Computers and Disks) 210
WDE Computers 210
WDE Disks 212
Searching for Devices 214
Administering Consumer Policy 217
Understanding Consumer Policy 217
Making Sure Users Create Strong Passphrases 218
Understanding Entropy 218
Using the Windows Preinstallation Environment 219
X.509 Certificate Management in Lotus Notes Environments 219
Trusting Certificates Created by Lotus Protector for Mail Encryption Server 220Setting the Lotus Notes Key Settings in Lotus Protector for Mail Encryption Server 222
Technical Deployment Information 223
Offline Policy 223Using a Policy ADK 225
Out of Mail Stream Support 225
Enrolling Users through Silent Enrollment 227
Silent Enrollment with Mac OS X 227
Silent Enrollment with Windows 227PGP Whole Disk Encryption Administration 228
PGP Whole Disk Encryption on Mac OS X with FileVault 228
How Does Single Sign-On Work? 228
Enabling Single Sign-On 229
Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 231
Managing Clients Locally Using the PGP WDE Administrator Key 231
vi
-
7/27/2019 Protector Admin
11/403
IBM Lotus Protector for Mail Encryption Server Contents
Managing Consumer Policies 233
Adding a Consumer Policy 233
Editing a Consumer Policy 233
Deleting a Consumer Policy 234
Setting Policy for Clients 235
Client and Lotus Protector for Mail Encryption Server Version Compatibility 235
Establishing PGP Desktop Settings for Your PGP Desktop Clients 236
PGP Desktop Feature License Settings 237
Controlling PGP Desktop Components 238
PGP Portable 239
PGP Mobile 240
PGP NetShare 240
How the PGP NetShare Policy Settings Work Together 240
Multi-user environments and managing PGP NetShare 241
Backing Up PGP NetShare-Protected Files 241
Using Directory Synchronization to Manage Consumers 243
How Lotus Protector for Mail Encryption Server Uses Directory Synchronization 243
Base DN and Bind DN 245Consumer Matching Rules 246
Understanding User Enrollment Methods 246
Before Creating a Client Installer 247
Directory Enrollment 248
Email Enrollment 250
Enabling Directory Synchronization 252
Adding or Editing an LDAP Directory 253
The LDAP Servers Tab 254
The Base Distinguished Name Tab 254
The Consumer Matching Rules Tab 255
Testing the LDAP Connection 255
Using Sample Records to Configure LDAP Settings 255
Deleting an LDAP Directory 256
Setting LDAP Directory Order 256
Directory Synchronization Settings 256
Managing User Accounts 259
Understanding User Account Types 259
Viewing User Accounts 259
User Management Tasks 259Setting User Authentication 260
Editing User Attributes 260
Adding Users to Groups 260
Editing User Permissions 261
Deleting Users 261
Searching for Users 262
Viewing User Log Entries 262
vii
-
7/27/2019 Protector Admin
12/403
IBM Lotus Protector for Mail Encryption Server Contents
Changing Display Names and Usernames 262
Exporting a Users X.509 Certificate 263
Revoking a User's X.509 Certificate 264
Managing User Keys 264
Managing Internal User Accounts 265Importing Internal User Keys Manually 265
Creating New Internal User Accounts 266Exporting PGP Whole Disk Encryption Login Failure Data 267
Internal User Settings 267
Managing External User Accounts 271
Importing External Users 272
Exporting Delivery Receipts 273
External User Settings 274
Managing Verified Directory User Accounts 275
Importing Verified Directory Users 276
Mail Encryption Verified Directory User Settings 277
Recovering Encrypted Data in an Enterprise Environment 279
Using Key Reconstruction 279Recovering Encryption Key Material without Key Reconstruction 280
Encryption Key Recovery of CKM Keys 280
Encryption Key Recovery of GKM Keys 281
Encryption Key Recovery of SCKM Keys 281Encryption Key Recovery of SKM Keys 282
Using an Additional Decryption Key for Data Recovery 282
PGP Universal Satellite 285
Overview 285
Technical Information 286
Distributing the PGP Universal Satellite Software 286
Configuration 286
Key Mode 286
PGP Universal Satellite Configurations 287
Switching Key Modes 290
Policy and Key or Certificate Retrieval 290Retrieving Lost Policies 290
Retrieving Lost Keys or Certificates 292
PGP Universal Satellite for Windows 295
Overview 295System Requirements 295
Obtaining the Installer 296
Installation 296
Updates 297
Files 297
MAPI Support 298
External MAPI Configuration 298
viii
-
7/27/2019 Protector Admin
13/403
IBM Lotus Protector for Mail Encryption Server Contents
Lotus Notes Support 299
External Lotus Notes Configuration 299
PGP Universal Satellite for Mac OS X 301
Overview 301
System Requirements 301
Obtaining the Installer 302
Installation 302
Updates 303
Files 303
Configuring Protector for Mail Encryption Web Messenger 305
Overview 305
Protector for Mail Encryption Web Messenger and Clustering 306
External Authentication 307
Customizing Protector for Mail Encryption Web Messenger 308Adding a New Template 309
Troubleshooting Customization 313
Changing the Active Template 316
Deleting a Template 316Editing a Template 316
Downloading Template Files 317
Restoring to Factory Defaults 317
Configuring the Protector for Mail Encryption Web Messenger Service 317
Starting and Stopping Protector for Mail Encryption Web Messenger 318
Selecting the Protector for Mail Encryption Web Messenger Network Interface 319
Setting Up External Authentication 320
Creating Settings for Protector for Mail Encryption Web Messenger User Accounts 321
Setting Message Replication in a Cluster 322
Configuring the Integrated Keyserver 325
Overview 325Starting and Stopping the Keyserver Service 325
Configuring the Keyserver Service 326
Configuring the Mail Encryption Verified Directory 329
Overview 329
Starting and Stopping the Mail Encryption Verified Directory 330
Configuring the Mail Encryption Verified Directory 330
Managing the Certificate Revocation List Service 333
Overview 333
Starting and Stopping the CRL Service 333
Editing CRL Service Settings 334
ix
-
7/27/2019 Protector Admin
14/403
IBM Lotus Protector for Mail Encryption Server Contents
Configuring Universal Services Protocol 335
Starting and Stopping USP 335
Adding USP Interfaces 335
System Graphs 337
Overview 337
CPU Usage 337
Message Activity 338
Whole Disk Encryption 338
Recipient Statistics 339
Recipient Domain Statistics 339
System Logs 341
Overview 341Filtering the Log View 342
Searching the Log Files 343Exporting a Log File 343
Enabling External Logging 344
Configuring SNMP Monitoring 345
Overview 345
Starting and Stopping SNMP Monitoring 346
Configuring the SNMP Service 346
Downloading the Custom MIB File 347
Viewing Server and License Settings and Shutting Down Services 349
Server Information 349
Setting the Time 350
Updating Software 350
Licensing a Lotus Protector for Mail Encryption Server 350
Downloading the Release Notes 351
Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Software Services351
Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Hardware 352
Managing Administrator Accounts 353
Overview 353Administrator Roles 354
Administrator Authentication 354
Creating a New Administrator 355
Importing SSH v2 Keys 356Deleting Administrators 356
x
-
7/27/2019 Protector Admin
15/403
IBM Lotus Protector for Mail Encryption Server Contents
Inspecting and Changing the Settings of an Administrator 357
Configuring RSA SecurID Authentication 358
Resetting SecurID PINs 359
Daily Status Email 360
Protecting Lotus Protector for Mail Encryption Server with Ignition Keys 363
Overview 363
Ignition Keys and Clustering 365
Preparing Hardware Tokens to be Ignition Keys 365
Configuring a Hardware Token Ignition Key 367
Configuring a Soft-Ignition Passphrase Ignition Key 367
Deleting Ignition Keys 368
Backing Up and Restoring System and User Data 369
Overview 369
Creating Backups 370Scheduling Backups 370
Performing On-Demand Backups 370
Configuring the Backup Location 370
Restoring From a Backup 372Restoring On-Demand 372
Restoring Configuration 373
Restoring from a Different Version 374
Updating Lotus Protector for Mail Encryption Server Software 375
Overview 375
Inspecting Update Packages 376
Setting Network Interfaces 377
Understanding the Network Settings 377
Changing Interface Settings 378
Adding Interface Settings 378Deleting Interface Settings 379
Editing Global Network Settings 379
Assigning a Certificate 379
Working with Certificates 380
Importing an Existing Certificate 380
Generating a Certificate Request 381
Adding a Pending Certificate 382Inspecting a Certificate 382
Exporting a Certificate 383
Deleting a Certificate 383
xi
-
7/27/2019 Protector Admin
16/403
IBM Lotus Protector for Mail Encryption Server Contents
Clustering your Lotus Protector for Mail Encryption Servers 385
Overview 385
Cluster Status 386Creating a Cluster 387
Deleting Cluster Members 390
Clustering and Protector for Mail Encryption Web Messenger 390
Managing Settings for Cluster Members 391
Changing Network Settings in Clusters 393
Index 395
xii
-
7/27/2019 Protector Admin
17/403
1Introduction
This Administrators Guide describes both the IBM Lotus Protector for Mail
Encryption Server and Client software. It tells you how to get them up and
running on your network, how to configure them, and how to maintain them.
This section provides a high-level overview of Lotus Protector for Mail
Encryption Server.
Sections of the Lotus Protector for Mail Encryption Server Administrator's
Guiderefer to management of PGP Whole Disk Encryption, PGP Portable, PGP
NetShare, and other PGP Desktop client products. The PGP Desktop products
encrypt data on disks, removable media, and mobile devices as well as secure
files for collaborating teams, and they can be fully managed by the Lotus
Protector for Mail Encryption Server. However, these PGP products must be
purchased separately (from PGP Corporation) to be deployed and managed by
the Lotus Protector for Mail Encryption Server.
What is Lotus Protector for Mail Encryption Server
With Lotus Protector for Mail Encryption Server management server, you can
manage your organization's security policies, users, keys and configurations,
deliver messages to external recipients with or without encryption keys, and
defend sensitive data to avoid the financial loss, legal ramifications, and brand
damage resulting from a data breach.
Lotus Protector for Mail Encryption Server automatically creates and maintains a
Self-Managing Security Architecture (SMSA) by monitoring authenticated users
and their email traffic. You can also send protected messages to addresses that
are notpart of the SMSA. The Lotus Protector for Mail Encryption Server
encrypts, decrypts, signs, and verifies messages automatically, providing strongsecurity through policies you control.
Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise
customers with an automatic, transparent encryption solution for securing
internal and external confidential email communications, managed by the Lotus
Protector for Mail Encryption Server. Lotus Notes offers a native encryption
solution for secure messaging within an organization. While Lotus Protector for
Mail Encryption Client can be used for internal-to-internal secure messaging, it
is intended to secure the internal component of a message which is being
delivered to an external recipient. With Lotus Protector for Mail Encryption
Client, you can minimize the risk of a data breach and better comply with
partner and regulatory mandates for information security and privacy.
13
-
7/27/2019 Protector Admin
18/403
IBM Lotus Protector for Mail Encryption Server Introduction
The management capabilities of the Lotus Protector for Mail Encryption Server
can be extended to managing the PGP Desktop applications that provide
encryption of data on disks, removable media, and mobile devices as well as
security of files for collaborating teams.
Who Should Read This Guide
This Administrators Guide is for the person or persons who implement and
maintain your organizations Lotus Protector for Mail Encryption Server
environment. These are the Lotus Protector for Mail Encryption Server
administrators.
This guide is also intended for anyone else who wants to learn about how Lotus
Protector for Mail Encryption Server works.
Symbols
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention
to important aspects of the product. You can use the product better if you
read the Notes.
Caution: Cautions indicate the possibility of loss of data or a minor security
breach. A Caution tells you about a situation where problems can occur
unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major
security breach. A Warning means serious problems will occur unless you
take the appropriate action. Please take Warnings very seriously.
Getting Assistance
For additional information about Lotus Protector for Mail Encryption Server and
how to obtain support, see Lotus Protector for Mail Encryption
(http://www.ibm.com/software/lotus/products/protector/mailencryption/).
14
http://www.ibm.com/software/lotus/products/protector/mailencryption/http://www.ibm.com/software/lotus/products/protector/mailencryption/ -
7/27/2019 Protector Admin
19/403
2 The Big Picture
This chapter describes some important terms and concepts and gives you a
high-level overview of the things you need to do to set up and maintain your
Lotus Protector for Mail Encryption Server environment.
Important Terms
The following sections define important terms you will encounter throughout
the Lotus Protector for Mail Encryption Server and this documentation.
Overview of Products
Lotus Protector for Mail Encryption Server: A device you add to your
network that provides secure messaging with little or no user interaction.
The Lotus Protector for Mail Encryption Server automatically creates and
maintains a security architecture by monitoring authenticated users and
their email traffic. You can also send protected messages to addresses that
are notpart of the security architecture.
PGP Global Directory: A free, public keyserver hosted by PGP
Corporation. The PGP Global Directory provides quick and easy access
to the universe of PGP keys. It uses next-generation keyservertechnology that queries the email address on a key (to verify that theowner of the email address wants their key posted) and lets users
manage their own keys. Using the PGP Global Directory significantly
enhances your chances of finding a valid public key of someone to
whom you want to send secured messages.
For external users without encryption keys, Lotus Protector for Mail
Encryption Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such
as a web browser or Adobe Acrobat Reader. For email recipients who do
not have an encryption solution, you can use of of the following secure
delivery options from Lotus Protector for Mail Encryption Server:
PGP Universal Satellite: The PGP Universal Satellite software
resides on the computer of an external email user. It allows email to
be encrypted end to end, all the way to and from the desktop. UsingPGP Universal Satellite is one of the ways for external users to
participate in the SMSA. It also allows users the option of controlling
their keys on their local computers (if allowed by the administrator).
15
-
7/27/2019 Protector Admin
20/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
Protector for Mail Encryption Web Messenger: The Protector for
Mail Encryption Web Messenger service allows an external user to
securely read a message from an internal user beforethe external
user has a relationship with the SMSA. If Protector for Mail Encryption
Web Messenger is available via mail policy for a user and therecipients key cannot be found, the message is stored on the Lotus
Protector for Mail Encryption Server and an unprotected message is
sent to the recipient. The unprotected message includes a link to the
original message, held on the Lotus Protector for Mail Encryption
Server. The recipient must create a passphrase, and then can access
his encrypted messages stored on Lotus Protector for Mail Encryption
Server.
Mail Encryption PDF Messenger: Mail Encryption PDF Messengerenables sending encrypted PDF messages to external users who do
not have a relationship with the SMSA. In the normal mode, as with
Protector for Mail Encryption Web Messenger, the user receives a
message with a link to the encrypted message location and uses a
Protector for Mail Encryption Web Messenger passphrase to access
the message. Mail Encryption PDF Messenger also provides Certified
Delivery, which encrypts the message to a one-time passphrase, and
creates and logs a delivery receipt when the user retrieves the
passphrase.
Lotus Protector for Mail Encryption Client: Lotus Protector for Mail
Encryption Client provides IBM Lotus enterprise customers with an
automatic, transparent encryption solution for securing internal and external
confidential email communications. Lotus Notes offers a native encryption
solution for secure messaging within an organization. While Lotus
Protector for Mail Encryption Client can be used for internal-to-internal
secure messaging, it is intended to secure the internal component of a
message which is being delivered to an external recipient. With LotusProtector for Mail Encryption Client, you can minimize the risk of a data
breach and better comply with partner and regulatory mandates for
information security and privacy.
Separately-licensed PGP products:
PGP Desktop: A client software tool that uses cryptography to protect your
data against unauthorized access. PGP Desktop is available for Windows
and Mac OS X. It can include the following components, depending upon
the features you license:
PGP Whole Disk Encryption: Whole Disk Encryption is a feature of
PGP Desktop that encrypts your entire hard drive or partition,
including your boot record, thus protecting all your files when you arenot using them. PGP Whole Disk Encryption is also available for
selected Linux systems.
16
-
7/27/2019 Protector Admin
21/403
-
7/27/2019 Protector Admin
22/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
Lotus Protector for Mail Encryption Server Features
Administrative Interface: Each Lotus Protector for Mail Encryption Server
is controlled via a Web-based administrative interface. The administrativeinterface gives you control over Lotus Protector for Mail Encryption Server.
While many settings are initially established using the web-based Setup
Assistant, all settings of a Lotus Protector for Mail Encryption Server can
be controlled via the administrative interface.
Backup and Restore: Because full backups of the data stored on your
Lotus Protector for Mail Encryption Server are critical in a natural disaster or
other unanticipated loss of data or hardware, you can schedule automatic
backups of your Lotus Protector for Mail Encryption Server data or
manually perform a backup.
You can fully restore a Lotus Protector for Mail Encryption Server from a
backup. In the event of a minor problem, you can restore the Lotus
Protector for Mail Encryption Server to any saved backup. In the event that
a Lotus Protector for Mail Encryption Server is no longer usable, you can
restore its data from a backup onto a new Lotus Protector for Mail
Encryption Server during initial setup of the new Lotus Protector for Mail
Encryption Server using the Setup Assistant. All backups are encrypted to
the Organization Key and can be stored securely off the Lotus Protector for
Mail Encryption Server.
Cluster: When you have two or more Lotus Protector for Mail Encryption
Servers in your network, you configure them to synchronize with each
other; this is called a cluster.
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries
work with mail policy to allow you to define content lists that can triggerrules.
Directory Synchronization: If you have LDAP directories in your
organization, your Lotus Protector for Mail Encryption Server can be
synchronized with the directories. The Lotus Protector for Mail Encryption
Server automatically imports user information from the directories when
users send and receive email; it also creates internal user accounts for
them, including adding and using X.509 certificates if they are contained in
the LDAP directories.
Ignition Keys: You can protect the contents of a Lotus Protector for Mail
Encryption Server, even if the hardware is stolen, by requiring the use of a
hardware token or a software passphrase, or both, on start.
Keyserver: Each Lotus Protector for Mail Encryption Server includes an
integrated keyserver populated with the public keys of your internal users.
When an external user sends a message to an internal user, the external
Lotus Protector for Mail Encryption Server goes to the keyserver to find the
public key of the recipient to use to secure the message. The Lotus
Protector for Mail Encryption Server administrator can enable or disable the
service, and control access to it via the administrative interface.
18
-
7/27/2019 Protector Admin
23/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
Learn Mode: When you finish configuring a Lotus Protector for Mail
Encryption Server using the Setup Assistant, it begins in Learn Mode,
where the Lotus Protector for Mail Encryption Server sends messages
through mail policy without taking any action on the messages, and does
not encrypt or sign any messages.Learn Mode gives the Lotus Protector for Mail Encryption Server a chance
to build its SMSA (creating keys for authenticated users, for example) so
that when when Learn Mode is turned off, the Lotus Protector for Mail
Encryption Server can immediately begin securing messages. It is also an
excellent way for administrators to learn about the product.
You should check the logs of the Lotus Protector for Mail Encryption Server
while it is in Learn Mode to see what it would be doing to email traffic if it
were live on your network. You can make changes to the Lotus Protector
for Mail Encryption Servers policies while it is in Learn Mode until things
are working as expected.
Mail Policy: The Lotus Protector for Mail Encryption Server processes
email messages based on the policies you establish. Mail policy applies to
inbound and outbound email processed by both Lotus Protector for Mail
Encryption Server and client software. Mail policy consists of multiple
policy chains, comprised of sequential mail processing rules.
Organization Certificate: You must create or obtain an Organization
Certificate to enable S/MIME support by Lotus Protector for Mail
Encryption Server. The Organization Certificate signs all X.509 certificates
the server creates.
Organization Key: The Setup Assistant automatically creates an
Organization Key (actually a keypair) when it configures a Lotus Protector
for Mail Encryption Server. The Organization Key is used to sign all PGP
keys the Lotus Protector for Mail Encryption Server creates and to encryptLotus Protector for Mail Encryption Server backups.
Caution: It is extremely important to back up your Organization Key: all
keys the Lotus Protector for Mail Encryption Server creates are signed by
the Organization Key, and all backups are encrypted to the Organization
Key. If you lose your Organization Key and have not backed it up, the
signatures on those keys are meaningless and you cannot restore from
backups encrypted to the Organization Key.
Mail Encryption Verified Directory: The Mail Encryption Verified Directory
supplements the internal keyserver by letting internal and external users
manage the publishing of their own public keys. The Mail Encryption
Verified Directory also serves as a replacement for the PGP Keyserverproduct. The Mail Encryption Verified Directory uses next-generation
keyserver technology to ensure that the keys in the directory can be
trusted.
19
-
7/27/2019 Protector Admin
24/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
Server Placement: A Lotus Protector for Mail Encryption Server can be
placed in one of two locations in your network to process email.
With an internal placement, the Lotus Protector for Mail Encryption Server
logically sits between your email users and your mail server. It encrypts
and signs outgoing SMTP email and decrypts and verifies incoming mailbeing picked up by email clients using POP or IMAP. Email stored on your
mail server is stored secured (encrypted).
With a gateway placement, the Lotus Protector for Mail Encryption Server
logically sits between your mail server and the Internet. It encrypts and
signs outgoing SMTP email and decrypts and verifies incoming SMTP
email. Email stored on your mail server is stored unsecured.
For more information, see Configuring Mail Proxies(on page 155) and the
Lotus Protector for Mail Encryption Server Installation Guide.
Setup Assistant: When you attempt to log in for the first time to theadministrative interface of a Lotus Protector for Mail Encryption Server, the
Setup Assistant takes you through the configuration of that Lotus Protectorfor Mail Encryption Server.
Lotus Protector for Mail Encryption Server User Types
Administrators: Any user who manages the Lotus Protector for Mail
Encryption Server and its security configuration from inside the internal
network.
Only administrators are allowed to access the administrative interface that
controls Lotus Protector for Mail Encryption Server. A Lotus Protector for
Mail Encryption Server supports multiple administrators, each of which can
be assigned a different authority: from read-only access to full control overevery feature and function.
Consumers: Internal, external, and Verified Directory users, and devices.
External Users: External users are email users from other domains(domains notbeing managed by your Lotus Protector for Mail
Encryption Server) who have been added to the SMSA.
Internal Users: Internal users are email users from the domains being
managed by your Lotus Protector for Mail Encryption Server.
Lotus Protector for Mail Encryption Server allows you to manage PGPDesktop deployments to your internal users. The administrator can
control which PGP Desktop features are automatically implemented at
install, and establish and update security policy for PGP Desktop usersthat those users cannot override (except on the side of being more
secure).
Mail Encryption Verified Directory Users: Internal and externalusers who have submitted their public keys to the Mail Encryption
Verified Directory, a Web-accessible keyserver.
20
-
7/27/2019 Protector Admin
25/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
Devices: Managed devices, WDE computers, and WDE disks.
Managed devices are arbitrary objects whose keys are managed by
Lotus Protector for Mail Encryption Server. WDE computers, and
WDE disks are devices that are detected when users enroll.
Other Email Users: Users within your organization can securely sendemail to recipients outside the SMSA.
First, the Lotus Protector for Mail Encryption Server attempts to find a key
for the recipient. If that fails, there are four fallback options, all controlled by
mail policy: bounce the message back to the sender (so it is not sent
unencrypted), send unencrypted, Mail Encryption Smart Trailer, and
Protector for Mail Encryption Web Messenger mail.
Mail Encryption Smart Trailer sends the message unencrypted and adds
text giving the recipient the option of joining the SMSA by installing PGP
Universal Satellite, using an existing key or certificate, or using Protector
for Mail Encryption Web Messenger. Protector for Mail Encryption Web
Messenger lets the recipient securely read the message on a secure
website; it also gives the recipient options for handling subsequent
messages from the same domain: read the messages on a secure website
using a passphrase they establish, install PGP Universal Satellite, or add an
existing key or certificate to the SMSA.
Installation Overview
The following steps are a broad overview of what it takes to plan, set up, and
maintain your Lotus Protector for Mail Encryption Server environment.
Steps 1 and 4 are described in the Lotus Protector for Mail Encryption Server
Installation Guide. The remaining tasks are described in this book.
Note that these steps apply to the installation of a new, stand-alone Lotus
Protector for Mail Encryption Server. If you plan to install a cluster, you must
install and configure one Lotus Protector for Mail Encryption Server following
the steps outlined here. Subsequent cluster members will receive most of their
configuration settings from the initial Lotus Protector for Mail Encryption Server
through data replication.
1 Plan where in your network you want to locate your Lotus Protectorfor Mail Encryption Server(s).
Where you put Lotus Protector for Mail Encryption Servers in your
network, how many Lotus Protector for Mail Encryption Servers you have
in your network, and other factors all have a major impact on how you addthem to your existing network.
Create a diagram of your network that includes all network components
and shows how email flows; this diagram details how adding a Lotus
Protector for Mail Encryption Server impacts your network.
21
-
7/27/2019 Protector Admin
26/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
For more information on planning how to add Lotus Protector for Mail
Encryption Servers to your existing network, see Adding the Lotus
Protector for Mail Encryption Server to Your Network in the Lotus Protector
for Mail Encryption Server Installation Guide.
2 Perform necessary DNS changes.
Add IP addresses for your Lotus Protector for Mail Encryption Servers, an
alias to your keyserver, update the MX record if necessary, add
keys., hostnames of potential Secondary servers for a cluster,
and so on.
Properly configured DNS settings (including root servers and appropriate
reverse lookup records) are required to support Lotus Protector for Mail
Encryption Server. Make sure both host and pointer records are correct. IP
addresses must be resolvable to hostnames, as well as hostnames
resolvable to IP addresses.
3 Prepare a hardware token Ignition Key.
If you want to add a hardware token Ignition Key during setup, install the
drivers and configure the token before you begin the Lotus Protector for
Mail Encryption Server setup process. See Protecting Lotus Protector for
Mail Encryption Server with Ignition Keys(on page 363) for information on
how to prepare a hardware token Ignition Key.
Note: In a cluster, the Ignition Key configured on the first Lotus Protector
for Mail Encryption Server in the cluster will also apply to the subsequent
members of the cluster.
4 Install and configure this Lotus Protector for Mail Encryption Server.
The Setup Assistant runs automatically when you first access the
administrative interface for the Lotus Protector for Mail Encryption Server.The Setup Assistant is where you can set or confirm a number of basicsettings such as your network settings, administrator password, server
placement option, mail server address and so on.
To configure multiple servers as a cluster, you must configure one server
first in the normal manner, then add the additional servers as cluster
members. You can do this through the Setup Assistant when you install a
server that will join an existing cluster, or you can do this through the LotusProtector for Mail Encryption Server administrative interface.
For more information, see Setting Up the Lotus Protector for Mail
Encryption Server in the Lotus Protector for Mail Encryption Server
Installation Guide.
5 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.
You can create a self-signed certificate for use with SSL/TLS traffic.
Because this certificate is self-signed, however, it might not be trusted by
email or Web browser clients. IBM Corporation recommends that you
obtain a valid SSL/TLS certificate for each of your Lotus Protector for Mail
Encryption Servers from a reputable Certificate Authority.
22
-
7/27/2019 Protector Admin
27/403
-
7/27/2019 Protector Admin
28/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
Note: When setting policy for Consumers, Lotus Protector for MailEncryption Server provides an option called Out of Mail Stream (OOMS)
support. OOMS specifies how the email gets transmitted from the client
to the server when Lotus Protector for Mail Encryption Client cannot find
a key for the recipient and therefore cannot encrypt the message.
OOMS is enable by default, as this is the most secure setting. WithOOMS enabled, sensitive messages that can't be encrypted locally are
sent to Lotus Protector for Mail Encryption Server "out of the mail
stream." Lotus Protector for Mail Encryption Client creates a separate,
encrypted network connection to the Lotus Protector for Mail Encryption
Server to transmit the message. However, archiving solutions, outbound
anti-virus filters, or other systems which monitor or proxy mail traffic will
not see these messages.
You can elect to disable OOMS, which means that sensitive messages
that can't be encrypted locally are sent to Lotus Protector for Mail
Encryption Server "in the mail stream" like normal email. Importantly, this
email is sent in the clear (unencrypted). Mail or Network administratorscould read these messages by accessing the mail server's storage or
monitoring network traffic. However, archiving solutions, outbound anti
virus filters, or other systems which monitor or proxy mail traffic will
process these messages normally.
During your configuration of your Lotus Protector for Mail Encryption
Server you should determine the appropriate settings for your
requirements. This option can be set separately for each policy group, and
is set through the Consumer Policy settings. For more details on the
effects of enabling or disabling OOMS, see Out of Mail Stream Support
(on page 225).
8 Add your Domino domain as a managed domain.Usually, you specify your Internet domain during installation through the
Setup Assistant. If your Lotus Protector for Mail Encryption Server is also
managing a Domino server, you must add your Domino domain name
manually through the Managed Domains page (Consumers > Managed
Domains).
9 Reconfigure the settings of your email clients and servers, ifnecessary.
Depending on how you are adding the Lotus Protector for Mail Encryption
Server to your network, some setting changes might be necessary. For
example, if you are using a Lotus Protector for Mail Encryption Server
placed internally, the email clients must have SMTP authentication turnedon. For Lotus Protector for Mail Encryption Servers placed externally, you
must configure your mail server to relay SMTP traffic to the Lotus Protector
for Mail Encryption Server.
24
-
7/27/2019 Protector Admin
29/403
-
7/27/2019 Protector Admin
30/403
IBM Lotus Protector for Mail Encryption Server The Big Picture
15 Take your Lotus Protector for Mail Encryption Servers out of LearnMode.
Once this is done, email messages are encrypted, signed, and
decrypted/verified, according to the relevant policy rules. Make sure you
have licensed each of your Lotus Protector for Mail Encryption Servers; youcannot take a Lotus Protector for Mail Encryption Server out of Learn Mode
until it has been licensed.
16 Monitor the system logs to make sure your Lotus Protector for MailEncryption Server environment is operating as expected.
26
-
7/27/2019 Protector Admin
31/403
-
7/27/2019 Protector Admin
32/403
IBM Lotus Protector for Mail Encryption Server Open Ports
Port Protocol/Service Comment
389 LDAP (Lightweight DirectoryAccess Protocol)
Used to allow remote hosts to
look up public keys of local users.
443 HTTPS (HyperText TransferProtocol, Secure)
Used for Lotus Protector for Mail
Encryption Client, PGP UniversalSatellite, and PGP Desktop policy
distribution and Protector for Mail
Encryption Web Messenger
access.
Used for access over HTTPS if the
Verified Directory is not enabled.
Also used for Universal Services
Protocal (USP)over SSL for
keyserver connection.
444 SOAPS (Simple Object AccessProtocol, Secure)
Used for clustering replication
messages.
465 SMTPS (Simple Mail TransferProtocol, Secure)
Used for sending mail securely
with internal placements only.
Closed for gateway placements.
This is a non-standard port used
only by legacy mail servers. We
recommend not using this port,
and instead always using
STARTTLS on port 25.
636 LDAPS (Lightweight Directory
Access Protocol, Secure)
Used to securely allow remote
hosts to look up public keys oflocal users.
993 IMAPS (Internet Message AccessProtocol, Secure)
Used for retrieving mail securely
by users with IMAP accounts with
internal placements only. Closed
for gateway placements.
995 POPS (Post Office Protocol,Secure)
Used for retrieving mail securely
by users with POP accounts withinternal placements only. Closed
for gateway placements.
9000 HTTPS (HyperText Transfer
Protocol, Secure)
Used to allow access to the Lotus
Protector for Mail EncryptionServer administrative interface.
28
-
7/27/2019 Protector Admin
33/403
IBM Lotus Protector for Mail Encryption Server Open Ports
UDP Ports
Port Protocol/Service Comment
53 DNS (Domain Name System) Used to look up a FQDN (Fully Qualified
Domain Name) on the DNS server, and
translate to an IP address.
123 NTP (Network Time Protocol) Used to synchronize the systems clock
with a reference time source on a different
server.
161 SNMP (Simple NetworkManagement Protocol)
Used by network management
applications to query the health and
activities of Lotus Protector for Mail
Encryption Server software and thecomputer on which it is installed.
29
-
7/27/2019 Protector Admin
34/403
-
7/27/2019 Protector Admin
35/403
-
7/27/2019 Protector Admin
36/403
IBM Lotus Protector for Mail Encryption Server Naming your Lotus Protector for Mail Encryption Server
If you have multiple Lotus Protector for Mail Encryption Servers in a cluster
managing an email domain, only one of those Lotus Protector for Mail
Encryption Servers needs to use the keys. convention.
Note: Keys that are found using the keys. convention are treated
as valid and trusted by default.
Alternately, keys. should be the address of a load-balancing device
which then distributes connections to your Lotus Protector for Mail Encryption
Servers keyserver service. The ports that would need to be load-balanced are
the ones on which you are running your keyserver service (typically port 389 for
LDAP and 636 for LDAPS).
Another acceptable naming convention would be to name your Lotus Protectorfor Mail Encryption Server according to the required naming convention your
company uses, and make sure the server has a DNS alias of
keys..com.
If you are administering multiple email domains, you should establish the
keys. convention for each email domain.
If your Lotus Protector for Mail Encryption Server is behind your corporate
firewall (as it should be), you need to make sure that ports 389 (LDAP) and 636
(LDAPS) are open to support the keys. convention.
Methods for Naming a Lotus Protector for Mail EncryptionServer
There are three ways to name your Lotus Protector for Mail Encryption Server
to support the keys. convention:
Name your Lotus Protector for Mail Encryption Server keys.
on the Host Name field of the Network Setup page in the Setup Assistant.
Change the Host Name of your Lotus Protector for Mail Encryption Server
to keys. using the administrative interface on the Network
Settings section of the System > Network page.
Create a DNS alias to your Lotus Protector for Mail Encryption Server that
uses the keys. convention that is appropriate for your DNS
server configuration.
32
http:///reader/full/keys.%3Cdomain%3E.comhttp:///reader/full/keys.%3Cdomain%3E.com -
7/27/2019 Protector Admin
37/403
-
7/27/2019 Protector Admin
38/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
2 Type the current login name in the Username field.
3 Type the current passphrase or SecurID passcode in the Passphrase field.
(If SecurID authentication is enabled, a message below the Passphrase
field will indicate that a SecurID passcode can be entered. A givenadministrator is configured to use either passphrase or SecurID
authentication, not both.)
4 Click the Login button or press Enter.
5 If the login credentials are accepted, the System Overview page appears.
6 If the login credentials do not match, an error is displayed. For passphrase
authentication that fails, an "Invalid Login" error appears. For SecurID
authentication, different events may occur. See the following procedure for
more information.
To log in using RSA SecurID authentication
1 Follow steps 1-4 in the procedure above. If your SecurID passcode is
accepted, and no PIN reset is required, the System Overview page
appears.
Note: If Lotus Protector for Mail Encryption Server fails to connect with
any RSA Manager server, you will be presented with the standard "InvalidLogin" message. The connection failure will be logged in the Lotus
Protector for Mail Encryption Server Administration log, enabling you to
determine whether this was the cause of the login failure.
2 If the RSA server policy determines that a PIN reset is required, upon
successful login the PIN Reset dialog appears. Depending on the RSA
server policy, you may be able to have the RSA server generate a new PIN
for you, or enter a new PIN manually. When this is done, the SystemOverview page appears. For more details see Resetting SecurID PINs(on
page 359).
3 If the RSA server detects a problem with the token code portion of your
passcode, you are asked to re-enter your PIN plus the next code shown on
your SecurID token. Type your PIN and the next token code that appears,
then click Login or press Enter.
4 Based on your RSA server policy, you may be given several chances to
authenticate successfully using the next token code. However, eventually
continued failures will result in a failed login.
Note: Log in events are logged in the Lotus Protector for Mail Encryption
Server Administration log. Successful and failed attempts, and next
tokencode requests are logged, as are problems connecting to the RSA
Manager servers.
34
-
7/27/2019 Protector Admin
39/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
The System Overview Page
The System Overview page is the first page you see when you log in to LotusProtector for Mail Encryption Server. You can also view it from Reporting >
Overview.
The page provides a general report of system information and statistics. The
information displayed includes:
System alerts, including licensing issues and PGP Whole Disk Encryption
login failures. System alerts appear at the top of the page.
System Graphs for CPU usage, message activity, and Whole Disk
Encryption. Click the buttons to switch the graphs. Click the System
Graphs heading to go to the Reporting > Graphs page. See System
Graphs(on page 337) for more information about system graphs.
Services information, including which services are running or stopped.
Depending on the service, the entry may also include the number of
users or keys handled by the service.
Click the service name link to go to the administrative page for that
service.
For a running Web Messenger service, click the URL to go to the Web
Messenger interface.
For a running Verified Directory service, click the URL to go to the
Verified Directory interface to search for a key, upload your own public
key, or remove your key from the searchable directory.
System Statistics, including software version number, system uptime,
total messages processed, and number of PGP Portable Disks created.
Click the Statistics link to go to the System > General Settings page.
Mail Queue statistics show the number of email messages in the queue
waiting to be processed, if applicable, and the size of the mail queue. Click
the Mail Queue link to go to the Mail > Mail Queue status page for
detailed information about the contents of the mail queue. Estimated Policy
Group Membership shows the number of members in each consumer
policy group. Click a policy group name to go to the page for configuring
that policy group.
Clustering provides status information about the cluster configuration, if
this Lotus Protector for Mail Encryption Server is a member of a cluster.This display shows, for each cluster member, its hostname or IP address,
its status, its location (Internal or DMZ) and a login icon (except for the
member on which you are currently logged in). Click the Clustering
heading to go to the System > Clustering page. This display does not
appear if your Lotus Protector for Mail Encryption Server is not a member
of a cluster.
35
-
7/27/2019 Protector Admin
40/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
Click Refresh (at the top of the System Overview page) to refresh the
information shown on this page.
The Manage Alerts button takes you to the Alerts page where you can
configure how you want to be notified about WDE login failures. For more
details, see Managing Alerts(on page 36).
The Export Data button lets you export statistics for WDE Activity, WDE Login
Failures, PDF Messenger Certified Delivery Receipts, and the Mail Policy Print
View (which provides in a printable format all your mail policy chains and rules).
Managing Alerts
The Lotus Protector for Mail Encryption Server groups failed login attempts into
reported login failures. This feature is intended to make reporting about failed
login attempts more useful, because one or several failed login attempts by a
PGP Whole Disk Encryption user does not necessarily mean an attemptedbreak-in. Use the Alerts dialog box to choose how many failed login attempts
constitutes a login failure. For example, you can specify that an alert should be
triggered after 3 failed login attempts. If 6 failed attempts occur, 2 login failure
alerts appear.
Alerts about PGP Whole Disk Encryption login failures appear on the System
Overview page and in the Daily Status Email. Alerts for devices belonging to
specific users appear on the user's Internal Users dialog box.
Alerts are also sent when a user is locked out of a system because he or she
exceeded the number of allowable login failures set on the Disk Encryption tab
of Consumer Policy.
To specify how you want to be notified of PGP Whole Disk Encryptionlogin failures
1 From the System Overview page, click Manage Alerts.
The Alerts dialog box appears.
2 Specify how many consecutive failed login attempts a single device mustreport before the administrator is notified.
3 Choose how long you want login failure alerts to be displayed on theSystem Overview page, the Daily Status Email, and the Internal Users
page, in hours or days.
4 Specify how long you want to keep login failure records in the database, indays.
Note: PGP Whole Disk Encryption is a feature of the PGP Desktop product
line, which must be purchased separately from PGP Corporation to be
deployed and managed by the Lotus Protector for Mail Encryption Server.
36
-
7/27/2019 Protector Admin
41/403
-
7/27/2019 Protector Admin
42/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
USP
System General Settings
Administrators
Backups
Updates
Network
Clustering
IconsThe administrative interface uses the following icons.
Type Icon Description
Actions Add
Remove
Connect
Delete
Clear Search
Install/Export
Reinstall/Regenerate
Restore
Revoke
Forward
Back
First
Last
Move priority up
Move priority down
Closed Action
38
-
7/27/2019 Protector Admin
43/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
Type Icon Description
Opened Action
Help
Print
Users Internal user
Administrative user
Excluded user
Internal user, revoked
Expired internal user
External user, revoked
External user
External user, pending
Expired external user
Directory user
Expired directory user
Directory user, pending
Keys and Certificates Key
Key, expired
Key, revoked
Key reconstruction
39
-
7/27/2019 Protector Admin
44/403
-
7/27/2019 Protector Admin
45/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
Type Icon Description
` Pending excluded address
Keyserver
Default keyserver
User Policy Default policy
Excluded policy
Web Messenger Default template
Customized template
Broken template
Backup Backup successful
Backup pending
Backup failed
Update Successful install
Update ready to be installed
Failed install
Clustering Cluster
Active cluster
Inactive cluster
Logs Info
Notice
41
-
7/27/2019 Protector Admin
46/403
IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface
Type Icon Description
Warning
Error
Miscellaneous Domain
Mail proxy (SMTP, POP, IMAP)
Inbound mailserver
Outbound mailserver
SMTP server
Mail route
Network interface
Learn mode
Access control enabled
42
-
7/27/2019 Protector Admin
47/403
6Licensing Your Software
This section describes how to license your Lotus Protector for Mail Encryption
Server.
Note: The license for Lotus Protector for Mail Encryption Server is included
automatically when you run the Setup Assistant and accept the licensing
terms. You do not need to separately add or update a Lotus Protector for Mail
Encryption Server license.
However, you will need to add a license if you separately purchase a PGP
product, such as PGP Desktop or PGP Whole Disk Encryption.
Licensing a Lotus Protector for Mail Encryption Server
The license for Lotus Protector for Mail Encryption Server is included
automatically when you run the Setup Assistant and accept the licensing terms.
You do not need to separately add or update a Lotus Protector for MailEncryption Server license.
However, you will need to add a license if you separately purchase a PGPproduct, such as PGP Desktop or PGP Whole Disk Encryption.
For instructions on licensing additional products, see Licensing a LotusProtector for Mail Encryption Server(on page 350).
43
-
7/27/2019 Protector Admin
48/403
-
7/27/2019 Protector Admin
49/403
7 Operating in Learn Mode
When you finish configuring a Lotus Protector for Mail Encryption Server using
the Setup Assistant, it begins running in Learn Mode.
In Learn Mode, messages are processed through mail policy, but none of the
actions from the policy are performed. Messages are neither encrypted nor
signed. This functions as a rehearsal, so that you can learn how policies would
affect email traffic if implemented. While running in Learn Mode, the LotusProtector for Mail Encryption Server also creates keys for authenticated users
so that when Learn Mode is turned off, the server can secure messages
immediately.
After messages go through mail policy, Lotus Protector for Mail EncryptionServer decrypts and verifies incoming messages for which there are local
internal or external user keys. Outgoing messages are sent unencrypted. InLearn Mode, non-RFC compliant email is sent unprocessed and in the clear.
Turn Learn Mode off to process messages through the mail policy exception
chain.
In Learn Mode, the Lotus Protector for Mail Encryption Server:
Creates user accounts with user keys, in accordance with Consumer
Policy.
Decrypts messages using internal and external keys stored on the server,
but does not search for keys externally.
Does not encrypt or sign messages.
Will not apply mail policy to messages, and will not take any Key Not Found
action on messages.
Note: Your Lotus Protector for Mail Encryption Server must be licensedbefore you can take it out of Learn Mode.
Note: The license for Lotus Protector for Mail Encryption Server is included
automatically when you run the Setup Assistant and accept the licensing
terms. You do not need to separately add or update a Lotus Protector for Mail
Encryption Server license.
However, you will need to add a license if you separately purchase a PGP
product, such as PGP Desktop or PGP Whole Disk Encryption.
Purpose of Learn Mode
Learn Mode allows you to:
45
-
7/27/2019 Protector Admin
50/403
IBM Lotus Protector for Mail Encryption Server Operating in Learn Mode
View (by examining the logs) how policies would affect email traffic if
implemented.
Build the SMSA (creating keys for authenticated users, for example) so that
when the server goes livewhen Learn Mode is turned offthe server
can secure messages immediately.
Identify mailing lists your users send messages to and add their addresses
to the dictionaries of Excluded Email Addresses. Most likely, users won't
send encrypted messages to a mailing list.
Lotus Protector for Mail Encryption Server decrypts and verifies incoming
email while operating in Learn Mode.
Lotus Protector for Mail Encryption Server still automatically detects
mailing lists when Learn Mode is off, but unless the addresses were
retrieved via the Directory Synchronization feature, they require approval
from the Lotus Protector for Mail Encryption Server administrator to be
added to the list of excluded email addresses. For more information, see
Using Dictionaries with Policy(on page 137).
Mailing lists are identified per RFC 2919, List-Id: A Structured Field and
Namespace for the Identification of Mailing Lists, as well as by using
default exclusion rules.
Checking the Logs
The effects of your policies can be checked while Learn Mode is on, even
though the server is not actually encrypting or signing messages.
To check the servers logs
1 Access the administrative interface for the server.
The administrative interface appears.
2 Click Reporting, then Logs.
The System Logs page appears.
3 Check the logs to see what effect your policies are having on email traffic.
Managing Learn ModeThe Lotus Protector for Mail Encryption Server is put into Learn Mode by the
Setup Assistant. If your server is in Learn Mode, you see a yellow icon, the
Change Mode button, in the upper-right corner of your browser page.
46
-
7/27/2019 Protector Admin
51/403
IBM Lotus Protector for Mail Encryption Server Operating in Learn Mode
To turn off Learn Mode
1 Click the Change Mode button in the upper-right corner of the page.
The Mail Processing Settings dialog box appears.2 Deselect Operate in Learn Mode.
3 Click Save.
Learn Mode is turned off.
To turn on Learn Mode
1 Click the Change Mode button in the upper-right corner of the page.
The Mail Processing Settings dialog box appears.
2 Select Operate in Learn Mode.
3 Click Save.
Learn Mode is turned on.
47
-
7/27/2019 Protector Admin
52/403
-
7/27/2019 Protector Admin
53/403
8 Managed Domains
This section describes how to create and manage the internal domains for
which your Lotus Protector for Mail Encryption Server protects email messages.
About Managed Domains
The Managed Domains page gives you control over the domains for which the
Lotus Protector for Mail Encryption Server is handling email.
Email users from domains being managed by your server are called internalusers. Conversely, email users from domains not being managed by your
server but who are part of the SMSA are called external users.
For example, if your company is Example Corporation, you can have the
domain example.com and your employees would have email addresses such
If this were the case, you would want to establish example.com as a domain
to be managed by your server. When you install your Lotus Protector for Mail
Encryption Server you have the opportunity to add a managed domain in the
Setup Assistant. If you do not set it up at that time, you can use the Managed
Domains page to add it. You can also add additional managed domains from the
Managed Domains page, if you have users with addresses in multiple domains
that you want to be considered internal users.
Managed domains automatically include sub-domains, so in the example above,
users such as [email protected] would also be considered internalusers. Multi-level domain structures as used by some countries are also
acceptable: for example, the domain example.co.uk.
The Managed Domains page accepts Internet DNS domain names and Domino
domains. You must have an Internet DNS domain name, and if you have Notes
users, you must also include the Domino domain name. WINS names (for
example,\\EXAMPLE) do not belong here.
Usually, you specify your Internet domain during installation through the SetupAssistant. If your Lotus Protector for Mail Encryption Server is also managing a
Domino server, you must add your Domino domain name manually through theManaged Domains page.
For example, if you have an Internet domain "example.com" and a Domino
domain "ExDomino," you would add example.com as the managed domain
during setup, for SMTP addressing. You would then add ExDomino as anadditional managed domain, for Domino addressing.
49
mailto:[email protected]:[email protected]://example/http://example/mailto:[email protected]:[email protected] -
7/27/2019 Protector Admin
54/403
IBM Lotus Protector for Mail Encryption Server Managed Domains
Mail to and from your managed domains is processed according to your mail
policy. You can also create mail policy rules specifically for your managed
domains. See the chapter Setting Mail Policy(on page 89) for more information
on creating mail policies.
Managed domains entered on the Managed Domains page populate theManaged Domains dictionary. The dynamic Managed Domains dictionary
automatically includes subdomains. See Using Dictionaries with Policy(on page
137) for more information on dictionaries.
Adding Managed Domains
To add a domain to the list of managed domains
1 Click Add Managed Domain.
The Add Managed Domain dialog box appears.
2 Type a domain name in the Domain field.
Do not type WINS names (for example,\\EXAMPLE) here. Type only
Internet DNS domain names or Domino domain names.
3 Click Save.
Deleting Managed Domains
If you delete a managed domain, all the user IDs within that domain remain inthe system. Users can still encrypt and sign messages with their keys.
To remove a domain name already on the list of managed domains
1 Click the icon in the Delete column of the domain you want to remove
from the list.
A confirmation dialog box appears.
2 Click OK.
The confirmation dialog box disappears and the selected domain name is
removed from the list of managed domains.
50
http://example/http://example/ -
7/27/2019 Protector Admin
55/403
9Understanding Keys
This chapter introduces some of the concepts related to how Consumer keys
are managed. It introduces the concept of key modes, which are used to control
whether internal and external users can manage their own keys or whether
keys should be managed by Lotus Protector for Mail Encryption Server. It also
discusses the use of Certificate Revocation Lists and key reconstruction blocks.
Key Modes
Keys generated by Lotus Protector for Mail Encryption Server and LotusProtector for Mail Encryption Client are managed entirely by the Lotus Protector
for Mail Encryption Server. These keys are called Server Managed Keys (SKM).
If you purchase a PGP Desktop license and create installers, you can choose
whether you want users to be able to manage their own keys, or whether keysshould be managed by the Lotus Protector for Mail Encryption Server.
End-to-end email processing functions refer to encryption, decryption, and
signing performed at the client, rather than on the Lotus Protector for Mail
Encryption Server.
Lotus Protector for MailEncryption Server Email
Functions
End-to-end EmailProcessing Functions
Keys ManagedBy Server
Encrypt Decrypt Sign Encrypt Decrypt Sign
Client KeyMode(CKM)
No No No Yes Yes Yes No
GuardedKey Mode(GKM)
No No No Yes Yes Yes Private keys
stored
passphrase
protected
Server Key
Mode(SKM)
Yes Yes Yes Yes Yes Yes Yes
51
-
7/27/2019 Protector Admin
56/403
IBM Lotus Protector for Mail Encryption Server Understanding Keys
Lotus Protector for MailEncryption Server EmailFunctions
End-to-end EmailProcessing Functions
Keys ManagedBy Server
ServerClient KeyMode(SCKM)
Yes Yes No Yes Yes Yes Public andprivate
encryption
subkeys stored
on client and
Lotus Protector
for Mail
Encryption
Server, private
signing subkeys
stored only on
client
Server Key Mode (SKM)The Lotus Protector for Mail Encryption Server
generates and manages user keys.
Users cannot manage their own keys.
Lotus Protector for Mail Encryption Server administrators have access
to private keys.
If a user has a client installation, the users keys are downloaded to
the client at each use.
SKM can also be used without client installations; if there is no client
installation, you must use SKM.
The client stores the private key encrypted to a random passphrase,so users can read email offline.
Client Key Mode (CKM)Users use client software to generate and
manage their own keys.
Lotus Protector for Mail Encryption Server administrators do not have
access to private keys.
CKM user email is secure on the mail server.
CKM users are responsible for backing up their keys; if they lose their
private keys, there is no way to retrieve them.
Users who want to be able to read their email offline and
unconnected to Lotus Protector for Mail Encryption Server must useCKM.
Guarded Key Mode (GKM)Users generate and manage their own keys,
and store their passphrase-protected private keys on the server.
GKM is similar to CKM, except that Lotus Protector for Mail
Encryption Server stores protected copies of private keys.
52
-
7/27/2019 Protector Admin
57/403
IBM Lotus Protector for Mail Encryption Server Understanding Keys
Server Client Key Mode (SCKM)Keys are generated on the client.
Private encryption subkeys are stored on both the client and Lotus
Protector for Mail Encryption Server, and private signing subkeys are stored
only on the client.
SCKM allows for separate signing and encryption subkeys,comparable to X.509 signing and encryption keys.
The public and private encryption subkey is on the server, but by
default encryption is not performed on the server.
The public-only signing subkey is on the server. Lotus Protector for
Mail Encryption Server cannot sign email for the user.
Mail processing must take place on the client side to use the SCKM
signing subkey.
If an SCKM user resets their key, the entire SCKM key is revoked,
including all subkeys, and remains on the Lotus Protector for Mail
Encryption Server as a non-primary key for the user. This non-primary
key can still be used for decryption, and remain on the Lotus Protector
for Mail Encryption Server until manually removed by the
administrator.
Which key management option you choose depends on what your users need
and which client application they use. Server Key Mode is generally appropriate
for PGP Universal Satellite users. Client Key Mode is more appropriate for PGP
Desktop users. If your security policy requires that a users signing key is only in
the possession of the user, but the users encryption key must be archived,
SCKM is the correct choice.
Lotus Protector for Mail Encryption Server Supported KeyModes
The mode of a key controls what key materials are managed by the Lotus
Protector for Mail Encryption Server and the client. Lotus Protector for Mail
Encryption Server allows different key modes depending on the client used.
Lotus Protector for Mail Encryption Client supports Server Key Mode (SKM)
only. This means that all key materials are managed by the Lotus Protector
for Mail Encryption Server. Only SKM keys will be generated for Lotus
Protector for Mail Encryption Client users.
Lotus Protector for Mail Encryption Server supports other key modes for
existing users who migrate to the Lotus Protector for Mail Encryption
Server and Lotus Protector for Mail Encryption Client products. Migrating
users who have non-SKM keys can continue to use their existing keys.
53
-
7/27/2019 Protector Admin
58/403
IBM Lotus Protector for Mail Encryption Server Understanding Keys
When adding PGP Desktop to existing Lotus Protector for Mail Encryption
Server environments, existing Lotus Protector for Mail Encryption Client
users who migrate to PGP Desktop continue to use their SKM keys. New
PGP Desktop users can use any key mode with Lotus Protector for Mail
Encryption Server.
How Lotus Protector for Mail Encryption Server UsesCertificate Revocation Lists
A certificate revocation list (CRL) is a list of certificates that have been revokedbefore their scheduled expiration date. The Lotus Protector for Mail Encryption
Server retrieves CRLs for certificates from CRL Distribution Points (DP).
The Lotus Protector for Mail Encryption Server checks the CRL DPs
automatically before encrypting a message to a certificate, including certificates
for internal and external users, as well as certificates in the cache. The serveralso checks the CRL DPs before importing any internal or external usercertificate. It does not check before importing Trusted Certificates, or before
connecting to servers with SSL certificates.
The Lotus Protector for Mail Encryption Server checks the revocation status of
just the recipient's certificate. It does not check the revocation status of the
other certificates in the signing chain.
Once retrieved, certificate revocation status is stored on the parent certificate,
so the Trusted Certificate for each user certificate stores the list of all the
associated revoked certificates. Once the CRL is stored on the TrustedCertificate, the Lotus Protector for Mail Encryption Server runs future CRL
checks based on the next update date for that list.
Key Reconstruction Blocks
Key reconstruction blocks allow users to retrieve their private keys if they forget
their passphrases.
Key reconstruction blocks contain several user-defined questions and the user's
private key, which is encrypted with the answers to those questions.
Lotus Protector for Mail Encryption Server stores these questions and answersso that users can get back their private keys in case they lose their
passphrases. For example, if a user writes five questions and answers, they canbe asked three (or more) of the questions to reconstruct their private key.
54
-
7/27/2019 Protector Admin
59/403
IBM Lotus Protector for Mail Encryption Server Understanding Keys
If an internal PGP Desktop user has uploaded a key reconstruction block to the
Lotus Protector for Mail Encryption Server, you can delete it. You might want to
delete a key reconstruction block if you have already deleted or revoked the
associated key and you do not want the key to be recoverable. If you delete the
key reconstruction block, it is no longer stored on the Lotus Protector for MailEncryption Server, although it is possible that the user also has a copy.
See Recovering Encrypted Data in an Enterprise Environment(on page 279) for
information on other methods of data recovery.
55
-
7/27/2019 Protector Admin
60/403
-
7/27/2019 Protector Admin
61/403
10Managing Organization
Keys
This section describes the various keys and certificates you can configure and
use with your Lotus Protector for Mail Encryption Server.
About Organization Keys
There are multiple keys and certificates you can use with your Lotus Protector
for Mail Encryption Server:
Organization Key. Used to sign all user keys the Lotus Protector for Mail
Encryption Server creates and to encrypt server backups.
Organization Certificate. Used to generate user S/MIME certificates in an
S/MIME environment.
Additional Decryption Key (ADK). Used to reconstruct messages if the
recipient is unable or unwilling to do so. Every message encrypted to anexternal recipient by an internal user is also encrypted to the ADK, allowing
the Lotus Protector for Mail Encryption Server administrator to decrypt any
message sent by internal users, if required to do so by regulations or
security policy.
Verified Directory Key. Used to sign keys submitted to the MailEncryption Verified Directory by external users.
The Organization Keys page provides access to all of these.
Organization Key
Your Organization Key is used to sign all user keys the Lotus Protector for Mail
Encryption Server creates and to encrypt server backups. The Organization Key
is what was referred to as the Corporate Key in the old PGP Keyserver
environment.
Warning: You must make a backup of your Organization Key, in case of a
problem with the server. That way, you can restore your server from a
backup using the backup Organization Key.
57
-
7/27/2019 Protector Admin
62/403
IBM Lotus Protector for Mail Encryption Server Managing Organization Keys
Each Lotus Protector for Mail Encryption Server is pre-configured with a unique
Organization Key generated by the Setup Assistant. If you would like to use
different settings for this key, you can regenerate the key with the settings you
prefer. This should only be done prior to live deployment of the server or
creation of user keys by the server.The Organization Key automatically renews itself one day before its expiration
date. It renews with all the same settings.
If you have multiple Lotus Protector for Mail Encryption Servers in a cluster, the
Organization Key is synchronized.
An Organization Keys identification is based on the name of the managed
domain for which the key was created. Organization Keys by convention have
one ID per managed domain so that they can be easily found via a directory
lookup.
The Organization Key information includes the Public Keyserver URL, as
specified on the Services > Keyserver page. Anytime the Public Keyserver URL
changes, that information on the Organization Key changes immediately.
Inspecting the Organization Key
To inspect the properties of an Organization Key
1 Click the name of the Organization Key.
The Organization Key Info dialog box appears.
2 Inspect the properties of the Organization Key.
3 To export either just the public key portion of the Organization Key or the
entire keypair, click the Export button and save the file to the desiredlocation. Optional: You can protect your Organization Key with a
passphrase when you export it.
When you export the Organization Key you also get the Organization
Certificate. You can use PGP Desktop to extract the Organization
Certificate from the Organization Key.
4 Click OK.
If you are going to regenerate your Organization Key, you should use a
fairly high bit size, such as 2048. However, if you are going to be using
X.509 certificates and S/MIME, be aware that many clients only support up
to 1024 bits; thus you may want to use 1024 bits for maximum
compatibility with S/MIME. All clients can be expected to support at least4096 bits.
58
-
7/27/2019 Protector Admin
63/403
-
7/27/2019 Protector Admin
64/403
IBM Lotus Protector for Mail Encryption Server Managing Organization Keys
To import an Organization Key
1 Click the icon in the Import column of the Organization Key row.
2 The following warning dialog box appears:Importing a new Organization Key will cause the current key (and
Organization Certificate, if any) to be deleted, and will cause problems with
existing key signatures and backups. Any existing Ignition Keys will also be
removed. Are you sure you want to proceed?
3 Click OK.
The Import Organization Key dialog box appears.
4 Do one of the following:
If you w