protector admin

Upload: john-engelsted

Post on 02-Apr-2018

222 views

Category:

Documents


0 download

TRANSCRIPT

  • 7/27/2019 Protector Admin

    1/403

    IBM Lotus Protector for MailEncryption Server

    Administrator's Guide

  • 7/27/2019 Protector Admin

    2/403

  • 7/27/2019 Protector Admin

    3/403

  • 7/27/2019 Protector Admin

    4/403

    IBM Software Group One Rogers StreetCambridge, MA 02142

    USA

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    If you are viewing this information softcopy, the photographs and color illustrations may not appear.

    4

  • 7/27/2019 Protector Admin

    5/403

    13

    Contents

    Introduction

    What is Lotus Protector for Mail Encryption Server 13

    Who Should Read This Guide 14

    Symbols 14

    Getting Assistance 14

    The Big Picture 15

    Important Terms 15

    Overview of Products 15Lotus Protector for Mail Encryption Server Concepts 17

    Lotus Protector for Mail Encryption Server Features 18

    Lotus Protector for Mail Encryption Server User Types 20

    Installation Overview 21

    Open Ports 27

    TCP Ports 27

    UDP Ports 29

    Naming your Lotus Protector for Mail Encryption Server 31

    Considering a Name for Your Lotus Protector for Mail Encryption Server 31

    Methods for Naming a Lotus Protector for Mail Encryption Server 32

    Understanding the Administrative Interface 33

    System Requirements 33

    Logging In 33

    The System Overview Page 35

    Managing Alerts 36

    Administrative Interface Map 37

    Icons 38

    Licensing Your Software 43

    Licensing a Lotus Protector for Mail Encryption Server 43

    Operating in Learn Mode 45

    Purpose of Learn Mode 45Checking the Logs 46

    Managing Learn Mode 46

    i

  • 7/27/2019 Protector Admin

    6/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Managed Domains 49

    About Managed Domains 49

    Adding Managed Domains 50Deleting Managed Domains 50

    Understanding Keys 51

    Key Modes 51

    Lotus Protector for Mail Encryption Server Supported Key Modes 53

    How Lotus Protector for Mail Encryption Server Uses Certificate Revocation Lists 54

    Key Reconstruction Blocks 54

    Managing Organization Keys 57

    About Organization Keys 57

    Organization Key 57Inspecting the Organization Key 58

    Regenerating the Organization Key 59Importing an Organization Key 59

    Organization Certificate 60

    Inspecting the Organization Certificate 61

    Exporting the Organization Certificate 61

    Deleting the Organization Certificate 62

    Generating the Organization Certificate 62

    Importing the Organization Certificate 63

    Additional Decryption Key (ADK) 63

    Importing the ADK 64

    Inspecting the ADK 64

    Deleting the ADK 65

    Verified Directory Key 65

    Importing the Verified Directory Key 65

    Inspecting the Verified Directory Key 66

    Deleting the Verified Directory Key 66

    Administering Managed Keys 67

    Managed Key Permissions 68

    Viewing Managed Keys 68

    Managed Key Information 69

    Email Addresses 72

    Subkeys 72Certificates 72

    Permissions 72

    Attributes 73

    Symmetric Key Series 74

    Symmetric Keys 76

    Custom Data Objects 77

    Exporting Consumer Keys 78

    ii

  • 7/27/2019 Protector Admin

    7/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Exporting the Managed Key of an Internal User 78

    Exporting the Managed Key of an External User 79

    Exporting Mail Encryption Verified Directory User Keys 80

    Exporting the Managed Key of a Managed Device 80

    Deleting Consumer Keys 81Deleting the Managed Key of an Internal User 81

    Deleting the Managed Key of an External User 81Deleting the Key of a Mail Encryption Verified Directory User 82

    Deleting the Managed Key of a Managed Device 82

    Approving Pending Keys 82

    Revoking Managed Keys 83

    Managing Trusted Keys and Certificates 85

    Overview 85

    Trusted Keys 85

    Trusted Certificates 85

    Adding a Trusted Key or Certificate 86Inspecting and Changing Trusted Key Properties 87

    Deleting Trusted Keys and Certificates 87Searching for Trusted Keys and Certificates 88

    Setting Mail Policy 89

    Overview 89

    How Policy Chains Work 90

    Mail Policy and Dictionaries 91

    Mail Policy and Key Searches 91

    Mail Policy and Cached Keys 92

    Understanding the Pre-Installed Policy Chains 92

    Mail Policy Outside the Mailflow 94

    Using the Rule Interface 94

    The Conditions Card 95

    The Actions Card 97

    Building Valid Chains and Rules 97

    Using Valid Processing Order 98

    Creating Valid Groups 99Creating a Valid Rule 100

    Managing Policy Chains 100

    Mail Policy Best Practices 101Restoring Mail Policy to Default Settings 101

    Editing Policy Chain Settings 101

    Adding Policy Chains 101Deleting Policy Chains 103

    Exporting Policy Chains 103

    Printing Policy Chains 104

    Managing Rules 104

    Adding Rules to Policy Chains 104

    Deleting Rules from Policy Chains 104

    Enabling and Disabling Rules 105

    iii

  • 7/27/2019 Protector Admin

    8/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Changing the Processing Order of the Rules 106

    Adding Key Searches 106

    Choosing Condition Statements, Conditions, and Actions 106

    Condition Statements 107

    Conditions 107Actions 113

    Applying Key Not Found Settings to External Users 129

    Overview 129Bounce the Message 130

    Mail Encryption PDF Messenger 130

    Certified Delivery with Mail Encryption PDF Messenger 131Send Unencrypted 131

    Mail Encryption Smart Trailer 132

    Protector for Mail Encryption Web Messenger 133

    Changing Policy Settings 135

    Changing User Delivery Method Preference 135

    Using Dictionaries with Policy 137

    Overview 137

    Default Dictionaries 138

    Editing Default Dictionaries 140

    User-Defined Dictionaries 141

    Adding a User-Defined Dictionary 141Editing a User-Defined Dictionary 142

    Deleting a Dictionary 142

    Exporting a Dictionary 143Searching the Dictionaries 143

    Keyservers, SMTP Archive Servers, and Mail Policy 145

    Overview 145

    Keyservers 145

    Adding or Editing a Keyserver 146

    Deleting a Keyserver 148

    SMTP Servers 148

    Adding or Editing an Archive Server 148

    Deleting an Archive Server 149

    Managing Keys in the Key Cache 151

    Overview 151Changing Cached Key Timeout 151

    Purging Keys from the Cache 152

    Trusting Cached Keys 152

    Viewing Cached Keys 152

    Searching the Key Cache 153

    iv

  • 7/27/2019 Protector Admin

    9/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Configuring Mail Proxies 155

    Overview 155

    Lotus Protector for Mail Encryption Server and Mail Proxies 155Mail Proxies in a Gateway Placement 156

    Mail Proxies in an Internal Placement 158

    Mail Proxies Page 159

    Creating New or Editing Existing Proxies 160

    Creating or Editing a POP/IMAP Proxy 160

    Creating or Editing an Outbound SMTP Proxy 162

    Creating or Editing an Inbound SMTP Proxy 164

    Creating or Editing a Unified SMTP Proxy 166

    Email in the Mail Queue 171

    Overview 171

    Deleting Messages from the Mail Queue 172

    Specifying Mail Routes 173

    Overview 173

    Managing Mail Routes 174

    Adding a Mail Route 174

    Editing a Mail Route 175

    Deleting a Mail Route 175

    Customizing System Message Templates 177

    Overview 177

    Templates and Message Size 178

    Mail Encryption PDF Messenger Templates 178

    Templates for New Protector for Mail Encryption Web Messenger Users 178Editing a Message Template 179

    Managing Groups 181

    Understanding Groups 181

    Sorting Consumers into Groups 181

    Everyone Group 182

    Excluded Group 182

    Policy Group Order 183

    Setting Policy Group Order 183Creating a New Group 183

    Deleting a Group 184

    Viewing Group Members 184

    Manually Adding Group Members 185

    Manually Removing Members from a Group 185

    Group Permissions 186Adding Group Permissions 187

    v

  • 7/27/2019 Protector Admin

    10/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Deleting Group Permissions 187

    Setting Group Membership 188

    Searching Groups 189

    Creating Group Client Installations 189

    How Group Policy is Assigned to PGP Desktop Installers 190Creating PGP Desktop Installers 191

    Distributing the Lotus Protector for Mail Encryption Client 197

    Preparing the Lotus Protector for Mail Encryption Client for installation 197

    Editing the Notes.ini File 198

    Configuring the .MSI File 198

    Editing the PMEConf.dat File 199

    Managing Devices 201

    Managed Devices 202

    Adding and Deleting Managed Devices 202Adding Managed Devices to Groups 203

    Managed Device Information 205

    Deleting Managed Devices from Lotus Protector for Mail Encryption Server 208

    Deleting Managed Devices from Groups 209WDE Devices (Computers and Disks) 210

    WDE Computers 210

    WDE Disks 212

    Searching for Devices 214

    Administering Consumer Policy 217

    Understanding Consumer Policy 217

    Making Sure Users Create Strong Passphrases 218

    Understanding Entropy 218

    Using the Windows Preinstallation Environment 219

    X.509 Certificate Management in Lotus Notes Environments 219

    Trusting Certificates Created by Lotus Protector for Mail Encryption Server 220Setting the Lotus Notes Key Settings in Lotus Protector for Mail Encryption Server 222

    Technical Deployment Information 223

    Offline Policy 223Using a Policy ADK 225

    Out of Mail Stream Support 225

    Enrolling Users through Silent Enrollment 227

    Silent Enrollment with Mac OS X 227

    Silent Enrollment with Windows 227PGP Whole Disk Encryption Administration 228

    PGP Whole Disk Encryption on Mac OS X with FileVault 228

    How Does Single Sign-On Work? 228

    Enabling Single Sign-On 229

    Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 231

    Managing Clients Locally Using the PGP WDE Administrator Key 231

    vi

  • 7/27/2019 Protector Admin

    11/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Managing Consumer Policies 233

    Adding a Consumer Policy 233

    Editing a Consumer Policy 233

    Deleting a Consumer Policy 234

    Setting Policy for Clients 235

    Client and Lotus Protector for Mail Encryption Server Version Compatibility 235

    Establishing PGP Desktop Settings for Your PGP Desktop Clients 236

    PGP Desktop Feature License Settings 237

    Controlling PGP Desktop Components 238

    PGP Portable 239

    PGP Mobile 240

    PGP NetShare 240

    How the PGP NetShare Policy Settings Work Together 240

    Multi-user environments and managing PGP NetShare 241

    Backing Up PGP NetShare-Protected Files 241

    Using Directory Synchronization to Manage Consumers 243

    How Lotus Protector for Mail Encryption Server Uses Directory Synchronization 243

    Base DN and Bind DN 245Consumer Matching Rules 246

    Understanding User Enrollment Methods 246

    Before Creating a Client Installer 247

    Directory Enrollment 248

    Email Enrollment 250

    Enabling Directory Synchronization 252

    Adding or Editing an LDAP Directory 253

    The LDAP Servers Tab 254

    The Base Distinguished Name Tab 254

    The Consumer Matching Rules Tab 255

    Testing the LDAP Connection 255

    Using Sample Records to Configure LDAP Settings 255

    Deleting an LDAP Directory 256

    Setting LDAP Directory Order 256

    Directory Synchronization Settings 256

    Managing User Accounts 259

    Understanding User Account Types 259

    Viewing User Accounts 259

    User Management Tasks 259Setting User Authentication 260

    Editing User Attributes 260

    Adding Users to Groups 260

    Editing User Permissions 261

    Deleting Users 261

    Searching for Users 262

    Viewing User Log Entries 262

    vii

  • 7/27/2019 Protector Admin

    12/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Changing Display Names and Usernames 262

    Exporting a Users X.509 Certificate 263

    Revoking a User's X.509 Certificate 264

    Managing User Keys 264

    Managing Internal User Accounts 265Importing Internal User Keys Manually 265

    Creating New Internal User Accounts 266Exporting PGP Whole Disk Encryption Login Failure Data 267

    Internal User Settings 267

    Managing External User Accounts 271

    Importing External Users 272

    Exporting Delivery Receipts 273

    External User Settings 274

    Managing Verified Directory User Accounts 275

    Importing Verified Directory Users 276

    Mail Encryption Verified Directory User Settings 277

    Recovering Encrypted Data in an Enterprise Environment 279

    Using Key Reconstruction 279Recovering Encryption Key Material without Key Reconstruction 280

    Encryption Key Recovery of CKM Keys 280

    Encryption Key Recovery of GKM Keys 281

    Encryption Key Recovery of SCKM Keys 281Encryption Key Recovery of SKM Keys 282

    Using an Additional Decryption Key for Data Recovery 282

    PGP Universal Satellite 285

    Overview 285

    Technical Information 286

    Distributing the PGP Universal Satellite Software 286

    Configuration 286

    Key Mode 286

    PGP Universal Satellite Configurations 287

    Switching Key Modes 290

    Policy and Key or Certificate Retrieval 290Retrieving Lost Policies 290

    Retrieving Lost Keys or Certificates 292

    PGP Universal Satellite for Windows 295

    Overview 295System Requirements 295

    Obtaining the Installer 296

    Installation 296

    Updates 297

    Files 297

    MAPI Support 298

    External MAPI Configuration 298

    viii

  • 7/27/2019 Protector Admin

    13/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Lotus Notes Support 299

    External Lotus Notes Configuration 299

    PGP Universal Satellite for Mac OS X 301

    Overview 301

    System Requirements 301

    Obtaining the Installer 302

    Installation 302

    Updates 303

    Files 303

    Configuring Protector for Mail Encryption Web Messenger 305

    Overview 305

    Protector for Mail Encryption Web Messenger and Clustering 306

    External Authentication 307

    Customizing Protector for Mail Encryption Web Messenger 308Adding a New Template 309

    Troubleshooting Customization 313

    Changing the Active Template 316

    Deleting a Template 316Editing a Template 316

    Downloading Template Files 317

    Restoring to Factory Defaults 317

    Configuring the Protector for Mail Encryption Web Messenger Service 317

    Starting and Stopping Protector for Mail Encryption Web Messenger 318

    Selecting the Protector for Mail Encryption Web Messenger Network Interface 319

    Setting Up External Authentication 320

    Creating Settings for Protector for Mail Encryption Web Messenger User Accounts 321

    Setting Message Replication in a Cluster 322

    Configuring the Integrated Keyserver 325

    Overview 325Starting and Stopping the Keyserver Service 325

    Configuring the Keyserver Service 326

    Configuring the Mail Encryption Verified Directory 329

    Overview 329

    Starting and Stopping the Mail Encryption Verified Directory 330

    Configuring the Mail Encryption Verified Directory 330

    Managing the Certificate Revocation List Service 333

    Overview 333

    Starting and Stopping the CRL Service 333

    Editing CRL Service Settings 334

    ix

  • 7/27/2019 Protector Admin

    14/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Configuring Universal Services Protocol 335

    Starting and Stopping USP 335

    Adding USP Interfaces 335

    System Graphs 337

    Overview 337

    CPU Usage 337

    Message Activity 338

    Whole Disk Encryption 338

    Recipient Statistics 339

    Recipient Domain Statistics 339

    System Logs 341

    Overview 341Filtering the Log View 342

    Searching the Log Files 343Exporting a Log File 343

    Enabling External Logging 344

    Configuring SNMP Monitoring 345

    Overview 345

    Starting and Stopping SNMP Monitoring 346

    Configuring the SNMP Service 346

    Downloading the Custom MIB File 347

    Viewing Server and License Settings and Shutting Down Services 349

    Server Information 349

    Setting the Time 350

    Updating Software 350

    Licensing a Lotus Protector for Mail Encryption Server 350

    Downloading the Release Notes 351

    Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Software Services351

    Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Hardware 352

    Managing Administrator Accounts 353

    Overview 353Administrator Roles 354

    Administrator Authentication 354

    Creating a New Administrator 355

    Importing SSH v2 Keys 356Deleting Administrators 356

    x

  • 7/27/2019 Protector Admin

    15/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Inspecting and Changing the Settings of an Administrator 357

    Configuring RSA SecurID Authentication 358

    Resetting SecurID PINs 359

    Daily Status Email 360

    Protecting Lotus Protector for Mail Encryption Server with Ignition Keys 363

    Overview 363

    Ignition Keys and Clustering 365

    Preparing Hardware Tokens to be Ignition Keys 365

    Configuring a Hardware Token Ignition Key 367

    Configuring a Soft-Ignition Passphrase Ignition Key 367

    Deleting Ignition Keys 368

    Backing Up and Restoring System and User Data 369

    Overview 369

    Creating Backups 370Scheduling Backups 370

    Performing On-Demand Backups 370

    Configuring the Backup Location 370

    Restoring From a Backup 372Restoring On-Demand 372

    Restoring Configuration 373

    Restoring from a Different Version 374

    Updating Lotus Protector for Mail Encryption Server Software 375

    Overview 375

    Inspecting Update Packages 376

    Setting Network Interfaces 377

    Understanding the Network Settings 377

    Changing Interface Settings 378

    Adding Interface Settings 378Deleting Interface Settings 379

    Editing Global Network Settings 379

    Assigning a Certificate 379

    Working with Certificates 380

    Importing an Existing Certificate 380

    Generating a Certificate Request 381

    Adding a Pending Certificate 382Inspecting a Certificate 382

    Exporting a Certificate 383

    Deleting a Certificate 383

    xi

  • 7/27/2019 Protector Admin

    16/403

    IBM Lotus Protector for Mail Encryption Server Contents

    Clustering your Lotus Protector for Mail Encryption Servers 385

    Overview 385

    Cluster Status 386Creating a Cluster 387

    Deleting Cluster Members 390

    Clustering and Protector for Mail Encryption Web Messenger 390

    Managing Settings for Cluster Members 391

    Changing Network Settings in Clusters 393

    Index 395

    xii

  • 7/27/2019 Protector Admin

    17/403

    1Introduction

    This Administrators Guide describes both the IBM Lotus Protector for Mail

    Encryption Server and Client software. It tells you how to get them up and

    running on your network, how to configure them, and how to maintain them.

    This section provides a high-level overview of Lotus Protector for Mail

    Encryption Server.

    Sections of the Lotus Protector for Mail Encryption Server Administrator's

    Guiderefer to management of PGP Whole Disk Encryption, PGP Portable, PGP

    NetShare, and other PGP Desktop client products. The PGP Desktop products

    encrypt data on disks, removable media, and mobile devices as well as secure

    files for collaborating teams, and they can be fully managed by the Lotus

    Protector for Mail Encryption Server. However, these PGP products must be

    purchased separately (from PGP Corporation) to be deployed and managed by

    the Lotus Protector for Mail Encryption Server.

    What is Lotus Protector for Mail Encryption Server

    With Lotus Protector for Mail Encryption Server management server, you can

    manage your organization's security policies, users, keys and configurations,

    deliver messages to external recipients with or without encryption keys, and

    defend sensitive data to avoid the financial loss, legal ramifications, and brand

    damage resulting from a data breach.

    Lotus Protector for Mail Encryption Server automatically creates and maintains a

    Self-Managing Security Architecture (SMSA) by monitoring authenticated users

    and their email traffic. You can also send protected messages to addresses that

    are notpart of the SMSA. The Lotus Protector for Mail Encryption Server

    encrypts, decrypts, signs, and verifies messages automatically, providing strongsecurity through policies you control.

    Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise

    customers with an automatic, transparent encryption solution for securing

    internal and external confidential email communications, managed by the Lotus

    Protector for Mail Encryption Server. Lotus Notes offers a native encryption

    solution for secure messaging within an organization. While Lotus Protector for

    Mail Encryption Client can be used for internal-to-internal secure messaging, it

    is intended to secure the internal component of a message which is being

    delivered to an external recipient. With Lotus Protector for Mail Encryption

    Client, you can minimize the risk of a data breach and better comply with

    partner and regulatory mandates for information security and privacy.

    13

  • 7/27/2019 Protector Admin

    18/403

    IBM Lotus Protector for Mail Encryption Server Introduction

    The management capabilities of the Lotus Protector for Mail Encryption Server

    can be extended to managing the PGP Desktop applications that provide

    encryption of data on disks, removable media, and mobile devices as well as

    security of files for collaborating teams.

    Who Should Read This Guide

    This Administrators Guide is for the person or persons who implement and

    maintain your organizations Lotus Protector for Mail Encryption Server

    environment. These are the Lotus Protector for Mail Encryption Server

    administrators.

    This guide is also intended for anyone else who wants to learn about how Lotus

    Protector for Mail Encryption Server works.

    Symbols

    Notes, Cautions, and Warnings are used in the following ways.

    Note: Notes are extra, but important, information. A Note calls your attention

    to important aspects of the product. You can use the product better if you

    read the Notes.

    Caution: Cautions indicate the possibility of loss of data or a minor security

    breach. A Caution tells you about a situation where problems can occur

    unless precautions are taken. Pay attention to Cautions.

    Warning: Warnings indicate the possibility of significant data loss or a major

    security breach. A Warning means serious problems will occur unless you

    take the appropriate action. Please take Warnings very seriously.

    Getting Assistance

    For additional information about Lotus Protector for Mail Encryption Server and

    how to obtain support, see Lotus Protector for Mail Encryption

    (http://www.ibm.com/software/lotus/products/protector/mailencryption/).

    14

    http://www.ibm.com/software/lotus/products/protector/mailencryption/http://www.ibm.com/software/lotus/products/protector/mailencryption/
  • 7/27/2019 Protector Admin

    19/403

    2 The Big Picture

    This chapter describes some important terms and concepts and gives you a

    high-level overview of the things you need to do to set up and maintain your

    Lotus Protector for Mail Encryption Server environment.

    Important Terms

    The following sections define important terms you will encounter throughout

    the Lotus Protector for Mail Encryption Server and this documentation.

    Overview of Products

    Lotus Protector for Mail Encryption Server: A device you add to your

    network that provides secure messaging with little or no user interaction.

    The Lotus Protector for Mail Encryption Server automatically creates and

    maintains a security architecture by monitoring authenticated users and

    their email traffic. You can also send protected messages to addresses that

    are notpart of the security architecture.

    PGP Global Directory: A free, public keyserver hosted by PGP

    Corporation. The PGP Global Directory provides quick and easy access

    to the universe of PGP keys. It uses next-generation keyservertechnology that queries the email address on a key (to verify that theowner of the email address wants their key posted) and lets users

    manage their own keys. Using the PGP Global Directory significantly

    enhances your chances of finding a valid public key of someone to

    whom you want to send secured messages.

    For external users without encryption keys, Lotus Protector for Mail

    Encryption Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such

    as a web browser or Adobe Acrobat Reader. For email recipients who do

    not have an encryption solution, you can use of of the following secure

    delivery options from Lotus Protector for Mail Encryption Server:

    PGP Universal Satellite: The PGP Universal Satellite software

    resides on the computer of an external email user. It allows email to

    be encrypted end to end, all the way to and from the desktop. UsingPGP Universal Satellite is one of the ways for external users to

    participate in the SMSA. It also allows users the option of controlling

    their keys on their local computers (if allowed by the administrator).

    15

  • 7/27/2019 Protector Admin

    20/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    Protector for Mail Encryption Web Messenger: The Protector for

    Mail Encryption Web Messenger service allows an external user to

    securely read a message from an internal user beforethe external

    user has a relationship with the SMSA. If Protector for Mail Encryption

    Web Messenger is available via mail policy for a user and therecipients key cannot be found, the message is stored on the Lotus

    Protector for Mail Encryption Server and an unprotected message is

    sent to the recipient. The unprotected message includes a link to the

    original message, held on the Lotus Protector for Mail Encryption

    Server. The recipient must create a passphrase, and then can access

    his encrypted messages stored on Lotus Protector for Mail Encryption

    Server.

    Mail Encryption PDF Messenger: Mail Encryption PDF Messengerenables sending encrypted PDF messages to external users who do

    not have a relationship with the SMSA. In the normal mode, as with

    Protector for Mail Encryption Web Messenger, the user receives a

    message with a link to the encrypted message location and uses a

    Protector for Mail Encryption Web Messenger passphrase to access

    the message. Mail Encryption PDF Messenger also provides Certified

    Delivery, which encrypts the message to a one-time passphrase, and

    creates and logs a delivery receipt when the user retrieves the

    passphrase.

    Lotus Protector for Mail Encryption Client: Lotus Protector for Mail

    Encryption Client provides IBM Lotus enterprise customers with an

    automatic, transparent encryption solution for securing internal and external

    confidential email communications. Lotus Notes offers a native encryption

    solution for secure messaging within an organization. While Lotus

    Protector for Mail Encryption Client can be used for internal-to-internal

    secure messaging, it is intended to secure the internal component of a

    message which is being delivered to an external recipient. With LotusProtector for Mail Encryption Client, you can minimize the risk of a data

    breach and better comply with partner and regulatory mandates for

    information security and privacy.

    Separately-licensed PGP products:

    PGP Desktop: A client software tool that uses cryptography to protect your

    data against unauthorized access. PGP Desktop is available for Windows

    and Mac OS X. It can include the following components, depending upon

    the features you license:

    PGP Whole Disk Encryption: Whole Disk Encryption is a feature of

    PGP Desktop that encrypts your entire hard drive or partition,

    including your boot record, thus protecting all your files when you arenot using them. PGP Whole Disk Encryption is also available for

    selected Linux systems.

    16

  • 7/27/2019 Protector Admin

    21/403

  • 7/27/2019 Protector Admin

    22/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    Lotus Protector for Mail Encryption Server Features

    Administrative Interface: Each Lotus Protector for Mail Encryption Server

    is controlled via a Web-based administrative interface. The administrativeinterface gives you control over Lotus Protector for Mail Encryption Server.

    While many settings are initially established using the web-based Setup

    Assistant, all settings of a Lotus Protector for Mail Encryption Server can

    be controlled via the administrative interface.

    Backup and Restore: Because full backups of the data stored on your

    Lotus Protector for Mail Encryption Server are critical in a natural disaster or

    other unanticipated loss of data or hardware, you can schedule automatic

    backups of your Lotus Protector for Mail Encryption Server data or

    manually perform a backup.

    You can fully restore a Lotus Protector for Mail Encryption Server from a

    backup. In the event of a minor problem, you can restore the Lotus

    Protector for Mail Encryption Server to any saved backup. In the event that

    a Lotus Protector for Mail Encryption Server is no longer usable, you can

    restore its data from a backup onto a new Lotus Protector for Mail

    Encryption Server during initial setup of the new Lotus Protector for Mail

    Encryption Server using the Setup Assistant. All backups are encrypted to

    the Organization Key and can be stored securely off the Lotus Protector for

    Mail Encryption Server.

    Cluster: When you have two or more Lotus Protector for Mail Encryption

    Servers in your network, you configure them to synchronize with each

    other; this is called a cluster.

    Dictionary: Dictionaries are lists of terms to be matched. The dictionaries

    work with mail policy to allow you to define content lists that can triggerrules.

    Directory Synchronization: If you have LDAP directories in your

    organization, your Lotus Protector for Mail Encryption Server can be

    synchronized with the directories. The Lotus Protector for Mail Encryption

    Server automatically imports user information from the directories when

    users send and receive email; it also creates internal user accounts for

    them, including adding and using X.509 certificates if they are contained in

    the LDAP directories.

    Ignition Keys: You can protect the contents of a Lotus Protector for Mail

    Encryption Server, even if the hardware is stolen, by requiring the use of a

    hardware token or a software passphrase, or both, on start.

    Keyserver: Each Lotus Protector for Mail Encryption Server includes an

    integrated keyserver populated with the public keys of your internal users.

    When an external user sends a message to an internal user, the external

    Lotus Protector for Mail Encryption Server goes to the keyserver to find the

    public key of the recipient to use to secure the message. The Lotus

    Protector for Mail Encryption Server administrator can enable or disable the

    service, and control access to it via the administrative interface.

    18

  • 7/27/2019 Protector Admin

    23/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    Learn Mode: When you finish configuring a Lotus Protector for Mail

    Encryption Server using the Setup Assistant, it begins in Learn Mode,

    where the Lotus Protector for Mail Encryption Server sends messages

    through mail policy without taking any action on the messages, and does

    not encrypt or sign any messages.Learn Mode gives the Lotus Protector for Mail Encryption Server a chance

    to build its SMSA (creating keys for authenticated users, for example) so

    that when when Learn Mode is turned off, the Lotus Protector for Mail

    Encryption Server can immediately begin securing messages. It is also an

    excellent way for administrators to learn about the product.

    You should check the logs of the Lotus Protector for Mail Encryption Server

    while it is in Learn Mode to see what it would be doing to email traffic if it

    were live on your network. You can make changes to the Lotus Protector

    for Mail Encryption Servers policies while it is in Learn Mode until things

    are working as expected.

    Mail Policy: The Lotus Protector for Mail Encryption Server processes

    email messages based on the policies you establish. Mail policy applies to

    inbound and outbound email processed by both Lotus Protector for Mail

    Encryption Server and client software. Mail policy consists of multiple

    policy chains, comprised of sequential mail processing rules.

    Organization Certificate: You must create or obtain an Organization

    Certificate to enable S/MIME support by Lotus Protector for Mail

    Encryption Server. The Organization Certificate signs all X.509 certificates

    the server creates.

    Organization Key: The Setup Assistant automatically creates an

    Organization Key (actually a keypair) when it configures a Lotus Protector

    for Mail Encryption Server. The Organization Key is used to sign all PGP

    keys the Lotus Protector for Mail Encryption Server creates and to encryptLotus Protector for Mail Encryption Server backups.

    Caution: It is extremely important to back up your Organization Key: all

    keys the Lotus Protector for Mail Encryption Server creates are signed by

    the Organization Key, and all backups are encrypted to the Organization

    Key. If you lose your Organization Key and have not backed it up, the

    signatures on those keys are meaningless and you cannot restore from

    backups encrypted to the Organization Key.

    Mail Encryption Verified Directory: The Mail Encryption Verified Directory

    supplements the internal keyserver by letting internal and external users

    manage the publishing of their own public keys. The Mail Encryption

    Verified Directory also serves as a replacement for the PGP Keyserverproduct. The Mail Encryption Verified Directory uses next-generation

    keyserver technology to ensure that the keys in the directory can be

    trusted.

    19

  • 7/27/2019 Protector Admin

    24/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    Server Placement: A Lotus Protector for Mail Encryption Server can be

    placed in one of two locations in your network to process email.

    With an internal placement, the Lotus Protector for Mail Encryption Server

    logically sits between your email users and your mail server. It encrypts

    and signs outgoing SMTP email and decrypts and verifies incoming mailbeing picked up by email clients using POP or IMAP. Email stored on your

    mail server is stored secured (encrypted).

    With a gateway placement, the Lotus Protector for Mail Encryption Server

    logically sits between your mail server and the Internet. It encrypts and

    signs outgoing SMTP email and decrypts and verifies incoming SMTP

    email. Email stored on your mail server is stored unsecured.

    For more information, see Configuring Mail Proxies(on page 155) and the

    Lotus Protector for Mail Encryption Server Installation Guide.

    Setup Assistant: When you attempt to log in for the first time to theadministrative interface of a Lotus Protector for Mail Encryption Server, the

    Setup Assistant takes you through the configuration of that Lotus Protectorfor Mail Encryption Server.

    Lotus Protector for Mail Encryption Server User Types

    Administrators: Any user who manages the Lotus Protector for Mail

    Encryption Server and its security configuration from inside the internal

    network.

    Only administrators are allowed to access the administrative interface that

    controls Lotus Protector for Mail Encryption Server. A Lotus Protector for

    Mail Encryption Server supports multiple administrators, each of which can

    be assigned a different authority: from read-only access to full control overevery feature and function.

    Consumers: Internal, external, and Verified Directory users, and devices.

    External Users: External users are email users from other domains(domains notbeing managed by your Lotus Protector for Mail

    Encryption Server) who have been added to the SMSA.

    Internal Users: Internal users are email users from the domains being

    managed by your Lotus Protector for Mail Encryption Server.

    Lotus Protector for Mail Encryption Server allows you to manage PGPDesktop deployments to your internal users. The administrator can

    control which PGP Desktop features are automatically implemented at

    install, and establish and update security policy for PGP Desktop usersthat those users cannot override (except on the side of being more

    secure).

    Mail Encryption Verified Directory Users: Internal and externalusers who have submitted their public keys to the Mail Encryption

    Verified Directory, a Web-accessible keyserver.

    20

  • 7/27/2019 Protector Admin

    25/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    Devices: Managed devices, WDE computers, and WDE disks.

    Managed devices are arbitrary objects whose keys are managed by

    Lotus Protector for Mail Encryption Server. WDE computers, and

    WDE disks are devices that are detected when users enroll.

    Other Email Users: Users within your organization can securely sendemail to recipients outside the SMSA.

    First, the Lotus Protector for Mail Encryption Server attempts to find a key

    for the recipient. If that fails, there are four fallback options, all controlled by

    mail policy: bounce the message back to the sender (so it is not sent

    unencrypted), send unencrypted, Mail Encryption Smart Trailer, and

    Protector for Mail Encryption Web Messenger mail.

    Mail Encryption Smart Trailer sends the message unencrypted and adds

    text giving the recipient the option of joining the SMSA by installing PGP

    Universal Satellite, using an existing key or certificate, or using Protector

    for Mail Encryption Web Messenger. Protector for Mail Encryption Web

    Messenger lets the recipient securely read the message on a secure

    website; it also gives the recipient options for handling subsequent

    messages from the same domain: read the messages on a secure website

    using a passphrase they establish, install PGP Universal Satellite, or add an

    existing key or certificate to the SMSA.

    Installation Overview

    The following steps are a broad overview of what it takes to plan, set up, and

    maintain your Lotus Protector for Mail Encryption Server environment.

    Steps 1 and 4 are described in the Lotus Protector for Mail Encryption Server

    Installation Guide. The remaining tasks are described in this book.

    Note that these steps apply to the installation of a new, stand-alone Lotus

    Protector for Mail Encryption Server. If you plan to install a cluster, you must

    install and configure one Lotus Protector for Mail Encryption Server following

    the steps outlined here. Subsequent cluster members will receive most of their

    configuration settings from the initial Lotus Protector for Mail Encryption Server

    through data replication.

    1 Plan where in your network you want to locate your Lotus Protectorfor Mail Encryption Server(s).

    Where you put Lotus Protector for Mail Encryption Servers in your

    network, how many Lotus Protector for Mail Encryption Servers you have

    in your network, and other factors all have a major impact on how you addthem to your existing network.

    Create a diagram of your network that includes all network components

    and shows how email flows; this diagram details how adding a Lotus

    Protector for Mail Encryption Server impacts your network.

    21

  • 7/27/2019 Protector Admin

    26/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    For more information on planning how to add Lotus Protector for Mail

    Encryption Servers to your existing network, see Adding the Lotus

    Protector for Mail Encryption Server to Your Network in the Lotus Protector

    for Mail Encryption Server Installation Guide.

    2 Perform necessary DNS changes.

    Add IP addresses for your Lotus Protector for Mail Encryption Servers, an

    alias to your keyserver, update the MX record if necessary, add

    keys., hostnames of potential Secondary servers for a cluster,

    and so on.

    Properly configured DNS settings (including root servers and appropriate

    reverse lookup records) are required to support Lotus Protector for Mail

    Encryption Server. Make sure both host and pointer records are correct. IP

    addresses must be resolvable to hostnames, as well as hostnames

    resolvable to IP addresses.

    3 Prepare a hardware token Ignition Key.

    If you want to add a hardware token Ignition Key during setup, install the

    drivers and configure the token before you begin the Lotus Protector for

    Mail Encryption Server setup process. See Protecting Lotus Protector for

    Mail Encryption Server with Ignition Keys(on page 363) for information on

    how to prepare a hardware token Ignition Key.

    Note: In a cluster, the Ignition Key configured on the first Lotus Protector

    for Mail Encryption Server in the cluster will also apply to the subsequent

    members of the cluster.

    4 Install and configure this Lotus Protector for Mail Encryption Server.

    The Setup Assistant runs automatically when you first access the

    administrative interface for the Lotus Protector for Mail Encryption Server.The Setup Assistant is where you can set or confirm a number of basicsettings such as your network settings, administrator password, server

    placement option, mail server address and so on.

    To configure multiple servers as a cluster, you must configure one server

    first in the normal manner, then add the additional servers as cluster

    members. You can do this through the Setup Assistant when you install a

    server that will join an existing cluster, or you can do this through the LotusProtector for Mail Encryption Server administrative interface.

    For more information, see Setting Up the Lotus Protector for Mail

    Encryption Server in the Lotus Protector for Mail Encryption Server

    Installation Guide.

    5 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.

    You can create a self-signed certificate for use with SSL/TLS traffic.

    Because this certificate is self-signed, however, it might not be trusted by

    email or Web browser clients. IBM Corporation recommends that you

    obtain a valid SSL/TLS certificate for each of your Lotus Protector for Mail

    Encryption Servers from a reputable Certificate Authority.

    22

  • 7/27/2019 Protector Admin

    27/403

  • 7/27/2019 Protector Admin

    28/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    Note: When setting policy for Consumers, Lotus Protector for MailEncryption Server provides an option called Out of Mail Stream (OOMS)

    support. OOMS specifies how the email gets transmitted from the client

    to the server when Lotus Protector for Mail Encryption Client cannot find

    a key for the recipient and therefore cannot encrypt the message.

    OOMS is enable by default, as this is the most secure setting. WithOOMS enabled, sensitive messages that can't be encrypted locally are

    sent to Lotus Protector for Mail Encryption Server "out of the mail

    stream." Lotus Protector for Mail Encryption Client creates a separate,

    encrypted network connection to the Lotus Protector for Mail Encryption

    Server to transmit the message. However, archiving solutions, outbound

    anti-virus filters, or other systems which monitor or proxy mail traffic will

    not see these messages.

    You can elect to disable OOMS, which means that sensitive messages

    that can't be encrypted locally are sent to Lotus Protector for Mail

    Encryption Server "in the mail stream" like normal email. Importantly, this

    email is sent in the clear (unencrypted). Mail or Network administratorscould read these messages by accessing the mail server's storage or

    monitoring network traffic. However, archiving solutions, outbound anti

    virus filters, or other systems which monitor or proxy mail traffic will

    process these messages normally.

    During your configuration of your Lotus Protector for Mail Encryption

    Server you should determine the appropriate settings for your

    requirements. This option can be set separately for each policy group, and

    is set through the Consumer Policy settings. For more details on the

    effects of enabling or disabling OOMS, see Out of Mail Stream Support

    (on page 225).

    8 Add your Domino domain as a managed domain.Usually, you specify your Internet domain during installation through the

    Setup Assistant. If your Lotus Protector for Mail Encryption Server is also

    managing a Domino server, you must add your Domino domain name

    manually through the Managed Domains page (Consumers > Managed

    Domains).

    9 Reconfigure the settings of your email clients and servers, ifnecessary.

    Depending on how you are adding the Lotus Protector for Mail Encryption

    Server to your network, some setting changes might be necessary. For

    example, if you are using a Lotus Protector for Mail Encryption Server

    placed internally, the email clients must have SMTP authentication turnedon. For Lotus Protector for Mail Encryption Servers placed externally, you

    must configure your mail server to relay SMTP traffic to the Lotus Protector

    for Mail Encryption Server.

    24

  • 7/27/2019 Protector Admin

    29/403

  • 7/27/2019 Protector Admin

    30/403

    IBM Lotus Protector for Mail Encryption Server The Big Picture

    15 Take your Lotus Protector for Mail Encryption Servers out of LearnMode.

    Once this is done, email messages are encrypted, signed, and

    decrypted/verified, according to the relevant policy rules. Make sure you

    have licensed each of your Lotus Protector for Mail Encryption Servers; youcannot take a Lotus Protector for Mail Encryption Server out of Learn Mode

    until it has been licensed.

    16 Monitor the system logs to make sure your Lotus Protector for MailEncryption Server environment is operating as expected.

    26

  • 7/27/2019 Protector Admin

    31/403

  • 7/27/2019 Protector Admin

    32/403

    IBM Lotus Protector for Mail Encryption Server Open Ports

    Port Protocol/Service Comment

    389 LDAP (Lightweight DirectoryAccess Protocol)

    Used to allow remote hosts to

    look up public keys of local users.

    443 HTTPS (HyperText TransferProtocol, Secure)

    Used for Lotus Protector for Mail

    Encryption Client, PGP UniversalSatellite, and PGP Desktop policy

    distribution and Protector for Mail

    Encryption Web Messenger

    access.

    Used for access over HTTPS if the

    Verified Directory is not enabled.

    Also used for Universal Services

    Protocal (USP)over SSL for

    keyserver connection.

    444 SOAPS (Simple Object AccessProtocol, Secure)

    Used for clustering replication

    messages.

    465 SMTPS (Simple Mail TransferProtocol, Secure)

    Used for sending mail securely

    with internal placements only.

    Closed for gateway placements.

    This is a non-standard port used

    only by legacy mail servers. We

    recommend not using this port,

    and instead always using

    STARTTLS on port 25.

    636 LDAPS (Lightweight Directory

    Access Protocol, Secure)

    Used to securely allow remote

    hosts to look up public keys oflocal users.

    993 IMAPS (Internet Message AccessProtocol, Secure)

    Used for retrieving mail securely

    by users with IMAP accounts with

    internal placements only. Closed

    for gateway placements.

    995 POPS (Post Office Protocol,Secure)

    Used for retrieving mail securely

    by users with POP accounts withinternal placements only. Closed

    for gateway placements.

    9000 HTTPS (HyperText Transfer

    Protocol, Secure)

    Used to allow access to the Lotus

    Protector for Mail EncryptionServer administrative interface.

    28

  • 7/27/2019 Protector Admin

    33/403

    IBM Lotus Protector for Mail Encryption Server Open Ports

    UDP Ports

    Port Protocol/Service Comment

    53 DNS (Domain Name System) Used to look up a FQDN (Fully Qualified

    Domain Name) on the DNS server, and

    translate to an IP address.

    123 NTP (Network Time Protocol) Used to synchronize the systems clock

    with a reference time source on a different

    server.

    161 SNMP (Simple NetworkManagement Protocol)

    Used by network management

    applications to query the health and

    activities of Lotus Protector for Mail

    Encryption Server software and thecomputer on which it is installed.

    29

  • 7/27/2019 Protector Admin

    34/403

  • 7/27/2019 Protector Admin

    35/403

  • 7/27/2019 Protector Admin

    36/403

    IBM Lotus Protector for Mail Encryption Server Naming your Lotus Protector for Mail Encryption Server

    If you have multiple Lotus Protector for Mail Encryption Servers in a cluster

    managing an email domain, only one of those Lotus Protector for Mail

    Encryption Servers needs to use the keys. convention.

    Note: Keys that are found using the keys. convention are treated

    as valid and trusted by default.

    Alternately, keys. should be the address of a load-balancing device

    which then distributes connections to your Lotus Protector for Mail Encryption

    Servers keyserver service. The ports that would need to be load-balanced are

    the ones on which you are running your keyserver service (typically port 389 for

    LDAP and 636 for LDAPS).

    Another acceptable naming convention would be to name your Lotus Protectorfor Mail Encryption Server according to the required naming convention your

    company uses, and make sure the server has a DNS alias of

    keys..com.

    If you are administering multiple email domains, you should establish the

    keys. convention for each email domain.

    If your Lotus Protector for Mail Encryption Server is behind your corporate

    firewall (as it should be), you need to make sure that ports 389 (LDAP) and 636

    (LDAPS) are open to support the keys. convention.

    Methods for Naming a Lotus Protector for Mail EncryptionServer

    There are three ways to name your Lotus Protector for Mail Encryption Server

    to support the keys. convention:

    Name your Lotus Protector for Mail Encryption Server keys.

    on the Host Name field of the Network Setup page in the Setup Assistant.

    Change the Host Name of your Lotus Protector for Mail Encryption Server

    to keys. using the administrative interface on the Network

    Settings section of the System > Network page.

    Create a DNS alias to your Lotus Protector for Mail Encryption Server that

    uses the keys. convention that is appropriate for your DNS

    server configuration.

    32

    http:///reader/full/keys.%3Cdomain%3E.comhttp:///reader/full/keys.%3Cdomain%3E.com
  • 7/27/2019 Protector Admin

    37/403

  • 7/27/2019 Protector Admin

    38/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    2 Type the current login name in the Username field.

    3 Type the current passphrase or SecurID passcode in the Passphrase field.

    (If SecurID authentication is enabled, a message below the Passphrase

    field will indicate that a SecurID passcode can be entered. A givenadministrator is configured to use either passphrase or SecurID

    authentication, not both.)

    4 Click the Login button or press Enter.

    5 If the login credentials are accepted, the System Overview page appears.

    6 If the login credentials do not match, an error is displayed. For passphrase

    authentication that fails, an "Invalid Login" error appears. For SecurID

    authentication, different events may occur. See the following procedure for

    more information.

    To log in using RSA SecurID authentication

    1 Follow steps 1-4 in the procedure above. If your SecurID passcode is

    accepted, and no PIN reset is required, the System Overview page

    appears.

    Note: If Lotus Protector for Mail Encryption Server fails to connect with

    any RSA Manager server, you will be presented with the standard "InvalidLogin" message. The connection failure will be logged in the Lotus

    Protector for Mail Encryption Server Administration log, enabling you to

    determine whether this was the cause of the login failure.

    2 If the RSA server policy determines that a PIN reset is required, upon

    successful login the PIN Reset dialog appears. Depending on the RSA

    server policy, you may be able to have the RSA server generate a new PIN

    for you, or enter a new PIN manually. When this is done, the SystemOverview page appears. For more details see Resetting SecurID PINs(on

    page 359).

    3 If the RSA server detects a problem with the token code portion of your

    passcode, you are asked to re-enter your PIN plus the next code shown on

    your SecurID token. Type your PIN and the next token code that appears,

    then click Login or press Enter.

    4 Based on your RSA server policy, you may be given several chances to

    authenticate successfully using the next token code. However, eventually

    continued failures will result in a failed login.

    Note: Log in events are logged in the Lotus Protector for Mail Encryption

    Server Administration log. Successful and failed attempts, and next

    tokencode requests are logged, as are problems connecting to the RSA

    Manager servers.

    34

  • 7/27/2019 Protector Admin

    39/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    The System Overview Page

    The System Overview page is the first page you see when you log in to LotusProtector for Mail Encryption Server. You can also view it from Reporting >

    Overview.

    The page provides a general report of system information and statistics. The

    information displayed includes:

    System alerts, including licensing issues and PGP Whole Disk Encryption

    login failures. System alerts appear at the top of the page.

    System Graphs for CPU usage, message activity, and Whole Disk

    Encryption. Click the buttons to switch the graphs. Click the System

    Graphs heading to go to the Reporting > Graphs page. See System

    Graphs(on page 337) for more information about system graphs.

    Services information, including which services are running or stopped.

    Depending on the service, the entry may also include the number of

    users or keys handled by the service.

    Click the service name link to go to the administrative page for that

    service.

    For a running Web Messenger service, click the URL to go to the Web

    Messenger interface.

    For a running Verified Directory service, click the URL to go to the

    Verified Directory interface to search for a key, upload your own public

    key, or remove your key from the searchable directory.

    System Statistics, including software version number, system uptime,

    total messages processed, and number of PGP Portable Disks created.

    Click the Statistics link to go to the System > General Settings page.

    Mail Queue statistics show the number of email messages in the queue

    waiting to be processed, if applicable, and the size of the mail queue. Click

    the Mail Queue link to go to the Mail > Mail Queue status page for

    detailed information about the contents of the mail queue. Estimated Policy

    Group Membership shows the number of members in each consumer

    policy group. Click a policy group name to go to the page for configuring

    that policy group.

    Clustering provides status information about the cluster configuration, if

    this Lotus Protector for Mail Encryption Server is a member of a cluster.This display shows, for each cluster member, its hostname or IP address,

    its status, its location (Internal or DMZ) and a login icon (except for the

    member on which you are currently logged in). Click the Clustering

    heading to go to the System > Clustering page. This display does not

    appear if your Lotus Protector for Mail Encryption Server is not a member

    of a cluster.

    35

  • 7/27/2019 Protector Admin

    40/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    Click Refresh (at the top of the System Overview page) to refresh the

    information shown on this page.

    The Manage Alerts button takes you to the Alerts page where you can

    configure how you want to be notified about WDE login failures. For more

    details, see Managing Alerts(on page 36).

    The Export Data button lets you export statistics for WDE Activity, WDE Login

    Failures, PDF Messenger Certified Delivery Receipts, and the Mail Policy Print

    View (which provides in a printable format all your mail policy chains and rules).

    Managing Alerts

    The Lotus Protector for Mail Encryption Server groups failed login attempts into

    reported login failures. This feature is intended to make reporting about failed

    login attempts more useful, because one or several failed login attempts by a

    PGP Whole Disk Encryption user does not necessarily mean an attemptedbreak-in. Use the Alerts dialog box to choose how many failed login attempts

    constitutes a login failure. For example, you can specify that an alert should be

    triggered after 3 failed login attempts. If 6 failed attempts occur, 2 login failure

    alerts appear.

    Alerts about PGP Whole Disk Encryption login failures appear on the System

    Overview page and in the Daily Status Email. Alerts for devices belonging to

    specific users appear on the user's Internal Users dialog box.

    Alerts are also sent when a user is locked out of a system because he or she

    exceeded the number of allowable login failures set on the Disk Encryption tab

    of Consumer Policy.

    To specify how you want to be notified of PGP Whole Disk Encryptionlogin failures

    1 From the System Overview page, click Manage Alerts.

    The Alerts dialog box appears.

    2 Specify how many consecutive failed login attempts a single device mustreport before the administrator is notified.

    3 Choose how long you want login failure alerts to be displayed on theSystem Overview page, the Daily Status Email, and the Internal Users

    page, in hours or days.

    4 Specify how long you want to keep login failure records in the database, indays.

    Note: PGP Whole Disk Encryption is a feature of the PGP Desktop product

    line, which must be purchased separately from PGP Corporation to be

    deployed and managed by the Lotus Protector for Mail Encryption Server.

    36

  • 7/27/2019 Protector Admin

    41/403

  • 7/27/2019 Protector Admin

    42/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    USP

    System General Settings

    Administrators

    Backups

    Updates

    Network

    Clustering

    IconsThe administrative interface uses the following icons.

    Type Icon Description

    Actions Add

    Remove

    Connect

    Delete

    Clear Search

    Install/Export

    Reinstall/Regenerate

    Restore

    Revoke

    Forward

    Back

    First

    Last

    Move priority up

    Move priority down

    Closed Action

    38

  • 7/27/2019 Protector Admin

    43/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    Type Icon Description

    Opened Action

    Help

    Print

    Users Internal user

    Administrative user

    Excluded user

    Internal user, revoked

    Expired internal user

    External user, revoked

    External user

    External user, pending

    Expired external user

    Directory user

    Expired directory user

    Directory user, pending

    Keys and Certificates Key

    Key, expired

    Key, revoked

    Key reconstruction

    39

  • 7/27/2019 Protector Admin

    44/403

  • 7/27/2019 Protector Admin

    45/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    Type Icon Description

    ` Pending excluded address

    Keyserver

    Default keyserver

    User Policy Default policy

    Excluded policy

    Web Messenger Default template

    Customized template

    Broken template

    Backup Backup successful

    Backup pending

    Backup failed

    Update Successful install

    Update ready to be installed

    Failed install

    Clustering Cluster

    Active cluster

    Inactive cluster

    Logs Info

    Notice

    41

  • 7/27/2019 Protector Admin

    46/403

    IBM Lotus Protector for Mail Encryption Server Understanding the Administrative Interface

    Type Icon Description

    Warning

    Error

    Miscellaneous Domain

    Mail proxy (SMTP, POP, IMAP)

    Inbound mailserver

    Outbound mailserver

    SMTP server

    Mail route

    Network interface

    Learn mode

    Access control enabled

    42

  • 7/27/2019 Protector Admin

    47/403

    6Licensing Your Software

    This section describes how to license your Lotus Protector for Mail Encryption

    Server.

    Note: The license for Lotus Protector for Mail Encryption Server is included

    automatically when you run the Setup Assistant and accept the licensing

    terms. You do not need to separately add or update a Lotus Protector for Mail

    Encryption Server license.

    However, you will need to add a license if you separately purchase a PGP

    product, such as PGP Desktop or PGP Whole Disk Encryption.

    Licensing a Lotus Protector for Mail Encryption Server

    The license for Lotus Protector for Mail Encryption Server is included

    automatically when you run the Setup Assistant and accept the licensing terms.

    You do not need to separately add or update a Lotus Protector for MailEncryption Server license.

    However, you will need to add a license if you separately purchase a PGPproduct, such as PGP Desktop or PGP Whole Disk Encryption.

    For instructions on licensing additional products, see Licensing a LotusProtector for Mail Encryption Server(on page 350).

    43

  • 7/27/2019 Protector Admin

    48/403

  • 7/27/2019 Protector Admin

    49/403

    7 Operating in Learn Mode

    When you finish configuring a Lotus Protector for Mail Encryption Server using

    the Setup Assistant, it begins running in Learn Mode.

    In Learn Mode, messages are processed through mail policy, but none of the

    actions from the policy are performed. Messages are neither encrypted nor

    signed. This functions as a rehearsal, so that you can learn how policies would

    affect email traffic if implemented. While running in Learn Mode, the LotusProtector for Mail Encryption Server also creates keys for authenticated users

    so that when Learn Mode is turned off, the server can secure messages

    immediately.

    After messages go through mail policy, Lotus Protector for Mail EncryptionServer decrypts and verifies incoming messages for which there are local

    internal or external user keys. Outgoing messages are sent unencrypted. InLearn Mode, non-RFC compliant email is sent unprocessed and in the clear.

    Turn Learn Mode off to process messages through the mail policy exception

    chain.

    In Learn Mode, the Lotus Protector for Mail Encryption Server:

    Creates user accounts with user keys, in accordance with Consumer

    Policy.

    Decrypts messages using internal and external keys stored on the server,

    but does not search for keys externally.

    Does not encrypt or sign messages.

    Will not apply mail policy to messages, and will not take any Key Not Found

    action on messages.

    Note: Your Lotus Protector for Mail Encryption Server must be licensedbefore you can take it out of Learn Mode.

    Note: The license for Lotus Protector for Mail Encryption Server is included

    automatically when you run the Setup Assistant and accept the licensing

    terms. You do not need to separately add or update a Lotus Protector for Mail

    Encryption Server license.

    However, you will need to add a license if you separately purchase a PGP

    product, such as PGP Desktop or PGP Whole Disk Encryption.

    Purpose of Learn Mode

    Learn Mode allows you to:

    45

  • 7/27/2019 Protector Admin

    50/403

    IBM Lotus Protector for Mail Encryption Server Operating in Learn Mode

    View (by examining the logs) how policies would affect email traffic if

    implemented.

    Build the SMSA (creating keys for authenticated users, for example) so that

    when the server goes livewhen Learn Mode is turned offthe server

    can secure messages immediately.

    Identify mailing lists your users send messages to and add their addresses

    to the dictionaries of Excluded Email Addresses. Most likely, users won't

    send encrypted messages to a mailing list.

    Lotus Protector for Mail Encryption Server decrypts and verifies incoming

    email while operating in Learn Mode.

    Lotus Protector for Mail Encryption Server still automatically detects

    mailing lists when Learn Mode is off, but unless the addresses were

    retrieved via the Directory Synchronization feature, they require approval

    from the Lotus Protector for Mail Encryption Server administrator to be

    added to the list of excluded email addresses. For more information, see

    Using Dictionaries with Policy(on page 137).

    Mailing lists are identified per RFC 2919, List-Id: A Structured Field and

    Namespace for the Identification of Mailing Lists, as well as by using

    default exclusion rules.

    Checking the Logs

    The effects of your policies can be checked while Learn Mode is on, even

    though the server is not actually encrypting or signing messages.

    To check the servers logs

    1 Access the administrative interface for the server.

    The administrative interface appears.

    2 Click Reporting, then Logs.

    The System Logs page appears.

    3 Check the logs to see what effect your policies are having on email traffic.

    Managing Learn ModeThe Lotus Protector for Mail Encryption Server is put into Learn Mode by the

    Setup Assistant. If your server is in Learn Mode, you see a yellow icon, the

    Change Mode button, in the upper-right corner of your browser page.

    46

  • 7/27/2019 Protector Admin

    51/403

    IBM Lotus Protector for Mail Encryption Server Operating in Learn Mode

    To turn off Learn Mode

    1 Click the Change Mode button in the upper-right corner of the page.

    The Mail Processing Settings dialog box appears.2 Deselect Operate in Learn Mode.

    3 Click Save.

    Learn Mode is turned off.

    To turn on Learn Mode

    1 Click the Change Mode button in the upper-right corner of the page.

    The Mail Processing Settings dialog box appears.

    2 Select Operate in Learn Mode.

    3 Click Save.

    Learn Mode is turned on.

    47

  • 7/27/2019 Protector Admin

    52/403

  • 7/27/2019 Protector Admin

    53/403

    8 Managed Domains

    This section describes how to create and manage the internal domains for

    which your Lotus Protector for Mail Encryption Server protects email messages.

    About Managed Domains

    The Managed Domains page gives you control over the domains for which the

    Lotus Protector for Mail Encryption Server is handling email.

    Email users from domains being managed by your server are called internalusers. Conversely, email users from domains not being managed by your

    server but who are part of the SMSA are called external users.

    For example, if your company is Example Corporation, you can have the

    domain example.com and your employees would have email addresses such

    as [email protected].

    If this were the case, you would want to establish example.com as a domain

    to be managed by your server. When you install your Lotus Protector for Mail

    Encryption Server you have the opportunity to add a managed domain in the

    Setup Assistant. If you do not set it up at that time, you can use the Managed

    Domains page to add it. You can also add additional managed domains from the

    Managed Domains page, if you have users with addresses in multiple domains

    that you want to be considered internal users.

    Managed domains automatically include sub-domains, so in the example above,

    users such as [email protected] would also be considered internalusers. Multi-level domain structures as used by some countries are also

    acceptable: for example, the domain example.co.uk.

    The Managed Domains page accepts Internet DNS domain names and Domino

    domains. You must have an Internet DNS domain name, and if you have Notes

    users, you must also include the Domino domain name. WINS names (for

    example,\\EXAMPLE) do not belong here.

    Usually, you specify your Internet domain during installation through the SetupAssistant. If your Lotus Protector for Mail Encryption Server is also managing a

    Domino server, you must add your Domino domain name manually through theManaged Domains page.

    For example, if you have an Internet domain "example.com" and a Domino

    domain "ExDomino," you would add example.com as the managed domain

    during setup, for SMTP addressing. You would then add ExDomino as anadditional managed domain, for Domino addressing.

    49

    mailto:[email protected]:[email protected]://example/http://example/mailto:[email protected]:[email protected]
  • 7/27/2019 Protector Admin

    54/403

    IBM Lotus Protector for Mail Encryption Server Managed Domains

    Mail to and from your managed domains is processed according to your mail

    policy. You can also create mail policy rules specifically for your managed

    domains. See the chapter Setting Mail Policy(on page 89) for more information

    on creating mail policies.

    Managed domains entered on the Managed Domains page populate theManaged Domains dictionary. The dynamic Managed Domains dictionary

    automatically includes subdomains. See Using Dictionaries with Policy(on page

    137) for more information on dictionaries.

    Adding Managed Domains

    To add a domain to the list of managed domains

    1 Click Add Managed Domain.

    The Add Managed Domain dialog box appears.

    2 Type a domain name in the Domain field.

    Do not type WINS names (for example,\\EXAMPLE) here. Type only

    Internet DNS domain names or Domino domain names.

    3 Click Save.

    Deleting Managed Domains

    If you delete a managed domain, all the user IDs within that domain remain inthe system. Users can still encrypt and sign messages with their keys.

    To remove a domain name already on the list of managed domains

    1 Click the icon in the Delete column of the domain you want to remove

    from the list.

    A confirmation dialog box appears.

    2 Click OK.

    The confirmation dialog box disappears and the selected domain name is

    removed from the list of managed domains.

    50

    http://example/http://example/
  • 7/27/2019 Protector Admin

    55/403

    9Understanding Keys

    This chapter introduces some of the concepts related to how Consumer keys

    are managed. It introduces the concept of key modes, which are used to control

    whether internal and external users can manage their own keys or whether

    keys should be managed by Lotus Protector for Mail Encryption Server. It also

    discusses the use of Certificate Revocation Lists and key reconstruction blocks.

    Key Modes

    Keys generated by Lotus Protector for Mail Encryption Server and LotusProtector for Mail Encryption Client are managed entirely by the Lotus Protector

    for Mail Encryption Server. These keys are called Server Managed Keys (SKM).

    If you purchase a PGP Desktop license and create installers, you can choose

    whether you want users to be able to manage their own keys, or whether keysshould be managed by the Lotus Protector for Mail Encryption Server.

    End-to-end email processing functions refer to encryption, decryption, and

    signing performed at the client, rather than on the Lotus Protector for Mail

    Encryption Server.

    Lotus Protector for MailEncryption Server Email

    Functions

    End-to-end EmailProcessing Functions

    Keys ManagedBy Server

    Encrypt Decrypt Sign Encrypt Decrypt Sign

    Client KeyMode(CKM)

    No No No Yes Yes Yes No

    GuardedKey Mode(GKM)

    No No No Yes Yes Yes Private keys

    stored

    passphrase

    protected

    Server Key

    Mode(SKM)

    Yes Yes Yes Yes Yes Yes Yes

    51

  • 7/27/2019 Protector Admin

    56/403

    IBM Lotus Protector for Mail Encryption Server Understanding Keys

    Lotus Protector for MailEncryption Server EmailFunctions

    End-to-end EmailProcessing Functions

    Keys ManagedBy Server

    ServerClient KeyMode(SCKM)

    Yes Yes No Yes Yes Yes Public andprivate

    encryption

    subkeys stored

    on client and

    Lotus Protector

    for Mail

    Encryption

    Server, private

    signing subkeys

    stored only on

    client

    Server Key Mode (SKM)The Lotus Protector for Mail Encryption Server

    generates and manages user keys.

    Users cannot manage their own keys.

    Lotus Protector for Mail Encryption Server administrators have access

    to private keys.

    If a user has a client installation, the users keys are downloaded to

    the client at each use.

    SKM can also be used without client installations; if there is no client

    installation, you must use SKM.

    The client stores the private key encrypted to a random passphrase,so users can read email offline.

    Client Key Mode (CKM)Users use client software to generate and

    manage their own keys.

    Lotus Protector for Mail Encryption Server administrators do not have

    access to private keys.

    CKM user email is secure on the mail server.

    CKM users are responsible for backing up their keys; if they lose their

    private keys, there is no way to retrieve them.

    Users who want to be able to read their email offline and

    unconnected to Lotus Protector for Mail Encryption Server must useCKM.

    Guarded Key Mode (GKM)Users generate and manage their own keys,

    and store their passphrase-protected private keys on the server.

    GKM is similar to CKM, except that Lotus Protector for Mail

    Encryption Server stores protected copies of private keys.

    52

  • 7/27/2019 Protector Admin

    57/403

    IBM Lotus Protector for Mail Encryption Server Understanding Keys

    Server Client Key Mode (SCKM)Keys are generated on the client.

    Private encryption subkeys are stored on both the client and Lotus

    Protector for Mail Encryption Server, and private signing subkeys are stored

    only on the client.

    SCKM allows for separate signing and encryption subkeys,comparable to X.509 signing and encryption keys.

    The public and private encryption subkey is on the server, but by

    default encryption is not performed on the server.

    The public-only signing subkey is on the server. Lotus Protector for

    Mail Encryption Server cannot sign email for the user.

    Mail processing must take place on the client side to use the SCKM

    signing subkey.

    If an SCKM user resets their key, the entire SCKM key is revoked,

    including all subkeys, and remains on the Lotus Protector for Mail

    Encryption Server as a non-primary key for the user. This non-primary

    key can still be used for decryption, and remain on the Lotus Protector

    for Mail Encryption Server until manually removed by the

    administrator.

    Which key management option you choose depends on what your users need

    and which client application they use. Server Key Mode is generally appropriate

    for PGP Universal Satellite users. Client Key Mode is more appropriate for PGP

    Desktop users. If your security policy requires that a users signing key is only in

    the possession of the user, but the users encryption key must be archived,

    SCKM is the correct choice.

    Lotus Protector for Mail Encryption Server Supported KeyModes

    The mode of a key controls what key materials are managed by the Lotus

    Protector for Mail Encryption Server and the client. Lotus Protector for Mail

    Encryption Server allows different key modes depending on the client used.

    Lotus Protector for Mail Encryption Client supports Server Key Mode (SKM)

    only. This means that all key materials are managed by the Lotus Protector

    for Mail Encryption Server. Only SKM keys will be generated for Lotus

    Protector for Mail Encryption Client users.

    Lotus Protector for Mail Encryption Server supports other key modes for

    existing users who migrate to the Lotus Protector for Mail Encryption

    Server and Lotus Protector for Mail Encryption Client products. Migrating

    users who have non-SKM keys can continue to use their existing keys.

    53

  • 7/27/2019 Protector Admin

    58/403

    IBM Lotus Protector for Mail Encryption Server Understanding Keys

    When adding PGP Desktop to existing Lotus Protector for Mail Encryption

    Server environments, existing Lotus Protector for Mail Encryption Client

    users who migrate to PGP Desktop continue to use their SKM keys. New

    PGP Desktop users can use any key mode with Lotus Protector for Mail

    Encryption Server.

    How Lotus Protector for Mail Encryption Server UsesCertificate Revocation Lists

    A certificate revocation list (CRL) is a list of certificates that have been revokedbefore their scheduled expiration date. The Lotus Protector for Mail Encryption

    Server retrieves CRLs for certificates from CRL Distribution Points (DP).

    The Lotus Protector for Mail Encryption Server checks the CRL DPs

    automatically before encrypting a message to a certificate, including certificates

    for internal and external users, as well as certificates in the cache. The serveralso checks the CRL DPs before importing any internal or external usercertificate. It does not check before importing Trusted Certificates, or before

    connecting to servers with SSL certificates.

    The Lotus Protector for Mail Encryption Server checks the revocation status of

    just the recipient's certificate. It does not check the revocation status of the

    other certificates in the signing chain.

    Once retrieved, certificate revocation status is stored on the parent certificate,

    so the Trusted Certificate for each user certificate stores the list of all the

    associated revoked certificates. Once the CRL is stored on the TrustedCertificate, the Lotus Protector for Mail Encryption Server runs future CRL

    checks based on the next update date for that list.

    Key Reconstruction Blocks

    Key reconstruction blocks allow users to retrieve their private keys if they forget

    their passphrases.

    Key reconstruction blocks contain several user-defined questions and the user's

    private key, which is encrypted with the answers to those questions.

    Lotus Protector for Mail Encryption Server stores these questions and answersso that users can get back their private keys in case they lose their

    passphrases. For example, if a user writes five questions and answers, they canbe asked three (or more) of the questions to reconstruct their private key.

    54

  • 7/27/2019 Protector Admin

    59/403

    IBM Lotus Protector for Mail Encryption Server Understanding Keys

    If an internal PGP Desktop user has uploaded a key reconstruction block to the

    Lotus Protector for Mail Encryption Server, you can delete it. You might want to

    delete a key reconstruction block if you have already deleted or revoked the

    associated key and you do not want the key to be recoverable. If you delete the

    key reconstruction block, it is no longer stored on the Lotus Protector for MailEncryption Server, although it is possible that the user also has a copy.

    See Recovering Encrypted Data in an Enterprise Environment(on page 279) for

    information on other methods of data recovery.

    55

  • 7/27/2019 Protector Admin

    60/403

  • 7/27/2019 Protector Admin

    61/403

    10Managing Organization

    Keys

    This section describes the various keys and certificates you can configure and

    use with your Lotus Protector for Mail Encryption Server.

    About Organization Keys

    There are multiple keys and certificates you can use with your Lotus Protector

    for Mail Encryption Server:

    Organization Key. Used to sign all user keys the Lotus Protector for Mail

    Encryption Server creates and to encrypt server backups.

    Organization Certificate. Used to generate user S/MIME certificates in an

    S/MIME environment.

    Additional Decryption Key (ADK). Used to reconstruct messages if the

    recipient is unable or unwilling to do so. Every message encrypted to anexternal recipient by an internal user is also encrypted to the ADK, allowing

    the Lotus Protector for Mail Encryption Server administrator to decrypt any

    message sent by internal users, if required to do so by regulations or

    security policy.

    Verified Directory Key. Used to sign keys submitted to the MailEncryption Verified Directory by external users.

    The Organization Keys page provides access to all of these.

    Organization Key

    Your Organization Key is used to sign all user keys the Lotus Protector for Mail

    Encryption Server creates and to encrypt server backups. The Organization Key

    is what was referred to as the Corporate Key in the old PGP Keyserver

    environment.

    Warning: You must make a backup of your Organization Key, in case of a

    problem with the server. That way, you can restore your server from a

    backup using the backup Organization Key.

    57

  • 7/27/2019 Protector Admin

    62/403

    IBM Lotus Protector for Mail Encryption Server Managing Organization Keys

    Each Lotus Protector for Mail Encryption Server is pre-configured with a unique

    Organization Key generated by the Setup Assistant. If you would like to use

    different settings for this key, you can regenerate the key with the settings you

    prefer. This should only be done prior to live deployment of the server or

    creation of user keys by the server.The Organization Key automatically renews itself one day before its expiration

    date. It renews with all the same settings.

    If you have multiple Lotus Protector for Mail Encryption Servers in a cluster, the

    Organization Key is synchronized.

    An Organization Keys identification is based on the name of the managed

    domain for which the key was created. Organization Keys by convention have

    one ID per managed domain so that they can be easily found via a directory

    lookup.

    The Organization Key information includes the Public Keyserver URL, as

    specified on the Services > Keyserver page. Anytime the Public Keyserver URL

    changes, that information on the Organization Key changes immediately.

    Inspecting the Organization Key

    To inspect the properties of an Organization Key

    1 Click the name of the Organization Key.

    The Organization Key Info dialog box appears.

    2 Inspect the properties of the Organization Key.

    3 To export either just the public key portion of the Organization Key or the

    entire keypair, click the Export button and save the file to the desiredlocation. Optional: You can protect your Organization Key with a

    passphrase when you export it.

    When you export the Organization Key you also get the Organization

    Certificate. You can use PGP Desktop to extract the Organization

    Certificate from the Organization Key.

    4 Click OK.

    If you are going to regenerate your Organization Key, you should use a

    fairly high bit size, such as 2048. However, if you are going to be using

    X.509 certificates and S/MIME, be aware that many clients only support up

    to 1024 bits; thus you may want to use 1024 bits for maximum

    compatibility with S/MIME. All clients can be expected to support at least4096 bits.

    58

  • 7/27/2019 Protector Admin

    63/403

  • 7/27/2019 Protector Admin

    64/403

    IBM Lotus Protector for Mail Encryption Server Managing Organization Keys

    To import an Organization Key

    1 Click the icon in the Import column of the Organization Key row.

    2 The following warning dialog box appears:Importing a new Organization Key will cause the current key (and

    Organization Certificate, if any) to be deleted, and will cause problems with

    existing key signatures and backups. Any existing Ignition Keys will also be

    removed. Are you sure you want to proceed?

    3 Click OK.

    The Import Organization Key dialog box appears.

    4 Do one of the following:

    If you w