IBM Lotus Protector for Mail Encryption Server. Administrator's Guide


IBM Lotus Protector for Mail Encryption Server

Version Information

Lotus Protector for Mail Encryption Server Administrator's Guide. Lotus Protector for Mail Encryption Server Version 2.1.0. Released April 2010. This edition applies to version 2, release 1, modification 0 of IBM Lotus Protector for Mail Encryption (product number 5724-Z72) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright Information

Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

© Copyright IBM Corporation 1994, 2010. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml .

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Subject to the terms of the license that accompanied the Program, Licensee may redistribute PGP Universal Satellite.

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing, Legal and Intellectual Property Law, IBM Japan Ltd., 1623-14, Shimotsuruma, Yamato-shi, Kanagawa 242-8502, Japan

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation.

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.


One Rogers Street Cambridge, MA 02142 USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Contents

Introduction 15
  What is Lotus Protector for Mail Encryption Server 15
  Who Should Read This Guide 16
  Symbols 16
  Getting Assistance 16

The Big Picture 17
  Important Terms 17
  Overview of Products 17
  Lotus Protector for Mail Encryption Server Concepts 19
  Lotus Protector for Mail Encryption Server Features 20
  Lotus Protector for Mail Encryption Server User Types 22
  Installation Overview 23

Open Ports 29
  TCP Ports 29
  UDP Ports 31

Naming your Lotus Protector for Mail Encryption Server 33
  Considering a Name for Your Lotus Protector for Mail Encryption Server 33
  Methods for Naming a Lotus Protector for Mail Encryption Server 34

Understanding the Administrative Interface 35
  System Requirements 35
  Logging In 35
  The System Overview Page 37
  Managing Alerts 38
  Administrative Interface Map 39
  Icons 40

Licensing Your Software 47

Operating in Learn Mode 49
  Purpose of Learn Mode 49
  Checking the Logs 50
  Managing Learn Mode 50

Managed Domains 53
  About Managed Domains 53
  Adding Managed Domains 54
  Deleting Managed Domains 54

Understanding Keys 55
  Key Modes 55
  Lotus Protector for Mail Encryption Server Supported Key Modes 57
  How Lotus Protector for Mail Encryption Server Uses Certificate Revocation Lists 58
  Key Reconstruction Blocks 58

Managing Organization Keys 61
  About Organization Keys 61
  Organization Key 61
  Inspecting the Organization Key 62
  Regenerating the Organization Key 63
  Importing an Organization Key 63
  Organization Certificate 64
  Inspecting the Organization Certificate 65
  Exporting the Organization Certificate 65
  Deleting the Organization Certificate 66
  Generating the Organization Certificate 66
  Importing the Organization Certificate 67
  Additional Decryption Key (ADK) 67
  Importing the ADK 68
  Inspecting the ADK 68
  Deleting the ADK 69
  Verified Directory Key 69
  Importing the Verified Directory Key 69
  Inspecting the Verified Directory Key 70
  Deleting the Verified Directory Key 70

Administering Managed Keys 71
  Managed Key Permissions 72
  Viewing Managed Keys 72

  Managed Key Information 73
  Email Addresses 76
  Subkeys 76
  Certificates 76
  Permissions 76
  Attributes 77
  Symmetric Key Series 78
  Symmetric Keys 80
  Custom Data Objects 81
  Exporting Consumer Keys 82
  Exporting the Managed Key of an Internal User 82
  Exporting the Managed Key of an External User 83
  Exporting Mail Encryption Verified Directory User Keys 84
  Exporting the Managed Key of a Managed Device 84
  Deleting Consumer Keys 85
  Deleting the Managed Key of an Internal User 85
  Deleting the Managed Key of an External User 85
  Deleting the Key of a Mail Encryption Verified Directory User 86
  Deleting the Managed Key of a Managed Device 86
  Approving Pending Keys 86
  Revoking Managed Keys 87

Managing Trusted Keys and Certificates 89
  Overview 89
  Trusted Keys 89
  Trusted Certificates 89
  Adding a Trusted Key or Certificate 90
  Inspecting and Changing Trusted Key Properties 91
  Deleting Trusted Keys and Certificates 91
  Searching for Trusted Keys and Certificates 92

Setting Mail Policy 93
  Overview 93
  How Policy Chains Work 94
  Mail Policy and Dictionaries 95
  Mail Policy and Key Searches 95
  Mail Policy and Cached Keys 96
  Understanding the Pre-Installed Policy Chains 96
  Mail Policy Outside the Mailflow 98
  Using the Rule Interface 98
  The Conditions Card 99
  The Actions Card 101
  Building Valid Chains and Rules 102
  Using Valid Processing Order 102
  Creating Valid Groups 103
  Creating a Valid Rule 104

  Managing Policy Chains 105
  Mail Policy Best Practices 105
  Restoring Mail Policy to Default Settings 106
  Editing Policy Chain Settings 106
  Adding Policy Chains 106
  Deleting Policy Chains 108
  Exporting Policy Chains 108
  Printing Policy Chains 109
  Managing Rules 109
  Adding Rules to Policy Chains 109
  Deleting Rules from Policy Chains 109
  Enabling and Disabling Rules 110
  Changing the Processing Order of the Rules 110
  Adding Key Searches 111
  Choosing Condition Statements, Conditions, and Actions 111
  Condition Statements 111
  Conditions 112
  Actions 119
  Working with Common Access Cards 133

Applying Key Not Found Settings to External Users 135
  Overview 135
  Bounce the Message 136
  Mail Encryption PDF Messenger 136
  Certified Delivery with Mail Encryption PDF Messenger 137
  Send Unencrypted 137
  Mail Encryption Smart Trailer 138
  Protector for Mail Encryption Web Messenger 139
  Changing Policy Settings 141
  Changing User Delivery Method Preference 141

Using Dictionaries with Policy 143
  Overview 143
  Default Dictionaries 144
  Editing Default Dictionaries 146
  User-Defined Dictionaries 147
  Adding a User-Defined Dictionary 147
  Editing a User-Defined Dictionary 148
  Deleting a Dictionary 148
  Exporting a Dictionary 149
  Searching the Dictionaries 149

Keyservers, SMTP Archive Servers, and Mail Policy 151
  Overview 151

  Keyservers 151
  Adding or Editing a Keyserver 152
  Deleting a Keyserver 154
  SMTP Servers 154
  Adding or Editing an Archive Server 154
  Deleting an Archive Server 155

Managing Keys in the Key Cache 157
  Overview 157
  Changing Cached Key Timeout 157
  Purging Keys from the Cache 158
  Trusting Cached Keys 158
  Viewing Cached Keys 158
  Searching the Key Cache 159

Configuring Mail Proxies 161
  Overview 161
  Lotus Protector for Mail Encryption Server and Mail Proxies 161
  Mail Proxies in a Gateway Placement 162
  Mail Proxies in an Internal Placement 164
  Mail Proxies Page 165
  Creating New or Editing Existing Proxies 165
  Creating or Editing a POP/IMAP Proxy 166
  Creating or Editing an Outbound SMTP Proxy 168
  Creating or Editing an Inbound SMTP Proxy 170
  Creating or Editing a Unified SMTP Proxy 172

Email in the Mail Queue 175
  Overview 175
  Deleting Messages from the Mail Queue 176

Specifying Mail Routes 177
  Overview 177
  Managing Mail Routes 178
  Adding a Mail Route 178
  Editing a Mail Route 179
  Deleting a Mail Route 179

Customizing System Message Templates 181
  Overview 181
  Templates and Message Size 182
  Mail Encryption PDF Messenger Templates 182
  Templates for New Protector for Mail Encryption Web Messenger Users 182
  Editing a Message Template 183

Managing Groups 185
  Understanding Groups 185
  Sorting Consumers into Groups 185
  Everyone Group 186
  Excluded Group 186
  Policy Group Order 187
  Setting Policy Group Order 187
  Creating a New Group 187
  Deleting a Group 188
  Viewing Group Members 188
  Manually Adding Group Members 189
  Manually Removing Members from a Group 189
  Group Permissions 190
  Adding Group Permissions 191
  Deleting Group Permissions 191
  Setting Group Membership 192
  Searching Groups 193
  Creating Group Client Installations 194
  How Group Policy is Assigned to PGP Desktop Installers 194
  Creating PGP Desktop Installers 195

Distributing the Lotus Protector for Mail Encryption Client 201
  Preparing the Lotus Protector for Mail Encryption Client for installation 201
  Editing the Notes.ini File 202
  Configuring the .MSI File 202
  Editing the PMEConf.dat File 203

Managing Devices 205
  Managed Devices 206
  Adding and Deleting Managed Devices 206
  Adding Managed Devices to Groups 207
  Managed Device Information 209
  Deleting Managed Devices from Lotus Protector for Mail Encryption Server 212
  Deleting Managed Devices from Groups 213

  WDE Devices (Computers and Disks) 214
  WDE Computers 214
  WDE Disks 216
  Searching for Devices 218

Administering Consumer Policy 221
  Understanding Consumer Policy 221
  Making Sure Users Create Strong Passphrases 222
  Understanding Entropy 222
  Using the Windows Preinstallation Environment 223
  X.509 Certificate Management in Lotus Notes Environments 223
  Trusting Certificates Created by Lotus Protector for Mail Encryption Server 224
  Setting the Lotus Notes Key Settings in Lotus Protector for Mail Encryption Server 226
  Technical Deployment Information 227
  Offline Policy 228
  Using a Policy ADK 229
  Out of Mail Stream Support 229
  Enrolling Users through Silent Enrollment 231
  Silent Enrollment with Windows 231
  Silent Enrollment with Mac OS X 232
  PGP Whole Disk Encryption Administration 232
  PGP Whole Disk Encryption on Mac OS X with FileVault 232
  How Does Single Sign-On Work? 233
  Enabling Single Sign-On 234
  Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 235
  Managing Clients Locally Using the PGP WDE Administrator Key 236
  Managing Consumer Policies 237
  Adding a Consumer Policy 237
  Editing a Consumer Policy 238
  Deleting a Consumer Policy 239

Setting Policy for Clients 241
  Client and Lotus Protector for Mail Encryption Server Version Compatibility 241
  Establishing PGP Desktop Settings for Your PGP Desktop Clients 242
  PGP Desktop Feature License Settings 243
  Controlling PGP Desktop Components 244
  PGP Portable 245
  PGP Mobile 245
  PGP NetShare 246
  How the PGP NetShare Policy Settings Work Together 246
  Multi-user environments and managing PGP NetShare 247
  Backing Up PGP NetShare-Protected Files 247

Using Directory Synchronization to Manage Consumers 249
  How Lotus Protector for Mail Encryption Server Uses Directory Synchronization 249
  Base DN and Bind DN 251
  Consumer Matching Rules 252
  Understanding User Enrollment Methods 252
  Before Creating a Client Installer 253
  Directory Enrollment 254
  Email Enrollment 256
  Enabling Directory Synchronization 258
  Adding or Editing an LDAP Directory 258
  The LDAP Servers Tab 260
  The Base Distinguished Name Tab 260
  The Consumer Matching Rules Tab 261
  Testing the LDAP Connection 261
  Using Sample Records to Configure LDAP Settings 261
  Deleting an LDAP Directory 262
  Setting LDAP Directory Order 262
  Directory Synchronization Settings 262

Managing User Accounts 265
  Understanding User Account Types 265
  Viewing User Accounts 265
  User Management Tasks 265
  Setting User Authentication 266
  Editing User Attributes 266
  Adding Users to Groups 266
  Editing User Permissions 267
  Deleting Users 267
  Searching for Users 268
  Viewing User Log Entries 268
  Changing Display Names and Usernames 268
  Exporting a User's X.509 Certificate 269
  Revoking a User's X.509 Certificate 269
  Managing User Keys 270
  Managing Internal User Accounts 271
  Importing Internal User Keys Manually 271
  Creating New Internal User Accounts 272
  Exporting PGP Whole Disk Encryption Login Failure Data 272
  Internal User Settings 273
  Managing External User Accounts 277
  Importing External Users 278
  Exporting Delivery Receipts 279
  External User Settings 279

  Managing Verified Directory User Accounts 281
  Importing Verified Directory Users 282
  Mail Encryption Verified Directory User Settings 282

Recovering Encrypted Data in an Enterprise Environment 285
  Using Key Reconstruction 285
  Recovering Encryption Key Material without Key Reconstruction 286
  Encryption Key Recovery of CKM Keys 286
  Encryption Key Recovery of GKM Keys 287
  Encryption Key Recovery of SCKM Keys 287
  Encryption Key Recovery of SKM Keys 288
  Using an Additional Decryption Key for Data Recovery 288

PGP Universal Satellite 291
  Overview 291
  Technical Information 292
  Distributing the PGP Universal Satellite Software 292
  Configuration 292
  Deployment Mode 292
  Key Mode 293
  PGP Universal Satellite Configurations 294
  Switching Key Modes 296
  Policy and Key or Certificate Retrieval 296
  Retrieving Lost Policies 297
  Retrieving Lost Keys or Certificates 298

PGP Universal Satellite for Windows 301
  Overview 301
  System Requirements 302
  Obtaining the Installer 302
  Installation 302
  Updates 303
  Files 303
  MAPI Support 304
  External MAPI Configuration 304
  Lotus Notes Support 305
  External Lotus Notes Configuration 305

PGP Universal Satellite for Mac OS X 307
  Overview 307
  System Requirements 307
  Obtaining the Installer 308

  Files 309

Configuring Protector for Mail Encryption Web Messenger 311
  Overview 311
  Protector for Mail Encryption Web Messenger and Clustering 312
  External Authentication 313
  Customizing Protector for Mail Encryption Web Messenger 314
  Adding a New Template 315
  Troubleshooting Customization 319
  Changing the Active Template 322
  Deleting a Template 322
  Editing a Template 323
  Downloading Template Files 323
  Restoring to Factory Defaults 323
  Configuring the Protector for Mail Encryption Web Messenger Service 324
  Starting and Stopping Protector for Mail Encryption Web Messenger 324
  Selecting the Protector for Mail Encryption Web Messenger Network Interface 325
  Setting Up External Authentication 326
  Creating Settings for Protector for Mail Encryption Web Messenger User Accounts 327
  Setting Message Replication in a Cluster 329

Configuring the Integrated Keyserver 331
  Overview 331
  Starting and Stopping the Keyserver Service 331
  Configuring the Keyserver Service 332

Configuring the Mail Encryption Verified Directory 335
  Overview 335
  Starting and Stopping the Mail Encryption Verified Directory 336
  Configuring the Mail Encryption Verified Directory 336

Managing the Certificate Revocation List Service 339
  Overview 339
  Starting and Stopping the CRL Service 339
  Editing CRL Service Settings 340

Configuring Universal Services Protocol 341
  Starting and Stopping USP 341
  Adding USP Interfaces 341

System Graphs 343
  Overview 343
  CPU Usage 343
  Message Activity 344
  Whole Disk Encryption 344
  Recipient Statistics 345
  Recipient Domain Statistics 345

System Logs 347
  Overview 347
  Filtering the Log View 348
  Searching the Log Files 349
  Exporting a Log File 349
  Enabling External Logging 350

Configuring SNMP Monitoring 351
  Overview 351
  Starting and Stopping SNMP Monitoring 352
  Configuring the SNMP Service 352
  Downloading the Custom MIB File 353

Shutting Down and Restarting Services and Power 355
  Overview 355
  Server Information 355
  Setting the Time 355
  Updating Software 356
  Licensing a Lotus Protector for Mail Encryption Server 356
  Downloading the Release Notes 357
  Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Software Services 357
  Shutting Down and Restarting the Lotus Protector for Mail Encryption Server Hardware 358

Managing Administrator Accounts 359
  Overview 359
  Administrator Roles 360
  Administrator Authentication 360
  Creating a New Administrator 361
  Importing SSH v2 Keys 362
  Deleting Administrators 362
  Inspecting and Changing the Settings of an Administrator 363
  Configuring RSA SecurID Authentication 364

  Resetting SecurID PINs 365
  Daily Status Email 366

Protecting Lotus Protector for Mail Encryption Server with Ignition Keys 369
  Overview 369
  Ignition Keys and Clustering 371
  Preparing Hardware Tokens to be Ignition Keys 371
  Configuring a Hardware Token Ignition Key 373
  Configuring a Soft-Ignition Passphrase Ignition Key 373
  Deleting Ignition Keys 374

Backing Up and Restoring System and User Data 375
  Overview 375
  Creating Backups 376
  Scheduling Backups 376
  Performing On-Demand Backups 376
  Configuring the Backup Location 376
  Restoring From a Backup 378
  Restoring On-Demand 378
  Restoring Configuration 378
  Restoring from a Different Version 379

Updating Lotus Protector for Mail Encryption Server Software 381
  Overview 381
  Inspecting Update Packages 382

Setting Network Interfaces 383
  Understanding the Network Settings 383
  Connecting to a Proxy Server 384
  Changing Interface Settings 385
  Adding Interface Settings 385
  Deleting Interface Settings 385
  Editing Global Network Settings 386
  Assigning a Certificate 386
  Working with Certificates 386
  Importing an Existing Certificate 387
  Generating a Certificate Request 388
  Adding a Pending Certificate 389
  Inspecting a Certificate 389
  Exporting a Certificate 389
  Deleting a Certificate 390

Clustering your Lotus Protector for Mail Encryption Servers 391
  Overview 391
  Cluster Status 392
  Creating a Cluster 393
  Deleting Cluster Members 395
  Clustering and Protector for Mail Encryption Web Messenger 395
  Managing Settings for Cluster Members 396
  Changing Network Settings in Clusters 398

1 Introduction

This Administrator's Guide describes both the IBM® Lotus Protector for Mail Encryption Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of Lotus Protector for Mail Encryption Server.

Sections of the Lotus Protector for Mail Encryption Server Administrator's Guide refer to management of PGP Whole Disk Encryption, PGP Portable, PGP NetShare, and other PGP Desktop client products. The PGP Desktop products encrypt data on disks, removable media, and mobile devices as well as secure files for collaborating teams, and they can be fully managed by the Lotus Protector for Mail Encryption Server. However, these PGP products must be purchased separately (from PGP Corporation) to be deployed and managed by the Lotus Protector for Mail Encryption Server.

What is Lotus Protector for Mail Encryption Server

With Lotus Protector for Mail Encryption Server management server, you can manage your organization's security policies, users, keys and configurations, deliver messages to external recipients with or without encryption keys, and defend sensitive data to avoid the financial loss, legal ramifications, and brand damage resulting from a data breach.

Lotus Protector for Mail Encryption Server automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA. The Lotus Protector for Mail Encryption Server encrypts, decrypts, signs, and verifies messages automatically, providing strong security through policies you control.

Lotus Protector for Mail Encryption Client provides IBM Lotus® enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications, managed by the Lotus Protector for Mail Encryption Server. Lotus Notes® offers a native encryption solution for secure messaging within an organization. While Lotus Protector for Mail Encryption Client can be used for internal-to-internal secure messaging, it is intended to secure the internal component of a message which is being delivered to an external recipient. With Lotus Protector for Mail Encryption Client, you can minimize the risk of a data breach and better comply with partner and regulatory mandates for information security and privacy.


The management capabilities of the Lotus Protector for Mail Encryption Server can be extended to managing the PGP Desktop applications that provide encryption of data on disks, removable media, and mobile devices as well as security of files for collaborating teams.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who implement and maintain your organization’s Lotus Protector for Mail Encryption Server environment. These are the Lotus Protector for Mail Encryption Server administrators.

This guide is also intended for anyone else who wants to learn about how Lotus Protector for Mail Encryption Server works.

Symbols

Notes, Cautions, and Warnings are used in the following ways.

Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.

Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.

Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional information about Lotus Protector for Mail Encryption Server and how to obtain support, see Lotus Protector for Mail Encryption (http://www.ibm.com/software/lotus/products/protector/mailencryption/).


2 The Big Picture

This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your Lotus Protector for Mail Encryption Server environment.

Important Terms

The following sections define important terms you will encounter throughout the Lotus Protector for Mail Encryption Server and this documentation.

Overview of Products

• Lotus Protector for Mail Encryption Server: A device you add to your network that provides secure messaging with little or no user interaction. The Lotus Protector for Mail Encryption Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.

• PGP Global Directory: A free, public keyserver hosted by PGP Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages.

For external users without encryption keys, Lotus Protector for Mail Encryption Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such as a web browser or Adobe Acrobat Reader. For email recipients who do not have an encryption solution, you can use one of the following secure delivery options from Lotus Protector for Mail Encryption Server:

• PGP Universal Satellite: The PGP Universal Satellite software resides on the computer of an external email user. It allows email to be encrypted end to end, all the way to and from the desktop. Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their keys on their local computers (if allowed by the administrator).


• Protector for Mail Encryption Web Messenger: The Protector for Mail Encryption Web Messenger service allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If Protector for Mail Encryption Web Messenger is available via mail policy for a user and the recipient's key cannot be found, the message is stored on the Lotus Protector for Mail Encryption Server and an unprotected message is sent to the recipient. The unprotected message includes a link to the original message, held on the Lotus Protector for Mail Encryption Server. The recipient must create a passphrase, and then can access his encrypted messages stored on Lotus Protector for Mail Encryption Server.

• Mail Encryption PDF Messenger: Mail Encryption PDF Messenger enables sending encrypted PDF messages to external users who do not have a relationship with the SMSA. In the normal mode, as with Protector for Mail Encryption Web Messenger, the user receives a message with a link to the encrypted message location and uses a Protector for Mail Encryption Web Messenger passphrase to access the message. Mail Encryption PDF Messenger also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.

• Lotus Protector for Mail Encryption Client: Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications. Lotus Notes offers a native encryption solution for secure messaging within an organization. While Lotus Protector for Mail Encryption Client can be used for internal-to-internal secure messaging, it is intended to secure the internal component of a message which is being delivered to an external recipient. With Lotus Protector for Mail Encryption Client, you can minimize the risk of a data breach and better comply with partner and regulatory mandates for information security and privacy.

Separately-licensed PGP products:

• PGP Desktop: A client software tool that uses cryptography to protect your data against unauthorized access. PGP Desktop is available for Windows® and Mac OS® X. It can include the following components, depending upon the features you license:

  • PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP Desktop that encrypts your entire hard drive or partition, including your boot record, thus protecting all your files when you are not using them. PGP Whole Disk Encryption is also available for selected Linux® systems.


IBM Lotus Protector for Mail Encryption Server The Big Picture

  • PGP NetShare: A feature of PGP Desktop for Windows with which you can securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.

  • PGP Virtual Disk: PGP Virtual Disk volumes are a feature of PGP Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume.

  • PGP Zip: A feature of PGP Desktop that lets you put any combination of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.

  • PGP Portable: A separately-licensed feature that enables you to send encrypted files to users who do not have PGP Desktop software, and to transport files securely to systems that do not or cannot have PGP software installed.

Lotus Protector for Mail Encryption Server Concepts

• keys.<domain> convention: If no valid public key is found locally to secure a message, Lotus Protector for Mail Encryption Server automatically looks for valid public keys for email recipients at a special hostname, keys.<domain> (where <domain> is the email domain of the recipient). For example, Example Corporation's externally visible Lotus Protector for Mail Encryption Server is named keys.example.com. IBM® Corporation strongly recommends you name your externally visible Lotus Protector for Mail Encryption Server according to this convention because it allows other Lotus Protector for Mail Encryption Servers to easily find valid public keys for email recipients in your domain.

For more information, see Naming your Lotus Protector for Mail Encryption Server (on page 33).

• Security Architecture: Behind the scenes, the Lotus Protector for Mail Encryption Server creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).


Lotus Protector for Mail Encryption Server Features

• Administrative Interface: Each Lotus Protector for Mail Encryption Server is controlled via a Web-based administrative interface. The administrative interface gives you control over Lotus Protector for Mail Encryption Server. While many settings are initially established using the web-based Setup Assistant, all settings of a Lotus Protector for Mail Encryption Server can be controlled via the administrative interface.

• Backup and Restore: Because full backups of the data stored on your Lotus Protector for Mail Encryption Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your Lotus Protector for Mail Encryption Server data or manually perform a backup.

You can fully restore a Lotus Protector for Mail Encryption Server from a backup. In the event of a minor problem, you can restore the Lotus Protector for Mail Encryption Server to any saved backup. In the event that a Lotus Protector for Mail Encryption Server is no longer usable, you can restore its data from a backup onto a new Lotus Protector for Mail Encryption Server during initial setup of the new Lotus Protector for Mail Encryption Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the Lotus Protector for Mail Encryption Server.

• Cluster: When you have two or more Lotus Protector for Mail Encryption Servers in your network, you configure them to synchronize with each other; this is called a "cluster."

• Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with mail policy to allow you to define content lists that can trigger rules.

• Directory Synchronization: If you have LDAP directories in your organization, your Lotus Protector for Mail Encryption Server can be synchronized with the directories. The Lotus Protector for Mail Encryption Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories.

• Ignition Keys: You can protect the contents of a Lotus Protector for Mail Encryption Server, even if the hardware is stolen, by requiring the use of a hardware token or a software passphrase, or both, on start.

• Keyserver: Each Lotus Protector for Mail Encryption Server includes an integrated keyserver populated with the public keys of your internal users. When an external user sends a message to an internal user, the external Lotus Protector for Mail Encryption Server goes to the keyserver to find the public key of the recipient to use to secure the message. The Lotus Protector for Mail Encryption Server administrator can enable or disable the service, and control access to it via the administrative interface.


• Learn Mode: When you finish configuring a Lotus Protector for Mail Encryption Server using the Setup Assistant, it begins in Learn Mode, where the Lotus Protector for Mail Encryption Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages.

Learn Mode gives the Lotus Protector for Mail Encryption Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when Learn Mode is turned off, the Lotus Protector for Mail Encryption Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product.

You should check the logs of the Lotus Protector for Mail Encryption Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the Lotus Protector for Mail Encryption Server's policies while it is in Learn Mode until things are working as expected.

• Mail Policy: The Lotus Protector for Mail Encryption Server processes email messages based on the policies you establish. Mail policy applies to inbound and outbound email processed by both Lotus Protector for Mail Encryption Server and client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules.

• Organization Certificate: You must create or obtain an Organization Certificate to enable S/MIME support by Lotus Protector for Mail Encryption Server. The Organization Certificate signs all X.509 certificates the server creates.

• Organization Key: The Setup Assistant automatically creates an Organization Key (actually a keypair) when it configures a Lotus Protector for Mail Encryption Server. The Organization Key is used to sign all PGP keys the Lotus Protector for Mail Encryption Server creates and to encrypt Lotus Protector for Mail Encryption Server backups.

Caution: It is extremely important to back up your Organization Key: all keys the Lotus Protector for Mail Encryption Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.

• Mail Encryption Verified Directory: The Mail Encryption Verified Directory supplements the internal keyserver by letting internal and external users manage the publishing of their own public keys. The Mail Encryption Verified Directory also serves as a replacement for the PGP Keyserver product. The Mail Encryption Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted.

• Server Placement: A Lotus Protector for Mail Encryption Server can be placed in one of two locations in your network to process email.


With an internal placement, the Lotus Protector for Mail Encryption Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).

With a gateway placement, the Lotus Protector for Mail Encryption Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured.

For more information, see Configuring Mail Proxies (on page 161) and the Lotus Protector for Mail Encryption Server Installation Guide.

• Setup Assistant: When you attempt to log in for the first time to the administrative interface of a Lotus Protector for Mail Encryption Server, the Setup Assistant takes you through the configuration of that Lotus Protector for Mail Encryption Server.

Lotus Protector for Mail Encryption Server User Types

• Administrators: Any user who manages the Lotus Protector for Mail Encryption Server and its security configuration from inside the internal network.

Only administrators are allowed to access the administrative interface that controls Lotus Protector for Mail Encryption Server. A Lotus Protector for Mail Encryption Server supports multiple administrators, each of which can be assigned a different authority: from read-only access to full control over every feature and function.

• Consumers: Internal, external, and Verified Directory users, and devices.

• External Users: External users are email users from other domains (domains not being managed by your Lotus Protector for Mail Encryption Server) who have been added to the SMSA.

• Internal Users: Internal users are email users from the domains being managed by your Lotus Protector for Mail Encryption Server.

Lotus Protector for Mail Encryption Server allows you to manage PGP Desktop deployments to your internal users. The administrator can control which PGP Desktop features are automatically implemented at install, and establish and update security policy for PGP Desktop users that those users cannot override (except on the side of being more secure).

• Mail Encryption Verified Directory Users: Internal and external users who have submitted their public keys to the Mail Encryption Verified Directory, a Web-accessible keyserver.


• Devices: Managed devices, WDE computers, and WDE disks. Managed devices are arbitrary objects whose keys are managed by Lotus Protector for Mail Encryption Server. WDE computers and WDE disks are devices that are detected when users enroll.

• Other Email Users: Users within your organization can securely send email to recipients outside the SMSA.

First, the Lotus Protector for Mail Encryption Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Mail Encryption Smart Trailer, and Protector for Mail Encryption Web Messenger mail.

Mail Encryption Smart Trailer sends the message unencrypted and adds text giving the recipient the option of joining the SMSA by installing PGP Universal Satellite, using an existing key or certificate, or using Protector for Mail Encryption Web Messenger. Protector for Mail Encryption Web Messenger lets the recipient securely read the message on a secure website; it also gives the recipient options for handling subsequent messages from the same domain: read the messages on a secure website using a passphrase they establish, install PGP Universal Satellite, or add an existing key or certificate to the SMSA.

Installation Overview

The following steps are a broad overview of what it takes to plan, set up, and maintain your Lotus Protector for Mail Encryption Server environment. Steps 1 and 4 are described in the Lotus Protector for Mail Encryption Server Installation Guide. The remaining tasks are described in this book.

Note that these steps apply to the installation of a new, stand-alone Lotus Protector for Mail Encryption Server. If you plan to install a cluster, you must install and configure one Lotus Protector for Mail Encryption Server following the steps outlined here. Subsequent cluster members will receive most of their configuration settings from the initial Lotus Protector for Mail Encryption Server through data replication.

1 Plan where in your network you want to locate your Lotus Protector for Mail Encryption Server(s).

Where you put Lotus Protector for Mail Encryption Servers in your network, how many Lotus Protector for Mail Encryption Servers you have in your network, and other factors all have a major impact on how you add them to your existing network.

Create a diagram of your network that includes all network components and shows how email flows; this diagram details how adding a Lotus Protector for Mail Encryption Server impacts your network.

For more information on planning how to add Lotus Protector for Mail Encryption Servers to your existing network, see Adding the Lotus Protector for Mail Encryption Server to Your Network in the Lotus Protector for Mail Encryption Server Installation Guide.

2 Perform necessary DNS changes.

Add IP addresses for your Lotus Protector for Mail Encryption Servers, an alias to your keyserver, update the MX record if necessary, add keys.<domain>, hostnames of potential Secondary servers for a cluster, and so on.

Properly configured DNS settings (including root servers and appropriate reverse lookup records) are required to support Lotus Protector for Mail Encryption Server. Make sure both host and pointer records are correct. IP addresses must be resolvable to hostnames, as well as hostnames resolvable to IP addresses.
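The two requirements in this step (every server address round-trips between host and pointer records, and keys.<domain> resolves to a Mail Encryption Server for each managed domain) are easy to check mechanically before running the Setup Assistant. The following script is an added example, not part of the guide or the product: the records in SAMPLE_A and SAMPLE_PTR are constructed sample data, and the check functions take resolver callables so the same logic can be run against live DNS by passing live_forward and live_reverse (plain stdlib socket lookups) instead of the sample dictionaries.

```python
"""Forward/reverse DNS consistency and keys.<domain> checks for a Mail Encryption
Server deployment. Added example; sample records are constructed, not real."""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

Forward = Callable[[str], Optional[str]]   # hostname -> IP address, or None
Reverse = Callable[[str], Optional[str]]   # IP address -> hostname, or None

# Constructed sample zone data (documentation addresses, not real infrastructure).
SAMPLE_A: Dict[str, str] = {
    "keys.example.com": "192.0.2.10",      # externally visible Mail Encryption Server
    "mailenc2.example.com": "192.0.2.11",  # second cluster member
    "mail.example.com": "192.0.2.20",      # existing mail server the proxy relays to
}
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "keys.example.com",
    "192.0.2.11": "mailenc2.internal.example.com",  # deliberate mismatch
    # 192.0.2.20 deliberately has no PTR record
}


def check_dns(hosts: Iterable[str], forward: Forward, reverse: Reverse) -> List[str]:
    """Return one problem string per host whose A/PTR records do not round-trip."""
    problems: List[str] = []
    for host in hosts:
        ip = forward(host)
        if ip is None:
            problems.append(f"{host}: no A record")
            continue
        name = reverse(ip)
        if name is None:
            problems.append(f"{host}: {ip} has no PTR record")
        elif name.lower().rstrip(".") != host.lower():
            problems.append(f"{host}: PTR for {ip} is {name}, not {host}")
    return problems


def check_keys_convention(managed_domains: Iterable[str], forward: Forward,
                          server_ips: Set[str]) -> List[str]:
    """Each managed email domain needs keys.<domain> pointing at one of our servers."""
    problems: List[str] = []
    for domain in managed_domains:
        name = f"keys.{domain}"
        ip = forward(name)
        if ip is None:
            problems.append(f"{name}: does not resolve")
        elif ip not in server_ips:
            problems.append(f"{name}: resolves to {ip}, not a Mail Encryption Server")
    return problems


def live_forward(host: str) -> Optional[str]:
    """System-resolver forward lookup; swap in for SAMPLE_A.get to check real DNS."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """System-resolver reverse lookup; swap in for SAMPLE_PTR.get to check real DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    report = check_dns(SAMPLE_A, SAMPLE_A.get, SAMPLE_PTR.get)
    report += check_keys_convention(["example.com", "corp.example.com"],
                                    SAMPLE_A.get, {"192.0.2.10", "192.0.2.11"})
    print("\n".join(report) or "DNS looks consistent")
```

On the sample data the script reports the mismatched PTR for the second cluster member, the missing PTR for the mail server, and the absent keys.corp.example.com record; an empty report is the state to reach before setup.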

3 Prepare a hardware token Ignition Key.

If you want to add a hardware token Ignition Key during setup, install the drivers and configure the token before you begin the Lotus Protector for Mail Encryption Server setup process. See Protecting Lotus Protector for Mail Encryption Server with Ignition Keys (on page 369) for information on how to prepare a hardware token Ignition Key.

Note: In a cluster, the Ignition Key configured on the first Lotus Protector for Mail Encryption Server in the cluster will also apply to the subsequent members of the cluster.

4 Install and configure this Lotus Protector for Mail Encryption Server.

The Setup Assistant runs automatically when you first access the administrative interface for the Lotus Protector for Mail Encryption Server. The Setup Assistant is where you can set or confirm a number of basic settings such as your network settings, administrator password, server placement option, mail server address and so on.

To configure multiple servers as a cluster, you must configure one server first in the normal manner, then add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the Lotus Protector for Mail Encryption Server administrative interface.

For more information, see Setting Up the Lotus Protector for Mail Encryption Server in the Lotus Protector for Mail Encryption Server Installation Guide.

5 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate.

You can create a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self-signed, however, it might not be trusted by email or Web browser clients. IBM Corporation recommends that you obtain a valid SSL/TLS certificate for each of your Lotus Protector for Mail Encryption Servers from a reputable Certificate Authority.


This is especially important for Lotus Protector for Mail Encryption Servers that are accessed publicly. Older Web browsers might reject self-signed certificates or not know how to handle them correctly when they encounter them via Protector for Mail Encryption Web Messenger or Mail Encryption Smart Trailer.

For more information, see Working with Certificates (on page 386).

6 Configure the Directory Synchronization feature to synchronize an LDAP directory with your Lotus Protector for Mail Encryption Server.

You must have an LDAP directory configured and Directory Synchronization enabled for user enrollment to work. By default user enrollment assumes that you have an LDAP directory configured.

There are two parts to configuring LDAP for user enrollment:

• You must have LDAP enabled on the Domino® server with which the Lotus Protector for Mail Encryption Server is communicating.

• To enable LDAP in the Lotus Protector for Mail Encryption Server, do the following:

  • Log in to the Lotus Protector for Mail Encryption Server administrative interface, go to Consumers > Directory Synchronization, and click Add LDAP Directory...

  • Provide information about your LDAP directory: the credentials to use to contact the LDAP server (the Bind DN), the addressing information of the server (hostname, port, and protocol), and one or more Base DNs to use for lookup.

  • Make sure you have Open LDAP selected as the directory type.

  • When you have tested that Lotus Protector for Mail Encryption Server can communicate with the LDAP directory, you can enable directory synchronization on the Consumers > Directory Synchronization page.

For more detailed information, see Using Directory Synchronization to Manage Users (on page 249).

7 Add trusted keys, configure internal and external user policy, and establish mail policy.

All these settings are important for secure operation of Lotus Protector for Mail Encryption Server.

• For more information on adding trusted keys from outside the SMSA, see Managing Trusted Keys and Certificates (on page 89).

• For more information about user policy settings, see Setting Internal User Policy and Setting External User Policy.

• For information on setting up mail policy, see Setting Mail Policy (on page 93).


Note: When setting policy for Consumers, Lotus Protector for Mail Encryption Server provides an option called Out of Mail Stream (OOMS) support. OOMS specifies how the email gets transmitted from the client to the server when Lotus Protector for Mail Encryption Client cannot find a key for the recipient and therefore cannot encrypt the message.

OOMS is enabled by default, as this is the most secure setting. With OOMS enabled, sensitive messages that can't be encrypted locally are sent to Lotus Protector for Mail Encryption Server "out of the mail stream." Lotus Protector for Mail Encryption Client creates a separate, encrypted network connection to the Lotus Protector for Mail Encryption Server to transmit the message. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will not see these messages.

You can elect to disable OOMS, which means that sensitive messages that can't be encrypted locally are sent to Lotus Protector for Mail Encryption Server "in the mail stream" like normal email. Importantly, this email is sent in the clear (unencrypted). Mail or network administrators could read these messages by accessing the mail server's storage or monitoring network traffic. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will process these messages normally.

During your configuration of your Lotus Protector for Mail Encryption Server you should determine the appropriate settings for your requirements. This option can be set separately for each policy group, and is set through the Consumer Policy settings. For more details on the effects of enabling or disabling OOMS, see Out of Mail Stream Support (on page 229).

8 Add your Domino domain as a managed domain.

Usually, you specify your Internet domain during installation through the Setup Assistant. If your Lotus Protector for Mail Encryption Server is also managing a Domino server, you must add your Domino domain name manually through the Managed Domains page (Consumers > Managed Domains).

9 Reconfigure the settings of your email clients and servers, if necessary.

Depending on how you are adding the Lotus Protector for Mail Encryption Server to your network, some setting changes might be necessary. For example, if you are using a Lotus Protector for Mail Encryption Server placed internally, the email clients must have SMTP authentication turned on. For Lotus Protector for Mail Encryption Servers placed externally, you must configure your mail server to relay SMTP traffic to the Lotus Protector for Mail Encryption Server.


10 Enable SNMP Polling and Traps.

You can configure Lotus Protector for Mail Encryption Server to allow network management applications to monitor system information for the device on which Lotus Protector for Mail Encryption Server is installed and to send system and application information to an external destination. See

Configuring SNMP Monitoring (on page 351) in the Lotus Protector for Mail Encryption Server Administrator's Guide for more information.

11 Configure and distribute Lotus Protector for Mail Encryption Client to your users as appropriate.

Lotus Protector for Mail Encryption Client provides IBM Lotus enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications.

Before you can distribute the Lotus Protector for Mail Encryption Client installation file, you need to make the location of the Lotus Protector for Mail Encryption Server available to the client software. For more information, see Distributing the Lotus Protector for Mail Encryption Client (on page 201).

12 Analyze the data from Learn Mode.

In Learn Mode, your Lotus Protector for Mail Encryption Server sends messages through mail policy without actually taking action on the messages, decrypts and verifies incoming messages when possible, and dynamically creates a SMSA. You can see what the Lotus Protector for Mail Encryption Server would have done without Learn Mode by monitoring the system logs.

Learn Mode lets you become familiar with how the Lotus Protector for Mail Encryption Server operates and it lets you see the effects of the policy settings you have established before the Lotus Protector for Mail

Encryption Server actually goes live on your network. Naturally, you can fine tune settings while in Learn Mode, so that the Lotus Protector for Mail Encryption Server is operating just how you want before you go live. For more information, see Operating in Learn Mode (on page 49).

13 Adjust policies as necessary.

It might take a few tries to get everything working just the way you want. For example, you might need to revise your mail policy.

14 Perform backups of all Lotus Protector for Mail Encryption Servers before you take them out of Learn Mode.

This gives you a baseline backup in case you need to return to a clean installation. For more information, see Backing Up and Restoring System and User Data (on page 375).


15 Take your Lotus Protector for Mail Encryption Servers out of Learn Mode.

Once this is done, email messages are encrypted, signed, and decrypted/verified, according to the relevant policy rules. Make sure you have licensed each of your Lotus Protector for Mail Encryption Servers; you cannot take a Lotus Protector for Mail Encryption Server out of Learn Mode until it has been licensed.

16 Monitor the system logs to make sure your Lotus Protector for Mail Encryption Server environment is operating as expected.

3 Open Ports

This chapter lists and describes the ports a Lotus Protector for Mail Encryption Server has open and on which it is listening.

TCP Ports

Port  Protocol/Service                                        Comment
21    FTP (File Transfer Protocol)                            Used for transmitting encrypted backup archives to other servers. Data is sent via passive FTP, so port 20 (FTP Data) is not used.
22    OpenSSH (Secure Shell)                                  Used for remote shell access to the server for low-level system administration.
25    SMTP (Simple Mail Transfer Protocol)                    Used for sending mail. With a gateway placement, the Lotus Protector for Mail Encryption Server listens on port 25 for both incoming and outgoing SMTP traffic.
80    HTTP (HyperText Transfer Protocol)                      Used to allow user access to the Mail Encryption Verified Directory. If the Mail Encryption Verified Directory is not enabled, access on this port is automatically redirected to port 443 over HTTPS. Also used for Universal Services Protocol (USP) keyserver connections.
110   POP (Post Office Protocol)                              Used for retrieving mail by users with POP accounts, with internal placements only. Closed for gateway placements.
143   IMAP (Internet Message Access Protocol)                 Used for retrieving mail by users with IMAP accounts, with internal placements only. Closed for gateway placements.
389   LDAP (Lightweight Directory Access Protocol)            Used to allow remote hosts to look up public keys of local users.
443   HTTPS (HyperText Transfer Protocol, Secure)             Used for PGP Desktop and PGP Universal Satellite policy distribution and for Protector for Mail Encryption Web Messenger access. Also used for access over HTTPS if the Verified Directory is not enabled, and for Universal Services Protocol (USP) over SSL for keyserver connections.
444   SOAPS (Simple Object Access Protocol, Secure)           Used for cluster replication messages.
465   SMTPS (Simple Mail Transfer Protocol, Secure)           Used for sending mail securely, with internal placements only. Closed for gateway placements. This is a non-standard port used only by legacy mail servers; we recommend not using this port and instead always using STARTTLS on port 25.
636   LDAPS (Lightweight Directory Access Protocol, Secure)   Used to securely allow remote hosts to look up public keys of local users.
993   IMAPS (Internet Message Access Protocol, Secure)        Used for retrieving mail securely by users with IMAP accounts, with internal placements only. Closed for gateway placements.
995   POPS (Post Office Protocol, Secure)                     Used for retrieving mail securely by users with POP accounts, with internal placements only. Closed for gateway placements.
9000  HTTPS (HyperText Transfer Protocol, Secure)             Used to allow access to the Lotus Protector for Mail Encryption Server administrative interface.


UDP Ports

Port  Protocol/Service                            Comment
123   NTP (Network Time Protocol)                 Used to synchronize the system's clock with a reference time source on a different server.
161   SNMP (Simple Network Management Protocol)   Used by network management applications to query the health and activities of Lotus Protector for Mail Encryption Server software and the computer on which it is installed.
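The two tables above are a baseline: a port scan of a deployed server should show exactly these listeners for its placement, and anything else (or a POP/IMAP listener on a gateway placement) needs explaining. The following script is an added example, not part of the guide or the product. It encodes the tables by placement, parses the greppable (-oG) output format of nmap (an assumption about the scanner; the page itself names no tool), and reports unexpected and missing listeners. SAMPLE_SCAN is constructed sample output, not a real scan.

```python
"""Audit a port scan of a Lotus Protector for Mail Encryption Server against the
listeners documented in the Open Ports chapter. Added example; scan is constructed."""
import re
from typing import Dict, Set, Tuple

# TCP listeners documented for both placements.
COMMON_TCP = {21, 22, 25, 80, 389, 443, 444, 636, 9000}
# Mail-pickup listeners documented as open with an internal placement only.
INTERNAL_ONLY_TCP = {110, 143, 465, 993, 995}
EXPECTED_UDP = {123, 161}

# Constructed sample nmap -oG output for a gateway-placed server: POP3 on 110
# and an unknown listener on 8080 are open, the FTP listener is absent, and
# SNMP came back open|filtered (the usual ambiguous UDP result).
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -sU -oG - 192.0.2.10
Host: 192.0.2.10 (keys.example.com)\tStatus: Up
Host: 192.0.2.10 (keys.example.com)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 110/open/tcp//pop3///, 389/open/tcp//ldap///, 443/open/tcp//https///, 444/open/tcp//snpp///, 636/open/tcp//ldapssl///, 8080/open/tcp//http-proxy///, 9000/open/tcp//cslistener///, 123/open/udp//ntp///, 161/open|filtered/udp//snmp///\tIgnored State: closed (988)
# Nmap done
"""

# port/state/protocol, e.g. "161/open|filtered/udp/"
_PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/")


def expected_ports(placement: str) -> Dict[str, Set[int]]:
    """Documented listeners for an 'internal' or 'gateway' placement."""
    if placement not in ("internal", "gateway"):
        raise ValueError(f"unknown placement: {placement!r}")
    tcp = set(COMMON_TCP)
    if placement == "internal":
        tcp |= INTERNAL_ONLY_TCP
    return {"tcp": tcp, "udp": set(EXPECTED_UDP)}


def parse_greppable(output: str) -> Dict[str, Set[int]]:
    """Collect ports reported 'open' from nmap -oG output.

    'open|filtered' is not counted as open: confirm such ports separately
    instead of assuming the listener is there.
    """
    found: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in _PORT_RE.findall(ports_field):
            if state == "open":
                found[proto].add(int(port))
    return found


def audit(scan: Dict[str, Set[int]], placement: str
          ) -> Tuple[Dict[str, Set[int]], Dict[str, Set[int]]]:
    """Return (unexpected, missing) listener sets per protocol for the placement.

    Unexpected listeners need an explanation; on a gateway placement an open
    POP or IMAP port usually means the server placement option is wrong.
    Missing listeners may simply be services you disabled, but check them.
    """
    expected = expected_ports(placement)
    unexpected = {p: scan[p] - expected[p] for p in ("tcp", "udp")}
    missing = {p: expected[p] - scan[p] for p in ("tcp", "udp")}
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(parse_greppable(SAMPLE_SCAN), "gateway")
    for proto in ("tcp", "udp"):
        print(f"{proto}: unexpected {sorted(unexpected[proto])}, "
              f"missing {sorted(missing[proto])}")
```

Run against the sample as a gateway placement, the audit flags TCP 110 and 8080 as unexpected and TCP 21 and UDP 161 as missing; the same scan judged as an internal placement flags only 8080.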

4 Naming your Lotus Protector for Mail Encryption Server

This section describes how and why to name your Lotus Protector for Mail Encryption Server using the keys.<domain> convention.

Considering a Name for Your Lotus Protector for Mail Encryption Server

Unless a valid public key is found locally, Lotus Protector for Mail Encryption Servers automatically look for valid public keys for email recipients by attempting to contact a keyserver at a special hostname, keys.<domain>, where <domain> is the email domain of the recipient.

For example, an internal user at example.com is sending email to "susan@widgetcorp.com." If no valid public key for Susan is found on the Example Corp. Lotus Protector for Mail Encryption Server (keys would be found locally if they are cached, or if Susan was an external user who explicitly supplied her key via the Protector for Mail Encryption Web Messenger service), it automatically looks for a valid public key for Susan at keys.widgetcorp.com, even if there is no domain policy for widgetcorp.com on Example's Lotus Protector for Mail Encryption Server.

Naturally, the Example Corp. Lotus Protector for Mail Encryption Server can only find a valid public key for "susan@widgetcorp.com" at keys.widgetcorp.com if the Widgetcorp Lotus Protector for Mail Encryption Server is named using the keys.<domain> convention.

Caution: IBM Corporation strongly recommends you name your Lotus Protector for Mail Encryption Server according to this convention, because doing so allows other Lotus Protector for Mail Encryption Servers to easily find valid public keys for email recipients in your domain. Make sure to name your externally visible Lotus Protector for Mail Encryption Server using this convention.

If your organization uses email addresses such as “[email protected]” as well as “[email protected],” then you need your Lotus Protector for Mail Encryption Server to be reachable at both keys.example.com and


If you have multiple Lotus Protector for Mail Encryption Servers in a cluster managing an email domain, only one of those Lotus Protector for Mail Encryption Servers needs to use the keys.<domain> convention.

Note: Keys that are found using the keys.<domain> convention are treated as valid and trusted by default.

Alternatively, keys.<domain> can be the address of a load-balancing device which then distributes connections to your Lotus Protector for Mail Encryption Server's keyserver service. The ports that would need to be load-balanced are the ones on which you are running your keyserver service (typically port 389 for LDAP and 636 for LDAPS).

Another acceptable approach is to name your Lotus Protector for Mail Encryption Server according to the naming convention your company requires, and make sure the server has a DNS alias of keys.<domain>.

If you are administering multiple email domains, you should establish the keys.<domain> convention for each email domain.

If your Lotus Protector for Mail Encryption Server is behind your corporate firewall (as it should be), you need to make sure that ports 389 (LDAP) and 636 (LDAPS) are open to support the keys.<domain> convention.
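The lookup order described in this section (local keys first, then the keyserver at keys.<exact email domain>, whether or not a domain policy exists) is modelled in the following script. It is an added example, not the product's own code: SAMPLE_LOCAL and SAMPLE_KEYSERVERS are constructed data, sample_fetch stands in for the LDAP or LDAPS query a real server would make, and the fetcher is passed in so the flow can be pointed at a real keyserver. It also shows the two caveats a practitioner should keep in mind: a key found this way is recorded with its source, because such keys are trusted by default, and an address in a subdomain such as corp.example.com is looked up only at keys.corp.example.com, never at keys.example.com.

```python
"""Recipient key lookup following the keys.<domain> convention.
Added example; all key material and hosts below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class FoundKey:
    email: str
    key_id: str
    source: str      # "local", or the keys.<domain> host that served the key


# Constructed: keys already held by the Example Corp. server.
SAMPLE_LOCAL: Dict[str, str] = {
    "alice@example.com": "0x1111AAAA",   # internal user, key created by the SMSA
    "carol@partner.net": "0x2222BBBB",   # external user who supplied her own key
}
# Constructed: what each keys.<domain> host would answer for a given address.
SAMPLE_KEYSERVERS: Dict[str, Dict[str, str]] = {
    "keys.widgetcorp.com": {"susan@widgetcorp.com": "0x3333CCCC"},
    # Published on the parent domain's keyserver only: never consulted for a
    # corp.example.com address, which is why keys.corp.example.com must exist too.
    "keys.example.com": {"bob@corp.example.com": "0x4444DDDD"},
}

Fetcher = Callable[[str, str], Optional[str]]   # (keyserver host, email) -> key ID


def keyserver_hostname(email: str) -> str:
    """keys.<domain> for the address's exact domain; no walk up to parent domains."""
    local_part, at, domain = email.rpartition("@")
    if not at or not local_part or "." not in domain:
        raise ValueError(f"not a routable email address: {email!r}")
    return "keys." + domain.lower()


def keyserver_urls(host: str) -> List[str]:
    """Where the keyserver service is typically reached, LDAPS preferred over LDAP."""
    return [f"ldaps://{host}:636", f"ldap://{host}:389"]


def sample_fetch(host: str, email: str) -> Optional[str]:
    """Stand-in for the remote keyserver query; returns a key ID or None."""
    return SAMPLE_KEYSERVERS.get(host, {}).get(email)


def lookup_key(email: str, local: Dict[str, str], fetch: Fetcher) -> Optional[FoundKey]:
    """Local keys win; otherwise ask keys.<domain>. None means mail policy decides
    the fallback (bounce, send unencrypted, Smart Trailer or Web Messenger)."""
    email = email.lower()
    if email in local:
        return FoundKey(email, local[email], "local")
    host = keyserver_hostname(email)
    key_id = fetch(host, email)
    if key_id is not None:
        # Keys found via keys.<domain> are treated as valid and trusted by
        # default, so the source is kept for any policy that wants to know.
        return FoundKey(email, key_id, host)
    return None


if __name__ == "__main__":
    for addr in ("alice@example.com", "Susan@WidgetCorp.com", "bob@corp.example.com"):
        found = lookup_key(addr, SAMPLE_LOCAL, sample_fetch)
        print(addr, "->", found if found else "no key; mail policy fallback")
```

With the sample data, Alice resolves locally, Susan is found at keys.widgetcorp.com, and Bob gets no key at all even though keys.example.com knows him, which is the subdomain case the text above warns about.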

Methods for Naming a Lotus Protector for Mail Encryption Server

There are three ways to name your Lotus Protector for Mail Encryption Server to support the keys.<domain> convention:

• Name your Lotus Protector for Mail Encryption Server "keys.<domain>" in the Host Name field of the Network Setup page in the Setup Assistant.

• Change the Host Name of your Lotus Protector for Mail Encryption Server to keys.<domain> using the administrative interface, in the Network Settings section of the System > Network page.

• Create a DNS alias to your Lotus Protector for Mail Encryption Server that uses the keys.<domain> convention, in whatever way is appropriate for your DNS server configuration.

5 Understanding the Administrative Interface

This section describes the Lotus Protector for Mail Encryption Server’s Web-based administrative interface.

System Requirements

The Lotus Protector for Mail Encryption Server administrative interface has been fully tested with the following Web browsers:

• Windows 2000 Professional and Advanced Server: Mozilla Firefox 3.0, Internet Explorer 6.0, Internet Explorer 7.0

• Windows XP Professional and Pro x64: Mozilla Firefox 3.0, Internet Explorer 6.0, Internet Explorer 7.0

• Windows Vista: Mozilla Firefox 3.0, Internet Explorer 7.0

• Mac OS X 10.4: Mozilla Firefox 3.0, Safari 2.0

• Mac OS X 10.5: Mozilla Firefox 3.0, Safari 3.1

While you might find that the administrative interface works with other Web browsers, we recommend these browsers for maximum compatibility.

Logging In

A login name and passphrase for the administrative interface were originally established when you configured the server using the Setup Assistant. In addition, the original administrator may have created additional administrators, and may have configured your Lotus Protector for Mail Encryption Server to accept RSA SecurID authentication.

To log in to your server’s administrative interface

1 In a Web browser, type https://<domain name of server>:9000/ and press Enter.

Note: If you see a Security Alert dialog box relating to the security certificate, it means you need to replace the self-signed certificate created automatically with a certificate from a public Certificate Authority.
