PGP Universal Admin Guide

PGP Universal Server

Administrator's Guide

Version InformationPGP Universal Server Administrator's Guide. PGP Universal Server Version 3.0.0. Released March 2010.

Copyright InformationCopyright 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark InformationPGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent InformationThe IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

AcknowledgmentsThis product includes or may include: -- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright 2007 by the Open Source Initiative. -- bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, 1996-2005. -- Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. -- Castor, an open-source, data-binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. -- Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. -- Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. -- jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. -- PCRE Perl regular expression compiler, copyrighted and distributed by University of Cambridge. 1997-2006. The license agreement is at http://www.pcre.org/license.txt. -- BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) -- Free BSD implementation of daemon developed by The FreeBSD Project, 1994-2006. -- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University 1989, 1991, 1992, Networks Associates Technology, Inc, 2001- 2003, Cambridge Broadband Ltd. 2001- 2003, Sun Microsystems, Inc., 2003, Sparta, Inc, 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html. Secure shell OpenSSH developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgi bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. -- 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright 1993, 1994 by Paul Vixie; used by permission. - JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright 2006 The JacORB Project. -- TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. -libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at

http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text rendering, and alpha blending, and is distributed under the license found at http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX. Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. -JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at http://www.opensource.org/licenses/mit license.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright (c) 2005-2009 by Mike Sharov . -- Protocol Buffers (protobuf), Google's data interchange format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-license.php. Copyright 2008 Google Inc. All rights reserved. Additional acknowledgements and legal notices are included as part of the PGP Universal Server.

Export InformationExport of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

LimitationsThe software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

4

ContentsIntroductionWhat is PGP Universal Server? PGP Universal Server Product Family Who Should Read This Guide Common Criteria Environments Improvements in this Version of PGP Universal Server Using the PGP Universal Server with the Command Line Symbols Getting Assistance Getting product information Contact Information

1515 16 16 16 17 18 18 19 19 20

The Big PictureImportant Terms PGP Products PGP Universal Server Concepts PGP Universal Server Features PGP Universal Server User Types Installation Overview

21

21 21 22 23 25 26

Open PortsTCP Ports UDP Ports

33

33 35

Naming your PGP Universal ServerConsidering a Name for Your PGP Universal Server Methods for Naming a PGP Universal Server

37

37 38

Understanding the Administrative InterfaceSystem Requirements Logging In The System Overview Page Managing Alerts Logging In For the First Time Administrative Interface Map Icons

39

39 39 41 42 43 43 45

i


Contents

Licensing Your Software

Overview Manual and Automatic Licensing Licensing a PGP Universal Server Licensing the Mail Proxy Feature

5151 51 51 52

Operating in Learn ModePurpose of Learn Mode Checking the Logs Managing Learn Mode

53

53 54 54

Managed DomainsAbout Managed Domains Adding Managed Domains Deleting Managed Domains

57

57 58 58

Understanding KeysChoosing a Key Mode For Key Management Adding PGP Desktop Solutions to Existing Gateway Email Environments Changing Key Modes How PGP Universal Server Uses Certificate Revocation Lists Key Reconstruction Blocks Managed Key Permissions

59

59 62 63 64 64 65

Managing Organization KeysAbout Organization Keys Organization Key Inspecting the Organization Key Regenerating the Organization Key Importing an Organization Key Organization Certificate Inspecting the Organization Certificate Exporting the Organization Certificate Deleting the Organization Certificate Generating the Organization Certificate Importing the Organization Certificate Additional Decryption Key (ADK) Importing the ADK Inspecting the ADK Deleting the ADK Verified Directory Keyii

67

67 67 68 68 69 70 71 71 72 72 73 73 74 74 74 75


Contents

Importing the Verified Directory Key Inspecting the Verified Directory Key Deleting the Verified Directory Key

75 75 76

Administering Managed Keys

Viewing Managed Keys Managed Key Information Email Addresses Subkeys Certificates Permissions Attributes Symmetric Key Series Symmetric Keys Custom Data Objects Exporting Consumer Keys Exporting the Managed Key of an Internal User Exporting the Managed Key of an External User Exporting PGP Verified Directory User Keys Exporting the Managed Key of a Managed Device Deleting Consumer Keys Deleting the Managed Key of an Internal User Deleting the Managed Key of an External User Deleting the Key of a PGP Verified Directory User Deleting the Managed Key of a Managed Device Approving Pending Keys Revoking Managed Keys

7778 79 81 81 81 82 83 83 85 86 87 88 88 89 89 90 90 90 91 91 91 92

Managing Trusted Keys and CertificatesOverview Trusted Keys Trusted Certificates Adding a Trusted Key or Certificate Inspecting and Changing Trusted Key Properties Deleting Trusted Keys and Certificates Searching for Trusted Keys and Certificates

95

95 95 95 96 97 97 98

Setting Mail Policy

Overview How Policy Chains Work Mail Policy and Dictionaries Mail Policy and Key Searches Mail Policy and Cached Keys Migrating Settings from Version 2.0.x Restoring Mail Policy Rulesiii

9999 100 101 101 102 102 103


Contents

Understanding the Pre-Installed Policy Chains Mail Policy Outside the Mailflow Using the Rule Interface The Conditions Card The Actions Card Building Valid Chains and Rules Using Valid Processing Order Creating Valid Groups Creating a Valid Rule Managing Policy Chains Mail Policy Best Practices Restoring Mail Policy to Default Settings Editing Policy Chain Settings Adding Policy Chains Deleting Policy Chains Exporting Policy Chains Printing Policy Chains Managing Rules Adding Rules to Policy Chains Deleting Rules from Policy Chains Enabling and Disabling Rules Changing the Processing Order of the Rules Adding Key Searches Choosing Condition Statements, Conditions, and Actions Condition Statements Conditions Actions Working with Common Access Cards

108 110 111 111 113 114 114 115 116 117 117 117 118 118 119 120 120 121 121 121 122 122 122 123 123 124 131 144

Applying Key Not Found Settings to External UsersOverview Bounce the Message PDF Messenger Certified Delivery with PDF Messenger Send Unencrypted Smart Trailer PGP Universal Web Messenger Changing Policy Settings Changing User Delivery Method Preference

145

145 146 146 147 147 148 149 150 151

Using Dictionaries with Policy

Overview Default Dictionaries Editing Default Dictionaries User-Defined Dictionaries Adding a User-Defined Dictionaryiv

153153 154 156 157 157


Contents

Editing a User-Defined Dictionary Deleting a Dictionary Exporting a Dictionary Searching the Dictionaries

158 158 159 159

Keyservers, SMTP Archive Servers, and Mail Policy

Overview Keyservers Adding or Editing a Keyserver Deleting a Keyserver SMTP Servers Adding or Editing an Archive Server Deleting an Archive Server

161161 161 162 164 164 164 165

Managing Keys in the Key CacheOverview Changing Cached Key Timeout Purging Keys from the Cache Trusting Cached Keys Viewing Cached Keys Searching the Key Cache

167

167 167 168 168 168 169

Configuring Mail ProxiesOverview PGP Universal Server and Mail Proxies Mail Proxies in an Internal Placement Mail Proxies in a Gateway Placement Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and later Mail Proxies Page Creating New or Editing Existing Proxies Creating or Editing a POP/IMAP Proxy Creating or Editing an Outbound SMTP Proxy Creating or Editing an Inbound SMTP Proxy Creating or Editing a Unified SMTP Proxy

171

171 171 172 173 175 175 176 176 178 180 182

Email in the Mail Queue

Overview Deleting Messages from the Mail Queue

187187 188

Specifying Mail Routes

Overview Managing Mail Routesv

189189 190


Contents

Adding a Mail Route Editing a Mail Route Deleting a Mail Route

190 191 191

Customizing System Message Templates

Overview Templates and Message Size PDF Messenger Templates Templates for New PGP Universal Web Messenger Users Editing a Message Template

193193 194 194 194 195

Managing GroupsUnderstanding Groups Sorting Consumers into Groups Everyone Group Excluded Group Policy Group Order Migrating Groups from Version 2.x Setting Policy Group Order Creating a New Group Deleting a Group Viewing Group Members Manually Adding Group Members Manually Removing Members from a Group Group Permissions Adding Group Permissions Deleting Group Permissions Setting Group Membership Searching Groups Creating Group Client Installations How Group Policy is Assigned to PGP Desktop Installers Creating PGP Desktop Installers

197

197 197 198 198 199 199 199 199 200 200 201 201 202 203 203 204 205 205 206 207

Managing DevicesManaged Devices Adding and Deleting Managed Devices Adding Managed Devices to Groups Managed Device Information Deleting Managed Devices from PGP Universal Server Deleting Managed Devices from Groups WDE Devices (Computers and Disks) WDE Computers WDE Disks Searching for Devices

211

212 212 213 214 218 219 220 220 222 223

vi


Contents

Administering Consumer Policy

Understanding Consumer Policy Making Sure Users Create Strong Passphrases Understanding Entropy Using the Windows Preinstallation Environment X.509 Certificate Management in Lotus Notes Environments Trusting Certificates Created by PGP Universal Server Setting the Lotus Notes Key Settings in PGP Universal Server Technical Deployment Information Offline Policy Using a Policy ADK Out of Mail Stream Support Enrolling Users through Silent Enrollment Silent Enrollment with Windows Silent Enrollment with Mac OS X PGP Whole Disk Encryption Administration PGP Whole Disk Encryption on Mac OS X with FileVault How Does Single Sign-On Work? Enabling Single Sign-On Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group Managing Clients Locally Using the PGP WDE Administrator Key Managing Consumer Policies Adding a Consumer Policy Editing a Consumer Policy Deleting a Consumer Policy

225225 226 226 227 227 228 230 231 231 233 233 235 235 235 235 236 236 237 238 239 240 241 241 242

Setting Policy for ClientsClient and PGP Universal Server Version Compatibility Serving PGP Admin 8 Preferences Establishing PGP Desktop Settings for Your PGP Desktop Clients PGP Desktop Feature License Settings Controlling PGP Desktop Components PGP Portable PGP Mobile PGP NetShare How the PGP NetShare Policy Settings Work Together Multi-user environments and managing PGP NetShare Backing Up PGP NetShare-Protected Files

243

243 244 245 245 246 248 248 249 249 249 250

Using Directory Synchronization to Manage Consumers

How PGP Universal Server Uses Directory Synchronization Base DN and Bind DN Consumer Matching Rules Understanding User Enrollment Methodsvii

251251 253 254 254


Contents

Before Creating a Client Installer Email Enrollment Directory Enrollment Enabling Directory Synchronization Adding or Editing an LDAP Directory The LDAP Servers Tab The Base Distinguished Name Tab The Consumer Matching Rules Tab Testing the LDAP Connection Using Sample Records to Configure LDAP Settings Deleting an LDAP Directory Setting LDAP Directory Order Directory Synchronization Settings

255 256 257 260 260 261 262 262 263 263 263 264 264

Managing User AccountsUnderstanding User Account Types Viewing User Accounts User Management Tasks Setting User Authentication Editing User Attributes Adding Users to Groups Editing User Permissions Deleting Users Searching for Users Viewing User Log Entries Changing Display Names and Usernames Exporting a Users X.509 Certificate Revoking a User's X.509 Certificate Managing User Keys Managing Internal User Accounts Importing Internal User Keys Manually Creating New Internal User Accounts Exporting PGP Whole Disk Encryption Login Failure Data Internal User Settings Managing External User Accounts Importing External Users Exporting Delivery Receipts External User Settings Managing Verified Directory User Accounts Importing Verified Directory Users PGP Verified Directory User Settings

267

267 267 267 268 268 268 269 269 270 270 270 271 272 272 273 273 274 274 275 279 280 280 281 283 284 284

Recovering Encrypted Data in an Enterprise Environment

Using Key Reconstruction Recovering Encryption Key Material without Key Reconstruction Encryption Key Recovery of CKM Keysviii

287287 288 288


Contents

Encryption Key Recovery of GKM Keys Encryption Key Recovery of SCKM Keys Encryption Key Recovery of SKM Keys Using an Additional Decryption Key for Data Recovery

288 289 290 290

PGP Universal Satellite

Overview Technical Information Distributing the PGP Universal Satellite Software Configuration Deployment Mode Key Mode PGP Universal Satellite Configurations Switching Key Modes Binding Pre-Binding Manual Binding Policy and Key or Certificate Retrieval Retrieving Lost Policies Retrieving Lost Keys or Certificates

293293 294 294 295 295 295 296 300 300 301 302 303 304 305

PGP Universal Satellite for Mac OS XOverview System Requirements Obtaining the Installer Installation Updates Files

309

309 309 310 310 311 311

PGP Universal Satellite for WindowsOverview System Requirements Obtaining the Installer Installation Updates Files MAPI Support External MAPI Configuration Internal MAPI Configuration Using MAPI Lotus Notes Support External Lotus Notes Configuration Internal Lotus Notes Configuration Using Lotus Notes Notes IDsix

313

313 314 314 315 316 316 316 316 317 318 319 319 320 321 321


Contents

Configuring PGP Universal Web Messenger

Overview PGP Universal Web Messenger and Clustering External Authentication Customizing PGP Universal Web Messenger Adding a New Template Troubleshooting Customization Changing the Active Template Deleting a Template Editing a Template Downloading Template Files Restoring to Factory Defaults Configuring the PGP Universal Web Messenger Service Starting and Stopping PGP Universal Web Messenger Selecting the PGP Universal Web Messenger Network Interface Setting Up External Authentication Creating Settings for PGP Universal Web Messenger User Accounts Setting Message Replication in a Cluster

323323 324 325 326 327 331 334 334 334 335 335 335 336 336 338 339 340

Configuring the Integrated KeyserverOverview Starting and Stopping the Keyserver Service Configuring the Keyserver Service

341

341 341 342

Configuring the PGP Verified DirectoryOverview Starting and Stopping the PGP Verified Directory Configuring the PGP Verified Directory

345

345 346 346

Managing the Certificate Revocation List ServiceOverview Starting and Stopping the CRL Service Editing CRL Service Settings

349

349 349 350

Configuring Universal Services Protocol

Starting and Stopping USP Adding USP Interfaces

351351 351

x


Contents

System Graphs

Overview CPU Usage Message Activity Whole Disk Encryption Recipient Statistics Recipient Domain Statistics

353353 353 354 354 355 355

System LogsOverview Filtering the Log View Searching the Log Files Exporting a Log File Enabling External Logging

357

357 358 359 359 360

Configuring SNMP MonitoringOverview Starting and Stopping SNMP Monitoring Configuring the SNMP Service Downloading the Custom MIB File

361

361 362 362 363

Shutting Down and Restarting Services and PowerOverview Server Information Setting the Time Updating Software Licensing a PGP Universal Server Downloading the Release Notes Shutting Down and Restarting the PGP Universal Server Software Services Shutting Down and Restarting the PGP Universal Server Hardware

365

365 365 365 366 366 367 367 367

Managing Administrator AccountsOverview Administrator Roles Administrator Authentication Creating a New Administrator Importing SSH v2 Keys Deleting Administrators Inspecting and Changing the Settings of an Administrator Configuring RSA SecurID Authentication Resetting SecurID PINsxi

369

369 370 370 371 372 372 373 374 375


Contents

Daily Status Email

376

Protecting PGP Universal Server with Ignition Keys

Overview Ignition Keys and Clustering Preparing Hardware Tokens to be Ignition Keys Configuring a Hardware Token Ignition Key Configuring a Soft-Ignition Passphrase Ignition Key Deleting Ignition Keys

377377 378 379 380 381 381

Backing Up and Restoring System and User DataOverview Creating Backups Scheduling Backups Performing On-Demand Backups Configuring the Backup Location Restoring From a Backup Restoring On-Demand Restoring Configuration Restoring from a Different Version

383

383 383 384 384 384 385 386 386 387

Updating PGP Universal Server SoftwareOverview Inspecting Update Packages Establishing Software Update Settings Checking for New Updates Uploading Update Packages Manually Installing an Update

389

389 390 390 391 391 391

Setting Network InterfacesUnderstanding the Network Settings Connecting to a Proxy Server Changing Interface Settings Adding Interface Settings Deleting Interface Settings Editing Global Network Settings Assigning a Certificate Working with Certificates Importing an Existing Certificate Generating a Certificate Request Adding a Pending Certificate Inspecting a Certificate Exporting a Certificate Deleting a Certificatexii

393

393 394 394 395 395 395 396 396 397 397 398 399 399 399


Contents

Clustering your PGP Universal Servers

Overview Clustering and PGP Universal Web Messenger Cluster Status Creating a Cluster Deleting Cluster Members Managing Settings for Cluster Members Changing Network Settings in Clusters

401401 402 403 404 406 406 408

Index

409

xiii

1

IntroductionThis Administrators Guide describes both the PGP Universal Server and client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of PGP Universal Server.

What is PGP Universal Server?PGP Universal Server is a single console for managing the applications that provide email, disk, and network file encryption. PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it transparently protects your enterprise messages with little or no user interaction. The PGP Universal Server also replaces the PGP Keyserver product with a builtin keyserver, and the PGP Admin product with PGP Desktop configuration and deployment capabilities. PGP Universal Server automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA. The PGP Universal Server encrypts, decrypts, signs, and verifies messages automatically, providing strong security through policies you control. PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP security for email messages all the way to the computer of the email user, it allows external users to become part of the SMSA, and it gives end users the option to create and manage their keys on their own computer (if allowed by the PGP administrator). PGP Desktop, a client product, is created and managed through PGP Universal Server policy. It creates PGP keypairs and can manage user keypairs as well as store the public keys of others. It encrypts user email and instant messaging (IM). It can encrypt entire or partial hard drives. It also enables secure file sharing with others over a network.

15


Introduction

PGP Universal Server Product FamilyPGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Gateway Email to encrypt email in the mailstream. The PGP Universal Server can manage any combination of PGP encryption applications. PGP encryption applications are: PGP Universal Gateway Email provides automatic email encryption in the gateway, based on centralized mail policy. This product requires administration by the PGP Universal Server. PGP Desktop Email provides encryption at the desktop for mail, files, and AOL Instant Messenger traffic. This product can be managed by the PGP Universal Server. PGP Whole Disk Encryption provides encryption at the desktop for an entire disk. This product can be managed by the PGP Universal Server. PGP NetShare provides transparent file encryption and sharing among desktops. This product can be managed by the PGP Universal Server.

Who Should Read This GuideThis Administrators Guide is for the person or persons who implement and maintain your organizations PGP Universal Server environment. These are the PGP Universal Server administrators. This guide is also intended for anyone else who wants to learn about how PGP Universal Server works.

Common Criteria EnvironmentsTo be Common Criteria compliant, please refer to the best practices shown in PGP Universal Server 2.9 Common Criteria Supplemental. Note that these best practices supersede recommendations made elsewhere in this and other documentation.

16


Introduction

Improvements in this Version of PGP Universal ServerThis release of PGP Universal Server introduces the following new and improved features:

General Client policy management changes: Internal users, external users, PGP Verified Directory users, and devices are now called consumers. Consumers are sorted into groups manually, by user type, or by matching consumer attributes to domains, dictionary entries or through LDAP values. Group membership determines which policy consumers receive. Expanded directory synchronization: The integrated directory synchronization feature now connects to multiple LDAP directories. Previous versions of PGP Universal Server could only connect to one corporate directory at a time. Managed PGP Mobile: PGP Universal Server now manages client policy for PGP Mobile installations. Operating system change: The new CentOS operating system improves scalability and reliability, and supports a wider variety of hardware. RSA SecurID support for administrator authentication: PGP Universal Server now supports two-factor authentication using RSA SecurID. This meets strong authentication requirements for environments with higher security needs, and is compatible with existing RSA SecurID deployments.

PGP Keys Key Management Server (KMS): The new key management feature provides new and expanded key management capabilities for PGP products. Key policy changes are now immediately enforced. KMS allows management of asymmetric and symmetric keys. The API and SDK provide key management functionality to non-PGP applications. Server Key Mode offline use: The client can now store the SKM private key, encrypted to a random passphrase, so users can read email offline.

PGP Messaging ADK archival output: Administrators can archive end-to-end encrypted email messages by decrypting the messages on PGP Universal Server using the ADK, and sending the decrypted messages to an archive server. Encrypted email messages are then searchable, making possible compliance with regulatory mandates and requirements for message retention, mail server data management, and legal discovery support.

17


Introduction

Recursive encoding: Provides an additional layer of protection to email messages that have been partially protected and to email messages that have been signed. Supports an additional layer of encoding if the initial layer is not complete.

Clustering New clustering functionality: Cluster members now interact with each other as peers, replacing the previous Primary/Secondaries model. Every server in a cluster can serve all types of requests, and any server can initiate persistent changes. The new cluster model also permits up to 20 nodes in a cluster.

Using the PGP Universal Server with the Command LineUsing the PGP Universal Server command line for read-only access (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications via the command line voids your PGP Support agreement unless these procedures are followed. Any changes made to the PGP Universal Server via the command line must be: Authorized in writing by PGP Support. Implemented by a PGP Partner, reseller or internal employee who is certified in the PGP Advanced Administration and Deployment Training. Summarized and documented in a text file in /etc/pso on the PGP Universal Server itself.

Changes made through the command line might not persist through reboots and might be incompatible with future releases. PGP Support can require reverting any custom configurations on the PGP Universal Server back to a default state when troubleshooting new issues.

SymbolsNotes, Cautions, and Warnings are used in the following ways. Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes. Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.

18


Introduction

Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting AssistanceFor additional resources, see these sections.

Getting product informationThe following documents and online help are companions to the PGP Universal Server Administrators Guide. This guide occasionally refers to information that can be found in one or more of these sources: Online help is installed and is available within the PGP Universal Server product. PGP Universal Server Installation GuideDescribes how to install the PGP Universal Server software. PGP Universal Server Upgrade GuideDescribes the process of upgrading your PGP Universal Server. PGP Universal Mail Policy DiagramProvides a graphical representation of how email is processed through mail policy. You can access this document via the PGP Universal Server online help. TutorialsProvides animated introductions on how to manage the mail policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature. You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen. PGP Universal Satellite for Windows and Mac OS X include online help. PGP Universal Server and PGP Satellite release notes are also provided, which may have last-minute information not found in the product documentation.

Once PGP Universal Server is released, additional information regarding the product is added to the online Knowledge Base available on PGP Corporations Support Portal (https://support.pgp.com).

19


Introduction

Contact InformationContacting Technical Support To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP Corporation Support Home Page (https://support.pgp.com). To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support. To access the PGP Support forums, please visit PGP Support (http://forum.pgp.com). These are user community support forums hosted by PGP Corporation.

Contacting Customer Service For help with orders, downloads, and licensing, please visit PGP Corporation Customer Service (https://pgp.custhelp.com/app/cshome).

Contacting Other Departments For any other contacts at PGP Corporation, please visit the PGP Contacts Page (http://www.pgp.com/about_pgp_corporation/contact/index.html). For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).

20

2PGP Products

The Big PictureThis chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your PGP Universal Server environment.

Important TermsThe following sections define important terms you will encounter throughout the PGP Universal Server and this documentation.

PGP Universal Server: A device you add to your network that provides secure messaging with little or no user interaction. The PGP Universal Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture. PGP Global Directory: A free, public keyserver hosted by PGP Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages. PGP Universal Satellite: The PGP Universal Satellite software resides on the computer of the email user. It allows email to be encrypted end to end, all the way to and from the desktop (for both internal and external users). Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their keys on their local computers (if allowed by the administrator). PGP Desktop: A client software tool that uses cryptography to protect your data against unauthorized access. PGP Desktop is available for Mac OS X and Windows. PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them.

21


The Big Picture

PGP NetShare: A feature of PGP Desktop for Windows with which you can securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected. PGP Virtual Disk: PGP Virtual Disk volumes are a feature of PGP Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume. PGP Zip: A feature of PGP Desktop that lets you put any combination of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase. PGP Universal Web Messenger: The PGP Universal Web Messenger service allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If PGP Universal Web Messenger is available via mail policy for a user and the recipients key cannot be found, the message is stored on the PGP Universal Server and an unprotected message is sent to the recipient. The unprotected message includes a link to the original message, held on the PGP Universal Server. The recipient must create a passphrase, and then can access his encrypted messages stored on PGP Universal Server. PDF Messenger: PDF Messenger enables sending encrypted PDF messages to external users who do not have a relationship with the SMSA. In the normal mode, as with PGP Universal Web Messenger, the user receives a message with a link to the encrypted message location and uses a PGP Universal Web Messenger passphrase to access the message. PDF Messenger also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.

PGP Universal Server Concepts keys. convention: PGP Universal Server automatically looks for valid public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys. (where is the email domain of the recipient). For example, Example Corporations externally visible PGP Universal Server is named keys.example.com. PGP Corporation strongly recommends you name your externally visible PGP Universal Server according to this convention because it allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain. For more information, see Naming your PGP Universal Server (on page 37).

22


The Big Picture

Security Architecture: Behind the scenes, the PGP Universal Server creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).

PGP Universal Server Features Administrative Interface: Each PGP Universal Server is controlled via a Web-based administrative interface. The administrative interface gives you control over PGP Universal Server. While many settings are initially established using the web-based Setup Assistant, all settings of a PGP Universal Server can be controlled via the administrative interface. Backup and Restore: Because full backups of the data stored on your PGP Universal Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your PGP Universal Server data or manually perform a backup. You can fully restore a PGP Universal Server from a backup. In the event of a minor problem, you can restore the PGP Universal Server to any saved backup. In the event that a PGP Universal Server is no longer usable, you can restore its data from a backup onto a new PGP Universal Server during initial setup of the new PGP Universal Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the PGP Universal Server. Cluster: When you have two or more PGP Universal Servers in your network, you configure them to synchronize with each other; this is called a cluster. Dictionary: Dictionaries are lists of terms to be matched. The dictionaries work with mail policy to allow you to define content lists that can trigger rules. Directory Synchronization: If you have LDAP directories in your organization, your PGP Universal Server can be synchronized with the directories. The PGP Universal Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories. Ignition Keys: You can protect the contents of a PGP Universal Server, even if the hardware is stolen, by requiring the use of a hardware token or a software passphrase, or both, on start. Keyserver: Each PGP Universal Server includes an integrated keyserver populated with the public keys of your internal users. When an external user sends a message to an internal user, the external PGP Universal Server goes to the keyserver to find the public key of the recipient to use to secure the message. The PGP Universal Server administrator can enable or disable the service, and control access to it via the administrative interface.

23


The Big Picture

Learn Mode: When you finish configuring a PGP Universal Server using the Setup Assistant, it begins in Learn Mode, where the PGP Universal Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages. Learn Mode gives the PGP Universal Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when when Learn Mode is turned off, the PGP Universal Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product. You should check the logs of the PGP Universal Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the PGP Universal Servers policies while it is in Learn Mode until things are working as expected.

Mail Policy: The PGP Universal Server processes email messages based on the policies you establish. Mail policy applies to inbound and outbound email for both PGP Universal Server traffic and email processed by PGP client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules. Organization Certificate: You must create or obtain an Organization Certificate to enable S/MIME support by PGP Universal Server. The Organization Certificate signs all X.509 certificates the server creates. Organization Key: The Setup Assistant automatically creates an Organization Key (actually a keypair) when it configures a PGP Universal Server. The Organization Key is used to sign all PGP keys the PGP Universal Server creates and to encrypt PGP Universal Server backups. Caution: It is extremely important to back up your Organization Key: all keys the PGP Universal Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.

PGP Verified Directory: The PGP Verified Directory supplements the internal keyserver by letting internal and external users manage the publishing of their own public keys. The PGP Verified Directory also serves as a replacement for the PGP Keyserver product. The PGP Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted. Server Placement: A PGP Universal Server can be placed in one of two locations in your network to process email. With an internal placement, the PGP Universal Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).

24


The Big Picture

With a gateway placement, the PGP Universal Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured. For more information, see Configuring Mail Proxies (on page 171) and the PGP Universal Server Installation Guide. Setup Assistant: When you attempt to log in for the first time to the administrative interface of a PGP Universal Server, the Setup Assistant takes you through the configuration of that PGP Universal Server.

PGP Universal Server User Types Administrators: Any user who manages the PGP Universal Server and its security configuration from inside the internal network. Only administrators are allowed to access the administrative interface that controls PGP Universal Server. A PGP Universal Server supports multiple administrators, each of which can be assigned a different authority: from read-only access to full control over every feature and function. Consumers: Internal, external, and Verified Directory users, and devices. External Users: External users are email users from other domains (domains not being managed by your PGP Universal Server) who have been added to the SMSA. Internal Users: Internal users are email users from the domains being managed by your PGP Universal Server. PGP Universal Server allows you to manage PGP Desktop deployments to your internal users. The administrator can control which PGP Desktop features are automatically implemented at install, and establish and update mail security policy for PGP Desktop users that those users cannot override (except on the side of being more secure). PGP Verified Directory Users: Internal and external users who have submitted their public keys to the PGP Verified Directory, a Webaccessible keyserver. Devices: Managed devices, WDE computers, and WDE disks. Managed devices are arbitrary objects whose keys are managed by PGP Universal Server. WDE computers, and WDE disks are devices that are detected when users enroll.

Other Email Users: Users within your organization can securely send email to recipients outside the SMSA. First, the PGP Universal Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Smart Trailer, and PGP Universal Web Messenger mail.25


The Big Picture

Smart Trailer sends the message unencrypted and adds text giving the recipient the option of joining the SMSA by installing PGP Universal Satellite, using an existing key or certificate, or using PGP Universal Web Messenger. PGP Universal Web Messenger lets the recipient securely read the message on a secure website; it also gives the recipient options for handling subsequent messages from the same domain: read the messages on a secure website using a passphrase they establish, install PGP Universal Satellite, or add an existing key or certificate to the SMSA.

Installation OverviewThe following steps are a broad overview of what it takes to plan, set up, and maintain your PGP Universal Server environment. Most of the steps described here are described in detail in later chapters. Steps 1 and 4 are described in the PGP Universal Server Installation Guide. Note that these steps apply to the installation of a new, stand-alone PGP Universal Server. If you plan to install a cluster, you must install and configure one PGP Universal Server following the steps outlined here. Subsequent cluster members will get most of their configuration settings from the initial server by replication. The steps to install and configure a PGP Universal Server are as follows: 1 Plan where in your network you want to locate your PGP Universal Server(s). Where you put PGP Universal Servers in your network, how many PGP Universal Servers you have in your network, and other factors all have a major impact on how you add them to your existing network. Create a diagram of your network that includes all network components and shows how email flows; this diagram details how adding a PGP Universal Server impacts your network. For more information on planning how to add PGP Universal Servers to your existing network, see Adding the PGP Universal Server to Your Network in the PGP Universal Server Installation Guide. 2 Perform necessary DNS changes. Add IP addresses for your PGP Universal Servers, an alias to your keyserver, update the MX record if necessary, add keys., hostnames of potential Secondary servers for a cluster, and so on. Properly configured DNS settings (including root servers and appropriate reverse lookup records) are required to support PGP Universal Server. Make sure both host and pointer records are correct. IP addresses must be resolvable to hostnames, as well as hostnames resolvable to IP addresses. 3 Prepare a hardware token Ignition Key.

26


The Big Picture

If you want to add a hardware token Ignition Key during setup, install the drivers and configure the token before you begin the PGP Universal Server setup process. See Protecting PGP Universal Server with Ignition Keys (on page 377) for information on how to prepare a hardware token Ignition Key. Note: In a cluster, the Ignition Key configured on the first PGP Universal Server in the cluster will also apply to the subsequent members of the cluster. 4 Install and configure this PGP Universal Server. The Setup Assistant runs automatically when you first access the administrative interface for the PGP Universal Server. The Setup Assistant is where you can set or confirm a number of basic settings such as your network settings, administrator password, server placement option, mail server address and so on. The details of this process are described in Setting Up the PGP Universal Server in the PGP Universal Server Installation Guide. Note: If you plan to configure multiple servers as a cluster, you must configure one server first in the normal manner, then add the additional servers as cluster members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the PGP Universal Server administrative interface. For more information see Cluster Member Configuration in the PGP Universal Server Installation Guide. 5 License your server. You cannot take a PGP Universal Server out of Learn Mode or install updates until the product is licensed. Once it is licensed, you should check for product updates and install them if found. For more information, see Licensing Your Software (on page 51). If you want the PGP Universal Server to provide mail proxy services, you must have a PGP Universal Server license with the mailstream feature enabled. For more information, see Licensing Your Software (on page 51). 6 If you have a PGP key you want to use as your Organization Key with PGP Universal Server, import it, then back it up. Your Organization Key does two important things: it is used to sign all user keys the PGP Universal Server creates and it is used to encrypt PGP Universal Server backups. This key represents the identity of your organization, and is the root of the Web-of-Trust for your users. If your organization uses PGP Desktop and already has an Corporate Key or Organization Key, and you want to use that key with PGP Universal Server, you should import it as soon as you have configured your server, then create a backup of the key. If your organization does not have an existing key that you want to use as your Organization Key, use the Organization Key the Setup Assistant automatically creates with default values. For more information, see Managing Organization Keys (on page 67).27


The Big Picture

No matter which key you use as your Organization Key, it is very important to make a backup of the key. Since PGP Universal Servers built-in back-up feature always encrypts backups to this key, you need to provide a copy of your Organization Key to restore your data. For more information, see Organization Certificate (on page 70). 7 If you have a PGP Additional Decryption Key (ADK) that you want to use with PGP Universal Server, add it. An ADK is a way to recover an email message if the recipient is unable or unwilling to do so; every message that is also encrypted to the ADK can be opened by the holder(s) of the ADK. You cannot create an ADK with the PGP Universal Server, but if you have an existing PGP ADK (generated by PGP Desktop, an ideal scenario for a split key; refer to the PGP Desktop Users Guide for more information), you can add it to your PGP Universal Server and use it. For more information, see Additional Decryption Key (ADK) (on page 73). 8 Create a SSL/TLS certificate or obtain a valid SSL/TLS certificate. You can create a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self-signed, however, it might not be trusted by email or Web browser clients. PGP Corporation recommends that you obtain a valid SSL/TLS certificate for each of your PGP Universal Servers from a reputable Certificate Authority. This is especially important for PGP Universal Servers that are accessed publicly. Older Web browsers might reject self-signed certificates or not know how to handle them correctly when they encounter them via PGP Universal Web Messenger or Smart Trailer. For more information, see Working with Certificates (on page 396). 9 Configure the Directory Synchronization feature if you want to synchronize an LDAP directory with your PGP Universal Server. Using the Directory Synchronization feature gives you more control over who is included in your SMSA, if you have an existing LDAP server. By default, user enrollment is set to Email enrollment. If you elect to use LDAP directory enrollment, it assumes that you have an LDAP directory configured. You can change the client enrollment setting for Directory Synchronization from the Directory Synchronization Settings page in the PGP Universal Server administrative interface. You must have an LDAP directory configured and Directory Synchronization enabled for LDAP user enrollment to work. For more information, see Using Directory Synchronization to Manage Users (on page 251). 10 Add trusted keys, configure consumer policy, and establish mail policy.

28


The Big Picture

All these settings are important for secure operation of PGP Universal Server. For more information on adding trusted keys from outside the SMSA, see Managing Trusted Keys and Certificates (on page 95). For more information about consumer policy settings, see Administering Consumer Policy (on page 225). For information on setting up mail policy, see Setting Mail Policy (on page 99). Note: When setting policy for Consumers, PGP Universal Server provides an option called Out of Mail Stream (OOMS) support. OOMS specifies how the email gets transmitted from the client to the server when Protector for Mail Encryption Client cannot find a key for the recipient and therefore cannot encrypt the message. OOMS is disabled by default. With OOMS disabled, sensitive messages that can't be encrypted locally are sent to PGP Universal Server "in the mail stream" like normal email. Importantly, this email is sent in the clear (unencrypted). Mail or Network administrators could read these messages by accessing the mail server's storage or monitoring network traffic. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will process these messages normally. You can elect to enable OOMS, which means that sensitive messages that can't be encrypted locally are sent to PGP Universal Server "out of the mail stream." Protector for Mail Encryption Client creates a separate, encrypted network connection to the PGP Universal Server to transmit the message. However, archiving solutions, outbound anti-virus filters, or other systems which monitor or proxy mail traffic will not see these messages. During your configuration of your PGP Universal Server you should determine the appropriate settings for your requirements. This option can be set separately for each policy group, and is set through the Consumer Policy settings. For more details on the effects of enabling or disabling OOMS, see Out of Mail Stream Support. 11 Install and configure additional cluster server members. You can do this through the Setup Assistant when you install a server that will join an existing cluster, or you can do this through the PGP Universal Server administrative interface. Remember that you must configure one server in the normal manner before you can add and configure additional servers as cluster members. For more information, see Clustering your PGP Universal Servers (on page 401). 12 Reconfigure the settings of your email clients and servers, if necessary.

29


The Big Picture

Depending on how you are adding the PGP Universal Server to your network, some setting changes might be necessary. For example, if you are using a PGP Universal Server placed internally, the email clients must have SMTP authentication turned on. For PGP Universal Servers placed externally, you must configure your mail server to relay SMTP traffic to the PGP Universal Server. 13 Enable SNMP Polling and Traps. You can configure PGP Universal Server to allow network management applications to monitor system information for the device on which PGP Universal Server is installed and to send system and application information to an external destination. See Configuring SNMP Monitoring (on page 361) for more information. 14 Distribute PGP Universal Satellite and/or PGP Desktop to your internal users, if appropriate. If you want to provide seamless, end-to-end PGP message security without the need for any user training, have them use PGP Universal Satellite. Exchange/MAPI and Lotus Notes environments also require the use of PGP Universal Satellite. PGP Desktop provides more features and user control than PGP Universal Satellite. For more information, see PGP Universal Satellite and Configuring PGP Desktop Installations. 15 Analyze the data from Learn Mode. In Learn Mode, your PGP Universal Server sends messages through mail policy without actually taking action on the messages, decrypts and verifies incoming messages when possible, and dynamically creates a SMSA. You can see what the PGP Universal Server would have done without Learn Mode by monitoring the system logs. Learn Mode lets you become familiar with how the PGP Universal Server operates and it lets you see the effects of the policy settings you have established before the PGP Universal Server actually goes live on your network. Naturally, you can fine tune settings while in Learn Mode, so that the PGP Universal Server is operating just how you want before you go live. For more information, see Operating in Learn Mode (on page 53). 16 Adjust policies as necessary. It might take a few tries to get everything working just the way you want. For example, you might need to revise your mail policy. 17 Perform backups of all PGP Universal Servers before you take them out of Learn Mode. This gives you a baseline backup in case you need to return to a clean installation. For more information, see Backing Up and Restoring System and User Data (on page 383). 18 Take your PGP Universal Servers out of Learn Mode.

30


The Big Picture

Once this is done, email messages are encrypted, signed, and decrypted/verified, according to the relevant policy rules. Make sure you have licensed each of your PGP Universal Servers; you cannot take a PGP Universal Server out of Learn Mode until it has been licensed. 19 Monitor the system logs to make sure your PGP Universal Server environment is operating as expected.

31

3TCP Ports

Port 21

Open PortsThis chapter lists and describes the ports a PGP Universal Server has open and on which it is listening.

Protocol/Service FTP (File Transfer Protocol)

Comment Used for transmitting encrypted backup archives to other servers. Data is sent via passive FTP, so port 20 (FTP Data) is not used. Used for remote shell access to the server for low-level system administration. Used for sending mail. With a gateway placement, the PGP Universal Server listens on port 25 for both incoming and outgoing SMTP traffic Used to allow user access to the PGP Verified Directory. If the Verified Directory is not enabled, access on this port is automatically redirected to port 443 over HTTPS. Used for retrieving mail by users with POP accounts with internal placements only. Closed for gateway placements. Used for retrieving mail by users with IMAP accounts with internal placements only. Closed for gateway placements. Used to allow remote hosts to look up public keys of local users.

22

Open SSH (Secure Shell)

25

SMTP (Simple Mail Transfer Protocol)

80

HTTP (HyperText Transfer Protocol)

110

POP (Post Office Protocol)

143

IMAP (Internet Message Access Protocol)

389

LDAP (Lightweight Directory Access Protocol)

33


Open Ports

Port 443

Protocol/Service HTTPS (HyperText Transfer Protocol, Secure)

Comment Used for PGP Desktop and PGP Universal Satellite policy distribution and PGP Universal Web Messenger access. Used for clustering replication messages. Used for sending mail securely with internal placements only. Closed for gateway placements. This is a non-standard port used only by legacy mail servers. We recommend not using this port, and instead always using STARTTLS on port 25. Used to securely allow remote hosts to look up public keys of local users. Used for retrieving mail securely by users with IMAP accounts with internal placements only. Closed for gateway placements. Used for retrieving mail securely by users with POP accounts with internal placements only. Closed for gateway placements. Used to allow access to the PGP Universal Server administrative interface.

444

SOAPS (Simple Object Access Protocol, Secure) SMTPS (Simple Mail Transfer Protocol, Secure)

465

636

LDAPS (Lightweight Directory Access Protocol, Secure) IMAPS (Internet Message Access Protocol, Secure)

993

995

POPS (Post Office Protocol, Secure)

9000

HTTPS (HyperText Transfer Protocol, Secure)

34


Open Ports

UDP Ports

Port 123 Protocol/Service NTP (Network Time Protocol) SNMP (Simple Network Management Protocol) Comment Used to synchronize the systems clock with a reference time source on a different server. Used by network management applications to query the health and activities of PGP Universal Server software and the computer on which it is installed.

161

35

4

Naming your PGP Universal Server

This section describes how and why to name your PGP Universal Server using the keys. convention.

Considering a Name for Your PGP Universal ServerUnless a valid public key is found locally, PGP Universal Servers automatically look for valid public keys for email recipients by attempting to contact a keyserver at a a special hostname, keys., where is the email domain of the recipient. For example, an internal user at example.com is sending email to [email protected]. If no valid public key for Susan is found on the Example Corp. PGP Universal Server (keys would be found locally if they are cached, or if Susan was an external user who explicitly supplied her key via the PGP Universal Web Messenger service), it automatically looks for a valid public key for Susan at keys.widgetcorp.com, even if there is no domain policy for widgetcorp.com on Examples PGP Universal Server. Naturally, the Example Corp. PGP Universal Server can only find a valid public key for [email protected] at keys.widgetcorp.com if the Widgetcorp PGP Universal Server is named using the keys. convention. Caution: PGP Corporation strongly recommends you name your PGP Universal Server according to this convention, because doing so allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain. Make sure to name your externally visible PGP Universal Server using this convention. If your organization uses email addresses such as [email protected] as well as [email protected], then you need your PGP Universal Server to be reachable at both keys.example.com and keys.corp.example.com. If you have multiple PGP Universal Servers in a cluster managing an email domain, only one of those PGP Universal Servers needs to use the keys. convention. Note: Keys that are found using the keys. convention are treated as valid and trusted by default.

37


Naming your PGP Universal Server

Alternately, keys. should be the address of a load-balancing device which then distributes connections to your PGP Universal Servers keyserver service. The ports that would need to be load-balanced are the ones on which you are running your keyserver service (typically port 389 for LDAP and 636 for LDAPS). Another acceptable naming convention would be to name your PGP Universal Server according to the required naming convention your company uses, and make sure the server has a DNS alias of keys..com. If you are administering multiple email domains, you should establish the keys. convention for each email domain. If your PGP Universal Server is behind your corporate firewall (as it should be), you need to make sure that ports 389 (LDAP) and 636 (LDAPS) are open to support the keys. convention.

Methods for Naming a PGP Universal ServerThere are three ways to name your PGP Universal Server to support the keys. convention: Name your PGP Universal Server keys. on the Host Name field of the Network Setup page in the Setup Assistant. Change the Host Name of your PGP Universal Server to keys. using the administrative interface on the Network Settings section of the System > Network page. Create a DNS alias to your PGP Universal Server that uses the keys. convention that is appropriate for your DNS server configuration.

38

5

Understanding the Administrative Interface

This section describes the PGP Universal Servers Web-based administrative interface.

System RequirementsThe PGP Universal Server administrative interface has been fully tested with the following Web browsers: Windows 2000 Professional and Advanced Server: Mozilla Firefox 3.0, Internet Explorer 6.0, Internet Explorer 7.0 Windows XP Professional and Pro x64: Mozilla Firefox 3.0, Internet Explorer 6.0, Internet Explorer 7.0 Windows Vista: Mozilla Firefox 3.0, Internet Explorer 7.0 Mac OS X 10.4: Mozilla Firefox 3.0, Safari 2.0 Mac OS X 10.5: Mozilla Firefox 3.0, Safari 3.1

While you might find that the administrative interface works with other Web browsers, we recommend these browsers for maximum compatibility.

Logging InA login name and passphrase for the administrative interface were originally established when you configured the server using the Setup Assistant. In addition, the original administrator may have created additional administrators, and may have configured your PGP Universal Server to accept RSA SecurID authentication. To log in to your servers administrative interface 1 In a Web browser, type https://:9000/ and press Enter. Note: If you see a Security Alert dialog box relating to the security certificate, it means you need to replace the self-signed certificate created automatically with a certificate from a public Certificate Authority. The Login page appears.

39



2 3

Type the current login name in the Username field. Type the current passphrase or SecurID passcode in the Passphrase field. (If SecurID authentication is enabled, a message below the Passphrase field will indicate that a SecurID passcode can be entered. A given administrator is configured to use either passphrase or SecurID authentication, not both.)

4 5 6

Click the Login button or press Enter. If the login credentials are accepted, the System Overview page appears. If the login credentials do not match, an error is displayed. For passphrase authentication that fails, an "Invalid Login" error appears. For SecurID authentication, different events may occur. See the following procedure for more information.

To log in using RSA SecurID authentication 1 Follow steps 1-4 in the procedure above. If your SecurID passcode is accepted, and no PIN reset is required, the System Overview page appears. Note: If PGP Universal Server fails to connect with any RSA Manager server, you will be presented with the standard "Invalid Login" message. The connection failure will be logged in the PGP Universal Server Administration log, enabling you to determine whether this was the cause of the login failure. 2 If the RSA server policy determines that a PIN reset is required, upon successful login the PIN Reset dialog appears. Depending on the RSA server policy, you may be able to have the RSA server generate a new PIN for you, or enter a new PIN manually. When this is done, the System Overview page appears. For more details see Resetting SecurID PINs (on page 375). If the RSA server detects a problem with the token code portion of your passcode, you are asked to re-enter your PIN plus the next code shown on your SecurID token. Type your PIN and the next token code that appears, then click Login or press Enter. Based on your RSA server policy, you may be given several chances to authenticate successfully using the next token code. However, eventually continued failures will result in a failed login.

3

4

Note: Log in events are logged in the PGP Universal Server Administration log. Successful and failed attempts, and next tokencode requests are logged, as are problems connecting to the RSA Manager servers.

40



The System Overview PageThe System Overview page is the first page you see when you log in to PGP Universal Server. You can also view it from Reporting > Overview. The page provides a general report of system information and statistics. The information displayed includes: System alerts, including licensing issues and PGP Whole Disk Encryption login failures. System alerts appear at the top of the page. System Graphs for CPU usage, message activity, and Whole Disk Encryption. Click the buttons to switch the graphs. Click the System Graphs heading to go to the Reporting > Graphs page. See System Graphs (on page 353) for more information about system graphs. Services information, including which services are running or stopped. Depending on the service, the entry may also include the number of users or keys handled by the service. Click the service name link to go to the administrative page for that service. For a running Web Messenger service, click the URL to go to the Web Messenger interface. For a running Verified Directory service, click the URL to go to the Verified Directory interface to search for a key, upload your own public key, or remove your key from the searchable directory.

System Statistics, including software version number, system uptime, total messages processed, and number of PGP Portable Disks created. Click the Statistics link to go to the System > General Settings page. Mail Queue statistics show the number of email messages in the queue waiting to be processed, if applicable, and the size of the mail queue. Click the Mail Queue link to go to the Mail > Mail Queue status page for detailed information about the contents of the mail queue. Estimated Policy Group Membership shows the number of members in each consumer policy group. Click a policy group name to go to the page for configuring that policy group. Clustering provides status information about the cluster configuration, if this PGP Universal Server is a member of a cluster. This display shows, for each cluster member, its hostname or IP address, its status, its location (Internal or DMZ) and a login icon (except for the member on which you are currently logged in). Click the Clustering heading to go to the System > Clustering page. This display does not appear if your PGP Universal Server is not a member of a cluster.

Click Refresh (at the top of the System Overview page) to refresh the information shown on this page.41



The Manage Alerts button takes you to the Alerts page where you can configure how you want to be notified about WDE login failures. For more details, see Managing Alerts (on page 42). The Export Data button lets you export statistics for WDE Activity, WDE Login Failures, PDF Messenger Certified Delivery Receipts, and the Mail Policy Print View (which provides in a printable format all your mail policy chains and rules).

Managing AlertsThe PGP Universal Server groups failed login attempts into reported login failures. This feature is intended to make reporting about failed login attempts more useful, because one or several failed login attempts by a PGP Whole Disk Encryption user does not necessarily mean an attempted break-in. Use the Alerts dialog box to choose how many failed login attempts constitutes a login failure. For example, you can specify that an alert should be triggered after 3 failed login attempts. If 6 failed attempts occur, 2 login failure alerts appear. Alerts about PGP Whole Disk Encryption login failures appear on the System Overview page and in the Daily Status Email. Alerts for devices belonging to specific users appear on the user's Internal Users dialog box. Alerts are also sent when a user is locked out of a system because he or she exceeded the number of allowable login failures set on the Disk Encryption tab of Consumer Policy. To specify how you want to be notified of PGP Whole Disk Encryption login failures 1 From the System Overview page, click Manage Alerts. The Alerts dialog box appears. 2 3 Specify how many consecutive failed login attempts a single device must report before the administrator is notified. Choose how long you want login failure alerts to be displayed on the System Overview page, the Daily Status Email, and the Internal Users page, in hours or days. Specify how long you want to keep login failure records in the database, in days.

4

42



Logging In For the First TimeThe first time you log in to the PGP Universal Server, a welcome dialog box appears. The welcome dialog box provides access to tutorials and documentation. You can choose to have the welcome dialog box appear every time you log in. Whats NewLists the new features in PGP Universal Server 3.0. Mail Policy DiagramProvides a graphical representation of how email is processed through mail policy. PGP Universal Upgrade GuideProvides instructions on how to migrate PGP Keyserver data, how to upgrade your PGP Universal Server, and how version 2.0.6 settings migrate into the mail policy environment. TutorialsProvides animated introductions on how to manage the new mail policy feature in PGP Universal Server, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.

You can also access all the documentation and tutorials by clicking the online help icon in the upper right corner of the PGP Universal Server page.

Administrative Interface MapThe administrative interface is organized as follows: Sections Reporting Pages Overview Graphs Logs Consumers Groups Users Devices Consumer Policy Managed Domains Directory Synchronization Keys Managed Keys Trusted Keys Organization Keys43



Ignition Keys Keyservers Key Cache Mail Mail Policy Dictionaries Archive Servers Proxies Mail Queue Mail Routes Message Templates Services Web Messenger Keyserver SNMP Verified Directory Certificate Revocation USP System General Settings Administrators Backups Updates Network Clustering

44



IconsThe administrative interface uses the following icons. Type Actions Icon Description Add Remove Connect Delete Clear Search Install/Export Reinstall/Regenerate Restore Revoke Forward Back First Last Move priority up Move priority down Closed Action

45



Type

Icon

Description Opened Action Help Update software Print

Users

Internal user Administrative user Excluded user Internal user, revoked Expired internal user External user, revoked External user External user, pending Expired external user Directory user Expired directory user Directory user, pending

Keys and Certificates

Key Key, expired

46



Type

Icon

Description Key, revoked Key reconstruction Whole Disk Recovery Token Keypair Keypair, expired Keypair, revoked Certificate Expired certificate Revoked certificate Expired certificate pair Certificate pair Revoked certificate pair ADK (Additional Decryption Key)

Organization Key Verified Directory Key Mail Policy Default policy chain Policy chain Policy rule

47



Type

Icon

Description Dictionary term Excluded address

`

Pending excluded address Keyserver Default keyserver

User Policy

Default policy Excluded policy

Web Messenger

Default template

Customized template Broken template Backup Backup successful Backup pending Backup failed Update Successful install Update ready to be installed Failed install Clustering Cluster

48



Type

Icon

Description Active cluster Inactive cluster

Logs

Info Notice Warning Error

Miscellaneous

Domain Mail proxy (SMTP, POP, IMAP)

Inbound mailserver Outbound mailserver SMTP server Mail route Network interface Learn mode Access control enabled

49

6

Overview


This section describes how to license your PGP Universal Server.

Your PGP Universal Server must have a valid license to be taken out of Learn Mode. In other words, without a valid license, your PGP Universal Server will never encrypt or sign any email messages. If you licensed your PGP Universal Server using the Setup Assistant, you do not have to license it again. If you did not, then you can license it at any time afterwards using the administrative interface. The email proxying feature available on the PGP Universal Server can only be used if you have the Gateway Email license. The PGP Universal Server can provide security for email messaging by inserting itself into the flow of email traffic in your network, intercepting, or proxying, that traffic, and processing it (encrypt, sign, decrypt, verify) based on the applicable policies.

Manual and Automatic LicensingWhen you type your license number, the PGP Universal Server contacts an authorization server to automatically authorize the license number. If your PGP Universal Server does not have an active connection to the Internet, you must contact PGP Support to acquire a manual authorization block. Caution: The PGP Universal Server must not be behind a proxy server, unless it is a transparent proxy, to receive licensing information automatically. If the PGP Universal Server is behind a proxy server, use manual license authorization.

Licensing a PGP Universal ServerFor instructions, see Licensing a PGP Universal Server (on page 366).

51



Licensing the Mail Proxy FeatureYou must have a PGP Universal Gateway Email license or you cannot use the Mail Proxies feature on the administrative interface. For information about the Mail Proxies feature, see Configuring Mail Proxies (on page 171).

52

7

Operating in Learn Mode

When you finish configuring a PGP Universal Server using the Setup Assistant, it begins running in Learn Mode. In Learn Mode, messages are processed through mail policy, but none of the actions from the policy are performed. Messages are neither encrypted nor signed. This functions as a rehearsal, so that you can learn how policies would affect email traffic if implemented. While running in Learn Mode, the PGP Universal Server also creates keys for authenticated users so that when Learn Mode is turned off, the server can secure messages immediately. After messages go through mail policy, PGP Universal Server decrypts and verifies incoming messages for which there are local internal or external user keys. Outgoing messages are sent unencrypted. In Learn Mode, non-RFC compliant email is sent unprocessed and in the clear. Turn Learn Mode off to process messages through the mail policy exception chain. In Learn Mode, the PGP Universal Server: Creates user accounts with user keys, in accordance with Consumer Policy. Decrypts messages using internal and external keys stored on the server, but does not search for keys externally. Does not encrypt or sign messages. Will not apply mail policy to messages, and will not take any Key Not Found action on messages. Note: Your PGP Universal Server must be licensed before you can take it out of Learn Mode.

Purpose of Learn ModeLearn Mode allows you to: View (by examining the logs) how policies would affect email traffic if implemented. Build the SMSA (creating keys for authenticated users, for example) so that when the server goes livewhen Learn Mode is turned offthe server can secure messages immediately. Identify mailing lists your users send messages to and add their addresses to the dictionaries of Excluded Email Addresses. Most likely, users won't send encrypted messages to a mailing list.

53


Operating in Learn Mode

PGP Universal Server decrypts and verifies incoming email while operating in Learn Mode. PGP Universal Server still automatically detects

PGP Universal Admin Guide

Documents

Transcript of PGP Universal Admin Guide