PUT&GET MAIL (PGM)

User guide to management key information

MOSCOW, March 2017


PGM Keys management (GOST-Qiwi)


TABLE OF CONTENTS

1. PREPARATORY WORK

1.1. BEFORE GENERATING KEYS, THE FOLLOWING INFORMATION TO KNOW:

1.2. DEFINE A PLACE FOR THE FORMATION OF KEYS

1.3. TUNING INTO CERTIFYING CENTER

1.4. SETTING THE KEY MANAGEMENT

1.4.1. E-mail Options for sending key management.

1.4.2. Using a proxy

2. HOW TO CREATE A KEY

3. HOW TO SEND A REQUEST FOR A CERTIFICATE

4. HOW TO MAKE KEY ACTIVATION

5. HOW TO SEND A MESSAGE TO KEY COMPROMISE

The document describes how to use PGM to:

• Generate keys
• Send the certificate request
• Put a key into effect
• Report key compromise

The document describes the interaction with the certification center of QIWI Bank.


1. Preparatory Work

1.1. Before generating keys, the following information to know:

• Number of the Agreement with the System Operator (hereinafter the Agreement)
• Individual code of your organization in the system, as specified in the Agreement
• Name of your organization, as specified in the Agreement
• Position, surname and first name of the certificate holder
• Corporate e-mail address that will be used to exchange information related to generating and changing keys in the system, and that is permanently assigned to the organization or organizational unit
• Parameters of access to the corporate mail server of QIWI Bank:
  Host = CONTACT.RAPIDA.RU
  SMTP port - always 465
  POP3 port - always 995
  User login
  Password

The username and password will be sent by the certification center at the time of registration.

1.2. Define a place for the formation of keys

Decide which carrier the keys will be generated on. CONTACT recommends using an external storage device, for example a USB drive.

Important when using external storage!

Immediately before use, format the prepared key carrier and make sure that it has no bad sectors.

1.3. Tuning into certifying center

Select "Settings" -> "Common Settings" in the menu to specify which certification authority you will be working with.

The "Common settings" form opens.


In the "Trust Center" field, select QIWI Bank.

In the "Directory for temporary files" field, enter the full path to the working directory.

Click "Save and Exit".

1.4. Setting the Key Management

The key management settings define the parameters for communicating with the Certification Authority.

Click "Settings" -> "Key modification settings".

1.4.1. E-mail Options for sending key management.


Organization Login - the code of your organization in the CONTACT system.

Organization Name - the name of your organization in the system.

Temp directory - path to the directory used for processing intermediate files.

From - the e-mail address of the message sender. In this field, enter the mailbox specified in the message you were sent, in the form XXXX@contact.rapida.ru.

Public E-mail - register the address [email protected].

Secret E-mail - register the address [email protected].

Alarm E-mail - register the address [email protected].

Under Outgoing Mail:

Host - SMTP server address CONTACT.RAPIDA.RU.

Port - 465.

Be connected through safe join (SSL) - use a secure connection (SSL). Be sure to tick this checkbox.

Login Name - your username on the mail server for the mailbox XXXX@contact.rapida.ru, sent by the system operator.

Password - your password for access to the mail server for the mailbox XXXX@contact.rapida.ru, sent by the system operator.

Connection Time Out - timeout for connecting to the mail server.

Time Wait Data - timeout while waiting for data from the mail server.

1.4.2. Using a proxy

If you connect to the Internet through a proxy server, you must specify the parameters that provide access to it.

To do this, go to the «Proxy» tab and adjust the access settings.

If a proxy server is not used, the «Use Proxy» checkbox must be cleared.


2. How to create a key

If the key carrier is external, connect it.

Select in the menu "Actions" -> "Key modification" -> "Generate New Key".

In the "Key generation" window, check that the required fields (highlighted and underlined) are filled in correctly, according to the rules below.

Key generation algorithm - Select «GOST».

Folder of Keys Disk - Specify the root directory of keys. In the example it is D:\KEYS.

Number of key - Number of the generated key: 1 or 2. We recommend alternating the key numbers to prevent accidental loss of the current key. The instructions below use key No. 1 as the example.


Country Code - A two-letter country code according to the standard ISO 3166-1 alpha-2 (e.g. SE). Or select the name of the country from the drop-down list "Country".

State Or Province - The name of the province, region and district to which the settlement of the connection point belongs. For example: Moscow Region., Podolsky district. Maximum number of characters, including special characters and spaces: 128. The field is not mandatory.

City - Enter the full name and type of the settlement in which the point is located. For example: New York. Maximum number of characters, including special characters and spaces: 128.

Organization - Name of your organization as specified in the Agreement. Maximum number of characters, including special characters and spaces: 64.

Organizational Unit - Do not fill.

Responsible person - Position and name of the certificate holder. For example: CEO, SMITH John. Maximum number of characters, including special characters and spaces: 64.

Code of Organization - Individual organization code in the system (specified in the Agreement). For example: PSMO.

Agreement number - The number of the Agreement. For example: 123 / 987-01.

E-mail Address - Enter the e-mail address in the form XXXX@contact.rapida.ru. Maximum number of characters, including special characters and spaces: 40.
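The field rules above can be checked before the values are typed into the "Key generation" window, so that a request does not have to be regenerated because of a rejected field. This is an added example, not part of PGM or of the original guide; it assumes that every field except State Or Province is mandatory, and the sample values are constructed from the examples in the guide.

```python
import re

# (field, maximum length or None, mandatory) taken from the field rules in the guide.
# Assumption: every field other than "State Or Province" is mandatory.
RULES = [
    ("Country Code", None, True),
    ("State Or Province", 128, False),
    ("City", 128, True),
    ("Organization", 64, True),
    ("Responsible person", 64, True),
    ("Code of Organization", None, True),
    ("Agreement number", None, True),
    ("E-mail Address", 40, True),
]
MAIL_DOMAIN = "@contact.rapida.ru"

def validate_request_fields(fields):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    for name, limit, mandatory in RULES:
        value = fields.get(name, "")
        if not value.strip():
            if mandatory:
                problems.append(f"{name}: mandatory field is empty")
            continue
        # The limits count special characters and spaces, so measure the raw string.
        if limit is not None and len(value) > limit:
            problems.append(f"{name}: {len(value)} characters, limit is {limit}")
    if fields.get("Organizational Unit", ""):
        problems.append("Organizational Unit: must be left empty")
    country = fields.get("Country Code", "")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("Country Code: expected two letters (ISO 3166-1 alpha-2)")
    mail = fields.get("E-mail Address", "")
    if mail and not re.fullmatch(r"[^@\s]+" + re.escape(MAIL_DOMAIN), mail, re.I):
        problems.append(f"E-mail Address: expected a mailbox at {MAIL_DOMAIN}")
    return problems

# Constructed sample values; "xxxx" stands in for the mailbox name.
SAMPLE = {
    "Country Code": "SE", "State Or Province": "", "City": "New York",
    "Organization": "Example Org", "Responsible person": "CEO, SMITH John",
    "Code of Organization": "PSMO", "Agreement number": "123 / 987-01",
    "E-mail Address": "xxxx@contact.rapida.ru",
}
```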

After filling in all mandatory fields, click "Generate New Key and Request".

The key generation process begins.

The field displays the progress of the key generation procedure. After it reaches 100%, the new key has been created and recorded on the key carrier.

When this operation is completed, you will be asked to print a certificate request.

Click "Yes".

The screen will display the text of the certificate request.


Check the correctness of the request header.

If all the fields are filled in correctly, click

If there are any errors in the request, make the necessary corrections and click . A new certificate request based on the corrections will be generated (and written to the key carrier).

The following will be created on the key carrier:

• a root directory named Key#1 (or Key#2, depending on the key number chosen at generation);
• subdirectory Key#1\CA, containing the certificates of the certification center;
• subdirectory Key#1\keys, containing the generated key;
• subdirectory Key#1\OpenKeys, containing the key certificates for verifying electronic signatures;
• subdirectory Key#1\CRLS (must be empty).

The certificate request file request1.PEM will be written to the directory Key#1.

We recommend that you make a backup of the key information on the carrier.
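Before backing up the carrier, the layout listed above can be verified with a short script. This is an added example, not part of PGM or of the original guide; the function names are hypothetical, the request file name for Key#2 is not given in the guide and must be passed explicitly, and the demo builds a constructed layout in a temporary directory.

```python
import tempfile
from pathlib import Path

REQUIRED_DIRS = ("CA", "keys", "OpenKeys", "CRLS")  # layout listed in the guide

def _find(parent, name):
    """Case-insensitive lookup: the guide writes both request1.PEM and request1.pem."""
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

def check_key_carrier(carrier_root, key_number=1, request_name="request1.pem"):
    """Return a list of problems; an empty list means the layout matches the guide."""
    key_dir = _find(Path(carrier_root), f"Key#{key_number}")
    if key_dir is None or not key_dir.is_dir():
        return [f"Key#{key_number} directory not found on the carrier"]
    problems = []
    for name in REQUIRED_DIRS:
        sub = _find(key_dir, name)
        if sub is None or not sub.is_dir():
            problems.append(f"missing subdirectory {name}")
            continue
        has_entries = any(sub.iterdir())
        if name == "CRLS" and has_entries:
            problems.append("CRLS must be empty")
        if name == "keys" and not has_entries:
            problems.append("keys holds no generated key")
    request = _find(key_dir, request_name)
    if request is None or not request.is_file():
        problems.append(f"{request_name} not found in Key#{key_number}")
    elif request.stat().st_size == 0:
        problems.append(f"{request_name} is empty")
    return problems

def demo():
    """Build a constructed carrier layout in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = Path(tmp) / "Key#1"
        for name in REQUIRED_DIRS:
            (key_dir / name).mkdir(parents=True)
        (key_dir / "keys" / "placeholder.key").write_bytes(b"constructed")
        (key_dir / "request1.PEM").write_text("constructed request body")
        good = check_key_carrier(tmp)
        (key_dir / "CRLS" / "stale.crl").write_bytes(b"constructed")
        (key_dir / "request1.PEM").unlink()
        bad = check_key_carrier(tmp)
    return good, bad
```

On a real carrier, call `check_key_carrier` with the root directory of keys (D:\KEYS in the guide's example) and resolve every reported problem before making the backup.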


3. How to send a request for a certificate

If the key carrier is external, connect it.

As a result of the operations in section 2, the certificate request for Key1 (file request1.pem) has been written to the directory Key#1 on key carrier No. 1. It must be sent by e-mail to the Certification Authority. The access options for the e-mail server hosting the mailbox used to exchange information about generating and changing keys in the System must already be configured in the menu Settings -> Key modification settings.

Select "Actions" -> "Key modification" -> "Get certification".

In the window that opens:

In the field "Sended file", select "request1.pem".

In the field "File path and name", specify the full path to the file request1.pem containing the certificate request for Key1. Alternatively, find and select the file by clicking "Choose".

Check that the fields are filled in correctly and send the request for certification by clicking "Send E-mail".

If the login and/or password for the mail server are not specified in the E-mail Options for sending key management (see point 1), the program will ask for them.


After sending, a message will be displayed.

Then click .

Disconnect the key carrier.

After receiving and processing the request, the Certification Center will send a message with the processing result to your e-mail [email protected].

If processing was successful, the attached file will contain your certificate.

Save it in the OpenKeys folder on the key carrier.


4. How to make key activation

Select in the menu "Actions" -> "Key modification" -> "Key 1 activation".

In the window that opens, click the "Send E-mail" button.

If the login and/or password for the mail server are not specified in the E-mail Options for sending key management (see point 1), the program will ask for them.

After sending, a message will be displayed.


Then click .

After receiving and processing the request, the Certification Center will send a message with the processing result to your e-mail [email protected].


5. How to send a message to key compromise

If the current key is compromised, immediately perform the following steps:

Completely stop sending transactions in the system.

Start the PGM program.

Select in the menu "Actions" -> "Key modification" -> "Discrediting".

In the window that opens:

In the field "How many Keys was discredited", select "Only one Key".

Check that the fields are correct and send the message by clicking the "Send E-mail" button.

If the login and/or password for the mail server are not specified in the E-mail Options for sending key management (see point 1), the program will ask for them.


After sending, a window with a message will be displayed.

Important:

Sending a well-formed e-mail message about the compromise promptly, following the procedure described, ensures that the compromised key is immediately withdrawn from use.

Then click

As a result of these procedures, the compromised key is withdrawn from use.

To continue working in the system, a new key must be generated, certified and put into effect!