MOSCOW, March 2017
PUT&GET MAIL (PGM)
User guide to key information management
PGM Keys management (GOST-Qiwi)
TABLE OF CONTENTS
1. Preparatory work
1.1. Before generating keys, you need the following information
1.2. Choose where the keys will be generated
1.3. Selecting the certification center
1.4. Key management settings
1.4.1. E-mail options for key management
1.4.2. Using a proxy
2. How to create a key
3. How to send a certificate request
4. How to activate a key
5. How to report key compromise
This document describes how to use PGM to:
Generate keys
Send the certificate request
Put a key into effect
Report key compromise
It describes the interaction with the certification center of QIWI Bank.
1. Preparatory work
1.1. Before generating keys, you need the following information:
Number of the Agreement with the System Operator (hereinafter the Agreement)
Individual code of your organization in the system, as specified in the Agreement
Name of your organization, as specified in the Agreement
Position, surname and first name of the certificate holder
Address of the corporate e-mail box that will be used for exchanging information related to generating and changing keys in the system; it must be permanently assigned to the organization or organizational unit.
Access parameters for the corporate mail server of QIWI Bank:
Host = CONTACT.RAPIDA.RU
SMTP port: always 465
POP3 port: always 995
User login
Password
The username and password are sent by the certification center at registration time.
1.2. Choose where the keys will be generated
Decide which carrier the keys will be generated on. CONTACT recommends an external storage device, for example a USB drive.
Important when using external storage:
Immediately before use, format the prepared key carrier and make sure it has no bad sectors.
1.3. Selecting the certification center
Select "Settings" -> "Common Settings" to specify which certification authority you will be working with.
The "Common settings" form opens.
In the "Trust Center" field select QIWI Bank.
In the "Directory for temporary files" field enter the full path to the working directory.
Click "Save and Exit".
1.4. Key management settings
The key management settings define the communication parameters for reaching the Certification Authority.
Click "Settings" -> "Key modification settings".
1.4.1. E-mail options for key management
Organization Login: the code of your organization in the CONTACT system.
Organization Name: the name of your organization in the system.
Temp directory: path to the directory used for intermediate files.
From: the sender address of the message. Enter the mailbox named in the message you received, of the form XXXX@contact.rapida.ru.
Public E-mail: enter the address [email protected].
Secret E-mail: enter the address [email protected].
Alarm E-mail: enter the address [email protected].
Outgoing Mail:
Host: the SMTP server address, CONTACT.RAPIDA.RU.
Port: 465.
Be connected through safe join (SSL): use a secure (SSL) connection. This box must be checked: port 465 is the implicit SSL/TLS port, and without the secure connection the login and password would travel in clear text.
Login Name: your username on the mail server for the mailbox XXXX@contact.rapida.ru, sent by the system operator.
Password: your password for the mailbox XXXX@contact.rapida.ru on the mail server, sent by the system operator.
Connection Time Out: time to wait for the connection to the mail server.
Time Wait Data: time to wait for data from the mail server.
1.4.2. Using a proxy
If your Internet connection goes through a proxy server, you must enter the parameters that give access to it.
To do so, open the "Proxy" tab and adjust the access settings.
If no proxy server is used, the "Use Proxy" check box must be cleared.
2. How to create a key
If the key carrier is external, connect it.
Select "Actions" -> "Key modification" -> "Generate New Key".
In the "Key generation" window, check that the required fields (highlighted and underlined) are filled in according to the rules in the table below.
Field name: Value
Key generation algorithm: select "GOST".
Folder of Keys Disk: specify the root directory of the keys. In the example it is D:\KEYS.
Number of key: the number of the generated key, 1 or 2. We recommend alternating key numbers to prevent accidental loss of the current key.
The instructions below use key number 1 as the example.
Field name: Value
Country Code: a two-letter country code according to ISO 3166-1 alpha-2 (e.g. SE), or select the country name from the "Country" drop-down list.
State Or Province: the name of the province, region and district in which the town of the connection point is located. For example: Moscow Region, Podolsky district. Maximum length, including special characters and spaces: 128. The field is optional.
City: the full name and type of the settlement in which the point is located. For example: New York. Maximum length, including special characters and spaces: 128.
Organization: the name of your organization as specified in the Agreement. Maximum length, including special characters and spaces: 64.
Organizational Unit: leave empty.
Responsible person: position and name of the certificate holder. For example: CEO, SMITH John. Maximum length, including special characters and spaces: 64.
Code of Organization: the individual code of your organization in the system (specified in the Agreement). For example: PSMO.
Agreement number: the Agreement number. For example: 123/987-01.
E-mail Address: the e-mail address, of the form XXXX@contact.rapida.ru. Maximum length, including special characters and spaces: 40.
After filling in all mandatory fields, click "Generate New Key and Request".
The key generation process begins.
The field shows the progress of the key generation procedure. When it reaches 100%, the new key has been created and written to the key carrier.
When this operation completes, you will be asked to print the certificate request.
Click "Yes".
The text of the certificate request is displayed on screen.
Check that the request header is correct.
If all fields are filled in correctly, click the confirmation button in the window.
If there are errors in the request, make the necessary corrections and click the button to regenerate: a new certificate request based on the corrections is produced and written to the key carrier.
The following is created on the key carrier:
In the root of the carrier, a directory named Key#1 (or Key#2, depending on the key number chosen at generation).
Subdirectory Key#1\CA, containing the certificates of the certification center.
Subdirectory Key#1\keys, containing the generated key.
Subdirectory Key#1\OpenKeys, containing key certificates (certificates for verifying electronic signatures).
Subdirectory Key#1\CRLS (must be empty).
The certificate request file request1.pem is written to the Key#1 directory.
We recommend making a backup copy of the key carrier.
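The layout above can be verified before the carrier is backed up, and the backup itself should refuse to overwrite an earlier copy. The Python script below is an added example, not part of PGM or of this guide: it assumes the Key#N layout described here, checks only the generic PEM armor of requestN.pem (the guide does not state which armor label PGM uses), and builds a constructed sample carrier with placeholder bytes rather than real key material.

```python
import base64
import shutil
import tempfile
from pathlib import Path

# Layout this guide says PGM writes to the key carrier for key number N:
#   Key#N\CA            certificates of the certification center
#   Key#N\keys          the generated key
#   Key#N\OpenKeys      key certificates
#   Key#N\CRLS          must be empty right after generation
#   Key#N\requestN.pem  the certificate request
REQUIRED_DIRS = ("CA", "keys", "OpenKeys", "CRLS")


def key_dir(carrier_root, key_number):
    """Path of the Key#N directory on the carrier."""
    return Path(carrier_root) / f"Key#{key_number}"


def looks_like_pem(data):
    """Generic PEM check: BEGIN/END armor lines around valid base64.
    Assumption: the guide does not state the armor label of requestN.pem,
    so the label itself is not checked."""
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    if len(lines) < 3:
        return False
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return True


def check_key_carrier(carrier_root, key_number=1):
    """Return a list of problems; an empty list means the layout matches the guide."""
    kd = key_dir(carrier_root, key_number)
    if not kd.is_dir():
        return [f"missing directory {kd}"]
    problems = []
    for name in REQUIRED_DIRS:
        if not (kd / name).is_dir():
            problems.append(f"missing subdirectory {name}")
    if (kd / "CRLS").is_dir() and any((kd / "CRLS").iterdir()):
        problems.append("CRLS must be empty")
    if (kd / "keys").is_dir() and not any((kd / "keys").iterdir()):
        problems.append("keys subdirectory is empty")
    req = kd / f"request{key_number}.pem"
    if not req.is_file():
        problems.append(f"{req.name} not found")
    elif not looks_like_pem(req.read_bytes()):
        problems.append(f"{req.name} is not PEM-armored")
    return problems


def backup_key_carrier(carrier_root, backup_root, key_number=1):
    """Copy Key#N to backup_root/Key#N; refuses to overwrite an existing backup."""
    src = key_dir(carrier_root, key_number)
    dst = Path(backup_root) / src.name
    if dst.exists():
        raise FileExistsError(f"backup already exists: {dst}")
    shutil.copytree(src, dst)
    return dst


def make_sample_carrier(key_number=1):
    """Constructed sample layout in a fresh temp directory, for offline use only.
    Placeholder bytes: not real key material and not a real request."""
    kd = key_dir(tempfile.mkdtemp(prefix="carrier-"), key_number)
    for name in REQUIRED_DIRS:
        (kd / name).mkdir(parents=True)
    (kd / "keys" / "key.bin").write_bytes(b"\x00" * 32)
    body = base64.b64encode(b"constructed request body").decode()
    (kd / f"request{key_number}.pem").write_text(
        f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"
    )
    return kd


if __name__ == "__main__":
    import sys

    root = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_carrier().parent
    issues = check_key_carrier(root, 1)
    print("carrier OK" if not issues else "\n".join(issues))
```

Run it with the drive letter of the real carrier as the first argument (for example `D:\`); with no argument it checks the constructed sample. A non-empty CRLS or an empty keys directory right after generation means the generation step did not finish as described and should be repeated before the request is sent.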
3. How to send a certificate request
If the key carrier is external, connect it.
As a result of the operations in section 2, the certificate request for key 1 (file request1.pem) was written to the Key#1 directory of key carrier No. 1. It must be sent by e-mail to the Certification Authority; the access parameters for the mail server hosting the mailbox used for key generation and change messages in the System must have been configured beforehand in "Settings" -> "Key modification settings".
Select "Actions" -> "Key modification" -> "Get certification".
In the window that opens:
In the "Sended file" field, select "request1.pem".
In the "File path and name" field, specify the full path to the request1.pem certificate request for key 1, or find and select the file by clicking "Choose".
Check the fields and send the certification request by clicking "Send E-mail".
If the login and/or password for the mail server were not specified in the e-mail options for key management (see section 1), the program will prompt for them.
After the message is sent, a confirmation window is displayed.
Then click the button in that window.
Disconnect the key carrier.
The Certification Center receives and processes the request and sends a message with the processing result to your mailbox [email protected].
If processing was successful, the attached file is your certificate.
Save it in the OpenKeys folder on the key carrier.
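What the "Send E-mail" step and the reply handling of this section amount to on the wire: a MIME message with request1.pem attached, delivered to the certification center's mailbox over SMTP with implicit SSL/TLS on port 465 (the SSL check box of section 1.4.1), and a reply whose attachment is stored under OpenKeys. The Python below is an added example, not PGM's own code: the subject and body wording, the placeholder public-mailbox address (this copy of the guide does not show the real one), and the shape of the CA reply are assumptions, and the reply is constructed inline so the extraction step runs offline.

```python
import email
import email.policy
import smtplib
import ssl
import tempfile
from email.message import EmailMessage
from pathlib import Path

SMTP_HOST = "CONTACT.RAPIDA.RU"
SMTP_PORT = 465  # always 465: implicit SSL/TLS, matching the guide's SSL check box

# Placeholder for the "Public E-mail" address, which this copy of the guide
# does not show; take the real one from section 1.4.1 (assumption).
PUBLIC_MAILBOX = "public-mailbox@example.invalid"


def build_request_message(sender, request_name, request_bytes, org_code, agreement,
                          to_addr=PUBLIC_MAILBOX):
    """MIME message carrying requestN.pem as an attachment.
    Subject and body wording are assumptions; the guide does not show them."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_addr
    msg["Subject"] = f"Certificate request: {org_code}, agreement {agreement}"
    msg.set_content(f"Certificate request for organization {org_code}, agreement {agreement}.")
    msg.add_attachment(request_bytes, maintype="application", subtype="x-pem-file",
                       filename=request_name)
    return msg


def send_over_ssl(msg, login, password, host=SMTP_HOST, port=SMTP_PORT, timeout=30):
    """Implicit-TLS SMTP. The default context verifies the server certificate
    and hostname; do not swap in an unverified context to make a failing login work."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout) as smtp:
        smtp.login(login, password)
        smtp.send_message(msg)


def save_certificate_from_reply(raw_reply, openkeys_dir):
    """Store the certificate attached to the CA's reply in Key#N\\OpenKeys.
    The attachment name is reduced to its basename so a crafted reply cannot
    write outside OpenKeys, and an existing file is never overwritten."""
    reply = email.message_from_bytes(raw_reply, policy=email.policy.default)
    for part in reply.iter_attachments():
        name = Path((part.get_filename() or "").replace("\\", "/")).name
        if not name.lower().endswith((".pem", ".cer", ".crt")):
            continue
        dst = Path(openkeys_dir) / name
        if dst.exists():
            raise FileExistsError(f"refusing to overwrite {dst}")
        dst.write_bytes(part.get_payload(decode=True))
        return dst
    raise ValueError("no certificate attachment in CA reply")


def constructed_ca_reply(cert_bytes, filename="cert1.pem", to_addr="XXXX@contact.rapida.ru"):
    """Constructed stand-in for the CA's reply (offline use only; the real
    reply's headers and wording are not shown in the guide)."""
    reply = EmailMessage()
    reply["From"] = PUBLIC_MAILBOX
    reply["To"] = to_addr
    reply["Subject"] = "Certificate request processed"
    reply.set_content("Processing result: success. The certificate is attached.")
    reply.add_attachment(cert_bytes, maintype="application", subtype="x-pem-file",
                         filename=filename)
    return reply.as_bytes()


def new_openkeys_dir():
    """Fresh OpenKeys directory under a temporary Key#1, for offline demonstration."""
    d = Path(tempfile.mkdtemp(prefix="carrier-")) / "Key#1" / "OpenKeys"
    d.mkdir(parents=True)
    return d


if __name__ == "__main__":
    # Offline walk-through: build the request message, then store a constructed reply.
    req = b"-----BEGIN CERTIFICATE REQUEST-----\nQUJD\n-----END CERTIFICATE REQUEST-----\n"
    msg = build_request_message("XXXX@contact.rapida.ru", "request1.pem", req, "PSMO", "123/987-01")
    print(msg["Subject"])
    cert = b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    print(save_certificate_from_reply(constructed_ca_reply(cert), new_openkeys_dir()))
```

To send for real, read request1.pem from the Key#1 directory of the carrier, pass its bytes to build_request_message, and call send_over_ssl with the login and password issued by the system operator; the reply arrives in the mailbox from section 1 over POP3 on port 995, and save_certificate_from_reply takes its raw bytes.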
4. How to activate a key
Select "Actions" -> "Key modification" -> "Key 1 activation".
In the window that opens:
Click "Send E-mail".
If the login and/or password for the mail server were not specified in the e-mail options for key management (see section 1), the program will prompt for them.
After the message is sent, a confirmation window is displayed.
Then click the button in that window.
The Certification Center receives and processes the request and sends a message with the processing result to your mailbox [email protected].
5. How to report key compromise
If the current key is compromised, immediately do the following:
Completely stop sending transactions in the system.
Start the PGM program.
Select "Actions" -> "Key modification" -> "Discrediting".
In the window that opens:
In the "How many Keys was discredited" field, select "Only one Key".
Check the fields and send the message by clicking "Send E-mail".
If the login and/or password for the mail server were not specified in the e-mail options for key management (see section 1), the program will prompt for them.
After the message is sent, a window is displayed.
Important:
Sending a correctly formed e-mail message about the compromise promptly, in accordance with the procedure described, ensures that the compromised key is withdrawn from use immediately.
Then click the button in that window.
As a result of these steps, the compromised key is withdrawn from use.
To continue working in the system, a new key must be generated, certified and put into effect.