How it Works
PGP
Loading...
#
C
D
E
M
N
P
R
U
W
Loading...
Loading...
Universal Server - 2.7
Administrator’s Guide
565 pgs12.65 Mb0
Table of contents
Loading...

PGP Universal Server - 2.7 Administrator’s Guide

PGP Universal Server
Administrator's Guide
Version Information
PGP Universal Server Administrator's Guide. PGP Universal Server Version 2.7.0. Released December 2007.
Copyright Information
Copyright © 1991–2007 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support ( Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
http://www.pgp.com/support). PGP
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib ( under the MIT License found at freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server (
http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse
server ( HTML, developed by the Apache Software Foundation. The license is at binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at (JMX), is released under an Apache-style license, available at the work of the Independent JPEG Group. ( MIT License University of Cambridge. ©1997-2006. The license agreement is at Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. ( daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at by Network Time Protocol and copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. • Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. • PostgreSQL, a free software object-relational database management system, is released under a
BSD-style license, available at PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. • JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at services, is open source software provided under a MIT/X derivate license available at 2007, Daniel Stenberg. • libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at
http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. • libpopt, a library that parses command
line options, is released under the terms of the GNU Free Documentation License available at 2000-2003 Free Software Foundation, Inc.
http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a
http://jakarta.apache.org/), web
www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, data-
http://www.castor.org/license.html. • Xalan, an open-source software library from the Apache Software
http://xml.apache.org/xalan-j/#license1.1. • mx4j, an open-source implementation of the Java Management Extensions
http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is based in part on
http://www.ijg.org/) • libxslt the XSLT C library developed for the GNOME project and distributed under the
http://www.opensource.org/licenses/mit-license.html. • PCRE version 4.5 Perl regular expression compiler, copyrighted and distributed by
http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain
http://www.isc.org) • Free BSD implementation of
http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed
http://www.openldap.org/software/release/license.html. • Secure shell OpenSSH version 4.2.1
http://www.openbsd.org/cgi-
http://www.postgresql.org/about/licence. • PostgreSQL JDBC driver, a free Java program used to connect to a
http://jdbc.postgresql.org/license.html. • 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs
http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. • TAO (The ACE ORB) is an open-source implementation of a
http://www.cs.wustl.edu/~schmidt/ACE-copying.html. • libcURL, a library for downloading files via common network
http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 -
http://directory.fsf.org/libs/COPYING.DOC. Copyright ©
PGP Universal Server Introduction
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
4
Contents
Introduction 15
What is PGP Universal Server? 15 PGP Universal Server Product Family 16 Who Should Read This Guide 16 Improvements in This Version of PGP Universal Server 16
PGP Universal Server 17 PGP Messaging 17 PGP Keys 18 PGP Desktop 18 PGP Desktop Email 19 PGP NetShare 20
PGP Whole Disk Encryption 20 Using the PGP Universal Server with the Command Line 22 Symbols 22 Getting Assistance 23
Getting product information 23
Contact information 23
The Big Picture 25
Important Terms 25
PGP Products 25
PGP Universal Server Concepts 25
PGP Universal Server Features 26
PGP Universal Server User Types 28 Installation Overview 29
Adding the PGP Universal Server to Your Network
Server Placement 35
Gateway Placement 36
Internal Placement 37 Using a Mail Relay 38 Microsoft Exchange Server 38 Lotus Domino Server 39 Configuration Examples 39
Internal Placement Configuration 40
Gateway Placement Configuration 41
Non-mailstream Placement Configuration 42
Cluster Configuration 43
Clustered Proxy and Keyserver Configuration 44
Gateway Cluster with Load Balancer 46
Gateway and Internal Placement Cluster 47
35
i
PGP Universal Server Contents
Encircled Configuration 49
Large Enterprise Configuration 50
Spam Filters and PGP Universal Server 51
Exchange with PGP Client Software 52
Lotus Domino Server with PGP Client Software 53
Unsupported Configurations 53
Open Ports 55
TCP Ports 55 UDP Ports 57
Naming your PGP Universal Server
Considering a Name for Your PGP Universal Server 59 Methods for Naming a PGP Universal Server 60
59
Installing the PGP Universal Server 61
About the Installation Procedure 61 System Requirements 62 Installation Materials 62 Installation Options 62 Standard Installation Procedure 63 PGP Installation Procedure 64
Setting Up the PGP Universal Server 65
About the Setup Assistant 65 Preparing for Setup after pgp Install 66
Hardware 66
System Information 66
Connect to the PGP Universal Server 67
ii
PGP Universal Server Contents
Initial Configuration with Setup Assistant 67 Primary or Secondary Configuration 76 Restoring From a Server Backup 86 Migrating the Keys from a PGP Keyserver 87
Understanding the Administrative Interface 89
System Requirements 89 Logging In 89 Managing Alerts 92 Logging In For the First Time 93 Administrative Interface Map 94 Icons 95
Licensing Your Software 101
Overview 101 License Changes for PGP Universal Server 2.5 and Later 101 Manual and Automatic Licensing 102 Licensing a PGP Universal Server 103 Licensing the Mail Proxy Feature 103
Operating in Learn Mode 105
Purpose of Learn Mode 105 Checking the Logs 106 Managing Learn Mode 106
Managed Domains 109
About Managed Domains 109 Adding Managed Domains 110 Deleting Managed Domains 111
Managing Organization Keys
About Organization Keys 113 Organization Key 113
Inspecting the Organization Key 114
Regenerating the Organization Key 116
Importing an Organization Key 117 Organization Certificate 119
Inspecting the Organization Certificate 119
Exporting the Organization Certificate 120
Deleting the Organization Certificate 121
Generating the Organization Certificate 122
Importing the Organization Certificate 124
113
iii
PGP Universal Server Contents
Additional Decryption Key (ADK) 125
Importing the ADK 126
Inspecting the ADK 127
Deleting the ADK 128 Verified Directory Key 129
Importing the Verified Directory Key 129
Inspecting the Verified Directory Key 130
Deleting the Verified Directory Key 131
Managing Trusted Keys and Certificates 133
Overview 134
Trusted Keys 135
Trusted Certificates 135 Adding a Trusted Key or Certificate 135 Inspecting and Changing Trusted Key Properties 137 Deleting Trusted Keys and Certificates 138 Searching for Trusted Keys and Certificates 138
Recovering Encrypted Data in an Enterprise Environment 139
Using Key Reconstruction 139 Recovering Encryption Key Material without Key Reconstruction 140
Encryption Key Recovery of CKM Keys 140
Encryption Key Recovery of GKM Keys 141
Encryption Key Recovery of SCKM Keys 141
Encryption Key Recovery of SKM Keys 142 Using an Additional Decryption Key for Data Recovery 142
Setting Mail Policy 145
Overview 146
How Policy Chains Work 147
Mail Policy and Dictionaries 148
Mail Policy and Key Searches 149
Mail Policy and Cached Keys 149 Migrating Settings from Version 2.0.x 149 Understanding the Pre-Installed Policy Chains 150 Mail Policy Outside the Mailflow 151 Building Valid Chains and Rules 152
Using Valid Processing Order 152
Creating Valid Groups 153
Creating a Valid Rule 154 Using the Rule Interface 155
The Conditions Card 156
The Actions Card 158 Managing Policy Chains 158
Mail Policy Best Practices 159
iv
PGP Universal Server Contents
Restoring Mail Policy to Default Settings 159
Editing Policy Chain Settings 159
Adding Policy Chains 160
Deleting Policy Chains 162
Exporting Policy Chains 163
Printing Policy Chains 163 Managing Rules 163
Adding Rules to Policy Chains 163
Deleting Rules from Policy Chains 164
Enabling and Disabling Rules 164
Changing the Processing Order of the Rules 165 Adding Key Searches 165 Choosing Condition Statements, Conditions, and Actions 166
Condition Statements 166
Conditions 166
Actions 174 Working with Common Access Cards 181
Applying Key Not Found Settings to External Users 183
Overview 183
Bounce the Message 184
PDF Messenger 184
Certified Delivery with PDF Messenger 185
Send Unencrypted 186
Smart Trailer 186
PGP Universal Web Messenger 190 Changing Policy Settings 192 Changing User Delivery Method Preference 192
Using Dictionaries with Policy 195
Overview 195 Default Dictionaries 197
Editing Default Dictionaries 198 User-Defined Dictionaries 201
Adding a User-Defined Dictionary 201
Editing a User-Defined Dictionary 203
Deleting a Dictionary 204 Exporting a Dictionary 205 Searching the Dictionaries 205
Keyservers, SMTP Servers, and Mail Policy
207
Overview 207 Keyservers 208
Adding or Editing a Keyserver 209
Deleting a Keyserver 211
v
PGP Universal Server Contents
SMTP Servers 212
Adding or Editing an SMTP Server 212
Deleting an SMTP Server 214
Managing Keys in the Key Cache
Overview 215 Changing Cached Key Timeout 216
Purging Keys from the Cache 217
Trusting Cached Keys 217
Viewing Cached Keys 217 Searching the Key Cache 218
215
Configuring Mail Proxies 219
Overview 219 PGP Universal Server and Mail Proxies 220
Mail Proxies in an Internal Placement 220
Mail Proxies in a Gateway Placement 222 Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and later 223 Mail Proxies Card 224 Creating New or Editing Existing Proxies 224
Creating or Editing a POP/IMAP Proxy 225
Creating or Editing an Outbound SMTP Proxy 227
Creating or Editing an Inbound SMTP Proxy 230
Creating or Editing a Unified SMTP Proxy 231
Email in the Mail Queue 235
Overview 235 Deleting Messages from the Mail Queue 236
Specifying Mail Routes
Overview 237 Managing Mail Routes 238
Adding a Mail Route 238
Editing a Mail Route 239
Deleting a Mail Route 239
237
Customizing System Message Templates 241
Overview 241
Templates and Message Size 242
PDF Messenger Templates 242
Templates for New PGP Universal Web Messenger Users 243
vi
PGP Universal Server Contents
Editing a Message Template 243
Setting Internal User Policy
Overview 246 Managing Internal User Policies 247
Adding a New Internal User Policy 247
Editing Internal User Policies 248
Editing the Excluded Users Policy 258
Deleting Internal User Policies 259 Downloading Client Software 259 Directory Synchronization 262 Choosing a Key Mode For Key Management 262
Disabling Key Generation 266
Adding PGP Desktop Solutions to Existing PGP Universal Gateway Email Environments266
Changing Key Modes 266 X.509 Certificate Management in Lotus Notes Environments 268
Trusting Certificates Created by PGP Universal Server 269
Setting the Lotus Notes Key Settings in PGP Universal Server 270
Technical Deployment Information 271 Customizing the Windows Preinstallation Environment for PGP Whole Disk Encryption 272
Introduction 272
Creating a Windows PE CD 274
Customizing the Vista Installation Package to Upgrade Encrypted Operating Systems to
Windows Vista
Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems 280
Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console 281
Pgppe Commands 281
245
277
Using Directory Synchronization to Manage Users 285
Overview 285 Enabling Directory Synchronization 287
Testing the LDAP Connection 290 Excluding Users 290 Including Only Some Users 292 Matching Attributes 292 Base DN and Bind DN 294 Understanding User Enrollment Methods 296
Before Creating a Client Installer 296
Email Enrollment 297
Directory Enrollment 299
vii
PGP Universal Server Contents
Serving PGP Admin 8 Preferences 301
Configuring PGP Desktop Installations
303
Establishing PGP Desktop Settings for Your PGP Desktop Clients 303 PGP Desktop Licensing 304 Configuring PGP Desktop Settings 305
General Tab 309
Licensing Tab 313
Messaging & Keys Tab 316
File & Disk Tab 318
WDE Tab 322 PGP Desktop Installer Policies 326 Creating PGP Desktop Installers 327
Creating an Installer with No Policy Settings 327
Creating an Installer with Auto-Detect Policy 328
Creating an Installer with Preset Policy 329 Controlling PGP Desktop Components 331 PGP Whole Disk Encryption Administration 332
How Does Single Sign-On Work? 332
Enabling Single Sign-On 333 Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 335 Managing Clients Locally Using the PGP WDE Administrator Key 337
Setting External User Policy 339
Overview 340 Managing External User Policies 341
Regrouping External Users 341
Adding a New External User Policy 341
Editing External User Policies 342
Deleting External User Policies 352
Configuring PGP Universal Web Messenger 353
Overview 353
High Availability Mode 354 Customizing PGP Universal Web Messenger 355
Adding a New Template 356
Troubleshooting Customization 361
Changing the Active Template 365
Deleting a Template 365
Editing a Template 365
Downloading Template Files 366
Restoring to Factory Defaults 366
viii
PGP Universal Server Contents
Configuring the PGP Universal Web Messenger Service 367
Configuring the PGP Verified Directory
373
Overview 373 Enabling the PGP Verified Directory 374 Configuring the PGP Verified Directory 375
Managing Internal User Accounts 379
Overview 379 Certificate Revocation Lists 380 Adding Internal Users Manually 381 Deleting Internal Users 383 Approving Pending Keys 383 Searching for Internal Users 384 Exporting PGP Whole Disk Login Failure Data 385 Internal User Settings 385
Changing Internal User Settings 386
Exporting an Internal User’s X.509 Certificate 387
Revoking the PGP Key of an Internal User 387
Exporting the PGP Key of an Internal User 388
Deleting the PGP Key of an Internal User 389
Deleting a PGP Desktop Key Reconstruction Block 389
Using Whole Disk Recovery Tokens 390
Deleting Whole Disk Recovery Tokens 391
Viewing PGP Whole Disk Encryption Status 391
Viewing Internal User Log Entries 392 Key Reconstruction Blocks 393
Managing External User Accounts 395
Overview 395 Importing External Users 396 Deleting External Users 397 Searching for External Users 397 Exporting Delivery Receipts 398 External User Settings 399
Changing External User Settings 400
Viewing External User Log Entries 401
Exporting an External User’s X.509 Certificate 401
Exporting the PGP Key of an External User 402
Deleting the PGP Key of an External User 402
Changing the Passphrase of an External User 403
ix
PGP Universal Server Contents
Managing PGP Verified Directory User Accounts 405
Overview 405 Importing Verified Directory Users 406 PGP Verified Directory User Settings 408
Changing PGP Verified Directory User Settings 409
Approving Pending Keys 409
Deleting the PGP Key of a PGP Verified Directory User 410
Viewing PGP Verified Directory User Log Entries 410 Deleting PGP Verified Directory Users 410 Exporting PGP Verified Directory Users 411 Searching for PGP Verified Directory Users 411
Managing Administrator Accounts 413
Overview 413 Creating a New Administrator 414 Importing SSH v2 Keys 416 Deleting Administrators 416 Inspecting and Changing the Settings of an Administrator 417 Daily Status Email 417
PGP Universal Satellite 419
Overview 419 Technical Information 420 Distributing the PGP Universal Satellite Software 421 Configuration 422
Deployment Mode 422
Key Mode 422
Satellite Configurations 423
Switching Key Modes 428 Binding 428
Pre-Binding 429
Manual Binding 430 Policy and Key or Certificate Retrieval 431
Retrieving Lost Policies 431
Retrieving Lost Keys or Certificates 433
x
PGP Universal Server Contents
PGP Universal Satellite for Mac OS X 435
Overview 435 System Requirements 436 Obtaining the Installer 436 Installation 436 Updates 437 Files 437 User Interface 438
About PGP Universal Server 439
Help 440
Show Log 440
Clear Log 441
Policies 441
Preferences 448
Purge Caches 449
Hide and Quit PGP Universal Satellite 449
PGP Universal Satellite for Windows 453
Overview 453 System Requirements 454 Obtaining the Installer 454 Installation 455 Updates 457 Files 458 MAPI Support 458
External MAPI Configuration 459
Internal MAPI Configuration 460
Using MAPI 461 Lotus Notes Support 461
External Lotus Notes Configuration 461
Internal Lotus Notes Configuration 463
Using Lotus Notes 464
Notes IDs 464 User Interface 464
The Policy Tab 465
The Log Tab 467
The Satellite Tray Icon 469
xi
PGP Universal Server Contents
Configuring the Integrated Keyserver 473
Overview 473 Configuring the Keyserver Service 473
Managing the Certificate Revocation List Service 479
Overview 479 Enabling and Disabling the CRL Service 480 Editing CRL Service Settings 480
System Graphs
Overview 483 CPU Usage 483 Message Activity 484 Whole Disk Encryption 485 Recipient Statistics 487 Recipient Domain Statistics 487
483
System Logs 489
Overview 489 Filtering the Log View 490 Searching the Log Files 491 Exporting a Log File 491 Enabling External Logging 492
Shutting Down and Restarting Services and Power 495
Overview 496 PGP Universal Server 498
Setting the Time 498
Updating Software 499
Licensing a PGP Universal Server 500
Downloading the Release Notes 500
xii
PGP Universal Server Contents
Shutting Down and Restarting the PGP Universal Server Software Services 501 Shutting Down and Restarting the PGP Universal Server Hardware 501
Configuring SNMP Monitoring 503
Overview 503 Downloading the Custom MIB File 504 Configuring the SNMP Service 505
Setting Network Interfaces 509
Overview 510 Connecting to a Proxy Server 511 Changing Interface Settings 512 Adding Interface Settings 512 Deleting Interface Settings 513 Editing Global Network Settings 513 Assigning a Certificate 513 Working with Certificates 514
Importing an Existing Certificate 515
Generating a Certificate Request 518
Adding a Pending Certificate 519
Inspecting a Certificate 520
Exporting a Certificate 521
Deleting a Certificate 522
Clustering your PGP Universal Servers 523
Overview 523 Clustering and PGP Universal Web Messenger 524 Cluster Status 525 Creating Clusters 527 Deleting Clusters 529 Changing Network Settings in Clusters 529 Managing Secondary Settings in Clusters 530
Protecting PGP Universal Server with Ignition Keys
Overview 531
Ignition Keys and Clustering 533
xiii
531
PGP Universal Server Contents
Preparing Hardware Tokens to be Ignition Keys 533 Configuring a Hardware Token Ignition Key 535 Configuring a Soft-Ignition Passphrase Ignition Key 535 Deleting Ignition Keys 536
Backing Up and Restoring System and User Data 537
Overview 537 Creating Backups 538
Scheduling Backups 538
Performing On-Demand Backups 539 Configuring the Backup Location 539 Restoring From a Backup 541
Restoring On-Demand 541
Restoring Configuration 542
Restoring from a Different Version 546
Updating PGP Universal Server Software 549
Overview 549 Inspecting Update Packages 550 Establishing Software Update Settings 550 Checking for New Updates 551 Uploading Update Packages 551 Manually Installing an Update 551
Index 553
xiv
1
Introduction
This Administrator’s Guide describes both the PGP Universal Server and PGP Universal Satellite. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high­level overview of PGP Universal Server.
In This Chapter
What is PGP Universal Server? ................................................................15
PGP Universal Server Product Family ......................................................16
Who Should Read This Guide ..................................................................16
Improvements in This Version of PGP Universal Server..........................16
Using the PGP Universal Server with the Command Line.......................22
Symbols....................................................................................................22
Getting Assistance ...................................................................................23

What is PGP Universal Server?

PGP Universal Server provides multiple encryption solutions managed from a single console.
PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it transparently protects your enterprise messages with little or no user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a built­in keyserver, and the PGP Admin product with PGP Desktop configuration and deployment capabilities.
It automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA. The PGP Universal Server encrypts, decrypts, signs, and verifies messages automatically, providing strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP security for email messages all the way to the computer of the email user, it allows external users to become part of the SMSA, and it gives end users the option to create and manage their keys on their own computer (if allowed by the PGP administrator).
15
PGP Universal Server Introduction

PGP Universal Server Product Family

PGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption applications. PGP encryption applications are:
PGP Universal Gateway Email provides automatic email encryption in the
gateway, based on centralized mail policy. This product requires administration by the PGP Universal Server.
PGP Desktop Email provides encryption at the desktop level for mail, files,
and AOL Instant Messenger traffic. This product can be managed by the PGP Universal Server.
PGP Whole Disk Encryption provides encryption at the desktop level for
an entire disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among
desktops. This product can be managed by the PGP Universal Server.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who will be implementing and maintaining your organization’s PGP Universal Server environment. These are the PGP administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal Server works.

Improvements in This Version of PGP Universal Server

This release of PGP Universal Server introduces the following new features:
PGP Universal Server (on page PGP Messaging (on page PGP Keys (on page
18)
17)
17)
PGP Desktop (on page
18)
PGP Desktop Email (on page
16
19)
PGP Universal Server Introduction
PGP NetShare (on page 20) PGP Whole Disk Encryption (on page

PGP Universal Server

Changes in this release
Changes in this release
Where to find
For more information
Additional platform certification. PGP Universal Server is now
certified to operate with VMWare ESX Server Standard 3.0 including VMWare Tools.
LDAP Ping testing. PGP Universal administrators can now test their LDAP Directory Synchronization configuration. The configuration test feature reports success or failure and, to the extent possible, the reason for any failure.
Policy>Internal User Policy>Directory Synchronization
Testing the LDAP Connection (on page

PGP Messaging

Changes in this release
PDF Messenger and certified delivery. PGP Universal Gateway Email
enables users to send secure content to recipients who do not have PGP software installed using Portable Document Format (PDF). PGP Universal Gateway Email can encrypt existing PDFs sent by the user, or also create secure PDFs out of normal email content. The design of this system enables secure delivery certification, ensuring that successful delivery of the message content to the recipient can be recorded at the PGP Universal Server if selected by an Administrator.
20)
290)
Where to find
For more information
Changes in this release
Where to find
For more information
Changes in this release
Policy>Mail Policy, Policy>External User Policy
Editing External User Policies (on page Settings to External Users (on page
342) , Applying Key Not Found
183)
Web Messenger customizable user interface. PGP Universal Gateway Email now provides extensive options for customizing the Web Messenger interface. Administrators are able to make customizations ranging from simple color scheme changes to radical alterations of the Web Messenger HTML itself.
Services>Web Messenger
Customizing PGP Universal Web Messenger (on page
355)
IMAP speed improvements. This release contains significant IMAP performance improvements. Users will experience quicker responses and shorter downloads, particularly when accessing large mailboxes, switching between folders, and checking for new messages.
17
PGP Universal Server Introduction
Changes in this release
Where to find
For more information
Changes in this release
Where to find
For more information

PGP Keys

Changes in this release
Web Messenger connectivity over HTTP. The PGP Universal Gateway
Email administrator can configure Web Messenger to accept connections over HTTP, enabling interoperability with HTTPS accelerator products.
Services>Web Messenger
Configuring the PGP Universal Web Messenger Service (on page
367)
Improved handling of malformed email messages. PGP Universal administrators have greater control in specifying how to handle malformed email messages not in compliance with Internet standards. When a mail message cannot be parsed in the course of evaluating mail policy, processing immediately jumps to a special chain, designated as the “Exception Chain.” This chain has limited capabilities, but allows the administrator to specify what to do with the malformed mail based on information outside of the mail itself (what interface it came in on, what port, and so on).
Policy>Mail Policy
Understanding the Pre-Installed Policy Chains (on page
150)
Certificate Revocation List (CRL) publishing. PGP Universal Server 2.7 now publishes Certificate Revocation Lists (CRLs) for X.509 certificates that it issues. Administrators are able to revoke individual certificates by adding them to the CRL. CRLs can be retrieved by via HTTP or LDAP.
Where to find
For more information
Changes in this release
Where to find
Benefits

PGP Desktop

Changes in this release
Services>Certificate Revocation
The Certificate Revocation List Service (see " Revocation List Service" on page
Controlled
private key generation. PGP Universal administrators can now
479)
Managing the Certificate
disable key generation in the PGP Desktop user interface, making it impossible for end users to generate their own key pairs.
Policy>Internal User Policy
Configuring PGP Desktop Installations (on page
303)
Additional platform support. PGP Desktop and PGP Universal Satellite are now available for Microsoft Windows Vista 64-bit and Mac OS X
10.5 (Leopard).
18
PGP Universal Server Introduction
Changes in this release
Where to find
For more information
Changes in this release
Where to find
For more information
Changes in this release
Where to find
Feature deployment control. Administrators can now enforce policy by
providing end users only with authorized client features, enabling or disabling client capabilities before distributing PGP client software to end-users. Disabled features are then unavailable in the PGP Desktop user interface.
Policy>Internal User Policy
Setting Internal User Policy (on page Installations (on page
303)
245), Configuring PGP Desktop
Updated key reconstruction user interface. The PGP Desktop Key Reconstruction user interface has been significantly improved in this release. Primary new features include the ability to select and customize a set of provided questions, a visually more appealing experience, and a new Assistant to help guide the user through the process.
PGP Desktop
PGP Desktop User's Guide
Silent enrollment. Silent setup and enrollment enables pre-configured enrollment settings in PGP Universal-managed environments. PGP Desktop can now be deployed in most cases without installation or enrollment prompts other than the creation of a passphrase.
Policy>Internal User Policy
For more information

PGP Desktop Email

Changes in this release
Changes in this release
Changes in this release
Where to find
Setting Internal User Policy (on page Installations (on page
303)
245), Configuring PGP Desktop
MAPI support for PGP/MIME formatted messages. PGP Desktop and PGP Universal Satellite now provide the ability to encrypt PGP/MIME messages in Outlook clients using MAPI. PGP/MIME decryption has also been significantly improved in this area.
Microsoft CAPI integration. PGP Desktop and PGP Universal Satellite support the use of Microsoft Cryptographic Application Programming Interface (CAPI) credentials, enabling the user to make use of existing X.509 certificates directly from the Microsoft operating system certificate store. PGP Universal administrators can specify automatic enrollment of such certificates as well.
Out-of-the-mail-stream support. PGP Desktop and PGP Universal Satellite will selectively send email messages directly to the PGP Universal Server via a SOAP connection if required by policy, such that the server does not need to be in the mail stream to support Web Messenger or Smart Trailer functionality.
Policy>Internal User Policy>PGP Desktop
19
PGP Universal Server Introduction
For more information
Changes in this release

PGP NetShare

Changes in this release
Where to find
For more information
Changes in this release
Where to find
Configuring PGP Desktop Installations (on page
303)
Weak-cipher decryption. PGP products now decrypt S/MIME encoded messages encrypted with weak 40-bit RC2 encryption for backwards compatibility with older email clients. Additional warnings are added to messages decrypted using that algorithm. Note that PGP Desktop and PGP Universal Satellite will not encrypt using weak ciphers.
PGP NetShare per-folder administration. PGP NetShare administrative granularity has been extended to restrict administrator control to a per­folder level, thus limiting administrative access to exactly where it is needed.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Whitelists and blacklists. Administrators can now centrally define PGP NetShare policy to protect files stored in specific directory locations, enforcing security policy without impacting user behavior. Conversely, administrators can also force specific directories to prevent encryption.
Policy>Internal User Policy>PGP Desktop
For more information
Changes in this release
Configuring PGP Desktop Installations (on page
Centralized PGP NetShare logging. Centralized logging on PGP Universal provides visibility into the activity of PGP NetShare deployments to satisfy management and auditing requirements.
Where to find
Reporting>Logs

PGP Whole Disk Encryption

Changes in this release
Where to find
For more information
Advanced centralized event logging. PGP Universal now provides
significantly expanded reporting on PGP Whole Disk Encryption usage on client systems. This logging feature itemizes events such as which systems have been encrypted, the progress of encryption or decryption for an individual system, errors encountered during encryption, the status of recovery tokens, removable storage usage, and failed/successful login attempts. Administrators can set thresholds that raise alerts in PGP Universal on the PGP Daily Status Email or dashboard screen after a configured number of failed logins has been exceeded.
Reporting>Graphs, Reporting>Logs
Managing Alerts (on page PGP Whole Disk Login Failure Data (on page
303)
92), System Graphs (on page 483), Exporting
385)
20
PGP Universal Server Introduction
Changes in this release
Where to find
For more information
Changes in this release
Changes in this release
Changes in this release
Where to find
Group administration access tokens. PGP Whole Disk Encryption admin
accounts can be added, allowing an administrator with a smart card key to override the BootGuard prompt. This key can be specified separately for each Internal User Policy. Using a single keypair copied to multiple smart cards (each with its own PIN), an organization can enable multiple administrators for each Policy.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Domain administrator restart bypass. Windows System and Administrator account(s) may now engage a mode to bypass WDE authentication on the next restart by utilizing the privileges of the administration account to act as the authenticated user. This feature enables administrators to perform remote software installations requiring a restart of the target computer. Use of this feature is logged to the PGP Universal server.
Extended pre-boot smart card support. PGP Whole Disk Encryption has greatly expanded pre-boot authentication to a variety of smart cards.
Partition encryption deployment. Administrators in a PGP Universal­managed environment may now configure encryption of only the boot partition or only Windows partitions rather than always encrypting entire disks.
Policy>Internal User Policy>PGP Desktop
For more information
Changes in this release
Where to find
For more information
Changes in this release
Changes in this release
Where to find
For more information
Configuring PGP Desktop Installations (on page
303)
Customizable WDE BootGuard screens. Administrators in a PGP Universal-managed environment can configure the PGP Whole Disk Encryption boot screen to display the text and graphics of their choice.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
Lenovo laptop Recovery button. PGP Whole Disk Encryption now provides complete support for the Lenovo Rescue and Recovery software (version 3.x and 4.x) including using the “Access IBM” blue button for boot-level recovery of the OS even when the disk (or partition) is encrypted.
User Interface modifications for ADA compliance. As part of our expanding support for the Americans with Disabilities Act (ADA) standards for accessible design, the PGP WDE BootGuard screen has been modified to provide audible feedback when the screen is ready for user input, when a user types in an incorrect password, and when a user types a correct password. This audio feedback is optional, configurable using PGP Universal for managed clients.
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)
21
PGP Universal Server Introduction
Changes in this release
Microsoft Windows PE support. PGP Desktop provides administrators
with the ability to create a Windows PE (Preinstallation Environment) boot disk containing a subset of PGP Whole Disk Encryption. This bootable disc can be used to perform a variety of management and recovery tasks.
Changes in this release
Trusted Platform Module (TPM) support for PGP WDE. PGP Desktop
supports using the Trusted Platform Module as an additional authentication device for PGP Whole Disk Encryption if present on the motherboard and enabled via proper driver installation for your hardware. When use of the TPM is specified prior to encryption, the user can authenticate to the disk only on that particular machine, locking the disk to the machine hardware and thus deterring attacks such as hard disk theft. This feature works with passphrase users only and is compatible with the PGP WDE Single Sign-On feature.
Where to find
For more information
Policy>Internal User Policy>PGP Desktop
Configuring PGP Desktop Installations (on page
303)

Using the PGP Universal Server with the Command Line

Accessing the PGP Universal Server command line for read-only purposes (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications or customizations via the command line may void your PGP Support agreement unless the following procedures are followed. Any changes made to the PGP Universal Server via the command line must be:

Symbols

Authorized in writing by PGP Support. Implemented by a PGP Partner, reseller or internal employee who is
certified in the PGP Advanced Administration and Deployment Training.
Summarized and documented in a text file in /etc/pso on the PGP Universal
Server itself.
Changes made through the command line may not persist through reboots and may be incompatible with future releases. PGP Support may also require reverting any custom configurations on the PGP Universal Server back to a default state when troubleshooting new issues.
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention
to important aspects of the product. You will be able to use the product better if you read the Notes.
22
PGP Universal Server Introduction
Caution: Cautions indicate the possibility of loss of data or a minor security
breach. A Caution tells you about a situation where problems could occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major
security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

Getting product information

The following documents and on-line help are companions to the PGP Universal Administrator’s Guide. This guide occasionally refers to information that can be
found in one or more of the following sources:
PGP Universal Upgrade Guide—Describes the process of upgrading your
PGP Universal Server to version 2.6.
PGP Universal Mail Policy Diagram—Provides a graphical representation
of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
Tutorials—Provides animated introductions on how to manage the mail
policy feature in PGP Universal Server 2.6, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.
The administrative interface and PGP Universal Satellite for Windows and
Mac OS X include online help.
Refer to these sections for additional resources.
PGP Universal Server and PGP Satellite release notes are also provided,
Once PGP Universal Server is released, additional information regarding the product is added to the online Knowledge Base available on PGP Corporation’s Support Portal (

Contact information

All PGP customers have access to the comprehensive set of tools and discussion forums available on the PGP Support Portal.
which may have last-minute information not found in the product documentation.
https://support.pgp.com).
23
PGP Universal Server Introduction
The PGP Support Portal provides access to tutorials, recent support briefs, the Knowledge Base, and other valuable technical information.
Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical
Support, please visit the PGP Corporation Support Home Page (
http://www.pgp.com/support).
To access the PGP Support Knowledge Base or request PGP Technical
Support, please visit PGP Support Portal Web Site (
https://support.pgp.com). Note that you may access portions of the
PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
For any other contacts at PGP, please visit the PGP Contacts Page
http://www.pgp.com/company/contact/index.html).
(
For general information about PGP Corporation, please visit the PGP Web
Site (
http://www.pgp.com).
To access the PGP Support forums, please visit PGP Support
(
http://forums.pgpsupport.com). These are user community support forums
hosted by PGP Corporation.
24
2
The Big Picture
This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your PGP Universal Server environment.
In This Chapter
Important Terms.......................................................................................25
Installation Overview................................................................................29

Important Terms

PGP Products

PGP Universal Server: A device you add to your network that provides
secure messaging with little or no user interaction. The PGP Universal Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.
PGP Universal Satellite: The PGP Universal Satellite software resides on
the computer of the email user. It allows email to be encrypted end to end, all the way to and from the desktop (for both internal and external users). Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their

PGP Universal Server Concepts

keys on their local machines (if allowed by the PGP administrator).
Security Architecture: Behind the scenes, the PGP Universal Server
creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).
25
PGP Universal Server The Big Picture
keys.<domain> convention: PGP Universal Server automatically looks for
valid public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys.<domain> (where <domain> is the email domain of the recipient). For example, Example Corporation’s externally visible PGP Universal Server is named keys.example.com.
PGP Corporation strongly recommends you name your externally visible PGP Universal Server according to this convention because it allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain.
Refer to Naming your PGP Universal Server (on page information about this convention.

PGP Universal Server Features

Server Placement: A PGP Universal Server can be placed in one of two
locations in your network to process email.
With an internal placement, the PGP Universal Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured.
Refer to Adding the PGP Universal Server to Your Network (on page and Configuring Mail Proxies (on page server placement.
Administrative Interface: Each PGP Universal Server is controlled via a
Web-based administrative interface. The administrative interface gives you control over the PGP Universal Server’s operation. While many settings are initially established using the web-based Setup Assistant, all settings of a PGP Universal Server can be controlled via the administrative interface.
59) for more
35)
219) for more information about
Setup Assistant: When you attempt to log in for the first time to the
administrative interface of a PGP Universal Server, the Setup Assistant takes you through the configuration of that PGP Universal Server.
Learn Mode: When you finish configuring a PGP Universal Server using
the Setup Assistant, it begins operation in Learn Mode, which is a special mode where the PGP Universal Server proxies traffic normally but does not encrypt or sign any messages.
26
Loading...
+ 535 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use