How it Works
PGP
Loading...
#
C
D
E
M
N
P
R
U
W
Loading...
Loading...
Universal Server - 3.0.1
Installation Manual
63 pgs992.25 Kb0
Table of contents
Loading...

PGP Universal Server - 3.0.1 Administrator’s Guide

PGP Universal™ Server
Administrator's Guide
Version Information
PGP Universal Server Administrator's Guide. PGP Universal Server Version 3.0.1. Released June 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support ( may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
https://support.pgp.com). PGP Corporation
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib ( under the MIT License found at freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (
http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse
server ( HTML, developed by the Apache Software Foundation. The license is at binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at Protocol") used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released
under an Apache-style license, available at Independent JPEG Group. ( distributed under the MIT License distributed by University of Cambridge. ©1997-2006. The license agreement is at and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. ( implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is released under a
BSD-style license, available at PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at database management system, is released under a BSD-style license, available at version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -
- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at downloading files via common network services, is open source software provided under a MIT/X derivate license available at
http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released
under a BSD-style license, available at libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at
http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients
to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at
http://www.zlib.net). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a
http://jakarta.apache.org/), web
www.apache.org/licenses/LICENSE-2.0.txt. -- Castor, an open-source, data-
http://www.castor.org/license.html. -- Xalan, an open-source software library from the Apache Software
http://xml.apache.org/xalan-j/#license1.1. -- Apache Axis is an implementation of the SOAP ("Simple Object Access
http://mx4j.sourceforge.net/docs/ch01s06.html. -- jpeglib version 6a is based in part on the work of the
http://www.ijg.org/) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is
http://www.opensource.org/licenses/mit-license.html. -- PCRE Perl regular expression compiler, copyrighted and
http://www.pcre.org/license.txt. -- BIND Balanced Binary Tree Library
http://www.isc.org) -- Free BSD
http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2 developed
http://www.openldap.org/software/release/license.html. Secure shell OpenSSH developed by
http://www.openbsd.org/cgi-
http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to connect to a
http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software object-relational
http://www.postgresql.org/about/licence. -- 21.vixie-cron is the Vixie
http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB)
http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for
http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. --
http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed
under the Common Public License v1.0 found at automate a variety of maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text
rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights
reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the
Apache 2.0 license, available at available at available at available at common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common
Standard Template Library functions and data structures and is distributed under the MIT License found at
license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>. -- Protocol Buffers (protobuf), Google's data interchange
format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at
license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a
http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,
http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to
http://developer.yahoo.com/yui/license.html. --
http://www.opensource.org/licenses/mit-
http://www.opensource.org/licenses/bsd-
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product ("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE UNSUPPORTED THIRD PARTY PRODUCT.
4
Contents
Introduction
What is PGP Universal Server? 15 PGP Universal Server Product Family 16 Who Should Read This Guide 16 Common Criteria Environments 16 Improvements in this Version of PGP Universal Server 17 Using the PGP Universal Server with the Command Line 18 Symbols 18 Getting Assistance 19
Getting product information 19 Contact Information 20
15
The Big Picture 21
Important Terms 21
PGP Products 21 PGP Universal Server Concepts 23 PGP Universal Server Features 23 PGP Universal Server User Types 25
Installation Overview 26
Open Ports 33
TCP Ports 33 UDP Ports 35
Naming your PGP Universal Server
Considering a Name for Your PGP Universal Server 37 Methods for Naming a PGP Universal Server 38
Understanding the Administrative Interface
System Requirements 39 Logging In 39 The System Overview Page 41 Managing Alerts 42 Logging In For the First Time 43 Administrative Interface Map 43 Icons 44
i
37
39
PGP Universal™ Server Contents
Licensing Your Software 51
Overview 51 Manual and Automatic Licensing 51 Licensing a PGP Universal Server 51 Licensing the Mail Proxy Feature 52
Operating in Learn Mode 53
Purpose of Learn Mode 53 Checking the Logs 54 Managing Learn Mode 54
Managed Domains 57
About Managed Domains 57 Adding Managed Domains 58 Deleting Managed Domains 58
Understanding Keys 59
Choosing a Key Mode For Key Management 59
Changing Key Modes 62 How PGP Universal Server Uses Certificate Revocation Lists 63 Key Reconstruction Blocks 63 Managed Key Permissions 64
Managing Organization Keys 65
About Organization Keys 65 Organization Key 65
Inspecting the Organization Key 66
Regenerating the Organization Key 66
Importing an Organization Key 67 Organization Certificate 68
Inspecting the Organization Certificate 69
Exporting the Organization Certificate 69
Deleting the Organization Certificate 70
Generating the Organization Certificate 70
Importing the Organization Certificate 71 Additional Decryption Key (ADK) 71
Importing the ADK 72
Inspecting the ADK 72
Deleting the ADK 72 Verified Directory Key 73
Importing the Verified Directory Key 73
Inspecting the Verified Directory Key 73
Deleting the Verified Directory Key 74
ii
PGP Universal™ Server Contents
Administering Managed Keys 75
Viewing Managed Keys 76 Managed Key Information 77
Email Addresses 80
Subkeys 80
Certificates 80
Permissions 80
Attributes 81 Symmetric Key Series 82 Symmetric Keys 84 Custom Data Objects 85 Exporting Consumer Keys 86
Exporting the Managed Key of an Internal User 86
Exporting the Managed Key of an External User 87
Exporting PGP Verified Directory User Keys 88
Exporting the Managed Key of a Managed Device 88 Deleting Consumer Keys 89
Deleting the Managed Key of an Internal User 89
Deleting the Managed Key of an External User 89
Deleting the Key of a PGP Verified Directory User 90
Deleting the Managed Key of a Managed Device 90 Approving Pending Keys 90 Revoking Managed Keys 91
Managing Trusted Keys and Certificates 93
Overview 93
Trusted Keys 93
Trusted Certificates 93 Adding a Trusted Key or Certificate 94 Inspecting and Changing Trusted Key Properties 95 Deleting Trusted Keys and Certificates 95 Searching for Trusted Keys and Certificates 96
Setting Mail Policy
Overview 97
How Policy Chains Work 98
Mail Policy and Dictionaries 99
Mail Policy and Key Searches 99
Mail Policy and Cached Keys 100 Migrating Settings from Version 2.0.x 100 Restoring Mail Policy Rules 101 Understanding the Pre-Installed Policy Chains 107 Mail Policy Outside the Mailflow 109 Using the Rule Interface 110
The Conditions Card 110
97
iii
PGP Universal™ Server Contents
The Actions Card 112 Building Valid Chains and Rules 113
Using Valid Processing Order 113
Creating Valid Groups 114
Creating a Valid Rule 115 Managing Policy Chains 116
Mail Policy Best Practices 116
Restoring Mail Policy to Default Settings 116
Editing Policy Chain Settings 117
Adding Policy Chains 117
Deleting Policy Chains 118
Exporting Policy Chains 119
Printing Policy Chains 119 Managing Rules 120
Adding Rules to Policy Chains 120
Deleting Rules from Policy Chains 120
Enabling and Disabling Rules 121
Changing the Processing Order of the Rules 121 Adding Key Searches 121 Choosing Condition Statements, Conditions, and Actions 122
Condition Statements 122
Conditions 123
Actions 129 Working with Common Access Cards 144
Applying Key Not Found Settings to External Users 145
Overview 145
Bounce the Message 146
PDF Messenger 146
Certified Delivery with PDF Messenger 147
Send Unencrypted 147
Smart Trailer 148
PGP Universal Web Messenger 149 Changing Policy Settings 150 Changing User Delivery Method Preference 151
Using Dictionaries with Policy
Overview 153 Default Dictionaries 154
Editing Default Dictionaries 156 User-Defined Dictionaries 157
Adding a User-Defined Dictionary 157
Editing a User-Defined Dictionary 158
Deleting a Dictionary 158 Exporting a Dictionary 159 Searching the Dictionaries 160
153
iv
PGP Universal™ Server Contents
Keyservers, SMTP Archive Servers, and Mail Policy 161
Overview 161 Keyservers 161
Adding or Editing a Keyserver 162
Deleting a Keyserver 164 SMTP Servers 164
Adding or Editing an Archive Server 165
Deleting an Archive Server 165
Managing Keys in the Key Cache
Overview 167 Changing Cached Key Timeout 167
Purging Keys from the Cache 168
Trusting Cached Keys 168
Viewing Cached Keys 168 Searching the Key Cache 169
167
Configuring Mail Proxies 171
Overview 171 PGP Universal Server and Mail Proxies 171
Mail Proxies in an Internal Placement 172
Mail Proxies in a Gateway Placement 174 Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and later 175 Mail Proxies Page 176 Creating New or Editing Existing Proxies 176
Creating or Editing a POP/IMAP Proxy 176
Creating or Editing an Outbound SMTP Proxy 179
Creating or Editing an Inbound SMTP Proxy 181
Creating or Editing a Unified SMTP Proxy 182
Email in the Mail Queue
187
Overview 187 Deleting Messages from the Mail Queue 188
Specifying Mail Routes 189
Overview 189 Managing Mail Routes 190
Adding a Mail Route 190
Editing a Mail Route 191
Deleting a Mail Route 191
v
PGP Universal™ Server Contents
Customizing System Message Templates 193
Overview 193
Templates and Message Size 194
PDF Messenger Templates 194
Templates for New PGP Universal Web Messenger Users 194 Editing a Message Template 195
Managing Groups 197
Understanding Groups 197
Sorting Consumers into Groups 197
Everyone Group 198
Excluded Group 198 Policy Group Order 199
Migrating Groups from Version 2.x 199
Setting Policy Group Order 199 Creating a New Group 200 Deleting a Group 200 Viewing Group Members 200 Manually Adding Group Members 201 Manually Removing Members from a Group 201 Group Permissions 202
Adding Group Permissions 203
Deleting Group Permissions 203 Setting Group Membership 204 Searching Groups 205 Creating Group Client Installations 206
How Group Policy is Assigned to PGP Desktop Installers 206
When to Bind a Client Installation 207
Creating PGP Desktop Installers 208
Managing Devices
Managed Devices 214
Adding and Deleting Managed Devices 214
Adding Managed Devices to Groups 215
Managed Device Information 216 Deleting Managed Devices from PGP Universal Server 220 Deleting Managed Devices from Groups 220
vi
213
PGP Universal™ Server Contents
WDE Devices (Computers and Disks) 221
WDE Computers 222
WDE Disks 223 Searching for Devices 225
Administering Consumer Policy 227
Understanding Consumer Policy 227 Making Sure Users Create Strong Passphrases 227
Understanding Entropy 228 Using the Windows Preinstallation Environment 229 X.509 Certificate Management in Lotus Notes Environments 229
Trusting Certificates Created by PGP Universal Server 230
Setting the Lotus Notes Key Settings in PGP Universal Server 232
Technical Deployment Information 233 Offline Policy 233 Using a Policy ADK 235 Out of Mail Stream Support 235 Enrolling Users through Silent Enrollment 237
Silent Enrollment with Windows 237
Silent Enrollment with Mac OS X 237 PGP Whole Disk Encryption Administration 237
PGP Whole Disk Encryption on Mac OS X with FileVault 238
How Does Single Sign-On Work? 238
Enabling Single Sign-On 239
Managing Clients Remotely Using a PGP WDE Administrator Active Directory Group 240
Managing Clients Locally Using the PGP WDE Administrator Key 241 Managing Consumer Policies 242
Adding a Consumer Policy 243
Editing a Consumer Policy 243
Deleting a Consumer Policy 244
Setting Policy for Clients 245
Client and PGP Universal Server Version Compatibility 245
Serving PGP Admin 8 Preferences 246 Establishing PGP Desktop Settings for Your PGP Desktop Clients 247
PGP Desktop Feature License Settings 248
Controlling PGP Desktop Components 248 PGP Portable 250 PGP Mobile 250 PGP NetShare 251
How the PGP NetShare Policy Settings Work Together 251
Multi-user environments and managing PGP NetShare 251
Backing Up PGP NetShare-Protected Files 252
Using Directory Synchronization to Manage Consumers
How PGP Universal Server Uses Directory Synchronization 253
vii
253
PGP Universal™ Server Contents
Base DN and Bind DN 255
Consumer Matching Rules 256 Understanding User Enrollment Methods 256
Before Creating a Client Installer 257
Email Enrollment 258
Directory Enrollment 260 Enabling Directory Synchronization 262 Adding or Editing an LDAP Directory 262
The LDAP Servers Tab 264
The Base Distinguished Name Tab 264
The Consumer Matching Rules Tab 265
Testing the LDAP Connection 265
Using Sample Records to Configure LDAP Settings 265 Deleting an LDAP Directory 266 Setting LDAP Directory Order 266 Directory Synchronization Settings 266
Managing User Accounts 269
Understanding User Account Types 269 Viewing User Accounts 269 User Management Tasks 269
Setting User Authentication 270
Editing User Attributes 270
Adding Users to Groups 270
Editing User Permissions 271
Deleting Users 271
Searching for Users 272
Viewing User Log Entries 272
Changing Display Names and Usernames 272
Exporting a User’s X.509 Certificate 273
Revoking a User's X.509 Certificate 274
Managing User Keys 274 Managing Internal User Accounts 275
Importing Internal User Keys Manually 275
Creating New Internal User Accounts 276
Exporting PGP Whole Disk Encryption Login Failure Data 276
Internal User Settings 277 Managing External User Accounts 281
Importing External Users 282
Exporting Delivery Receipts 282
External User Settings 283
viii
PGP Universal™ Server Contents
Managing Verified Directory User Accounts 285
Importing Verified Directory Users 286
PGP Verified Directory User Settings 286
Recovering Encrypted Data in an Enterprise Environment
Using Key Reconstruction 289 Recovering Encryption Key Material without Key Reconstruction 290
Encryption Key Recovery of CKM Keys 290
Encryption Key Recovery of GKM Keys 290
Encryption Key Recovery of SCKM Keys 291
Encryption Key Recovery of SKM Keys 292 Using an Additional Decryption Key for Data Recovery 292
289
PGP Universal Satellite 295
Overview 295 Technical Information 296 Distributing the PGP Universal Satellite Software 296 Configuration 296
Key Mode 296
PGP Universal Satellite Configurations 297
Switching Key Modes 300 Policy and Key or Certificate Retrieval 300
Retrieving Lost Policies 300
Retrieving Lost Keys or Certificates 301
PGP Universal Satellite for Mac OS X 305
Overview 305 System Requirements 305 Obtaining the Installer 306 Installation 306 Updates 307 Files 307
PGP Universal Satellite for Windows
Overview 309 System Requirements 309 Obtaining the Installer 310 Installation 310 Updates 311 Files 311
ix
309
PGP Universal™ Server Contents
MAPI Support 311
External MAPI Configuration 312 Lotus Notes Support 312
External Lotus Notes Configuration 313
Configuring PGP Universal Web Messenger 315
Overview 315
PGP Universal Web Messenger and Clustering 316
External Authentication 317 Customizing PGP Universal Web Messenger 318
Adding a New Template 319
Troubleshooting Customization 323
Changing the Active Template 326
Deleting a Template 326
Editing a Template 326
Downloading Template Files 327
Restoring to Factory Defaults 327 Configuring the PGP Universal Web Messenger Service 327
Starting and Stopping PGP Universal Web Messenger 328
Selecting the PGP Universal Web Messenger Network Interface 328
Setting Up External Authentication 330
Creating Settings for PGP Universal Web Messenger User Accounts 331
Setting Message Replication in a Cluster 332
Configuring the Integrated Keyserver 333
Overview 333 Starting and Stopping the Keyserver Service 333 Configuring the Keyserver Service 333
Configuring the PGP Verified Directory 337
Overview 337 Starting and Stopping the PGP Verified Directory 338 Configuring the PGP Verified Directory 338
Managing the Certificate Revocation List Service 341
Overview 341 Starting and Stopping the CRL Service 341 Editing CRL Service Settings 342
Configuring Universal Services Protocol
Starting and Stopping USP 343 Adding USP Interfaces 343
343
x
PGP Universal™ Server Contents
System Graphs 345
Overview 345 CPU Usage 345 Message Activity 345 Whole Disk Encryption 346
System Logs 349
Overview 349 Filtering the Log View 350 Searching the Log Files 351 Exporting a Log File 351 Enabling External Logging 352
Configuring SNMP Monitoring 353
Overview 353 Starting and Stopping SNMP Monitoring 354 Configuring the SNMP Service 354 Downloading the Custom MIB File 355
Shutting Down and Restarting Services and Power 357
Overview 357 Server Information 357
Setting the Time 357
Updating Software 358
Licensing a PGP Universal Server 358
Downloading the Release Notes 359 Shutting Down and Restarting the PGP Universal Server Software Services 359 Shutting Down and Restarting the PGP Universal Server Hardware 359
Managing Administrator Accounts
Overview 361
Administrator Roles 362
Administrator Authentication 362 Creating a New Administrator 363 Importing SSH v2 Keys 364 Deleting Administrators 364 Inspecting and Changing the Settings of an Administrator 365 Configuring RSA SecurID Authentication 366 Resetting SecurID PINs 367 Daily Status Email 368
361
xi
PGP Universal™ Server Contents
Protecting PGP Universal Server with Ignition Keys 371
Overview 371
Ignition Keys and Clustering 372 Preparing Hardware Tokens to be Ignition Keys 373 Configuring a Hardware Token Ignition Key 374 Configuring a Soft-Ignition Passphrase Ignition Key 375 Deleting Ignition Keys 375
Backing Up and Restoring System and User Data 377
Overview 377 Creating Backups 378
Scheduling Backups 378
Performing On-Demand Backups 378 Configuring the Backup Location 378 Restoring From a Backup 379
Restoring On-Demand 380
Restoring Configuration 380
Restoring from a Different Version 381
Updating PGP Universal Server Software 383
Overview 383 Inspecting Update Packages 384 Establishing Software Update Settings 384 Checking for New Updates 385 Uploading Update Packages 385 Manually Installing an Update 385
Setting Network Interfaces 387
Understanding the Network Settings 387 Connecting to a Proxy Server 388 Changing Interface Settings 388 Adding Interface Settings 389 Deleting Interface Settings 389 Editing Global Network Settings 389 Assigning a Certificate 390 Working with Certificates 390
Importing an Existing Certificate 391
Generating a Certificate Request 391
Adding a Pending Certificate 392
Inspecting a Certificate 393
Exporting a Certificate 393
Deleting a Certificate 393
xii
PGP Universal™ Server Contents
Clustering your PGP Universal Servers 395
Overview 395 Cluster Status 396 Creating a Cluster 397 Deleting Cluster Members 399 Clustering and PGP Universal Web Messenger 400 Managing Settings for Cluster Members 401 Changing Network Settings in Clusters 402
Index
403
xiii

Introduction

1
This Administrator’s Guide describes both the PGP Universal™ Server and Client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of PGP Universal Server.

What is PGP Universal Server?

PGP Universal Server is a single console for managing the applications that provide email, disk, and network file encryption.
PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it transparently protects your enterprise messages with little or no user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a built­in keyserver, and the PGP Admin product with PGP Desktop configuration and deployment capabilities.
PGP Universal Server automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA. The PGP Universal Server encrypts, decrypts, signs, and verifies messages automatically, providing strong security through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP security for email messages all the way to the computer of the email user, it allows external users to become part of the SMSA, and it gives end users the option to create and manage their keys on their own computer (if allowed by the PGP administrator).
PGP Desktop, a client product, is created and managed through PGP Universal Server policy. It creates PGP keypairs and can manage user keypairs as well as store the public keys of others. It encrypts user email and instant messaging (IM). It can encrypt entire or partial hard drives. It also enables secure file sharing with others over a network.
15
PGP Universal™ Server Introduction

PGP Universal Server Product Family

PGP Universal Server functions as a management console for a variety of encryption solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP Universal Server to create and manage client installations. You can also purchase a license that enables PGP Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption applications. PGP encryption applications are:
PGP Universal Gateway Email provides automatic email encryption in the
gateway, based on centralized mail policy. This product requires administration by the PGP Universal Server.
PGP Desktop Email provides encryption at the desktop for mail, files, and
AOL Instant Messenger traffic. This product can be managed by the PGP Universal Server.
PGP Whole Disk Encryption provides encryption at the desktop for an
entire disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among
desktops. This product can be managed by the PGP Universal Server.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who implement and maintain your organization’s PGP Universal Server environment. These are the PGP Universal Server administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal Server works.

Common Criteria Environments

To be Common Criteria compliant, please refer to the best practices shown in PGP Universal Server 2.9 Common Criteria Supplemental. Note that these best practices supersede recommendations made elsewhere in this and other documentation.
16
PGP Universal™ Server Introduction

Improvements in this Version of PGP Universal Server

The 3.0.0 release of PGP Universal Server introduces the following new and improved features:
General
Client policy management changes: Internal users, external users, PGP
Verified Directory users, and devices are now called consumers. Consumers are sorted into groups manually, by user type, or by matching consumer attributes to domains, dictionary entries or through LDAP values. Group membership determines which policy consumers receive.
Expanded directory synchronization: The integrated directory
synchronization feature now connects to multiple LDAP directories. Previous versions of PGP Universal Server could only connect to one corporate directory at a time.
Managed PGP Mobile: PGP Universal Server now manages client policy
for PGP Mobile installations.
Operating system change: The new CentOS operating system improves
scalability and reliability, and supports a wider variety of hardware.
RSA SecurID support for administrator authentication: PGP Universal
Server now supports two-factor authentication using RSA SecurID. This meets strong authentication requirements for environments with higher security needs, and is compatible with existing RSA SecurID deployments.
PGP Keys
Key Management Server (KMS): The new key management feature
provides new and expanded key management capabilities for PGP products. Key policy changes are now immediately enforced. KMS allows management of asymmetric and symmetric keys. The API and SDK provide key management functionality to non-PGP applications.
Server Key Mode offline use: The client can now store the SKM private
key, encrypted to a random passphrase, so users can read email offline.
PGP Messaging
ADK archival output: Administrators can archive end-to-end encrypted
email messages by decrypting the messages on PGP Universal Server using the ADK, and sending the decrypted messages to an archive server. Encrypted email messages are then searchable, making possible compliance with regulatory mandates and requirements for message retention, mail server data management, and legal discovery support.
17
PGP Universal™ Server Introduction
Recursive encoding: Provides an additional layer of protection to email
messages that have been partially protected and to email messages that have been signed. Supports an additional layer of encoding if the initial layer is not complete.
Clustering
New clustering functionality: Cluster members now interact with each
other as peers, replacing the previous Primary/Secondaries model. Every server in a cluster can serve all types of requests, and any server can initiate persistent changes. The new cluster model also permits up to 20 nodes in a cluster.

Using the PGP Universal Server with the Command Line

Using the PGP Universal Server command line for read-only access (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications via the command line voids your PGP Support agreement unless these procedures are followed.

Symbols

Any changes made to the PGP Universal Server via the command line must be:
Authorized in writing by PGP Support.
Implemented by a PGP Partner, reseller or internal employee who is
certified in the PGP Advanced Administration and Deployment Training.
Summarized and documented in a text file in
/var/lib/ovid/customization on the PGP Universal Server itself.
Changes made through the command line might not persist through reboots and might be incompatible with future releases. PGP Support can require reverting any custom configurations on the PGP Universal Server back to a default state when troubleshooting new issues.
Notes, Cautions, and Warnings are used in the following ways.
Note: Notes are extra, but important, information. A Note calls your attention
to important aspects of the product. You can use the product better if you read the Notes.
18
PGP Universal™ Server Introduction
Caution: Cautions indicate the possibility of loss of data or a minor security
breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.
Warning: Warnings indicate the possibility of significant data loss or a major
security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting Product Information

The following documents and online help are companions to the PGP Universal Server Administrator’s Guide. This guide occasionally refers to information that
can be found in one or more of these sources:
Online help is installed and is available within the PGP Universal Server
product.
PGP Universal Server Installation Guide—Describes how to install the
PGP Universal Server software.
PGP Universal Server Upgrade Guide—Describes the process of
upgrading your PGP Universal Server.
PGP Universal Mail Policy Diagram—Provides a graphical representation
of how email is processed through mail policy. You can access this document via the PGP Universal Server online help.
Tutorials—Provides animated introductions on how to manage the mail
policy feature in PGP Universal Server 2.5 and later, and how upgraded PGP Universal Server settings migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help icon in the upper-right corner of the PGP Universal Server screen.
PGP Universal Satellite for Windows and Mac OS X include online help.
PGP Universal Server and PGP Satellite release notes are also provided,
which may have last-minute information not found in the product documentation.
The documentation, provided as Adobe Acrobat PDF files, are available on the Documentation ( Portal.
https://pgp.custhelp.com/app/docs) section on the PGP Support
19
PGP Universal™ Server Introduction
Once PGP Universal Server is released, additional information regarding the product is added to the online Knowledge Base available on PGP Corporation’s
Support Portal (
https://support.pgp.com).

Contact Information

Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical
Support, please visit the PGP Corporation Support Home Page
https://support.pgp.com).
(
To access the PGP Support Knowledge Base or request PGP Technical
Support, please visit PGP Support Portal Web Site
https://support.pgp.com). Note that you may access portions of the
(
PGP Support Knowledge Base without a support agreement; however, you must have a valid support agreement to request Technical Support.
To access the PGP Support forums, please visit PGP Support
http://forum.pgp.com). These are user community support forums hosted
( by PGP Corporation.
Contacting Customer Service
For help with orders, downloads, and licensing, please visit PGP
Corporation Customer Service (
https://pgp.custhelp.com/app/cshome).
Contacting Other Departments
For any other contacts at PGP Corporation, please visit the PGP Contacts
Page (
http://www.pgp.com/about_pgp_corporation/contact/index.html).
For general information about PGP Corporation, please visit the PGP Web
Site (
http://www.pgp.com).
20

The Big Picture

2
This chapter describes some important terms and concepts and gives you a high-level overview of the things you need to do to set up and maintain your PGP Universal Server environment.

Important Terms

The following sections define important terms you will encounter throughout the PGP Universal Server and this documentation.

PGP Products

PGP Universal Server: A device you add to your network that provides
secure messaging with little or no user interaction. The PGP Universal Server automatically creates and maintains a security architecture by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the security architecture.
PGP Global Directory: A free, public keyserver hosted by PGP
Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages.
For external users without encryption keys, PGP Universal Server offers multiple secure delivery options, leveraging third-party software that is already installed on typical computer systems, such as a web browser or Adobe Acrobat Reader. For email recipients who do not have an encryption solution, you can use of of the following secure delivery options from PGP Universal Server:
PGP Universal Satellite: The PGP Universal Satellite software
resides on the computer of the email user. It allows email to be encrypted end to end, all the way to and from the desktop (for both internal and external users). Using PGP Universal Satellite is one of the ways for external users to participate in the SMSA. It also allows users the option of controlling their keys on their local computers (if allowed by the administrator).
21
PGP Universal™ Server The Big Picture
PGP Universal Web Messenger: The PGP Universal Web Messenger
service allows an external user to securely read a message from an internal user before the external user has a relationship with the SMSA. If PGP Universal Web Messenger is available via mail policy for a user and the recipient’s key cannot be found, the message is stored on the PGP Universal Server and an unprotected message is sent to the recipient. The unprotected message includes a link to the original message, held on the PGP Universal Server. The recipient must create a passphrase, and then can access his encrypted messages stored on PGP Universal Server.
PDF Messenger: PDF Messenger enables sending encrypted PDF
messages to external users who do not have a relationship with the SMSA. In the normal mode, as with PGP Universal Web Messenger, the user receives a message with a link to the encrypted message location and uses a PGP Universal Web Messenger passphrase to access the message. PDF Messenger also provides Certified Delivery, which encrypts the message to a one-time passphrase, and creates and logs a delivery receipt when the user retrieves the passphrase.
PGP Desktop: A client software tool that uses cryptography to protect your
data against unauthorized access. PGP Desktop is available for Mac OS X and Windows.
PGP Whole Disk Encryption: Whole Disk Encryption is a feature of
PGP Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them.
PGP NetShare: A feature of PGP Desktop for Windows with which
you can securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.
PGP Virtual Disk: PGP Virtual Disk volumes are a feature of PGP
Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can also create additional users for a volume, so that people you authorize can also access the volume.
PGP Zip: A feature of PGP Desktop that lets you put any combination
of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.
PGP Portable: A separately-licensed feature that enables you to send
encrypted files to users who do not have PGP Desktop software, and to transport files securely to systems that do not or cannot have PGP software installed.
22
PGP Universal™ Server The Big Picture

PGP Universal Server Concepts

keys.<domain> convention: PGP Universal Server automatically looks for
valid public keys for email recipients at a special hostname, if no valid public key is found locally to secure a message. This hostname is keys.<domain> (where <domain> is the email domain of the recipient). For example, Example Corporation’s externally visible PGP Universal Server is named keys.example.com.
®
Corporation strongly recommends you name your externally visible
PGP PGP Universal Server according to this convention because it allows other PGP Universal Servers to easily find valid public keys for email recipients in your domain.
For more information, see Naming your PGP Universal Server (on page
Security Architecture: Behind the scenes, the PGP Universal Server
creates and manages its own security architecture for the users whose email domain it is securing. Because the security architecture is created and managed automatically, we call this a self-managing security architecture (SMSA).

PGP Universal Server Features

Administrative Interface: Each PGP Universal Server is controlled via a
Web-based administrative interface. The administrative interface gives you control over PGP Universal Server. While many settings are initially established using the web-based Setup Assistant, all settings of a PGP Universal Server can be controlled via the administrative interface.
Backup and Restore: Because full backups of the data stored on your PGP
Universal Server are critical in a natural disaster or other unanticipated loss of data or hardware, you can schedule automatic backups of your PGP Universal Server data or manually perform a backup.
You can fully restore a PGP Universal Server from a backup. In the event of a minor problem, you can restore the PGP Universal Server to any saved backup. In the event that a PGP Universal Server is no longer usable, you can restore its data from a backup onto a new PGP Universal Server during initial setup of the new PGP Universal Server using the Setup Assistant. All backups are encrypted to the Organization Key and can be stored securely off the PGP Universal Server.
37).
Cluster: When you have two or more PGP Universal Servers in your
network, you configure them to synchronize with each other; this is called a “cluster.”
Dictionary: Dictionaries are lists of terms to be matched. The dictionaries
work with mail policy to allow you to define content lists that can trigger rules.
23
PGP Universal™ Server The Big Picture
Directory Synchronization: If you have LDAP directories in your
organization, your PGP Universal Server can be synchronized with the directories. The PGP Universal Server automatically imports user information from the directories when users send and receive email; it also creates internal user accounts for them, including adding and using X.509 certificates if they are contained in the LDAP directories.
Ignition Keys: You can protect the contents of a PGP Universal Server,
even if the hardware is stolen, by requiring the use of a hardware token or a software passphrase, or both, on start.
Keyserver: Each PGP Universal Server includes an integrated keyserver
populated with the public keys of your internal users. When an external user sends a message to an internal user, the external PGP Universal Server goes to the keyserver to find the public key of the recipient to use to secure the message. The PGP Universal Server administrator can enable or disable the service, and control access to it via the administrative interface.
Learn Mode: When you finish configuring a PGP Universal Server using
the Setup Assistant, it begins in Learn Mode, where the PGP Universal Server sends messages through mail policy without taking any action on the messages, and does not encrypt or sign any messages.
Learn Mode gives the PGP Universal Server a chance to build its SMSA (creating keys for authenticated users, for example) so that when when Learn Mode is turned off, the PGP Universal Server can immediately begin securing messages. It is also an excellent way for administrators to learn about the product.
You should check the logs of the PGP Universal Server while it is in Learn Mode to see what it would be doing to email traffic if it were live on your network. You can make changes to the PGP Universal Server’s policies while it is in Learn Mode until things are working as expected.
Mail Policy: The PGP Universal Server processes email messages based
on the policies you establish. Mail policy applies to inbound and outbound email processed by both PGP Universal Server and client software. Mail policy consists of multiple policy chains, comprised of sequential mail processing rules.
Organization Certificate: You must create or obtain an Organization
Certificate to enable S/MIME support by PGP Universal Server. The Organization Certificate signs all X.509 certificates the server creates.
Organization Key: The Setup Assistant automatically creates an
Organization Key (actually a keypair) when it configures a PGP Universal Server. The Organization Key is used to sign all PGP keys the PGP Universal Server creates and to encrypt PGP Universal Server backups.
24
PGP Universal™ Server The Big Picture
Caution: It is extremely important to back up your Organization Key: all
keys the PGP Universal Server creates are signed by the Organization Key, and all backups are encrypted to the Organization Key. If you lose your Organization Key and have not backed it up, the signatures on those keys are meaningless and you cannot restore from backups encrypted to the Organization Key.
PGP Verified Directory: The PGP Verified Directory supplements the
internal keyserver by letting internal and external users manage the publishing of their own public keys. The PGP Verified Directory also serves as a replacement for the PGP Keyserver product. The PGP Verified Directory uses next-generation keyserver technology to ensure that the keys in the directory can be trusted.
Server Placement: A PGP Universal Server can be placed in one of two
locations in your network to process email.
With an internal placement, the PGP Universal Server logically sits between your email users and your mail server. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming mail being picked up by email clients using POP or IMAP. Email stored on your mail server is stored secured (encrypted).
With a gateway placement, the PGP Universal Server logically sits between your mail server and the Internet. It encrypts and signs outgoing SMTP email and decrypts and verifies incoming SMTP email. Email stored on your mail server is stored unsecured.
For more information, see Configuring Mail Proxies (on page PGP Universal Server Installation Guide.
Setup Assistant: When you attempt to log in for the first time to the
administrative interface of a PGP Universal Server, the Setup Assistant takes you through the configuration of that PGP Universal Server.

PGP Universal Server User Types

Administrators: Any user who manages the PGP Universal Server and its
security configuration from inside the internal network.
Only administrators are allowed to access the administrative interface that controls PGP Universal Server. A PGP Universal Server supports multiple administrators, each of which can be assigned a different authority: from read-only access to full control over every feature and function.
Consumers: Internal, external, and Verified Directory users, and devices.
External Users: External users are email users from other domains
(domains not being managed by your PGP Universal Server) who have been added to the SMSA.
171) and the
25
PGP Universal™ Server The Big Picture
Internal Users: Internal users are email users from the domains being
managed by your PGP Universal Server.
PGP Universal Server allows you to manage PGP Desktop deployments to your internal users. The administrator can control which PGP Desktop features are automatically implemented at install, and establish and update security policy for PGP Desktop users that those users cannot override (except on the side of being more secure).
PGP Verified Directory Users: Internal and external users who have
submitted their public keys to the PGP Verified Directory, a Web­accessible keyserver.
Devices: Managed devices, WDE computers, and WDE disks.
Managed devices are arbitrary objects whose keys are managed by PGP Universal Server. WDE computers, and WDE disks are devices that are detected when users enroll.
Other Email Users: Users within your organization can securely send
email to recipients outside the SMSA.
First, the PGP Universal Server attempts to find a key for the recipient. If that fails, there are four fallback options, all controlled by mail policy: bounce the message back to the sender (so it is not sent unencrypted), send unencrypted, Smart Trailer, and PGP Universal Web Messenger mail.
Smart Trailer sends the message unencrypted and adds text giving the recipient the option of joining the SMSA by installing PGP Universal Satellite, using an existing key or certificate, or using PGP Universal Web Messenger. PGP Universal Web Messenger lets the recipient securely read the message on a secure website; it also gives the recipient options for handling subsequent messages from the same domain: read the messages on a secure website using a passphrase they establish, install PGP Universal Satellite, or add an existing key or certificate to the SMSA.

Installation Overview

The following steps are a broad overview of what it takes to plan, set up, and maintain your PGP Universal Server environment.
Most of the steps described here are described in detail in later chapters. Steps 1 and 4 are described in the PGP Universal Server Installation Guide. Note that these steps apply to the installation of a new, stand-alone PGP Universal Server.
If you plan to install a cluster, you must install and configure one PGP Universal Server following the steps outlined here. Subsequent cluster members will get most of their configuration settings from the initial server by replication.
The steps to install and configure a PGP Universal Server are as follows:
1 Plan where in your network you want to locate your PGP Universal
Server(s).
26
Loading...
+ 384 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use