17.9 Sending S/MIME Secure Messages

17.9.1 Requirements

The security features described in this section are available through any cryptographic providers that use the Microsoft Cryptographic API and support full RSA and/or AES.

Adding Security

You can add security to the items you send by digitally signing them or encrypting them. When you digitally sign an item, the recipient is able to verify that the item was not modified en route and that it originated from you. When you encrypt an item, you are able to ensure that the intended recipient is the only one who can read it.

When you sign or encrypt items using GroupWise, the recipients can read the items with any other S/MIME-enabled email product.

Understanding Security Certificates

A security certificate is a file that identifies an individual or organization. Before you can send secure items, you must obtain a security certificate. Use your web browser to obtain a certificate from an independent certificate authority. See the GroupWise Specs page for a list of certificate authorities.

You can also use LDAP to search for a security certificate.

You use your security certificate to digitally sign items you send. You use other users’ public security certificates to verify digitally signed items they send to you.

To encrypt an item and have the recipient user decrypt it, you must have already received the user’s public security certificate. An element of this security certificate, called the public key, is used to encrypt the item. When the recipient opens the encrypted item, it is decrypted with another element from the security certificate, called the private key.

There are two ways to obtain a user’s public security certificate:

  • The user can send you a digitally signed item. When you open the item, you are prompted to add and trust the security certificate.

  • The user can export his or her public certificate, save it to a disk or external drive, and deliver it to you. You then import the public certificate.

Receiving a Secure Item

Secure items are marked in your Item List with the following icons:

Icon

Description

Signed item

Encrypted item

Signed and Encrypted item

Using Security Service Providers

Depending on the security software you have installed, you can select different security service providers for the items you send. For example, your organization might require you to use one security service provider for work items because of a preferred encryption method, but you might want a different security service provider for sending personal items. The security options available depend on the security service provider you select.

See Selecting a Security Service Provider for more information.

Advanced Information

GroupWise is compatible with the S/MIME version 2 and 3 specification. The security service providers that GroupWise supports have common encryption algorithms such as RC2, RC4, and in Windows 7 or later, AES. When digitally signing an item, GroupWise hashes the item into a message digest using the standard SHA-1 algorithm. The message digest is distributed with the item being sent.

See Selecting a Security Service Provider for more information.

17.9.2 Digitally Signing or Encrypting a Message

To encrypt an item and enable the recipient to decrypt it, you must have received the recipient’s public security certificate.

  1. Ensure that you have a security certificate and that you have selected the security service provider you want to use.

  2. Open an item view.

  3. Click the To field, type a user name, and then press Enter. Repeat for additional users.

  4. Click to digitally sign the item.

  5. Click to encrypt the item.

  6. Type a subject and message.

  7. Click Send on the toolbar.

    If you receive a Recipient Certificate Not Found message when you attempt to send the item, one of the following is true: 1) You are trying to encrypt an item for a recipient and don’t have his or her public certificate; 2) The email address in the public certificate does not match the recipient’s email address; or 3) There is no email address in the recipient’s public certificate and the recipient’s email address cannot be verified.

    If 1) is true, you need to obtain the recipient’s public security certificate. If 2) or 3) is true, click Find Certificate to locate the recipient’s certificate.

17.9.3 Digitally Signing or Encrypting All Messages

To digital sign or encrypt all messages:

  1. Click Tools > Options.

  2. Double-click Security, and then click the Send Options tab.

  3. Select Sign digitally or Encrypt for recipients.

  4. Click Advanced options, and then make selections.

  5. Click OK twice, and then click Close.

17.9.4 Obtaining a Security Certificate from a Certificate Authority

For most companies, the local GroupWise administrator issues security certificates. If you are unsure about where to obtain a security certificate, please contact your local GroupWise administrator.

  1. Click Tools > Options.

  2. Double-click Certificates.

  3. Click Get Certificate.

    Your web browser launches and displays the GroupWise web page, which contains a list of certificate authorities. This is only a partial list; GroupWise supports a wide variety of certificate authorities.

  4. Select the certificate authority you want to use, and then follow the instructions on the website.

    If you used Internet Explorer to obtain the certificate, the certificate is available in GroupWise. If you used Firefox or Chrome to obtain the certificate, you need to export or back up the certificate from the browser (see your browser’s documentation for how this is accomplished). For more information, see Importing or Exporting Security Certificates.

  5. In GroupWise, click Tools > Options, double-click Security, and then click the Send Options tab.

  6. Select Microsoft Base Cryptographic Provider or Microsoft Enhanced Cryptographic Provider from the Name drop-down list under Select a security service provider.

    Select the appropriate security service provider based on the encryption strength of the certificate you are using. The encryption strength of a certificate depends on the encryption strength of the browser used to obtain the certificate. For example, if you have Internet Explorer with 128-bit encryption installed, the encryption is high, and only works with Microsoft Enhanced Cryptographic Provider.

  7. Click OK.

  8. Double-click Certificates, click the certificate you want to use, and then click Set As Default.

  9. Click OK, and then click Close.

17.9.5 Selecting a Security Service Provider

  1. In the Main window, click Tools > Options.

  2. Double-click Security, and then click the Send Options tab.

  3. Select a security service provider from the Name drop-down list.

  4. Click OK, and then click Close.

The security service provider you select takes effect as soon as you log in to the provider (if login is required). The options and encryption methods available depend on the security service provider you have selected.

You cannot select security service provider options in an individual item. You must select these options from the Main Window.

17.9.6 Selecting a Security Certificate for Digitally Signing Items

To select a security certificate for digital signing:

  1. Click Tools > Options.

  2. Double-click Certificates.

  3. Click the certificate name.

  4. Click Set As Default.

  5. Click OK, and then click Close.

17.9.7 Using LDAP to Search for Recipient Encryption Certificates

Before you can use an LDAP directory service to search for security certificates, you must add the LDAP directory service to your GroupWise Address Book. For more information, see Adding a Directory Service to an Address Book.

  1. Click Tools > Options, and then double-click Security.

  2. Click the Send Options tab.

  3. Click Advanced options.

  4. Select Search for recipient encryption certificates in the default LDAP directory defined in LDAP Address Book.

  5. Click OK twice, and then click Close.

17.9.8 Selecting the Method Used for Encrypting Items

  1. Click Tools > Options.

  2. Double-click Security, and then click the Send Options tab.

  3. Click Advanced options.

    Use recipient’s preferred encryption algorithm if available: GroupWise attempts to use the recipient’s preferred encryption algorithm, if it is available.

    Search for Recipient encryption certificates in the default LDAP directory defined in LDAP Address Book: GroupWise uses the defined LDAP Address Book to attempt to find encryption certificates for the recipient.

    Default encryption algorithm: In the Encrypted Item box, the encryption algorithm drop-down lists are scrollable and include all encryption algorithms that are supported by the version of the web browser installed on the workstation where you are running the GroupWise client. The following list is a sample:

    • 3DES (168 bits)

    • DES (56 bits)

    • RC2 (128 bits)

    • RC2 (40 bits)

    • RC2 (56 bits)

    • RC2 (64 bits)

    • RC4 (128 bits)

    • AES (128 bits)

    • AES (256 bits)

    Broadcast my preferred encryption algorithm in signed item as: When you send an encrypted item, you can specify your preferred encryption algorithm to use.

    Send the message portion in clear text format (clear signing): Sends the message in clear text; otherwise, it is sent as a PKCS7 encoded message.

    Include my Certificate Authority’s certificates: Your certificate authority’s certificate is included in the message you send.

    Check incoming/outgoing security item for revoked certificates: Checks the incoming and outgoing security item against the Certificate Revocation List.

    Warn if revocation server is offline: You receive a warning if the revocation server is offline when GroupWise checks for it.

    Warn if there is no certificate revocation information in certificates: You receive a warning if there is no certificate revocation information inside the certificate.

    Do not check certificate for S/MIME compliance: The certificate is not checked for compliance with S/MIME.

    Check certificate for Compliance with S/MIME version 2: The certificate is checked for compliance with the S/MIME version 2 standard.

    Check certificate for Compliance with S/MIME version 3: The certificate is checked for compliance with the S/MIME version 3 standard.

  4. Make selections in the Encrypted item group box.

  5. Click OK twice, and then click Close.

The available encryption methods depend on the security service provider you have selected.

17.9.9 Checking Whether the Digital Signature of an Item Was Verified

To see if a digital signature was verified:

  1. Open a digitally signed item that you received.

  2. Click File > Security Properties.

  3. Click the tabs to view information about the security certificate that was used.

The digital signature is verified when you open the item. If there are any concerns about the certificates that sign the item, a warning or an error displays immediately and the status bar of the item displays “Untrusted.”

If the digital signature was not verified, the security certificate might be invalid or the message text has been changed since the item was sent.

17.9.10 Viewing Received Security Certificates and Changing the Trust

To view received security certificates or to change a trust:

  1. Click Contacts in the Full Folder List.

    To access the Full Folder List, click the folder list header drop-down list (located above the Folder List; it probably displays Online or Caching to indicate what mode of GroupWise you are running in). Then click Full Folder List.

    or

    Open the Address Book.

  2. Double-click a contact, and then click the Advanced tab.

  3. Click Manage Certificates.

  4. Click a certificate, and then click View Details.

If you initially did not trust a recipient’s security certificate and want to trust it, open a digitally signed item from the recipient, click the security certificate, click Modify Trust, click a trust option, and then click OK.

If you no longer want to trust a recipient’s security certificate, click the security certificate, click Remove, and then click Yes.

When you remove a recipient’s security certificate from the list, it is removed from your certificate database. If you receive an item using that security certificate in the future, it is considered unknown.

17.9.11 Viewing Your Own Security Certificates

To view your own security certificates:

  1. Click Tools > Options.

  2. Double-click Certificates.

  3. Click a certificate, and then click View Details.

If you have multiple security certificates, the default security certificate is indicated by a check mark. To change the default, click a certificate, and then click Set As Default.

You can change the name of your security certificate by clicking Edit Properties, and then editing the text in the Certificate name field. The certificate name is reflected in the list and is not stored in the actual certificate.

17.9.12 Importing or Exporting Security Certificates

When you export your security certificate with the private key to a file, a password is required to protect the exported file. You can use the exported file as a backup copy, or you can import the file on another workstation. If another user obtains the file and its associated password, he or she can digitally sign items in your name, and can read encrypted items you receive.

When you export your public certificate, you can send it to another user. The other user can then import your public certificate and send you encrypted items.

  1. Click Tools > Options.

  2. Double-click Certificates.

  3. Click Import or Export.

    or

    Click Certificate Authorities’ Certificates, and then click Import or Export.

  4. Type a file name, including the path.

    You can also click Browse to find the certificate file, click the file name, and then click Save or Open.

  5. If required, type your certificate password.

  6. Click OK.