Open topic with navigation

E-Mail Encryption

Introduction

Due to security policies, it might be required to encrypt e-mail traffic (including the e-mails which are sent and received by the ConSol CM installation) using standard S/MIME encryption. If the topic is new to you, you might want to read some articles about it, e.g. the Public-key cryptography article in Wikipedia.

In order to enable the use of encrypted e-mails with ConSol CM, you first have to enable the e-mail encryption in the system:

1. Mandatory:
   Set the system property cmas-core-server, mail.encryption to true. It is set to false as default value. This is the basic configuration to enable e-mail encryption for the entire system.
2. Optional:
   Set the page customization attribute mailEncryptionAvailable to true. This activates an option in the Web Client to choose whether an e-mail should be encrypted.

General Explanation about E-Mail Encryption in ConSol CM

There are two types of certificates:

• Server certificates, mainly used for incoming e-mails
  The public key (in the certificate) and the private key of the receiving e-mail address can be manually imported into the CM system from a PKCS12 file (.p12 or .pfx). If the certificate is password-protected, the administrator has to provide this password when the certificate is imported.
• Client certificates, used for outgoing e-mails
  For outgoing e-mails, the certificates (public keys) of the receiving e-mail addresses are required. These certificates can be imported into the CM system in two ways:
  
  • Manually
    By selecting (uploading) the respective X.509 file (.cer or .crt)
  • Automatically
    From an LDAP repository where it is stored in the correct format (i.e. in the same format which is required for the file import). This automatic retrieval of the requested certificate can be performed on-the-fly when the e-mail is sent.

The certificates discussed here are used for e-mail encryption only and not for the access of ConSol CM (as e-mail client) to the e-mail server! That has to be managed using certificates which are stored in the security store of the application server.

The following figure shows the basic principle of e-mail encryption for incoming and outgoing e-mails in ConSol CM.

Figure 378: Basic principle of ConSol CM e-mail encryption

Requirements

• The client certificate must contain the e-mail address of the customer (receiver of the e-mail) in the attribute SubjectDN (E= or EMAILADDRESS=) or the X509v3 Subject Alternative Name element from the Extensions section of the certificate.
• Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files has to be installed on the server and on the machine where the Admin Tool is started. This is required to enable the Admin Tool to import certificates.
• X.509 Base64-encoded certificates are supported.

Certificate Import from LDAP (Available for Client Certificates)

If LDAP is configured, ConSol CM will look up the client certificate for the requested contact in the LDAP repository. This is done as follows:

1. Someone tries to send an encrypted e-mail.
2. The cryptography service looks for a client certificate (with the public key) of the recipient.
3. If a client certificate is found, the e-mail is encrypted using the client's public key and sent.
4. If a client certificate is not found in the Admin Tool or it has expired, it is looked up in the LDAP repository.
5. If it is found, it is imported to ConSol CM and the e-mail is encrypted and sent.
6. If it is not found, the e-mail is sent unencrypted.

The following configuration properties have to be set to enable certificate lookup via LDAP:

• ldap.certificate.basedn
• ldap.certificate.searchattr
• ldap.certificate.content.attribute

Please see section LDAP certificate parameters in System Properties for details.

Certificate Management in the Admin Tool

In the Admin Tool, the navigation items Server Certificates and Client Certificates in the navigation group E-Mail are used to configure the CM environment for e-mail encryption.

Server Certificates

Server certificates are used to decipher incoming e-mail messages. In some exceptional cases, they are also used to encrypt outgoing e-mails: if one of the recipients is the same as one of the incoming e-mail accounts, the server certificate will be used to encrypt that message. Server certificates each contain the public and the private key for the given e-mail address. If you define an incoming e-mail account (see section above), you have to upload a server certificate for that e-mail address (or for all e-mail addresses covered by this mailbox) to be able to receive encrypted messages (because the server certificate contains the respective private key). If you have several incoming accounts, you either have to upload a server certificate for each of them or you can upload one certificate with all required e-mail addresses.

When you open the navigation item Server certificates, a list of all existing server certificates is displayed. To add a new server certificate, click the Add button and use the file browser to find the required certificate. The certificate is validated before it is imported. If there are any incompatibilities, an error message is displayed and the certificate is not imported.

Supported formats for server certificates are:

• PKCS #12 archive file containing certificate (public) and private key (password protected).
  Supported filename extensions for PKCS #12 files are:
  • .p12
  • .pfx

Client Certificates

A client certificate contains only the public key of an external recipient (e.g., a customer). It allows encrypting messages which are sent to that user, i.e. client certificates are used for outgoing e-mails.

When you open the navigation item Client certificates, a list of all existing client certificates is displayed. To add a new client certificate, click the Add button and use the file browser to find the required certificate. The certificate is validated before it is imported. If there are any incompatibilities, an error message is displayed and the certificate is not imported.

Supported formats for client certificates are:

• X509 standard format.
  Supported file name extensions for X.509 certificates are:
  • .cer
  • .crt
  • .der
  • .pem

Figure 379: ConSol CM Admin Tool - Pop-up window for adding a client certificate

Here are some example use cases:

1. An engineer works in the ConSol CM Web Client and writes an encrypted e-mail using the Ticket E-Mail Editor. When the Send button is clicked, the ConSol CM system looks up the receiver address in the list of e-mail addresses under Client certificates and uses the public key of the recipient to encrypt the outgoing e-mail. If ConSol CM cannot find a matching certificate (the e-mail address is not in the certificate list), the certificate for the e-mail address is loaded from LDAP. If no compatible certificate is found there either, the e-mail is sent unencrypted.
   If one of the recipients is one of the incoming e-mail accounts, the server certificate (public key) will also be used to encrypt that message.
2. ConSol CM receives an e-mail and checks the To address. If it is found in the list under Server certificates, ConSol CM uses the private key given in this certificate to decrypt the message and to either create a new ticket or append the message to an existing ticket.

Sending Encrypted E-Mails

Choosing if E-Mails Should Be Sent Encrypted from the Web Client

If the page customization property mailEncryptionAvailable has been set to true, a checkbox Send encrypted is available in the Ticket E-Mail Editor in the Web Client. Thus, the user can choose whether the e-mail should be sent encrypted.

Figure 380: ConSol CM Web Client - Send encrypted e-mail

Sending an Encrypted E-Mail from the Workflow

An encrypted e-mail can be sent by using the method enableEncryption(). Please see the ConSol CM Process Designer Manual for a detailed explanation.

Sending Encrypted E-Mails by Default

If the system property cmas-core-server, mail.encryption is set to true, all outgoing e-mails from the workflow and Web Client are encrypted by default.

If users would like to send selected e-mails unencrypted, they can uncheck the checkbox Send encrypted in the Web Client. For e-mails sent by the workflow the method disableEncryption() can be used for this purpose.