E-Mail Encryption

Introduction

Due to security policies, it might be required to encrypt e-mail traffic (including the e-mails which are sent and received by the ConSol CM installation) using standard S/MIME encryption. If the topic is new to you, you might want to read some articles about it, e.g. the Public-key cryptography article in Wikipedia.

In order to enable the use of encrypted e-mails with ConSol CM, you first have to enable the e-mail encryption in the system:

  1. Mandatory:
    Set the system property cmas-core-server, mail.encryption to true. It is set to false as default value. This is the basic configuration to enable e-mail encryption for the entire system.
  2. Optional:
    Set the page customization attribute mailEncryptionAvailable to true. This activates an option in the Web Client to choose whether an e-mail should be encrypted.

General Explanation about E-Mail Encryption in ConSol CM

There are two types of certificates:

The certificates discussed here are used for e-mail encryption only and not for the access of ConSol CM (as e-mail client) to the e-mail server! That has to be managed using certificates which are stored in the security store of the application server.

The following figure shows the basic principle of e-mail encryption for incoming and outgoing e-mails in ConSol CM.

Figure 378: Basic principle of ConSol CM e-mail encryption

Requirements

Certificate Import from LDAP (Available for Client Certificates)

If LDAP is configured, ConSol CM will look up the client certificate for the requested contact in the LDAP repository. This is done as follows:

  1. Someone tries to send an encrypted e-mail.
  2. The cryptography service looks for a client certificate (with the public key) of the recipient.
  3. If a client certificate is found, the e-mail is encrypted using the client's public key and sent.
  4. If a client certificate is not found in the Admin Tool or it has expired, it is looked up in the LDAP repository.
  5. If it is found, it is imported to ConSol CM and the e-mail is encrypted and sent.
  6. If it is not found, the e-mail is sent unencrypted.

The following configuration properties have to be set to enable certificate lookup via LDAP:

Please see section LDAP certificate parameters in System Properties for details.

Certificate Management in the Admin Tool

In the Admin Tool, the navigation items Server Certificates and Client Certificates in the navigation group E-Mail are used to configure the CM environment for e-mail encryption.

Server Certificates

Server certificates are used to decipher incoming e-mail messages. In some exceptional cases, they are also used to encrypt outgoing e-mails: if one of the recipients is the same as one of the incoming e-mail accounts, the server certificate will be used to encrypt that message. Server certificates each contain the public and the private key for the given e-mail address. If you define an incoming e-mail account (see section above), you have to upload a server certificate for that e-mail address (or for all e-mail addresses covered by this mailbox) to be able to receive encrypted messages (because the server certificate contains the respective private key). If you have several incoming accounts, you either have to upload a server certificate for each of them or you can upload one certificate with all required e-mail addresses.

When you open the navigation item Server certificates, a list of all existing server certificates is displayed. To add a new server certificate, click the Add button and use the file browser to find the required certificate. The certificate is validated before it is imported. If there are any incompatibilities, an error message is displayed and the certificate is not imported.

Supported formats for server certificates are:

Client Certificates

A client certificate contains only the public key of an external recipient (e.g., a customer). It allows encrypting messages which are sent to that user, i.e. client certificates are used for outgoing e-mails.

When you open the navigation item Client certificates, a list of all existing client certificates is displayed. To add a new client certificate, click the Add button and use the file browser to find the required certificate. The certificate is validated before it is imported. If there are any incompatibilities, an error message is displayed and the certificate is not imported.

Supported formats for client certificates are:

Figure 379: ConSol CM Admin Tool - Pop-up window for adding a client certificate

Here are some example use cases:

  1. An engineer works in the ConSol CM Web Client and writes an encrypted e-mail using the Ticket E-Mail Editor. When the Send button is clicked, the ConSol CM system looks up the receiver address in the list of e-mail addresses under Client certificates and uses the public key of the recipient to encrypt the outgoing e-mail. If ConSol CM cannot find a matching certificate (the e-mail address is not in the certificate list), the certificate for the e-mail address is loaded from LDAP. If no compatible certificate is found there either, the e-mail is sent unencrypted.
    If one of the recipients is one of the incoming e-mail accounts, the server certificate (public key) will also be used to encrypt that message.
  2. ConSol CM receives an e-mail and checks the To address. If it is found in the list under Server certificates, ConSol CM uses the private key given in this certificate to decrypt the message and to either create a new ticket or append the message to an existing ticket.

Sending Encrypted E-Mails

Choosing if E-Mails Should Be Sent Encrypted from the Web Client

If the page customization property mailEncryptionAvailable has been set to true, a checkbox Send encrypted is available in the Ticket E-Mail Editor in the Web Client. Thus, the user can choose whether the e-mail should be sent encrypted.

Figure 380: ConSol CM Web Client - Send encrypted e-mail

Sending an Encrypted E-Mail from the Workflow

An encrypted e-mail can be sent by using the method enableEncryption(). Please see the ConSol CM Process Designer Manual for a detailed explanation.

Sending Encrypted E-Mails by Default

If the system property cmas-core-server, mail.encryption is set to true, all outgoing e-mails from the workflow and Web Client are encrypted by default.

If users would like to send selected e-mails unencrypted, they can uncheck the checkbox Send encrypted in the Web Client. For e-mails sent by the workflow the method disableEncryption() can be used for this purpose.