Due to security policies, it might be required to encrypt e-mail traffic (including the e-mails which are sent and received by the ConSol CM installation) using standard S/MIME encryption. If the topic is new to you, you might want to read some articles about it, e.g. the Public-key cryptography article in Wikipedia.
In order to enable the use of encrypted e-mails with ConSol CM, you first have to enable the e-mail encryption in the system:
There are two types of certificates:
The certificates discussed here are used for e-mail encryption only, not for authenticating ConSol CM (acting as an e-mail client) to the e-mail server. That connection has to be secured using certificates which are stored in the security store of the application server.
The following figure shows the basic principle of e-mail encryption for incoming and outgoing e-mails in ConSol CM.
Figure 378: Basic principle of ConSol CM e-mail encryption
If LDAP is configured, ConSol CM will look up the client certificate for the requested contact in the LDAP repository. This is done as follows:
The following configuration properties have to be set to enable certificate lookup via LDAP:
Please see section LDAP certificate parameters in System Properties for details.
In the Admin Tool, the navigation items Server Certificates and Client Certificates in the navigation group E-Mail are used to configure the CM environment for e-mail encryption.
Server certificates are used to decrypt incoming e-mail messages. In one exceptional case, they are also used to encrypt outgoing e-mails: if one of the recipients is the same as one of the incoming e-mail accounts, the server certificate is used to encrypt that message. Each server certificate contains both the public and the private key for the given e-mail address. If you define an incoming e-mail account (see section above), you have to upload a server certificate for that e-mail address (or for all e-mail addresses covered by this mailbox) to be able to receive encrypted messages, because the server certificate contains the private key needed for decryption. If you have several incoming accounts, you either have to upload a server certificate for each of them, or you can upload one certificate covering all required e-mail addresses.
When you open the navigation item Server certificates, a list of all existing server certificates is displayed. To add a new server certificate, click the Add button and use the file browser to find the required certificate. The certificate is validated before it is imported. If there are any incompatibilities, an error message is displayed and the certificate is not imported.
Supported formats for server certificates are:
A client certificate contains only the public key of an external recipient (e.g., a customer). It allows encrypting messages which are sent to that user, i.e. client certificates are used for outgoing e-mails.
When you open the navigation item Client certificates, a list of all existing client certificates is displayed. To add a new client certificate, click the Add button and use the file browser to find the required certificate. The certificate is validated before it is imported. If there are any incompatibilities, an error message is displayed and the certificate is not imported.
Supported formats for client certificates are:
Figure 379: ConSol CM Admin Tool - Pop-up window for adding a client certificate
Here are some example use cases:
If the page customization property mailEncryptionAvailable has been set to true, a checkbox Send encrypted is available in the Ticket E-Mail Editor in the Web Client. Thus, the user can choose whether the e-mail should be sent encrypted.
Figure 380: ConSol CM Web Client - Send encrypted e-mail
An encrypted e-mail can be sent by using the method enableEncryption(). Please see the ConSol CM Process Designer Manual for a detailed explanation.
If the system property cmas-core-server, mail.encryption is set to true, all outgoing e-mails from the workflow and Web Client are encrypted by default.
If users would like to send selected e-mails unencrypted, they can uncheck the checkbox Send encrypted in the Web Client. For e-mails sent by the workflow the method disableEncryption() can be used for this purpose.
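The certificate selection rule from the Server certificates and Client certificates sections above, together with the mail.encryption default and the Send encrypted override, modelled as an added Python example (this is an illustration written for this page, not ConSol CM code; the certificate store, addresses and dates are constructed sample data, and the "expired certificates are skipped" check is an assumption about how a validator would behave):

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    addresses: frozenset   # e-mail addresses the certificate covers (lower-cased)
    not_after: date        # end of the validity period
    has_private_key: bool  # True for a server certificate (public + private key)


def _norm(addr: str) -> str:
    return addr.strip().lower()


def choose_certificate(recipient, server_certs, client_certs, today):
    """Return ('server'|'client', cert) for a recipient, or None if none fits.

    Documented rule: a recipient that is one of the incoming e-mail accounts is
    encrypted with the server certificate (which also holds the private key);
    every other recipient needs a client certificate (public key only).
    Expired certificates are skipped (assumed validator behaviour).
    """
    r = _norm(recipient)
    for cert in server_certs:
        if r in cert.addresses and cert.has_private_key and cert.not_after >= today:
            return ("server", cert)
    for cert in client_certs:
        if r in cert.addresses and cert.not_after >= today:
            return ("client", cert)
    return None


def plan_encryption(recipients, server_certs, client_certs, today,
                    encrypt_by_default=True, send_encrypted=None):
    """Decide whether a mail can go out encrypted; returns (encrypt, missing).

    encrypt_by_default models cmas-core-server, mail.encryption; send_encrypted
    models the 'Send encrypted' checkbox (None = user did not override).
    'missing' lists recipients for whom no usable certificate exists.
    """
    want = encrypt_by_default if send_encrypted is None else send_encrypted
    if not want:
        return False, []
    missing = [r for r in recipients
               if choose_certificate(r, server_certs, client_certs, today) is None]
    return (not missing), missing


# Constructed sample store: one server certificate covering two incoming
# accounts, one valid client certificate, one expired client certificate.
TODAY = date(2024, 6, 1)
SERVER_CERTS = [Certificate(frozenset({"support@example.com", "sales@example.com"}),
                            date(2025, 1, 1), True)]
CLIENT_CERTS = [Certificate(frozenset({"customer@example.org"}), date(2025, 1, 1), False),
                Certificate(frozenset({"old@example.org"}), date(2023, 1, 1), False)]
```

Recipients listed in `missing` are the ones for which a client certificate still has to be uploaded before the message can be sent encrypted.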