Cisco Registered Envelope Service 4.7 Account Administrator Guide
March 19, 2016

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco Registered Envelope Service 4.7 Account Administrator Guide © 2011—2016 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

CONTENTS

CHAPTER 1 Overview 1-1
  Role of Cisco Registered Envelope Service in Encryption 1-1
  Corporate Account Administration 1-3

CHAPTER 2 Administration 2-1
  Administration FAQs 2-1
    What is a Cisco Registered Envelope Service corporate account? 2-1
    What are the typical tasks of an account administrator? 2-2
    Which email administration topics are covered in this guide? 2-2
    What is recipient enrollment? 2-2
    Cisco Registered Envelope Service Accounts 2-3
    Users 2-3
    What are user groups and roles? 2-3
  Getting Started 2-4
    Understanding the Corporate Account Setup Process 2-4
    Logging In 2-4
    Understanding the Icons in the Administration Console 2-7
  Common Tasks 2-8
    Customizing the Logo on Registered Envelopes 2-8
    Adding a Corporate Account Administrator 2-10
    Customizing Templates 2-11
    Monitoring Account Activity 2-12
    Managing Messages 2-13
    Managing Security Questions 2-14
    Managing Password Requirements 2-15
    Managing Users 2-16
      Creating Users 2-16
      Resetting User Passwords 2-17
      Adding Users to Groups 2-18
      Disabling Users 2-19
    Using TLS Delivery 2-20
      Adding and Testing TLS Domains 2-20
      TLS Error Handling 2-23
    Enabling Sender Registration 2-25
    Enabling Java Applet 2-26
    Selecting an Authentication Method 2-27
      Configuring CRES Account Authentication 2-27
      Authenticating with SAML 2-27
      Configuring SAML Account Authentication 2-31
    Configuring BCE Plug-in or Mobile Application Settings 2-40
    Disabling and Enabling Access to Secure Compose 2-43
    Configuring DNS to Include CRES 2-44

CHAPTER 3 Reporting 3-1
  Reporting Overview 3-1
  Account Usage Report 3-2

CHAPTER 4 Migrating the Data Needed to Create Keys from the IEA to CRES 4-1
  Information About Migrating the Data Needed to Create Keys from the IEA to CRES 4-1
  How to Migrate the Data Needed to Create Keys from the IEA to CRES 4-3
    Migration Prerequisites 4-3
    Features That Are Not Supported on CRES 4-4
    Migration Procedure 4-5
  Differences In Functionality Once the Migration Is Complete 4-12
  Migration Error Messages 4-13
  Example Configuration of HTTP Proxy 4-14
  Cisco Content Security Welcomes Your Comments 4-15

Cisco Content Security Welcomes Your Comments A-2
Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES B-1

CHAPTER 1 Overview

The Cisco Registered Envelope Service (CRES) is a hosted service that provides support for Cisco IronPort Encryption technology. CRES works in conjunction with Cisco IronPort Email Security appliances and Cisco IronPort Encryption appliances, which provide on-premises content scanning, policy enforcement, and encryption. CRES stores per-message encryption keys for encrypted messages. Recipients of encrypted messages authenticate themselves with the service to receive decryption keys.

Note: The latest version of this guide and other CRES documentation is available on this product page.

Role of Cisco Registered Envelope Service in Encryption

The service manages the following elements of encryption:

• Recipient enrollment. Recipients of a registered envelope (an encrypted message) must enroll with the service the first time they open an envelope, unless the message is sent with low security. Enrollment is free of charge.
• Authentication. Enrolled users use Single Sign-On (SSO) or provide a password to open registered envelopes and read encrypted messages.
• Encryption keys. An encryption key is created for each encrypted message.
When enrolled recipients enter their password in the registered envelope, the service sends the decryption key that opens the envelope.
• Message expiration and locking. Enrolled users can set the expiration date and control message locking for the encrypted messages that they send. Corporate account administrators can control expiration dates and message locking for all encrypted messages sent using the corporate account.
• Secure Forward and Secure Reply messages. Depending on the corporate account configuration, recipients may be able to forward and reply to encrypted messages using encryption. CRES handles the encryption for Secure Forward and Secure Reply messages.

Cisco Registered Envelope Service Account Administrator Guide 1-1 Chapter 1 Overview

The figure shows how CRES works in conjunction with a Cisco IronPort Email Security appliance. The service supplies the decryption key to the registered recipient of an encrypted message. The diagram depicts the following process:

Step 1 A Cisco IronPort Email Security appliance uses encryption to encrypt a message and deliver it.
Step 2 The recipient enters his or her CRES password in the registered envelope.

Note: If the message is configured for low security, the recipient need not enter a password to open the secure envelope.

Step 3 CRES supplies the decryption key that opens the envelope.
Step 4 The recipient’s web browser displays the decrypted message.

Corporate Account Administration

CRES provides administrative functionality for organizations’ corporate accounts. The initial CRES administration role is assigned to the Registered Technical Contact.
An administrator for a corporate account can perform the following tasks, among others:

• Customize the logo displayed on registered envelopes
• Manage messages sent through the service
• Generate account usage reports
• Manage users (such as lock accounts and reset passwords)
• Configure TLS settings for encrypted secure reply without requiring an envelope

CHAPTER 2 Administration

This chapter includes the following topics:

• Administration FAQs, page 2-1
• Getting Started, page 2-4
• Common Tasks, page 2-8

Administration FAQs

This section provides answers to frequently asked questions (FAQs) about the role of a Cisco Registered Envelope Service (CRES) corporate account administrator.

What is a Cisco Registered Envelope Service corporate account?

Each organization that uses encryption technology and CRES has a corporate account with the service. This account can be used in conjunction with one or more Cisco IronPort Email Security appliances that send encrypted messages. Typically, an organization has a single corporate account, and the account administrator(s) manage only that account.

What are the typical tasks of an account administrator?

Typical administrative tasks include:

• Configuring the corporate account (for example, uploading an organization’s logo to display it on Registered Envelopes sent using the account).
• Monitoring account usage (for example, viewing statistics about user registration and user account activation).
• Managing messages sent using the account (for example, disabling access to a particular message).

Note: Account administrators cannot access the content of user messages that they manage in the Administration Console.
For more information about administrative tasks, see the “Common Tasks” section on page 2-8.

Which email administration topics are covered in this guide?

Administration of a Cisco IronPort secure email solution involves two distinct areas of responsibility:

• Managing Cisco IronPort appliances, such as Cisco Email Security appliances and Cisco IronPort Encryption appliances
• Managing a CRES corporate account

This guide contains information about managing a CRES corporate account. For information about managing Cisco IronPort Email Security appliances, see the product documentation available on the Cisco Customer Support Portal.

What is recipient enrollment?

Recipient enrollment, also called user registration, is the process of creating a CRES user account for a first-time recipient of a Registered Envelope. Most message recipients must complete the enrollment process before they can open the encrypted messages that they receive. However, if the message uses low security, the user can open the message without registering. During the enrollment process, the recipient provides user profile information, chooses a password, and selects security questions and answers.

Cisco Registered Envelope Service Accounts

When a user enrolls with CRES, the user is not associated with a particular sender’s corporate account. Senders have accounts, and recipients have accounts. The sender CRES account allows the sender of an encrypted message to manage their secure messages by expiring or recalling them.

Users

User account administration is handled by system administrators at CRES. Typically, corporate account administrators do not manage individual user accounts. It is possible for a corporate administrator to manage internal CRES users for the purpose of resetting passwords or locking existing accounts.
If a CRES administrator wishes to manage their user accounts, a customer support ticket must be filed to add the managed domains to the account.

What are user groups and roles?

Groups are lists of enrolled users. Roles are sets of privileges that you can associate with groups. For example, to create an account administrator, someone with administrative privileges for the account must add the user to the account administrator group. Roles are not associated with individuals.

Note: Every user in a particular account administrator group can administer that account.

Getting Started

This section explains how to get started using the Administration Console for a CRES corporate account.

Understanding the Corporate Account Setup Process

When an organization configures a Cisco IronPort Email Security appliance to use encryption with CRES as the hosted key service, a corporate account is created for the organization. The organization’s Cisco IronPort Email Security appliance is associated with the corporate account.

Note: As a corporate account administrator, you are not involved in the initial account setup process.

By default, the Account Administrator group for the new account includes the organization’s initial corporate account administrator. The corporate account administrator can create additional administrators by adding users to the Account Administrator group. For more information, see the “Adding a Corporate Account Administrator” section on page 2-10. The Account Administrator group may also include IronPort Sales Engineers who are familiar with the organization’s Cisco IronPort Email Security appliances and system configuration.

Logging In

To manage your corporate account, log in using this URL:

https://res.cisco.com/admin

If you are the administrator for multiple accounts, you are asked to select an account when you log in.
You can then select whether you want:

• The selected account to be remembered on your computer.
• The remembered account to be automatically selected the next time you log in.

These options are represented by the following two checkboxes:

• Remember account on this computer — If checked, the selected account will also be selected in the list the next time you log in using the same browser. Only active accounts are shown in the list.
• Automatically select remembered account — If checked, the list of accounts is not displayed and the information for the remembered account is displayed when you log in. The Automatically select remembered account checkbox is not enabled unless the Remember account on this computer checkbox is checked.

To select another account after you have logged in, use the Select Account link at the bottom of the home page of the Administration Console. This link also allows you to uncheck the Automatically select remembered account checkbox.

When you log in to a corporate account, the Administration Console is displayed.

Figure 2-1 Administration Console for a Corporate Account

The home page is the Monitor Account page, which displays a summary of account activity. The Administration Console contains the following tabs and links for navigating the site:

• Home. Displays the Monitor Account page. Use the Monitor Account page to view system and account status. Click the Update button to retrieve the latest status information, or enter a value in the Update Interval field and click Update to refresh the page at regular intervals (for example, every 10 seconds).
• Users. Displays the User Management page. Typically, this page is used only by system administrators at Cisco.
Corporate account administrators have access only to the individuals assigned to their account, and only if they have added the correct domain.
• Reports. Displays the View Reports page. The View Reports page is typically used to run the Account Usage report. For more information about the Account Usage report, see Chapter 3, “Reporting.” The View Reports page includes links to the following reports:
  – User Information report. Shows a listing of the users associated with your account (only if one or more domains are associated with the account), including sequence number (#), User ID, Email Address, First Name, Last Name, Status, Date Created, Last Login Date, and Last Modified Date.
  – Users Status report. Shows the status (New, Active, Blocked) for users associated with your domain.
  – Account Usage report. Run this report to view usage statistics for your corporate account. For more information about the Account Usage report, see Chapter 3, “Reporting.”
• Accounts. Displays tabs for the Account Management page and the Manage Registered Envelopes page. Click the Manage Accounts tab to view the Account Management page, where you can configure your CRES corporate account. For more information, see the “Customizing the Logo on Registered Envelopes” section on page 2-8, the “Adding a Corporate Account Administrator” section on page 2-10, and the “Customizing Templates” section on page 2-11. Click the Manage Registered Envelopes tab to search for and manage the Registered Envelopes that were sent using your corporate account. For more information, see the “Managing Messages” section on page 2-13.

Understanding the Icons in the Administration Console

Use the icons in the Administration Console to navigate the system and manage areas such as accounts and users. Hover text indicates what each icon represents.
Table 2-1 Icon Listing (columns: Icon, Title, Action; the icon images are not reproduced here)

• Manage Users: Access the Group Membership page.
• Manage Roles: Access the Group Authorization page.
• Save Token: Save the token to your local machine. Tokens are customer-specific keys used to encrypt data between the Cisco Email Security Appliance (ESA) and CRES (or a local key server). Currently used only by Customer Support.
• Manage Rules: Access the Rules page.
• Close or Delete item: Delete the item.
• Preview Template: Preview the template in the selected language.

Common Tasks

This section explains how to use the Administration Console to perform the following administrative tasks:

• Customizing the logo on Registered Envelopes
• Adding a corporate account administrator
• Customizing templates
• Monitoring account activity
• Managing messages
• Managing security questions
• Managing password requirements
• Managing users
• Using TLS for encrypted but user-transparent delivery of secured messages
• Enabling sender registration
• Selecting an authentication method
• Configuring BCE plug-in or mobile application settings
• Disabling and enabling access to Secure Compose
• Configuring DNS to include CRES

Note: Users can set the timestamp to their local time zone and to their desired format (12 hours or 24 hours). Any Administration Console screen that includes user timestamps is affected by this setting for those users who have set the timestamp to their local time zone.

Customizing the Logo on Registered Envelopes

To change the logo displayed on messages sent using your account:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page is displayed.

Figure 2-2 Account Management Page

Step 3 Click the link for your account number.
Note: Each organization typically has a single corporate account.

The Details tab for the account is displayed.
Step 4 Click the Images tab for the account.

Figure 2-3 Images Tab

Step 5 Browse to the logo file that you want to upload, and click Add Image.

Note: The file size cannot exceed 102,400 bytes. Cisco also recommends that the logo file not exceed 60×160 pixels. You can use any type of file for the logo. However, Cisco recommends that you use only file types that are supported by the browsers your users typically use (for example, GIF, JPEG, or PNG).

Adding a Corporate Account Administrator

To add a corporate account administrator:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page is displayed, as shown in Figure 2-2.
Step 3 Click the link for your account number.

Note: Organizations typically have a single corporate account.

The Details tab for your account is displayed.
Step 4 Click the Groups tab for the account.
Step 5 Click the Manage Users icon. For more information, see the “Understanding the Icons in the Administration Console” section on page 2-7.
Step 6 On the Group Membership page, enter the user ID of the registered user that you want to add as a corporate account administrator.
Step 7 Click Add to Group.

Customizing Templates

To customize a template for the notification messages:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page opens.
Step 3 Click the link for your account number.

Note: Each organization typically has a single corporate account.

The Details tab for the account opens.
Step 4 Click the Templates tab for the account.
Step 5 From the Base Template Set drop-down list, select the template that you want to copy, and then enter a title for the new template set.
Step 6 Click Add.
Step 7 Click the link of the added template.
Step 8 Click the required locale for the template. The Edit Template page opens.
Step 9 Edit the information in the HTML and Text fields as appropriate.
Step 10 Click Save.
Step 11 Click Back to Templates List.
Step 12 Click Back to Template Set List.
Step 13 From the Active Template Set drop-down list, select the required template.
Step 14 Click Save.

Monitoring Account Activity

The IronPort Email Security appliance provides detailed information about encryption usage. For example, you can use the appliance to generate reports on the content filters that mark messages for encryption. To supplement the reports that the appliance generates, CRES provides general information about corporate account activity. You can view this information in the Administration Console. The Monitor Accounts tab on the home page displays information about account activity, including user registration, login counts, and statistics about opened and sent encrypted messages (Registered Envelopes). In addition, you can view the Account Usage report on the Accounts tab. For more information about CRES reports, see Chapter 3, “Reporting.”

Managing Messages

As a corporate account administrator, you can view and manage the status of any message sent using the account. To manage messages:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page is displayed, as shown in Figure 2-2.
Step 3 Click the Manage Registered Envelopes tab. The Manage Registered Envelopes page is displayed.
Figure 2-4 Manage Registered Envelopes Page

Step 4 Click Search to view all messages sent in the last hour, or enter search criteria and click Search to view particular messages.

The search results display the status of each message, including time sent, time last opened, message expiration time, and message lock information. To set an expiration date, select one or more messages and click the Update Expiration Dates link. To lock or unlock messages, select one or more messages and click the Lock/Unlock Envelopes link. When you lock envelopes, you can enter a reason for the lock. The reason is displayed on the envelope when a recipient attempts to open it.

Managing Security Questions

On the Security tab, you can allow or forbid users to define custom security questions. You can change the security questions by selecting the corresponding check boxes in the Sort column of the table. If you select the Advanced registration process check box, users must answer the security questions and enter a personal security phrase during registration. If you clear this check box, users can register without answering the security questions, or they can complete the Advanced Settings form and answer the security questions. All users who do not belong to the administrators group can disable the security questions on the Edit Profile page.

Figure 2-5 Managing Security Questions

Managing Password Requirements

When creating or changing a password, ensure that the password meets the following requirements:

• Password must be alphanumeric (required).
• Password must be case-sensitive (required).
• Password must contain characters from at least three of the available character types: lowercase letters, uppercase letters, digits, and special characters.
• Password must not contain a character repeated more than three times consecutively.
• Password must not contain the username or the reversed username.
• Password must not be "Cisco", "ocsic", or any similar word formed by changing the capitalization of letters, or by replacing "i" with "1", "|", or "!", "o" with "0", or "s" with "$".

Only two password requirements are set by default. You can change the password requirements for users by selecting other options. You can manage the password requirements on the Security tab of the Manage Accounts page.

Figure 2-6 Managing Password Requirements

Managing Users

On the Users tab, you can manage users of the system: create users, search for users, reset passwords, add users to groups, and disable users. You can manage users only for a domain associated with your account. If you need to associate a domain with your account, contact support.

Note: Users existing in the system before the domain was associated with your account will need to be migrated to your account. Let support know if you have existing users when requesting the domain association.

Creating Users

To create a user:

Step 1 Click Add User on the Manage Users page.
Step 2 Fill in the form.

Note: The password must comply with the Cisco password requirements. For more information, see the “Managing Security Questions” section on page 2-14.

Figure 2-7 Create User Page

Step 3 You can set custom options, such as enforcing a password expiration date, allowing users to bypass security questions when resetting passwords, or skipping the creation of mailboxes for certain users.
Step 4 Click Save.

Note: The user that you create must belong to your email domain.
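The rules listed under Managing Password Requirements above, applied by a small validator with every optional rule switched on (the way an administrator would configure them from the Security tab). This is an added example, not Cisco's own validation code; the rule labels, the reading of "alphanumeric" as "at least one letter and one digit", and case-insensitive matching for the username rule are my assumptions.

```python
from __future__ import annotations

import re

# Labels for the optional rules an account administrator can switch on from the Security tab
# (the labels are mine; the guide names the rules but gives them no identifiers).
OPTIONAL_RULES = frozenset({"three_classes", "no_repeats", "no_username", "no_cisco"})

# Substitutions the guide forbids as disguises for "Cisco"/"ocsic": i -> 1, |, !; o -> 0; s -> $.
LEET_MAP = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})
FORBIDDEN_WORDS = frozenset({"cisco", "ocsic"})


def _undisguise(word: str) -> str:
    """Undo the capitalization changes and substitutions the guide lists, so that
    'C1$c0' and 'ocS1C' both collapse to a word comparable against FORBIDDEN_WORDS."""
    return word.lower().translate(LEET_MAP)


def check_password(password: str, username: str,
                   enabled: frozenset[str] = OPTIONAL_RULES) -> list[str]:
    """Return the labels of the rules the password violates (empty list = acceptable).

    The two required rules are always evaluated; each optional rule only if its label
    is in `enabled`. Passing enabled=frozenset() reproduces the default described in
    the guide, where only the two required rules are in force.
    """
    violations: list[str] = []

    # Required: alphanumeric. Assumption: read as "at least one letter and one digit".
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        violations.append("alphanumeric")
    # Required: case-sensitive. Nothing to reject here; it means the password is stored and
    # compared exactly as typed, so the checks below never lower-case the password itself,
    # only the copies used for the username and "Cisco" comparisons.

    if "three_classes" in enabled:
        present = (
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),   # "special characters"
        )
        if sum(present) < 3:
            violations.append("three_classes")

    # Four identical characters in a row = one character repeated more than three times.
    if "no_repeats" in enabled and re.search(r"(.)\1{3}", password):
        violations.append("no_repeats")

    if "no_username" in enabled and username:
        # Assumption: the username comparison ignores case, as usernames usually do.
        haystack, needle = password.lower(), username.lower()
        if needle in haystack or needle[::-1] in haystack:
            violations.append("no_username")

    if "no_cisco" in enabled and _undisguise(password) in FORBIDDEN_WORDS:
        violations.append("no_cisco")

    return violations
```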
Resetting User Passwords

Users can reset their passwords using the following link:

https://res.cisco.com/websafe/pswdForgot.action

If that method is unsuccessful (for example, if the user cannot recall the answers to the challenge questions), you can reset a user’s password through the administrator interface.

To reset a user’s password:

Step 1 Select the user (click the username in the search results on the Manage Users page).
Step 2 Click View Password Challenge Answers.
Step 3 Click Reauthenticate.
Step 4 Click Next.
Step 5 Click Reset Password.

Note: After resetting a password, the user receives an email with a link to create a new password.

Adding Users to Groups

You can add a user to a group (or remove a user from a group) to give that user additional (or fewer) privileges. To manage a user’s group membership:

Step 1 Select the user (click the username in the search results on the Manage Users page).
Step 2 Click the Groups icon in the Actions column for the user.

Figure 2-8 Groups Icon on the User Listing

Step 3 The Group Membership page is displayed. The box on the left shows the groups of which the user is a member. The box on the right shows any other available groups.
Step 4 Click a group to select it and then click the right or left arrow to move the group between the two boxes.
Step 5 Click Done to save your changes.

Disabling Users

You may need to temporarily disable a user’s account, for example, when a user leaves a company. To disable a user:

Step 1 Select the user (click the username in the search results on the Manage Users page).
Step 2 Click Modify.
Step 3 Set the User Status to Locked.

Figure 2-9 Setting a User’s Status to Locked

Step 4 Save your changes.
Using TLS Delivery

Transport Layer Security (TLS) delivery allows CRES-originated messages, such as secure replies, to be delivered encrypted back to the sending domain without having to use an envelope. You can enable TLS delivery to provide a secure method of delivering email without requiring end users to log in to CRES or install the encryption plug-in to receive or view email. TLS is enabled on a per-account basis. For each account, you specify one or more TLS domains and the error handling behavior.

Adding and Testing TLS Domains

To enable TLS for an account, you must add at least one domain. Adding a domain initiates a process in which the domain is scanned for TLS support. A domain must pass TLS domain testing before it can be added. The TLS domain test uses the CRES servers to verify information and connectivity. The check ensures that:

• there are MX records associated with the domain entry, and
• the MX records can be resolved to an IP address and each MX record has working mail servers associated with it, and
• the CRES servers can establish an SMTP connection via port 25 with the above-mentioned mail servers, and
• each above-mentioned mail server supports the STARTTLS extension, and
• finally, the CRES servers can initiate a successful TLS connection to each mail server serving the MX record.

To use TLS for secure replies, you must use a certificate signed by, or chained to, one of the certificates listed in the Supported Certificate Authorities for CRES section of the Cisco Email Encryption Compatibility Matrix. You must also use a certificate that has not expired. A certificate has expired if the date and time when a TLS connection is made is not within the certificate’s validity window.

A TLS test for a domain generates one of three possible results: pass, inconclusive (partial pass), and failure.
• Pass: A domain is considered to pass a TLS test when the test on all servers in the MX records passes. Domains that pass TLS tests are added as TLS domains and receive a status of “processing” while they await approval by Customer Support.
• Inconclusive: If the test has passed on at least one associated mail server but not all, the result is considered inconclusive. Inconclusive domains are, by default, not added as TLS domains. You can add an inconclusive domain by clicking the Request Approval button displayed by the results. Enter information about why the domain should be added and then submit.
• Failure: If no mail servers associated with the domain support TLS, the domain has failed the test. Domains that fail TLS tests are not added as TLS domains.

A customer support ticket is opened for each passing domain or approval request for inconclusive domains. You will receive an email indicating that the domain has been added or requesting more information about the domain.

You can also test domains without adding them to the list of TLS domains by using the Test Domain button rather than the Add Domain button. Support requests are not opened for tested domains.

To add or test a TLS domain:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click on an account number and choose the Features tab.

Figure 2-10 Account Management Page, Features Tab

Step 3 Enter a domain.
a. To test the domain, click Test Domain.
b. To add the domain, click Add Domain.
Step 4 A message is displayed indicating the results.
Step 5 If an added domain passes, it is displayed in the “Domain” list with a status of “Processing.”
Step 6 Delete domains by clicking the trash can icon.

Note Do not forget to specify the TLS error handling behavior. See “TLS Error Handling” on page 23 for more information.
TLS Error Handling

If TLS delivery stops working (due to an expired certificate, for example), you need to configure TLS error handling. You can choose “Bounce Messages” or “Fallback to Registered Envelope Delivery.”

Note If the TLS failure delivery preference is set to “Fallback to Registered Envelope Delivery,” remember to change the TLS delivery option to TLS Preferred on your in-house mail server.

• Fallback to Registered Envelope Delivery: If the TLS delivery fails (due to an expired certificate, for example), the system reverts to sending registered envelopes.
• Bounce Messages: For accounts configured to bounce messages during TLS delivery failure, the bounce will happen after 24 hours, during which a retry will be attempted every hour. For accounts configured to fall back to registered envelope delivery, fall back will happen after 1 hour, during which a retry will be attempted every 20 minutes.

To specify TLS error handling behavior for an account:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click on an account number and choose the Details tab.

Figure 2-11 Account Management Page

Step 3 Select a TLS failure delivery preference.
Step 4 Click Save.

Enabling Sender Registration

You can configure the system to automatically offer to register senders on a per-account basis. This is also useful if you would like to offer CRES accounts to your email senders who do not currently use CRES to send encrypted mail. Once registered, senders can learn more about the options available to them for controlling their encrypted messages.

If you enable this feature, senders receive email messages inviting them to create an account on the CRES server.
They receive these invitations once every 30 days, and they can opt out easily by following the instructions included in the invitation. You cannot change the frequency of invitations.

To enable sender registration for an account:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.

Figure 2-12 Enabling Sender Registration

Step 3 Select the Enable Sender Registration check box.
Step 4 Click Save.

Enabling Java Applet

By default, Java Applet in the envelope is disabled, so the CRES users can more easily read the secure messages with attachments or open the secure messages in a web browser.

To enable Java Applet:

Step 1 On the Accounts tab, click the Manage Accounts tab.
Step 2 Click an account number and then click the Details tab.

Figure 2-13 Enabling Java Applet

Step 3 Clear the Suppress Java Applet in Envelope check box.
Step 4 Click Save.

Selecting an Authentication Method

You must assign one of the two authentication methods to an account and correctly configure the authentication. However, you can change an account’s authentication method if required. CRES provides two different methods for authenticating users:

• Configuring CRES Account Authentication, page 2-27
• Configuring SAML Account Authentication, page 2-31

You may want to use CRES authentication if you want to retain full control over the authentication process.

SAML is an XML application for Single Sign-On (SSO). For further information on how CRES implements SAML authentication, see Authenticating with SAML, page 2-27. You may want to use SAML-based authentication if you are already using the Cisco IronPort Web Security Appliance or PingFederate as a SAML identity provider for SSO.
For more information, see Configuring the PingFederate Logout URL, page 2-39.

Configuring CRES Account Authentication

To configure CRES authentication for an account:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.
Step 3 In the Authentication Method list, click CRES.
Step 4 Click Save.

Authenticating with SAML

SAML is an XML-based standard primarily used for Single Sign-On (SSO), a simpler way for end users to authenticate with multiple web services, such as CRES. Currently only SAML 2.0 is supported.

Single Sign-On means users log in once to authenticate (with an identity provider) and thereafter use a range of services from service providers without having to log in again. The protocol also supports Single Log-Out. This simplifies the user experience, and improves security because the user no longer has to remember login details for multiple services.

CRES support for SAML works for new and existing CRES envelopes. SAML authentication must be enabled individually for each corporate account. After this is done, all users in that account must authenticate with SAML. Any users not owned by the account will continue to use CRES authentication.

SAML Overview

SAML enables exchanging authentication and authorization data between different secure networks, sometimes referred to as security domains. Typically, SAML is used when there are users in one domain accessing a network (a different domain) using a web browser. To achieve Single Sign-On, a SAML dialogue must be engaged by an entity in each domain, which SAML defines using the following terms:

• Identity provider (IdP). An identity provider is an entity that produces SAML assertions. The identity provider is expected to authenticate its end users before producing a SAML assertion. CRES should work with most SAML 2.0 identity providers.
However, it is certified to work only with the Cisco IronPort Web Security Appliance, Active Directory Federation Services (AD FS), and PingFederate.
• Service provider (SP). A service provider is an entity that consumes SAML assertions. The service provider relies on the identity provider to identify the end user and communicate that identification to the service provider in the SAML assertion. The service provider makes an access control decision based on the assertion. With SAML authentication enabled, CRES acts as a service provider.

SAML assertions are containers of information passed between identity providers and service providers inside SAML requests and responses. Assertions contain statements (such as authentication and authorization statements) that service providers use to make access control decisions. Assertions start with the <saml:Assertion> tag.

SAML dialogues are called flows, and flows can be initiated by either provider:

• Service provider initiated flow. The service provider is contacted by an end user requesting access, so it starts a SAML dialogue by contacting the identity provider to provide identification for the user. For service provider initiated flows, the end user accesses the service provider using a URL that contains the service provider’s domain, such as http://www.serviceprovider.com/.
• Identity provider initiated flow. The identity provider starts a SAML dialogue by contacting the service provider, requesting access on behalf of an end user. For identity provider initiated flows, the end user accesses the service provider using a URL that contains a local domain, such as http://saas.example.com/.

CRES supports only service provider initiated flows.

Note This section does not provide a comprehensive discussion of SAML, nor of how identity and service providers communicate with each other.
For more detailed information, see http://saml.xml.org/wiki/saml-wiki-knowledgebase. For further information about using the Web Security appliance as an identity provider, see the “Controlling Access to SaaS Applications” chapter in the Cisco IronPort AsyncOS for Web User Guide (release 7.0 or later).

Requirements

To use SAML authentication with CRES as the service provider, the following requirements must be met:

• CRES currently supports using only the Cisco IronPort Web Security Appliance, Active Directory Federation Services (AD FS), or PingFederate as an identity provider.
• The identity provider’s SAML login mechanism must be able to work without JavaScript.
• The identity provider must support SAML 2.0.
• In the SAML assertion, the SAML NameID or attribute must contain the email address.

Caveats

There are some caveats when using SAML authentication:

• SAML must be enabled individually for each corporate account.
• The SAML login page is provided by the SAML identity provider, not by CRES. This means no CRES logging is available for the SAML logins, and login problems should be reported to your SAML identity provider.
• User password maintenance, such as recovering a forgotten password or changing a password, must be performed via the identity provider, not CRES, for users with SAML-authenticated accounts.
• SAML authentication is not enabled for administration accounts (admin config) to prevent those accounts being inadvertently locked out.
• Unlike CRES-authenticated accounts, you cannot consolidate SAML-authenticated accounts.
• When the Cisco IronPort Web Security Appliance is used as the identity provider, JavaScript must be enabled for the login page to function correctly.
• When the Cisco IronPort Web Security Appliance is used as the identity provider, passwords are not cached and the user must authenticate every session.
• If there is a problem with the identity provider, SAML users may be unable to authenticate even when their credentials are valid.
• If the identity provider becomes permanently unavailable, you must change the authentication method to CRES to enable users to authenticate.
• The administrator is dependent on the identity provider to provide an alert if there is a problem with the SAML service.
• Even if end users have valid credentials, they may be unable to access the service if there is a problem with the identity provider.

User Experience

The user experience with SAML authentication is much the same whether JavaScript is enabled, whether there are one or more recipients, or whether those are BCC recipients. Users open an envelope (or Mobile Device Support (MDS) link), select their user identity or provide their email address as required, and authenticate through the identity provider. Alternatively, users can navigate to https://res.cisco.com in a web browser, enter an email address, and authenticate through the identity provider.

Configuring SAML Account Authentication

You can configure SAML authentication to use one of the following identity providers:

• Active Directory Federation Services (AD FS)
• Cisco IronPort Web Security Appliance
• PingFederate

The configuration procedures for using these identity providers are described in the following sections:

• Configuring SAML Account Authentication When Using AD FS as the Identity Provider, page 2-31
• Configuring SAML Account Authentication When Using a Cisco IronPort Web Security Appliance or PingFederate as the Identity Provider, page 2-36

Configuring SAML Account Authentication When Using AD FS as the Identity Provider

When you enable SAML authentication, it is very important to configure the CRES account to match the settings of the AD FS account.
You will need the following information (AD FS equivalents):

• Service provider entity ID (SaaS application name / connection ID)
• Customer service URL (Single sign-on URL / base URL)
• Identity provider verification certificate
• (Optional) Alternate email attribute name (SAML attribute / email address)

The procedure for SAML Account Authentication When Using AD FS as the Identity Provider is described in the following sections:

• Configuring the Relying Party Trust for AD FS
• Configuring Claim Rules
• Exporting the Signing Certificate from AD FS
• Configuring CRES
• Configuring AD FS Signing Settings
• Activating the SAML Login
• Logging into Web Safe with LDAP Credentials

Configuring the Relying Party Trust for AD FS

Step 1 Start the AD FS 2.0 Management tool.
Step 2 Click Add.
Step 3 Click Start on the Welcome screen.
Step 4 Select “Enter data about the relying party manually” and click Next.
Step 5 Enter a display name for the CRES SP and click Next.
Step 6 Select “AD FS 2.0 profile” and click Next.
Step 7 Select “Enable support for the SAML 2.0 Web SSO protocol.”
Step 8 For the “Relying party SAML 2.0 SSO service URL,” enter https://res.cisco.com/websafe/ssourl and click Next.
Step 9 For the “Relying party trust identifier,” enter https://res.cisco.com/ and click Add.
Step 10 Click Next.
Step 11 Select “Permit all users to access this relying party” and click Next.
Step 12 Check your settings and click Next.
Step 13 Select “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” and click Close.

Configuring Claim Rules

Step 1 When the “Edit Claim Rules for CRES SP” dialog opens, select the “Issuance Transform Rules” tab and click Add Rule.
Step 2 For the “Claim rule template,” select “Send LDAP Attributes as Claims” and click Next.
Step 3 Enter a “Claim rule name.”
Step 4 For the “Attribute store,” select “Active Directory.”
Step 5 In the LDAP Attribute column, select either “User-Principal-Name” or “E-Mail Addresses.”

The recommended value is “User-Principal-Name” because it can be used for any user in your Active Directory catalogue. During SAML authentication, CRES compares the user’s name from Active Directory with the user’s CRES account. To use the “E-Mail Addresses” value, you must enter the email address in the “E-mail” field under the General tab of the User’s Properties configuration. Because CRES takes the email address from the user’s account in Active Directory, an error will occur if the optional “E-mail” field is not correctly configured for all users.

Step 6 In the Outgoing Claim Type column, select “E-Mail Addresses.”
Step 7 Click Finish and click Add Rule.
Step 8 For the “Claim rule template,” select “Transform an Incoming Claim” and click Next.
Step 9 Enter a “Claim rule name.”
Step 10 For the “Incoming claim type,” select “E-mail Address.”
Step 11 For the “Outgoing claim type,” select “Name ID.”
Step 12 For the “Outgoing name ID format,” select “Transient Identifier.”
Step 13 Select “Pass through all claim values.”
Step 14 Click Finish.

Exporting the Signing Certificate from AD FS

Step 1 Start the AD FS 2.0 Management tool.
Step 2 In the left pane, select AD FS 2.0 > Service > Certificates.
Step 3 Select the Token-signing certificate.
Step 4 In the right pane, click View Certificate.
Step 5 On the Details tab, click Copy to File.
Step 6 Click Next on the “Welcome to the Certificate Export Wizard” screen.
Step 7 For the export file format, select “DER encoded binary X.509 (.CER)” and click Next.
Step 8 Enter the location and file name of the export file and click Next.
Step 9 Click Finish.

Configuring CRES

Step 1 Log into CRES using your Admin account credentials.
Step 2 On the Accounts tab, choose the Manage Accounts tab.
Step 3 Click an account number and choose the Details tab.
Step 4 For the Authentication Method, select SAML 2.0.
Step 5 For the SSO Alternate Email Attribute Name, leave it blank.
Step 6 For the SSO Service Provider Entity ID, enter https://AD FS/ (where AD FS is the appropriate value for your AD FS, for example myadfs.com).
Step 7 For the SSO Customer Service URL, enter https://AD FS/adfs/ls.
Step 8 For the SSO Logout URL, enter https://AD FS/adfs/ls.
Step 9 For the Verification Certificate, click Browse and upload the Signing-Certificate exported from the AD FS settings.
Step 10 Click Save.
Step 11 After the page has saved, click Download to download the CRES signing certificate.

Configuring the AD FS Signing Settings

Step 1 Start the AD FS 2.0 Management tool.
Step 2 In the left pane, select AD FS 2.0 > Trust Relationships > Relying Party Trusts.
Step 3 Select your Relying Party (CRES SP) and click Properties in the right pane.
Step 4 Select the Signature tab, click Add, and select the CRES Signing Certificate that was downloaded from the CRES admin page.
Step 5 Select the Advanced tab.
Step 6 For the Secure hash algorithm, select SHA-1 and click OK.
Step 7 The AD FS Management tool will create the /adfs/ls website in Internet Information Services (IIS).
Step 8 Start the Server Manager Tool.
Step 9 In the left pane, select Server Manager > Roles > Web Server (IIS) > Internet Information Services (IIS) Manager.
Step 10 In the Connections pane, select your server > Sites > Default Web Site > adfs > ls.
Step 11 In the /adfs/ls Home pane, select “Authentication” under IIS.
Step 12 Enable “Anonymous Authentication” and disable all others.
Step 13 Right-click “ls” in the Connections tree and click Explore.
Step 14 Right-click the web.config file and click Edit.
Step 15 Find the “localAuthenticationTypes” section and remove all entries except for <add name="Forms" page="FormsSignIn.aspx" />. This allows only forms authentication instead of the Windows integrated one.
Step 16 Save and close the file.

Activating the SAML Login

Step 1 Return to the CRES Account page by choosing the Manage Accounts tab under the Accounts tab.
Step 2 Click an account number and choose the Details tab.
Step 3 Click Activate SAML at the bottom of the page.
Step 4 Click Continue.
Step 5 Enter your domain User name and Password and click Sign In.
Step 6 Click Continue to continue.
Step 7 Click Continue to close the window.
Step 8 Verify that the message “SAML Activated Successfully” is displayed at the top of the CRES Account Details page.
Step 9 Verify that the SSO Enable Date is set to the current time.
Step 10 Check that SAML 2.0 is selected for the Authentication Method for the account.

Logging into Web Safe with LDAP Credentials

Step 1 Go to Web Safe at https://res.cisco.com/websafe/root.
Step 2 Verify that you are redirected to the AD FS authentication page.
Step 3 Enter your Active Directory user name and password.
Step 4 Click Sign In.
Step 5 Verify that you have successfully logged into Web Safe.
Step 6 Send a message to any user in the same domain.
Step 7 Open the encrypted email that was received by the user.
Step 8 Verify that a new window is opened so that you can enter your Active Directory credentials.
Step 9 Enter your Active Directory credentials.
Step 10 Verify that your envelope is decrypted.
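The checks a service provider applies to the assertion produced by the claim rules above, as an added example that is not Cisco code and not how CRES is implemented: the Requirements section says the NameID or an attribute must carry the email address, the account settings say only the transient name ID format is supported, and the service provider entity ID and validity window must match. The constructed assertion below has the shape AD FS produces when the e-mail claim is transformed into a transient Name ID; the issuer, audience and addresses are made up, and signature verification against the identity provider's verification certificate is a separate step that is not shown. A real deployment uses a SAML library and a hardened XML parser rather than raw ElementTree.

```python
"""Service-provider checks on a SAML 2.0 assertion (added example, not Cisco code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EXPECTED_AUDIENCE = "https://sp.example/"  # constructed SP entity ID

# Constructed template shaped like the output of the AD FS claim rules above:
# the e-mail claim becomes a transient NameID; optionally the same value is
# also sent as a plain attribute (the "alternate email attribute" case).
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-06-15T12:00:00Z">
  <saml:Issuer>https://idp.example/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="%(format)s">%(name_id)s</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-06-15T11:55:00Z" NotOnOrAfter="2024-06-15T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>%(audience)s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>%(attrs)s
</saml:Assertion>"""


def build_assertion(name_id, mail=None, audience=EXPECTED_AUDIENCE, fmt=TRANSIENT):
    """Fill the constructed template; `mail` adds a 'mail' attribute."""
    attrs = ""
    if mail:
        attrs = ('\n  <saml:AttributeStatement><saml:Attribute Name="mail">'
                 '<saml:AttributeValue>%s</saml:AttributeValue>'
                 '</saml:Attribute></saml:AttributeStatement>' % mail)
    return TEMPLATE % {"format": fmt, "name_id": name_id, "audience": audience, "attrs": attrs}


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def email_from_assertion(root, alt_attribute=None):
    """The subject's email: from the NameID when it holds an address, otherwise
    from the attribute named by alt_attribute (the guide's 'SSO Alternate Email
    Attribute Name'). None if neither yields one."""
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text and "@" in name_id.text:
        return name_id.text.strip()
    if alt_attribute:
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == alt_attribute:
                value = attr.find("saml:AttributeValue", NS)
                if value is not None and value.text and "@" in value.text:
                    return value.text.strip()
    return None


def check_assertion(xml_text, now, expected_audience=EXPECTED_AUDIENCE, alt_attribute=None):
    """Return (True, email) when the assertion is acceptable, else (False, reason).
    `now` is an ISO 8601 UTC string such as '2024-06-15T12:00:00Z'."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "root element is not saml:Assertion"
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        return False, "NameID missing or not in the transient format"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "Conditions with NotBefore/NotOnOrAfter are required"
    now_dt = parse_time(now)
    if not (parse_time(cond.get("NotBefore")) <= now_dt < parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion is outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience %r does not include the SP entity ID" % audiences
    email = email_from_assertion(root, alt_attribute)
    if email is None:
        return False, "no email address in NameID or alternate attribute"
    return True, email


if __name__ == "__main__":
    print(check_assertion(build_assertion("jdoe@example.com"), "2024-06-15T12:00:00Z"))
    print(check_assertion(build_assertion("_opaque-7f3a", mail="jdoe@example.com"),
                          "2024-06-15T12:00:00Z", alt_attribute="mail"))
```

The second call in the `__main__` block is the situation the SSO Alternate Email Attribute Name setting exists for: the transient NameID is an opaque value, so the service provider has to be told which attribute carries the address. Leaving that setting blank, as the AD FS procedure does, only works because the claim rules put the e-mail address into the NameID itself.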
Configuring SAML Account Authentication When Using a Cisco IronPort Web Security Appliance or PingFederate as the Identity Provider

When you enable SAML authentication, it is very important to configure the CRES account to match the settings of the identity provider account. You will need the following information (Cisco IronPort Web Security Appliance or PingFederate equivalents):

• Service provider entity ID (SaaS application name / connection ID)
• Customer service URL (Single sign-on URL / base URL)
• Identity provider verification certificate
• (Optional) Alternate email attribute name (SAML attribute / email address)

If you are using the Cisco IronPort Web Security Appliance as the identity provider, this information can be found on the SaaS Application Authentication Policies page. The certificate can be downloaded from the Edit Identity Provider Settings for SaaS Single Sign On page. If you are using PingFederate as the identity provider, this information can be found in the Summary area.

Note When configuring PingFederate as the IdP, you must specify the CRES Assertion Consumer Service URL as an endpoint. In addition, for the users to log out, the SSO Logout URL must be configured. For instructions on configuring this setting, see “Configuring the PingFederate Logout URL” on page 39.

To configure SAML authentication for an account:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.

Figure 2-14 Selecting an Authentication Method

Step 3 In the Authentication Method drop-down list, choose SAML 2.0. The SSO Enable Date, the last date SAML was successfully configured and activated, is displayed. The SSO Email Name ID Format is shown. Currently only the transient SAML name format is supported.
Step 4 Enter the SSO Alternate Email Attribute Name. This is the attribute name that contains the alternate email addresses used as the name identifier.
Step 5 Enter the service provider’s entity ID in the SSO Service Provider Entity ID field.
Step 6 Enter the SSO Customer Service URL. This is the SAML identity provider Single Sign-On URL.
Step 7 Enter the SSO Logout URL. This is the SAML identity provider logout URL. The Single Sign-On binding, typically HTTP-Redirect or HTTP-POST, is displayed together with the SSO Assertion Consumer URL.
Step 8 (Optional) Click Download to download a copy of the SSO service provider verification certificate. This is the public self-signed certificate that is required by your identity provider (IdP) to verify the signature of the SAML logout request from CRES.
Step 9 Click Browse, and select and upload the SSO identity provider verification certificate, provided by the SAML identity provider (Cisco IronPort Web Security Appliance or PingFederate). The current certificate is displayed.
Step 10 Click Save.
Step 11 Click Activate.

Note When you have saved the details, you must then activate the SAML login. This prevents you from accidentally locking out users in case of a configuration error.

Configuring the PingFederate Logout URL

In order to log out from an envelope that was configured with PingFederate as the IdP, the logout URL must be configured in PingFederate. This is critical because the end user must click the logout button to completely log out of CRES.

To configure the logout URL in PingFederate:

Step 1 From the CRES Account Management screen for the account, download and save the public certificate.
Step 2 On the PingFederate server for the account, click Signature Verification Certificate.
Step 3 Click Manage Certificates.
Step 4 Import the certificate that you saved in Step 1.
Step 5 Ensure that the imported certificate is the primary certificate.

Note PingFederate allows you to have more than one public certificate when verifying SAML logout requests. As a result, after you download the public certificate from CRES, you must ensure that this certificate is the first, or primary, certificate in PingFederate.

Configuring BCE Plug-in or Mobile Application Settings

To deploy Business Class Email (BCE) plug-ins or mobile applications, you will need to send a signed configuration file to each user. You must be an account administrator to complete these steps.

To sign and deploy the BCE Configuration file, go to the Accounts tab and choose the account from which you want to enable the BCE plug-in. Then, go to the BCE Config tab and follow the instructions below.

Note If you use a Cisco IronPort appliance as your key server, you will need to download the token from your Cisco IronPort Encryption appliance before you begin.

Figure 2-15 BCE Configuration Tab

Step 1 Choose the token to use with the configuration template. If you use CRES as your key server, choose a CRES token. If you use a Cisco IronPort appliance, navigate to the IEA token you downloaded to your local machine, and then upload it.
Step 2 Download the template file in order to edit it.
Step 3 Edit the configuration file. The BCE_Config.xml file contains detailed instructions for the fields you will need to edit based on your particular environment. Open the file in a text editor and follow the instructions included in the comments to make the necessary modifications.
Step 4 Click Browse to navigate to the BCE_Config.xml file, and click Upload and Sign after you have located the file.
Once the configuration file is signed, it will appear as BCE_Config_signed.xml. Save this file to your local machine.

To deploy the signed configuration file to individual end users:
a. Compose an encrypted email, and attach the BCE_Config_signed.xml file to the encrypted email.
b. Then send this email to all end users for which you want to enable BCE (Business Class Email).

Note The sender of the email must be the same as the account administrator who signed the BCE_Config.xml file. Do not send the BCE_Config_signed.xml file to a mailing list. CRES does not support mailing lists.

Step 5 (Optional) To send the signed configuration file to a bulk list:

Note The following method of bulk distribution is available only to CRES Administrators. In order for IEA Administrators to distribute the signed BCE_Config_signed.xml file to their users properly, the file must be attached to an encrypted email that is sent from the IEA administrator email address.

a. Click Browse to navigate to the BCE_Config_signed.xml file that you are sending to the end users.
b. Click the next Browse button to navigate to the .csv file of email addresses for which you want to enable BCE, or manually enter a list of email addresses, separated by commas or semicolons.
c. By default, the Email Subject is “Cisco BCE Configuration File.” To change it, type new text in this field.
d. Click Distribute Config to send the BCE_Config_signed.xml file to the list of email addresses.

Note For security purposes, the BCE_Config_signed.xml file is only recognized in an encrypted envelope. Therefore, the optional TLS settings of recipient domains are ignored when a BCE_Config_signed.xml file is sent.

Disabling and Enabling Access to Secure Compose

This feature enables you to restrict your users from sending emails through Secure Compose.
This feature therefore allows you to have control over emails from Secure Compose that cannot be scanned or archived and could cause issues with security or violations of corporate policy. Disabling Secure Compose will remove the Compose Message link from the left-hand navigation menu of the end-user portal for users in your account.

You can disable Secure Compose only for users in a domain associated with your account. To associate a domain with your account, contact customer support.

Figure 2-16 Disabling Access to Secure Compose

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click on an account number and choose the Details tab.
Step 3 To enable access to Secure Compose, check the Make Secure Compose Available checkbox.
Step 4 To disable access to Secure Compose, uncheck the Make Secure Compose Available checkbox.
Step 5 Click Save.

Note Any SecureCompose token on your account’s Tokens tab is used internally and should not be modified. Modifying or deleting that token will not disable Secure Compose. To disable Secure Compose, use the procedure described above.

Configuring DNS to Include CRES

In order to avoid Sender Policy Framework (SPF) verification failures, you must add mx:res.cisco.com to your SPF record. Where and how you add CRES to your SPF record depends on how Domain Name System (DNS) is implemented in your network topology. Contact your DNS administrator for more information.

If DNS is not configured to include CRES, when secure compose and secure replies are generated and delivered through the hosted key servers, the outgoing IP address will not match the IP addresses listed at the recipient’s end, resulting in an SPF verification failure.
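An audit of the SPF change described above, as an added example that is not Cisco code: it parses a domain's SPF TXT record, reports whether mx:res.cisco.com is present, proposes the corrected record with the mechanism inserted ahead of the final all term, and counts DNS-querying terms against the ten-lookup limit of RFC 7208, which the added mx: term counts toward (a record already near that limit fails SPF outright once it is exceeded, which looks the same to the recipient as the failure the guide warns about). The sample records are constructed; the optional live lookup assumes the third-party dnspython package.

```python
"""Audit a domain's SPF record for the CRES mechanism (added example, not Cisco code)."""
CRES_MECHANISM = "mx:res.cisco.com"
# Mechanisms and modifiers that cost a DNS query under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Split a TXT record into its terms; None if it is not an SPF version 1 record."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def term_name(term):
    """Mechanism or modifier name without qualifier (+ - ~ ?) or argument."""
    body = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        body = body.split(sep, 1)[0]
    return body.lower()


def count_dns_lookups(terms):
    """Number of terms that require a DNS query during evaluation."""
    return sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)


def audit_spf(txt):
    """Describe the record: whether CRES is authorized, the record as it should
    read (CRES inserted ahead of the final 'all' when missing), and the lookup
    count of that corrected record against the ten-lookup limit."""
    terms = parse_spf(txt)
    if terms is None:
        return {"valid": False, "includes_cres": False, "lookups": 0,
                "over_limit": False, "fixed": None}
    includes = any(t.lstrip("+").lower() == CRES_MECHANISM for t in terms)
    fixed = list(terms)
    if not includes:
        all_index = next((i for i, t in enumerate(terms) if term_name(t) == "all"), len(terms))
        fixed.insert(all_index, CRES_MECHANISM)
    lookups = count_dns_lookups(fixed)
    return {"valid": True, "includes_cres": includes, "lookups": lookups,
            "over_limit": lookups > 10, "fixed": " ".join(["v=spf1"] + fixed)}


def fetch_spf(domain):
    """Return the domain's live SPF TXT record (needs dnspython), or None."""
    import dns.resolver  # third-party: pip install dnspython
    for rdata in dns.resolver.resolve(domain, "TXT"):
        txt = b"".join(rdata.strings).decode("ascii", "replace")
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


# Constructed records: one missing the CRES mechanism, one already correct.
SAMPLE_MISSING = "v=spf1 mx include:_spf.mailhost.example -all"
SAMPLE_OK = "v=spf1 mx mx:res.cisco.com include:_spf.mailhost.example -all"

if __name__ == "__main__":
    import sys
    record = fetch_spf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MISSING
    print(audit_spf(record))
```

Run with a domain name to audit the published record, or with no argument to see the constructed sample corrected. Publish the value in `fixed` only after confirming `over_limit` is false; otherwise consolidate include: terms first.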
CHAPTER 3 Reporting

This chapter covers the following subjects:

• “Reporting Overview” on page 1
• “Account Usage Report” on page 2

Reporting Overview

The Reporting feature has an easy-to-use interface allowing you to simply enter your search criteria and generate the desired report. Selected reports can be downloaded in spreadsheet or PDF format. To access the reporting feature, click the Reports tab.

The following reports are available:

• User Information report. Shows a listing of the users associated with your account (available only if one or more domains are associated with the account), including sequence number ( # ), User ID, Email Address, First Name, Last Name, Status, Date Created, Last Login Date, and Last Modified Date.
• User Status report. Shows the status (New, Active, Blocked) for users associated with your domain.
• Account Usage report. Run this report to view usage statistics for your corporate account. For information about the Account Usage report, see “Account Usage Report” on page 2.

The User Information report and the User Status report are typically used by system administrators. These reports are available only if you have a domain (and users) associated with your account.

Account Usage Report

The Account Usage report displays usage information for a specific account. The data is grouped by token and includes a list of the messages sent and a message count. A token is a customer-specific key used to encrypt data between the Cisco Email Security Appliance (ESA) and CRES (or a local key server) and is used only by Customer Support.

Note Typically, an account administrator for an organization manages a single corporate account.

To generate the Account Usage report:

Step 1 Click the Reports tab to access the View Reports page.
Step 2 Click the Account Usage Report link.
The Account Usage Report page is displayed.

Figure 3-1 Account Usage Report

Step 3 Enter or select the time range for the report data.
Step 4 Enter optional search criteria, such as the sender email address or the recipient email address.
Step 5 Select the sort order for the report data.
Step 6 Select the columns to include in the report data. Select a value, and then click Add to sort to include the column or Remove from sort to exclude the column.
Step 7 Click Create Report.

After you generate the report, you can download the report information in either PDF or spreadsheet format. In addition, you can bookmark or print the web page of the report.

CHAPTER 4 Migrating the Data Needed to Create Keys from the IEA to CRES

This chapter contains the following sections:
• Information About Migrating the Data Needed to Create Keys from the IEA to CRES, page 4-1
• How to Migrate the Data Needed to Create Keys from the IEA to CRES, page 4-3
• Example Configuration of HTTP Proxy, page 4-14
• Cisco Content Security Welcomes Your Comments, page 4-15

Information About Migrating the Data Needed to Create Keys from the IEA to CRES

If you have an existing installation of the Cisco IronPort Encryption Appliance (IEA) and you want to use Cisco Registered Envelope Service (CRES) for key creation and management instead of using the IEA as a local key server, you must perform the migration procedure. The preferred method is to copy all existing user and key data from the IEA into CRES so that end users can still open their old envelopes and do not need to re-register. To do this, CRES provides a data migration client for the IEA and a data import service for CRES.
These utilities use the existing hardware and do not require any changes to your infrastructure, so you can continue to take advantage of existing capabilities such as load balancing and failover.

By default, the migration client performs one pass at migrating the data. You can configure the client to run multiple passes. The migration client keeps track of which records have already been sent and does not re-send any data that CRES has already received.

After the IEA records have been migrated, you must complete several steps to redirect traffic from the IEA to CRES. These steps are described in detail in the next section and include, but are not limited to:
1. Set up the redirection of HTTP traffic from end users to go to an HTTP proxy instead of to the IEA.
2. Set up the HTTP proxy to use an existing or new SSL certificate that the end users can trust for their HTTP traffic with the proxy, in place of the certificate used with the IEA. You must use a certificate signed by, or chained to, one of the certificates listed in the Supported Certificate Authorities for CRES section of the Cisco Email Encryption Compatibility Matrix.
3. Configure the proxy to use an SSL certificate for trusted HTTP communication with CRES.
4. Update your DNS server and firewall rules to redirect all HTTP traffic intended for the IEA to go to your HTTP proxy instead.
5. Update the tokens on all encryption appliances and clients.
6. Disable the IEA.
7. Associate your email domains with your CRES account.

Because the switchover process is not instantaneous, some IEA clients may continue to use the IEA, so there may be database updates that need to be mirrored to CRES. You can configure the data migration client to periodically check for updated data and migrate it to CRES.
The CRES administrator can configure simple policies that permit the import of keys for a given account and that specify the time periods during which data can be imported.

The migration process copies user data and any pending user activity from the IEA to CRES. However, the migrated data does not include any user role or permission data, and the migration process does not change the CRES permissions of account administrators or of any other user belonging to an account. So users' permissions are not upgraded to account administrator permissions on CRES, but a user who already has account administrator permissions keeps that access regardless of their status on the IEA. After the migration, users can be upgraded to account administrators in the usual manner.

How to Migrate the Data Needed to Create Keys from the IEA to CRES

Migration Prerequisites

Before you migrate to CRES, you must meet the following prerequisites:
• Ensure that you do not need any existing features that will not be supported after you migrate to CRES. For more information and examples of these features, see the "Features That Are Not Supported on CRES" section on page 4-4. Discuss your situation with Cisco Technical Support when you contact them to initiate the migration process.
• Ensure that the person performing the migration is a database administrator or has access to a database administrator who can help them.
• Ensure that you have a machine that can be used as an HTTP proxy and the software required to run an HTTP proxy.
• You must upgrade your Cisco IEA software to version 6.5.6.1.
• If you do not have a CRES account, send an email to stg-cres-provisioning@cisco.com and provide the following information:
– Name of the account—This is usually a company name.
For Hosted customers, the account name should be "Company Name ‹ HOSTED".
– Customer's email address that will be used for the Account Administrator.
– Serial number(s) of the ESA appliances that will be doing the encryption.
• Initiate the migration process by contacting a Cisco Customer Support Representative at iea-migrations@cisco.com and providing the following information:
– Your CRES account number. If you do not have a CRES account, contact Cisco to create an account, as described in the previous prerequisite.
– The date on which you would like to start the migration. You should contact Cisco at least 30 days before you plan to actually perform the migration.
The Cisco Customer Support Representative will then:
– Configure your account to enable migration.
– Set the start and end dates and times for the migration.
– Send you an email with the details of your account and links to the migration software.
– Send you an email with the security key in a secure envelope.
• Download the following installation script as instructed in the email sent to you by the Cisco Customer Support Representative:
– cres-dbmigrate_install-4.5.1.xxx.sh
• Verify that the installation script downloaded correctly by running the following command and comparing the SHA1 digest printed to the console against the SHA1 digest shown on the download site:
    openssl dgst -SHA1 cres-dbmigrate_install-4.5.1.xxx.sh
• Obtain the following items as described in the first two steps of the procedure that follows:
– token.jar
– security key (emailed to you in a secure envelope after you schedule your migration)
• If you use PostgreSQL to manage your database, you must have PL/pgSQL installed in order to run the database modification script in Step 4 below.
Features That Are Not Supported on CRES

When you migrate to CRES, you must use a Cisco Email Security Appliance instead of your Cisco IronPort Encryption Appliance (IEA). Because CRES is a hosted service, it cannot support some of the features provided by a local key server such as an IEA. Therefore, before you migrate to CRES, you must make sure that you do not need any IEA features that are not supported on CRES. To help you determine whether you can migrate to CRES, the following list gives some examples of commonly used IEA features that are not currently available on CRES:
• Oracle database. An IEA using Oracle is not currently eligible for migration. This will be supported in a future release.
• Secure mailbox
• LFS (large file support)
• Statement delivery
• Some authentication methods. Users registered in the CRES local database and SAML (for customer-owned email domains only) are the only authentication methods available on CRES. The remaining IEA authentication methods, such as LDAP, Kerberos, and others, are not supported. Authentication lookups in multiple sources (chained lookups) are also not supported.

For detailed information about IEA features, see the Cisco IronPort Encryption Appliance 6.5 Configuration Manual.

Migration Procedure

To migrate data from the IEA to CRES:

Step 1 Save the token.jar file to your local drive:
a. Log in to CRES as an administrator and choose the Accounts tab.
b. Choose the Manage Accounts tab.
c. Choose the Customer Account Manager's account.
d. Choose the Tokens tab.
e. Click the download icon in the Actions column for the SecureCompose token in the table of tokens.

Step 2 The security key is emailed to you by Cisco Technical Support in a secure envelope after you schedule your migration.

Step 3 Install the migration client on the IEA.
a. Enter the following commands to copy the migration client files to your IEA with SCP:
    scp cres-dbmigrate_install-4.5.1.xxx.sh admin@<IEA IP Address>:
    scp token.jar admin@<IEA IP Address>:
b. Use SSH to connect to the IEA. For example, enter:
    ssh admin@<IEA IP Address>
c. At the main menu, enter option x to exit to the UNIX command prompt.
Note The x option is a hidden command and does not appear in the list of menu options.
d. Use the following command to install the migration client:
    sh ./cres-dbmigrate_install-4.5.1.xxx.sh

Step 4 Run the database modification script.
• For PostgreSQL, enter:
    cd dbmigrate/scripts/postgres
    psql -p 5432 -h localhost -d database-name -U db-admin-name -f ~/dbmigrate/scripts/postgresql/migration_table.sql
Note You must have PL/pgSQL installed to complete this procedure.
• For MSSQL, copy the script to a Windows machine with the SQL Server administrator tools installed and execute the script by either:
– Using the SQL Server Management Studio GUI
– Running the following CLI command:
    sqlcmd -H hostname -S sqlserver-instance-name -d database-name -U db-admin-name -P db-admin-password -i migration_table.sql

Step 5 Work with Cisco Technical Support to set the parameters in the dbmigrate.properties file, which configure the functionality of the migration client. These parameters are described in the following table. In addition to the basic configuration parameters shown in the table, you can also use several more advanced parameters, which are explained in Appendix B. One of the functions you can configure is the sending of a notification email to you and Cisco Technical Support when the migration is complete. Configure the following parameters for this notification: mailserver, mailserverport, notifyComplete, notificationRecipient, and notifyCompleteFrom.
You can also configure the sending of a notification email to end users when the migration of their data is complete. If you configure notifications for end users, Cisco recommends that you explain the migration process to your end users to avoid confusion when they receive the notification email. For this reason, this functionality is considered an advanced feature. For information about the optional advanced parameters for end-user notifications, see Appendix B.

You can configure the migration client parameters listed in the following table either in the dbmigrate.properties file or on the command line. The dbmigrate.properties file is located in the conf subdirectory of the folder containing the migration client installer.

Parameter               Required or Optional   Definition
url                     required               JDBC connection URL for the database. For suggested values, see the note below.
driver                  required               JDBC driver name. See the note below.
user                    required               Database username.
password                required               Database password.
token                   required               Name of the token JAR file for the CRES account.
securitykey             required               Additional security key for authentication.
importserver            optional               URL of the CRES migration import service.
passcount               optional               Number of passes of the user and key tables to make before finishing. (Default: 1. Maximum: none.)
passdelay               optional               Number of seconds between migration runs. A value of 0 means the delay is infinite. (Default: 12 hours. Minimum: 1 hour.)
mailserver              optional               IP address of the mail server.
mailserverport          optional               Port number of the mail server.
notifyComplete          optional               Enables or disables the sending of a notification email when the migration is complete. Valid values are true or false.
notificationRecipient   optional               Email address of the person who is to receive the notification email when the migration is complete.
notifyCompleteFrom      optional               Email address of the sender of the notification email when the migration is complete.
notifyCompleteSubject   optional               Subject line of the email sent to notify that the migration is complete.

Note If you use a different JDBC driver from the one used for the IEA, you must copy the JAR file for the driver into the lib folder. If you are using MSSQL, set the following parameters:
• driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
• url=jdbc:sqlserver://database_server;instanceName=instance_name;databaseName=postx;other_options

All parameters that can be configured in the dbmigrate.properties file can also be configured on the command line. However, the command line has two additional optional parameters, and only four parameters are required on the command line, as shown in the following table:

Parameter   Required or Optional   Definition
url         required               JDBC connection URL for the database.
driver      required               JDBC driver name.
user        required               Database username.
password    required               Database password.
help        optional               Prints a description of the configuration parameters.
config      optional               Name of the configuration properties file.

Step 6 Enter the following command to run the dbmigrate_check script:
    ./dbmigrate_check
The dbmigrate_check script verifies that the migration client is configured properly (the tables needed for the migration have been created, and you have the proper token and security key).
The script also reports the user, key, contact, and UUID counts and the key count by year, and checks the database for non-PostxAuth keys. The following information from the database is printed to the console:
• Count of keys in the T_KEYSTORE table
• Count of users in the T_USER table
• Count of users in the T_CONTACT table
• Count of users in the T_UUID table
• Count of keys split by year in the T_KEYSTORE table
• Count of keys in the T_EXPORT_KEYSTORE table
• Count of users in the T_EXPORT_USER table
• Warning if your database uses non-PostxAuth keys (in the T_KEYSTORE table)

Step 7 Enter the following command to run the script included in the downloaded files and start the migration client:
    ./dbmigrate_client --password=db_password
When the migration is complete, the migration client sends a completion notification email to you and Cisco Technical Support, if you configured the mail server and notification parameters as described in Step 5. Cisco Technical Support then checks the results of the migration and notifies you whether the migration was successful.

Note User account and domain membership are not handled by the migration process. Existing user records are not moved to a different account, and all new user records are added to the default Users account (id 1). Cisco Technical Support must log in and manually move users to the correct account after the migration. If the IEA user already exists on CRES, the CRES data for that user is preserved and no error message is generated.

If the sender of an IEA message cannot be found on CRES (for example, when messages were sent from a user who no longer exists or has been removed), that key is not migrated and an error message is shown. To migrate such keys, create the appropriate user on CRES manually and rerun the migration.
After the migration is complete and the proxy is set up, your users need to use their CRES credentials, instead of their IEA credentials, to open envelopes. It is the administrator's responsibility to inform the end users that this will happen.

Step 8 After the migration is complete, you must set up the redirection of HTTP traffic from end users to go to an HTTP proxy instead of the IEA. The traffic that needs to be redirected includes:
• Key server requests to create a new key for an envelope or retrieve the key for an existing envelope
• Connections to Websafe
• Connections to Secure Compose
• Connections to the online envelope opener
• Connections to any other web applications
To redirect this traffic, set up an HTTP/HTTPS proxy to act in place of the IEA. How you implement this proxy depends on your existing network. If you do not have an existing web server or proxy server on which to run the HTTP proxy, you need to set up a new machine to run it. For an example configuration, see the "Example Configuration of HTTP Proxy" section on page 4-14.

Note After the migration process, the default CRES logo is displayed instead of your custom logo on the IEA secured envelopes. To set up your custom logo, configure the proxy to rewrite requests for the IEA custom logo into requests for the CRES custom logo. An example of an IEA logo request is:
    https://customer_domain/websafe/branding/customer-logo.gif
An example of the request for the CRES custom logo is:
    https://res.cisco.com/websafe/logo/your_CRES_account_ID/branding/customer-logo.gif
To add a custom logo to your CRES account, see the "Customizing the Logo on Registered Envelopes" section on page 2-8.
Step 9 Set up the HTTP proxy to use an existing or new SSL certificate that the end users can trust for their HTTP traffic with the proxy, in place of the certificate used with the IEA. You must use a certificate signed by, or chained to, one of the certificates listed in the Supported Certificate Authorities for CRES section of the Cisco Email Encryption Compatibility Matrix. You can use the same certificate that you used with the IEA, if it is signed by a supported Certificate Authority, or you can use a new one. If possible, Cisco recommends that you use your existing certificate.
Note SSL version 3 will not be supported in future releases. Therefore, make sure that you use software that works with Transport Layer Security (TLS).

Step 10 Configure the HTTP proxy to use an SSL certificate for trusted HTTP communication with CRES. The best way to do this is to configure the proxy to reference a trusted store of CA certificates. A less manageable alternative is to configure the proxy to explicitly trust the CRES certificate, but this approach requires you to update the explicit trust relationship every time the CRES certificate is updated.

Step 11 Once you have set up the HTTP proxy, update your DNS server and firewall rules to redirect all HTTP traffic intended for the IEA to your HTTP proxy instead.

Step 12 Update the tokens on all encryption appliances and clients. This is required for the encryption and decryption of key server parameters to work. To update the token on the Cisco Email Security Appliance, provision a CRES encryption profile.
To update the tokens on clients such as the Outlook plug-in, the Cisco BCE Mobile App for Android, and the Cisco BCE Mobile App for iOS, download a new BCE configuration file created with a CRES profile and send it to those users as an encrypted email from an administrator of the CRES account.

Step 13 Stop the IEA encryption server, but do not physically disconnect the IEA.

Step 14 Run the migration client again to propagate any updates since the first run. Alternatively, you can leave the migration client running in multiple-pass mode. Once the second run has completed successfully, Cisco Technical Support disables further migration for the account.

Step 15 Contact Cisco Technical Support to associate your email domains with your CRES account. As part of this process, Cisco Technical Support moves any preexisting CRES users within those email domains to your account. Only email domains owned by you can be associated with your CRES account.

Differences in Functionality Once the Migration Is Complete

CRES has a different feature set from the IEA, and this difference may cause some confusion for your users. Cisco recommends that you educate your users on the differences in functionality between the two feature sets. For detailed information about IEA features, see the Cisco IronPort Encryption Appliance 6.5 Configuration Manual.

Also, as stated in Step 15 above, an email domain that you do not own cannot be associated with your CRES account. Emails originating from accounts in those domains therefore have a different domain name in the email alias. Cisco recommends that you also educate your users on this difference to help them avoid confusion.
Migration Error Messages

The following error messages are the most common messages generated during the migration process. If you receive any other error messages, contact Cisco Customer Support for information about how to resolve the issue.

Error Message This IEA database uses a non-standard authentication system for keys, you may continue with this migration, but when these keys are moved to CRES they will be modified to use CRES authentication.
Explanation The IEA database is using a key server authentication type other than PostXAuth.
Recommended Action As a workaround, you can respond Yes to continue with the migration and use CRES authentication, but we recommend that you contact Cisco Customer Support before you make that decision.

Error Message This IEA database uses non-standard key authentication, i.e., C_LOOKUPNAME <> 'PostXDatabase' and the Keystore checker failed to prompt the user for resolution (console not available).
Explanation The IEA database is using a key server authentication type other than PostXAuth, and the precondition.keychecker.actionOnFail parameter is set to fail.
Recommended Action Contact Cisco Customer Support.

Error Message ERROR: language "plpgsql" does not exist.
Explanation You have not met the prerequisite that, if you use PostgreSQL to manage your database, you must have PL/pgSQL installed to run the database modification script.
Recommended Action Ensure that you have PL/pgSQL installed, if you use PostgreSQL.

Example Configuration of HTTP Proxy

This example shows how to configure one of the most commonly used products for an HTTP/HTTPS proxy, the Apache HTTP server.
This is by no means the only possible example or the most recommended product. Your infrastructure determines which product is best for you to use as an HTTP/HTTPS proxy. Use the following procedure to configure this scenario.

Step 1 Enable the proxy and SSL modules by entering the following directives in the Apache httpd.conf file or the equivalent file:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule ssl_module modules/mod_ssl.so

Step 2 Make sure the CA certificates are located in the appropriate folder (for example, /etc/ssl/certs) and enter the following directive to configure the Apache server to look for the CA certificates in that folder:
    SSLCACertificatePath /etc/ssl/certs/

Step 3 Install the IEA certificate by copying the certificate file into the directory that your Apache installation uses for certificates (for example, /etc/ssl/your-host-certificate.pem).

Step 4 Enable proxying for HTTP port 80 by entering the following directives:
    <VirtualHost www.your-hostname.com:80>
        ServerName www.your-hostname.com
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://res.cisco.com:80/
        ProxyPassReverse / http://res.cisco.com:80/
    </VirtualHost>

Step 5 Enable proxying for HTTPS port 443 by entering the following directives:
    <VirtualHost www.your-hostname.com:443>
        ServerName www.your-hostname.com
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / https://res.cisco.com:443/
        ProxyPassReverse / https://res.cisco.com:443/
        SSLEngine on
        SSLProxyEngine on
        # mod_ssl does not verify proxied servers by default (SSLProxyVerify none);
        # these two directives check the CRES certificate against the CA store from Step 2,
        # which is what Step 10 of the migration procedure requires.
        SSLProxyCACertificatePath /etc/ssl/certs/
        SSLProxyVerify require
        SSLCertificateFile /etc/ssl/your-host-certificate.pem
    </VirtualHost>

Cisco Content Security Welcomes Your Comments

The Cisco Content Security Technical Publications team is interested in improving the product documentation. Your comments and suggestions are always welcome.
You can send comments to the following email address: contentsecuritydocs@cisco.com

APPENDIX A Contacting Customer Support

To contact Customer Support for Cisco Registered Envelope Service (CRES), you can send an email message to the following address: support@res.cisco.com

See the following URL for complete Customer Support information: https://res.cisco.com/websafe/help?topic=ContactSupport

Note You can also access Instant Message Chat Support from this URL.

Alternatively, you can request support by phone or online 24 hours a day, 7 days a week. You can contact Cisco Customer Support using one of the following methods:
• Cisco Support Portal: http://www.cisco.com/support
• Phone support: Contact the Cisco Technical Assistance Center (TAC) within the United States and Canada at 800-553-2447, or see Worldwide Phone Numbers.

If you purchased support through a reseller or another supplier, contact that supplier directly with your product support issues.

Note The level of support available to you depends upon your service level agreement. Cisco IronPort Customer Support service level agreement details are available on the Support Portal. Check this page for details about your level of support.

Reasons for contacting support include:
• Reporting issues
• Adding domains to your account
• Adding users to your domain
• Managing users (for example, resetting passwords and locking users) if you are not managing users directly via CRES

APPENDIX B Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES

In addition to the parameters used in the migration client's dbmigrate.properties file or on the command line, which are described in Chapter 2, you can also use the parameters in the following table. Do not change the default values of these parameters, in either the dbmigrate.properties file or on the command line, without the help of Cisco Technical Support.

The max*Errors parameters (maxUserErrors, maxUuidErrors, maxKeyErrors, and maxContactErrors) indicate the maximum number of errors that can occur before the migration client abandons the current run. A value of 0 for a max*Errors parameter indicates that there is no limit to the number of errors that can occur.

Some parameters are used by the key checker process to specify the preconditions that must be met before the migration can be run. The key checker process scans the database for the presence of any key server authentication types other than PostXAuth. You can configure the parameters to make the key checker process take specific actions if the specified preconditions are not met. For information about the errors that can occur during the migration process, see the "Migration Error Messages" section on page 4-13.

Parameter                                      Used with (Command Line/Properties File)   Definition
maxUserErrors                                  both       Maximum number of errors that can occur while migrating the user tables before stopping the migration.
maxUuidErrors                                  both       Maximum number of errors that can occur while migrating the UUID tables before stopping the migration.
maxKeyErrors                                   both       Maximum number of errors that can occur while migrating the key tables before stopping the migration.
maxContactErrors both Maximum number of errors that can occur while migrating the contact tables before stopping the migration. precondition.key checker.database Name=dbname both Names the database that must be set in the rules file for use by the key checker process, before the migration can be run. precondition.key checker.class= class both Names the class that must be invoked as a precondition that must be met by the key checker process before the migration can be run. precondition.key checker.actionOn Fail=action both Sets the action to take if preconditions for the key checker process are not met. autoNotifyUser optional Enables or disables the sending of a notification email per user when the migration is complete. Valid values are true and false. notifyUserFrom optional Email address of the sender of the user notification email when the migration is complete. Available values for action are prompt, pass, and fail. Cisco Registered Envelope Service 4.7 Account Administrator Guide B-2 Appendix B Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES Parameter Used with the Command Line/ Properties File Definition notifyUserSubject optional Subject line of the email sent to the users to notify that the migration is complete. notifyUser.params .company optional Name of the users’ company that will receive notification that the migration is complete. notifyUser.params .cres.login optional URL for the CRES login of the users’ company that will receive notification that the migration is complete. level both Logging level. Available values are ERROR, WARN, INFO (default), DEBUG. logfile both Log filename (default: dbmigrate.log). tableset both Comma separated list of which sets of tables to export. Possible values are: reportProcessors maxsize both both • users—Used to export all user, usermap, and user profile tables. • contacts—Used to export all address book tables. • keys—Used to export all keys. • uuids—Used to export UUIDs. 
Comma separated list of which sets of tables to generate reports for. Possible values are: • users-report—Report for user, usermap, and user profile tables. • keys-report—Report for keys. Maximum size in bytes of HTTP message body sent from the IEA (Default: 2 MB. Maximum: 10 MB). Cisco Registered Envelope Service 4.7 Account Administrator Guide B-3 Appendix B Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES Parameter Used with the Command Line/ Properties File Definition batchsize both Maximum number of records sent per request (Default: 200. Maximum: 10000). batchdelay both Amount of time to pause between batches (Default: 0.6 seconds. Minimum: 0.2 seconds). retrycount both Number of times to retry each batch before giving up (Default: 5. Maximum: 30). retrydelay both Amount of time to pause between retries (Default: 20 seconds. Minimum: 1 second). rules both Name of the rules file. help command line Prints a description of the configuration parameters. config command line Name of the configuration properties file. connectTimeout both HTTP connect timeout. socketTimeout both HTTP socket timeout. sendBufferSize both Size of the HTTP send buffer. receiveBufferSize both Size of the HTTP receive buffer. acceptSelfSigned both You must leave this parameter at the default setting of false because you cannot use self-signed SSL certificates. acceptUntrusted both You must leave this parameter at the default setting of false because you cannot use untrusted SSL certificates. Cisco Registered Envelope Service 4.7 Account Administrator Guide B-4 Appendix B Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES Parameter Used with the Command Line/ Properties File Definition acceptExpired both You must leave this parameter at the default setting of false because you cannot use expired SSL certificates. requireServerTLS both Requires the use of a TLS server. Valid values are true and false. 
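As an added example that is not part of this guide or of the migration client, the following Python script reads a dbmigrate.properties file and flags settings that fall outside the limits documented above, treating any change to acceptSelfSigned, acceptUntrusted or acceptExpired away from false as a hard failure, since those three switches disable certificate validation on the connection that carries key material. The sample properties text is constructed. Two points are assumptions: the parameter name precondition.keychecker.actionOnFail is reconstructed from the wrapped table, and the 10 MB maxsize limit is read as 10 × 1024 × 1024 bytes. The guide does not state a default for requireServerTLS, so the script warns only when it is explicitly set to false.

```python
"""Pre-flight lint for a migration client dbmigrate.properties file.

Added example; not Cisco code. It checks the documented limits from
Appendix B and refuses the TLS certificate overrides before a run starts.
"""
import re

# The guide requires these to stay at their default of false.
TLS_MUST_BE_FALSE = ("acceptSelfSigned", "acceptUntrusted", "acceptExpired")

# Documented numeric bounds as (minimum, maximum); None means no bound is stated.
NUMERIC_LIMITS = {
    "batchsize": (None, 10000),
    "batchdelay": (0.2, None),
    "retrycount": (None, 30),
    "retrydelay": (1, None),
    "maxsize": (None, 10 * 1024 * 1024),  # assumption: "10 MB" means 10 * 1024 * 1024 bytes
}

ENUM_VALUES = {
    "level": {"ERROR", "WARN", "INFO", "DEBUG"},
    # assumption: wrapped table name joined as precondition.keychecker.actionOnFail
    "precondition.keychecker.actionOnFail": {"prompt", "pass", "fail"},
    "autoNotifyUser": {"true", "false"},
    "requireServerTLS": {"true", "false"},
}

LIST_VALUES = {
    "tableset": {"users", "contacts", "keys", "uuids"},
    "reportProcessors": {"users-report", "keys-report"},
}

MAX_ERROR_PARAMS = ("maxUserErrors", "maxUuidErrors", "maxKeyErrors", "maxContactErrors")

# Constructed sample, not a real deployment file: several settings are deliberately wrong.
SAMPLE_PROPERTIES = """\
# constructed sample
level=INFO
logfile=dbmigrate.log
tableset=users,keys,uuids
reportProcessors=users-report,keys-report
batchsize=20000
batchdelay=0.1
retrycount=5
retrydelay=20
acceptSelfSigned=true
acceptUntrusted=false
acceptExpired=false
requireServerTLS=true
maxKeyErrors=0
precondition.keychecker.actionOnFail=abort
"""


def parse_properties(text):
    """Parse the key=value subset of the Java .properties format.

    Lines starting with # or ! are comments; a later duplicate key overrides an
    earlier one, as java.util.Properties does.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_properties(props):
    """Return (errors, warnings). Errors should block the run; warnings are advisory."""
    errors, warnings = [], []

    for name in TLS_MUST_BE_FALSE:
        value = props.get(name, "false").lower()
        if value != "false":
            errors.append(f"{name}={value}: must stay false; certificate validation cannot be disabled")
    if props.get("requireServerTLS", "").lower() == "false":
        warnings.append("requireServerTLS=false: the client is not required to use a TLS server")

    for name, (lo, hi) in NUMERIC_LIMITS.items():
        if name not in props:
            continue
        try:
            value = float(props[name])
        except ValueError:
            errors.append(f"{name}={props[name]!r}: not a number")
            continue
        if lo is not None and value < lo:
            errors.append(f"{name}={props[name]}: below documented minimum {lo}")
        if hi is not None and value > hi:
            errors.append(f"{name}={props[name]}: above documented maximum {hi}")

    for name, allowed in ENUM_VALUES.items():
        if name in props and props[name] not in allowed:
            errors.append(f"{name}={props[name]}: expected one of {sorted(allowed)}")

    for name, allowed in LIST_VALUES.items():
        if name in props:
            bad = [t.strip() for t in props[name].split(",") if t.strip() not in allowed]
            if bad:
                errors.append(f"{name}: unknown table set(s) {bad}")

    for name in MAX_ERROR_PARAMS:
        if props.get(name) == "0":
            warnings.append(f"{name}=0: no error limit, the run will not stop on repeated failures")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_properties(parse_properties(SAMPLE_PROPERTIES))
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it against the real file by replacing SAMPLE_PROPERTIES with the file contents; a non-empty error list means the run should not start, and the acceptSelfSigned finding in particular should be fixed rather than suppressed.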
