Cisco Registered Envelope Service 4.3 Account Administrator Guide
December 6, 2014

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers.
Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco Registered Envelope Service 4.3 Account Administrator Guide
© 2014 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Overview 1-1
Role of Cisco Registered Envelope Service in Encryption 1-1
Corporate Account Administration 1-3

CHAPTER 2 Administration 2-1
Administration FAQs 2-1
What is a Cisco Registered Envelope Service corporate account? 2-1
What are the typical tasks of an account administrator? 2-2
Which email administration topics are covered in this guide? 2-2
What is recipient enrollment? 2-2
Cisco Registered Envelope Service Accounts 2-3
Users 2-3
What are user groups and roles? 2-3
Getting Started 2-4
Understanding the Corporate Account Setup Process 2-4
Logging In 2-4
Understanding the Icons in the Administration Console 2-7
Common Tasks 2-8
Customizing the Logo on Registered Envelopes 2-8
Adding a Corporate Account Administrator 2-10
Monitoring Account Activity 2-11
Managing Messages 2-12
Cisco Registered Envelope Service Account Administrator Guide iii Contents
Managing Users 2-13
Creating Users 2-13
Resetting User Passwords 2-14
Adding Users to Groups 2-15
Disabling Users 2-16
Using TLS Delivery 2-17
Adding and Testing TLS Domains 2-17
TLS Error Handling 2-19
Enabling Sender Registration 2-21
Selecting an Authentication Method 2-22
Configuring CRES Account Authentication 2-23
Authenticating with SAML 2-23
Configuring SAML Account Authentication 2-26
Configuring the PingFederate Logout URL 2-29
Configuring BCE Plug-in or Mobile Application Settings 2-30
Disabling and Enabling Access to Secure Compose 2-33
Configuring DNS to Include CRES 2-35

CHAPTER 3 Reporting 3-1
Reporting Overview 3-1
Account Usage Report 3-2
CHAPTER 4 Migrating the Data Needed to Create Keys from the IEA to CRES 4-1
Information About Migrating the Data Needed to Create Keys from the IEA to CRES 4-1
How to Migrate the Data Needed to Create Keys from the IEA to CRES 4-3
Migration Prerequisites 4-3
Features That Are Not Supported on CRES 4-4
Migration Procedure 4-5
Differences In Functionality Once the Migration Is Complete 4-11
Migration Error Messages 4-11
Example Configuration of HTTP Proxy 4-12
Cisco Content Security Welcomes Your Comments 4-14

APPENDIX A Contacting Customer Support A-1
Cisco Content Security Welcomes Your Comments A-2

APPENDIX B Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES B-1

CHAPTER 1 Overview

The Cisco Registered Envelope Service (CRES) is a hosted service that provides support for Cisco IronPort Encryption technology. CRES works in conjunction with Cisco IronPort Email Security appliances and Cisco IronPort Encryption appliances, which provide on-premises content scanning, policy enforcement, and encryption. CRES stores per-message encryption keys for encrypted messages. Recipients of encrypted messages authenticate themselves with the service to receive decryption keys.

Note The latest version of this guide and other CRES documentation is available on this product page.

Role of Cisco Registered Envelope Service in Encryption

The service manages the following elements of encryption:

• Recipient enrollment. Recipients of a registered envelope (an encrypted message) must enroll with the service the first time they open an envelope, unless the message is sent with low security. Enrollment is free of charge.
• Authentication. Enrolled users use Single Sign-On (SSO) or provide a password to open registered envelopes and read encrypted messages.
• Encryption keys.
An encryption key is created for each encrypted message. When an enrolled recipient enters their password in the registered envelope, the service sends the decryption key that opens the envelope.
• Message expiration and locking. Enrolled users can set the expiration date and control message locking for the encrypted messages that they send. Corporate account administrators can control expiration dates and message locking for all encrypted messages sent using the corporate account.
• Secure Forward and Secure Reply messages. Depending on the corporate account configuration, recipients may be able to forward and reply to encrypted messages using encryption. CRES handles the encryption for Secure Forward and Secure Reply messages.

The figure shows how CRES works in conjunction with a Cisco IronPort Email Security appliance. The service supplies the decryption key to the registered recipient of an encrypted message. The diagram depicts the following process:

Step 1 A Cisco IronPort Email Security appliance uses encryption to encrypt a message and deliver it.
Step 2 The recipient enters his or her CRES password in the registered envelope.

Note If the message is configured for low security, then the recipient need not enter a password to open the secure envelope.

Step 3 CRES supplies the decryption key that opens the envelope.
Step 4 The recipient’s web browser displays the decrypted message.

Corporate Account Administration

CRES provides administrative functionality for organizations’ corporate accounts. The initial CRES administration role is assigned to the Registered Technical Contact.
An administrator for a corporate account can perform the following tasks, among others:

• Customize the logo displayed on registered envelopes
• Manage messages sent through the service
• Generate account usage reports
• Manage users (such as lock accounts and reset passwords)
• Configure TLS settings for encrypted secure reply without requiring an envelope

CHAPTER 2 Administration

This chapter includes the following topics:

• Administration FAQs, page 2-1
• Getting Started, page 2-4
• Common Tasks, page 2-8

Administration FAQs

This section provides answers to frequently asked questions (FAQs) about the role of a Cisco Registered Envelope Service (CRES) corporate account administrator.

What is a Cisco Registered Envelope Service corporate account?

Each organization that uses encryption technology and CRES has a corporate account with the service. This account can be used in conjunction with one or more Cisco IronPort Email Security appliances that send encrypted messages. Typically, an organization has a single corporate account, and the account administrator(s) manages only that account.

What are the typical tasks of an account administrator?

Typical administrative tasks include:

• Configuring the corporate account (for example, uploading an organization’s logo to display it on Registered Envelopes sent using the account).
• Monitoring account usage (for example, viewing statistics about user registration and user account activation).
• Managing messages sent using the account (for example, disabling access to a particular message).

Note Account administrators cannot access the content of user messages that they manage in the Administration Console.
For more information about administrative tasks, see the “Common Tasks” section on page 2-8.

Which email administration topics are covered in this guide?

Administration of a Cisco IronPort secure email solution involves two distinct areas of responsibility:

• Managing Cisco IronPort appliances, such as Cisco Email Security appliances and Cisco IronPort Encryption appliances
• Managing a CRES corporate account

This guide contains information about managing a CRES corporate account. For information about managing Cisco IronPort Email Security appliances, see the product documentation available on the Cisco Customer Support Portal.

What is recipient enrollment?

Recipient enrollment, also called user registration, is the process of creating a CRES user account for a first-time recipient of a Registered Envelope. Most message recipients must complete the enrollment process before they can open the encrypted messages that they receive. However, if the message uses low security, the user can open the message without registering. During the enrollment process, the recipient provides user profile information, chooses a password, and selects security questions and answers.

Cisco Registered Envelope Service Accounts

When a user enrolls with CRES, the user is not associated with a particular sender’s corporate account. Senders have accounts, and recipients have accounts. The sender CRES account allows the sender of an encrypted message to manage their secure messages by expiring or recalling them.

Users

User account administration is handled by system administrators at CRES. Typically, corporate account administrators do not manage individual user accounts. It is possible for a corporate administrator to manage internal CRES users for the purpose of resetting passwords or locking existing accounts.
If a CRES administrator wishes to manage their user accounts, a customer support ticket must be filed to add the managed domains to the account.

What are user groups and roles?

Groups are lists of enrolled users. Roles are sets of privileges that you can associate with groups. For example, to create an account administrator, someone with administrative privileges for the account must add the user to the account administrator group. Roles are not associated with individuals.

Note Every user in a particular account administrator group can administer that account.

Getting Started

This section explains how to get started using the Administration Console for a CRES corporate account.

Understanding the Corporate Account Setup Process

When an organization configures a Cisco IronPort Email Security appliance to use encryption with CRES as the hosted key service, a corporate account is created for the organization. The organization’s Cisco IronPort Email Security appliance is associated with the corporate account.

Note As a corporate account administrator, you are not involved in the initial account setup process.

By default, the Account Administrator group for the new account includes the organization’s initial corporate account administrator. The corporate account administrator can create additional administrators by adding users to the Account Administrator group. For more information, see the “Adding a Corporate Account Administrator” section on page 2-10. The Account Administrator group may also include IronPort Sales Engineers who are familiar with the organization’s Cisco IronPort Email Security appliances and system configuration.

Logging In

To manage your corporate account, log in using this URL: https://res.cisco.com/admin

If you are the administrator for multiple accounts, you are asked to select an account when you log in.
You can then select whether you want:

• The selected account to be remembered on your computer.
• The remembered account to be automatically selected the next time you log in.

These options are represented by the following two checkboxes:

• Remember account on this computer — If checked, the selected account will also be selected in the list the next time you log in using the same browser. Only active accounts are shown in the list.
• Automatically select remembered account — If checked, the list of accounts is not displayed and the information for the remembered account is displayed when you log in. The Automatically select remembered account checkbox is not enabled if the Remember account on this computer checkbox is not checked.

To select another account after you have logged in, use the Select Account link at the bottom of the home page of the Administration Console. This link also allows you to uncheck the Automatically select remembered account checkbox.

When you log in to a corporate account, the Administration Console is displayed.

Figure 2-1 Administration Console for a Corporate Account

The home page is the Monitor Account page, which displays a summary of account activity. The Administration Console contains the following tabs and links for navigating the site:

• Home. Displays the Monitor Account page. Use the Monitor Account page to view system and account status. Click the Update button to retrieve the latest status information, or enter a value in the Update Interval field and click Update to refresh the page at regular intervals (for example, every 10 seconds).
• Users. Displays the User Management page. Typically, this page is used only by system administrators at Cisco.
Corporate account administrators have access to only the individuals assigned to their account, and only if they have added the correct domain.
• Reports. Displays the View Reports page. The View Reports page is typically used to run the Account Usage report. For more information about the Account Usage report, see Chapter 3, “Reporting.” The View Reports page includes links to the following reports:
– User Information report. Shows a listing of the users associated with your account, but only if one or more domains are associated with the account, including sequence number ( # ), User ID, Email Address, First Name, Last Name, Status, Date Created, Last Login Date, and Last Modified Date.
– Users Status report. Shows the status (New, Active, Blocked) for users associated with your domain.
– Account Usage report. Run this report to view usage statistics for your corporate account. For more information about the Account Usage report, see Chapter 3, “Reporting.”
• Accounts. Displays tabs for the Account Management page and the Manage Registered Envelopes page. Click the Manage Accounts tab to view the Account Management page, where you can configure your CRES corporate account. For more information, see the “Customizing the Logo on Registered Envelopes” section on page 2-8 and the “Adding a Corporate Account Administrator” section on page 2-10. Click the Manage Registered Envelopes tab to search for and manage the Registered Envelopes that were sent using your corporate account. For more information, see the “Managing Messages” section on page 2-12.

Understanding the Icons in the Administration Console

Use the icons in the Administration Console to navigate the system and manage areas such as accounts and users. Hover text indicates what each icon represents.

Table 2-1 Icon Listing
Icon  Title                  Action
      Manage Users           Access the Group Membership page.
      Manage Roles           Access the Group Authorization page.
      Save Token             Save the token to your local machine. Tokens are customer-specific keys used to encrypt data between the Cisco Email Security Appliance (ESA) and CRES (or a local key server). Currently used only by Customer Support.
      Manage Rules           Access the Rules page.
      Close or Delete item   Delete the item.

Common Tasks

This section explains how to use the Administration Console to perform the following administrative tasks:

• Customizing the logo on Registered Envelopes
• Adding a corporate account administrator
• Monitoring account activity
• Managing messages
• Managing users
• Using TLS for encrypted but user-transparent delivery of secured messages
• Enabling sender registration
• Selecting an authentication method
• Configuring BCE plug-in or mobile application settings
• Disabling and enabling access to Secure Compose
• Configuring DNS to Include CRES

Note Users can set the timestamp to their local time zone and to their desired format (12 hours or 24 hours). Any Administration Console screen that includes user timestamps will be affected by this feature for those users that have set the timestamp to their local time zone.

Customizing the Logo on Registered Envelopes

To change the logo displayed on messages sent using your account:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page is displayed.

Figure 2-2 Account Management Page

Step 3 Click the link for your account number.

Note Each organization typically has a single corporate account.

The Details tab for the account is displayed.
Step 4 Click the Images tab for the account.
Figure 2-3 Images Tab

Step 5 Browse to the logo file that you want to upload, and click Add Image.

Note The logo should be at most 60×160 pixels.

Adding a Corporate Account Administrator

To add a corporate account administrator:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page is displayed, as shown in Figure 2-2.
Step 3 Click the link for your account number.

Note Organizations typically have a single corporate account.

The Details tab for your account is displayed.
Step 4 Click the Groups tab for the account.
Step 5 Click the Manage Users icon. For more information, see the “Understanding the Icons in the Administration Console” section on page 2-7.
Step 6 On the Group Membership page, enter the user ID of the registered user that you want to add as a corporate account administrator.
Step 7 Click Add to Group.

Monitoring Account Activity

The IronPort Email Security appliance provides detailed information about encryption usage. For example, you can use the appliance to generate reports on the content filters that mark messages for encryption. To supplement the reports that the appliance generates, CRES provides general information about corporate account activity. You can view this information in the Administration Console.

The Monitor Accounts tab on the home page displays information about account activity, including user registration, login counts, and statistics about opened and sent encrypted messages (Registered Envelopes). In addition, you can view the Account Usage report on the Accounts tab.
For more information about CRES reports, see Chapter 3, “Reporting.”

Managing Messages

As a corporate account administrator, you can view and manage the status of any message sent using the account. To manage messages:

Step 1 Log in to the Administration Console for the corporate account.
Step 2 Click the Accounts tab. The Account Management page is displayed, as shown in Figure 2-2.
Step 3 Click the Manage Registered Envelopes tab. The Manage Registered Envelopes page is displayed.

Figure 2-4 Manage Registered Envelopes Page

Step 4 Click Search to view all messages sent in the last hour, or enter search criteria and click Search to view particular messages.

The search results display the status of each message, including time sent, time last opened, message expiration time, and message lock information. To set an expiration date, select one or more messages and click the Update Expiration Dates link. To lock or unlock messages, select one or more messages and click the Lock/Unlock Envelopes link. When you lock envelopes, you can enter a reason for the lock. The reason is displayed on the envelope when a recipient attempts to open it.

Managing Users

The Users tab provides access to the Manage Users functionality, including creating users, searching for users, resetting passwords, adding users to groups, and disabling users. You can manage users only for a domain associated with your account. To associate a domain with your account, contact support.

Note Users existing in the system before the domain was associated with your account will need to be migrated to your account. Let support know if you have existing users when requesting the domain association.

Creating Users

To create a user:

Step 1 Click Add User on the Manage Users page.
Step 2 Fill in the form.
Figure 2-5 Create User Page

Step 3 You can set custom options such as enforcing a password expiration date, allowing users to bypass security questions when resetting passwords, or skipping the creation of mailboxes for certain users.
Step 4 Click Save.

Note The user that you create must belong to your email domain.

Resetting User Passwords

Users can reset their passwords via the following link: https://res.cisco.com/websafe/pswdForgot.action

If that method is unsuccessful (for example, if the user cannot recall the answers to the challenge questions), you can reset a user’s password via the administrator interface. To reset a user’s password:

Step 1 Select the user (click the username in the search results on the Manage Users page).
Step 2 Click Modify.
Step 3 Click Change by the password field.
Step 4 Reauthenticate.
Step 5 Enter the user’s new password.
Step 6 Confirm the password.
Step 7 Save your changes.

Adding Users to Groups

You can add a user to a group (or remove a user from a group) to give that user additional (or fewer) privileges. To manage a user’s group membership:

Step 1 Select the user (click the username in the search results on the Manage Users page).
Step 2 Click the Groups icon in the Actions column for the user.

Figure 2-6 Groups Icon on the User Listing

Step 3 The Group Membership page is displayed. The box on the left shows the groups of which the user is a member. The box on the right shows any other available groups.
Step 4 Click a group to select it and then click the right or left arrow to move the group between the two boxes.
Step 5 Click Done to save your changes.
Disabling Users

You may need to temporarily disable a user’s account—for example, when a user leaves a company. To disable a user:

Step 1 Select the user (click the username in the search results on the Manage Users page).
Step 2 Click Modify.
Step 3 Set the User Status to Locked.

Figure 2-7 Setting a User’s Status to Locked

Step 4 Save your changes.

Using TLS Delivery

Transport Layer Security (TLS) delivery allows CRES-originated messages such as secure replies to be delivered encrypted back to the sending domain without having to use an envelope. You can enable TLS delivery to provide a secure method of delivering email without requiring end users to log in to CRES or install the encryption plug-in to receive or view email. TLS is enabled on a per-account basis. For each account, you specify one or more TLS domains and error handling behavior.

Adding and Testing TLS Domains

To enable TLS for an account, you must add at least one domain. Adding a domain initiates a process where the domain is scanned for TLS support. A domain must pass TLS domain testing before it can be added. The TLS domain test uses the CRES servers to verify information and connectivity. The check ensures:

• that there are MX records associated with the domain entry, and
• that the MX records can be resolved to an IP address and each MX record has working mail servers associated with it, and
• that the CRES servers can establish an SMTP connection via port 25 with the above-mentioned mail servers, and
• that each above-mentioned mail server supports the STARTTLS extension, and
• finally, that the CRES servers can initiate a successful TLS connection to each mail server serving the MX record.
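The checks in this list, as an added example that is not Cisco's code: a Python model of the TLS domain test that probes each mail server behind a domain's MX records for an SMTP session on port 25, the STARTTLS extension and a certificate that verifies, then applies the pass / inconclusive / failure rule the guide states for the overall result, with the CA-signed requirement of CRES 4.1 and the looser 4.0 behaviour as a switch. The script name, the `dig` workflow for obtaining the MX hosts and the constructed host results in the comments are assumptions; the real test runs from the CRES servers.

```python
"""Model of the CRES TLS domain test described in the guide.

Added example, not Cisco's code. The real test runs from the CRES servers;
this repeats the same per-server checks from wherever you run it. MX lookup
is not in the standard library, so the mail hosts are passed on the command
line (for example from `dig +short MX example.com`, an assumed workflow).
"""
import smtplib
import ssl
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate


@dataclass
class HostResult:
    host: str
    smtp_ok: bool = False       # SMTP session on port 25 established
    starttls_ok: bool = False   # STARTTLS advertised and handshake attempted
    cert_trusted: bool = False  # certificate chained to a trusted CA, in validity
    cert_expired: bool = False  # handshake rejected specifically for expiry
    error: str = ""


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> HostResult:
    """Check one mail server the way the guide lists: SMTP connection on port 25,
    STARTTLS extension, then a TLS handshake with full certificate verification."""
    result = HostResult(host)
    # The default context verifies chain, hostname and validity period, so a
    # self-signed, unchained or expired certificate fails the handshake.
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result.smtp_ok = True
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result.error = "server does not advertise STARTTLS"
                return result
            smtp.starttls(context=ctx)
            result.starttls_ok = True
            result.cert_trusted = True
    except ssl.SSLCertVerificationError as exc:
        # TLS itself works on this server; only the certificate was rejected.
        result.starttls_ok = True
        result.cert_expired = getattr(exc, "verify_code", None) == X509_V_ERR_CERT_HAS_EXPIRED
        result.error = f"certificate rejected: {exc}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result.error = f"{type(exc).__name__}: {exc}"
    return result


def host_passes(r: HostResult, require_ca_signed: bool = True) -> bool:
    """Per-server verdict. require_ca_signed=True is the CRES 4.1+ rule (CA-signed
    only); False is the 4.0 rule (self-signed and unchained accepted, expired not)."""
    if not (r.smtp_ok and r.starttls_ok) or r.cert_expired:
        return False
    return r.cert_trusted or not require_ca_signed


def classify_tls_domain(
    mx_hosts: Iterable[str],
    probe: Callable[[str], HostResult] = probe_starttls,
    require_ca_signed: bool = True,
) -> Tuple[str, List[HostResult]]:
    """Aggregate over every server behind the domain's MX records using the
    guide's rule: pass (all servers), inconclusive (some), failure (none)."""
    results = [probe(host) for host in mx_hosts]
    if not results:
        return "failure", results  # no MX records means nothing to test
    good = sum(1 for r in results if host_passes(r, require_ca_signed))
    if good == len(results):
        return "pass", results
    if good:
        return "inconclusive", results
    return "failure", results


if __name__ == "__main__":
    # Usage (assumed): python tls_domain_test.py mx1.example.com mx2.example.com
    verdict, details = classify_tls_domain(sys.argv[1:])
    for r in details:
        print(f"{r.host}: smtp={r.smtp_ok} starttls={r.starttls_ok} "
              f"trusted={r.cert_trusted} expired={r.cert_expired} {r.error}")
    print("domain result:", verdict)
```

An inconclusive result here points at the specific MX host that lacks STARTTLS or presents an untrusted certificate, which is the information Customer Support will ask for with a Request Approval submission.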
With CRES 4.1 and later, to use TLS for secure replies, you must use a CA-signed certificate. CRES 4.0 and earlier will support TLS connections to self-signed, untrusted (non-chained), or trusted certificates. It will not set up a connection if a certificate has expired.

A TLS test for a domain generates one of three possible results: pass, inconclusive (partial pass), and failure.

• Pass: A domain is considered to pass a TLS test when the test on all servers in the MX records passes. Domains that pass TLS tests are added as TLS domains and receive a status of “processing” while they await approval by Customer Support.
• Inconclusive: If the test has passed on at least one associated mail server but not all, the result is considered inconclusive. Inconclusive domains are, by default, not added as TLS domains. You can add an inconclusive domain by clicking the Request Approval button displayed by the results. Enter information about why the domain should be added and then submit.
• Failure: If no mail servers associated with the domain support TLS, the domain has failed the test. Domains that fail TLS tests are not added as TLS domains.

A customer support ticket is opened for each passing domain or approval request for inconclusive domains. You will receive an email indicating that the domain has been added or requesting more information about the domain.

You can also test domains without adding them to the list of TLS domains by using the Test Domain button rather than the Add Domain button. Support requests are not opened for tested domains.

To add or test a TLS domain:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click on an account number and choose the Features tab.

Figure 2-8 Account Management Page, Features Tab

Step 3 Enter a domain.
a. To test the domain, click Test Domain.
b. To add the domain, click Add Domain.
Step 4 A message is displayed indicating the results.
Step 5 If an added domain passes, it is displayed in the “Domain” list with a status of “Processing.”
Step 6 Delete domains by clicking the trash can icon.

Note Do not forget to specify the TLS error handling behavior. See “TLS Error Handling” on page 2-19 for more information.

TLS Error Handling

To control what happens if TLS delivery stops working (due to an expired certificate, for example), configure TLS error handling. You can choose “Bounce Messages” or “Fallback to Registered Envelope Delivery.”

Note If the TLS failure delivery preference is set to “Fallback to Registered Envelope Delivery,” remember to change the TLS delivery option to TLS Preferred on your in-house mail server.

• Fallback to Registered Envelope Delivery: If the TLS delivery fails (due to an expired certificate, for example), the system reverts to sending registered envelopes.
• Bounce Messages: For accounts configured to bounce messages during TLS delivery failure, the bounce will happen after 24 hours, during which a retry will be attempted every hour. For accounts configured to fall back to registered envelope delivery, fall back will happen after 1 hour, during which a retry will be attempted every 20 minutes.

To specify TLS error handling behavior for an account:

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click on an account number and choose the Details tab.

Figure 2-9 Account Management Page

Step 3 Select a TLS failure delivery preference.
Step 4 Click Save.

Enabling Sender Registration

You can configure the system to automatically offer to register senders on a per-account basis. This is also useful if you would like to offer CRES accounts to your email senders who do not currently use CRES to send encrypted mail.
Once registered, senders can learn more about the options available to them for controlling their encrypted messages. If you enable this feature, senders receive email messages inviting them to create an account on the CRES server. They receive these invitations once every 30 days, and they can opt out easily by following the instructions included in the invitation. You cannot change the frequency of invitations.

To enable sender registration for an account:
Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.

Figure 2-10 Enabling Sender Registration

Step 3 Check the Enable Sender Registration checkbox.
Step 4 Click Save.

Selecting an Authentication Method

You must assign one of the two authentication methods to an account and correctly configure the authentication. You can change an account’s authentication method later if required. CRES provides two different methods for authenticating users:
• Configuring CRES Account Authentication, page 2-23.
• Configuring SAML Account Authentication, page 2-26.

You may want to use CRES authentication if you want to retain full control over the authentication process. SAML is an XML application for Single Sign-On (SSO). For further information on how CRES implements SAML authentication, see Authenticating with SAML, page 2-23. You may want to use SAML-based authentication if you are already using the Cisco IronPort Web Security Appliance or PingFederate as a SAML identity provider for SSO. For more information, see Configuring the PingFederate Logout URL, page 2-29.

Configuring CRES Account Authentication

To configure CRES authentication for an account:
Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.
Step 3 In the Authentication Method list, click CRES.
Step 4 Click Save.

Authenticating with SAML

SAML is an XML-based standard primarily used for Single Sign-On (SSO), a simpler way for end users to authenticate with multiple web services, such as CRES. Currently only SAML 2.0 is supported. Single Sign-On means users log in once to authenticate (with an identity provider) and thereafter use a range of services from service providers without having to log in again. The protocol also supports Single Log-Out. This simplifies the user experience and improves security because the user no longer has to remember login details for multiple services.

CRES support for SAML works for new and existing CRES envelopes. SAML authentication must be enabled individually for each corporate account. After this is done, all users in that account must authenticate with SAML. Any users not owned by the account will continue to use CRES authentication.

SAML Overview

SAML enables exchanging authentication and authorization data between different secure networks, sometimes referred to as security domains. Typically, SAML is used when there are users in one domain accessing a network (a different domain) using a web browser. To achieve Single Sign-On, a SAML dialogue must be engaged by an entity in each domain, which SAML defines using the following terms:
• Identity provider (IdP). An identity provider is an entity that produces SAML assertions. The identity provider is expected to authenticate its end users before producing a SAML assertion. CRES should work with most SAML 2.0 identity providers. However, it is certified to work only with the Cisco IronPort Web Security Appliance and PingFederate.
• Service provider (SP). A service provider is an entity that consumes SAML assertions. The service provider relies on the identity provider to identify the end user and communicate that identification to the service provider in the SAML assertion. The service provider makes an access control decision based on the assertion. With SAML authentication enabled, CRES acts as a service provider.

SAML assertions are containers of information passed between identity providers and service providers inside SAML requests and responses. Assertions contain statements (such as authentication and authorization statements) that service providers use to make access control decisions. Assertions start with the <saml:Assertion> tag.

SAML dialogues are called flows, and flows can be initiated by either provider:
• Service provider initiated flow. The service provider is contacted by an end user requesting access, so it starts a SAML dialogue by contacting the identity provider to provide identification for the user. For service provider initiated flows, the end user accesses the service provider using a URL that contains the service provider’s domain, such as http://www.serviceprovider.com/.
• Identity provider initiated flow. The identity provider starts a SAML dialogue by contacting the service provider, requesting access on behalf of an end user. For identity provider initiated flows, the end user accesses the service provider using a URL that contains a local domain, such as http://saas.example.com/.

CRES supports only service provider initiated flows.

Note This section does not provide a comprehensive discussion of SAML, nor of how identity providers and service providers communicate with each other. For more detailed information, see http://saml.xml.org/wiki/saml-wiki-knowledgebase. For further information about using the Web Security appliance as an identity provider, see the “Controlling Access to SaaS Applications” chapter in the Cisco IronPort AsyncOS for Web User Guide (release 7.0 or later).
Requirements

To use SAML authentication with CRES as the service provider, the following requirements must be met:
• CRES currently supports using PingFederate or the Cisco IronPort Web Security Appliance as an identity provider.
• The identity provider’s SAML login mechanism must be able to work without JavaScript.
• The identity provider must support SAML 2.0.
• In the SAML assertion, the SAML NameID or attribute must contain the email address.

Caveats

There are some caveats when using SAML authentication:
• SAML must be enabled individually for each corporate account.
• The SAML login page is provided by the SAML identity provider, not by CRES. This means no CRES logging is available for the SAML logins, and login problems should be reported to your SAML identity provider.
• User password maintenance, such as recovering a forgotten password or changing a password, must be performed via the identity provider, not CRES, for users with SAML-authenticated accounts.
• SAML authentication is not enabled for administration accounts (admin config) to prevent those accounts being inadvertently locked out.
• Unlike CRES-authenticated accounts, you cannot consolidate SAML-authenticated accounts.
• When the Cisco IronPort Web Security Appliance is used as the identity provider, JavaScript must be enabled for the login page to function correctly.
• When the Cisco IronPort Web Security Appliance is used as the identity provider, passwords are not cached and the user must authenticate every session.
• If there is a problem with the identity provider, SAML users may be unable to authenticate even when their credentials are valid.
• If the identity provider becomes permanently unavailable, you must change the authentication method to CRES to enable users to authenticate.
• The administrator is dependent on the identity provider to provide an alert if there is a problem with the SAML service.
• Even if end users have valid credentials, they may be unable to access the service if there is a problem with the identity provider.

User Experience

The user experience with SAML authentication is much the same whether JavaScript is enabled, whether there are one or more recipients, or whether those are BCC recipients. Users open an envelope (or Mobile Device Support (MDS) link), select their user identity or provide their email address as required, and authenticate through the identity provider. Alternatively, users can navigate to https://res.cisco.com in a web browser, enter an email address, and authenticate through the identity provider.

Configuring SAML Account Authentication

When you enable SAML authentication, it is very important to configure the CRES account to match the settings of the identity provider account. You will need the following information (Web Security Appliance / PingFederate equivalents):
• Service provider entity ID (SaaS application name / connection ID)
• Customer service URL (Single sign-on URL / base URL)
• Identity provider verification certificate
• (Optional) Alternate email attribute name (SAML attribute / email address)

If you are using the Cisco IronPort Web Security Appliance as the identity provider, this information can be found on the SaaS Application Authentication Policies page. The certificate can be downloaded from the Edit Identity Provider Settings for SaaS Single Sign On page. If you are using PingFederate as the identity provider, this information can be found in the Summary area.
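The service-provider checks implied by the requirements above (audience must equal the account’s service provider entity ID, the assertion must be within its validity window, the NameID format is transient, and the email address comes from the NameID or the alternate email attribute), as an added example that is not CRES code. SAMPLE_ASSERTION is constructed, and SP_ENTITY_ID and ALT_EMAIL_ATTR are assumed stand-ins for the values an administrator enters on the account Details tab.

```python
"""Service-provider-side checks on a SAML 2.0 assertion, mirroring what CRES
(acting as the service provider) must establish before trusting an identity.

Added example, not CRES code. SAMPLE_ASSERTION is constructed; SP_ENTITY_ID and
ALT_EMAIL_ATTR are assumed stand-ins for the SSO Service Provider Entity ID and
SSO Alternate Email Attribute Name entered on the account Details tab.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

SP_ENTITY_ID = "https://sp.example.invalid/cres"   # assumed value
ALT_EMAIL_ATTR = "mail"                             # assumed value

# Constructed sample: transient NameID, e-mail address carried in an attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2014-12-06T10:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_opaque123</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-12-06T09:55:00Z" NotOnOrAfter="2014-12-06T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/cres</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>Alice@example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, sp_entity_id, alt_email_attr, now):
    """Return (True, email) if the assertion may be trusted, else (False, reason).

    Cryptographic verification of the signature against the IdP verification
    certificate uploaded on the Details tab must be done by an XML-DSig library;
    this function only refuses unsigned assertions.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a saml:Assertion"
    if root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"
    # The assertion must be addressed to this account's SP entity ID.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience does not include %s" % sp_entity_id
    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= parse_time(not_on_or_after):
        return False, "assertion expired"
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, "missing NameID"
    fmt = name_id.get("Format", "")
    if fmt and fmt != TRANSIENT:
        return False, "unsupported NameID format " + fmt
    # The e-mail address may sit in the NameID itself or in the configured attribute.
    candidates = [name_id.text or ""]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == alt_email_attr:
            candidates += [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for value in candidates:
        if EMAIL_RE.match(value.strip()):
            return True, value.strip().lower()
    return False, "no e-mail address in NameID or attribute '%s'" % alt_email_attr


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, ALT_EMAIL_ATTR,
                          parse_time("2014-12-06T10:00:00Z")))
```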
Note When configuring PingFederate as the IdP, you must specify the CRES Assertion Consumer Service URL as an endpoint. In addition, for users to be able to log out, the SSO Logout URL must be configured. For instructions on configuring this setting, see “Configuring the PingFederate Logout URL” on page 29.

To configure SAML authentication for an account:
Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.

Figure 2-11 Selecting an Authentication Method

Step 3 In the Authentication Method drop-down list, choose SAML 2.0. The SSO Enable Date, the last date SAML was successfully configured and activated, is displayed. The SSO Email Name ID Format is shown. Currently only the transient SAML name format is supported.
Step 4 Enter the SSO Alternate Email Attribute Name. This is the attribute name that contains the alternate email addresses used as the name identifier.
Step 5 Enter the service provider’s entity ID in the SSO Service Provider Entity ID field.
Step 6 Enter the SSO Customer Service URL. This is the SAML identity provider Single Sign-On URL.
Step 7 Enter the SSO Logout URL. This is the SAML identity provider logout URL. The Single Sign-On binding, typically HTTP-Redirect or HTTP-POST, is displayed together with the SSO Assertion Consumer URL.
Step 8 (Optional) Click Download to download a copy of the SSO service provider verification certificate. This is the public self-signed certificate that is required by your identity provider (IdP) to verify the signature of the SAML logout request from CRES.
Step 9 Click Browse, and select and upload the SSO identity provider verification certificate, provided by the SAML identity provider (Cisco IronPort Web Security Appliance or PingFederate). The current certificate is displayed.
Step 10 Click Save.
Step 11 Click Activate.

Note When you have saved the details, you must then activate the SAML login. This prevents you from accidentally locking out users in case of a configuration error.

Configuring the PingFederate Logout URL

In order to log out from an envelope that was configured with PingFederate as the IdP, the logout URL must be configured in PingFederate. This is critical because the end user must click the logout button to completely log out of CRES.

To configure the logout URL in PingFederate:
Step 1 From the CRES Account Management screen for the account, download and save the public certificate.
Step 2 On the PingFederate server for the account, click Signature Verification Certificate.
Step 3 Click Manage Certificates.
Step 4 Import the certificate that you saved in Step 1.
Step 5 Ensure that the imported certificate is the primary certificate.

Note PingFederate allows you to have more than one public certificate when verifying SAML logout requests. As a result, after you download the public certificate from CRES, you must ensure that this certificate is the first, or primary, certificate in PingFederate.

Configuring BCE Plug-in or Mobile Application Settings

To deploy Business Class Email (BCE) plug-ins or mobile applications, you will need to send a signed configuration file to each user. You must be an account administrator to complete these steps. To sign and deploy the BCE configuration file, go to the Accounts tab and choose the account for which you want to enable the BCE plug-in. Then, go to the BCE Config tab and follow the instructions below.
Note If you use a Cisco IronPort appliance as your key server, you will need to download the token from your Cisco IronPort Encryption appliance before you begin.

Figure 2-12 BCE Configuration Tab

Step 1 Choose the token to use with the configuration template. If you use CRES as your key server, choose a CRES token. If you use a Cisco IronPort appliance, navigate to the IEA token you downloaded to your local machine, and then upload it.
Step 2 Download the template file in order to edit it.
Step 3 Edit the configuration file. The BCE_Config.xml file contains detailed instructions for the fields you will need to edit based on your particular environment. Open the file in a text editor and follow the instructions included in the comments to make the necessary modifications.
Step 4 Click Browse to navigate to the BCE_Config.xml file, and click Upload and Sign after you have located the file. Once the configuration file is signed, it will appear as BCE_Config_signed.xml. Save this file to your local machine.
To deploy the signed configuration file to individual end users:
a. Compose an encrypted email, and attach the BCE_Config_signed.xml file to the encrypted email.
b. Then send this email to all end users for which you want to enable BCE (Business Class Email).

Note The sender of the email must be the same as the account administrator who signed the BCE_Config.xml file. Do not send the BCE_Config_signed.xml file to a mailing list. CRES does not support mailing lists.

Step 5 (Optional) To send the signed configuration file to a bulk list:
a. Click Browse to navigate to the BCE_Config_signed.xml file that you are sending to the end users.
b. Click the next Browse button to navigate to the .csv file of email addresses for which you want to enable BCE, or manually enter a list of email addresses, separated by commas or semicolons.
c. By default, the Email Subject is “Cisco BCE Configuration File.” To change it, type new text in this field.
d. Click Distribute Config to send the BCE_Config_signed.xml file to the list of email addresses.

Note For security purposes, the BCE_Config_signed.xml file is only recognized in an encrypted envelope. Therefore, the optional TLS settings of recipient domains are ignored when a BCE_Config_signed.xml file is sent.

Disabling and Enabling Access to Secure Compose

This feature enables you to restrict your users from sending emails through Secure Compose. It gives you control over emails from Secure Compose that cannot be scanned or archived and could cause security issues or violations of corporate policy. Disabling Secure Compose removes the Compose Message link from the left-hand navigation menu of the end-user portal for users in your account. You can disable Secure Compose only for users in a domain associated with your account. To associate a domain with your account, contact customer support.

Figure 2-13 Disabling Access to Secure Compose

Step 1 On the Accounts tab, choose the Manage Accounts tab.
Step 2 Click an account number and choose the Details tab.
Step 3 To enable access to Secure Compose, check the Make Secure Compose Available checkbox.
Step 4 To disable access to Secure Compose, uncheck the Make Secure Compose Available checkbox.
Step 5 Click Save.
Note Any SecureCompose token on your account’s Tokens tab is used internally and should not be modified. Modifying or deleting that token will not disable Secure Compose. To disable Secure Compose, use the procedure described above.

Configuring DNS to Include CRES

In order to avoid Sender Policy Framework (SPF) verification failures, you must add mx:res.cisco.com to your SPF record. Where and how you add CRES to your SPF record depends on how Domain Name System (DNS) is implemented in your network topology. Contact your DNS administrator for more information.

If DNS is not configured to include CRES, then when secure compose and secure reply messages are generated and delivered through the hosted key servers, the outgoing IP address will not match the IP addresses listed in your SPF record at the recipient’s end, resulting in an SPF verification failure.

Chapter 3 Reporting

This chapter covers the following subjects:
• “Reporting Overview” on page 1
• “Account Usage Report” on page 2

Reporting Overview

The Reporting feature has an easy-to-use interface allowing you to simply enter your search criteria and generate the desired report. Select reports can be downloaded in spreadsheet or PDF format. To access the reporting feature, click the Reports tab. The following reports are available:
• User Information report. Shows a listing of the users associated with your account, but only if one or more domains are associated with the account, including sequence number ( # ), User ID, Email Address, First Name, Last Name, Status, Date Created, Last Login Date, and Last Modified Date.
• User Status report. Shows the status (New, Active, Blocked) for users associated with your domain.
• Account Usage report.
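A check for the SPF requirement above, as an added example that is not Cisco tooling: it parses an SPF TXT record string and confirms that the mx:res.cisco.com mechanism is present; it also reports two general SPF hygiene points beyond what the guide states (the 10-DNS-lookup limit and whether the all term comes last). The sample records are constructed; in practice you would pass in the TXT record fetched for your sending domain.

```python
"""Check a domain's SPF TXT record for the mx:res.cisco.com mechanism required
by the guide. Added example, not Cisco tooling; the records in GOOD/MISSING are
constructed samples using documentation address space."""

CRES_MECHANISM = ("mx", "res.cisco.com")
# RFC 7208 terms that each cost a DNS lookup (at most 10 per evaluation).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

GOOD = "v=spf1 mx mx:res.cisco.com ip4:192.0.2.0/24 -all"       # constructed
MISSING = "v=spf1 mx ip4:192.0.2.0/24 -all"                     # constructed


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms, or None if
    the string is not an SPF version 1 record."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for raw in parts[1:]:
        qualifier = "+"                       # the implicit qualifier is "pass"
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        if "=" in raw:                        # modifier, e.g. redirect=_spf.example
            name, arg = raw.split("=", 1)
        elif ":" in raw:                      # mechanism with a domain/network argument
            name, arg = raw.split(":", 1)
        else:
            name, arg = raw, ""
        terms.append((qualifier, name.lower(), arg.lower()))
    return terms


def check_spf(record):
    """Return findings for one SPF record string as a dict."""
    terms = parse_spf(record)
    if terms is None:
        return {"valid": False, "reason": "not an SPF v1 record"}
    has_cres = any(q == "+" and (n, a) == CRES_MECHANISM for q, n, a in terms)
    lookups = sum(1 for _, n, _ in terms if n in LOOKUP_TERMS)
    # Anything placed after "all" is never evaluated, so "all" must be last.
    all_is_last = bool(terms) and terms[-1][1] == "all"
    return {
        "valid": True,
        "has_cres_mx": has_cres,
        "dns_lookups": lookups,
        "within_lookup_limit": lookups <= 10,
        "all_is_last": all_is_last,
        "all_qualifier": terms[-1][0] if all_is_last else None,
    }


if __name__ == "__main__":
    for rec in (GOOD, MISSING):
        print(rec, "->", check_spf(rec))
```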
Run this report to view usage statistics for your corporate account. For information about the Account Usage report, see “Account Usage Report” on page 2.

The User Information report and the User Status report are typically used by system administrators. These reports are available only if you have a domain (and users) associated with your account.

Account Usage Report

The Account Usage report displays usage information for a specific account. The data is grouped by token and includes a list of the messages sent and a message count. A token is a customer-specific key used to encrypt data between the Cisco Email Security Appliance (ESA) and CRES (or a local key server) and is used only by Customer Support.

Note Typically, an account administrator for an organization manages a single corporate account.

To generate the Account Usage report:
Step 1 Click the Reports tab to access the View Reports page.
Step 2 Click the Account Usage Report link. The Account Usage Report page is displayed.

Figure 3-1 Account Usage Report

Step 3 Enter or select the time range for the report data.
Step 4 Enter optional search criteria, such as the sender email address or the recipient email address.
Step 5 Select the sort order for the report data.
Step 6 Select the columns to include in the report data. Select a value, and then click Add to sort to include the column or Remove from sort to exclude the column.
Step 7 Click Create Report.

After you generate the report, you can download the report information in either PDF or spreadsheet format. In addition, you can bookmark or print the web page of the report.
Chapter 4 Migrating the Data Needed to Create Keys from the IEA to CRES

This chapter contains the following sections:
• Information About Migrating the Data Needed to Create Keys from the IEA to CRES, page 4-1
• How to Migrate the Data Needed to Create Keys from the IEA to CRES, page 4-3
• Example Configuration of HTTP Proxy, page 4-12
• Cisco Content Security Welcomes Your Comments, page 4-14

Information About Migrating the Data Needed to Create Keys from the IEA to CRES

If you have an existing installation of Cisco Ironport Encryption Appliance (IEA) and you want to use Cisco Registered Envelope Service (CRES) for key creation and management, instead of using IEA as a local key server, you must perform the migration procedure. The preferred method is to copy all existing user and key data from IEA into CRES so that the end users can still open their old envelopes and will not need to re-register. To do this, CRES now provides a data migration client for the IEA and a data import service for CRES. These utilities use the existing hardware and do not require any changes to your infrastructure, allowing you to continue to take advantage of existing capabilities such as load balancing and failover.

By default, the migration client performs one pass at migrating the data. You can configure the client to run multiple passes. The migration client keeps track of which records have already been sent and will not re-send any data that has already been received by CRES.

After the IEA records have been migrated, you must complete several steps to ensure the redirection of traffic from the IEA to CRES.
These steps are described in detail in the next section and include, but are not limited to:
1. Set up the redirection of HTTP traffic from end users to go to an HTTP proxy instead of to the IEA.
2. Set up the HTTP proxy to use an existing or new SSL certificate that the end users can trust for their HTTP traffic with the proxy, in place of the certificate used with the IEA.
3. Configure the proxy to use an SSL certificate for trusted HTTP communication with CRES.
4. Update your DNS server and firewall rules to redirect all HTTP traffic intended for the IEA to go to your HTTP proxy instead.
5. Update the tokens on all encryption appliances and clients.
6. Disable the IEA.
7. Associate your email domains with your CRES account.

Because the switchover process is not instantaneous, some IEA clients may continue to use the IEA, so there may be database updates that need to be mirrored to CRES. You can configure the data migration client to periodically check for any updated data and to migrate any updated data to CRES. The CRES administrator can configure simple policies that permit the importation of keys for a given account and that specify time periods when data can be imported.

The migration process will copy user data and any pending user activity from IEA to CRES. However, the migration data will not include any user role or permission data, and the migration process will not change the CRES permissions for account administrators or any other user belonging to an account. So, the permissions for users will not be upgraded to those for account administrators on CRES, but if a user already has account administrator permissions, that access will not be removed, regardless of their status on the IEA. After the migration, users can be upgraded to account administrators in the usual manner.
How to Migrate the Data Needed to Create Keys from the IEA to CRES

Migration Prerequisites

Before you migrate to CRES, you must meet the following prerequisites:
• Ensure that you do not need to use any existing features that will not be supported after you migrate to CRES. For more information and examples of these features, see the “Features That Are Not Supported on CRES” section on page 4-4. Discuss your situation with Cisco Technical Support when you contact them to initiate the migration process.
• Ensure that the person performing the migration is a database administrator or has access to a database administrator who can help them.
• Ensure that you have a machine that can be used as an HTTP proxy and the software required to run an HTTP proxy.
• You must upgrade your Cisco IEA software to version 6.5.6.1.
• If you do not have a CRES account, send an email to stg-cres-provisioning@cisco.com and provide the following information:
  – Name of the account. This is usually a company name. For Hosted customers, the account name should be “Company Name ‹ HOSTED”
  – Customer’s mail address that will be used for the Account Administrator
  – Serial number(s) of ESA appliances that will be doing the encryption
• Initiate the migration process by contacting a Cisco Customer Support Representative at iea-migrations@cisco.com and providing the following information:
  – Your CRES account number. If you do not have a CRES account, contact Cisco to create an account, as described in the previous prerequisite.
  – The date that you would like to start the migration. You should contact Cisco at least 30 days before you plan to actually perform the migration.
  The Cisco Customer Support Representative will then:
  – Configure your account to enable migration.
  – Set the start and end dates and times for the migration.
  – Send you an email with the details of your account and links to the migration software.
  – Send you an email with the security key in a secure envelope.
• Download the following installation script as instructed in the email sent to you by the Cisco Customer Support Representative:
  – cres-dbmigrate_install-4.3.0.xxx.sh
• Verify that the installation script downloaded correctly by running the following command and comparing the MD5 digest printed to the console against the MD5 digest shown on the download site:
    openssl dgst -MD5 cres-dbmigrate_install-4.3.0.xxx.sh
• Obtain the following items as described in the first two steps in the procedure that follows:
  – token.jar
  – security key (emailed to you in a secure envelope after you schedule your migration)
• If you use PostgreSQL to manage your database, you must have PL/pgSQL installed in order to run the database modification script for Step 4 below.

Features That Are Not Supported on CRES

When you migrate to CRES, you must use a Cisco Email Security Appliance instead of your Cisco Ironport Encryption Appliance (IEA). Because CRES is a hosted service, it cannot support some of the features provided by a local key server, such as an IEA. Therefore, before you migrate to CRES, you must make sure that you do not need any IEA features that are not supported on CRES. To help you determine whether you can migrate to CRES, the following list includes some examples of commonly used IEA features that are not currently available on CRES:
• ORACLE database — An IEA using Oracle is not currently eligible for migration. This will be supported in a future release.
• Secure mailbox
• LFS (large file support)
• Statement delivery
• Some authentication methods — Users registered in the CRES local database and SAML (for customer-owned email domains only) are the only available authentication methods for CRES. The remaining IEA authentication methods, such as LDAP, Kerberos, and others, are not supported. Also, authentication lookups in multiple sources (known as chained lookups) are not supported.

For detailed information about IEA features, see the Cisco Ironport Encryption Appliance 6.5 Configuration Manual.

Migration Procedure

Use this procedure to migrate data from IEA to CRES:
Step 1 Save the token.jar file to your local drive:
a. Log in to CRES as an administrator and choose the Accounts tab.
b. Choose the Manage Accounts tab.
c. Choose the Customer Account Manager’s account.
d. Choose the Tokens tab.
e. Click the download icon under the Actions column for the SecureCompose token in the table of tokens.
Step 2 The security key will be emailed to you by Cisco Technical Support in a secure envelope after you schedule your migration.
Step 3 Install the migration client on the IEA.
a. Enter the following commands to use SCP to copy the migration client files to your IEA:
    scp cres-dbmigrate_install-4.3.0.xxx.sh admin@<IEA IP Address>:
    scp token.jar admin@<IEA IP Address>:
b. Use SSH to connect to the IEA. For example, enter:
    ssh admin@<IEA IP Address>
c. At the main menu, enter option x to exit to the UNIX command prompt.

Note The x option is a hidden command and does not appear in the list of menu options.

d. Use the following command to install the migration client:
    sh ./cres-dbmigrate_install-4.3.0.xxx.sh
Step 4 Run the database modification script.
• For PostgreSQL, enter:
    cd dbmigrate/scripts/postgres
    psql -p 5432 -h localhost -d database-name -U db-admin-name -f ~/dbmigrate/scripts/postgresql/migration_table.sql

Note You must have PL/pgSQL installed in order to perform this procedure.

• For MSSQL, copy the script to a Windows machine with the SQL Server administrator tools installed and execute the script by either:
  – Using the SQL Server Management Studio GUI
  – Running the following command-line command:
    sqlcmd -H hostname -S sqlserver-instance-name -d database-name -U db-admin-name -P db-admin-password -i migration_table.sql
Step 5 Work with Cisco Technical Support to set the parameters in the dbmigrate.properties file, which are used to configure the functionality of the migration client. These parameters are described in the following table. In addition to the basic configuration parameters shown in the following table, you can also use several more advanced parameters, which are explained in Appendix B.

One of the functions that you can configure is the sending of a notification email to you and Cisco Technical Support when the migration is complete. The parameters that must be configured for this notification are mailserver, mailserverport, notifyComplete, notificationRecipient, and notifyCompleteFrom. You can also configure the sending of a notification email to end users when the migration of their data is complete. If you configure notifications for end users, Cisco recommends that you explain the migration process to your end users to avoid any confusion when they receive the notification email. Therefore, this functionality is considered an advanced feature. For information about the optional advanced parameters for end user notifications, see Appendix B.
You can configure the migration client parameters listed in the following table using either the dbmigrate.properties file or the command line. The dbmigrate.properties file is located in the conf subdirectory of the folder that contains the migration client installer.

Parameter (required or optional): Definition
  url (required): JDBC connection URL for the database. For suggested values, see the note below.
  driver (required): JDBC driver name. See the note below.
  user (required): Database username.
  password (required): Database password.
  token (required): Name of the token JAR file for the CRES account.
  securitykey (required): Additional security key for authentication.
  importserver (optional): URL of the CRES migration import service.
  passcount (optional): Number of passes of the user and key tables to make before finishing. (Default: 1. Maximum: none.)
  passdelay (optional): Number of seconds between migration runs. A value of 0 means the delay is infinite. (Default: 12 hours. Minimum: 1 hour.)
  mailserver (optional): IP address of the mail server.
  mailserverport (optional): Port number of the mail server.
  notifyComplete (optional): Enables or disables the sending of a notification email when the migration is complete. Valid values are true or false.
  notificationRecipient (optional): Email address of the person who is to receive the notification email when the migration is complete.
  notifyCompleteFrom (optional): Email address of the sender of the notification email when the migration is complete.
  notifyCompleteSubject (optional): Subject line of the email sent to notify that the migration is complete.

Note If you use a different JDBC driver from the one used for the IEA, you must copy the JAR file for the driver into the lib folder.
If you are using MSSQL, set the following parameters:
  • driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
  • url=jdbc:sqlserver://database_server;instanceName=instance_name;databaseName=postx;other_options

All of the parameters that can be configured in the dbmigrate.properties file can also be configured using the command line. However, the command line has two additional optional parameters, and only four parameters are required on the command line, as shown in the following table:

Parameter (required or optional): Definition
  url (required): JDBC connection URL for the database.
  driver (required): JDBC driver name.
  user (required): Database username.
  password (required): Database password.
  help (optional): Prints a description of the configuration parameters.
  config (optional): Name of the configuration properties file.

Step 6 Enter the following command to run the script included in the downloaded files and start the migration client:
  ./dbmigrate_client --password=db_password

When the migration is complete, the migration client sends a completion notification email to you and Cisco Technical Support, if you configured the mail server and notification parameters as described in Step 5. Cisco Technical Support then checks the results of the migration and notifies you whether the migration was successful.

Note User account and domain membership are not handled by the migration process. Existing user records are not moved to a different account, and all new user records are added to the default Users account (id 1). Cisco Technical Support must log in and manually move users to the correct account after the migration. If the IEA user already exists on CRES, the CRES data for that user is preserved and no error message is generated.
After the migration is complete and the proxy is set up, your users must use their CRES credentials, instead of their IEA credentials, to open envelopes. It is the administrator's responsibility to inform the end users that this will happen.

Step 7 After the migration is complete, you must redirect HTTP traffic from end users to an HTTP proxy instead of the IEA. The traffic that must be redirected includes:
  • Key server requests to create a new key for an envelope or retrieve a key for an existing envelope
  • Connections to Websafe
  • Connections to Secure Compose
  • Connections to the online envelope opener
  • Connections to any other web applications

To redirect this traffic, set up an HTTP/HTTPS proxy to act in place of the IEA. How you implement this proxy depends on your existing network. If you do not have an existing web server or proxy server on which to run the HTTP proxy, you need to set up a new machine to run it. For an example configuration, see the "Example Configuration of HTTP Proxy" section on page 4-12.

Step 8 Set up the HTTP proxy to use an existing or new SSL certificate that the end users can trust for their HTTP traffic with the proxy, in place of the certificate used with the IEA. You can use the same certificate that you used with the IEA, or you can use a new one. Cisco recommends that you use your existing certificate.

Step 9 Configure the HTTP proxy to use an SSL certificate for trusted HTTP communication with CRES. The best way to do this is to configure the proxy to reference a trusted store of CA certificates. A less manageable alternative is to configure the proxy to explicitly trust the CRES certificate, but this approach requires you to update the explicit trust relationship every time the CRES certificate is updated.
Step 10 Once you have set up the HTTP proxy, update your DNS server and firewall rules to redirect all HTTP traffic intended for the IEA to your HTTP proxy instead.

Step 11 Update the tokens on all encryption appliances and clients. This is required for the encryption and decryption of keyserver parameters to work. To update the token on the Cisco Email Security Appliance, provision a CRES encryption profile. To update the tokens on clients such as the Outlook plug-in, the Cisco BCE Mobile App for Android, and the Cisco BCE Mobile App for iOS, download a new BCE configuration file created with a CRES profile and send it to those users as an encrypted email from an administrator of the CRES account.

Step 12 Stop the IEA encryption server, but do not physically disconnect the IEA.

Step 13 Run the migration client again to propagate any updates since the first run. Alternatively, you can leave the migration client running in multiple-pass mode. Once the second run has completed successfully, Cisco Technical Support disables further migration for the account.

Step 14 Contact Cisco Technical Support to associate your email domains with your CRES account. As part of this process, Cisco Technical Support moves any preexisting CRES users within those email domains to your account. Only email domains that you own can be associated with your CRES account.

Differences in Functionality Once the Migration Is Complete

CRES has a different feature set from the IEA, and this difference may cause some confusion for your users. Cisco recommends that you educate your users on the differences in functionality between the two feature sets. For detailed information about IEA features, see the Cisco IronPort Encryption Appliance 6.5 Configuration Manual.
Also, as stated in Step 14 above, if an email account is not owned by you, it cannot be associated with your CRES account. Emails originating from those accounts will therefore have a different domain name in the email alias. Cisco recommends that you also educate your users on this difference to help them avoid confusion.

Migration Error Messages

The following error messages are the most common messages generated during the migration process. If you receive any other error messages, contact Cisco Customer Support for information about how to resolve the issue.

Error Message This IEA database uses a non-standard authentication system for keys, you may continue with this migration, but when these keys are moved to CRES they will be modified to use CRES authentication. Do you wish to proceed with this migration and use CRES authentication for your keys?
Explanation The IEA database is using a key server authentication type other than PostXAuth, and the precondition.keychecker.actionOnFail parameter is set to prompt.
Recommended Action As a workaround, you can respond Yes to continue with the migration and use CRES authentication, but we recommend that you contact Cisco Customer Support before you make that decision.

Error Message This IEA database uses non-standard key authentication, i.e., C_LOOKUPNAME <> 'PostXDatabase' and the Keystore checker failed to prompt the user for resolution (console not available).
Explanation The IEA database is using a key server authentication type other than PostXAuth, and the precondition.keychecker.actionOnFail parameter is set to fail.
Recommended Action Contact Cisco Customer Support.

Error Message ERROR: language "plpgsql" does not exist.
Explanation You have not met the prerequisite that, if you use PostgreSQL to manage your database, you must have PL/pgSQL installed to run the database modification script.
Recommended Action Ensure that you have PL/pgSQL installed if you use PostgreSQL.

Example Configuration of HTTP Proxy

This example shows how to configure one of the most commonly used products for an HTTP/HTTPS proxy, the Apache HTTP Server. This is by no means the only possible example or the most recommended product. Your infrastructure determines which product is best for you to use as an HTTP/HTTPS proxy. Use the following procedure to configure this scenario.

Step 1 Enable the proxy and SSL modules by entering the following directives in the Apache httpd.conf file or the equivalent file:
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule ssl_module modules/mod_ssl.so

Step 2 Make sure the CA certificates are located in the appropriate folder (for example, /etc/ssl/certs) and enter the following directive to configure the Apache server to look for the CA certificates in that folder:
  SSLCACertificatePath /etc/ssl/certs/

Step 3 Install the IEA certificate by copying the certificate file into the directory that your Apache installation uses for certificates (for example, /etc/ssl/your-host-certificate.pem).
Step 4 Enable proxying for HTTP port 80 by entering the following directives:
  <VirtualHost www.your-hostname.com:80>
      ServerName www.your-hostname.com
      ProxyPreserveHost On
      ProxyRequests off
      ProxyPass / http://res.cisco.com:80/
      ProxyPassReverse / http://res.cisco.com:80/
  </VirtualHost>

Step 5 Enable proxying for HTTPS port 443 by entering the following directives:
  <VirtualHost www.your-hostname.com:443>
      ServerName www.your-hostname.com
      ProxyPreserveHost On
      ProxyRequests off
      ProxyPass / https://res.cisco.com:443/
      ProxyPassReverse / https://res.cisco.com:443/
      SSLEngine on
      SSLProxyEngine on
      SSLCertificateFile /etc/ssl/your-host-certificate.pem
  </VirtualHost>

Cisco Content Security Welcomes Your Comments

The Cisco Content Security Technical Publications team is interested in improving the product documentation. Your comments and suggestions are always welcome. You can send comments to the following email address: contentsecuritydocs@cisco.com

APPENDIX A Contacting Customer Support

To contact Customer Support for Cisco Registered Envelope Service (CRES), you can send an email message to the following address: support@res.cisco.com

See the following URL for complete Customer Support information: https://res.cisco.com/websafe/help?topic=ContactSupport

Note You can also access Instant Message Chat Support from this URL.

Alternatively, you can request support by phone or online 24 hours a day, 7 days a week.
You can contact Cisco Customer Support using one of the following methods:
  • Cisco Support Portal: http://www.cisco.com/support
  • Phone support: Contact the Cisco Technical Assistance Center (TAC) within the United States and Canada at 800-553-2447; for other locations, see Worldwide Phone Numbers.

If you purchased support through a reseller or another supplier, contact that supplier directly with your product support issues.

Note The level of support available to you depends upon your service level agreement. Cisco IronPort Customer Support service level agreement details are available on the Support Portal. Check this page for details about your level of support.

Reasons for contacting support include:
  • Reporting issues
  • Adding domains to your account
  • Adding users to your domain
  • Managing users (for example, resetting passwords and locking users) if you are not managing users directly via CRES

APPENDIX B Additional Parameters for Migrating the Data Needed to Create Keys from the IEA to CRES

In addition to the parameters used in the migration client's dbmigrate.properties file or on the command line, which are described in Chapter 2, you can also use the parameters in the following table. Do not change the default values of these parameters, using either the dbmigrate.properties file or the command line, without the help of Cisco Technical Support.

The max-Errors parameters indicate the maximum number of errors that can occur before the migration client abandons the current run.
A value of 0 for the max-Errors parameters indicates that there is no limit to the number of errors that can occur.

Some parameters are used by the key checker process to specify the preconditions that must be met before the migration can be run. The key checker process scans the database for the presence of any key server authentication types other than PostXAuth. You can configure the parameters to cause the key checker process to take specific actions if the specified preconditions are not met. For information about the errors that can occur during the migration process, see the "Migration Error Messages" section on page 4-11.

Parameter (used with the command line, the properties file, or both): Definition
  maxUserErrors (both): Maximum number of errors that can occur while migrating the user tables before stopping the migration.
  maxUuidErrors (both): Maximum number of errors that can occur while migrating the UUID tables before stopping the migration.
  maxKeyErrors (both): Maximum number of errors that can occur while migrating the key tables before stopping the migration.
  maxContactErrors (both): Maximum number of errors that can occur while migrating the contact tables before stopping the migration.
  precondition.keychecker.databaseName=dbname (both): Names the database that must be set in the rules file for use by the key checker process before the migration can be run.
  precondition.keychecker.class=class (both): Names the class that must be invoked as a precondition that must be met by the key checker process before the migration can be run.
  precondition.keychecker.actionOnFail=action (both): Sets the action to take if the preconditions for the key checker process are not met. Available values for action are prompt, pass, and fail.
  autoNotifyUser (optional): Enables or disables the sending of a notification email per user when the migration is complete. Valid values are true and false.
  notifyUserFrom (optional): Email address of the sender of the user notification email when the migration is complete.
  notifyUserSubject (optional): Subject line of the email sent to the users to notify them that the migration is complete.
  notifyUser.params.company (optional): Name of the users' company that will receive notification that the migration is complete.
  notifyUser.params.cres.login (optional): URL for the CRES login of the users' company that will receive notification that the migration is complete.
  level (both): Logging level. Available values are ERROR, WARN, INFO (default), and DEBUG.
  logfile (both): Log filename (default: dbmigrate.log).
  tableset (both): Comma-separated list of the sets of tables to export. Possible values are:
     • users: exports all user, usermap, and user profile tables
     • contacts: exports all address book tables
     • keys: exports all keys
     • uuids: exports UUIDs
  reportProcessors (both): Comma-separated list of the sets of tables to generate reports for. Possible values are:
     • users-report: report for the user, usermap, and user profile tables
     • keys-report: report for keys
  maxsize (both): Maximum size in bytes of the HTTP message body sent from the IEA (Default: 2 MB. Maximum: 10 MB).
  batchsize (both): Maximum number of records sent per request (Default: 200. Maximum: 10000).
  batchdelay (both): Amount of time to pause between batches (Default: 0.6 seconds. Minimum: 0.2 seconds).
  retrycount (both): Number of times to retry each batch before giving up (Default: 5. Maximum: 30).
  retrydelay (both): Amount of time to pause between retries (Default: 20 seconds. Minimum: 1 second).
  rules (both): Name of the rules file.
  help (command line): Prints a description of the configuration parameters.
  config (command line): Name of the configuration properties file.
  connectTimeout (both): HTTP connect timeout.
  socketTimeout (both): HTTP socket timeout.
  sendBufferSize (both): Size of the HTTP send buffer.
  receiveBufferSize (both): Size of the HTTP receive buffer.
  acceptSelfSigned (both): Accept self-signed SSL certificates. Valid values are true and false.
  acceptUntrusted (both): Accept untrusted SSL certificates. Valid values are true and false.
  acceptExpired (both): Accept expired SSL certificates. Valid values are true and false.
  requireServerTLS (both): Requires the use of a TLS server. Valid values are true and false.
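To check a dbmigrate.properties file before the Step 6 run against the requirements of the Step 5 table and the TLS parameters above, here is an added example that is not Cisco's tooling: the finding codes are made up here, and the sample file is constructed with placeholder host, account and key values.

```python
# Audit a CRES migration-client dbmigrate.properties file for missing required
# parameters and settings that weaken the run's TLS checks. Added example, not
# Cisco's tooling; parameter names are the guide's, finding codes are made up.
import re

REQUIRED = ("url", "driver", "user", "password", "token", "securitykey")
# The guide lists all of these as needed for the completion notification.
NOTIFY_DEPS = ("mailserver", "mailserverport", "notificationRecipient", "notifyCompleteFrom")
# Appendix B TLS switches, each with the value that disables a certificate check.
WEAK_TLS = {"acceptSelfSigned": "true", "acceptUntrusted": "true",
            "acceptExpired": "true", "requireServerTLS": "false"}
MAX_ERRORS = ("maxUserErrors", "maxUuidErrors", "maxKeyErrors", "maxContactErrors")
MSSQL_DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver"


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation. A repeated key keeps its last value."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_properties(text):
    """Return sorted 'CODE:parameter' findings for the file text; [] means clean."""
    p = parse_properties(text)
    findings = [f"MISSING_REQUIRED:{k}" for k in REQUIRED if not p.get(k)]
    # acceptSelfSigned/acceptUntrusted/acceptExpired=true or requireServerTLS=false
    # let the client talk to an impersonated import server without complaint.
    findings += [f"WEAK_TLS:{k}" for k, bad in WEAK_TLS.items() if p.get(k, "").lower() == bad]
    # Per the guide, 0 means no limit, so a broken run would never stop on its own.
    findings += [f"UNLIMITED_ERRORS:{k}" for k in MAX_ERRORS if p.get(k) == "0"]
    if p.get("notifyComplete", "").lower() == "true":
        findings += [f"NOTIFY_INCOMPLETE:{k}" for k in NOTIFY_DEPS if not p.get(k)]
    if p.get("driver") == MSSQL_DRIVER and not p.get("url", "").startswith("jdbc:sqlserver://"):
        findings.append("DRIVER_URL_MISMATCH:url")
    return sorted(findings)


# Constructed sample file; host, account and key values are placeholders.
SAMPLE = """\
driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
url=jdbc:sqlserver://db.example.internal;instanceName=IEA;databaseName=postx
user=iea_migrate
password=REPLACE_ME
token=token.jar
securitykey=REPLACE_WITH_KEY_FROM_CISCO_SUPPORT
notifyComplete=true
mailserver=10.0.0.25
mailserverport=25
notifyCompleteFrom=iea-migration@example.com
maxKeyErrors=0
acceptUntrusted=true
requireServerTLS=false
"""

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE):
        print(finding)
```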
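For the "Example Configuration of HTTP Proxy" section on page 4-12, here is an added example (not part of the guide or of Apache) that lints the assembled Step 1, 2 and 5 fragments for the settings that matter most when the proxy stands in for the IEA; the finding codes are made up here.

```python
# Lint an Apache httpd reverse-proxy configuration of the kind the guide shows for
# standing in for the IEA. Added example, not Cisco's or Apache's; codes made up.
import re

REQUIRED_MODULES = ("proxy_module", "proxy_http_module", "ssl_module")


def parse_httpd(text):
    """Return (global_directives, {vhost_addr: directives}); a directive is (name, args)."""
    globals_, vhosts, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        open_tag = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if open_tag:
            current = open_tag.group(1).strip()
            vhosts.setdefault(current, [])
        elif line.lower() == "</virtualhost>":
            current = None
        else:
            name, _, args = line.partition(" ")
            (vhosts[current] if current else globals_).append((name, args.strip()))
    return globals_, vhosts


def lint_proxy_config(text):
    """Return sorted 'CODE:where' findings; [] means every check passed."""
    globals_, vhosts = parse_httpd(text)
    loaded = {a.split()[0] for n, a in globals_ if n.lower() == "loadmodule" and a}
    findings = [f"MODULE_NOT_LOADED:{m}" for m in REQUIRED_MODULES if m not in loaded]
    if not any(n.lower() == "sslcacertificatepath" for n, _ in globals_):
        findings.append("NO_CA_PATH:global")  # Step 2 of the guide's procedure
    for addr, directives in vhosts.items():
        d = {n.lower(): a for n, a in directives}
        # ProxyRequests off keeps the reverse proxy from also acting as an open
        # forward proxy that anyone could relay requests through.
        if d.get("proxyrequests", "").lower() != "off":
            findings.append(f"PROXYREQUESTS_NOT_OFF:{addr}")
        if addr.endswith(":443"):
            for need in ("sslengine", "sslproxyengine"):
                if d.get(need, "").lower() != "on":
                    findings.append(f"NOT_ON:{addr}:{need}")
            if not d.get("sslcertificatefile"):
                findings.append(f"NO_SERVER_CERT:{addr}")
            target = d.get("proxypass", "").split()
            if not target or not target[-1].startswith("https://"):
                findings.append(f"BACKEND_NOT_HTTPS:{addr}")
    return sorted(findings)


# The guide's Step 1, 2 and 5 fragments in one file; hostname and path are its placeholders.
GUIDE_CONFIG = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
SSLCACertificatePath /etc/ssl/certs/
<VirtualHost www.your-hostname.com:443>
    ServerName www.your-hostname.com
    ProxyPreserveHost On
    ProxyRequests off
    ProxyPass / https://res.cisco.com:443/
    ProxyPassReverse / https://res.cisco.com:443/
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/ssl/your-host-certificate.pem
</VirtualHost>
"""
```

Running `lint_proxy_config(GUIDE_CONFIG)` returns an empty list; turning `ProxyRequests` on or dropping `SSLProxyEngine on` produces a finding for the 443 virtual host.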