
Configuring Encryption Management Server Verified Directory


Article ID: 180146


Products: Encryption Management Server, Gateway Email Encryption, PGP Command Line, Desktop Email Encryption, File Share Encryption

Issue/Introduction

The Symantec Encryption Management Server (PGP Server) Verified Directory (VKD) service allows internal or external users to upload their public keys using a web interface running on HTTP or HTTPS.

It also allows users running Symantec Encryption Desktop (PGP Desktop) or PGP Command Line to upload public keys to Encryption Management Server. However, this is only available over LDAP or LDAPS and it also requires the Keyserver service to be enabled.

The Verified Directory service is disabled by default.

Depending on the Vetting Method that is configured, Verified Directory sends verification messages to the email addresses of the keys that are submitted to it. If the key owner responds to the verification message with permission to add the key, then the key is added to the directory.

Clearly, if an internal user submits a third party's public key to Verified Directory then the email Vetting Method is not appropriate because the third party would receive verification emails.

Published user keys are signed by another key. Keys submitted by internal users are signed by the Encryption Management Server Organization Key. Keys submitted by external users are signed by the Verified Directory Key. Prior to enabling Verified Directory, you must upload a Verified Directory key by navigating to Keys / Organization Keys and clicking on the button to upload a Verified Directory Key. This key pair should be created on a standalone system running PGP Command Line or Encryption Desktop.

The Verified Directory web interface allows users to search the directory for the public keys of persons to whom they want to send secured messages.

Once a key that has been uploaded using Verified Directory is published, it is available for use in encryption in the same way as the keys of External Users. However, unlike External User keys, Verified Directory keys are not replicated to other cluster members.

Resolution


Section 1 of 4: Enabling the Verified Directory service

  1. On the Services/Verified Directory card, click the Enable button to enable the service.

  2. To disable the PGP Verified Directory service, click the Disable button on the Verified Directory card.

Important Note about VKD Signing Keys: Before you can properly use Verified Directory, you need a VKD Signing key. Ensure this key does not have an expiration date in the near future, as an expired signing key will cause keys uploaded to the VKD to be removed. We recommend choosing an expiration date a few years in advance so that you never have to worry about this.

Section 2 of 4: Configuring Verified Directory

  1. On the Services/Verified Directory card, click the Edit button.

    The Edit Verified Directory screen appears.

  2. The Interface tab is displayed by default.

  3. In the Public URL field, enter the PGP Verified Directory network name. Directory users access the PGP Verified Directory using this URL. The default URL is the hostname of the server prefixed by http://. If you wish to use a secure connection, change the prefix to https://.  You may want to change the URL, depending on your network configuration. 

  4. In the Interface field, select the appropriate network interface for Verified Directory from the drop-down list. Note that if you use HTTPS then a TLS certificate that matches the URL will need to be assigned to the interface.

  5. In the Port field, enter a port number for Verified Directory. The default is port 80 but if you are using https then change this to port 443. You can also use a custom port.

  6. Enable the SSL option if you are using a secure connection.

  7. Click the Options tab to specify key and user interaction settings.

  8. Establish key submission criteria for internal users:

    Allow Submission. When checked, users can submit their public keys to Verified Directory. You can choose whether Internal Users or Verified Directory Users can submit their keys. An Internal User is one where the domain part of the email address of a submitted key is listed under Consumers / Managed Domains in the management console. There are very limited circumstances whereby Internal Users will need to submit keys to Verified Directory and by default, Internal Users are not allowed to submit keys.

    Vetting Method. This determines how submitted keys are posted to Verified Directory. The choices are Implicit, Manual or Email. The Implicit option means that any key that is uploaded to Verified Directory is added automatically. Manual means that the Encryption Management Server administrator must manually approve or reject all submitted keys. Email means an email message will be sent to the primary email address of the key and must be responded to.

  9. In the Re-email Timeout field, enter a timeout value for resending email. The default is 24 hours. If for some reason a user's key is submitted multiple times, the timeout value specifies how often the user will receive the vetting email in response. The default of 24 hours means that users will only receive the email once every 24 hours.

  10. In the Email Token Timeout field, enter the timeout value for the expiration of the email token. The default is 336 hours (14 days).

  11. In the Signature Expiration field, enter the expiration time for the signature of the Organization Key or Verified Directory Key signature. The default is 6 months.

    When the signature expiration time period is reached, the user's key will automatically be re-verified using the selected vetting method.

  12. In the Max Search Results field, enter the maximum number of results users receive for a web-based search. The default number of results returned for web-based searches is 25.
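The Interface and Options settings above only work when they agree with each other (an https:// Public URL needs the SSL option, port 443 and a matching TLS certificate on the interface; Email vetting is a poor fit when internal users may submit keys; the VKD signing key must outlive the Signature Expiration window). The following pre-flight check is an added example, not part of this article or of the Encryption Management Server product: it applies those rules to a plain dictionary of settings. The dictionary keys, the two sample configurations and the reference date are my own assumptions, not the product's configuration schema.

```python
"""Pre-flight consistency check for Verified Directory settings (added example)."""
from __future__ import annotations

from datetime import date, timedelta
from urllib.parse import urlparse

VETTING_METHODS = ("Implicit", "Manual", "Email")
DEFAULT_SIGNATURE_EXPIRATION_MONTHS = 6      # default quoted in the article
RECOMMENDED_KEY_LIFETIME_DAYS = 2 * 365      # my threshold for "a few years in advance"


def check_vkd_settings(cfg: dict, today: date | None = None) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the settings are consistent."""
    today = today or date.today()
    findings = []

    url = urlparse(cfg["public_url"])
    scheme = url.scheme.lower()
    ssl = bool(cfg.get("ssl", False))
    port = int(cfg.get("port", 443 if ssl else 80))

    if scheme not in ("http", "https"):
        findings.append(("error", f"public_url must start with http:// or https://: {cfg['public_url']!r}"))
        return findings  # the remaining checks need a valid scheme

    # Interface tab: URL scheme, SSL option, port and certificate must agree
    if scheme == "https" and not ssl:
        findings.append(("error", "public_url is https:// but the SSL option is not enabled"))
    if scheme == "http" and ssl:
        findings.append(("error", "SSL option is enabled but public_url is http://"))
    if scheme == "https":
        cert_name = cfg.get("tls_cert_name")
        if not cert_name:
            findings.append(("error", "https:// requires a TLS certificate assigned to the interface"))
        elif cert_name.lower() != (url.hostname or ""):
            findings.append(("warning", f"TLS certificate name {cert_name!r} does not match URL host {url.hostname!r}"))
    implied_port = url.port or (443 if scheme == "https" else 80)
    if implied_port != port:
        findings.append(("error", f"public_url implies port {implied_port} but the Port field is {port}"))

    # Options tab: who may submit keys and how they are vetted
    vetting = cfg.get("vetting_method", "Email")
    if vetting not in VETTING_METHODS:
        findings.append(("error", f"unknown vetting method {vetting!r}; expected one of {VETTING_METHODS}"))
    elif vetting == "Email" and cfg.get("allow_internal_submission", False):
        findings.append(("warning", "Email vetting with internal-user submission: a third party's key "
                                    "submitted by an internal user sends verification mail to that third party"))
    elif vetting == "Implicit":
        findings.append(("warning", "Implicit vetting publishes every uploaded key without verification"))

    # VKD signing key: must stay valid beyond the signature expiration window
    months = int(cfg.get("signature_expiration_months", DEFAULT_SIGNATURE_EXPIRATION_MONTHS))
    window_end = today + timedelta(days=30 * months)  # months approximated as 30 days
    key_expiry = cfg.get("vkd_key_expires")           # a date, or None if unknown
    if key_expiry is not None:
        if key_expiry <= window_end:
            findings.append(("error", f"VKD signing key expires {key_expiry}, inside the {months}-month "
                                      "signature expiration window; published keys would be removed"))
        elif key_expiry < today + timedelta(days=RECOMMENDED_KEY_LIFETIME_DAYS):
            findings.append(("warning", f"VKD signing key expires {key_expiry}; choose an expiry a few years out"))
    return findings


# Constructed sample settings (hostnames and dates are placeholders, not real systems)
SAMPLE_TODAY = date(2024, 6, 1)
GOOD_SETTINGS = {
    "public_url": "https://keys.example.com", "interface": "eth0", "port": 443, "ssl": True,
    "tls_cert_name": "keys.example.com", "allow_internal_submission": False,
    "vetting_method": "Email", "signature_expiration_months": 6, "vkd_key_expires": date(2030, 1, 1),
}
BAD_SETTINGS = {
    "public_url": "https://keys.example.com", "interface": "eth0", "port": 80, "ssl": False,
    "tls_cert_name": None, "allow_internal_submission": True,
    "vetting_method": "Email", "signature_expiration_months": 6, "vkd_key_expires": date(2024, 9, 1),
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, "->", check_vkd_settings(cfg, SAMPLE_TODAY) or "consistent")
```

Run it once before clicking Save on the Edit Verified Directory screen; the "bad" sample produces four errors (scheme without SSL, missing certificate, port mismatch, signing key expiring inside the window) and one warning (Email vetting with internal submissions), which are exactly the misconfigurations that surface later as unreachable portals or silently removed keys.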


Section 3 of 4: Allow SMIME Certificates to be uploaded via the Verified Directory web portal

The PGP Server has always allowed the upload of PGP keys to the portal.  Starting with PGP Server 10.5.1, there is new functionality to allow the upload of SMIME Certificates to the portal.

To be able to do this, there is a preference that needs to be enabled (disabled by default).

To do this, edit prefs.xml and set the allow-smime-cert-import parameter to "true".

There is no need to restart services.

If you would like assistance making this change, please reach out to Symantec Encryption Support and we can assist in doing this.
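The article names the file and the parameter but not the layout of prefs.xml. The script below is an added example, not the product's own tooling: it assumes the parameter is an XML element named allow-smime-cert-import whose text is "true" or "false" (an assumption), backs the file up before writing, refuses to invent the element if it is absent or ambiguous, and re-reads the file afterwards to confirm the value on disk. The sample prefs.xml content is constructed for the demonstration.

```python
"""Set allow-smime-cert-import in prefs.xml with a backup and a read-back check (added example)."""
from __future__ import annotations

import shutil
import sys
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

PARAM = "allow-smime-cert-import"

# Constructed sample; the real file's layout is not shown in the article
SAMPLE_PREFS = """<?xml version="1.0" encoding="UTF-8"?>
<preferences>
  <!-- keep -->
  <allow-smime-cert-import>false</allow-smime-cert-import>
  <some-other-setting>keep-me</some-other-setting>
</preferences>
"""


def _parse(xml_text: str) -> ET.Element:
    # TreeBuilder(insert_comments=True) keeps XML comments, so the rewrite does not drop them
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def get_pref(xml_text: str, name: str) -> str:
    """Return the text of the single element called `name`; KeyError if absent or duplicated."""
    matches = list(_parse(xml_text).iter(name))
    if len(matches) != 1:
        raise KeyError(f"{name}: found {len(matches)} elements, expected exactly one")
    return (matches[0].text or "").strip()


def set_pref(xml_text: str, name: str, value: str) -> tuple[str, str]:
    """Return (updated_xml, previous_value). Never creates the element: an absent
    parameter means the assumption about the file layout is wrong, so stop."""
    root = _parse(xml_text)
    matches = list(root.iter(name))
    if len(matches) != 1:
        raise KeyError(f"{name}: found {len(matches)} elements, expected exactly one")
    previous = (matches[0].text or "").strip()
    matches[0].text = value
    # Preserve the original XML declaration verbatim; ElementTree would otherwise drop it
    declaration = ""
    if xml_text.lstrip().startswith("<?xml"):
        declaration = xml_text[: xml_text.index("?>") + 2] + "\n"
    return declaration + ET.tostring(root, encoding="unicode"), previous


def update_file(path: Path, value: str = "true") -> tuple[str, str]:
    """Back up prefs.xml, rewrite the parameter and return (previous, value_now_on_disk)."""
    original = path.read_text(encoding="utf-8")
    updated, previous = set_pref(original, PARAM, value)
    backup = path.with_name(f"{path.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(path, backup)                     # keep a copy before touching the file
    path.write_text(updated, encoding="utf-8")
    return previous, get_pref(path.read_text(encoding="utf-8"), PARAM)


if __name__ == "__main__":
    # usage: python set_smime_pref.py /path/to/prefs.xml   (path is yours, not from the article)
    if len(sys.argv) != 2:
        sys.exit("usage: set_smime_pref.py PREFS_XML")
    before, after = update_file(Path(sys.argv[1]))
    print(f"{PARAM}: {before} -> {after}")
```

No service restart is needed after the change, as the article states, so the read-back value is the only confirmation step; the backup file next to prefs.xml lets you revert the single edit if the portal behaves unexpectedly.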


Section 4 of 4: Clustering and Verified Directory

Internal user keys submitted through Verified Directory are replicated throughout a cluster. However, submitted external user keys are not replicated.

To make sure these keys are replicated across your cluster, you can manually add Verified Directory user keys to the external user list. Export the Verified Directory user keys, then re-import them into the External Users page.

You can also make sure external user Verified Directory keys are always available by building an Encryption Management Server to function as a dedicated Verified Directory server. Make sure that you add the Verified Directory server to your list of searchable key servers for any mail policy rule that requires it.

Additional Information

EPG-27231