Cannot upload a public key to Encryption Management Server from Encryption Desktop or PGP Command Line

Article ID: 201374

Products

  • Encryption Management Server
  • Gateway Email Encryption
  • Desktop Email Encryption
  • File Share Encryption
  • PGP Command Line

Issue/Introduction

The Encryption Management Server Verified Directory service allows external and/or internal users to upload public keys to Encryption Management Server.

An internal user is a user whose key has an email address domain that matches any of the domains listed on the Consumers / Managed Domains page of the Encryption Management Server administration console. For example, if the Managed Domains list contains the domain example.com, a user whose key has an email address of [email protected] is considered to be an internal user. All other keys are considered to belong to external users.

Users can upload keys to Verified Directory using its web interface.

Provided that the Encryption Management Server Keyserver service is running on the same interface as the Verified Directory service, users can also upload keys using PGP Command Line or Encryption Desktop.

PGP Command Line can upload keys over LDAP or LDAPS using the --keyserver-send switch. For example:

pgp --keyserver-send [email protected] --keyserver ldap://keys.example.com
pgp --keyserver-send [email protected] --keyserver ldaps://keys.example.com

Encryption Desktop users can upload keys by doing the following:

  1. Open Encryption Desktop. The default page is PGP Keys / All Keys.
  2. Right click on the key to upload and choose Send To.
  3. Select the name of a keyserver from the list.

By default, a managed Encryption Desktop has Symantec Encryption Server listed as one of its Send To locations. This is the Encryption Management Server that manages the client. However, attempting to upload to this location results in the error "Some keys could not be added to the server".

PGP Command Line may output "Server is unwilling to perform" errors:

# pgp --keyserver-send [email protected] --keyserver ldaps://keys.example.com
0x2A5147D1:keyserver send (2509:keyserver error)
ldaps://keys.example.com:keyserver send (3090:operation failed, Server is unwilling to perform)

Environment

Symantec Encryption Management Server, Symantec Encryption Desktop and PGP Command Line 10.5 and above.

Cause

The Symantec Encryption Server entry in the Encryption Desktop Keyservers list has a type of PGP Universal Services Protocol. It connects to Encryption Management Server over port 443. Keys cannot be uploaded using this connection, even if the Universal Services Protocol is enabled in Encryption Management Server.

Also, if the Verified Directory service and Keyserver service are not configured correctly in Encryption Management Server, neither Encryption Desktop nor PGP Command Line will be able to send keys to it.

Resolution

In Encryption Desktop, select Edit Keyservers from the Tools menu. Add the Encryption Management Server to Encryption Desktop as a separate Keyserver with a type of PGP Keyserver LDAP or PGP Keyserver LDAPS.

The new keyserver entry will appear in the Send To menu as one of the following, depending on whether the connection uses LDAP (port 389) or LDAPS (port 636):

  • ldap://keys.example.com
  • ldaps://keys.example.com

External user keys can then be uploaded to the new location using the Send To menu, provided the Verified Directory service and Keyserver service are configured correctly on Encryption Management Server.

Starting in release 10.5.1, users can create Verified Key Directory users by uploading S/MIME certificates. This functionality needs to be enabled in order for PGP keys to be sent to the Encryption Server from Encryption Desktop, as described in article 180146 which details how to configure Verified Directory.
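As an added illustration, not part of this article or of the Symantec products, the following Python script checks a keyserver URL for the LDAP/LDAPS scheme and port that the resolution calls for, and parses PGP Command Line "keyserver send" status lines to flag the 3090 "Server is unwilling to perform" refusal quoted above. The status-line format and the sample lines come from the article; the function names and the classification logic are my own.

```python
import re
from urllib.parse import urlsplit

# Scheme/port pairs used by a "PGP Keyserver LDAP" / "PGP Keyserver LDAPS" entry.
LDAP_PORTS = {"ldap": 389, "ldaps": 636}

# Matches PGP Command Line status lines of the form
#   <subject>:keyserver send (<code>:<detail>)
STATUS_RE = re.compile(r"^(?P<subject>.+?):keyserver send \((?P<code>\d+):(?P<detail>[^)]*)\)$")

# Sample output, reconstructed from the status lines quoted in the article.
SAMPLE_OUTPUT = """0x2A5147D1:keyserver send (2509:keyserver error)
ldaps://keys.example.com:keyserver send (3090:operation failed, Server is unwilling to perform)
"""


def check_keyserver_url(url):
    """Return None if url is an LDAP/LDAPS keyserver URL that can accept uploads, else a reason."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in LDAP_PORTS:
        # The default "Symantec Encryption Server" entry (PGP Universal Services Protocol,
        # port 443) is not an LDAP keyserver and cannot accept key uploads.
        return f"scheme '{scheme}' cannot accept key uploads; use ldap:// (389) or ldaps:// (636)"
    port = parts.port or LDAP_PORTS[scheme]
    if port != LDAP_PORTS[scheme]:
        return f"{scheme} keyserver entries use port {LDAP_PORTS[scheme]}, got {port}"
    return None


def parse_send_output(text):
    """Parse 'keyserver send' status lines into (subject, code, detail) tuples."""
    results = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            results.append((m.group("subject"), int(m.group("code")), m.group("detail")))
    return results


def diagnose(url, output):
    """Combine the URL check with the error codes seen in the command output."""
    findings = []
    reason = check_keyserver_url(url)
    if reason:
        findings.append(reason)
    for subject, code, detail in parse_send_output(output):
        if code == 3090 and "unwilling to perform" in detail.lower():
            findings.append(f"{subject}: upload refused (3090); check that the Verified Directory "
                            "and Keyserver services are enabled on the same interface")
    return findings
```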


Additional Information

EPG-35249