search cancel

Encryption Management Server allows key searches using wildcards

book

Article ID: 229269

calendar_today

Updated On:

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

If Encryption Management Server is configured to allow third parties to perform key searches using LDAP or LDAPS, by default it will allow wildcard searches and return the first 100 matches.

For example, a third party could search for a* and return the first 100 email addresses beginning with the letter A.

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

Wildcard searches can be disabled by adding an entry to the /etc/ovid/prefs.xml file. In addition, the number of results returned can be reduced from the default of 100 by adding another entry to the /etc/ovid/prefs.xml file.

To disable wildcard searches and limit the results to 10, please do the following:

  1. ssh to Encryption Management Server.
  2. Backup the file /etc/ovid/prefs.xml:
    cp /etc/ovid/prefs.xml /etc/ovid/prefs.xml.bak
  3. Edit /etc/ovid/prefs.xml and change this:
        </keyserver>
        <crl>

    to this:
            <max-keysearch-results>10</max-keysearch-results>
            <allow-substring-key-search>false</allow-substring-key-search>
        </keyserver>
        <crl>
  4. Restart the ldap service:
    pgpsysconf --restart ldap
  5. Repeat the above steps on all cluster members that allow key lookups from third parties.