2. Computers & electronics
  3. Software
  4. PGP
  5. Universal Server 2.6

PGP Universal Server 2.6 User guide

  • Hello! I am an AI chatbot trained to assist you with the PGP Universal Server 2.6 User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
PGP
®
Universal Server
Administrators Guide
Version Information
PGP Universal Server Administrators Guide. PGP Universal Server
(TM)
and PGP Universal Satellite version 2.6.3. Released August
2007.
Copyright Information
Copyright © 1991– 2007 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted
in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP
Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks and Rest Secured is a trademark of PGP Corporation in
the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of
Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red
Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus
Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark
of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company.
SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or
registered trademarks of Apple Computer, Inc. Symantec, the Symantec logo, and LiveUpdate are registered trademarks of
Symantec Corporation. All other registered and unregistered trademarks in this document are the sole property of their
respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST
encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corporation has secured a license to the patent rights
contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party
software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a
whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP
Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending
patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gaill, is used with permission from the free
Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the
Gnome project and distributed and copyrighted under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. • bzip2 1.0, a freely
available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. • Application server
(http://www.jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons
(http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache
Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, data-binding
framework for moving data from XML to Java programming language objects and from Java to databases, is released by the
ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an open-source
software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath
XML query language, is released under the Apache Software License, version 1.1, available at
http://xml.apache.org/xalan-j/#license1.1. • mx4j, an open-source implementation of the Java Management Extensions (JMX),
is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is
based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) • libxslt the XSLT C library developed for the
GNOME project and distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version
4.5 Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license
agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS)
protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) • Free BSD implementation of
daemon developed by The FreeBSD Project, © 1994-2006. • Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003,
Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and
Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these
is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed by Network Time Protocol and
copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright ©
1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.
• Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style
license, available at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free
implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. • Postfix, an open
source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. • PostgreSQ, a free software object-relational database management system,
is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version
of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used
by permission.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from
time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and
re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User
License Agreement provided with the software. The information in this document is subject to change without notice. PGP
Corporation does not warrant that the information meets your requirements or that the information is free of errors. The
information may include technical inaccuracies or typographical errors. Changes may be made to the information and
incorporated in new editions of this document, if and when made available by PGP Corporation.
iv
Contents
An Overview of the PGP Universal Server
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What is PGP Universal Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
PGP Universal Server Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Who Should Read This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Improvements in This Version of PGP Universal Server . . . . . . . . . . . . . . . . 2
Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Getting Assistance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Important Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Deploying your Server
3 Adding the PGP Universal Server to Your Network . . . . . . . . . . . . . 16
Server Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Using a Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Microsoft Exchange Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Lotus Domino Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4 Open Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
TCP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
UDP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5 Naming your PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing the PGP Universal Server Software
6 Installing the PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . 39
About the Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Installation Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
PGP Universal Administrator’s Guide Contents
v
Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Standard Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
PGP Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7 Setting Up the PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . 43
About the Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Preparing for Setup after pgp Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Initial Configuration with Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Primary or Secondary Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Restoring From a Server Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Migrating the Keys from a PGP Keyserver. . . . . . . . . . . . . . . . . . . . . . . . . . 61
8 Understanding the Administrative Interface . . . . . . . . . . . . . . . . . . . 63
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Logging In For the First Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Administrative Interface Map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
9 Licensing Your Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
License Changes for PGP Universal Server 2.5 and Later . . . . . . . . . . . . . . 74
Manual and Automatic Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing a PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing the AntiVirus Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing the File Blocking Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Licensing the Mail Proxy Feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
10 Operating in Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Purpose of Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Checking the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Managing Learn Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Organization Information
11 Managed Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Working with Managed Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
12 Managing Organization Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
PGP Universal Administrator’s Guide Contents
vi
Organization Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Organization Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Additional Decryption Key (ADK) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Verified Directory Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
13 Managing Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . 98
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Adding a Trusted Key or Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Inspecting and Changing Trusted Key Properties . . . . . . . . . . . . . . . . . . . 101
Deleting Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Searching for Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . 102
14 Recovering Encrypted Data in an Enterprise Environment . . . . . . 104
Using Key Reconstruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Recovering Encryption Key Material without Key Reconstruction. . . . . . . 105
Using an Additional Decryption Key for Data Recovery . . . . . . . . . . . . . . . 107
Managing Mail Processing
15 Setting Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Migrating Settings from Version 2.0.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Understanding the Pre-Installed Policy Chains. . . . . . . . . . . . . . . . . . . . . . 113
Mail Policy Outside the Mailflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Building Valid Chains and Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Using the Rule Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Managing Policy Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Managing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Adding Key Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Choosing Condition Statements, Conditions, and Actions. . . . . . . . . . . . . 127
Working with Common Access Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
16 Applying Key Not Found Settings to External Users . . . . . . . . . . . 139
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Changing Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Changing User Delivery Method Preference . . . . . . . . . . . . . . . . . . . . . . . 144
17 Using Dictionaries with Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Default Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
User-Defined Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
PGP Universal Administrator’s Guide Contents
vii
Exporting a Dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Searching the Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
18 Keyservers, SMTP Servers, and Mail Policy . . . . . . . . . . . . . . . . . . . 157
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Keyservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
SMTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
19 Managing Keys in the Key Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Changing Cached Key Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Searching the Key Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
20 Scanning Email for Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
AntiVirus Scanning and Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
The AntiVirus Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
AntiVirus Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Scanning Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
21 Blocking Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
File Blocking and Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Adding a Filename to be Blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
22 Configuring Mail Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
PGP Universal Server and Mail Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and Later . .
183
Mail Proxies Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Creating New or Editing Existing Proxies. . . . . . . . . . . . . . . . . . . . . . . . . . 184
Mail Processing Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
23 Email in the Mail Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Deleting Messages from the Mail Queue . . . . . . . . . . . . . . . . . . . . . . . . . 195
24 Specifying Mail Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Managing Mail Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
25 Customizing System Message Templates . . . . . . . . . . . . . . . . . . . . 201
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Editing a Message Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
PGP Universal Administrator’s Guide Contents
viii
Managing Users
26 Setting Internal User Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Managing Internal User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Downloading Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Choosing a Key Mode For Key Management . . . . . . . . . . . . . . . . . . . . . . 217
X.509 Certificate Management in Lotus Notes Environments. . . . . . . . . . 221
27 Using Directory Synchronization to Manage Users . . . . . . . . . . . . 226
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Enabling Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Excluding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Including Only Some Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Matching Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Base DN and Bind DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Understanding User Enrollment Methods . . . . . . . . . . . . . . . . . . . . . . . . . 234
Serving PGP Admin 8 Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
28 Configuring PGP Desktop Installations . . . . . . . . . . . . . . . . . . . . . . 240
PGP Desktop Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
PGP Whole Disk Encryption Administration. . . . . . . . . . . . . . . . . . . . . . . . 241
PGP Desktop Installer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Creating PGP Desktop Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configuring PGP Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
29 Setting External User Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Managing External User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
30 Configuring PGP Universal Web Messenger . . . . . . . . . . . . . . . . . . 266
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configuring the PGP Universal Web Messenger Service . . . . . . . . . . . . . 267
31 Configuring the PGP Verified Directory . . . . . . . . . . . . . . . . . . . . . . 272
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Enabling the PGP Verified Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring the PGP Verified Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
32 Managing Internal User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
PGP Universal Administrator’s Guide Contents
ix
Certificate Revocation Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Adding Internal Users Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Deleting Internal Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Approving Pending Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Searching for Internal Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Internal User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Key Reconstruction Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
33 Managing External User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Importing External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Deleting External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Searching for External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
External User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
34 Managing PGP Verified Directory User Accounts . . . . . . . . . . . . . . 298
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Importing Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
PGP Verified Directory User Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Deleting PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Exporting PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Searching for PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . 303
35 Managing Administrator Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . 304
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Creating a New Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Importing SSH v2 Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Deleting Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Inspecting and Changing the Settings of an Administrator . . . . . . . . . . . . 308
Daily Status Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
36 PGP Universal Satellite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Technical Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Distributing the PGP Universal Satellite Software . . . . . . . . . . . . . . . . . . . 312
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Policy and Key or Certificate Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
37 PGP Universal Satellite for Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . 324
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
PGP Universal Administrator’s Guide Contents
x
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Obtaining the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
38 PGP Universal Satellite for Windows . . . . . . . . . . . . . . . . . . . . . . . . 338
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Obtaining the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
MAPI Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Lotus Notes Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
39 Configuring the Integrated Keyserver . . . . . . . . . . . . . . . . . . . . . . . 354
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Configuring the Keyserver Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Managing Your PGP Universal Server
40 System Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CPU Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Message Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Recipient Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Recipient Domain Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
41 System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Filtering the Log View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Searching the Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Exporting a Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Enabling External Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
42 Shutting Down and Restarting Services and Power. . . . . . . . . . . . 367
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
PGP Universal Administrator’s Guide Contents
xi
Shutting Down and Restarting the PGP Universal Server Software Services .
369
Shutting Down and Restarting the PGP Universal Server Hardware. . . . . 370
43 Configuring SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Downloading the Custom MIB File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Configuring the SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
44 Setting Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Changing Interface Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Adding Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Deleting Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Editing Global Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Assigning a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Working with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
45 Clustering your PGP Universal Servers . . . . . . . . . . . . . . . . . . . . . . 385
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Clustering and PGP Universal Web Messenger. . . . . . . . . . . . . . . . . . . . . 386
Cluster Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Creating Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Deleting Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Changing Network Settings in Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Managing Secondary Settings in Clusters . . . . . . . . . . . . . . . . . . . . . . . . . 389
46 Protecting PGP Universal Server with Ignition Keys . . . . . . . . . . . 391
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Preparing Hardware Tokens to be Ignition Keys . . . . . . . . . . . . . . . . . . . . 392
Configuring a Hardware Token Ignition Key. . . . . . . . . . . . . . . . . . . . . . . . 394
Configuring a Soft-Ignition Passphrase Ignition Key . . . . . . . . . . . . . . . . . 395
Deleting Ignition Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
47 Backing Up and Restoring System and User Data . . . . . . . . . . . . . 397
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Creating Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Configuring the Backup Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Restoring From a Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
48 Updating PGP Universal Server Software . . . . . . . . . . . . . . . . . . . . 405
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
PGP Universal Administrator’s Guide Contents
xii
Inspecting Update Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Establishing Software Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Checking for New Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Uploading Update Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Manually Installing an Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
49 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
PGP Universal Administrator’s Guide Contents
xiii
SECTION 1
An Overview of the PGP
Universal Server
This section provides a high-level overview of the components, concepts, and terminology of the PGP Universal
Server. It also provides a high-level overview of the entire installation and setup process.
Chapter 1, “Introduction”
Chapter 2, “The Big Picture
1
1
Introduction
This Administrators Guide describes both the PGP Universal Server and PGP Universal
Satellite. It tells you how to get them up and running on your network, how to configure
them, and how to maintain them. This section provides a high-level overview of PGP
Universal Server. Topics include:
“What is PGP Universal Server?”
“PGP Universal Server Product Family” on page 2
“Who Should Read This Guide” on page 2
“Improvements in This Version of PGP Universal Server” on page 2
“Symbols” on page 3
“Getting Assistance” on page 4
What is PGP Universal Server?
PGP Universal Server provides multiple encryption solutions managed from a single
console.
PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it
transparently protects your enterprise messages with little or no user interaction.
The PGP Universal Server also replaces the PGP Keyserver product with a built-in
keyserver, and the PGP Admin product with PGP Desktop configuration and deployment
capabilities.
It automatically creates and maintains a Self-Managing Security Architecture (SMSA) by
monitoring authenticated users and their email traffic. You can also send protected
messages to addresses that are not part of the SMSA. The PGP Universal Server
encrypts, decrypts, signs, and verifies messages automatically, providing strong security
through policies you control.
PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP
security for email messages all the way to the computer of the email user, it allows
external users to become part of the SMSA, and it gives end users the option to create
and manage their keys on their own computer (if allowed by the PGP administrator).
PGP Universal Server Administrator’s Guide 1: Introduction
2
PGP Universal Server Product Family
PGP Universal Server functions as a management console for a variety of encryption
solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP
Universal Server to create and manage client installations. You can also purchase a
license that enables PGP Gateway Email to encrypt email in the mailstream.
The PGP Universal Server can manage any combination of PGP encryption applications.
PGP encryption applications are:
PGP Universal Gateway Email provides automatic email encryption in the gateway,
based on centralized mail policy. This product requires administration by the PGP
Universal Server.
PGP Desktop Email provides encryption at the desktop level for mail, files, and AOL
Instant Messenger traffic. This product can be managed by the PGP Universal
Server.
PGP Whole Disk Encryption provides encryption at the desktop level for an entire
disk. This product can be managed by the PGP Universal Server.
PGP NetShare provides transparent file encryption and sharing among desktops.
This product can be managed by the PGP Universal Server.
Who Should Read This Guide
This Administrators Guide is for the person or persons who will be implementing and
maintaining your organizations PGP Universal Server environment. These are the PGP
administrators.
This guide is also intended for anyone else who wants to learn about how PGP Universal
Server works.
Improvements in This Version of PGP Universal Server
This release of PGP Universal introduces the following new features:
“General” on page 3
“PGP Messaging” on page 3
“PGP Whole Disk Encryption” on page 3
“PGP Keys” on page 3
PGP Universal Server Administrator’s Guide 1: Introduction
3
General
PGP Messaging
PGP Whole Disk Encryption
PGP Keys
Symbols
Notes, Cautions, and Warnings are used in the following ways.
Changes in this
release
Microsoft Internet Explorer 7 support. The PGP Universal Server administrative
interface now runs in Internet Explorer 7.
Changes in this
release
PGP Verified Directory enhancements. You can now specify a “From” address that
will display on all PGP Verified Directory-initiated email messages.
Benefits
The customized sender address prevents your PGP Universal Server’s hostname from
appearing in the “From” email line.
Where to find
Services>Verified Directory screen.
For more
information
See Chapter 31, “Configuring the PGP Verified Directory” for more information.
Changes in this
release
PGP Whole Disk Encryption (WDE) Recovery Token encryption. Whole Disk
Recovery Tokens are now encrypted to the PGP Universal Server Ignition Key.
Benefits
Improves user data security.
Changes in this
release
Key Reconstruction for Mac OS X. Key reconstruction is now available in PGP
Desktop for Mac OS X.
Where to find
Policy>Internal User Policy screen.
For more
information
See Chapter 28, “Configuring PGP Desktop Installations” and Chapter 32, “Managing
Internal User Accounts” for more information on key reconstruction.
Caution
Notes are extra, but important, information. A Note calls your attention to important aspects
of the product. You will be able to use the product better if you read the Notes.
PGP Universal Server Administrator’s Guide 1: Introduction
4
Getting Assistance
Refer to these sections for additional resources.
Getting product information
The following documents and on-line help are companions to the PGP Universal
Administrator’s Guide. This guide occasionally refers to information that can be found in
one or more of the following sources:
PGP Universal Upgrade Guide—Describes the process of upgrading your PGP
Universal Server to version 2.6
PGP Universal Mail Policy Diagram—Provides a graphical representation of how
email is processed through mail policy. You can access this document via the PGP
Universal Server online help.
Tu t o r i a l s —Provides animated introductions on how to manage the mail policy
feature in PGP Universal Server, and how upgraded PGP Universal Server settings
migrate into the new mail policy feature.
You can also access all the documentation and tutorials by clicking the online help
icon in the upper-right corner of the PGP Universal Server screen.
The administrative interface and PGP Universal Satellite for Windows and Mac OS X
include online help.
PGP Universal and PGP Satellite release notes are also provided, which may have
last-minute information not found in the product documentation.
Once PGP Universal is released, additional information regarding the product is added to
the online Knowledge Base available on PGP Corporations Support Portal at
www.pgpsupport.com.
Contact information
All PGP customers have access to the comprehensive set of tools and discussion forums
available on the PGP Support Portal.
The PGP Support Portal provides access to tutorials, recent support briefs, the
Knowledge Base, and other valuable technical information.
You must have a valid support agreement to request Technical Support.
Caution
Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you
about a situation where problems could occur unless precautions are taken. Pay attention to
Cautions.
Caution
Warnings indicate the possibility of significant data loss or a major security breach. A
Warning means serious problems will occur unless you take the appropriate action. Please
take Warnings very seriously.
PGP Universal Server Administrator’s Guide 1: Introduction
5
Contacting Technical Support
To access the PGP Support Knowledge Base or request PGP Technical Support:
https://support.pgp.com. Note that you must have a valid support agreement to
request Technical Support.
To learn about PGP support options and how to contact PGP Technical Support:
http://www.pgp.com/support/
To access the PGP Universal section of the PGP Support forums: http://
forums.pgpsupport.com
For any other contacts at PGP, please visit the PGP Contacts Page: http://
www.pgp.com/company/contact/index.html.
For general information about PGP Corporation, please visit the PGP Web Site: http:/
/www.pgp.com.
PGP Universal Server Administrator’s Guide 1: Introduction
6
/