PGP Universal Server 2.6 User guide

PGP

®

Universal Server

Administrator’s Guide

Version Information

PGP Universal Server Administrator’s Guide. PGP Universal Server

(TM)

and PGP Universal Satellite version 2.6.3. Released August

2007.

Copyright Information

in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP

Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks and Rest Secured is a trademark of PGP Corporation in

the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of

Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red

Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus

Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark

of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company.

SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or

registered trademarks of Apple Computer, Inc. Symantec, the Symantec logo, and LiveUpdate are registered trademarks of

Symantec Corporation. All other registered and unregistered trademarks in this document are the sole property of their

respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST

encryption algorithm is licensed from Northern Telecom, Ltd. PGP Corporation has secured a license to the patent rights

contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block

Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party

software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a

whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP

Universal Server, contact PGP Support (http://www.pgp.com/support). PGP Corporation may have patents and/or pending

patent applications covering subject matter in this software or its documentation; the furnishing of this software or

documentation does not give you any license to these patents.

Acknowledgments

This product includes or may include:

• The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gaill, is used with permission from the free

Info-ZIP implementation, developed by zlib (http://www.zlib.net). • Libxml2, the XML C parser and toolkit developed for the

Gnome project and distributed and copyrighted under the MIT License found at

(http://www.jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons

(http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache

Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. • Castor, an open-source, data-binding

framework for moving data from XML to Java programming language objects and from Java to databases, is released by the

ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. • Xalan, an open-source

software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath

XML query language, is released under the Apache Software License, version 1.1, available at

http://xml.apache.org/xalan-j/#license1.1. • mx4j, an open-source implementation of the Java Management Extensions (JMX),

is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. • jpeglib version 6a is

based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) • libxslt the XSLT C library developed for the

GNOME project and distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. • PCRE version

agreement is at http://www.pcre.org/license.txt. • BIND Balanced Binary Tree Library and Domain Name System (DNS)

protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) • Free BSD implementation of

is at http://net-snmp.sourceforge.net/about/license.html. • NTP version 4.2 developed by Network Time Protocol and

copyrighted to various contributors. • Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP

1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html.

• Secure shell OpenSSH version 4.2.1 developed by OpenBSD project is released by the OpenBSD Project under a BSD-style

license, available at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. • PC/SC Lite is a free

implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. • Postfix, an open

source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at

http://www.opensource.org/licenses/ibmpl.php. • PostgreSQ, a free software object-relational database management system,

is released under a BSD-style license, available at http://www.postgresql.org/about/licence. • 21.vixie-cron is the Vixie version

by permission.

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from

time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and

re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User

License Agreement provided with the software. The information in this document is subject to change without notice. PGP

Corporation does not warrant that the information meets your requirements or that the information is free of errors. The

information may include technical inaccuracies or typographical errors. Changes may be made to the information and

incorporated in new editions of this document, if and when made available by PGP Corporation.

iv

Contents

An Overview of the PGP Universal Server

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

What is PGP Universal Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

PGP Universal Server Product Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Who Should Read This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Improvements in This Version of PGP Universal Server . . . . . . . . . . . . . . . . 2

Symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Getting Assistance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Important Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Deploying your Server

3 Adding the PGP Universal Server to Your Network . . . . . . . . . . . . . 16

Server Placement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Using a Mail Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Microsoft Exchange Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Lotus Domino Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4 Open Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

TCP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

UDP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5 Naming your PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Installing the PGP Universal Server Software

6 Installing the PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . 39

About the Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Installation Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

PGP Universal Administrator’s Guide Contents

v

Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Standard Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

PGP Installation Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

7 Setting Up the PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . 43

About the Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Preparing for Setup after pgp Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Initial Configuration with Setup Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Primary or Secondary Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Restoring From a Server Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Migrating the Keys from a PGP Keyserver. . . . . . . . . . . . . . . . . . . . . . . . . . 61

8 Understanding the Administrative Interface . . . . . . . . . . . . . . . . . . . 63

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Logging In For the First Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Administrative Interface Map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

9 Licensing Your Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

License Changes for PGP Universal Server 2.5 and Later . . . . . . . . . . . . . . 74

Manual and Automatic Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Licensing a PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Licensing the AntiVirus Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Licensing the File Blocking Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Licensing the Mail Proxy Feature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

10 Operating in Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Purpose of Learn Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Checking the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Managing Learn Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Organization Information

11 Managed Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Working with Managed Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

12 Managing Organization Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

PGP Universal Administrator’s Guide Contents

vi

Organization Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Organization Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Additional Decryption Key (ADK) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Verified Directory Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

13 Managing Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . 98

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Adding a Trusted Key or Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Inspecting and Changing Trusted Key Properties . . . . . . . . . . . . . . . . . . . 101

Deleting Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Searching for Trusted Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . 102

14 Recovering Encrypted Data in an Enterprise Environment . . . . . . 104

Using Key Reconstruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Recovering Encryption Key Material without Key Reconstruction. . . . . . . 105

Using an Additional Decryption Key for Data Recovery . . . . . . . . . . . . . . . 107

Managing Mail Processing

15 Setting Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Migrating Settings from Version 2.0.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Understanding the Pre-Installed Policy Chains. . . . . . . . . . . . . . . . . . . . . . 113

Mail Policy Outside the Mailflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Building Valid Chains and Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Using the Rule Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Managing Policy Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Managing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Adding Key Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Choosing Condition Statements, Conditions, and Actions. . . . . . . . . . . . . 127

Working with Common Access Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

16 Applying Key Not Found Settings to External Users . . . . . . . . . . . 139

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Changing Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Changing User Delivery Method Preference . . . . . . . . . . . . . . . . . . . . . . . 144

17 Using Dictionaries with Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Default Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

User-Defined Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

PGP Universal Administrator’s Guide Contents

vii

Exporting a Dictionary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Searching the Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

18 Keyservers, SMTP Servers, and Mail Policy . . . . . . . . . . . . . . . . . . . 157

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Keyservers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

SMTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

19 Managing Keys in the Key Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Changing Cached Key Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Searching the Key Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

20 Scanning Email for Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

AntiVirus Scanning and Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

The AntiVirus Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

AntiVirus Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Scanning Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

21 Blocking Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

File Blocking and Mail Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Adding a Filename to be Blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

22 Configuring Mail Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

PGP Universal Server and Mail Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Changes in Proxy Settings from PGP Universal Server 2.0 to 2.5 and Later . .

183

Mail Proxies Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Creating New or Editing Existing Proxies. . . . . . . . . . . . . . . . . . . . . . . . . . 184

Mail Processing Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

23 Email in the Mail Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Deleting Messages from the Mail Queue . . . . . . . . . . . . . . . . . . . . . . . . . 195

24 Specifying Mail Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Managing Mail Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

25 Customizing System Message Templates . . . . . . . . . . . . . . . . . . . . 201

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Editing a Message Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

PGP Universal Administrator’s Guide Contents

viii

Managing Users

26 Setting Internal User Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Managing Internal User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Downloading Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Choosing a Key Mode For Key Management . . . . . . . . . . . . . . . . . . . . . . 217

X.509 Certificate Management in Lotus Notes Environments. . . . . . . . . . 221

27 Using Directory Synchronization to Manage Users . . . . . . . . . . . . 226

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Enabling Directory Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Excluding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Including Only Some Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Matching Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Base DN and Bind DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Understanding User Enrollment Methods . . . . . . . . . . . . . . . . . . . . . . . . . 234

Serving PGP Admin 8 Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

28 Configuring PGP Desktop Installations . . . . . . . . . . . . . . . . . . . . . . 240

PGP Desktop Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

PGP Whole Disk Encryption Administration. . . . . . . . . . . . . . . . . . . . . . . . 241

PGP Desktop Installer Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Creating PGP Desktop Installers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Configuring PGP Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

29 Setting External User Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Managing External User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

30 Configuring PGP Universal Web Messenger . . . . . . . . . . . . . . . . . . 266

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Configuring the PGP Universal Web Messenger Service . . . . . . . . . . . . . 267

31 Configuring the PGP Verified Directory . . . . . . . . . . . . . . . . . . . . . . 272

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Enabling the PGP Verified Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Configuring the PGP Verified Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

32 Managing Internal User Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

PGP Universal Administrator’s Guide Contents

ix

Certificate Revocation Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Adding Internal Users Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Deleting Internal Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Approving Pending Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Searching for Internal Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Internal User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Key Reconstruction Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

33 Managing External User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Importing External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Deleting External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Searching for External Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

External User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

34 Managing PGP Verified Directory User Accounts . . . . . . . . . . . . . . 298

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Importing Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

PGP Verified Directory User Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Deleting PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Exporting PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Searching for PGP Verified Directory Users. . . . . . . . . . . . . . . . . . . . . . . . 303

35 Managing Administrator Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . 304

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Creating a New Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Importing SSH v2 Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

Deleting Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Inspecting and Changing the Settings of an Administrator . . . . . . . . . . . . 308

Daily Status Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

36 PGP Universal Satellite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Technical Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Distributing the PGP Universal Satellite Software . . . . . . . . . . . . . . . . . . . 312

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Policy and Key or Certificate Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

37 PGP Universal Satellite for Mac OS X. . . . . . . . . . . . . . . . . . . . . . . . 324

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

PGP Universal Administrator’s Guide Contents

x

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Obtaining the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

38 PGP Universal Satellite for Windows . . . . . . . . . . . . . . . . . . . . . . . . 338

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Obtaining the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

MAPI Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Lotus Notes Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

39 Configuring the Integrated Keyserver . . . . . . . . . . . . . . . . . . . . . . . 354

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Configuring the Keyserver Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

Managing Your PGP Universal Server

40 System Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

CPU Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Message Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Recipient Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Recipient Domain Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

41 System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Filtering the Log View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Searching the Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Exporting a Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Enabling External Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

42 Shutting Down and Restarting Services and Power. . . . . . . . . . . . 367

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

PGP Universal Administrator’s Guide Contents

xi

Shutting Down and Restarting the PGP Universal Server Software Services .

369

Shutting Down and Restarting the PGP Universal Server Hardware. . . . . 370

43 Configuring SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Downloading the Custom MIB File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

Configuring the SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

44 Setting Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

Changing Interface Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Adding Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Deleting Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Editing Global Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Assigning a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Working with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

45 Clustering your PGP Universal Servers . . . . . . . . . . . . . . . . . . . . . . 385

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Clustering and PGP Universal Web Messenger. . . . . . . . . . . . . . . . . . . . . 386

Cluster Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Creating Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Deleting Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Changing Network Settings in Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Managing Secondary Settings in Clusters . . . . . . . . . . . . . . . . . . . . . . . . . 389

46 Protecting PGP Universal Server with Ignition Keys . . . . . . . . . . . 391

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Preparing Hardware Tokens to be Ignition Keys . . . . . . . . . . . . . . . . . . . . 392

Configuring a Hardware Token Ignition Key. . . . . . . . . . . . . . . . . . . . . . . . 394

Configuring a Soft-Ignition Passphrase Ignition Key . . . . . . . . . . . . . . . . . 395

Deleting Ignition Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

47 Backing Up and Restoring System and User Data . . . . . . . . . . . . . 397

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

Creating Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

Configuring the Backup Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Restoring From a Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

48 Updating PGP Universal Server Software . . . . . . . . . . . . . . . . . . . . 405

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

PGP Universal Administrator’s Guide Contents

xii

Inspecting Update Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Establishing Software Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Checking for New Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Uploading Update Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Manually Installing an Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

49 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

PGP Universal Administrator’s Guide Contents

xiii

SECTION 1

An Overview of the PGP

Universal Server

This section provides a high-level overview of the components, concepts, and terminology of the PGP Universal

Server. It also provides a high-level overview of the entire installation and setup process.

 Chapter 1, “Introduction”

 Chapter 2, “The Big Picture”

1

Introduction

This Administrator’s Guide describes both the PGP Universal Server and PGP Universal

Satellite. It tells you how to get them up and running on your network, how to configure

them, and how to maintain them. This section provides a high-level overview of PGP

Universal Server. Topics include:

 “What is PGP Universal Server?”

 “PGP Universal Server Product Family” on page 2

 “Who Should Read This Guide” on page 2

 “Improvements in This Version of PGP Universal Server” on page 2

 “Symbols” on page 3

 “Getting Assistance” on page 4

What is PGP Universal Server?

PGP Universal Server provides multiple encryption solutions managed from a single

console.

PGP Universal Server with PGP Universal Gateway Email gives you secure messaging: it

transparently protects your enterprise messages with little or no user interaction.

The PGP Universal Server also replaces the PGP Keyserver product with a built-in

keyserver, and the PGP Admin product with PGP Desktop configuration and deployment

capabilities.

It automatically creates and maintains a Self-Managing Security Architecture (SMSA) by

monitoring authenticated users and their email traffic. You can also send protected

messages to addresses that are not part of the SMSA. The PGP Universal Server

encrypts, decrypts, signs, and verifies messages automatically, providing strong security

through policies you control.

PGP Universal Satellite, a client-side feature of PGP Universal Server, extends PGP

security for email messages all the way to the computer of the email user, it allows

external users to become part of the SMSA, and it gives end users the option to create

and manage their keys on their own computer (if allowed by the PGP administrator).

PGP Universal Server Administrator’s Guide 1: Introduction

2

PGP Universal Server Product Family

PGP Universal Server functions as a management console for a variety of encryption

solutions. You can purchase any of the PGP Desktop applications or bundles and use PGP

Universal Server to create and manage client installations. You can also purchase a

license that enables PGP Gateway Email to encrypt email in the mailstream.

The PGP Universal Server can manage any combination of PGP encryption applications.

PGP encryption applications are:

 PGP Universal Gateway Email provides automatic email encryption in the gateway,

based on centralized mail policy. This product requires administration by the PGP

Universal Server.

 PGP Desktop Email provides encryption at the desktop level for mail, files, and AOL

Instant Messenger traffic. This product can be managed by the PGP Universal

Server.

 PGP Whole Disk Encryption provides encryption at the desktop level for an entire

disk. This product can be managed by the PGP Universal Server.

 PGP NetShare provides transparent file encryption and sharing among desktops.

This product can be managed by the PGP Universal Server.

Who Should Read This Guide

This Administrator’s Guide is for the person or persons who will be implementing and

maintaining your organization’s PGP Universal Server environment. These are the PGP

administrators.

This guide is also intended for anyone else who wants to learn about how PGP Universal

Server works.

Improvements in This Version of PGP Universal Server

This release of PGP Universal introduces the following new features:

 “General” on page 3

 “PGP Messaging” on page 3

 “PGP Whole Disk Encryption” on page 3

 “PGP Keys” on page 3

PGP Universal Server Administrator’s Guide 1: Introduction

3

General

PGP Messaging

PGP Whole Disk Encryption

PGP Keys

Symbols

Notes, Cautions, and Warnings are used in the following ways.

Changes in this

release

Microsoft Internet Explorer 7 support. The PGP Universal Server administrative

interface now runs in Internet Explorer 7.

Changes in this

release

PGP Verified Directory enhancements. You can now specify a “From” address that

will display on all PGP Verified Directory-initiated email messages.

Benefits

The customized sender address prevents your PGP Universal Server’s hostname from

appearing in the “From” email line.

Where to find

Services>Verified Directory screen.

For more

information

See Chapter 31, “Configuring the PGP Verified Directory” for more information.

Changes in this

release

PGP Whole Disk Encryption (WDE) Recovery Token encryption. Whole Disk

Recovery Tokens are now encrypted to the PGP Universal Server Ignition Key.

Benefits

Improves user data security.

Changes in this

release

Key Reconstruction for Mac OS X. Key reconstruction is now available in PGP

Desktop for Mac OS X.

Where to find

Policy>Internal User Policy screen.

For more

information

See Chapter 28, “Configuring PGP Desktop Installations” and Chapter 32, “Managing

Internal User Accounts” for more information on key reconstruction.

Caution

Notes are extra, but important, information. A Note calls your attention to important aspects

of the product. You will be able to use the product better if you read the Notes.

PGP Universal Server Administrator’s Guide 1: Introduction

4

Getting Assistance

Refer to these sections for additional resources.

Getting product information

The following documents and on-line help are companions to the PGP Universal

Administrator’s Guide. This guide occasionally refers to information that can be found in

one or more of the following sources:

 PGP Universal Upgrade Guide—Describes the process of upgrading your PGP

Universal Server to version 2.6

 PGP Universal Mail Policy Diagram—Provides a graphical representation of how

email is processed through mail policy. You can access this document via the PGP

Universal Server online help.

 Tu t o r i a l s —Provides animated introductions on how to manage the mail policy

feature in PGP Universal Server, and how upgraded PGP Universal Server settings

migrate into the new mail policy feature.

You can also access all the documentation and tutorials by clicking the online help

icon in the upper-right corner of the PGP Universal Server screen.

 The administrative interface and PGP Universal Satellite for Windows and Mac OS X

include online help.

 PGP Universal and PGP Satellite release notes are also provided, which may have

last-minute information not found in the product documentation.

Once PGP Universal is released, additional information regarding the product is added to

the online Knowledge Base available on PGP Corporation’s Support Portal at

www.pgpsupport.com.

Contact information

All PGP customers have access to the comprehensive set of tools and discussion forums

available on the PGP Support Portal.

The PGP Support Portal provides access to tutorials, recent support briefs, the

Knowledge Base, and other valuable technical information.

You must have a valid support agreement to request Technical Support.

Caution

Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you

about a situation where problems could occur unless precautions are taken. Pay attention to

Cautions.

Caution

Warnings indicate the possibility of significant data loss or a major security breach. A

Warning means serious problems will occur unless you take the appropriate action. Please

take Warnings very seriously.

PGP Universal Server Administrator’s Guide 1: Introduction

5

Contacting Technical Support

 To access the PGP Support Knowledge Base or request PGP Technical Support:

https://support.pgp.com. Note that you must have a valid support agreement to

request Technical Support.

 To learn about PGP support options and how to contact PGP Technical Support:

http://www.pgp.com/support/

 To access the PGP Universal section of the PGP Support forums: http://

forums.pgpsupport.com

 For any other contacts at PGP, please visit the PGP Contacts Page: http://

www.pgp.com/company/contact/index.html.

 For general information about PGP Corporation, please visit the PGP Web Site: http:/

/www.pgp.com.

PGP Universal Server Administrator’s Guide 1: Introduction

6

Page is loading ...

PGP Universal Server 2.6 User guide

PGP Universal Server 2.6 User guide

Related papers

Other documents