If desired, you can implement S/MIME encryption for GroupWise client users by installing various security providers on users’ workstations, including:
Microsoft Base Cryptographic Provider 1.0 or later (included with Internet Explorer 4.0 or later)
For additional providers, consult the Novell Partner Product Guide.
These products enable users to digitally sign and encrypt their messages using S/MIME encryption. When a sender digitally signs a message, the recipient is able to verify that the item was not modified en route and that it originated from the sender specified. When a sender encrypts a message, the sender ensures that the intended recipient is the only one who can read it. Digitally signed and encrypted messages are protected as they travel across the Internet, but native GroupWise encryption is removed as messages leave your GroupWise system.
After users have installed an S/MIME security provider on their workstations, you can configure default functionality for it in ConsoleOne (Domain, Post Office, or User object > Section 76.2.2, Modifying Send Options.). You can specify a URL from which you want users to obtain their S/MIME certificates. You can require the use of digital signatures and encryption, rather than letting users decide when to use them. You can even select the encryption algorithm and encryption key size if necessary. For more information, see
After you have configured S/MIME functionality in ConsoleOne, GroupWise users must select the security provider (Windows client >) and then obtain a personal digital certificate. Unless you installed Entrust, users can request certificates (Windows client > ). If you provided a URL, users are taken to the certificate authority of your choice. Otherwise, certificates for use with GroupWise can be obtained from various certificate providers, including:
NOTE:Some certificate providers charge a fee for certificates and some do not.
After users have selected the appropriate security provider and obtained a personal digital certificate, they can protect their messages with S/MIME encryption by digitally signing them (Windows client >) and encrypting them (Windows client > ). Buttons are added to the GroupWise toolbar for convenient use on individual messages, or users can configure GroupWise to always use digital signatures and encryption (Windows client > ). The messages they send with digital signatures and encryption can be read by recipients using any other S/MIME-enabled email product.
GroupWise Windows client users are responsible for managing their personal digital certificates. Users can have multiple personal digital certificates. In the GroupWise client, users can view their own certificates, view the certificates they have received from their contacts, access recipient certificates from LDAP directories (see Section 83.4, Accessing S/MIME Certificates in an LDAP Directory for details), change the trust level on certificates, import and export certificates, and so on.
The certificates are stored in the local certificate store on the user’s workstation. They are not stored in GroupWise. Therefore, if a user moves to a different workstation, he or she must import the personal digital certificate into the certificate store on the new workstation, even though the same GroupWise account is being accessed.
If your system includes smart card readers on users’ workstations, certificates can also be retrieved from this source, so that after composing a message, users can sign them by inserting their smart cards into the card readers. The GroupWise client picks up the digital signature and adds it to the message.
The GroupWise Windows client verifies the user certificate to ensure that it has not been revoked. It also verifies the certificate authority. If a certificate has expired, the GroupWise user receives a warning message.
NOTE:S/MIME encryption is not available in GroupWise WebAccess.
Any messages that are not digitally signed or encrypted are still protected by native GroupWise encryption as long as they are within your GroupWise system.