Personal Digital Certificates, Digital Signatures, and S/MIME Encryption

If desired, you can enhance native GroupWise encryption with S/MIME encryption for GroupWise client users by installing various security providers on users' workstations, including:

These products enable users to digitally sign and/or encrypt their messages using S/MIME encryption. When a sender digitally signs a message, the recipient is able to verify that the item was not modified en route and that it originated from the sender specified. When a sender encrypts a message, the sender ensures that the intended recipient is the only one who can read it. Digitally signed and/or encrypted messages are protected as they travel across the Internet, whereas native GroupWise encryption is removed as messages leave your GroupWise system.
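The signing and encryption guarantees described above can be reproduced outside GroupWise with the OpenSSL command-line tool. The following is an added example, not part of the GroupWise documentation or product; the self-signed certificate (standing in for a personal digital certificate), the message text, the file names, and the function names are all constructed for the demonstration, and AES-256 is chosen only to show that the algorithm is selectable.

```shell
#!/bin/sh
# Added illustration (not GroupWise code): what S/MIME signing and encryption
# give the recipient, shown with the OpenSSL CLI. All names and files are constructed.

setup_demo() {
    WORK=$(mktemp -d) || return 1
    # Self-signed certificate standing in for a user's personal digital certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Sender" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null || return 1
    printf 'Quarterly figures attached.\n' > "$WORK/msg.txt"
}

sign_message() {    # sender: produces a clear-signed multipart/signed message
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$WORK/signed.eml" 2>/dev/null
}

verify_message() {  # recipient: $1 = message file; status 0 only if the signature is valid
    openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" -out /dev/null 2>/dev/null
}

tamper_message() {  # simulate a modification en route
    sed 's/Quarterly/Revised/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

encrypt_message() { # sender encrypts to the recipient's certificate (public key)
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" \
        -out "$WORK/enc.eml" "$WORK/cert.pem" 2>/dev/null
}

decrypt_message() { # only the private-key holder recovers the original text
    openssl smime -decrypt -in "$WORK/enc.eml" -recip "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" 2>/dev/null | tr -d '\r' | cmp -s - "$WORK/msg.txt"
}

ciphertext_hides_body() { # the message text must not appear in the encrypted file
    ! grep -q 'Quarterly' "$WORK/enc.eml"
}

# Stand-alone run of the whole exchange.
setup_demo && sign_message && verify_message "$WORK/signed.eml" && echo "signature valid"
tamper_message; verify_message "$WORK/tampered.eml" || echo "tampered message rejected"
encrypt_message && decrypt_message && ciphertext_hides_body && echo "readable only by key holder"
rm -rf "$WORK"
```
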

Once users have installed the S/MIME security providers on their workstations, you can configure default functionality for them in ConsoleOne® (Domain, Post Office, or User object > Tools menu > GroupWise Utilities > Client Options > Send > Security tab). You can specify a URL from which you want users to obtain their S/MIME certificates. You can require the use of digital signatures and/or encryption, rather than letting users decide when to use them. You can even select the encryption algorithm and encryption key size if necessary. For more information, see Modifying Send Options.

After you have configured S/MIME functionality in ConsoleOne, GroupWise users must select the security provider (Tools menu > Options > Security > Send Options) and then obtain a personal digital certificate. Unless you installed Entrust, users can request certificates in the GroupWise client (Tools menu > Options > Certificates > Get Certificate). If you provided a URL, users are taken to the Certificate Authority of your choice. Otherwise, certificates for use with GroupWise can be obtained from various certificate providers, including:

NOTE: Some certificate providers charge a fee for certificates and some do not.

After users have selected the appropriate security provider and obtained a personal digital certificate, they can protect their messages with S/MIME encryption by digitally signing them (Actions > Sign Digitally) and/or encrypting them (Actions > Encrypt). Buttons are added to the GroupWise toolbar for convenient use on individual messages, or users can configure GroupWise to always use digital signatures and/or encryption (Tools menu > Options > Security > Send Options tab). The messages they send with digital signatures and/or encryption can be read by recipients using any other S/MIME-enabled e-mail products.

GroupWise client users are responsible for managing their personal digital certificates. Users can have multiple personal digital certificates. In the GroupWise client, users can view their own certificates, view the certificates they have received from their contacts, access recipient certificates from LDAP directories (see Accessing S/MIME Certificates in an LDAP Directory for details), change the trust level on certificates, import and export certificates, and so on.

The certificates are stored in the local certificate store on the user's workstation. They are not stored in GroupWise. Therefore, if a user moves to a different workstation, he or she must import the personal digital certificate into the certificate store on the new workstation, even though the same GroupWise account is being accessed.

If your system includes smart card readers on users' workstations, certificates can be retrieved from this source as well, so that after composing a message, users can sign it by inserting their smart cards into their card readers. The GroupWise client picks up the digital signature and adds it to the message.

The GroupWise client verifies the user certificate to ensure that it has not been revoked. It also verifies the Certificate Authority. If a certificate has expired, the GroupWise user receives a warning message.

For complete details about using S/MIME encryption in the GroupWise Windows client, see "Sending Secure Message (S/MIME)" in the GroupWise 6.5 Windows Client User Guide. S/MIME encryption is not available in the WebAccess client.

Any messages that are not digitally signed or encrypted are still protected by native GroupWise encryption as long as they are within your GroupWise system.