75.1 Personal Digital Certificates, Digital Signatures, and S/MIME Encryption

If desired, you can implement S/MIME encryption for GroupWise client users by installing various security providers on users’ workstations, including:

For additional providers, consult the Novell Partner Product Guide.

These products enable users to digitally sign and/or encrypt their messages using S/MIME encryption. When a sender digitally signs a message, the recipient is able to verify that the item was not modified en route and that it originated from the sender specified. When a sender encrypts a message, the sender ensures that the intended recipient is the only one who can read it. Digitally signed and/or encrypted messages are protected as they travel across the Internet, whereas native GroupWise encryption is removed as messages leave your GroupWise system.

After users have installed the S/MIME security providers on their workstations, you can configure default functionality for it in ConsoleOne (Domain, Post Office, or User object > Tools > GroupWise Utilities > Client Options > Send > Security > Secure Item Options). You can specify a URL from which you want users to obtain their S/MIME certificates. You can require the use of digital signatures and/or encryption, rather than letting users decide when to use them. You can even select the encryption algorithm and encryption key size if necessary. For more information, see Section 69.2.2, Modifying Send Options.

After you have configured S/MIME functionality in ConsoleOne, GroupWise users must select the security provider (Windows client > Tools > Options > Security > Send Options) and then obtain a personal digital certificate. Unless you installed Entrust, users can request certificates (Windows client > Tools > Options > Certificates > Get Certificate). If you provided a URL, users are taken to the Certificate Authority of your choice. Otherwise, certificates for use with GroupWise can be obtained from various certificate providers, including:

NOTE: Some certificate providers charge a fee for certificates and some do not.

After users have selected the appropriate security provider and obtained a personal digital certificate, they can protect their messages with S/MIME by digitally signing them (Windows client > Actions > Sign Digitally) and/or encrypting them (Windows client > Actions > Encrypt). Buttons are added to the GroupWise toolbar for convenient use on individual messages, or users can configure GroupWise to always use digital signatures and/or encryption (Windows client > Tools > Options > Security > Send Options). The messages they send with digital signatures and/or encryption can be read by recipients using any other S/MIME-enabled e-mail product.

GroupWise Windows client users are responsible for managing their personal digital certificates. Users can have multiple personal digital certificates. In the GroupWise client, users can view their own certificates, view the certificates they have received from their contacts, access recipient certificates from LDAP directories (see Section 76.4, Accessing S/MIME Certificates in an LDAP Directory for details), change the trust level on certificates, import and export certificates, and so on.

The certificates are stored in the local certificate store on the user’s workstation. They are not stored in GroupWise. Therefore, if a user moves to a different workstation, he or she must import the personal digital certificate into the certificate store on the new workstation, even though the same GroupWise account is being accessed.

If your system includes smart card readers on users’ workstations, certificates can be retrieved from this source as well, so that after composing a message, users can sign it by inserting their smart cards into their card readers. The GroupWise client picks up the digital signature and adds it to the message.

The GroupWise Windows client verifies the user certificate to ensure that it has not been revoked. It also verifies the Certificate Authority. If a certificate has expired, the GroupWise user receives a warning message.
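The two checks described above (a digitally signed item was not modified en route, and its certificate chains to a trusted Certificate Authority) can be reproduced outside GroupWise with any S/MIME implementation. The following is an added example, not part of this guide or the GroupWise client; it assumes an `openssl` command-line tool is installed and uses a constructed throwaway CA, a constructed user certificate, and a constructed one-line message.

```shell
#!/bin/sh
# Added example: exercise S/MIME signature verification with openssl.
# Everything below is created in a temporary directory; all names are placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed trusted CA and a user certificate it issues (no real PKI involved).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Mail CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice@example.test" \
    -keyout alice.key -out alice.csr >/dev/null 2>&1
openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out alice.pem >/dev/null 2>&1
# A second, unrelated CA standing in for an issuer the recipient does not trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout other.key -out other.pem >/dev/null 2>&1

# Constructed message body.
printf 'Approve the transfer.\n' > msg.txt

# Sign as multipart/signed (detached signature), the form mail clients exchange.
openssl smime -sign -text -in msg.txt -signer alice.pem -inkey alice.key \
    -out signed.eml

# verify_sig <signed-message> <trusted-ca-file>
# Returns 0 only when the signature matches the content AND the signer's
# certificate chains to the given CA.
verify_sig() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

verify_sig signed.eml ca.pem && echo "untouched message: signature OK"

# Alter one word of the body "en route"; same length, so the MIME structure
# is intact but the digest no longer matches.
sed 's/Approve/Decline/' signed.eml > tampered.eml
verify_sig tampered.eml ca.pem || echo "tampered message: signature REJECTED"

# The untouched message checked against a CA that did not issue the certificate.
verify_sig signed.eml other.pem || echo "unknown issuer: signature REJECTED"
```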

For complete details about using S/MIME encryption in the GroupWise Windows client, see Sending S/MIME Secure Messages in E-Mail in the GroupWise 8 Windows Client User Guide.

NOTE: S/MIME encryption is not available in the Linux/Mac client or the WebAccess client.

Any messages that are not digitally signed or encrypted are still protected by native GroupWise encryption as long as they are within your GroupWise system.