90.1 Personal Digital Certificates, Digital Signatures, and S/MIME Encryption

If desired, you can implement S/MIME encryption for GroupWise client users by installing various security providers on users’ workstations, including:

For additional providers, consult the Novell Partner Product Guide.

These products enable users to digitally sign and encrypt their messages using S/MIME encryption. When a sender digitally signs a message, the recipient is able to verify that the item was not modified en route and that it originated from the sender specified. When a sender encrypts a message, the sender ensures that the intended recipient is the only one who can read it. Digitally signed and encrypted messages are protected as they travel across the Internet, but native GroupWise encryption is removed as messages leave your GroupWise system.

After users have installed an S/MIME security provider on their workstations, you can configure default functionality for it (GroupWise Admin console > Domain object, Post Office object, or User object > Client Options > Send > Security > Secure Item Options). You can specify a URL from which you want users to obtain their S/MIME certificates. You can require the use of digital signatures and encryption, rather than letting users decide when to use them. You can even select the encryption algorithm and encryption key size if necessary. For more information, see Send Options: Security.

After you have configured S/MIME functionality in the GroupWise Admin console, GroupWise users must select the security provider (GroupWise client > Tools > Options > Security > Send Options) and then obtain a personal digital certificate. Unless you installed Entrust, users can request certificates (GroupWise client > Tools > Options > Certificates > Get Certificate). If you provided a URL, users are taken to the certificate authority of your choice. Otherwise, certificates for use with GroupWise can be obtained from various certificate providers, including:

NOTE: Some certificate providers charge a fee for certificates and some do not.

After users have selected the appropriate security provider and obtained a personal digital certificate, they can protect their messages with S/MIME encryption by digitally signing them (GroupWise client > Actions > Sign Digitally) and encrypting them (GroupWise client > Actions > Encrypt). Buttons are added to the GroupWise toolbar for convenient use on individual messages, or users can configure GroupWise to always use digital signatures and encryption (GroupWise client > Tools > Options > Security > Send Options). The messages they send with digital signatures and encryption can be read by recipients using any other S/MIME-enabled email product.

GroupWise client users are responsible for managing their personal digital certificates. Users can have multiple personal digital certificates. In the GroupWise client, users can view their own certificates, view the certificates they have received from their contacts, access recipient certificates from LDAP directories, change the trust level on certificates, import and export certificates, and so on. For more information, see Section 91.3, Accessing S/MIME Certificates in an LDAP Directory.

The certificates are stored in the local certificate store on the user’s workstation. They are not stored in GroupWise. Therefore, if a user moves to a different workstation, he or she must import the personal digital certificate into the certificate store on the new workstation, even though the same GroupWise account is being accessed.

If your system includes smart card readers on users’ workstations, certificates can also be retrieved from this source. After composing a message, users can sign it by inserting their smart cards into the card readers. The GroupWise client picks up the digital signature and adds it to the message.

The GroupWise client verifies the user certificate to ensure that it has not been revoked. It also verifies the certificate authority. If a certificate has expired, the GroupWise user receives a warning message.
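
The following PowerShell script is an added example, not part of the GroupWise documentation or product. It assumes a Windows workstation whose local certificate store is `Cert:\CurrentUser\My`, and reports for each certificate usable for secure email the same properties described above: expiration, trust chain, and revocation status, plus whether the private key is present (relevant before moving a user to a new workstation). The function names are hypothetical.

```powershell
# Added example. Assumes Windows and the per-user "Personal" (My) certificate store.
$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email EKU)

function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Return the OIDs listed in the Enhanced Key Usage extension, if one exists.
    $ext = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Build the chain to a trusted root with online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk  = $chain.Build($Certificate)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        DaysLeft      = [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
        HasPrivateKey = $Certificate.HasPrivateKey   # needed to sign and to decrypt
        ChainValid    = $chainOk                     # false if untrusted, expired, or revoked
        ChainProblems = ($problems -join ', ')
    }
}

Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $ekus = @(Get-EkuOid -Certificate $_)
        # A certificate without an EKU extension is not restricted to specific purposes.
        $ekus.Count -eq 0 -or $ekus -contains $EmailProtectionOid
    } |
    ForEach-Object { Test-SmimeCertificate -Certificate $_ } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

A certificate that shows `HasPrivateKey` as `False` can verify or encrypt to someone else but cannot sign or decrypt, so it is not sufficient on its own when a user's certificate is moved to another workstation.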

For complete details about using S/MIME encryption in the GroupWise client, see Sending S/MIME Secure Messages in the GroupWise 2014 R2 Client User Guide.

NOTE: S/MIME encryption is not available in GroupWise WebAccess.

Any messages that are not digitally signed or encrypted are still protected by native GroupWise encryption as long as they are within your GroupWise system.