| Oracle® Application Server Certificate Authority Administrator's Guide 10g (10.1.4.0.1) Part Number B15989-01 |
|
|
View PDF |
| Oracle® Application Server Certificate Authority Administrator's Guide 10g (10.1.4.0.1) Part Number B15989-01 |
|
|
View PDF |
S/MIME applications, such as Outlook, Mozilla, or Netscape mail clients, can sign and encrypt mail messages based on PKI.
A sender can sign a message by using his signing private key and the recipient can verify the signature by using the sender's signing certificate (usually sent along with the signed mail message).
A sender can encrypt a message by using the recipient's encryption certificate and recipient can decrypt the message by using his encryption private key.
Users can request and get signing, or encryption, or both types of certificates from OracleAS Certificate Authority using browser (Internet Explorer, Mozilla or Netscape).
Setting up S/MIME operations involves getting certificates and establishing the SMIME parameters.
To get the S/MIME certificates from OracleAS Certificate Authority, please refer to"User Certificates Tab" in Chapter 8, "End-User Interfaceof the Oracle Application Server Certificate Authority". Be sure to install the certificate into the browser.
A user can get a single certificates that does both signing and encryption, but security is better when each user gets two certificates: one for signing and one for encryption. The signing key should be kept securely on the user's machine or smart card for non-repudiation purpose. The encryption key should be archived for recovering the encrypted message if the encryption key is lost.
You can set your S/MIME parameters in an Outlook Mail client or a Mozilla/Netscape Mail client.
In Outlook, select Tools-->Options-->Security-->Setup Secure Email:
In Security Settings Name, put the name you want.
In Certificates and Algorithms:
Choose your signing certificate. You will sign outgoing message by using this certificate.
Choose your encryption certificate. People will encrypt messages sent to you by using this certificate.
Check the box Send these certificates with signed messages.
Click OK repeatedly to finish this setting process.
In a Mozilla/Netscape Mail client, select Edit-->Mail & Newsgroups Account Settings-->Security:
In the Digital Signing pane, click Select to choose the signing certificate you created for that purpose.
In the Encryption pane, click Select to choose the encryption certificate you created for that purpose. (The same certificate can server both purposes if the Usage you selected included both Encryption and Signing.)
Notifications are sent by OCA to the administrator and users. These notifications can be encrypted using SMIME: see the "Notification Sub-tab" section in Chapter 5, "Configuring Oracle Application Server Certificate Authority".
After composing the mail message, do the following steps before sending the message:
In Outlook, take these steps to encrypt your message, or sign it, or both:
To encrypt the message, go to Options and check the box Encrypt message contents and attachments. Make sure that you have the encryption certificate for each and every recipient. (To get a recipient's encryption certificate, see "Getting Other People's Encryption Certificates".)
To sign the message, go to Options and check the box Add digital signature to outgoing message.
You can read an encrypted message if you have the private key of the certificate used to encrypt the message. This key also enables you to verify the signature of the sender, if you trust the CA that signs the sender's signing certificate. To view the security information of the message, click the message, and then do the following steps corresponding to your particular mail client:
You can encrypt messages you intend to send to a particular recipient by using that recipient's certificate. You can acquire those certificates as follows:
If you receive a message that includes the sender's encryption certificate, then that certificate will automatically be saved in your certificate store.
You can ask people to send you their encryption certificates (with no private key), which you can then save in your certificate store.
You could also retrieve encryption certificates from an LDAP directory:
In Outlook, the following circumstances cause automatic retrieval of another user's certificate from the LDAP directory.
If you are using Internet Only mode with a standard LDAP server, sending an encrypted e-mail message to a user in that LDAP server causes retrieval of his certificate. For this to work, you must be enrolled in S/MIME security and you must have a Digital ID for your e-mail account.
When you use Corporate/Workgroup mode with Microsoft Exchange Server, you can obtain certificates from the Global Address Book. You must be enrolled in Exchange Advanced Security.
In Mozilla, getting certificates automatically from LDAP is not yet supported.
Using LDAP commands directly, you could retrieve each desired certificate from the directory, store it in a file, and finally save it into your certificate store.
