Sun Java System Messaging Server 6.3 Administration Guide

24.3 Requirements for Using S/MIME

The signature and encryption features are not immediately available to Communications Express Mail users after you install Messaging Server. Before a user can take advantage of S/MIME, the requirements described in this section must be met.

24.3.1 Private and Public Keys

At least one private and public key pair, including a certificate in standard X.509 v3 format, must be issued to each Communications Express Mail user who will use S/MIME. The certificate, used in a verification process, assures other mail users that the keys really belong to the person who uses them. A user can have more than one key pair and associated certificate.

Keys and their certificates are issued from within your organization or purchased from a third-party vendor. Regardless of how the keys and certificates are issued, the issuing organization is referred to as a certificate authority (CA).

Key pairs and their certificates are stored in one of two ways, on a smart card or on the client machine, as described in the next two sections.

24.3.2 Keys Stored on Smart Cards

If the private-public key pair, with its certificate, is stored on a smart card, a card reader must be properly attached to the mail user’s computer. The card reading device also requires software; the device and its software are supplied by the vendor from whom you purchase this equipment.

A system with card reading capabilities has two parts. One part is the hardware card reader and its driver. The second part is the card itself, which is usually provided by a different vendor and requires its own drivers before the card can be read. Not all cards are supported. Refer to Table 24–1 for the list of supported smart cards (ActiveCard, now renamed ActiveIdentity, and NetSign).

Once the reader is properly installed, a mail user inserts their smart card into the reading device when they want to create a digital signature for an outgoing message. After the smart card password is verified, Communications Express Mail can access the private key to sign the message. See 24.2 Required Software and Hardware Components for information on supported smart cards and reading devices.

Libraries from the vendor of the smart card are required on the user’s computer. See 24.8 Key Access Libraries for the Client Machines for more information.

24.3.3 Keys Stored on the Client Machine

If key pairs and certificates are not stored on smart cards, they must be kept in a local key store on the mail user’s computer (client machine). The user’s browser provides the key store and also has commands to download a key pair and certificate into it. Whether the key store is password-protected depends on the browser.

Libraries from the vendor of the browser are required on the user’s computer to support a local key store. See 24.8 Key Access Libraries for the Client Machines for more information.

24.3.4 Publish Public Keys in LDAP Directory

All public keys and certificates must also be stored in an LDAP directory accessible through Sun Java System Directory Server. This is referred to as publishing the public keys, because it makes them available to other mail users who are creating S/MIME messages.

Public keys of the sender and receiver are used when encrypting and decrypting an encrypted message. Public key certificates are used to verify digital signatures that were created with the corresponding private keys.

See 24.11 Managing Certificates for information on using ldapmodify to publish the public keys and certificates.
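The following LDIF, an added example that is not taken from this guide, shows the shape of an ldapmodify update that publishes a user’s DER-encoded certificate. The user DN, host name, certificate file path and the userCertificate;binary attribute name are assumptions for illustration; take the attribute name and DN layout for your deployment from 24.11 Managing Certificates.

```ldif
# Assumed invocation (host, port and bind DN are placeholders):
#   ldapmodify -h ldap.example.com -p 389 -D "cn=Directory Manager" -w - -f publish-cert.ldif
#
# The "< file://" form loads the raw DER bytes of the certificate from disk,
# so the value is stored as binary rather than as a base64 text string.
dn: uid=jdoe,ou=People,o=example.com,o=isp
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///tmp/jdoe-smime.der
```

Publishing adds a second certificate alongside the first if the user has more than one key pair, so verify with ldapsearch that the entry carries exactly the certificates you intend other users to encrypt to.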

24.3.5 Give Mail Users Permission to Use S/MIME

To create a signed or encrypted message, a valid Communications Express Mail user must have permission to do so. Permission is controlled by the mailAllowedServiceAccess and mailDomainAllowedServiceAccess LDAP attributes, which include or exclude mail users from S/MIME on an individual or domain basis.

See 24.10 Granting Permission to Use S/MIME Features for more information.

24.3.6 Multi-language Support

A Communications Express Mail user who only uses English for their mail messages might not be able to read an S/MIME message that contains non-Latin characters, such as Chinese. One cause is that the Java 2 Runtime Environment (JRE) installed on the user’s machine does not have the charsets.jar file in its lib directory.

The charsets.jar file is not installed when the English version of the JRE is installed using the default installation process. It is installed for all other language choices of a default installation.

To ensure that the charsets.jar file is installed in the lib directory, instruct your users to choose the custom installation when installing the English version of the JRE, and to select the “Support for Additional Languages” option during the installation process.