1 Installing Oracle IRM Desktop on Client Computers

Oracle IRM Desktop can be installed by anyone intending to use the product to read documents that have been sealed using Oracle IRM encryption technology, or to seal documents. The person installing the product must have administrator rights for the computer on which it is being installed. Many organizations do not give administrator rights to individual users, in which case the organization's IT specialists should install the product.

This section explains the process of installing Oracle IRM Desktop on client computers.

1.1 System Requirements

Supported operating systems, browsers, and third-party applications

The latest requirements are detailed on the certification matrix documents available from the following location on the Oracle Technology Network:

http://www.oracle.com/technology/software/products/ias/files/fusion_certification.htm

Installation privileges

The installation requires administrator privileges or elevated privileges.

1.2 Installing Oracle IRM Desktop

Note:

If you are reading this section in the online help, then Oracle IRM Desktop is already installed.

Oracle IRM Desktop is typically downloaded and installed from a web page. The web page might be hosted by Oracle IRM, or by another organization. Typically, you will be told the address of the download site.

  1. Close all instances of Microsoft Word, PowerPoint, Excel, and Outlook.

  2. Uninstall any previous version of Oracle IRM Desktop or the SealedMedia Unsealer or Desktop software.

  3. Go to the Oracle IRM Desktop download site.

  4. Follow any instructions on the Oracle IRM Desktop download site for downloading the installation file.

  5. Run the downloaded installation file and follow the installation wizard.

Do not attempt to install Oracle IRM Desktop on a mapped drive or on a drive defined using the subst command.

Silent and unattended installations are also supported (see Section 1.5, "Silent and Unattended Installations").

1.3 Upgrading Oracle IRM Desktop

You can upgrade to this version of Oracle IRM Desktop from version 5.5 onwards, by running the installation wizard on the computer that has the older version.

For versions earlier than 5.5, or from any version of SealedMedia Unsealer or Desktop, you can upgrade to this version only by uninstalling the older version and installing this one.

Caution:

When upgrading from versions of Oracle IRM Desktop earlier than version 11.1, you will lose the rights that are stored locally to use sealed documents (the rights that enable you to continue working when you are offline). When this happens, you will have to obtain new rights by going online and synchronizing with the server. For this reason, do not begin an upgrade unless you have online access to the server. (You can cause resynchronization by opening an existing sealed file.)

1.4 Uninstalling Oracle IRM Desktop

Caution:

If you uninstall Oracle IRM Desktop from a computer, you will not be able to use the computer to read sealed documents.

To uninstall Oracle IRM Desktop from a computer, you need administrator rights for that computer.

Use the Control Panel Add/Remove Programs dialog to uninstall Oracle IRM Desktop, if required. Alternatively, run the installer and you will be offered the option to uninstall.

Uninstalling Oracle IRM Desktop does not delete your local rights database from your system. If you re-install, your existing rights will still be available.

1.5 Silent and Unattended Installations

Silent and unattended installations are intended to be made by IT specialists with full administrator rights for all the client computers.

1.5.1 About Silent and Unattended Installations

The Oracle IRM Desktop installation package is a self-extracting executable that contains an MSI installer. If you are the network administrator for many Oracle IRM Desktop users, you can use the installer to manage silent installations and preconfigure settings.

You can either pass arguments to the self-extracting executable, or run it once to extract the MSI installer and then use msiexec.exe to pass arguments directly to the MSI. If you deploy through a Group Policy Object (GPO), however, the standard way to set parameters is to use Orca from the Windows SDK to create MST files that set the required arguments, and then to apply that transform and the MSI together in the GPO.

The following example shows how to pass arguments directly to an extracted MSI installer:

msiexec /i "OracleIRMDesktop_en.msi" /qn EMAIL_OUTLOOK_ACTIVATED=1

The following shows how to achieve the same effect by passing arguments to the self-extracting executable:

"OracleIRMDesktop_en.exe" /v' /qn EMAIL_OUTLOOK_ACTIVATED=1'

The /v argument signifies that the arguments enclosed in the single quotes are to be passed to the MSI installer within the executable.

Most of the configurable settings relate to the functional subcomponents of Oracle IRM Desktop:

  • Oracle IRM Desktop - controls access to sealed documents

  • Desktop sealing - integrates sealing options into Windows Explorer

  • Synchronization manager - automates rights synchronization

  • Search integration - integrates with search facilities

  • Email integration - integrates with popular email applications such as Microsoft Outlook

After installation, the above settings are accessible by right-clicking the Oracle IRM icon in the Windows notification area (tooltray) and selecting Options.

There are also configurable settings for:

  • authentication

  • legacy server authentication types

  • clean-up of local data

The following sections provide information about the configurable settings. All components have valid defaults that enable a user to open and work with sealed documents, subject to their rights, immediately after installation. Configuration of settings during installation is optional.

1.5.2 Oracle IRM Desktop Settings

The Oracle IRM Desktop settings that you can preconfigure are as follows:

UNSEALER_OFFICEENABLED
  Description: Determines whether the integration with Microsoft Office is enabled.
  UI option: Enable Microsoft Office support
  Values:
    0 = disabled
    1 = enabled
  Default: 1

UNSEALER_SHOWTRAYICON
  Description: Determines whether the Oracle IRM notification icon is shown.
  UI option: Display in system tray
  Values:
    0 = hide
    1 = show
  Default: 1

UNSEALER_SHOWIRMBAR
  Description: Determines whether the Oracle IRM information bar is displayed within Microsoft Office for sealed documents.
  UI option: Display Sealed Office information bar
  Values:
    0 = hide
    1 = show
  Default: 1

These options relate to settings that appear on the Oracle IRM Desktop tab of the Oracle IRM Desktop Options dialog.

1.5.3 Desktop Sealing Settings

The Desktop sealing settings that you can preconfigure are as follows:

DESKTOPSEALER_ACTIVATED
  Description: Determines whether the sealing of content through Oracle IRM Desktop is enabled.
  UI option: Enable Desktop Sealing
  Values:
    0 = disabled
    1 = enabled
  Default: 1

DESKTOPSEALER_CLASSIFICATIONMRUSIZE
  Description: Sets the maximum number of recently used contexts displayed in Seal To menus in Windows Explorer.
  UI option: Recently Used Context List
  Values: integer
  Default: 5

DESKTOPSEALER_DELETESOURCEFILES
  Description: Determines whether the original unsealed files are deleted after sealed versions of them are created, or whether the original unsealed files are moved to the recycle bin, and whether the user is prompted before these actions.
  UI option: Delete original file(s) after sealing
  Values:
    0 = No deletion
    1 = Original files moved to recycle bin, with confirmation
    2 = Original files permanently deleted, with confirmation
    3 = Original files moved to recycle bin, with no confirmation
    4 = Original files permanently deleted, with no confirmation
  Default: 0

These settings relate to options on the Desktop Sealing tab of the Oracle IRM Desktop Options dialog.

1.5.4 Synchronization Manager Settings

The synchronization manager settings that you can preconfigure are as follows.

SYNCINITIALSERVERS
  Description: Determines a set of servers to which Oracle IRM Desktop will be initially synchronized, as shown in the list of synchronized servers. The set of servers has to be encoded into a compound string in the form:

    <url1>|<value1>[,<url2>|<value2>,<url3>|<value3>,...]

  For example, to add the following servers:

    • irm1.example.com

    • irm2.example.com

    • irm3.example.com

  the string to pass in the SYNCINITIALSERVERS property is:

    SYNCINITIALSERVERS="https://irm1.example.com/irm_desktop|1,https://irm2.example.com/irm_desktop|1,https://irm3.example.com/irm_desktop|0"

  where the value 1 means that synchronization for the server is enabled and the value 0 means that synchronization for the server is disabled.
  Default: None

SYNCLOCKEDSERVERS
  Description: Determines a set of servers that are locked from user modification. If a locked server appears in the list of synchronized servers, the user cannot disable synchronization for that server, nor remove it from the list of synchronized servers.

  The presence of a server in this set does not add it to the list of synchronized servers. Locked servers will appear in the list of synchronized servers only because they have been added through the SYNCINITIALSERVERS property or because a user has added them.

  For example, to lock the following servers:

    • irm1.example.com

    • irm2.example.com

  the string to pass in the SYNCLOCKEDSERVERS property is:

    SYNCLOCKEDSERVERS="https://irm1.example.com/irm_desktop|1,https://irm2.example.com/irm_desktop|1"

  where the value 1 means the server is locked. A value of 0 would mean that the server is unlocked, but this has the same effect as simply not listing the server.
  Default: None

These settings relate to the server list on the Synchronization tab of the Oracle IRM Desktop Options dialog.
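
The compound strings for SYNCINITIALSERVERS and SYNCLOCKEDSERVERS are easy to mistype by hand. The following PowerShell is an added example, not part of Oracle's documentation: it builds both strings from a server list, rejects entries that would corrupt the string, and warns when a locked server is missing from the initial list. The function names and the https-only rule are assumptions of this example; the property names, installer file name and host names are the ones used in this section.

```powershell
# Added example: build SYNCINITIALSERVERS / SYNCLOCKEDSERVERS values and the
# msiexec argument list for a silent install. Function names are hypothetical.
function ConvertTo-IrmServerList {
    # Encodes entries as <url>|<value>[,<url>|<value>,...] as described above.
    param([Parameter(Mandatory)][object[]]$Servers)
    $parts = foreach ($s in $Servers) {
        $url  = [string]$s.Url
        $flag = [string]$s.Flag
        $uri  = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            throw "Not an absolute URL: '$url'"
        }
        # Assumption of this example: only https endpoints are accepted.
        if ($uri.Scheme -ne 'https') { throw "Refusing non-https server: '$url'" }
        # ',' and '|' are the separators of the compound string; a quote or
        # whitespace would break the quoted property on the command line.
        if ($url -match '[,|"\s]') { throw "URL contains a reserved character: '$url'" }
        if ($flag -notin @('0', '1')) { throw "Value for '$url' must be 0 or 1" }
        "$url|$flag"
    }
    $parts -join ','
}

function New-IrmInstallArguments {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][object[]]$InitialServers,
        [object[]]$LockedServers = @(),
        [System.Collections.IDictionary]$Properties = @{}
    )
    # Locking a server does not add it to the synchronized list, so flag any
    # locked server that the initial list would not put there.
    $initialUrls = @($InitialServers | ForEach-Object { [string]$_.Url })
    foreach ($l in $LockedServers) {
        if ([string]$l.Flag -eq '1' -and $l.Url -notin $initialUrls) {
            Write-Warning "Locked server not in SYNCINITIALSERVERS: $($l.Url)"
        }
    }
    $argList = @('/i', "`"$MsiPath`"", '/qn')
    $argList += 'SYNCINITIALSERVERS="{0}"' -f (ConvertTo-IrmServerList $InitialServers)
    if ($LockedServers.Count -gt 0) {
        $argList += 'SYNCLOCKEDSERVERS="{0}"' -f (ConvertTo-IrmServerList $LockedServers)
    }
    foreach ($name in $Properties.Keys) {
        $value = [string]$Properties[$name]
        if ($name -cnotmatch '^[A-Z_]+$' -or $value -match '"') {
            throw "Invalid property name or value: $name"
        }
        $argList += '{0}="{1}"' -f $name, $value
    }
    $argList
}

# Constructed sample data, using the example host names from this section.
$initial = @(
    @{ Url = 'https://irm1.example.com/irm_desktop'; Flag = 1 },
    @{ Url = 'https://irm2.example.com/irm_desktop'; Flag = 1 },
    @{ Url = 'https://irm3.example.com/irm_desktop'; Flag = 0 }
)
$locked = @(
    @{ Url = 'https://irm1.example.com/irm_desktop'; Flag = 1 },
    @{ Url = 'https://irm2.example.com/irm_desktop'; Flag = 1 }
)
$extra = [ordered]@{ AUTHENTICATION_DISABLESAVECREDENTIALS = 1 }
$installArgs = New-IrmInstallArguments -MsiPath 'OracleIRMDesktop_en.msi' `
    -InitialServers $initial -LockedServers $locked -Properties $extra
# Review the resulting command line before deploying it.
'msiexec ' + ($installArgs -join ' ')
# To run it: Start-Process msiexec.exe -ArgumentList $installArgs -Wait
```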

SYNC_LOGLEVEL
  Description: Determines the level of logging of synchronization messages to the Windows event log. The messages are categorized as low-level, standard, and detailed.
  UI option: Synchronization Messages
  Values:
    0 = no messages
    1 = success notifications
    2 = error notifications only; no success notifications
    3 =
    7 =
  Default: 2

These settings relate to the checkboxes on the Synchronization Log Configuration dialog.

1.5.5 Search Settings

The search settings that you can preconfigure are as follows:

SEARCH_ENABLED
  Description: Determines whether searching of sealed documents is enabled.
  UI option: Enable Search
  Values:
    0 = disabled
    1 = enabled
  Default: [1]

SEARCH_REPORTERRORS
  Description: Determines whether search errors are reported in the Windows event log.
  UI option: Search Error Messages
  Values:
    0 = do not report
    1 = report
  Default: 1

SEARCH_REPORTWARNINGS
  Description: Determines whether search warnings are reported in the Windows event log.
  UI option: Search Warning Messages
  Values:
    0 = do not report
    1 = report
  Default: 0

SEARCH_REPORTINFORMATION
  Description: Determines whether search information is reported in the Windows event log.
  UI option: Search Information Messages
  Values:
    0 = do not report
    1 = report
  Default: 0

These settings relate to the option on the Search tab of the Oracle IRM Desktop Options dialog, and to the checkboxes on the Search Log Configuration dialog.

1.5.6 Email Settings

The email settings that you can preconfigure are as follows:

EMAIL_OUTLOOK_ACTIVATED
  Description: Determines whether the sealed email integration is activated within Microsoft Outlook.
  UI option: Microsoft Outlook
  Values:
    0 = deactivated
    1 = activated
  Default: 0

EMAIL_LOTUSNOTES_ACTIVATED
  Description: Determines whether the sealed email integration is activated within Lotus Notes.
  UI option: Lotus Notes
  Values:
    0 = deactivated
    1 = activated
  Default: 0

EMAIL_USECUSTOMTEMPLATE
  Description: Determines whether a Microsoft Word template file should be used when sending sealed emails.
  UI option: Use Custom Template
  Values:
    0 = do not use custom template
    1 = use custom template
  Default: 0

EMAIL_CUSTOMTEMPLATEFILE
  Description: Specifies the Microsoft Word template file to use when sending sealed emails. The file could contain watermarking that you want added to every sealed email you send.
  UI option: Specify the Word template file....
  Values: path and filename
  Default: none

EMAIL_BODYFILE
  Description: Specifies the RTF or HTML file that contains the unsealed body text of sealed emails.
  UI option: Template Body File
  Values: path and filename
  Default: none

EMAIL_BODYTYPE
  Description: Determines the type of the unsealed body text of sealed emails.
  UI option: Unsealed Email Body
  Values:
    0 = blank
    1 = plain text
    2 = RTF or HTML file
  Default: 1

EMAIL_BODYTEXT
  Description: Specifies the unsealed body text of sealed emails.
  UI option: Specify Text
  Values: string
  Default: none

EMAIL_SEALEDFORMAT
  Description: Determines the format that sealed emails will be sent as.
  UI option: Seal Format
  Values:
    0 = Microsoft Word
    1 = RTF
    2 = Plain Text
  Default: 0

These settings relate to options on the Email tab of the Oracle IRM Desktop Options dialog, and on the Sealed Email Options dialog you can access by clicking the Settings button on the Email tab.

1.5.7 Authentication Settings

The authentication settings that you can preconfigure are as follows:

AUTHENTICATION_DISABLESAVECREDENTIALS
  Description: Determines whether users can cache their authentication credentials. If caching is not allowed, users will have to enter their username and password whenever foreground synchronization to the Oracle IRM Server is required.
  UI option: None
  Values:
    0 = allow caching option
    1 = disable caching option
  Default: 0

AUTHENTICATION_SUPPRESSPRIVACYPOLICYDIALOG
  Description: Suppresses the dialog that allows users to read a server's policy on handling personal data. Normally, this dialog appears before first contact with any new server, and a user must accept the policy before using Oracle IRM. This dialog should only be suppressed at sites which have a known, fixed list of Oracle IRM Servers, and where the users have been informed of the privacy policy by other means.
  UI option: None
  Values:
    0 = show dialog normally
    1 = never show dialog
  Default: 0

1.5.8 Legacy Setting

The term "Legacy" refers to earlier releases of Oracle IRM Server, specifically 10g. The legacy setting that you can preconfigure is as follows:

LEGACY_SHOWAUTHENTICATIONMENU
  Description: Determines whether the drop-down menu for authentication types is shown.
  UI option: Synchronization Messages
  Values:
    0 = do not show
    1 = show
  Default: 1

This setting relates to the authentication dialog that is shown for legacy servers.

1.5.9 Local Data Clean-Up Setting

This setting is read both on install and uninstall.

The local data clean-up setting that you can preconfigure is as follows:

LOCALDATA_CLEAN
  Description: Determines whether a local data clean-up is performed and, if so, whether it is a safe clean or a full clean.

  A safe clean:

    • deletes HKEY_CURRENT_USER\Software\Oracle\IRM

    • moves C:\Documents and Settings\<user>\Local Settings\Application Data\Oracle\IRM folder (on Windows XP) or C:\Users\<user>\AppData\LocalLow\Oracle\IRM (on Windows Vista) to the recycle bin for all users

    • moves C:\Documents and Settings\All Users\Application Data\Oracle\IRM (on Windows XP) or C:\ProgramData\Oracle\IRM (on Windows Vista) to the recycle bin

  A full clean performs all the operations of a safe clean, plus the following:

    • deletes HKEY_LOCAL_MACHINE\Software\Oracle\IRM\StoreSecurity (the machine key)

  UI option: None
  Values:
    0 = no action
    1 = safe clean
    2 = full clean
  Default: 0

1.5.10 Oracle IRM Background Process Startup Setting

The Oracle IRM background process startup setting that you can preconfigure is as follows:

STARTIRMBACKGROUND
  Description: Determines whether IrmBackground.exe starts automatically at the end of the installation.

  If set to 1, IrmBackground.exe automatically starts for the logged in user at the end of the installation.

  If set to 0, IrmBackground.exe will start on login, so it is advisable to reboot the machine to make this happen.

  UI option: None
  Values:
    0 = do not start
    1 = automatically start
  Default: 1

1.5.11 Extracting the MSI File from the Self-Extracting Executable

If you prefer to use the MSI file directly, you can extract it as follows:

  1. On a test box, run the Oracle IRM Desktop installation executable, but click Cancel on the first installation screen.

    Running the executable extracts the MSI file to a subfolder of the current user's temporary area. For example:

    C:\Documents and Settings\Fred\local settings\temp\Oracle-IRM-Installer-NNN

    where NNN is a number. This is a subfolder of the folder defined by the %TEMP% environment variable.

    The equivalent location in Windows Vista and Windows 7 is:

    C:\Users\Fred\AppData\Local\Temp\Oracle-IRM-Installer-NNN

  2. Navigate to that folder and take a copy of the MSI file.

You can now use the MSI file for your corporate roll-out.

1.6 Registry Key Policy Setting

Oracle IRM Desktop looks for configuration settings in the following keys, in order:

  1. HKLM\Software\Policies\Oracle\IRM (machine wide policy)

  2. HKCU\Software\Policies\Oracle\IRM (user policy)

  3. HKCU\Software\Oracle\IRM (user setting)

  4. HKLM\Software\Oracle\IRM (default setting)

The installer can be used to set the default settings (4 above) by passing in installer parameters (as described in Section 1.5, "Silent and Unattended Installations").

A user can override these settings through the Oracle IRM Desktop Options dialog (3 above).

To lock settings so that they cannot be changed by users, the policy keys must be set by group policy (1 or 2 above). The sub key path, value name and type information required to set group policy is given in Section 9.5, "Registry Key Information".
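
Because installer parameters only set the lowest-priority key, it is worth confirming on a deployed client which key actually supplies a setting. The following PowerShell is an added example, not part of Oracle's documentation: it walks the four keys in the order listed above and reports the source of a value and whether that source is a policy key. The function name is hypothetical, and the sub key path and value name are placeholders, because those are defined in Section 9.5 rather than here.

```powershell
# Added example: report which registry key supplies an Oracle IRM Desktop
# setting, following the lookup order listed above. Run it in the user's own
# session, because two of the four keys are per-user (HKCU).
function Get-IrmEffectiveSetting {
    param(
        [Parameter(Mandatory)][string]$Name,   # value name (see Section 9.5)
        [string]$SubKey = ''                   # sub key path (see Section 9.5)
    )
    $lookupOrder = @(
        @{ Root = 'HKLM:\Software\Policies\Oracle\IRM'; Kind = 'machine policy';  Locked = $true  },
        @{ Root = 'HKCU:\Software\Policies\Oracle\IRM'; Kind = 'user policy';     Locked = $true  },
        @{ Root = 'HKCU:\Software\Oracle\IRM';          Kind = 'user setting';    Locked = $false },
        @{ Root = 'HKLM:\Software\Oracle\IRM';          Kind = 'default setting'; Locked = $false }
    )
    foreach ($entry in $lookupOrder) {
        $path = if ($SubKey) { Join-Path $entry.Root $SubKey } else { $entry.Root }
        # A missing key or missing value yields no object; move to the next key.
        $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Name   = $Name
                Value  = $item.$Name
                Kind   = $entry.Kind
                Locked = $entry.Locked
                Source = $path
            }
        }
    }
    # The value is absent from all four keys.
    [pscustomobject]@{ Name = $Name; Value = $null; Kind = 'not set'; Locked = $false; Source = $null }
}

# Placeholders: replace with the real sub key path and value name from Section 9.5.
$mustBeLocked = @(
    @{ SubKey = '<sub key path>'; Name = '<value name>' }
)
$report = foreach ($s in $mustBeLocked) {
    Get-IrmEffectiveSetting -Name $s.Name -SubKey $s.SubKey
}
$report | Format-Table Name, Value, Kind, Locked, Source -AutoSize

# Anything not supplied by a policy key can still be changed by the user.
$report | Where-Object { -not $_.Locked } | ForEach-Object {
    Write-Warning "$($_.Name) is not enforced by policy (source: $($_.Kind))"
}
```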

1.7 Integrating Lotus Notes with Oracle IRM Desktop

1.7.1 Introduction to Lotus Notes Integration

These sections describe how to use the Lotus Domino Designer to integrate sealing options into a mail template on a Lotus Domino Server. The procedure applies to Domino 7 and might differ for other versions.

When you have completed the integration tasks, users will see a Seal on Send checkbox when composing new email.

When sending an email containing sensitive information, users simply need to tick the Seal on Send checkbox. When users are ready to send the email, they click the Send button as usual, and will be prompted to choose the appropriate context for the email. The email will be sealed to the selected context before being sent. If the email is ever forwarded, it will only be accessible to users who have rights in the context.

As a prerequisite for this procedure, you might need to load the Lotus Domino Designer application, which is not installed on the Domino Server by default.

If you do not integrate sealing options into your mail template, users can still access sealing options from menus. However, for ease of use and to encourage users to remember to seal email when appropriate, Oracle recommends that you integrate the options into your template as described here.

The process of integrating sealing options into a mail template comprises:

  1. Adding a Seal on Send checkbox to a subform and propagating the changes to mail databases.

  2. Checking that the integration works.

Note:

Oracle recommends that you make a backup copy of your mail template file before making changes, for example, C:\Program Files\Lotus\Domino\Data\mail7.ntf.

1.7.2 Defining the Seal and Send Action

Define the Seal and Send action as follows:

  1. Start the Lotus Domino Designer application.

  2. Choose Open an Existing Database and select the server to customize.

  3. Select the relevant database, for example, Mail (R7), and click Open.

  4. Expand the Shared Code folder and select Subforms.

  5. Open the DelOptionSubform subform.

  6. Make a copy of the Encrypt field that you can edit to create your Seal on Send checkbox. For example, create an Encrypt_1 field.

  7. Double-click the new field so that you can edit it as follows.

    1. Change the field name to SMSealOnSend.

    2. On the second tab, in the choices list box, enter Seal on send|1.

    3. On the sixth tab, amend the Hide if formula to ensure that the checkbox only appears for users who have Oracle IRM Desktop installed. You need to append the following to the formula:

      @Environment("SMSealAndSend") != "1"

      For example, the formula might now read:

      getCal := @GetProfileField("CalendarProfile"; "showOptions"); From != @UserName | @IsAvailable($HideMailHeader) | getCal = "0" | @Environment("SMSealAndSend") != "1"

  8. Save the changes.

1.7.3 Propagating the Mail Template Change to All Mail Databases

Having changed the mail template, the change needs to be propagated to all mail databases. Changes are usually scheduled to be propagated automatically at night. If you want to propagate the changes immediately, do the following:

  1. Open a command prompt.

  2. Go to the Domino installation folder, for example, C:\Program Files\Lotus\Domino.

  3. Execute the following command:

    ndesign -d mail

1.7.4 Checking that the Lotus Notes Integration Works

Having propagated the changes, you need to check that they work correctly. This involves using Lotus Notes on a computer that has Oracle IRM Desktop installed and that has the Lotus Notes integration enabled. It also involves having the right to create sealed email, which means that you need to have a Contributor role in at least one context.

Use the following procedure to check that the Lotus Notes integration works:

  1. Close any open Lotus Notes windows and enable Lotus Notes integration in Oracle IRM Desktop (by checking the Lotus Notes box on the Email tab of the Oracle IRM Desktop Options dialog).

  2. Start Lotus Notes and send a test memo to yourself.

  3. Expose the suboptions of the memo, and check that the Seal on Send checkbox is present.

  4. Check the Seal on Send checkbox, then click Send.

    You should be prompted to select a context for the memo. If no contexts are listed, use the Refresh Available Contexts option. When you receive the memo, you should find that it is sealed.

  5. Finally, use another computer to check that the Seal on Send checkbox is exposed only to users who have Oracle IRM Desktop installed and the Notes integration option enabled.

1.8 Installing Oracle IRM Desktop in a Citrix Environment

This section describes how to deploy Oracle IRM Desktop for users of Citrix environments. It also provides guidance on how to control rights synchronization for Citrix users.

This installation allows in-application sealing of documents (that is, sealing within Microsoft Word, Excel, and PowerPoint).

Installing the Oracle IRM Desktop Software

In a Citrix environment, you need to install the Oracle IRM Desktop software on each Citrix server. You need to use the Windows Add/Remove Programs dialog rather than simply run the installation directly, as follows:

  1. Obtain the Oracle IRM Desktop installation executable, and save it to a location accessible from the Citrix server, but do not run it.

  2. Use the Windows Add Or Remove Programs application to install the Oracle IRM Desktop installation executable on the Citrix server.

Having installed the Oracle IRM Desktop software on each Citrix server, it is possible for Citrix users to start working with sealed documents according to their rights. However, Oracle recommends that you set up login and logout scripts to control rights synchronization in a non-standard way.

Note:

If users are allowed to use non-Citrix systems as well as a Citrix system, you need to use device limits to ensure that rights are available on both types of system. For example, users might have laptops for mobile use as well as access to a Citrix system. By default, a user's rights can only be cached on one system at a time. An administrator can raise the device limit (which will apply to all users) as required. See Oracle Fusion Middleware Administrator's Guide for Oracle IRM Server.

Controlling Rights Synchronization for Citrix Users

We recommend that you use scripts to control rights synchronization for Citrix users. This is the simplest way to ensure that rights will be available regardless of which Citrix server hosts a given session. Without such scripts, a user's rights might be cached on one server when the user is using another.

This guidance presumes that Citrix users are using Windows authentication to access sealed documents.

You might use the following HTML application (HTA) at the start of a user's Citrix session:

<html>
<head>
<script type="text/javascript">
// Close the HTA window once the page has loaded.
function done(){
  close();
}
</script>
</head>
<body onLoad="done()">
<script type="text/javascript">
// Move the window to (2000, 2000), which is normally off-screen.
self.moveTo(2000,2000);
</script>
<!-- server: address of the rights server; refreshall: synchronize the user's rights -->
<OBJECT CLASSID="clsid:18CEFFD2-A724-11D3-B647-86BD54000000" TYPE="application/login-softseal" TITLE="Retrieve Rights" WIDTH="150" HEIGHT="150" id="SealedMedia_Unsealer_Plugin1">
<PARAM NAME="server" VALUE="https://servername:443/irm_desktop">
<PARAM NAME="refreshall" VALUE="true">
</OBJECT>
</body>
</html>

The first <PARAM> tag specifies the address of your rights server. The second <PARAM> tag specifies the operation that you want to occur: refreshall. This synchronizes the user's rights so that they are available for the session.

A similar script with the releaseall parameter would run at the end of a session.