S/MIME LDAP address book Secure address book virtual appliance admin setup manual


S/MIME LDAP address book: Secure email address book virtual appliance admin setup manual

Company: KeyTalk IT Security BV
Author: MR van der Sman
Creation date: 31 August 2018
Last updated: 25 January 2019
Product: KeyTalk S/MIME (secure e-mail) LDAP address book
Data classification: Public
Software/firmware version: 5.5.0
Manual version: 5.5.0.3

KeyTalk IT Security BV www.keytalk.com Page 1

Contents
1. KeyTalk's secure S/MIME email address book directory ... 3
2. Configuring the S/MIME address book directory for KeyTalk use ... 4
3. Setting up and configuring the KeyTalk S/MIME LDAP ... 4
3.1 Configuration steps ... 5
3.2 Changing the factory default SSH key for the S/MIME LDAP ... 8
3.3 Managing the S/MIME LDAP contents ... 8
3.4 Changing your S/MIME LDAP user admin authentication credentials ... 8
3.5 S/MIME LDAP logfiles ... 9
3.6 Changing the web-based search look and feel ... 9
3.7 REST API and KeyTalk client LDAP S/MIME address-book fetching ... 9
4. KeyTalk contact details and 3rd line support ... 10

1. KeyTalk's secure S/MIME email address book directory

Many customers do not wish to fiddle with their own LDAP or AD to make their own secure public address book available for S/MIME (encrypted email) lookups. KeyTalk offers, as part of its certificate and key management solution, a hardened (Open)LDAP for the sole purpose of allowing people to look up your enrolled S/MIME certificate details, so they can securely email those who are registered in the LDAP S/MIME address book.

This LDAP comes as a virtual appliance and allows for regular LDAP-based address book lookups in commonly used mail clients, but also includes a browser-based lookup function based on Nginx.

As part of our security focus, this LDAP has been hardened against harvesting attacks: a query returns at most 1 entry. Fail2ban (www.fail2ban.org) is incorporated and will block malicious IPs. AIDE, the Advanced Intrusion Detection Environment (http://aide.sourceforge.net/), is used to verify the integrity of files.

The specs:
Operating System: CentOS 7.6.1810
Kernel: 3.10.0-862.11.6
OpenLDAP version: v2.4.44 (Oct 30 2018 23:14:27)
OpenSSL version: 1.0.2k-fips
nginx version: 1.12.2
PHP version: 7.2.14
Minimal memory requirement: 4 GB
Preferred memory requirement: 8 GB
Minimal CPU requirement: 2 cores, 8 threads
Preferred CPU requirement: 4 cores, 8 threads
Disk space: 15 GB
Minimal firewall port requirements: TCP/22, TCP/80, TCP/443, TCP/389, TCP/636, TCP/3000
Lookups per second: 22,000 in optimal conditions
Writes per second: 10,000 in optimal conditions
Max S/MIME entries: 50,000,000

2. Configuring the S/MIME address book directory for KeyTalk use

The following settings apply under KeyTalk's Authentication LDAP module as an additional LDAP (your first one likely being your own AD/LDAP). Make sure to follow these exact Bind DN settings, as the custom LDAP schema has been configured to work only with these settings. Ensure you check "Address Book only"!

The default uid=admin bind password is: change!

NOTE: In order to enable LDAPS you MUST upload, in PEM format, the issuing CA under which your LDAP S/MIME address book certificate was issued.

3. Setting up and configuring the KeyTalk S/MIME LDAP

You can download this S/MIME LDAP address book virtual appliance from the download section of the KeyTalk website.

The web interface listens by default on http://<sethostname>. In order to properly use https://<sethostname>, https://<setipaddress>, ldaps://<sethostname> or ldaps://<setipaddress>, a configuration change is required, as explained further in this manual.

A factory-default self-signed certificate and key pair is provided as part of this release. Do NOT use this certificate for production purposes!

The HTTP(S)-based S/MIME address search allows exact-match-only lookups of S/MIME public key and certificate information in PEM and DER format.
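The two properties described in chapters 1 and 3, exact-match lookups only and at most one entry per query, are what make the address book resistant to harvesting. The following is an added example, not KeyTalk's or OpenLDAP's code: it models that policy offline against a constructed LDIF export (the entry DNs, the `mail` attribute and the placeholder certificate bytes are assumptions, not the appliance's schema), escapes client input according to RFC 4515 before it reaches a filter, and converts a stored DER certificate to PEM as the web search does.

```python
# Added example (not KeyTalk's or OpenLDAP's code): an offline model of the
# address book's lookup policy, run against a constructed LDIF export.
import base64
import re
import ssl

# Constructed LDIF export of two address-book entries. The certificate values
# are placeholder DER bytes, not real X.509 certificates; a real export carries
# the enrolled S/MIME certificate in userCertificate;binary.
SAMPLE_LDIF = """\
dn: cn=Alice Example,dc=keytalk,dc=com
objectClass: inetOrgPerson
cn: Alice Example
mail: alice@example.com
userCertificate;binary:: MIIBAAECAwQ=

dn: cn=Bob Example,dc=keytalk,dc=com
objectClass: inetOrgPerson
cn: Bob Example
mail: bob@example.com
userCertificate;binary:: MIIBBQYHCAkK
"""

LDIF_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased; 'attr:: value' means base64-encoded and is
    decoded to bytes; folded continuation lines (leading space) are joined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)
        entry = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            m = LDIF_LINE.match(line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value)
            entry.setdefault(attr.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515) so that client input
    cannot smuggle wildcards or extra terms into the query."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_exact_mail_filter(email):
    """Build the only kind of filter this address book is meant to answer: an
    equality match on one complete e-mail address. Partial or wildcard input is
    refused up front instead of being turned into a substring search."""
    if not re.fullmatch(r"[^\s@*]+@[^\s@*]+\.[^\s@*]+", email):
        raise ValueError("lookup requires one complete e-mail address")
    return "(mail=%s)" % escape_filter_value(email)


def lookup(entries, email, sizelimit=1):
    """Exact-match lookup mirroring the appliance policy: 'mail' is compared
    case-insensitively (LDAP caseIgnoreIA5Match) and at most `sizelimit`
    entries come back, so one query cannot enumerate the directory."""
    wanted = email.lower()
    hits = [e for e in entries
            if any(v.lower() == wanted for v in e.get("mail", []))]
    return hits[:sizelimit]


def certificate_as_pem(entry):
    """Return the entry's stored DER certificate as PEM text."""
    return ssl.DER_cert_to_PEM_cert(entry["usercertificate;binary"][0])


if __name__ == "__main__":
    book = parse_ldif(SAMPLE_LDIF)
    print(build_exact_mail_filter("alice@example.com"))
    for hit in lookup(book, "ALICE@example.com"):
        print(hit["cn"][0])
        print(certificate_as_pem(hit))
```

The `sizelimit` default of 1 is the client-side mirror of the appliance's return limit; keeping the same limit in any script that talks to the directory means a misconfigured server never silently turns a lookup tool into an enumeration tool.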

You can also use this LDAP as your mail client's address book by adding it manually to your mail client (or have a future version of the KeyTalk client auto-configure this for you). Example in Outlook:

3.1 Configuration steps

DHCP is used by default to assign networking. To manually set your IPv4 and/or IPv6 address for the first time, use the following steps:

1) From your CLI, log in:
   Username: root
   Password: Change!
2) After successful authentication a network settings script will start. Edit a connection, select "Wired connection 1" and make the appropriate changes.

3) When done, select OK.
4) Press N to keep username/password SSH login enabled. Press Y to deactivate SSH username/password login and enforce SSH key-based login. Or press CTRL-C to quit the script and enter your root CLI without making changes to the login method.
5) You can verify the configured IP address from the CLI with the command: ifconfig
6) Once an IP is assigned, SSH to the machine's IP address and log in as root. Use the provided default SSH private key or the username/password found with the KeyTalk S/MIME LDAP virtual appliance download to log in. To change the network settings again and add an HTTP proxy after the IP has been set, you can also use a browser to access the admin GUI on: https://<ipaddress>:3000
   Default username: keytalk
   Default password: SecureLDAPSMIME@Keytalk2018!
7) Change the management password and ensure you do not lose this password!

8) Change the LDAP Admin password.
9) Change the hostname, optionally set your HTTP proxy, save the settings, then apply the settings.
10) Activate LDAPS and HTTPS by uploading your certificate and key in PEM format.

The next version of KeyTalk's LDAP S/MIME address book will contain an option to automatically manage this certificate using the KeyTalk Certificate and Key & Enrolment virtual appliance.

3.2 Changing the factory default SSH key for the S/MIME LDAP

a) If you do not already have an SSH key, you need to create one; follow this guide: https://www.ssh.com/ssh/putty/windows/puttygen
b) Copy the public key from PuTTYgen for pasting into OpenSSH.
c) Use the vi or nano editor to remove the old key and paste your public SSH key (in vi: press End, press I, press End, press the right mouse button, press Esc, type :wq <Enter>).

3.3 Managing the S/MIME LDAP contents

Plenty of LDAP management tools exist. KeyTalk customers mostly use: http://www.ldapadmin.org/download/ldapadmin.html

For the connection settings, use your network details and:
Base: dc=keytalk,dc=com
Username: cn=admin,dc=keytalk,dc=com
Password: change!

3.4 Changing your S/MIME LDAP user admin authentication credentials

The user admin account is used to remotely write/change your LDAP entries. It is the same username and password used in the KeyTalk LDAP Authentication module to connect to the S/MIME LDAP as an address book only. To change your S/MIME LDAP user admin password, simply log in to the LDAP using any LDAP management tool, select the account and select "change password".
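Replacing the factory SSH key by hand in vi (section 3.2) is the step most likely to lock you out: a mis-pasted key or an editor left in a bad state leaves root with no working key once password login has been disabled in step 4 of 3.1. The following is an added example, not KeyTalk's code, of doing the same replacement safely: it checks that the pasted line is a well-formed OpenSSH public key whose embedded key type matches its prefix, keeps a backup of the old file, and writes the new `authorized_keys` with mode 0600 via an atomic rename. The key line and the "factory" line are constructed placeholders, and `demo()` runs against a temporary directory rather than `/root/.ssh`.

```python
# Added example (not KeyTalk's code): validate a pasted OpenSSH public key and
# replace authorized_keys atomically instead of editing it by hand in vi.
import base64
import os
import struct
import tempfile

ALLOWED_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_openssh_public_key(line):
    """Validate one OpenSSH public key line ('<type> <base64> [comment]'), the
    format PuTTYgen shows under "Public key for pasting into OpenSSH
    authorized_keys file". Returns (type, comment). The key type encoded as the
    first length-prefixed string inside the blob must equal the textual prefix,
    which catches truncated or mis-pasted keys."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported key type %r" % ktype)
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        raise ValueError("key blob is not valid base64")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("key type inside blob does not match prefix")
    return ktype, comment


def _write_private(path, text):
    """Create `path` with mode 0600 from the start (no chmod window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


def install_authorized_key(path, key_line, keep_existing=False):
    """Write authorized_keys containing exactly the validated key (or append it
    when keep_existing=True). The previous file is saved as <path>.bak and the
    new one is written to <path>.tmp and renamed into place, so an interrupted
    edit can never leave a truncated file that locks root out."""
    ktype, comment = parse_openssh_public_key(key_line)
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
        _write_private(path + ".bak", existing)
    lines = [l for l in existing.splitlines() if l.strip()] if keep_existing else []
    lines.append(key_line.strip())
    _write_private(path + ".tmp", "\n".join(lines) + "\n")
    os.replace(path + ".tmp", path)
    return ktype, comment, len(lines)


def _placeholder_key_line():
    """Constructed ed25519-shaped key line with zeroed key material: right wire
    format for the checks above, but not a usable key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + b"\x00" * 32)
    return "ssh-ed25519 %s admin@workstation" % base64.b64encode(blob).decode()


SAMPLE_KEY_LINE = _placeholder_key_line()
FACTORY_KEY_LINE = "ssh-rsa FACTORYDEFAULTKEYPLACEHOLDER keytalk-factory"  # constructed


def demo():
    """Run the replacement in a temporary directory (standing in for
    /root/.ssh/authorized_keys) and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        _write_private(path, FACTORY_KEY_LINE + "\n")
        ktype, comment, count = install_authorized_key(path, SAMPLE_KEY_LINE)
        with open(path) as f:
            new_content = f.read()
        with open(path + ".bak") as f:
            backup = f.read()
        return {"type": ktype, "comment": comment, "keys": count,
                "new": new_content, "backup": backup,
                "mode": os.stat(path).st_mode & 0o777}


if __name__ == "__main__":
    print(demo())
```

Before closing the session in which you replaced the key, open a second SSH session with the new private key and confirm it works; only then disable password login. The `.bak` file gives you a way back if the new key was generated on the wrong machine.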

3.5 S/MIME LDAP logfiles

Logfiles can be found locally using the CLI/SSH under /var/log/:
slapd.log: log for the LDAP service
messages: log for system and service error messages
nginx-access.log: log of anyone using the Nginx web interface (IP address etc.)
nginx-error.log: log for errors related to the Nginx web interface

To send logfiles to a remote syslog server, follow these steps:
a) cd /etc/
b) vi rsyslog.conf
c) At the end of the file, edit the last commented line, #*.* @@remote-host:514, to: *.* @@<remotesyslogserveraddress>:<portnumber>

3.6 Changing the web-based search look and feel

The current version of the S/MIME LDAP virtual appliance does not formally support UI changes in an easy-to-change manner. However, those who are versed in the art of PHP can find all the required files to make these changes here: /var/www/html

3.7 REST API and KeyTalk client LDAP S/MIME address-book fetching

Under KeyTalk SERVICES, an appropriate KeyTalk admin can set the LDAP S/MIME server address book details, so that a future version of the KeyTalk client can auto-configure an email program present on the client, and/or the current REST API can fetch these details. Set it in the KeyTalk virtual appliance under the appropriate SERVICE as:

See chapter 2 of this manual to ensure that the configured S/MIME LDAP address book is set up in the KeyTalk virtual appliance so that issued S/MIME certificates are written to it (and removed when revocation or replacement happens).
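The rsyslog edit in section 3.5 is a one-line change, but it is easy to get wrong in vi (leaving the `#` in place, typing a port outside the valid range, or ending up with two forwarding rules after a second edit). The following is an added example, not KeyTalk's code, that applies the same change to the configuration text: it validates the target, rewrites the commented `#*.* @@remote-host:514` template into an active rule, and is idempotent, so running it again with the same target does not add a duplicate. The excerpt of `rsyslog.conf` is constructed for the example; the `@@` prefix means TCP forwarding in rsyslog syntax and a single `@` means UDP.

```python
# Added example (not KeyTalk's code): turn the commented rsyslog forwarding
# template into an active rule for a remote syslog server, idempotently.
import re

# Constructed excerpt; the appliance's real /etc/rsyslog.conf is longer.
SAMPLE_RSYSLOG_CONF = """\
# rsyslog configuration file (constructed excerpt)
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
# ### begin forwarding rule ###
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
"""

# Matches the forwarding template whether it is still commented out or already
# active: optional '#', then '*.*', then '@' (UDP) or '@@' (TCP), host:port.
FORWARD_RULE = re.compile(r"^#?\*\.\*\s+@@?\S+:\d+\s*$")
HOST_RE = re.compile(r"[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:]+\]")


def enable_remote_syslog(conf, host, port, tcp=True):
    """Return `conf` with every existing '*.* @...' forwarding line (commented
    or not) replaced by a single active rule for host:port. If no template
    exists the rule is appended at the end of the file."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1-65535")
    if not HOST_RE.fullmatch(host):
        raise ValueError("host must be a hostname, IPv4 or [IPv6] literal")
    rule = "*.* %s%s:%d" % ("@@" if tcp else "@", host, port)
    kept, insert_at = [], None
    for line in conf.splitlines():
        if FORWARD_RULE.match(line):
            if insert_at is None:
                insert_at = len(kept)   # remember where the first rule was
            continue                    # drop every old/template rule
        kept.append(line)
    if insert_at is None:
        insert_at = len(kept)
    kept.insert(insert_at, rule)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Placeholder destination; substitute your own syslog server and port.
    print(enable_remote_syslog(SAMPLE_RSYSLOG_CONF, "syslog.example.internal", 514))
```

After changing the file, restart rsyslog and check `/var/log/messages` on the appliance for forwarding errors; with `@@` the connection is plain TCP, so the transport between appliance and collector is not authenticated or encrypted unless your collector setup adds TLS.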

4. KeyTalk contact details and 3rd line support

KeyTalk IT Security is registered with the Dutch chamber of commerce under: 59072555, with registered VAT number: NL853305766B01

Our office address:
Kleine Haag 21
3811HE Amersfoort
The Netherlands

Phone: +31 88 KEYTALK or +31 88 5398255
Email: sales@keytalk.com
Opening hours: Mo-Fr 08:00-18:00

Customer and partner technical 3rd line support
Phone: +31 88 KEYTALK or +31 88 5398255
Email: support@keytalk.com
Opening hours: Mo-Su 00:00-24:00 (24/7)

Website: https://www.keytalk.com
Firmware/software: https://www.keytalk.com/download