S/MIME LDAP address book
Secure email address book virtual appliance admin setup manual

Company: KeyTalk IT Security BV
Author: MR van der Sman
Creation date: 31 August 2018
Last updated: 25 January 2019
Product: KeyTalk S/MIME (secure e-mail) LDAP address book
Data classification: Public
Software/firmware version: 5.5.0
Manual version: 5.5.0.3

KeyTalk IT Security BV www.keytalk.com Page 1
Contents
1. KeyTalk's secure S/MIME email address book directory ... 3
2. Configuring S/MIME address book directory for KeyTalk use ... 4
3. Setting up and configuring the KeyTalk S/MIME LDAP ... 4
3.1 Configuration steps ... 5
3.2 Changing factory default SSH key for the S/MIME LDAP ... 8
3.3 Managing the S/MIME LDAP contents ... 8
3.4 Changing your S/MIME LDAP user admin authentication credentials ... 8
3.5 S/MIME LDAP logfiles ... 9
3.6 Changing the web-based search look and feel ... 9
3.7 REST API and KeyTalk client LDAP S/MIME address-book fetching ... 9
4. KeyTalk contact details and 3rd line support ... 10
1. KeyTalk's secure S/MIME email address book directory

Many customers do not wish to fiddle with their own LDAP or AD to make their own secure public address book available for S/MIME (encrypted email) detail lookup purposes. KeyTalk offers, as part of its certificate and key management solution, a hardened (Open)LDAP for the sole purpose of allowing people to look up your enrolled S/MIME certificate details, so they can securely email those who are registered in the LDAP S/MIME address book.

This LDAP comes as a virtual appliance and allows for regular LDAP-based address book lookups in commonly used mail clients, but also includes a browser-based lookup function based on Nginx.

As part of our security focus, this LDAP has been optimized to protect against harvest attacks by limiting the number of returned entries to a maximum of 1. Fail2ban (www.fail2ban.org) is incorporated and will block malicious IPs. AIDE (Advanced Intrusion Detection Environment, http://aide.sourceforge.net/) is used to verify the integrity of files.

The specs:
Operating System: CentOS 7.6.1810
Kernel: 3.10.0-862.11.6
OpenLDAP version: v2.4.44 (Oct 30 2018 23:14:27)
OpenSSL version: 1.0.2k-fips
nginx version: 1.12.2
PHP version: 7.2.14
Minimal memory requirement: 4 GB
Preferred memory requirement: 8 GB
Minimal CPU requirement: 2 cores, 8 threads
Preferred CPU requirement: 4 cores, 8 threads
Diskspace: 15 GB
Minimal firewall port requirements: TCP/22, TCP/80, TCP/443, TCP/389, TCP/636, TCP/3000
Lookups per second: 22.000 in optimal conditions
Writes per second: 10.000 in optimal conditions
Max S/MIME entries: 50.000.000
2. Configuring S/MIME address book directory for KeyTalk use

The following settings apply under KeyTalk's Authentication LDAP module as an additional LDAP (your first one likely being your own AD/LDAP). Make sure to follow these exact Bind DN settings, as the custom LDAP schema has been configured to only work with these configurations. Ensure you check "Address Book only"!

The default uid=admin bind password is: change!

NOTE: In order to enable LDAPS you MUST upload the issuing CA in PEM format under which your LDAP S/MIME address book certificate was issued.

3. Setting up and configuring the KeyTalk S/MIME LDAP

You can download this S/MIME LDAP address book virtual appliance from the KeyTalk website under its download section.

The web interface listens by default on http://<sethostname>. In order to properly use https://<sethostname>, https://<setipaddress>, ldaps://<sethostname> or ldaps://<setipaddress>, a configuration change is required, as explained further in this manual. A factory-default self-signed certificate and key pair is provided as part of this release. Do NOT use this certificate for production purposes!

The HTTP(S)-based S/MIME address search allows for exact-match-only lookups of S/MIME public key and certificate information in PEM and DER format.
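The exact-match lookup and the PEM/DER output described above, as an added example that is not part of this manual or of KeyTalk's appliance code: the filter builder escapes the address per RFC 4515 so that a lookup can never turn into a wildcard query, and the LDIF parser converts the DER certificate that a tool such as ldapsearch returns into PEM. The attribute names mail and userCertificate;binary are an assumption, since the manual does not name the schema attributes, and the sample LDIF is constructed.

```python
import base64
import re
import textwrap

# RFC 4515 escaping: an unescaped '*' or parenthesis in a user-supplied
# address would turn the exact-match lookup into a wildcard (harvest) filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def exact_mail_filter(address: str) -> str:
    """Return an LDAP filter that matches only this e-mail address."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in address)
    return f"(mail={escaped})"

def ldif_to_pem(ldif: str) -> dict:
    """Map mail -> PEM certificate from ldapsearch's LDIF output.

    LDIF folds long values onto continuation lines starting with a space
    and marks base64 values such as DER certificates with '::'.
    """
    unfolded = re.sub(r"\n ", "", ldif)
    certs, mail, der = {}, None, None
    for line in unfolded.splitlines() + [""]:
        if not line.strip():  # a blank line ends an entry
            if mail and der:
                b64 = base64.b64encode(der).decode()
                body = "\n".join(textwrap.wrap(b64, 64))
                certs[mail] = ("-----BEGIN CERTIFICATE-----\n" + body
                               + "\n-----END CERTIFICATE-----\n")
            mail, der = None, None
        elif line.startswith("mail: "):
            mail = line[6:].strip()
        elif line.startswith("userCertificate;binary:: "):
            der = base64.b64decode(line.split("::", 1)[1].strip())
    return certs

# Constructed sample: placeholder bytes stand in for a real DER certificate
# (attribute names assumed; the manual does not name the schema attributes).
SAMPLE_LDIF = (
    "dn: mail=alice@example.com,dc=keytalk,dc=com\n"
    "mail: alice@example.com\n"
    "userCertificate;binary:: MIIB\n"
    " AgMA\n"
)

if __name__ == "__main__":
    print(exact_mail_filter("alice*@example.com"))
    print(ldif_to_pem(SAMPLE_LDIF)["alice@example.com"])
```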
You can also use this LDAP as your mail client's address book by adding it manually to your mail client (or have a future version of a KeyTalk client auto-configure this for you). Example in Outlook:

3.1 Configuration steps

DHCP is used by default to assign networking. To manually set your IPv4 and/or IPv6 address for the first time, use the following steps:
1) From your CLI, log in:
   Username: root
   Password: Change!
2) After successful authentication a network setting script will start. Edit a connection, select "Wired connection 1" and make the appropriate changes.
3) When done, select OK.
4) Press N; this will keep username/password SSH login enabled.
   Press Y; this will deactivate SSH username/password-based login and enforce SSH key-based login, or
   press CTRL-C to quit the script and enter your root CLI without making changes to the login method.
5) You can verify the configured IP address from the CLI by giving the command: ifconfig
6) Once the IP is assigned, SSH to the machine's IP address and log in as root. Use the provided default SSH private key or username/password, as found with the KeyTalk S/MIME LDAP virtual appliance download, to log in.
   To change the network settings again and add an HTTP proxy after the IP has been set, you can also use a browser to access the admin GUI on: https://<ipaddress>:3000
   Default username: keytalk
   Default password: SecureLDAPSMIME@Keytalk2018!
7) Change the management password and ensure you do not lose this password!
8) Change the LDAP Admin password.
9) Change the hostname, optionally set your HTTP proxy, save the settings, then apply the settings.
10) Activate LDAPS and HTTPS by uploading your certificate and key in PEM format.
The next version of KeyTalk's LDAP S/MIME address book will contain an option to automatically manage this certificate using the KeyTalk Certificate and Key & Enrolment virtual appliance.
3.2 Changing the factory default SSH key for the S/MIME LDAP
a) Provided you do not already have an SSH key, you need to create one: follow this guide https://www.ssh.com/ssh/putty/windows/puttygen
b) Copy the public key from PuTTYgen for pasting into OpenSSH.
c) Use the vi or nano editor to remove the old key and paste your public SSH key (in vi: press End, press I, press End, press the right mouse button, press Esc, type :wq <Enter>).

3.3 Managing the S/MIME LDAP contents
Plenty of LDAP management tools exist. KeyTalk customers mostly use: http://www.ldapadmin.org/download/ldapadmin.html
As the connection settings, use your network details and:
Base: dc=keytalk,dc=com
Username: cn=admin,dc=keytalk,dc=com
Password: change!

3.4 Changing your S/MIME LDAP user admin authentication credentials
The user admin account is used to remotely write/change your LDAP entries. It's the same username and password used in the KeyTalk LDAP Authentication module to connect to the S/MIME LDAP as address book only. To change your S/MIME LDAP user admin password, simply log in to the LDAP using any LDAP management tool, select the account and select "change password".
3.5 S/MIME LDAP logfiles
Logfiles can be found locally using the CLI/SSH under /var/log/:
slapd.log: log for the LDAP service
messages: log for system and service error messages
nginx-access.log: log for anyone using the Nginx web interface (IP address etc.)
nginx-error.log: log for errors related to the Nginx web interface

To send logfiles to a remote syslog server, follow these steps:
a) cd /etc/
b) vi rsyslog.conf
c) Edit the commented-out line near the end of the file, #*.* @@remote-host:514, to *.* @@<remotesyslogserveraddress>:<portnumber>

3.6 Changing the web-based search look and feel
The current version of the S/MIME LDAP virtual appliance does not formally support UI changes in an easy-to-change manner. However, those who are versed in the art of PHP can find all required files to make these changes under: /var/www/html

3.7 REST API and KeyTalk client LDAP S/MIME address-book fetching
Under KeyTalk SERVICES an appropriate KeyTalk Admin can set the LDAP S/MIME server address-book details, so that a future version of the KeyTalk client can auto-configure an email program present on the client, and/or the current REST API can fetch these details. Set it in the KeyTalk virtual appliance under the appropriate SERVICE as:
See chapter 2 of this manual to ensure that the configured S/MIME LDAP address book is configured in the KeyTalk virtual appliance to have issued S/MIME certificates written to it (and removed when revocation or replacement happens).
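As an added example (not from the manual) of working with the slapd.log file listed in section 3.5: this detector correlates OpenLDAP stats-log lines per connection and flags clients whose wildcard searches were cut off by the server's size limit, which is exactly what the anti-harvest cap of one returned entry produces. The syslog prefix, hostname and addresses in the sample lines are constructed; the stats-log line layout is OpenLDAP's standard one.

```python
import re
from collections import defaultdict

# OpenLDAP stats log (loglevel stats) line shapes we correlate per conn=<id>.
RE_ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^\s:]+):\d+")
RE_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base=".*?" scope=\d+ deref=\d+ filter="(.*?)"')
RE_RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")
SIZELIMIT_EXCEEDED = 4  # LDAP result code 4: the 1-entry cap cut the search short

def find_harvest_attempts(log_text: str, threshold: int = 2) -> dict:
    """Return {client_ip: count} for clients with at least `threshold`
    wildcard searches that hit the size limit."""
    ip_of_conn, filters, hits = {}, {}, defaultdict(int)
    for line in log_text.splitlines():
        if m := RE_ACCEPT.search(line):
            ip_of_conn[m[1]] = m[2]            # remember which IP owns the conn
        elif m := RE_SRCH.search(line):
            filters[(m[1], m[2])] = m[3]       # filter is logged before the result
        elif m := RE_RESULT.search(line):
            flt = filters.pop((m[1], m[2]), "")
            if int(m[3]) == SIZELIMIT_EXCEEDED and "*" in flt:
                hits[ip_of_conn.get(m[1], "unknown")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log lines in OpenLDAP's stats format (not a real capture).
SAMPLE_LOG = """\
Jan 25 10:00:01 smimeldap slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jan 25 10:00:01 smimeldap slapd[1234]: conn=1003 op=0 BIND dn="" method=128
Jan 25 10:00:01 smimeldap slapd[1234]: conn=1003 op=1 SRCH base="dc=keytalk,dc=com" scope=2 deref=0 filter="(mail=*)"
Jan 25 10:00:01 smimeldap slapd[1234]: conn=1003 op=1 SEARCH RESULT tag=101 err=4 nentries=1 text=
Jan 25 10:00:02 smimeldap slapd[1234]: conn=1003 op=2 SRCH base="dc=keytalk,dc=com" scope=2 deref=0 filter="(mail=a*)"
Jan 25 10:00:02 smimeldap slapd[1234]: conn=1003 op=2 SEARCH RESULT tag=101 err=4 nentries=1 text=
Jan 25 10:00:03 smimeldap slapd[1234]: conn=1004 fd=15 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
Jan 25 10:00:03 smimeldap slapd[1234]: conn=1004 op=1 SRCH base="dc=keytalk,dc=com" scope=2 deref=0 filter="(mail=bob@example.com)"
Jan 25 10:00:03 smimeldap slapd[1234]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

if __name__ == "__main__":
    print(find_harvest_attempts(SAMPLE_LOG))  # {'10.0.0.5': 2}
```

The same correlation can feed a custom Fail2ban filter on the appliance, complementing the blocking the manual says Fail2ban already performs.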
4. KeyTalk contact details and 3rd line support
KeyTalk IT Security is registered with the Dutch chamber of commerce under: 59072555, with registered VAT number: NL853305766B01
Our office address:
Kleine Haag 21
3811HE Amersfoort
The Netherlands
Phone: +31 88 KEYTALK or +31 88 5398255
Email: sales@keytalk.com
Opening hours: Mo-Fr 08:00-18:00

Customer and partner technical 3rd line support
Phone: +31 88 KEYTALK or +31 88 5398255
Email: support@keytalk.com
Opening hours: Mo-Su 00:00-24:00 (24/7)
Website: https://www.keytalk.com
Firmware/software: https://www.keytalk.com/download